Large-Scale Scanning of TCP s Initial Window

Transcription

1 Large-Scale Scanning of TCP s Initial Window Jan Rüth, Christian Bormann, Oliver Hohlfeld London / IMC, November 2017

2 Why look at Initial Windows? Higher initial window àpotential to transmit more data in fewer roundtrips 600 CWND Initial Window unacknowledged bytes in flight in first round typically as a multiple of the MSS RTT 3 Jan Rüth, Christian Bormann, Oliver Hohlfeld 4

3 Why look at Initial Windows? Amount of data bursted in an unprobed network 50 CWND At the start, we don t know the bottleneck capacity 3 0 RTT Jan Rüth, Christian Bormann, Oliver Hohlfeld 1

4 Why now? IW : RFC 2414 experimental IWs measured Padhye and Floyd SIGCOMM 01 IWs in ISP Qian et al. IMC : RFC 6928 experimental IW 1 Van Jacobsen SIGCOMM 88 IW : RFC 2001 standardized IW : RFC 3390 standardized Dukkipati et al. SIGCOMM CCR 2010 Linux Kernel 2011 IWs measured Medina et al. SIGCOMM CCR Jan Rüth, Christian Bormann, Oliver Hohlfeld

5 Why now? IW : RFC 2414 experimental IWs measured Padhye and Floyd SIGCOMM 01 IWs in ISP Qian et al. IMC : RFC 6928 experimental IW 1 Van Jacobsen SIGCOMM 88 IW : RFC 2001 standardized IW : RFC 3390 standardized Dukkipati et al. SIGCOMM CCR 2010 Linux Kernel 2011 IWs measured Medina et al. SIGCOMM CCR Jan Rüth, Christian Bormann, Oliver Hohlfeld

6 Why now? IW : RFC 2414 experimental IWs measured Padhye and Floyd SIGCOMM 01 IWs in ISP Qian et al. IMC : RFC 6928 experimental Paper Goal: Actively monitor IWs in entire IPv4 space IW 1 Van Jacobsen SIGCOMM 88 IW : RFC 2001 standardized IW : RFC 3390 standardized Dukkipati et al. SIGCOMM CCR 2010 Linux Kernel 2011 IWs measured Medina et al. SIGCOMM CCR Jan Rüth, Christian Bormann, Oliver Hohlfeld

7 Rüth et al. Measuring IWs Our Scanner Probed Host SYN [MSS=...,WIN=...] Loss is a problem Actually tail-loss SYN, ACK ACK, REQUEST Estimate MSS Estimate IW=n Verify IW full Do multiple scans Scan early in the morning ACK, SEG 1 SEG n SEG 1 ACK n+1, WIN=2 MSS SEG n+1 SEG n+2 RST Timeout Retransmission Disable tail-loss probes ¾ Do not enable SACK Trigger big response and Announce MSS and large gure 1: Scan procedure: small A small MSS is announced andreceive vered, preventing to run out of data prior to reaching IW. The Use ACK to test for more data imated IW is the # bytes received before retransmission. window Was the host out of data or was the IW actually full? stop sending before reaching the full IW size if the request not trigger a large enough response. As in [18], we do not Jan Rüth, Christian Bormann, Oliver Hohlfeld d 7acknowledgments causing the remote end not to increase the

8 Measuring IWs Probe without prior knowledge Send a client hello as the request Server hello contain certificate chains variants elow that nitor the m for our ds to trigail in the etermine they are Fails smission received In case a e of more umber of 8 CCDF IMC 17, options November 1 3, 2017,the London, Kingdom We further request enlarging replyunited (e.g., cert stapling) Certificate Chain Length MSS 64, IW 1/2/4/10 MSS 1336, IW 1/2/ Size in kb Figure 2: CCDF of certi cate chain length of 36.5M hosts from censys.io TCP payload sizes covered with several when SNI isdata. enforced IWs using MSS of 64 and a typical MSS of 1336 B.1 the scan, anticipating a long enough response. We choose the URI to ll up the MTU of our connection, thus transmitting more bytes Jan Rüth, Christian Bormann, Oliver Hohlfeld than we announced we would be capable of in the MSS.

