The International Arab Journal of Information Technology (IAJIT)


Exploitation of ICMP Time Exceeded Packets for A Large-Scale Router Delay Analysis

Internet Control Message Protocol (ICMP) Time Exceeded (ICMP-TE) messages are sent by a router when it discards a packet whose hop count limit (the IPv4 TTL) has run out; they therefore signal that a node is unreachable within a given number of hops. With the Internet of Things (IoT) taking more space in our daily life, the accessibility, or in some cases the inaccessibility, of hosts should be analysed more carefully. ICMP Time Exceeded packets might be in the hands of an attacker, an indicator of compromise for a possible IoT botnet attack, or a tool for delay measurement. In this study we exploit ICMP Time Exceeded packets to analyse the Round Trip Time (RTT) delays of randomly distributed IP routers around the globe. We conduct a comprehensive delay analysis over more than 1 million Time Exceeded packets returned in response to our ICMP requests. To show that ICMP Time Exceeded packets can also be a signature of a possible IoT botnet attack, we carry out a contained experiment with Mirai IoT botnet scanning and exhibit the indicators that differentiate these two usages.
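The two usages the abstract contrasts both arrive at a measurement host as the same ICMP type 11 message, so the practical question is what a collector should look at inside the message. The following added example (not code from the paper) builds a TTL-limited echo probe and a telnet SYN, wraps each in the Time Exceeded message a router would return, and then decodes the quoted inner datagram to either recover the router RTT for a probe we sent or flag the SYN as scanner traffic. All addresses, ports, identifiers and timestamps are constructed; the "sequence number equals destination address" check is taken from the public Mirai scanner source, not from the abstract, and is used here only as an illustrative indicator.

```python
import struct

ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11
PROTO_ICMP, PROTO_TCP = 1, 6
TELNET_PORTS = {23, 2323}  # ports Mirai's scanner targets (public source)


def ip_to_bytes(a):
    return bytes(int(x) for x in a.split("."))


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def checksum(data):
    """RFC 1071 ones-complement checksum used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      ttl, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def build_icmp_echo(ident, seq):
    hdr = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    return hdr[:2] + struct.pack("!H", checksum(hdr)) + hdr[4:]


def build_tcp_syn(sport, dport, seq):
    # 20-byte TCP header, flags=SYN (0x02); checksum left 0, not needed here
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 0xFFFF, 0, 0)


def build_time_exceeded(router, original, quote_len=28):
    """Message a router emits when TTL reaches 0: type 11, code 0, followed by
    the first quote_len bytes of the dropped datagram (28 = IP header + 8
    bytes is the RFC 792 minimum; many routers quote more)."""
    body = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0) + original[:quote_len]
    body = body[:2] + struct.pack("!H", checksum(body)) + body[4:]
    return build_ipv4(router, bytes_to_ip(original[12:16]), PROTO_ICMP, body, ttl=64)


def parse_ipv4(buf):
    ihl = (buf[0] & 0x0F) * 4
    return {"src": bytes_to_ip(buf[12:16]), "dst": bytes_to_ip(buf[16:20]),
            "ttl": buf[8], "proto": buf[9], "payload": buf[ihl:]}


def parse_time_exceeded(buf):
    """Return router address, code and the decoded quoted datagram, or None."""
    outer = parse_ipv4(buf)
    icmp = outer["payload"]
    if outer["proto"] != PROTO_ICMP or icmp[0] != ICMP_TIME_EXCEEDED:
        return None
    if checksum(icmp) != 0:  # corrupted or forged message
        return None
    return {"router": outer["src"], "code": icmp[1], "inner": parse_ipv4(icmp[8:])}


def classify(te, probes, recv_time):
    """probes: {(ident, seq): send_time} for the echo probes this host sent."""
    inner, p = te["inner"], te["inner"]["payload"]
    if inner["proto"] == PROTO_ICMP and len(p) >= 8 and p[0] == ICMP_ECHO_REQUEST:
        ident, seq = struct.unpack("!HH", p[4:8])
        sent = probes.get((ident, seq))
        if sent is not None:  # our own TTL-limited probe: RTT to this router
            return {"kind": "measurement", "router": te["router"], "rtt": recv_time - sent}
        return {"kind": "foreign-echo", "router": te["router"]}
    if inner["proto"] == PROTO_TCP and len(p) >= 8:
        sport, dport, seq = struct.unpack("!HHI", p[:8])
        # Mirai's scanner sets tcp.seq = ip.daddr and targets 23/2323; both
        # survive even the minimal 8-byte quote (assumed indicator, see lead-in).
        dst_int = struct.unpack("!I", ip_to_bytes(inner["dst"]))[0]
        kind = "mirai-like-scan" if dport in TELNET_PORTS and seq == dst_int else "tcp"
        return {"kind": kind, "router": te["router"], "dport": dport, "scanner": inner["src"]}
    return {"kind": "other", "router": te["router"]}


def demo():
    """Constructed exchange: one measurement probe, one scanner SYN, one plain SYN."""
    probes = {(0xBEEF, 5): 100.000}  # echo id/seq -> send time (seconds)
    echo = build_ipv4("198.51.100.7", "203.0.113.9", PROTO_ICMP,
                      build_icmp_echo(0xBEEF, 5), ttl=5)
    r1 = classify(parse_time_exceeded(build_time_exceeded("192.0.2.1", echo)), probes, 100.042)
    dst = "203.0.113.77"
    syn = build_ipv4("192.0.2.200", dst, PROTO_TCP,
                     build_tcp_syn(40000, 23, struct.unpack("!I", ip_to_bytes(dst))[0]), ttl=1)
    r2 = classify(parse_time_exceeded(build_time_exceeded("192.0.2.1", syn)), probes, 100.050)
    web = build_ipv4("192.0.2.201", dst, PROTO_TCP, build_tcp_syn(40001, 80, 12345), ttl=1)
    r3 = classify(parse_time_exceeded(build_time_exceeded("192.0.2.1", web)), probes, 100.051)
    return r1, r2, r3


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The collector keys its RTT table on the echo identifier and sequence number quoted back by the router, so replies to someone else's probes, or forged Time Exceeded messages, never enter the delay statistics; the TCP branch shows that the same quoted bytes are enough to attribute a scan to its source address.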

[1] Allman M., Beverly R., and Trammell B., “Principles for Measurability in Protocol Design,” ACM SIGCOMM Computer Communication Review, vol. 47, no. 2, pp. 2-12, 2017.

[2] Allman M., Paxson V., and Blanton E., “TCP Congestion Control,” IETF RFC 5681, 2009.

[3] Antonakakis M., April T., Bailey M., Bernhard M., Bursztein E., Cochran J., Durumeric Z., Halderman J., Invernizzi L., Kallitsis M., Kumar D., Lever C., Ma Z., Mason J., Menscher D., Seaman C., Sullivan N., Thomas K., and Zhou Y., “Understanding the Mirai Botnet,” in Proceedings of 26th USENIX Security Symposium, Vancouver, pp. 1093-1110, 2017.

[4] Boutremans C., Iannaccone G., and Diot C., “Impact of Link Failures on VOIP Performance,” in Proceedings of Network and Operating Systems Support for Digital Audio and Video, Miami, pp. 63-71, 2002.

[5] Chang R., “Defending Against Flooding-Based Distributed Denial of Service Attacks: A Tutorial,” IEEE Communications Magazine, vol. 40, no. 10, pp. 42-51, 2002.

[6] Cho K., Mitsuya K., and Kata A., “Traffic Data Repository At The WIDE Project,” in Proceedings of the Annual Conference on USENIX Annual Technical Conference, San Diego, pp. 263-270, 2000.

[7] Choi B., Zhang Z., Hung D., and Du C., Scalable Network Monitoring in High Speed Networks, Springer, 2011.

[8] Chowdhary M., Suri S., and Bhutani M., “Comparative Study of Intrusion Detection System,” International Journal of Computer Sciences and Engineering, vol. 2, no. 4, pp. 197- 200, 2014.

[9] Donnet B., Luckie M., Merindol P., and Pansiot J., “Revealing MPLS Tunnels Obscured from Traceroute,” ACM SIGCOMM Computer Communication Review, vol. 42, no. 2, pp. 87-93, 2012.

[10] Fontugne R., Abry P., Fukuda K., Veitch D., Cho K., Borgnat P., and Wendt H., “Scaling in Internet Traffic: A 14 Year and 3 Day Longitudinal Study, with Multiscale Analyses and Random Projections,” IEEE/ACM Transactions on Networking, vol. 25, no. 4, pp. 2152-2165, 2017.

[11] Gannon M., Warner G., and Arora A., “An Accidental Discovery of Iot Botnets and A Method for Investigating Them with A Custom Lua Dissector,” in Proceedings of Conference on Digital Forensics, Security and Law. 3, Daytona Beach, 2017.

[12] Gezer A., “Large-Scale Round-Trip Time Analysis of Ipv4 Hosts Around the Globe,” Turkish Journal of Electrical Engineering and Computer Sciences, vol. 27, no. 3, pp. 1998- 2009, 2019.

[13] Gürsun G., “On Spectral Analysis of Internet Delayspace and Detecting Anomalous Routing Paths,” Turkish Journal of Electrical Engineering and Computer Science, vol. 27, no. 2, pp. 738- 751, 2019.

[14] Heidemann J., Pradkin Y., Govindan R., Papadopoulos C., Bartlett G., and Bannister J., “Census and Survey of the Visible Internet,” in Proceedings of 8th ACM SIGCOMM Conference on Internet Measurement, Vouliagmeni, pp. 169-182, 2008.

[15] Hengartner U., Moon S., Mortier R., and Diot C., “Detection and Analysis of Routing Loops in Packet Traces,” in Proceedings of the 2nd ACM SIGCOMM Workshop on Internet Measurement, Marseille, pp. 107-112, 2002.

[16] Janowski R., Grabowski M., and Arabas P., “New Heuristics for TCP Retransmission Timers,” in Proceedings of International Conference on Computer Recognition Systems, Progress in Computer Recognition Systems, Cham, pp. 117-129, 2019.

[17] Kolias C., Kambourakis G., Stavrou A., and Voas J. “DDoS in the IoT: Mirai and Other Botnets,” Computer, vol. 50, no. 7, pp. 80-84, 2017.

[18] Mohammed H., Attiya G., and El-Dolil S., “New Class-based Dynamic Scheduling Strategy for Self-Management of Packets at the Internet Routers,” The International Arab Journal of Information Technology, vol. 16, no. 3, pp. 473- 481, 2019.

[19] Mudassar A., Asri N., Usman A., Amjad K., and Ghafir I., “A New Linux Based TCP Congestion Control Mechanism for Long Distance High Bandwidth Sustainable Smart Cities,” Sustainable Cities and Society, vol. 37, pp. 164- 167, 2018.

[20] Pathak A., Pucha H., Zhang Y., Hu Y., and Mao M., “A Measurement Study of Internet Delay Asymmetry,” in Proceedings of International Conference on Passive and Active Network Measurement, Cleveland, pp. 182-191, 2008.

[21] Paxon V., Allman M., Chu J., and Sargent M., “Computing TCP’s Retransmission Timer,” IETF RFC 6298, 2011.

[22] Sinanovic H. and Mrdovic S., “Analysis of Mirai Malicious Software,” in Proceedings of 25th International Conference on Software, Telecommunications and Computer Networks, Spli, pp. 1-5, 2017.

[23] Zarpelao B., Miani R., Kawakani C., and Alvarenga S., “A Survey of Intrusion Detection Exploitation of ICMP Time Exceeded Packets for A Large-Scale Router Delay Analysis 1097 in Internet of Things,” Journal of Network and Computer Applications, vol. 84, pp. 25-37, 2017. Ali Gezer was born in Kayseri City, Turkey, in 1976. He received the B.S. degree in Electronic and Computer Education from Marmara University in 1999 and M.S. degree in Computer Engineering from Erciyes University in 2004, and the Ph.D. degree in Electronic Engineering from Erciyes University, Kayseri, TURKEY, in 2011. He is an assistant professor with the Electronic and Communication Technology in Kayseri University. His research interests include internet traffic analysis, self- similarity, network traffic modelling and characterization, signal processing techniques, telecommunication technologies, IoT botnet investigations, and malware analysis. Gary Warner was born in Indiana and grew up in the Mid-West. He moved to Birmingham, Alabama to attend UAB, where he earned his Bachelor’s in Computer Science. Warner has worked in mainframe operations, network security and design, and as the I.T. Director for an oil and gas company. He started the Birmingham InfraGard chapter in 2001, and has served on the national board of directors for both the FBI InfraGard program and the DHS Energy ISAC. In 2007, he joined the University of Alabama at Birmingham to train future cybercrime investigators. He currently directs a staff of 50 student researchers in the UAB Computer Forensics Research Lab where he works primarily on malware and botnet investigations, cybercrime investigations, and the social media usage of criminals, hate groups, and terrorists.