Understanding passive and active service discovery

Increasingly, network operators do not directly operate the computers on their network, yet they are responsible for assessing network vulnerabilities to ensure compliance with policies about information disclosure, and for tracking services that affect provisioning. Thus, with decentralized network management, service discovery becomes an important part of maintaining and protecting computer networks. We explore two approaches to service discovery: active probing and passive monitoring. Active probing finds all services currently on the network, except services temporarily unavailable or hidden by firewalls; however, it is often too invasive, especially if used across administrative boundaries. Passive monitoring can find transient services, but misses services that are idle. We compare the accuracy of passive and active approaches to service discovery and show that they are complementary, highlighting the need for multiple active scans coupled with long-duration passive monitoring. We find that passive monitoring is well suited to quickly finding popular services, finding the servers responsible for 99% of incoming connections within minutes. Active scanning is better suited to rapidly finding all servers, which is important for vulnerability detection: one scan finds 98% of services in two hours, missing only a handful. External scans are an unexpected ally to passive monitoring, speeding service discovery by the equivalent of 9-15 days of additional observation. Finally, we show how the use of static or dynamic addresses changes the effectiveness of service discovery, both due to address reuse and VPN effects.
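As an added illustration of the passive-versus-active comparison above (example code written for this page, not the authors' measurement tooling), the block below infers services from constructed flow records, measures how long passive observation takes to cover a given share of incoming connections, and splits the result against a constructed active-scan inventory into services seen by both, only passively (transient), or only actively (idle). The "completed handshake means a listening service" heuristic and all addresses are assumptions.

```python
from collections import Counter

# Constructed flow records: (time_s, client_ip, server_ip, server_port, handshake).
# handshake=True means the SYN was answered with SYN-ACK, so the server side is
# known to be listening (assumed heuristic, not the paper's exact method).
FLOWS = [
    (0,   "10.0.0.5", "10.0.1.10", 80,   True),
    (2,   "10.0.0.6", "10.0.1.10", 80,   True),
    (3,   "10.0.0.7", "10.0.1.11", 443,  True),
    (5,   "10.0.0.5", "10.0.1.10", 80,   True),
    (9,   "10.0.0.8", "10.0.1.12", 22,   True),
    (15,  "10.0.0.9", "10.0.1.10", 80,   True),
    (20,  "10.0.0.5", "10.0.1.13", 25,   False),  # unanswered SYN: no service
    (40,  "10.0.0.6", "10.0.1.11", 443,  True),
    (300, "10.0.0.7", "10.0.1.14", 8080, True),   # rare, transient service
]

# Constructed active-scan result: finds the idle 3306 listener that never
# receives traffic, but misses the short-lived 8080 service.
ACTIVE_SCAN = {("10.0.1.10", 80), ("10.0.1.11", 443),
               ("10.0.1.12", 22), ("10.0.1.15", 3306)}

def discover_passive(flows):
    """Return {(server_ip, port): (first_seen_s, connection_count)}."""
    seen = {}
    for t, _src, dst, port, handshake in sorted(flows):
        if not handshake:
            continue
        first, n = seen.get((dst, port), (t, 0))
        seen[(dst, port)] = (first, n + 1)
    return seen

def time_to_coverage(flows, fraction):
    """Seconds of passive observation until the services seen so far account
    for at least `fraction` of all completed incoming connections in the trace."""
    counts = Counter((f[2], f[3]) for f in flows if f[4])
    total = sum(counts.values())
    known, covered = set(), 0
    for t, _src, dst, port, handshake in sorted(flows):
        if handshake and (dst, port) not in known:
            known.add((dst, port))
            covered += counts[(dst, port)]
            if covered >= fraction * total:
                return t
    return None  # trace ends before the target share is reached

def compare(passive, active):
    """Split services into both / passive-only (transient) / active-only (idle)."""
    p, a = set(passive), set(active)
    return {"both": p & a, "passive_only": p - a, "active_only": a - p}
```

With this trace, three quarters of the connections are covered after 3 seconds of watching, but the last 1% of traffic waits 300 seconds for a transient service, while the active inventory alone never shows that service at all.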
