

Listen: Experimental Evaluation


Table 2: Listen: Summary of Results

Direction   Number of Reachability Problems   Probability of False Negatives
Outbound    235                               0.93%
Inbound     343                               0.37%


In this section, we describe our real-world experiences using the Listen protocol. We make two important observations from our analysis. First, a large fraction of incomplete TCP connections are spurious, i.e., not indicative of a reachability problem. We show that by adaptively setting the parameters $T, N$ of our Listen algorithm we can drastically reduce the probability of false negatives due to such connections. Second, we are able to detect several reachability problems using Listen, including specific misconfiguration-related problems such as forwarding errors. Table 2 presents a concise summary of the results obtained from our deployment. We were able to detect reachability problems to $578$ different prefixes from our testbed, with very low false negative probabilities of $0.95\%$ and $0.37\%$ due to spurious outbound and inbound connections, respectively.

We will now describe our deployment experience in greater detail. In our testbed, we use three active probing tests to verify the correctness of results obtained using Listen: (a) ping the destination; (b) traceroute to the destination and check whether any IP address along the path lies in the same prefix as the destination; (c) scan port 80 on the destination IP address. These tests are triggered for every incomplete connection. A spurious TCP connection is an incomplete connection that is not indicative of a reachability problem. We classify an incomplete connection as spurious if any one of the probing tests shows that the route to the destination prefix works, and as a reachability problem only if all three probing tests fail.
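The verification step above, written out as an added example (this is not the paper's code): the decision rule is kept separate from the probes so it can be exercised offline. The live probe runner assumes Linux-style `ping -c/-W` and `traceroute -n -q -w` flags; the traceroute output, hop lists and prefixes below are constructed sample data, not measurements from the deployment.

```python
"""Verify a Listen report with the three active probes from the text.

Added example, not the paper's code. Rule: an incomplete connection is a
reachability problem only if ping, the traceroute prefix check and the
port-80 scan all fail; if any one succeeds, the connection is spurious.
"""
import ipaddress
import socket
import subprocess
from dataclasses import dataclass


@dataclass(frozen=True)
class ProbeResult:
    ping_ok: bool
    traceroute_hops: tuple   # hop addresses as strings; '*' where no reply
    port80_open: bool


def hop_in_prefix(hops, prefix):
    """True if any traceroute hop lies inside the destination's prefix."""
    net = ipaddress.ip_network(prefix, strict=False)
    for hop in hops:
        try:
            if ipaddress.ip_address(hop) in net:
                return True
        except ValueError:        # '*' (no reply) or unparsable: skip hop
            continue
    return False


def classify(result, dst_prefix):
    """The paper's rule: a problem only if all three probes fail."""
    if (result.ping_ok
            or hop_in_prefix(result.traceroute_hops, dst_prefix)
            or result.port80_open):
        return "spurious"
    return "reachability problem"


def parse_traceroute(text):
    """Hop addresses from `traceroute -n` output. Assumed line format:
    '<ttl>  <addr>  <rtt> ms' or '<ttl>  * * *'; the header line is skipped."""
    hops = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 2 and fields[0].isdigit():
            hops.append(fields[1])
    return tuple(hops)


def probe(dst_ip, timeout=2):
    """Run the three live probes (needs network; Linux flag semantics assumed)."""
    ping = subprocess.run(["ping", "-c", "1", "-W", str(timeout), dst_ip],
                          capture_output=True)
    tr = subprocess.run(["traceroute", "-n", "-q", "1", "-w", str(timeout), dst_ip],
                        capture_output=True, text=True)
    try:
        with socket.create_connection((dst_ip, 80), timeout=timeout):
            port80 = True
    except OSError:
        port80 = False
    return ProbeResult(ping.returncode == 0, parse_traceroute(tr.stdout), port80)


def summarize(observations):
    """Tally verdicts over (ProbeResult, dst_prefix) pairs, one direction at a time."""
    counts = {"spurious": 0, "reachability problem": 0}
    for result, prefix in observations:
        counts[classify(result, prefix)] += 1
    return counts


# Constructed sample data (documentation-range addresses, not real traces).
SAMPLE_TRACEROUTE = """traceroute to 203.0.113.77 (203.0.113.77), 30 hops max
 1  192.0.2.1  0.412 ms
 2  198.51.100.9  3.118 ms
 3  203.0.113.1  9.204 ms
 4  * * *
"""
SAMPLES = [
    # Host is down, but hop 3 is inside the destination prefix: spurious.
    (ProbeResult(False, parse_traceroute(SAMPLE_TRACEROUTE), False), "203.0.113.0/24"),
    # No ping, no prefix hop, but port 80 answers: spurious (e.g. telnet disabled).
    (ProbeResult(False, ("192.0.2.1", "*", "*"), True), "198.51.100.0/24"),
    # Nothing gets through: genuine reachability problem.
    (ProbeResult(False, ("192.0.2.1", "*", "*"), False), "198.51.100.0/24"),
]

if __name__ == "__main__":
    for result, prefix in SAMPLES:
        print(prefix, "->", classify(result, prefix))
    print(summarize(SAMPLES))
```

`probe()` is the only function that touches the network; feed its result to `classify()` with the destination's announced prefix (taken from the local routing table) to reproduce the testbed's verdict for a single incomplete connection.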


Table 3: Aggregate characteristics of Listen from the deployment

Number of end-hosts behind the /24 network    28
Number of days                                40
Total no. of TCP connections                  994234
No. of complete connections                   894897
No. of incomplete connections                 99337
Average routing table size                    123482
Total no. of active prefixes                  11141
Average no. of active prefixes per hour       141
Average no. of active prefixes per day        2500-3000
Verifiable prefixes                           9711
Prefixes with perennial problems              42


Table 3 presents the aggregate characteristics of the traffic we observed from a /24 network over $40$ days. Nearly $10\%$ of the connections are incomplete, and a large fraction of these are spurious ($91\%$ of inbound and $63\%$ of outbound incomplete connections). A closer look at the spurious connections showed that nearly $90\%$ of spurious inbound connections are due to port scanners and worms, the most prominent being the Microsoft NetBIOS worm and the SQL server worms [6]. Spurious outbound connections occur primarily due to failed connection attempts to non-live hosts and attempts to access disabled ports on other end-hosts (e.g., a telnet port that is disabled on the destination end-host). Given this alarmingly high number of spurious connections, we propose defensive measures to reduce the probability of false negatives due to such connections.



116 2004-02-12