{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,25]],"date-time":"2026-02-25T17:12:38Z","timestamp":1772039558190,"version":"3.50.1"},"reference-count":74,"publisher":"Association for Computing Machinery (ACM)","issue":"4","license":[{"start":{"date-parts":[[2024,9,16]],"date-time":"2024-09-16T00:00:00Z","timestamp":1726444800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Priv. Secur."],"published-print":{"date-parts":[[2024,11,30]]},"abstract":"<jats:p>Network reconnaissance and measurements play a central role in improving Internet security and are important for understanding the current deployments and trends. Such measurements often require coordination with the measured target. This limits the scalability and the coverage of the existing proposals. IP Identification (IPID) provides a side channel for remote measurements without requiring the targets to install agents or visit the measurement infrastructure. However, current IPID-based techniques have technical limitations due to their reliance on the idealistic assumption of stable IPID changes or prior knowledge, making them challenging to adopt for practical measurements.<\/jats:p>\n          <jats:p>In this work, we aim to tackle the limitations of existing techniques by introducing a novel approach: predictive analysis of IPID counter behavior. This involves utilizing a machine learning (ML) model to understand the historical patterns of IPID counter changes and predict future IPID values. To validate our approach, we implement six ML models and evaluate them on realistic IPID data collected from 4,698 Internet sources. Our evaluations demonstrate that among the six models, the Gaussian Process (GP) model has superior accuracy in tracking and predicting IPID values.<\/jats:p>\n          <jats:p>Using the GP-based predictive analysis, we implement a tool, called ZPredict, to infer various favorable information about target networks or servers. Our evaluation on a large dataset of public servers demonstrates its effectiveness in idle port scanning, measuring Russian censorship, and inferring Source Address Validation.<\/jats:p>\n          <jats:p>Our study methodology is ethical and was developed to mitigate any potential harm, taking into account the concerns associated with measurements.<\/jats:p>","DOI":"10.1145\/3672560","type":"journal-article","created":{"date-parts":[[2024,6,20]],"date-time":"2024-06-20T11:02:30Z","timestamp":1718881350000},"page":"1-33","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":2,"title":["ZPredict: ML-Based IPID Side-channel Measurements"],"prefix":"10.1145","volume":"27","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-8130-0472","authenticated-orcid":false,"given":"Haya","family":"Schulmann","sequence":"first","affiliation":[{"name":"Computer science, Goethe-University Frankfurt, Frankfurt am Main, Germany and ATHENE National Research Center for Applied Cybersecurity, Darmstadt Germany"}]},{"ORCID":"https:\/\/orcid.org\/0009-0000-4932-4266","authenticated-orcid":false,"given":"Shujie","family":"Zhao","sequence":"additional","affiliation":[{"name":"Cybersecurity Analytics and Defences, Fraunhofer Institute for Secure Information Technology SIT, Darmstadt Germany and ATHENE National Research Center for Applied Cybersecurity, Darmstadt Germany"}]}],"member":"320","published-online":{"date-parts":[[2024,9,16]]},"reference":[{"key":"e_1_3_3_2_2","unstructured":"[n.d.]. Rapid7 Labs. Retrieved Dec. 11 2022 from https:\/\/opendata.rapid7.com\/"},{"key":"e_1_3_3_3_2","unstructured":"[n.d.]