Detection of Active Topology Probing Deception
NAVAL POSTGRADUATE SCHOOL MONTEREY CA
The ability to infer the topology of a network is crucial to operators and adversaries alike. Traceroute is a common active probing technique, but it may be subverted by deceptive responses. We identify possible inconsistencies in traceroute deception systems, and endeavor to find potential deception in the historic IPv4 Routed /24 Topology Dataset from the Center for Applied Internet Data Analysis (CAIDA). Our results show three major patterns in 2013 and 2014 that exhibited instances of inconsistencies matching the techniques in our methodology. In addition to analyzing the historic dataset, we evaluate three cases of traceroute manipulation in the wild. These case studies include The Pirate Bay (TPB) server supposedly residing in North Korea, the Star Wars- and Christmas Carol-themed gags involving customized Domain Name System (DNS) names, and the experimental DeTracer at the Naval Postgraduate School (NPS). In the TPB case, we discovered extensive and long-running deception in the /24 subnet. We find intriguing patterns in the gag traceroutes and fake topologies from the DeTracer, which we may use to improve our filtering process. In all, the findings will aid future operations in verifying inferred network topologies from traceroutes.
- Computer Systems Management and Standards