ABSTRACT
The monitoring of packets destined for routable, yet unused, Internet addresses has proved to be a useful technique for measuring a variety of specific Internet phenomena (e.g., worms, DDoS). In 2004, Pang et al. stepped beyond these targeted uses and provided one of the first generic characterizations of this non-productive traffic, demonstrating both its significant size and diversity. However, the six years that followed this study have seen tremendous changes in both the types of malicious activity on the Internet and the quantity and quality of unused address space. In this paper, we revisit the state of Internet "background radiation" through the lens of two unique data sets: a five-year collection from a single unused /8 network block, and week-long collections from three recently allocated /8 network blocks. Through the longitudinal study of the long-lived block, comparisons between blocks, and extensive case studies of traffic in these blocks, we characterize the current state of background radiation, specifically highlighting those features that remain invariant from previous measurements and those which exhibit significant differences. Of particular interest in this work is the exploration of address space pollution, in which significant non-uniform behavior is observed. However, unlike previous observations of differences between unused blocks, we show that increasingly these differences are the result of environmental factors (e.g., misconfiguration, location), rather than algorithmic factors. Where feasible, we offer suggestions for cleanup of these polluted blocks and identify those blocks whose allocations should be withheld.
REFERENCES
- D. Moore, V. Paxson, S. Savage, and Shannon C. Inside the Slammer Worm. In Proceedings of IEEE Security and Privacy, Jun 2003.
- D. Moore, C. Shannon, and J. Brown. A Case Study on the Spread and Victims of an Internet Worm. In Proceedings of ACM SIGCOMM Internet Measurement Workshop, Nov 2002.
- Michael Bailey, Evan Cooke, David Watson, Farnam Jahanian, and Jose Nazario. The Blaster Worm: Then and Now. IEEE Security & Privacy, 3(4):26-31, 2005.
- D. Moore, G. Voelker, and S. Savage. Inferring Internet Denial of Service Activity. In Proceedings of the 2001 USENIX Security Symposium, Aug 2001.
- M. Bailey, E. Cooke, D. Watson, F. Jahanian, and N. Provos. Practical Darknet Measurement. In Proceedings of the 40th Annual Conference on Information Sciences and Systems (CISS), Mar 2006.
- D. Moore, C. Shannon, G.M. Voelker, and S. Savage. Network Telescopes. Cooperative Association for Internet Data Analysis - Technical Report, 2004.
- M. Bailey, E. Cooke, D. Watson, F. Jahanian, and N. Provos. Towards Understanding Distributed Blackhole Placement. In Proceedings of the 2nd Workshop on Rapid Malcode (WORM), Oct 2004.
- V. Yegneswaran, P. Barford, and D. Plonka. On the Design and Use of Internet Sinks for Network Abuse Monitoring. In Proceedings of the Symposium on Recent Advances in Intrusion Detection, Sep 2004.
- M. Bailey, E. Cooke, D. Watson, F. Jahanian, and N. Provos. The Internet Motion Sensor - A Distributed Blackhole Monitoring System. In Proceedings of the 12th Annual Network and Distributed System Security Symposium (NDSS), Feb 2005.
- R. Pang, V. Yegneswaran, P. Barford, V. Paxson, and L. Peterson. Characteristics of Internet Background Radiation. In Proceedings of the 4th ACM SIGCOMM Conference on Internet Measurement, Oct 2004.
- Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, and Andreas Terzis. A multifaceted approach to understanding the botnet phenomenon. In IMC '06: Proceedings of the 6th ACM SIGCOMM on Internet measurement, pages 41-52, New York, NY, USA, 2006. ACM Press.
- Evan Cooke, Farnam Jahanian, and Danny McPherson. The Zombie roundup: Understanding, detecting, and disrupting botnets. In Proceedings of the Steps to Reducing Unwanted Traffic on the Internet (SRUTI 2005 Workshop), Cambridge, MA, July 2005.
- E. Eugene Schultz. Where have the worms and viruses gone? New trends in malware. Computer Fraud & Security, 2006(7):4-8, 2006.
- Craig Labovitz, Scott Iekel-Johnson, Danny McPherson, Jon Oberheide, and Farnam Jahanian. Internet Inter-Domain Traffic. In Proc. ACM SIGCOMM (To Appear), 2010.
- Geoff Huston. The changing Foundation of the Internet: confronting IPv4 Address Exhaustion. The Internet Protocol Journal, September 2008.
- Protected Repository for the Defense of Infrastructure Against Cyber Threats. http://www.predict.org.
- Michael Bailey, Evan Cooke, Farnam Jahanian, Niels Provos, Karl Rosaen, and David Watson. Data Reduction for the Scalable Automated Analysis of Distributed Darknet Traffic. Proceedings of the USENIX/ACM Internet Measurement Conference, October 2005.
- Sushant Sinha, Michael Bailey, and Farnam Jahanian. Shedding light on the configuration of dark addresses. In Proceedings of Network and Distributed System Security Symposium (NDSS '07), February 2007.
- John Bethencourt, Jason Franklin, and Mary Vernon. Mapping Internet sensors with probe response attacks. In Proceedings of the 14th USENIX Security Symposium, Baltimore, MD, August 2005.
- Moheeb Abu Rajab, Fabian Monrose, and Andreas Terzis. On the effectiveness of distributed worm monitoring. In Proceedings of the 14th USENIX Security Symposium, Baltimore, MD, August 2005.
- Evan Cooke, Z. Morley Mao, and Farnam Jahanian. Hotspots: The root causes of non-uniformity in self-propagating malware. In Proceedings of the International Conference on Dependable Systems and Networks (DSN'2006), June 2006.
- Abhishek Kumar, Vern Paxson, and Nicholas Weaver. Exploiting underlying structure for detailed reconstruction of an internet-scale event. Proceedings of the USENIX/ACM Internet Measurement Conference, October 2005.
- Mark Allman, Vern Paxson, and Jeff Terrell. A brief history of scanning. In IMC '07: Proceedings of the 7th ACM SIGCOMM conference on Internet measurement, New York, NY, USA, 2007.
- Route Views Project. University of Oregon Route Views Project. http://archive.routeviews.org/, Aug 2010.
- RIPE (Réseaux IP Européens). RIS Raw Data. http://www.ripe.net/projects/ris/rawdata.html, Aug 2010.
- RADb: Merit network inc. routing assets database. http://www.radb.net/.
- B. Kantor, S. Savage, R. Wesson, B. Enright, P. Porras, V. Yegneswaran, J. Wolfgang, and Castro S. Conflicker/Conflicker/Downadup as seen from the UCSD Network Telescope - Feb 2009. http://www.caida.org/research/security/ms08-067/conflicker.xml.
- S. Gauci. RTP Traffic to 1.1.1.1 - Feb 2010. http://blog.sipvicious.org/2010/02/rtp-traffic-to-1111.html.
- S. Eivind. usken.no - VoIP news! - Feb 2010. http://www.usken.no/2010/02/sip-scanning-causes-ddos-on-ip-1-1-1-1/.
- Adrian Mariño. Fake Servers List - Official eMule-Board - Apr 2010. http://forum.emule-project.net/index.php?showtopic=139609&st=60.
- Evan Cooke, Michael Bailey, Farnam Jahanian, and Richard Mortier. The Dark Oracle: Perspective-Aware Unused and Unreachable Address Discovery. In Proceedings of the 3rd Symposium on Networked Systems Design & Implementation (NSDI'06), pages 101-114, San Jose, California, USA, May 2006.