. URL testing lists intended for discovering website censorship. Retrieved Feb. 11 2022 from https:\/\/github.com\/citizenlab\/test-lists"},{"issue":"5","key":"e_1_3_3_4_2","doi-asserted-by":"crossref","first-page":"594","DOI":"10.1080\/07474938.2010.481556","article-title":"An empirical comparison of machine learning models for time series forecasting","volume":"29","author":"Ahmed Nesreen K.","year":"2010","unstructured":"Nesreen K. Ahmed, Amir F. Atiya, Neamat El Gayar, and Hisham El-Shishiny. 2010. An empirical comparison of machine learning models for time series forecasting. Econ. Rev. 29, 5-6 (2010), 594\u2013621.","journal-title":"Econ. Rev."},{"key":"e_1_3_3_5_2","unstructured":"Fraunhofer AICOS. 2021. TSFEL Documentation Release 0.1.4. Retrieved Nov. 2 2021 from https:\/\/tsfel.readthedocs.io\/_\/downloads\/en\/development\/pdf\/"},{"issue":"4","key":"e_1_3_3_6_2","doi-asserted-by":"crossref","first-page":"311","DOI":"10.2478\/popets-2019-0071","article-title":"Detecting TCP\/IP connections via IPID hash collisions","volume":"2019","author":"Alexander Geoffrey","year":"2019","unstructured":"Geoffrey Alexander, Antonio M. Espinoza, and Jedidiah R. Crandall. 2019. Detecting TCP\/IP connections via IPID hash collisions. Proc. Privacy Enhanc. Technol. 2019, 4 (2019), 311\u2013328.","journal-title":"Proc. Privacy Enhanc. Technol."},{"key":"e_1_3_3_7_2","unstructured":"Antirez. [n.d.]. Retrieved Jan. 16 2022 from http:\/\/seclists.org\/bugtraq\/1998\/Dec\/0079.html"},{"key":"e_1_3_3_8_2","first-page":"1084","volume-title":"Proceedings of the International Conference on Research in Networking","author":"Rocha Antonio A. de A.","year":"2007","unstructured":"Antonio A. de A. Rocha, Rosa M. M. Leao, and Edmundo de Souza e Silva. 2007. A non-cooperative active measurement technique for estimating the average and variance of the one-way delay. In Proceedings of the International Conference on Research in Networking. Springer, 1084\u20131095."},{"key":"e_1_3_3_9_2","first-page":"3971","volume-title":"Proceedings of the 31st USENIX Security Symposium (USENIXSecurity\u201922)","author":"Arp Daniel","year":"2022","unstructured":"Daniel Arp, Erwin Quiring, Feargus Pendlebury, Alexander Warnecke, Fabio Pierazzi, Christian Wressnegger, Lorenzo Cavallaro, and Konrad Rieck. 2022. Dos and don\u2019ts of machine learning in computer security. In Proceedings of the 31st USENIX Security Symposium (USENIXSecurity\u201922). 3971\u20133988."},{"key":"e_1_3_3_10_2","doi-asserted-by":"crossref","unstructured":"Fred Baker and Pekka Savola. 2004. Rfc3704: Ingress filtering for multihomed networks. Retrieved from https:\/\/www.rfc-editor.org\/info\/rfc3704","DOI":"10.17487\/rfc3704"},{"key":"e_1_3_3_11_2","doi-asserted-by":"crossref","first-page":"337","DOI":"10.1145\/1452520.1452560","volume-title":"Proceedings of the 8th ACM SIGCOMM Conference on Internet Measurement","author":"Bender Adam","year":"2008","unstructured":"Adam Bender, Rob Sherwood, and Neil Spring. 2008. Fixing Ally\u2019s growing pains with velocity modeling. In Proceedings of the 8th ACM SIGCOMM Conference on Internet Measurement. 337\u2013342."},{"key":"e_1_3_3_12_2","first-page":"53","volume-title":"Proceedings of the USENIX Steps to Reducing Unwanted Traffic on the Internet Workshop (SRUTI\u201905)","volume":"5","author":"Beverly Robert","year":"2005","unstructured":"Robert Beverly and Steven Bauer. 2005. The spoofer project: Inferring the extent of source address filtering on the internet. In Proceedings of the USENIX Steps to Reducing Unwanted Traffic on the Internet Workshop (SRUTI\u201905), Vol. 5. 53\u201359."},{"key":"e_1_3_3_13_2","doi-asserted-by":"crossref","first-page":"123","DOI":"10.1007\/978-3-319-15509-8_10","volume-title":"Proceedings of the 16th International Conference on Passive and Active Measurement (PAM\u201915)","author":"Beverly Robert","year":"2015","unstructured":"Robert Beverly, Matthew Luckie, Lorenza Mosley, and K. C. Claffy. 