Carrier-Grade Anomaly Detection Using Time-to-Live Header Information

Time-to-Live data in the IP header offers two interesting characteristics: First, different IP stacks pick different start TTL values. Second, each traversed router should decrement the TTL value. The combination of both offers host and route fingerprinting options. We present the first work to investigate Internet-wide TTL behavior at carrier scale and evaluate its fit to detect anomalies, predominantly spoofed source IP addresses. Using purpose-built software, we capture 2 weeks of raw TTL data at a 40 Gbit/s Internet uplink. For further insight, we actively measure observed hosts and conduct large-scale hitlist-based measurements, which yields three complementary data sets for IPv4 and IPv6. A majority (69% IPv4; 81% IPv6) of passively observed multipacket hosts exhibit one stable TTL value. Active measurements on unstable hosts yield a stable anchor TTL value for more than 85% of responsive hosts. We develop a structure to further classify unstable hosts taking, for example, temporal stability into account. Correlation of TTL values with BGP data is clear, yet unpredictive. The results indicate that carrier-grade TTL anomaly detection can yield significant insights in the following categories: First, the method can flag anomalies based on TTL observations (yet likely at a difficult false positive/false negative trade-off). Second, the method can establish trust that a packet originates from its acclaimed source.