4. SUMMARY AND CONCLUSIONS
In order to be able to present contemporary character-
istics of Internet traffic, 148 traces of 20 minutes duration
have been collected on a pair of backbone links in April
2006. The analysis revealed that IP options are virtually
not applied and IP fragmentation is done to a minor extent
(0.06%), with UDP accounting for most IP fragments. The
latter observation stems from an increased employment of
TCP Path MTU Discovery, which was shown to be even
more dominating than reported earlier. Regarding packet
size distribution, two findings should be noted. First, IP
packet lengths of 628 bytes have become even more common
than t he default datagram size, with P2P traffic identified as
likely source. Second, ex cep t for router traffic, jumbo pack-
ets are used for a single custom application only and are not
seen otherwise. Even though these observations are limited
to our measurements from a single point in the I nternet, this
summary about current behavior of network protocols helps
to understand the influence of additional protocol features
on Internet traffic and can contribute to an improvement of
future simulation models.
Additionally, a number of anomalies and inconsistencies
have been observed, serving as pointers to keep in mind
for protocol and application developers. As one cause for
the otherwise rare occurrence of IP fragmentation additional
headers introduced by VPN have been identified, advising
application developers to use smaller MSS values. Further-
more, one single long- duration UDP burst was observed
while gathering protocol statistics. This was found to be an
UDP DoS attack, undetected by the network management
tools in operation. This indicates the need for continuous
refinement of network monitoring policies. The magnitude
of the burst also raises stability and fairness concerns, call-
ing for addition of some kind of congestion control to UDP.
Finally, several types of misbehaviors within IP and TCP
headers have b een discussed. The anomalies observed could
be explained by three different causes:
• Buggy or misbeh aving applications or protocol stacks
• Active OS fingerprinting [13]
• Network attacks exploiting protocol vulnerabilities
Even though all header anomalies observed are rare com-
pared to the total number packets, their existence shows
that developers need to carefully design implementations.
Almost any p ossible inconsistency in protocol headers will
appear eventually, thus network protocols and applications
have to be designed and implemented as robust as possible,
leaving no vulnerabilities.
Since access to traffic on highly aggregated links is still
uncommon for researchers working on network security, our
results form valuable input to related research on topics like
large scale intrusion detection or traffic filtering. Besides
quantifying the occurrence of different header anomalies ’in
the wild’, the results yield explanations for the origins of
these commonly observed inconsistencies. Not every mal-
formed packet header is necessarily part of attacking traffic,
as proven by the example of the DNS server setting invalid
fragmentation bits, but can also be introduced by improper
protocol stacks. This information can be relevant when re-
fining rule-sets for traffic filters, as applied in firewalls or
network intrusion detection systems. Furthermore, knowl-
edge about the nature of header anomalies can be interesting
for researchers or developers creating stress tests for rout ers
and other network components.
5. ACKNOWLEDGMENTS
The authors want to thank Pierre Kleberger for his kind
technical support and Tomas Olovsson for his valuable and
constructive comments throughout t he MonNet project.
6. REFERENCES
[1] S. McCreary and K. Claffy, “Trends in wide area ip traffic
patterns - a view from ames internet exchange,” CAIDA, San
Diego Supercomputer Center, Tech. Rep., 2000.
[2] N. Brownlee and K. Claffy, “Internet measurement,” IEEE
Internet Computing, vol. 08, no. 5, pp. 30–33, 2004.
[3] A. Householder, K. Houle, and C . Dougherty, “Computer
attack trends challenge internet security,” Computer, vol. 35,
no. 4, pp. 5–7, 2002.
[4] S. Floyd and E. Kohler, “Internet research needs better mod-
els,” ser. Comput. Commun. Rev. (USA), vol. 33. Princeton,
NJ, USA: ACM, 2003, pp. 29–34.
[5] K. Thompson, G. J. Miller, and R. Wilder, “Wide-area in-
ternet traffic patterns and characteristics,” IEEE Network,
vol. 11, no. 6, pp. 10–23, 1997.
[6] C. Shannon, D. Moore, and K. Claffy, “Beyond folklore: ob-
servations on fragmented traffic,” IEEE/ACM Transactions
on Networking, vol. 10, no. 6, pp. 709–20, 2002.
[7] C. Fraleigh, S. Moon, B. Lyles, C. Cotton, M. Khan, D. Moll,
R. Rockell, T. Seely, and C. Diot, “Packet-level traffic mea-
surements from the sprint ip backbone,” Network, IEEE,
vol. 17, no. 6, pp. 6–16, 2003.
[8] K. Pentikousis and H. Badr, “Quantifying the deployment of
tcp options - a comparative study,” IEEE Communications
Letters, vol. 8, no. 10, pp. 647–9, 2004.
[9] M. Allman, “A web server’s view of the transport layer,”
SIGCOMM Comput. Commun. Rev., vol. 30, no. 5, 2000.
[10] A. Medina, M. Allman, and S. Floyd, “Measuring the evolu-
tion of transport protocols in the internet,” Computer Com-
munication Review, vol. 35, no. 2, pp. 37–51, 2005.
[11] A. Hussain, G. Bartlett, Y. Pryadkin, J. Heidemann, C. Pa-
padopoulos, and J. Bannister, “Experiences with a contin-
uous network tracing infrastructure,” in MineNet’05: ACM
SIGCOMM workshop on Mining network data. New Yor k,
NY, USA: ACM Press, 2005.
[12] J. Xu, J. Fan, M. Amm ar, and S. Moon, “On the design and
performance of prefix-preserving ip traffic trace anonymiza-
tion,” in IMW ’01: ACM SIGCOMM Workshop on Internet
Measurement. New York, NY, USA: ACM Press, 2001.
[13] T. Karagiannis, A. Broido, N. Brownlee, k claffy, and
M. Faloutsos, “File-sharing in the internet: A characteri-
zation of p2p traffic in the backbone,” UC Riverside, Tech.
Rep., 2003.
[14] CiscoSystems, “Ipsec vpn wan design overview,” Cisco
Doc., 2006. [Online]. Available: http://www.cisco.com/
univercd/cc/td/doc/solution/ipsecov.pdf
[15] Fyodor, “Nmap security scanner,” 1998. [Online]. Available:
http://insecure.org/nmap/index.html