2015. Measuring and characterizing IPv6 router availability. In Proceedings of the 16th International Conference on Passive and Active Measurement (PAM\u201915). Springer, 123\u2013135."},{"key":"e_1_3_3_14_2","article-title":"Requirements for Internet Hosts\u2014Communication Layers","author":"Braden Robert T.","year":"1989","unstructured":"Robert T. Braden. 1989. Requirements for Internet Hosts\u2014Communication Layers. RFC 1122. Retrieved from https:\/\/www.rfc-editor.org\/info\/rfc1122","journal-title":"RFC 1122"},{"key":"e_1_3_3_15_2","doi-asserted-by":"crossref","first-page":"653","DOI":"10.1145\/2785956.2787485","volume-title":"Proceedings of the ACM Conference on Special Interest Group on Data Communication","author":"Burnett Sam","year":"2015","unstructured":"Sam Burnett and Nick Feamster. 2015. Encore: Lightweight measurement of web censorship with cross-origin requests. In Proceedings of the ACM Conference on Special Interest Group on Data Communication. 653\u2013667."},{"key":"e_1_3_3_16_2","unstructured":"CAIDA. [n.d.]. Retrieved Nov. 10 2022 from https:\/\/www.caida.org\/"},{"key":"e_1_3_3_17_2","first-page":"95","volume-title":"Proceedings of the SIAM International Conference on Data Mining","author":"Chandola Varun","year":"2011","unstructured":"Varun Chandola and Ranga Raju Vatsavai. 2011. A Gaussian process-based online change detection algorithm for monitoring periodic time series. In Proceedings of the SIAM International Conference on Data Mining. SIAM, 95\u2013106."},{"key":"e_1_3_3_18_2","first-page":"1","volume-title":"Proceedings of the IEEE International Conference on Data Science and Advanced Analytics (DSAA\u201915)","author":"Chauhan Sucheta","year":"2015","unstructured":"Sucheta Chauhan and Lovekesh Vig. 2015. Anomaly detection in ECG time signals via deep long short-term memory networks. In Proceedings of the IEEE International Conference on Data Science and Advanced Analytics (DSAA\u201915). IEEE, 1\u20137."},{"key":"e_1_3_3_19_2","doi-asserted-by":"crossref","first-page":"108","DOI":"10.1007\/978-3-540-31966-5_9","volume-title":"Proceedings of the International Workshop on Passive and Active Network Measurement","author":"Chen Weifeng","year":"2005","unstructured":"Weifeng Chen, Yong Huang, Bruno F Ribeiro, Kyoungwon Suh, Honggang Zhang, Edmundo de Souza e Silva, Jim Kurose, and Don Towsley. 2005. Exploiting the IPID field to infer network path and end-system characteristics. In Proceedings of the International Workshop on Passive and Active Network Measurement. Springer, 108\u2013120."},{"key":"e_1_3_3_20_2","volume-title":"Internet Control Message Protocol (icmpv6) for the Internet Protocol Version 6 (ipv6) Specification","author":"Conta Alex","year":"1998","unstructured":"Alex Conta, Stephen Deering, and Mukesh Gupta. 1998. Internet Control Message Protocol (icmpv6) for the Internet Protocol Version 6 (ipv6) Specification. Technical Report. RFC 2463, December."},{"key":"e_1_3_3_21_2","unstructured":"Cyren. [n.d.]. Cyren URL Lookup API: Protect against advanced phishing attacks. Retrieved Nov. 10 2022 from https:\/\/www.cyren.com\/products\/url-lookup-api"},{"key":"e_1_3_3_22_2","first-page":"1039","volume-title":"Proceedings of the Annual Computer Security Applications Conference","author":"Dai Tianxiang","year":"2021","unstructured":"Tianxiang Dai and Haya Shulman. 2021. SMap: Internet-wide scanning for spoofing. In Proceedings of the Annual Computer Security Applications Conference. 1039\u20131050."},{"key":"e_1_3_3_23_2","first-page":"198","volume-title":"Proceedings of the International Workshop on Security Protocols","author":"Danezis George","year":"2008","unstructured":"George Danezis. 2008. Covert communications despite traffic data retention. In Proceedings of the International Workshop on Security Protocols. Springer, 198\u2013214."