Spatial-Temporal Characteristics of Internet Malicious Sources

This paper presents a large-scale longitudinal study of the spatial and temporal features of malicious source addresses. The basis of our study is a 402-day trace of over 7 billion Internet intrusion attempts provided by DShield.org, which includes 160 million unique source addresses. Specifically, we focus on the spatial distributions and temporal characteristics of malicious sources. First, we find that, among the 2^32 IPv4 addresses, one out of 27 hosts is potentially a scanning source. We then show that malicious sources have a persistent, non-uniform spatial distribution: more than 80% of the sources send packets from the same 20% of the IPv4 address space over time. We also find that 7.3% of malicious source addresses are unroutable, and that some source addresses are correlated. Next, we show that most sources have a short lifetime: 57.9% of the source addresses appear only once in the trace, and 90% of source addresses appear fewer than 5 times. These results have implications for both attacks and defenses.
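The three measurements the abstract reports (share of unroutable sources, concentration of sources in the address space, and the appearance-count distribution) can be reproduced on any per-source intrusion log. The following is an added example written for this page, not code from the paper or from DShield; it runs on a small constructed trace of (day, source address) records rather than real DShield data. The unroutable test here is an assumption-level approximation: it flags special-purpose ranges known to Python's ipaddress module (private, loopback, reserved, multicast), whereas a routing-based definition would check each source against a BGP table snapshot, which this self-contained example does not do.

```python
"""Reproduce the abstract's three per-source measurements on a constructed trace.

Input: one (day, source_ip) record per reported intrusion attempt.
Outputs: unroutable share of unique sources, address-space concentration
of sources, and the appearance-count distribution of sources.
"""
import ipaddress
from collections import Counter

# Constructed sample trace; these records are NOT DShield data, and the
# addresses were chosen only to exercise the checks below. Each tuple is
# (day index, source address that was reported).
SAMPLE_TRACE = [
    (1, "23.45.67.89"), (2, "23.45.67.89"), (3, "23.45.67.89"),
    (4, "23.45.67.89"), (5, "23.45.67.89"), (6, "23.45.67.89"),   # 6 appearances
    (1, "23.45.67.90"), (3, "23.45.67.90"), (9, "23.45.67.90"),   # 3 appearances
    (2, "23.45.67.93"), (4, "23.45.67.93"), (5, "23.45.67.93"),
    (7, "23.45.67.93"), (8, "23.45.67.93"),                       # 5 appearances
    (4, "58.14.22.7"), (8, "58.14.22.7"),                         # 2 appearances
    (2, "23.45.100.1"), (2, "23.200.5.5"), (5, "91.200.30.4"),    # one appearance each
    (5, "185.60.10.3"), (3, "23.45.67.91"), (6, "23.45.67.92"),
    (7, "58.14.22.8"), (9, "91.200.30.5"),
    # unroutable sources (private, loopback, reserved, multicast), one each
    (6, "10.0.0.5"), (7, "127.0.0.1"), (7, "240.1.2.3"), (8, "224.0.0.9"),
]


def source_counts(trace):
    """Map each unique source address to the number of records it appears in."""
    return Counter(ip for _day, ip in trace)


def is_unroutable(ip):
    """Approximation (assumption): special-purpose ranges per the ipaddress
    module. A routing-based definition would consult a BGP table instead."""
    addr = ipaddress.ip_address(ip)
    return (not addr.is_global) or addr.is_multicast


def unroutable_fraction(counts):
    """Fraction of unique sources that fall in unroutable ranges."""
    sources = list(counts)
    return sum(1 for ip in sources if is_unroutable(ip)) / len(sources)


def address_space_share(counts, source_fraction=0.8, prefix_len=8):
    """Smallest number of /prefix_len blocks that together hold at least
    `source_fraction` of the unique sources, plus the share of all possible
    blocks that number represents (the '80% of sources from 20% of space'
    style figure)."""
    shift = 32 - prefix_len
    per_block = Counter(int(ipaddress.ip_address(ip)) >> shift for ip in counts)
    needed = source_fraction * len(counts)
    covered = blocks = 0
    for _block, n_sources in per_block.most_common():   # densest blocks first
        covered += n_sources
        blocks += 1
        if covered >= needed:
            break
    total_blocks = 1 << prefix_len
    return blocks, total_blocks, blocks / total_blocks


def appearance_distribution(counts, short_cutoff=5):
    """(fraction of sources seen exactly once,
        fraction of sources seen fewer than `short_cutoff` times)."""
    n = len(counts)
    once = sum(1 for c in counts.values() if c == 1) / n
    short = sum(1 for c in counts.values() if c < short_cutoff) / n
    return once, short


if __name__ == "__main__":
    counts = source_counts(SAMPLE_TRACE)
    print("unique sources:", len(counts))
    print("unroutable fraction:", unroutable_fraction(counts))
    for plen in (8, 16):
        blocks, total, share = address_space_share(counts, 0.8, plen)
        print(f"80% of sources live in {blocks} of {total} /{plen} blocks ({share:.4%})")
    once, short = appearance_distribution(counts)
    print(f"seen once: {once:.1%}, seen fewer than 5 times: {short:.1%}")
```

On a real trace the interesting parameter is `prefix_len`: the abstract's 80/20 statement is about the address space as a whole, and running the concentration function at /8, /16 and /24 shows how much of that skew is inter-network versus intra-network. The appearance-count function is what yields the "appears only once" and "fewer than 5 times" figures the abstract reports.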
