Internet background radiation revisited

The monitoring of packets destined for routable, yet unused, Internet addresses has proved to be a useful technique for measuring a variety of specific Internet phenomena (e.g., worms, DDoS). In 2004, Pang et al. stepped beyond these targeted uses and provided one of the first generic characterizations of this non-productive traffic, demonstrating both its significant size and diversity. However, the six years that followed this study have seen tremendous changes in both the types of malicious activity on the Internet and the quantity and quality of unused address space. In this paper, we revisit the state of Internet "background radiation" through the lens of two unique data-sets: a five-year collection from a single unused /8 network block, and week-long collections from three recently allocated /8 network blocks. Through the longitudinal study of the long-lived block, comparisons between blocks, and extensive case studies of traffic in these blocks, we characterize the current state of background radiation, specifically highlighting those features that remain invariant from previous measurements and those which exhibit significant differences. Of particular interest in this work is the exploration of address space pollution, in which significant non-uniform behavior is observed. However, unlike previous observations of differences between unused blocks, we show that increasingly these differences are the result of environmental factors (e.g., misconfiguration, location), rather than algorithmic factors. Where feasible, we offer suggestions for cleanup of these polluted blocks and identify those blocks whose allocations should be withheld.

[1] Vinod Yegneswaran, et al. Characteristics of internet background radiation, 2004, IMC '04.

[2] Farnam Jahanian, et al. Internet inter-domain traffic, 2010, SIGCOMM '10.

[3] Stefan Savage, et al. Inside the Slammer Worm, 2003, IEEE Secur. Priv.

[4] Vern Paxson, et al. Exploiting underlying structure for detailed reconstruction of an internet-scale event, 2005, IMC '05.

[5] Stefan Savage, et al. Inferring Internet denial-of-service activity, 2001, TOCS.

[6] E. Eugene Schultz. Where have the worms and viruses gone?—new trends in malware, 2006.

[7] Zhuoqing Morley Mao, et al. Hotspots: The Root Causes of Non-Uniformity in Self-Propagating Malware, 2006, International Conference on Dependable Systems and Networks (DSN'06).

[8] Farnam Jahanian, et al. The Zombie Roundup: Understanding, Detecting, and Disrupting Botnets, 2005, SRUTI.

[9] Vinod Yegneswaran, et al. On the Design and Use of Internet Sinks for Network Abuse Monitoring, 2004, RAID.

[10] David Moore, et al. Code-Red: a case study on the spread and victims of an internet worm, 2002, IMW '02.

[11] Mary K. Vernon, et al. Mapping Internet Sensors with Probe Response Attacks, 2005, USENIX Security Symposium.

[12] Vern Paxson, et al. A brief history of scanning, 2007, IMC '07.

[13] Niels Provos, et al. Data reduction for the scalable automated analysis of distributed darknet traffic, 2005, IMC '05.

[14] Zhuoqing Morley Mao, et al. Toward understanding distributed blackhole placement, 2004, WORM '04.

[15] F. Jahanian, et al. Practical Darknet Measurement, 2006, 2006 40th Annual Conference on Information Sciences and Systems.

[16] Richard Mortier, et al. The Dark Oracle: Perspective-Aware Unused and Unreachable Address Discovery, 2006, NSDI.

[17] Farnam Jahanian, et al. Shedding Light on the Configuration of Dark Addresses, 2007, NDSS.

[18] David Watson, et al. The Blaster worm: then and now, 2005, IEEE Security & Privacy Magazine.

[19] Andreas Terzis, et al. On the Effectiveness of Distributed Worm Monitoring, 2005, USENIX Security Symposium.

[20] Andreas Terzis, et al. A multifaceted approach to understanding the botnet phenomenon, 2006, IMC '06.

[21] Farnam Jahanian, et al. The Internet Motion Sensor - A Distributed Blackhole Monitoring System, 2005, NDSS.

[22] Stefan Savage, et al. Network Telescopes: Technical Report, 2004.