},{"key":"e_1_3_3_24_2","unstructured":"GeoIP2 Databases. [n.d.]. Retrieved Nov. 10 2022 from https:\/\/www.maxmind.com\/en\/geoip2-databases"},{"key":"e_1_3_3_25_2","doi-asserted-by":"publisher","DOI":"10.1145\/505733.505737"},{"key":"e_1_3_3_26_2","first-page":"605","volume-title":"Proceedings of the 22nd USENIX Security Symposium (USENIXSecurity\u201913)","author":"Durumeric Zakir","year":"2013","unstructured":"Zakir Durumeric, Eric Wustrow, and J. Alex Halderman. 2013. \\(\\lbrace\\) ZMap \\(\\rbrace\\) : Fast internet-wide scanning and its security applications. In Proceedings of the 22nd USENIX Security Symposium (USENIXSecurity\u201913). 605\u2013620."},{"key":"e_1_3_3_27_2","volume-title":"IPv6 IPID Needed","author":"Elkins Nalini","year":"2013","unstructured":"Nalini Elkins, Lawrence Kratzke, Michael Ackermann, and Keven Haining. 2013. IPv6 IPID Needed. Internet-Draft draft-elkins-v6ops-ipv6-ipid-needed-01. Internet Engineering Task Force. Retrieved from https:\/\/datatracker.ietf.org\/doc\/draft-elkins-v6ops-ipv6-ipid-needed\/01\/"},{"key":"e_1_3_3_28_2","doi-asserted-by":"crossref","first-page":"109","DOI":"10.1007\/978-3-319-04918-2_11","volume-title":"Proceedings of the 15th International Conference on Passive and Active Measurement (PAM\u201914)","author":"Ensafi Roya","year":"2014","unstructured":"Roya Ensafi, Jeffrey Knockel, Geoffrey Alexander, and Jedidiah R. Crandall. 2014. Detecting intentional packet drops on the internet via TCP\/IP side channels. In Proceedings of the 15th International Conference on Passive and Active Measurement (PAM\u201914). Springer, 109\u2013118."},{"key":"e_1_3_3_29_2","volume-title":"Proceedings of the Conference on Free and Open Communications on the Internet (FOCI\u201912)","author":"Filasto Arturo","year":"2012","unstructured":"Arturo Filasto and Jacob Appelbaum. 2012. OONI: Open observatory of network interference. In Proceedings of the Conference on Free and Open Communications on the Internet (FOCI\u201912)."},{"key":"e_1_3_3_30_2","doi-asserted-by":"publisher","DOI":"10.1016\/0305-0483(86)90013-7"},{"issue":"4","key":"e_1_3_3_31_2","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/2445566.2445568","article-title":"Fragmentation considered vulnerable","volume":"15","author":"Gilad Yossi","year":"2013","unstructured":"Yossi Gilad and Amir Herzberg. 2013. Fragmentation considered vulnerable. ACM Trans. Info. Syst. Secur. 15, 4 (2013), 1\u201331.","journal-title":"ACM Trans. Info. Syst. Secur."},{"key":"e_1_3_3_32_2","first-page":"816","volume-title":"Proceedings of the IEEE International Conference on Data Science and Advanced Analytics (DSAA\u201916)","author":"Guo Tian","year":"2016","unstructured":"Tian Guo, Zhao Xu, Xin Yao, Haifeng Chen, Karl Aberer, and Koichi Funaya. 2016. Robust online time series prediction with recurrent neural networks. In Proceedings of the IEEE International Conference on Data Science and Advanced Analytics (DSAA\u201916). Ieee, 816\u2013825."},{"key":"e_1_3_3_33_2","first-page":"224","volume-title":"Proceedings of the IEEE Conference on Communications and Network Security (CNS\u201913)","author":"Herzberg Amir","year":"2013","unstructured":"Amir Herzberg and Haya Shulman. 2013. Fragmentation considered poisonous, or: One-domain-to-rule-them-all.org. In Proceedings of the IEEE Conference on Communications and Network Security (CNS\u201913). IEEE, 224\u2013232."},{"key":"e_1_3_3_34_2","doi-asserted-by":"publisher","DOI":"10.1515\/freq-2017-0064"},{"key":"e_1_3_3_35_2","unstructured":"Kris Katterjohn. [n.d.]. Retrieved Feb. 11 2022 from https:\/\/svn.nmap.org\/nmap\/scripts\/ipidseq.nse"},{"issue":"2","key":"e_1_3_3_36_2","doi-asserted-by":"crossref","first-page":"383","DOI":"10.1109\/TNET.2012.2198887","article-title":"Internet-scale IPv4 alias resolution with MIDAR","volume":"21","author":"Keys Ken","year":"2012","unstructured":"Ken Keys, Young Hyun, Matthew Luckie, and Kim Claffy. 