Detecting ICMP Rate Limiting in the Internet (extended)
Hang Guo and John Heidemann
Citation
Hang Guo and John Heidemann. Detecting ICMP Rate Limiting in the Internet (extended). Technical Report ISI-TR-717. USC/Information Sciences Institute. [PDF] [alt PDF]
Bibtex Citation
@techreport{Guo17a,
author = {Guo, Hang and Heidemann, John},
title = {Detecting {ICMP} Rate Limiting in the {Internet} (extended)},
institution = {USC/Information Sciences Institute},
year = {2017},
sortdate = {2017-05-19},
project = {ant, retrofuturebridge, lacrend},
jsubject = {topology_modeling},
jlocation = {johnh: pafile},
number = {ISI-TR-717},
month = feb,
keywords = {icmp, rate limiting},
url = {https://ant.isi.edu/%7ejohnh/PAPERS/Guo17a.html},
pdfurl = {https://ant.isi.edu/%7ejohnh/PAPERS/Guo17a.pdf},
blogurl = {https://ant.isi.edu/blog/?p=1015},
abstact = {
Active probing with ICMP is the center of
many network measurements, with tools like ping, traceroute,
and their derivatives used to map topologies and as
a precursor for security scanning. However, rate limiting
of ICMP traffic has long been a concern, since undetected
rate limiting to ICMP could distort measurements, silently
creating false conclusions. To settle this concern, we look
systematically for ICMP rate limiting in the Internet. We
develop a model for how rate limiting affects probing,
validate it through controlled testbed experiments, and
create FADER, a new algorithm that can identify rate
limiting from user-side traces with minimal requirements
for new measurement traffic. We validate the accuracy
of FADER with many different network configurations in
testbed experiments and show that it almost always detects
rate limiting. Accuracy is perfect when measurement
probing ranges from 0 to 60x the rate limit, and almost
perfect (95\%) with up to 20\% packet loss. The worst
case for detection is when probing is very fast and blocks
are very sparse, but even there accuracy remains good
(measurements 60x the rate limit of a 10\% responsive
block is correct 65\% of the time). With this confidence,
we apply our algorithm to a random sample of whole
Internet, showing that rate limiting exists but that for slow
probing rates, rate-limiting is very, very rare. For our random
sample of 40,493 /24 blocks (about 2\% of the responsive
space), we confirm 6 blocks (0.02\%!) see rate limiting at
0.39 packets/s per block. We look at higher rates in public
datasets and suggest that fall-off in responses as rates
approach 1 packet/s per /24 block (14M packets/s from
the prober to the whole Internet), is consistent with rate
limiting. We also show that even very slow probing (0.0001
packet/s) can encounter rate limiting of NACKs that are
concentrated at a single router near the prober.
}
}