Toward a Model for Source Addresses of Internet Background Radiation

Internet background radiation, the fundamentally unproductive traffic that arises from misconfigurations and malicious activities, is pervasive and has complex characteristics. Understanding the network locations of hosts that generate background radiation can be helpful in the development of new techniques aimed at reducing this unwanted traffic. This paper presents an initial investigation of the network locations of hosts that generate malicious background radiation, using source addresses in packet traces from network telescopes, firewalls and intrusion detection systems distributed throughout the Internet. We characterize background radiation source addresses across the IPv4 address space for /8, /16 and /24 aggregates. Using a conservative multiscale density estimation method, we find that source addresses of background radiation form a relatively small number of tight clusters, i.e., the distribution of source addresses exhibits characteristics of a highly irregular multifractal with a broad spectrum that is consistent over all of our data. We verify that the distributional properties are consistent with multifractals, and propose a multiscale multiplicative innovations (MMI) model for host locations that can be used to generate random variates with the same distributional properties as our empirical data. This model is targeted for use in analytic, simulation and emulation evaluations of methods for reducing unwanted traffic, as well as potential real-time monitoring and detection applications.