2012. Internet-scale IPv4 alias resolution with MIDAR. IEEE\/ACM Trans. Netw. 21, 2 (2012), 383\u2013399.","journal-title":"IEEE\/ACM Trans. Netw."},{"key":"e_1_3_3_37_2","first-page":"1063","volume-title":"Proceedings of the 28th USENIX Security Symposium (USENIXSecurity\u201919)","author":"Klein Amit","year":"2019","unstructured":"Amit Klein and Benny Pinkas. 2019. From IP ID to device ID and KASLR bypass. In Proceedings of the 28th USENIX Security Symposium (USENIXSecurity\u201919). 1063\u20131080."},{"key":"e_1_3_3_38_2","first-page":"107","volume-title":"Proceedings of the 21st International Conference on Passive and Active Measurement (PAM\u201920)","author":"Korczy\u0144ski Maciej","year":"2020","unstructured":"Maciej Korczy\u0144ski, Yevheniya Nosyk, Qasim Lone, Marcin Skwarek, Baptiste Jonglez, and Andrzej Duda. 2020. Don\u2019t forget to lock the front door! inferring the deployment of source address validation of inbound traffic. In Proceedings of the 21st International Conference on Passive and Active Measurement (PAM\u201920). Springer, 107\u2013121."},{"key":"e_1_3_3_39_2","first-page":"111","volume-title":"Proceedings of the 23rd USENIX Security Symposium (USENIXSecurity\u201914)","author":"K\u00fchrer Marc","year":"2014","unstructured":"Marc K\u00fchrer, Thomas Hupperich, Christian Rossow, and Thorsten Holz. 2014. Exit from hell? Reducing the impact of amplification DDoS attacks. In Proceedings of the 23rd USENIX Security Symposium (USENIXSecurity\u201914). 111\u2013125."},{"key":"e_1_3_3_40_2","unstructured":"Scikit Learn. [n.d.]. Retrieved Dec. 14 2020 from https:\/\/scikit-learn.org\/stable\/modules\/generated\/sklearn.gaussian_process.kernels.WhiteKernel.html"},{"key":"e_1_3_3_41_2","article-title":"Deployment of source address validation by network operators: A randomized control trial","author":"Lone Qasim","year":"2022","unstructured":"Qasim Lone, Alisa Frik, Matthew Luckie, M Korczy\u0144ski, Michel van Eeten, and Carlos Gan\u00e1n. 2022. Deployment of source address validation by network operators: A randomized control trial. In Proceedings of the IEEE Conference on Security and Privacy (S&P\u201922).","journal-title":"Proceedings of the IEEE Conference on Security and Privacy (S&P\u201922)"},{"key":"e_1_3_3_42_2","first-page":"1","volume-title":"Proceedings of the Network Traffic Measurement and Analysis Conference (TMA\u201918)","author":"Lone Qasim","year":"2018","unstructured":"Qasim Lone, Matthew Luckie, Maciej Korczy\u0144ski, Hadi Asghari, Mobin Javed, and Michel Van Eeten. 2018. Using crowdsourcing marketplaces for network measurements: The case of spoofer. In Proceedings of the Network Traffic Measurement and Analysis Conference (TMA\u201918). IEEE, 1\u20138."},{"key":"e_1_3_3_43_2","doi-asserted-by":"crossref","first-page":"229","DOI":"10.1007\/978-3-319-54328-4_17","volume-title":"Proceedings of the International Conference on Passive and Active Network Measurement","author":"Lone Qasim","year":"2017","unstructured":"Qasim Lone, Matthew Luckie, Maciej Korczy\u0144ski, and Michel Van Eeten. 2017. Using loops observed in traceroute to infer the ability to spoof. In Proceedings of the International Conference on Passive and Active Network Measurement. Springer, 229\u2013241."},{"key":"e_1_3_3_44_2","first-page":"119","volume-title":"Proceedings of the Conference on Internet Measurement Conference","author":"Luckie Matthew","year":"2013","unstructured":"Matthew Luckie, Robert Beverly, William Brinkmeyer, and K. C. Claffy. 2013. Speedtrap: Internet-scale IPv6 alias resolution. In Proceedings of the Conference on Internet Measurement Conference. 