9 Scanner implementation We want to probe all reachable IPv4 / hosts We implement the methodology in Zmap Bypasses the kernel stack Typically only used for enumeration We enable Zmap to send multiple packets We can manually craft connections and manipulate them Modified Zmap, / scanners available on Github 9 Jan Rüth, Christian Bormann, Oliver Hohlfeld

10 Fraction of IPs [%] Results IPv4 / % 30% 100% 50 % 10 % Initial Window Size 25 and do not agree Many hosts still use IW 4 scan triggers many abuse mails In contrast to, this appears in access logs How much scanning is enough? 10 10% 50% 100 % 30 % 1 % Jan Rüth, Christian Bormann, Oliver Hohlfeld

11 Fraction of IPs [%] Results IPv4 / % 30% 100% 50 % 10 % % 5 6 seems to 20 be 25 30enough Scanning Initial Window Size and do not agree Many hosts still use IW 4 scan triggers many abuse mails In contrast to, this appears in access logs How much scanning is enough? 11 10% 50% 100 % 30 % 1 % Jan Rüth, Christian Bormann, Oliver Hohlfeld

12 Results Who uses which IW? IMC 17, November 1 3, 2017, London, United Kingdom % 80% 105 7% 8% 7% 11% Service IW1 IW2 IW4 IW10 IW1 IW2 IW4 IW Akamai EC Cloud are Azure Access NW Initial Window Size Figure 5: Distribution of IWs per AS. Left, 3 and 3 clusters of ASs standing out. Right, representatives of these clusters or ASs that do not t into the clusters # IPs Rüth et Table 3: Per-service IW distribution [%] clustered by IP ran (servers) or reverse DNS (access). Dominant IWs highlight reachable hosts within the entire IPv4 address space. In light of ongoing debate on IW sizes, our study provides an up-to-date v of the current Internet-wide IW con gurations documenting slow adherence Here: similar distribution for and to RFC recommended changes of the IW. and ) with nearly exclusive use of mostly compromise The main result of our study is a rather network dependent content provider, e.g., hosters, cloud provider, and CDNs. ASes with con guration. Since especially service providers can bene t fr many IW 2 based hosts belong to ISPs or in case of also to larger IWs, their adoption (or even larger IWs) is high. universities. The cluster for IW 4 is a mixture between ISPs and also noted service speci c customizations, e.g., Akamai enables hosters. While the measurement shows more ISPs, the service and even per-customer speci c IW con gurations. Si measurement stands out with an AS from Akamai that use IW 4. In these services are virtualized, analyzing such service (not h case of GoDaddy, 19.8% (32.7%) of the 137 k (193 k ) hosts -speci c con gurations requires prior knowledge to present va that were announced by AS26496 (704 pre xes) use an IW of 48. We host names/urls a setting our generalized methodology avoid remark that the number of GoDaddy hosts is 1% which is why be applicable to the Internet at large. Circumventing this limitat this IW peak is not clearly visible in Figure 3. Unlike our previous by probing selected services with manually curated URL lists t observed 4 kb IW hosts, these hosts use a static con guration of motivates future work. In contrast, networks with a larger fract IW 48, irrespective of the announced MSS. We found no obvious of legacy and other devices show a much lower deploym reason for these comparably large IWs. Jan Rüth, Christian Bormann, and higher shares of older recommended IW sizes (i.e., 1, 2, 4) Oliver Hohlfeld 12 We nd a diverse picture of di erent IW con gurations. To comcase of Linux, this can be caused by outdated systems since IW Most people in the Alexa list follow current RFCs Generally, we see older IWs in Access Networks CDNs and Cloud seem to be more up to date

13 Conclusion Distributions dominated by RFC-recommended values Still a lot of IW 2 and IW 4 Heavily used infrastructure and popular hosts seem to be on We also find some customization Some hosts have very large IWs Periodic 1% scans are available at Source code available at 13 Jan Rüth, Christian Bormann, Oliver Hohlfeld