A network telescope perspective of the Conficker outbreak
暂无分享,去创建一个
This paper discusses a dataset of some 16 million packets targeting port 445/tcp collected by a network telescope utilising a /24 netblock in South African IP address space. An initial overview of the collected data is provided. This is followed by a detailed analysis of the packet characteristics observed, including size and TTL. The peculiarities of the observed target selection and the results of the flaw in the Conficker worm's propagation algorithm are presented. An analysis of the 4 million observed source hosts is reported by grouped by both packet counts and the number of distinct hosts per network address block. Address blocks of size /8, 16 and 24 are used for groupings. The localisation, by geographic region and numerical proximity, of high ranking aggregate netblocks is highlighted. The paper concludes with some overall analyses, and consideration of the application of network telescopes to the monitoring of such outbreaks in the future.
[1] Fred Baker,et al. IPv4 and IPv6 Greynets , 2010, RFC.
[2] Eric Wustrow,et al. Internet background radiation revisited , 2010, IMC '10.
[3] Grenville J. Armitage,et al. Defining and Evaluating Greynets (Sparse Darknets) , 2005, The IEEE Conference on Local Computer Networks 30th Anniversary (LCN'05)l.
[4] Bruce Schneier. The Zotob Storm , 2005, IEEE Secur. Priv..