119\u2013126."},{"key":"e_1_3_3_45_2","first-page":"465","volume-title":"Proceedings of the ACM SIGSAC Conference on Computer and Communications Security","author":"Luckie Matthew","year":"2019","unstructured":"Matthew Luckie, Robert Beverly, Ryan Koga, Ken Keys, Joshua A. Kroll, and K. Claffy. 2019. Network hygiene, incentives, and regulation: Deployment of source address validation in the internet. In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security. 465\u2013480."},{"key":"e_1_3_3_46_2","unstructured":"Gordon \u201cFyodor\u201d Lyon. [n.d.]. Retrieved Feb. 11 2022 from https:\/\/nmap.org\/book\/"},{"key":"e_1_3_3_47_2","unstructured":"MANRS. [n.d.]. Anti-Spoofing\u2014Preventing traffic with spoofed source IP addresses. Retrieved Jan. 25 2023 from https:\/\/www.manrs.org\/netops\/guide\/antispoofing\/"},{"key":"e_1_3_3_48_2","unstructured":"Arturo Filast\u00f2 Maria Xynou. [n.d.]. New blocks emerge in Russia amid war in Ukraine: An OONI network measurement analysis. Retrieved Nov. 10 2022 from https:\/\/ooni.org\/post\/2022-russia-blocks-amid-ru-ua-conflict\/"},{"key":"e_1_3_3_49_2","unstructured":"Jared Mauch. [n.d.]. Spoofing ASNs. Retrieved Jan. 25 2023 from https:\/\/seclists.org\/nanog\/2013\/Aug\/132"},{"key":"e_1_3_3_50_2","doi-asserted-by":"publisher","DOI":"10.1016\/B978-0-12-813117-6.00003-X"},{"key":"e_1_3_3_51_2","first-page":"1265","volume-title":"Proceedings of the IEEE International Conference on Communications (ICC\u201912)","author":"Mongkolluksamee Sophon","year":"2012","unstructured":"Sophon Mongkolluksamee, Kensuke Fukuda, and Panita Pongpaibool. 2012. Counting NATted hosts by observing TCP\/IP field behaviors. In Proceedings of the IEEE International Conference on Communications (ICC\u201912). IEEE, 1265\u20131270."},{"issue":"3","key":"e_1_3_3_52_2","first-page":"69","article-title":"A guide to appropriate use of correlation coefficient in medical research","volume":"24","author":"Mukaka Mavuto M.","year":"2012","unstructured":"Mavuto M. Mukaka. 2012. A guide to appropriate use of correlation coefficient in medical research. Malawi Med. J. 24, 3 (2012), 69\u201371.","journal-title":"Malawi Med. J."},{"key":"e_1_3_3_53_2","first-page":"135","volume-title":"Proceedings of the IEEE Symposium on Security and Privacy (SP\u201920)","author":"Niaki Arian Akhavan","year":"2020","unstructured":"Arian Akhavan Niaki, Shinyoung Cho, Zachary Weinberg, Nguyen Phong Hoang, Abbas Razaghpanah, Nicolas Christin, and Phillipa Gill. 2020. ICLab: A global, longitudinal internet censorship measurement platform. In Proceedings of the IEEE Symposium on Security and Privacy (SP\u201920). IEEE, 135\u2013151."},{"key":"e_1_3_3_54_2","first-page":"533","volume-title":"Proceedings of the Conference of the ACM Special Interest Group on Data Communication (SIGCOMM\u201918)","author":"Nisar Aqib","year":"2018","unstructured":"Aqib Nisar, Aqsa Kashaf, Ihsan Ayyub Qazi, and Zartash Afzal Uzmi. 2018. Incentivizing censorship measurements via circumvention. In Proceedings of the Conference of the ACM Special Interest Group on Data Communication (SIGCOMM\u201918). ACM, New York, NY, 533\u2013546. 10.1145\/3230543.3230568"},{"key":"e_1_3_3_55_2","unstructured":"NMAP. [n.d.]. TCP Idle Scan. Retrieved Nov. 10 2022 from https:\/\/nmap.org\/book\/idlescan.html"},{"key":"e_1_3_3_56_2","doi-asserted-by":"crossref","first-page":"69","DOI":"10.1007\/978-3-030-00434-7_4","volume-title":"Proceedings of the International Conference on Cryptology and Network Security","author":"Orevi Liran","year":"2018","unstructured":"Liran Orevi, Amir Herzberg, and Haim Zlatokrilov. 2018. DNS-DNS: DNS-based de-nat scheme. In Proceedings of the International Conference on Cryptology and Network Security. Springer, 69\u201388."