TCP/IP traffic patterns: attacks, errors, steganography or normal behaviour?

This paper presents the results of research on the way the network security is affected by the current state of TCP-IP protocol suite behaviour. A number of examples of possible issues are presented. When discussing classes of such issues, it is pointed out that security is affected by the existence of not only incorrect implementations, but also differences in implementations that can be used for various purposes. In the main part of the paper an analysis of the traffic collected on an Internet backbone link from the year 1999 up to 2006 is presented. The results show that the predicted behaviour can be observed in the real-world traffic. The differences between the measurement results and the theory are analysed, with a more in-depth look into a number of patterns and the changes of the patterns between the traffic collected in different years. In addition, an operating system detection tool is used to estimate the operating systems used by the nodes. Then the estimation is compared with anomaly patterns and the conclusions are presented. After analysing the findings, the pros and cons to different possible explanations of the observed patterns are presented, including flaws, attacks, various kinds of errors and steganography.