Extracting benefit from harm: using malware pollution to analyze the impact of political and geophysical events on the internet

Unsolicited one-way Internet traffic, also called Internet background radiation (IBR), has been used for years to study malicious activity on the Internet, including worms, DoS attacks, and scanning address space looking for vulnerabilities to exploit. We show how such traffic can also be used to analyze macroscopic Internet events that are unrelated to malware. We examine two phenomena: country-level censorship of Internet communications described in recent work, and natural disasters (two recent earthquakes). We introduce a new metric of local IBR activity based on the number of unique IP addresses per hour contributing to IBR. The advantage of this metric is that it is not affected by bursts of traffic from a few hosts. Although we have only scratched the surface, we are convinced that IBR traffic is an important building block for comprehensive monitoring, analysis, and possibly even detection of events unrelated to the IBR itself. In particular, IBR offers the opportunity to monitor the impact of events such as natural disasters on network infrastructure, and it reveals a view of events that is complementary to many existing measurement platforms based on (BGP) control-plane views or targeted active ICMP probing.
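The following sketch is an added example, not code from the paper. It computes the unique-source-per-hour metric next to a raw packet count to show why a burst from one host moves the latter but not the former. The record layout, the pre-assigned country code `XX`, the sample data, and the median-based drop rule are all assumptions made for illustration.

```python
from collections import defaultdict
from statistics import median

HOUR = 3600
BASE = 1_600_000_000 // HOUR * HOUR  # constructed, hour-aligned start time

def build_sample():
    """Constructed darknet records: (unix_ts, src_ip, country_code)."""
    records = []
    for h in range(4):
        hosts = 3 if h == 2 else 20          # hour 2 simulates an outage
        for i in range(hosts):
            records.append((BASE + h * HOUR + i, f"198.51.100.{i + 1}", "XX"))
    # Hour 1: a single host emits a 500-packet burst (e.g. an aggressive scanner).
    records += [(BASE + HOUR + 100 + n, "198.51.100.1", "XX") for n in range(500)]
    return records

def hourly_metrics(records, country):
    """Return {hour_start: (packet_count, unique_source_count)} for one country."""
    packets = defaultdict(int)
    sources = defaultdict(set)
    for ts, src, cc in records:
        if cc != country:
            continue
        hour = ts - ts % HOUR
        packets[hour] += 1
        sources[hour].add(src)
    return {h: (packets[h], len(sources[h])) for h in sorted(packets)}

def low_activity_hours(metrics, fraction=0.5):
    """Hours whose unique-source count is below fraction * median (assumed rule)."""
    baseline = median(u for _, u in metrics.values())
    return [h for h, (_, u) in metrics.items() if u < fraction * baseline]

if __name__ == "__main__":
    m = hourly_metrics(build_sample(), "XX")
    for h, (p, u) in m.items():
        print((h - BASE) // HOUR, "packets:", p, "unique sources:", u)
    print("low hours:", [(h - BASE) // HOUR for h in low_activity_hours(m)])
```

In the constructed data the burst hour shows 520 packets but still 20 unique sources, while the simulated outage hour is the only one flagged.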
