RadarGun

RadarGun is a tool for scalable and accurate IP alias resolution and velocity modeling. Briefly, it discovers aliases (two interfaces on the same router) among a list of IP addresses by sending probes to each IP address and inspecting the IP identifier (IP ID) in the IP header of the response. If a router's IP ID is implemented internally as a counter, RadarGun can model this counter over time by inferring the rate at which the counter increases. This rate is the "velocity" of the router and usually approximates a straight line. To determine aliases, RadarGun computes the "distance" between all pairs of lines; those pairs with a small distance, meaning their counters have similar values at the same time, are output as aliases.

RadarGun was inspired by, and an attempt to improve upon, Ally, the Scriptroute tool for alias resolution. By modeling the IP ID as a counter, RadarGun is able to resolve aliases among a list of addresses with far fewer probes than Ally, which requires fresh probes for every comparison.

Download

Version 0.2
Version 0.1
RadarGun depends on Scriptroute.

List of IP addresses tested for the paper.

FAQ

How should IP addresses be formatted as input to RadarGun?

For normal operation (finding aliases), one IP address per line. For "confirm" mode (enabled with the -c command line argument), each line consists of a list of suspected aliases for a single device.

When I probe a small number of IP addresses, RadarGun reports them as "non-linear", but when probed as part of a larger group, they are "linear". Why?

RadarGun sends probes as fast as it can. When sending probes to a small list of addresses, each address is probed so often that RadarGun actually affects the rate the address' IP ID is increasing (its slope), rather than just measures it. This causes the estimated slope to be very high, and RadarGun conservatively reports that this slope is too high to be modeled as linear. To fix this, increase the Delay parameter in params.rb.

Papers

People