Distributed Network for Reverse-Tracerouting

I got the heads-up from some folks concerning Traceloop.com. It's an interesting idea - you can see what route your traffic takes on the /return/ path. By utilizing a large group of distributed test points, anyone registered with the service can run traceroutes in both directions provided there is a client near the destination ISP. So, they are looking for more people to sign up for the network - but also to have people use it. I'd like to see this used vis-à-vis DoS attacks and such - but this approach is a whole new way of doing this.
  • How many hops away from slashdot am I?

    C:\>tracert slashdot.org
    Tracing route to slashdot.org [127.0.0.1]
    over a maximum of 30 hops:

    1 <10 ms <10 ms <10 ms slashdot.org [127.0.0.1]

    Trace complete.


    Hrm, that looks pretty good. So why do the pages take so long to load?

    --Shoeboy
  • Now I know I'm not some kind of network guru, but isn't there the possibility that this could be used to launch DDoS attacks? Any kind of distributed system has got to have the ability to launch such attacks, and open services like this must surely be more vulnerable to abuse than machines that have to be cracked.

    Hopefully the encryption system they are using will withstand such attempts. At least they've thought about it, because this kind of thing would probably be a target for malicious script kiddies.

    However it would be good to be able to reverse traceroute incoming packets. It's also nice to be able to worry less about allowing UDP and ICMP through your firewall, and hopefully this will be taken up by enough concerned sysadmins to make it a viable concept. As recent attempts have shown, tracking down the originator of DDoS attacks is pretty hard, and this might save us the threat of yet more Government "protection" for the net.

  • ICMP packets already account for an absurdly large amount of total Internet traffic. I can't be bothered to find a link, but I believe it was between 15-17%.

    Is it really a wise use of limited bandwidth resources to develop new network-clogging toys for 'system administrators' to play with? What a lot of geeks tend to forget is that real people are trying to accomplish real work over the Internet. It's no longer just their personal playground.

    The entire economy has been transformed to rely on networking and information technology. Bandwidth is a critical resource that mustn't be wasted on 'cool' new toys.

    Even worse, systems like Traceloop are always poorly thought out and rife with possible exploits. The last thing we need is yet another platform for hackers to launch malicious attacks on the public and private sector's key information systems.

    Basically, if it's not business critical, it doesn't belong on the Internet anymore.

    - qpt
  • The idea is quite nice, but what's the actual use of this? In practice, how many times does it happen that the reverse route differs from the forward route?

    Also, the first time I tried it, it didn't work :-( And when it would have worked, the results would have been worthless because the distance between the targets and the clients was too large - though this will change when the network grows.
  • how many times does it happen that the reverse route differs from the forward route

    Quite often. It's the rule rather than the exception. Ever heard of 'hot potato routing'? Do a search and you'll understand.

  • by Hemos ( 2 ) on Thursday March 01, 2001 @02:42AM (#393488) Homepage Journal
    We need more database RAM, actually. Then we need more webserver RAM - we're reaching our ceiling on max connections, and can't add more until we get more RAM.
  • As I see it, they will charge nothing to use the basic client, but they charge for the 'pro' client which will have additional features. Still, if this is a 'shared' service where all the clients participate by serving to others as well, does it then seem fair that they receive money for it?

    Or should I wait for www.opentraceloop.org?

    Dave
  • C:\>tracert slashdot.org
    Tracing route to slashdot.org [127.0.0.1]

    [...]
    Hrm, that looks pretty good. So why do the pages take so long to load?


    Because, as you've clearly demonstrated, slashdot.org is using a Microsoft operating system.

    Touché.
  • What if the FBI has had something like this for some time now, and they just never told anyone about it? I mean, after the Carnivore incident I think the next toy they make they will be more hush about; maybe it's called intestinal track or something spaz like "y ru 8 us". Just a thought, don't take it as flame bait seriously; just think of the stealth planes America has, and what exactly is the next-generation stuff we have not seen yet.
  • WAAH
    Getting a 404 error on the download link that was sent after registering. Anyone else getting this?
  • by Anonymous Coward
    Basically, if it's not business critical, it doesn't belong on the Internet anymore.

    Are your statements business critical? There is more to life, and the internet, than money.

  • I think the discussion was about SMURF attacks.

    Basically it gives you the ability to follow back to the source of an attacker.

    The best argument I heard against it was that ISPs first should do some decent outgoing filtering to catch SMURF attacks.

    Of course you might be able to abuse the system by faking a malicious attack from the host to be attacked. I doubt that this would be fun for script kids though, since using multiple hosts sounds much more impressive.

  • by Phizzy ( 56929 ) on Thursday March 01, 2001 @03:16AM (#393495)
    Alright, first, ICMP is a necessity. It is the Internet Control Messaging Protocol, and is used to troubleshoot network issues. It does _not_ use much bandwidth, and I seriously doubt it consumes 15-17%, though I do not have stats to back that up. Regardless, even if it does take that much bandwidth, or even 25%, it is a necessary part of the internet. I work at an ISP, doing routing configuration and troubleshooting most of the time, and without free rein to use ICMP however I want (which includes flood pings and extended pings), I could not do my job. This tool could be used to save a lot of time on the internet, actually.. here's a situation I see every day.. some customer has a problem reaching blah.com.. when he runs a traceroute, it goes all the way through my network, and then dies in another ISP's network which I have no visibility into. I have to send email or call the other ISP and wait at their whim for them to address the problem, which happens slowly, if not at all most of the time. If Traceloop were implemented across the board, a lot of time could be saved by NOC employees across the globe, which would mean quicker resolution of internet problems, which would lead to greater stability and speed on the network, which I am sure would help your precious business.

    You business people need to realize that you don't own the internet. You pay for a very small amount of bandwidth on the internet, which you can do what you choose with, but you didn't build the internet, you don't maintain the internet and you have no right whatsoever to tell anyone else what to do with their bandwidth.

    The only thing I can figure is you're either an idiot or a troll.. if the former is true, please go read Internet Architectures by Halabi (Cisco Press book)... it is very useful. If the latter is the case, then fuck right off.

    //Phizzy
  • Sorry there, but if you take the time to read the FAQ [traceloop.com] you'll see that they express the same concerns about the possibility of this network being used as a launching point for DDoS. I don't see how this makes me a troll.

  • Services like this can be used to find the nodes in the internet as well. Generally, all traffic at some time will get routed through a very busy node, and if a hacker knows where to focus DoS attacks they can take down serious proportions of the Net.

    I think a while back Nature published a paper to the effect of this, with a topology of the internet. The main thing to come out of this study was that the internet is fairly robust and secure unless those seeking to attack it know the busiest nodes to attack.

    So what we are getting is a way to discover the weakest points for free, hence anyone with enough knowledge and motivation to do so can seriously damage the internet.

    What it all comes down to is: do you really need to know where your packets go? With the legislation introduced by the government in the UK, it's all rather academic considering they are allowed to peek at the information anyway. And as far as I know there is no way to reroute your packets to take a specific route.

    Basically it comes down to being a waste of bandwidth and resources, and a potential security problem.
  • How much RAM do you guys HAVE? At current prices, is it that hard to add more? After all, I've seen PC133 RAM down to $60/256M.

    Heck, get VA to cough up an Alpha for the DB system, and load that puppy up to 10G of memory! It worked for Altavista...
  • Perhaps it's a cry for help? :)
  • Basically, if it's not business critical, it doesn't belong on the Internet anymore.

    Did Gore die and they made you king of the net?
    The internet is supposed to be free, so where do you get off telling us what to use it for and what not to use it for?
    Maybe the tool can be used for useful things.
    And where is the line? Are things like Quake, irc ... useful/business critical?
  • You tell him!!!!
  • You said: I may be able to fire my security firm, but I don't have any influence over yours - and I can always vote against my congressman

    You might be able to fire him, but I am a South African living in London, UK. What am I supposed to do when your government, I am guessing USA, decides that they are the "Law of the Internet"? Do I get a vote on who sits in the White House, who makes the laws and who applies the law?

    When will people realise that the USA/"country of choice" is not the Internet, the whole world is, even the horrible little countries you are not allowed to export encryption to. Andrew

  • by Anonymous Coward on Thursday March 01, 2001 @03:39AM (#393504)
    The UK academic network [ja.net] charges institutions (2p/MB on average), some of which pass the cost on to individuals, for transatlantic traffic.
    Having a way to do reverse traceroutes would be invaluable for identifying the offending traffic more effectively.
    Currently we can look at traceroutes for evidence of the JANET US gateways, and the ping time (anything that goes through the US gateways is >70ms), all of which isn't ideal...
  • Yes, it does.

    They make the clients and run the central servers which tie the whole thing together. This is not a fully distributed Network like gnutella (thank god). So there is nothing wrong with them trying to make some money from it.
  • denier (n.) 1. A unit of fineness for rayon, nylon, and silk fibers, based on a standard mass per length of 1 gram per 9,000 meters of yarn. 2. a. A small coin of varying composition and value current in western Europe from the eighth century until the French Revolution. b. A small, trifling sum. (Archaic)
  • What am I supposed to do when your government, I am guessing USA, decides that they are the "Law of the Internet"?

    This brings up the pertinent question, "why is your government paying attention?" The USA is certainly not within its rights to be intervening in your country's internal affairs. If the USA oversteps its boundaries, it is your government's prerogative to ignore it. When imperialists try to dictate terms to you, it is your obligation to resist.

    When will people realise that the USA/"country of choice" is not the Internet, the whole world is, even the horrible little countries you are not allowed to export encryption to.

    Complaining about the situation won't make it any better; you've got to take action if you want anyone to listen. "Political power grows out of the barrel of a gun," as Chairman Mao said - and while it's not often wise to apply this proverb literally, the saying certainly has a lot of truth to it.
  • by fanatic ( 86657 ) on Thursday March 01, 2001 @03:50AM (#393508)
    I'd like to see this used vis a vis DoS attacks and such

    A serious DOS will use spoofed source addresses, rendering this use useless.
  • by Floody ( 153869 ) on Thursday March 01, 2001 @03:51AM (#393509)
    While the distributed concept of this approaches something that might be called cool, there is already a remote tool installed at many NAPs which provides similar functionality in terms of reverse traceroutes and considerably more (BGP, etc). It's called looking glass, it's open source (perl) and doesn't carry around the broken subscriber model that this traceloop crap has.

    Check out http://nitrous.digex.net [digex.net] for more info. An invaluable tool for routing engineers.
  • Any Tier 2 or higher NSP will have multiple paths to multiple providers via transit peering at local and global Network Access Points. Each peer at those network access points will have traffic intended to the destination and will each use their own route to get there.

    During a Denial of Service attack, certain peers can be overwhelmed, while others are passing little or no traffic. This tool will let you bounce tranceroutes off of other starting points so that you can correctly verify your transit and peering operation. There is a lot of value in this tool. I can see larger ISPs paying a subscription to gain access to this type of service to help them develop their own Quality of Service with peering providers.

    Hopefully they add support for IPv6 and the 6bone, as for now we're restricted to using web pages with traceroute CGIs. For more information on BGP routing, take a look at http://www.landfield.com/rfcs/rfc1771.html [landfield.com]. Have a nice day!

    -Pat

  • Oops.. wonder where my mind was! That's traceroute and not tranceroute.

    /me takes another acid hit!

    -Pat

  • No, and I wish people would stop asking me that. So I think faster than what I type; I even think faster than I speak. It's a terrible affliction.
  • The idea is quite nice, but what's the actual use of this? In practice, how many times does it happen that the reverse route differs from the forward route?

    Well, you obviously haven't looked at many traceroutes. Or maybe you are thinking of things within your own network. However, it is highly likely that if I trace from my network to someone else's on the other side of the world, the return route would be different. Therefore a tool like this is excellent for debugging network problems. It might sometimes be the case when you traceroute to someone (e.g. Exodus) that the traceroute *'s out on the last few hops. If you could see things from Exodus's side you would see that there is nothing wrong with their network but that the packets are coming back through a different route and that route has problems. Without a reverse traceroute you might incorrectly presume that there is a problem with Exodus. This sort of tool is truly useful for debugging network problems.

    Having said that, I have been using various Looking Glasses around the world to debug connections already and this doesn't add anything new except that it is working on a bigger scale and is easier to use.

  • Quite often the return route differs. In fact, in many cases, subsequent traceroutes won't even be the same. Packets will take whatever route any given router sends it by. If packets always followed the same route, there wouldn't be any such thing as out of order packets.

    Just because a packet travelling from point A to point B passing through router C, because point A thought C was the best place to send the packet, does not mean that B will think the same thing. B may send the packet to a different router, or any of the many routers in between might make such a decision.

    Of course, it doesn't really make any difference as long as the packet gets there. When this becomes significant is when you get horrible latency or speed issues when connecting to a specific site but nobody else has the same problem. The site may have plenty of bandwidth, but a router somewhere in between is sending your data to you through a clogged hole somewhere.

    -Restil
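The asymmetric forward and return paths that 'hot potato routing' produces, discussed in the replies above, as an added simulation that is not part of the thread: a constructed two-AS topology in which each AS hands traffic over at whichever of its own border routers is nearest by its own IGP metric, so a->b and b->a cross at different exchange points. All router names, costs and AS numbers are invented for the example.

```python
import heapq

# Constructed two-AS topology, not taken from the thread. AS 1 holds host a and
# border routers w1/e1; AS 2 holds host b and border routers w2/e2. The two ASes
# peer at a western exchange (w1-w2) and an eastern one (e1-e2). Costs are each
# AS's own IGP metrics; the other AS's metrics are invisible to it.
NODE_AS = {"a": 1, "w1": 1, "e1": 1, "b": 2, "w2": 2, "e2": 2}
IGP_LINKS = {
    1: {("a", "w1"): 1, ("a", "e1"): 9, ("w1", "e1"): 10},
    2: {("b", "e2"): 1, ("b", "w2"): 9, ("w2", "e2"): 10},
}
PEERINGS = {"w1": "w2", "w2": "w1", "e1": "e2", "e2": "e1"}

def shortest_paths(asn, src):
    """Dijkstra inside one AS: returns (distance, path) per reachable node."""
    adj = {}
    for (u, v), cost in IGP_LINKS[asn].items():
        adj.setdefault(u, []).append((v, cost))
        adj.setdefault(v, []).append((u, cost))
    dist, path, heap = {src: 0}, {src: [src]}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue  # stale queue entry
        for v, cost in adj.get(u, []):
            if d + cost < dist.get(v, float("inf")):
                dist[v], path[v] = d + cost, path[u] + [v]
                heapq.heappush(heap, (d + cost, v))
    return dist, path

def route(src, dst):
    """Hop list from host src to host dst across the two ASes.

    Hot potato: the source AS hands the packet over at whichever of its own
    border routers is nearest to src by its own metric, then the destination
    AS carries it the rest of the way by its own shortest path.
    """
    src_as, dst_as = NODE_AS[src], NODE_AS[dst]
    dist, path = shortest_paths(src_as, src)
    exits = [r for r in PEERINGS if NODE_AS[r] == src_as]
    exit_router = min(exits, key=dist.__getitem__)
    entry_router = PEERINGS[exit_router]
    _, remote_path = shortest_paths(dst_as, entry_router)
    return path[exit_router] + remote_path[dst]

if __name__ == "__main__":
    fwd, back = route("a", "b"), route("b", "a")
    print("a -> b:", " ".join(fwd))
    print("b -> a:", " ".join(back))
    print("symmetric" if back[::-1] == fwd else
          "asymmetric: a forward traceroute from a never sees the eastern "
          "exchange that the replies cross, which is what a reverse trace shows")
```

With these metrics the forward trace runs a, w1, w2, b while the replies come back b, e2, e1, a; a problem on the e2-e1 link would look from a's side like the far end '*'-ing out.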
  • Many of the new business models require a level of QoS system performance; in the selection of a service provider, tools such as trace routes can identify potential service problems..... All networks are not equal. Kevin Facinelli www.colosource.com Colocation Resource Center
  • I can be bothered to find a link from CAIDA [caida.org]. At least for their data set, which was a single point, the percentage was more like 1.3% of the packets and 0.7% of the bytes.

    If you have a link that supports that number, I'd be interested in seeing. Of course, 2/3 of all statistics are made-up :).

    Let's say that Traceloop does 1 million traces a day. Each one causes 30 out-going and 30 in-coming packets to be sent. That's a total of 60M packets per day, or 700 per second, which is a drop in the bucket. Even if you go up to 1 billion traces, it's still insignificant to the Internet as a whole.

  • Moderate down
  • They describe their hardware in the FAQ [slashdot.org]. However, as I recall from attending a talk Hemos gave a few weeks back at WPI [wpi.edu], those stats are all out of date. I think the RAM in those boxen has doubled since the last update to the description, and is about to do so again.

  • yeah!!
  • That's because it's still in Alpha. Once it's in Beta, you'll be able to actually download something..

    ..and once we get to the third or fourth patch, you'll see things will start to get working.

    huraY!

    Dave
  • by wowbagger ( 69688 ) on Thursday March 01, 2001 @05:41AM (#393521) Homepage Journal
    Precisely my point: their DB server has 2G of RAM. Assume they've maxed it out: that's 4G since it's an Intel system.

    Given the amount of crap the /. system must track, upgrading that to a dual or 4-way Alpha with 10G of RAM would probably help a bunch.
  • by SteveLightman ( 321319 ) on Thursday March 01, 2001 @05:42AM (#393522)
    The source for tltrace is freely available. The link hasn't been published on the site (yet), but it is tltrace-0.91b-1.src.tar.gz [traceloop.com].
    We will endeavour to make this clearer on the web site in the future. Go ahead and grab it if you like.
  • ALL smurf attacks can be stopped by properly configured routers. Of course there are always clueless bastards out there making the rest of our lives difficult.

    kashani
  • Unfortunately these guys didn't actually inspect the entire Internet. So they have no idea about the failover circuits, routers, paths, etc. Take my network. Normally you route through one of two OC-3s to get to one site. If one router/circuit fails, OSPF changes to use the DS-3 on another router. You can't see this route while the OC-3 is up.
    Fortunately your average attacker could only kill one larger router/access point at a time. Even the last DDOS was only beating on Yahoo, eBay, etc. individually IIRC. Not to mention that network infrastructure is quite a bit harder to take down than a web cluster.

    kashani
  • Great to see you reading and posting, Hemos. Do you think you could give Taco the hint that having him post once in a while might be a *good thing*? I mean seriously, I don't think I've seen a CmdrTaco post in the 2+ years I've been reading /. Pretty lame. Has he given up? Too aloof?


    --------
  • I think you missed the decimal point. It is probably between 0.15% and 1.5%. Think about it, few applications actually use ICMP. And the ones that do typically ping a host before establishing a connection. So they send one small packet before connecting and sending thousands of larger packets. Then think about applications that might ping constantly, to verify that a host is on the network. Those send 512 bits per ping for a rate of 512 bps. Wow. When you consider that the pipes they are traveling down are going to be at least 1 Mbps wide (we're not constantly pinging some 33.6 modem) it is a very small amount of data. As others point out, ICMP is not just a "cool toy", it is very critical to the functionality and maintenance of the internet.
  • Actually, by putting a "hosts" file in your windows directory, you can bypass using DNS.

    Which means that Shoeboy simply added slashdot.org to his local hosts file, mapped it to his own machine, and ran tracert.

    Not a bad troll, though.

  • Working...: http://www.traceloop.com/download/traceloop.zip

  • It strikes me as strange that the people who got worked up over locator/id chips being embedded in consumer products, are not getting worked up over this.

    Yes reverse traceroute is more indirect, but both are ways to locate the general whereabouts of the individual.

    The question is where do we draw the line?

    Frank Fletcher.
  • by Anonymous Coward
    The HEP network monitoring project [hep.net] has offered stuff like reverse traceroute for a while now, no sign-up required.

    It works really well.

  • A similar Idea I have heard kicked around is the ability to automatically shutdown single source flood without the need for the Administrators getting involved at all.

    The idea works like this: A system realizes it's getting DoS'd (a relatively simple realization: either you're getting a lot of bogus return addresses, or you know who's flooding you...). So if you're getting a bunch of bogus addresses you need a way to shut it off as close to the source as possible. So, network hardware all up and down the spectrum needs a new protocol: call it "ADA, Anti-Denial of Service Attack protocol". This language defines a way for a node to ask the next node in the link to automatically kill packets that are coming in with bogus return addresses, and which are destined to go either to or through your node. The upstream node will be able to tell just by checking which trunk the data came down, and verifying that the return address is coming from that trunk. If it gets some that are invalid (more than 1% of a particular type, for example), then it would ask the router along the source trunk to do the same. Each node would take about 1 to 2 minutes of statistics gathering to be able to figure out definitively where the DoS is coming from, and then could stop passing those packets along, and ask the next router upstream to do the same. The advantage is that the system is perfectly safe since you can't ask to have someone else shut down, because the router won't accept and pass on the request unless the trunk the request came from matches the trunk down which the DoS target exists. You would be vulnerable to having your connection severed against your will only if one of the routers is compromised, but by definition if a router is compromised, your connection is vulnerable anyway.

    The nice thing about this system is that if you get DoS'd, and you know you're being DoS'd, you send this request upstream, and the routers will work their way back to the source until the attacker's own ISP will kill the packets before they even make it one hop onto the net in general. It can be completely automated, and there is no additional risk to your connection than already exists. The protocol would require some basic info and statistics engines in the routers, but that already exists for other purposes (like load balancing). It would still allow you to send out bogus return addresses, but if you start flooding someone, the system will automatically lock you out from the person you're flooding.

    This won't serve to stop all DoS attacks, but it will stop the morons with the instant "DoS in a can" software from being able to attack someone because they stole their IRC nick, or something equally retarded. Additionally, calling the owner of the Router would allow you to use their logs (if they will let you) to track down the perpetrator.

    -=Geoskd
    www.geoskd.com [geoskd.com]
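The router-to-router scheme sketched in the post above, as an added simulation that is not part of the post: each hypothetical Router knows which source prefixes belong on each trunk (the same per-interface source check that ingress filtering relies on), counts off-trunk sources per trunk, and honours an upstream request only when it arrives on the trunk the router itself uses to reach the stated target. The three-router topology, prefixes, thresholds and names are all constructed.

```python
import ipaddress
from collections import Counter

class Router:
    """Constructed model of the post's 'ADA' idea, not real router code.
    trunk_sources: trunk -> prefixes whose sources legitimately arrive on it;
    routes: destination prefix -> outgoing trunk; neighbours: trunk -> Router."""
    def __init__(self, name, trunk_sources, routes):
        self.name, self.neighbours = name, {}
        self.trunk_sources = {t: [ipaddress.ip_network(p) for p in ps]
                              for t, ps in trunk_sources.items()}
        self.routes = {ipaddress.ip_network(p): t for p, t in routes.items()}
        self.seen, self.bogus = Counter(), Counter()  # per-trunk statistics
        self.blocked = set()  # trunks on which off-trunk sources are now dropped

    def next_hop(self, dst):  # longest-prefix match
        a = ipaddress.ip_address(dst)
        best = max((p for p in self.routes if a in p), default=None,
                   key=lambda p: p.prefixlen)
        return self.routes.get(best)

    def trunk_to(self, other):
        return next(t for t, r in self.neighbours.items() if r is other)

    def forward(self, trunk, src):
        """Count one packet; True if it is passed on, False if dropped."""
        self.seen[trunk] += 1
        ok = any(ipaddress.ip_address(src) in p
                 for p in self.trunk_sources.get(trunk, []))
        if not ok:
            self.bogus[trunk] += 1
        return ok or trunk not in self.blocked

    def bogus_trunk(self, threshold=0.01, min_samples=100):  # the statistics step
        return next((t for t, n in self.seen.items()  # >1% off-trunk sources
                     if n >= min_samples and self.bogus[t] / n > threshold), None)

    def request_filter(self, from_trunk, target):
        """ADA request received on from_trunk on behalf of target; honoured only if
        this router routes target out of from_trunk (no cutting off third parties)."""
        culprit = self.bogus_trunk()
        if self.next_hop(target) != from_trunk or culprit is None:
            return False
        self.blocked.add(culprit)
        upstream = self.neighbours.get(culprit)
        if upstream is not None:  # keep walking toward the source of the flood
            upstream.request_filter(upstream.trunk_to(self), target)
        return True

def run_scenario():
    """Constructed toy Internet: victim 198.51.100.0/24 behind V, attacker's ISP
    is E; 203.0.113.0/24 is unassigned here, so packets claiming it are bogus."""
    edge = Router("E", {"cust": ["10.1.0.0/16"], "core": ["198.51.100.0/24"]},
                  {"10.1.0.0/16": "cust", "0.0.0.0/0": "core"})
    core = Router("C", {"east": ["10.1.0.0/16"], "west": ["198.51.100.0/24"]},
                  {"10.1.0.0/16": "east", "198.51.100.0/24": "west"})
    victim = Router("V", {"up": ["10.1.0.0/16"], "lan": ["198.51.100.0/24"]},
                    {"198.51.100.0/24": "lan", "0.0.0.0/0": "up"})
    edge.neighbours["core"], victim.neighbours["up"] = core, core
    core.neighbours.update(east=edge, west=victim)
    path = [(edge, "cust"), (core, "east"), (victim, "up")]

    def send(src):  # one packet from the attacker's trunk toward the victim
        return all(r.forward(t, src) for r, t in path)
    spoofed = [f"203.0.113.{i % 250 + 1}" for i in range(200)]
    genuine = [f"10.1.{i}.7" for i in range(20)]
    before = sum(map(send, spoofed + genuine))
    # V sees off-trunk sources on 'up' and raises the request on its LAN's behalf
    accepted = victim.request_filter("lan", "198.51.100.10")
    # a customer of E asks to cut the victim off: E reaches it via 'core', refused
    abused = edge.request_filter("cust", "198.51.100.10")
    return {"accepted": accepted, "abused": abused, "before": before,
            "spoofed_after": sum(map(send, spoofed[:50])),
            "genuine_after": sum(map(send, genuine)),
            "blocked": [r.name for r, _ in path if r.blocked]}
```

Running the scenario walks the request V -> C -> E so that the spoofed packets are dropped at the attacker's own ISP while the genuine customer traffic still gets through, and the forged request from E's customer trunk is refused by the trunk-matching check.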
  • I don't know about *tracing* the source of the DoS attack (especially the DDoS attack), but I believe such a network would be useful to get some early warnings especially when IP spoofing is used, right?
  • Errrmmmm..... 127.0.0.1 == localhost. Quelle surprise, 1 hop away from yourself. Troll
  • Alright, first, ICMP is a necessity. It is the Internet Control Messaging Protocol, and is used to troubleshoot network issues.

    It's used for a lot more than that. It is a required protocol; all IP stacks must support it. If they don't, they aren't IP stacks, they're some proprietary thing that is similar to IP.