},{"key":"e_1_3_3_57_2","first-page":"427","volume-title":"Proceedings of the IEEE Symposium on Security and Privacy (SP\u201917)","author":"Pearce Paul","year":"2017","unstructured":"Paul Pearce, Roya Ensafi, Frank Li, Nick Feamster, and Vern Paxson. 2017. Augur: Internet-wide detection of connectivity disruptions. In Proceedings of the IEEE Symposium on Security and Privacy (SP\u201917). IEEE, 427\u2013443."},{"key":"e_1_3_3_58_2","volume-title":"Internet Protocol","author":"Postel Jon","year":"1981","unstructured":"Jon Postel. 1981. Internet Protocol. RFC 791. RFC Editor. Retrieved from https:\/\/www.rfc-editor.org\/info\/rfc791"},{"key":"e_1_3_3_59_2","volume-title":"Proceedings of the Network and Distributed Systems Security Symposium (NDSS\u201920)","author":"Ramesh Reethika","year":"2020","unstructured":"Reethika Ramesh, Ram Sundara Raman, Matthew Bernhard, Victor Ongkowijaya, Leonid Evdokimov, Anne Edmundson, Steven Sprecher, Muhammad Ikram, and Roya Ensafi. 2020. Decentralized control: A case study of Russia. In Proceedings of the Network and Distributed Systems Security Symposium (NDSS\u201920)."},{"key":"e_1_3_3_60_2","unstructured":"RosKomSvoboda. [n.d.]. Monitoring of registry. Retrieved June 10 2023 from https:\/\/reestr.rublacklist.net\/en\/"},{"key":"e_1_3_3_61_2","doi-asserted-by":"crossref","first-page":"243","DOI":"10.1007\/978-3-319-76481-8_18","volume-title":"Proceedings of the International Conference on Passive and Active Network Measurement","author":"Salutari Flavia","year":"2018","unstructured":"Flavia Salutari, Danilo Cicalese, and Dario J. Rossi. 2018. A closer look at ip-id behavior in the wild. In Proceedings of the International Conference on Passive and Active Network Measurement. Springer, 243\u2013254."},{"key":"e_1_3_3_62_2","article-title":"Computing TCP\u2019s Retransmission Timer","author":"Sargent Matt","year":"2011","unstructured":"Matt Sargent, Jerry Chu, Dr. Vern Paxson, and Mark Allman. 2011. Computing TCP\u2019s Retransmission Timer. RFC 6298. Retrieved from https:\/\/www.rfc-editor.org\/info\/rfc6298","journal-title":"RFC 6298"},{"key":"e_1_3_3_63_2","doi-asserted-by":"crossref","first-page":"69","DOI":"10.1007\/978-3-031-56252-5_4","volume-title":"Proceedings of the International Conference on Passive and Active Network Measurement","author":"Schulmann Haya","year":"2024","unstructured":"Haya Schulmann and Shujie Zhao. 2024. Insights into SAV implementations in the internet. In Proceedings of the International Conference on Passive and Active Network Measurement. Springer, 69\u201387."},{"key":"e_1_3_3_64_2","doi-asserted-by":"publisher","DOI":"10.1016\/B978-0-12-384982-3.00004-3"},{"key":"e_1_3_3_65_2","article-title":"Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing","author":"Senie Daniel","year":"2000","unstructured":"Daniel Senie and Paul Ferguson. 2000. Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing. RFC 2827. Retrieved from https:\/\/www.rfc-editor.org\/info\/rfc2827","journal-title":"RFC 2827"},{"issue":"4","key":"e_1_3_3_66_2","doi-asserted-by":"crossref","first-page":"133","DOI":"10.1145\/964725.633039","article-title":"Measuring ISP topologies with rocketfuel","volume":"32","author":"Spring Neil","year":"2002","unstructured":"Neil Spring, Ratul Mahajan, and David Wetherall. 2002. Measuring ISP topologies with rocketfuel. ACM SIGCOMM Comput. Commun. Rev. 32, 4 (2002), 133\u2013145.","journal-title":"ACM SIGCOMM Comput. Commun. Rev."},{"key":"e_1_3_3_67_2","doi-asserted-by":"crossref","unstructured":"K. Sriram D. Montgomery and J. Haas. 2020. RFC 8704 enhanced feasible-path unicast reverse path forwarding.","DOI":"10.17487\/RFC8704"},{"key":"e_1_3_3_68_2","unstructured":"The Moscow Times. [n.d.]