Classifying internet one-way traffic

Internet background radiation (IBR) is a very interesting piece of Internet traffic, as it is the result of attacks and misconfigurations. Previous work has primarily analyzed IBR traffic to large unused IP address blocks called network telescopes. In this work, we build new techniques for monitoring one-way traffic in live networks with the main goals of 1) expanding our understanding of this interesting type of traffic towards live networks and 2) making it useful for detecting and analyzing the impact of outages. Our first contribution is a classification scheme for dissecting one-way traffic into useful classes, including one-way traffic due to unreachable services, scanning, peer-to-peer applications, and backscatter. Our classification scheme is helpful for monitoring IBR traffic in live networks solely based on flow-level data. After thoroughly validating our classifier, we use it to analyze a massive dataset that covers 7.41 petabytes of traffic from a large backbone network to shed light on the composition of one-way traffic. We find that the main sources of one-way traffic are malicious scanning, peer-to-peer applications, and outages. In addition, we report a number of interesting observations, including that one-way traffic makes up a very large fraction, i.e., between 34% and 67%, of the total number of flows to the monitored network, although it accounts for only 3.4% of the number of packets, which suggests a new conceptual model for Internet traffic in which IBR is dominant in terms of flows. Finally, we demonstrate the utility of one-way traffic of the particularly interesting class of unreachable services for monitoring network and service outages by analyzing the impact of interesting events we detected in the network of our university.
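The following is an added illustration, not code from the paper: it pairs unidirectional flow records into biflows to isolate one-way traffic, sorts the one-way flows into the four classes the abstract names using flow-level fields only, and reports the flow share versus packet share that the abstract contrasts. The thresholds, the BitTorrent port marker and all flow records are constructed assumptions for this example; the paper's own classification rules are not reproduced here.

```python
from collections import defaultdict, namedtuple
# Hypothetical thresholds and port marker, tuned to the constructed sample (not the paper's values).
SCAN_MIN_TARGETS = 5                 # one source, this many distinct dst:port pairs, no replies
UNREACH_MIN_SOURCES = 2              # one dst:port that several sources try and never reach
P2P_PORTS = set(range(6881, 6890))   # BitTorrent default range, used here as a P2P marker

# One unidirectional flow record; flags holds the TCP flag letters seen, e.g. "S", "SA", "R".
Flow = namedtuple("Flow", "src dst proto sport dport pkts flags", defaults=("",))

def one_way_flows(flows):
    """Flows whose reverse 5-tuple never appears in the record set, i.e. no reply was seen."""
    keys = {(f.src, f.dst, f.proto, f.sport, f.dport) for f in flows}
    return [f for f in flows if (f.dst, f.src, f.proto, f.dport, f.sport) not in keys]

def classify(flows):
    """Assign each one-way flow a class using only flow-level fields; returns {flow: class}."""
    ow = one_way_flows(flows)
    targets = defaultdict(set)   # src -> distinct (dst, dport) it tried without a reply
    sources = defaultdict(set)   # (dst, proto, dport) -> distinct sources that got no reply
    for f in ow:
        targets[f.src].add((f.dst, f.dport))
        sources[(f.dst, f.proto, f.dport)].add(f.src)
    out = {}
    for f in ow:
        if f.proto == "icmp" or (f.proto == "tcp" and ("A" in f.flags or "R" in f.flags)):
            out[f] = "backscatter"          # unsolicited reply, typically to spoofed-source traffic
        elif len(targets[f.src]) >= SCAN_MIN_TARGETS:
            out[f] = "scanning"             # one source fanning out across many targets
        elif f.dport in P2P_PORTS:
            out[f] = "p2p"                  # peer contacting an overlay member that has left
        elif len(sources[(f.dst, f.proto, f.dport)]) >= UNREACH_MIN_SOURCES:
            out[f] = "unreachable_service"  # several clients, same service, nobody answers
        else:
            out[f] = "other"
    return out

def one_way_share(flows):
    """(fraction of flows, fraction of packets) that are one-way, the abstract's two ratios."""
    ow = one_way_flows(flows)
    return len(ow) / len(flows), sum(f.pkts for f in ow) / sum(f.pkts for f in flows)

SAMPLE_FLOWS = (  # constructed sample: three answered connections plus ten unanswered flows
    [Flow("10.0.0.%d" % i, "192.0.2.10", "tcp", 40000 + i, 443, 10, "S") for i in (1, 2, 3)]
    + [Flow("192.0.2.10", "10.0.0.%d" % i, "tcp", 443, 40000 + i, 12, "SA") for i in (1, 2, 3)]
    + [Flow("198.51.100.7", "192.0.2.%d" % i, "tcp", 55000, 22, 1, "S") for i in range(1, 6)]
    + [Flow("10.0.0.%d" % i, "192.0.2.30", "tcp", 50000 + i, 25, 3, "S") for i in (2, 3)]
    + [Flow("203.0.113.9", "192.0.2.20", "tcp", 80, 51000, 3, "SA"),
       Flow("10.0.0.4", "192.0.2.40", "udp", 6881, 6881, 2),
       Flow("10.0.0.5", "192.0.2.50", "tcp", 50003, 8080, 1, "S")]
)
```

On the sample, one-way flows are 10 of 16 records but only 17 of 83 packets, the same flow-heavy, packet-light shape the abstract reports for the backbone data.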