. Russia Has Blocked 138K Websites Since Ukraine Invasion Prosecutor Says. Retrieved Nov. 10 2022 from https:\/\/www.themoscowtimes.com\/2022\/08\/08\/russia-has-blocked-138k-websites-since-ukraine-invasion-prosecutor-says-a78532"},{"key":"e_1_3_3_69_2","article-title":"Updated Specification of the IPv4 ID Field","author":"Touch Dr. Joseph D.","year":"2013","unstructured":"Dr. Joseph D. Touch. 2013. Updated Specification of the IPv4 ID Field. RFC 6864. Retrieved from https:\/\/www.rfc-editor.org\/info\/rfc6864","journal-title":"RFC 6864"},{"key":"e_1_3_3_70_2","first-page":"247","volume-title":"Proceedings of the IEEE Security and Privacy Workshops (SPW)","author":"Ham Jeroen Van Der","year":"2017","unstructured":"Jeroen Van Der Ham. 2017. Ethics and internet measurements. In Proceedings of the IEEE Security and Privacy Workshops (SPW). 247\u2013251. 10.1109\/SPW.2017.17"},{"key":"e_1_3_3_71_2","volume-title":"Proceedings of the Conference on Free and Open Communications on the Internet (FOCI\u201912)","author":"Verkamp John-Paul","year":"2012","unstructured":"John-Paul Verkamp and Minaxi Gupta. 2012. Inferring mechanics of web censorship around the world. In Proceedings of the Conference on Free and Open Communications on the Internet (FOCI\u201912)."},{"key":"e_1_3_3_72_2","article-title":"Alias resolution based on ICMP rate limiting","author":"Vermeulen Kevin","year":"2020","unstructured":"Kevin Vermeulen, Burim Ljuma, Vamsi Addanki, Matthieu Gouel, Olivier Fourmaux, Timur Friedman, and Reza Rejaie. 2020. Alias resolution based on ICMP rate limiting. Retrieved from https:\/\/arXiv:2002.00252","journal-title":"Retrieved from https:\/\/arXiv:2002.00252"},{"key":"e_1_3_3_73_2","article-title":"The worldwide web of Chinese and Russian information controls","author":"Weber Valentin","year":"2019","unstructured":"Valentin Weber. 2019. The worldwide web of Chinese and Russian information controls. Center for Technology and Global Affairs, University of Oxford.","journal-title":"Center for Technology and Global Affairs, University of Oxford"},{"key":"e_1_3_3_74_2","first-page":"179","volume-title":"Proceedings of the 22nd ACM Internet Measurement Conference","author":"Xue Diwen","year":"2022","unstructured":"Diwen Xue, Benjamin Mixon-Baca, Anna Ablove, Beau Kujath, Jedidiah R. Crandall, and Roya Ensafi. 2022. TSPU: Russia\u2019s decentralized censorship system. In Proceedings of the 22nd ACM Internet Measurement Conference. 179\u2013194."},{"key":"e_1_3_3_75_2","first-page":"2069","volume-title":"Proceedings of the IEEE Conference on Computer Communications (INFOCOM\u201918)","author":"Zhang Xu","year":"2018","unstructured":"Xu Zhang, Jeffrey Knockel, and Jedidiah R. Crandall. 2018. Onis: Inferring tcp\/ip-based trust relationships completely off-path. In Proceedings of the IEEE Conference on Computer Communications (INFOCOM\u201918). IEEE, 2069\u20132077."}],"container-title":["ACM Transactions on Privacy and Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3672560","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3672560","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T00:06:14Z","timestamp":1750291574000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3672560"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,9,16]]},"references-count":74,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2024,11,30]]}},"alternative-id":["10.1145\/3672560"],"URL":"https:\/\/doi.org\/10.1145\/3672560","relation":{},"ISSN":["2471-2566","2471-2574"],"issn-type":[{"value":"2471-2566","type":"print"},{"value":"2471-2574","type":"electronic"}],"subject":[],"published":{"date-parts":[[2024,9,16]]},"assertion":[{"value":"2023-09-25","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-05-19","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-09-16","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}