Leveraging Internet Background Radiation for Opportunistic Network Analysis

For more than a decade, unsolicited traffic sent to unused regions of the address space has provided valuable insight into malicious Internet activities. In this paper, we explore the utility of this traffic, known as Internet Background Radiation (IBR), for a different purpose: as a data source of Internet-wide measurements. We collect and analyze IBR from two large darknets, carefully deconstructing its various components and characterizing them along dimensions applicable to Internet-wide measurements. Intuitively, IBR can provide insight into network properties when traffic from that network contains relevant information and is of sufficient volume. We turn this intuition into a scientific investigation, examining which networks send IBR, identifying components of IBR that enable opportunistic network inferences, and characterizing the frequency and granularity of traffic sources. We also consider the influences of time of collection and position in the address space on our results. We leverage IBR properties in three case studies to show that IBR can supplement existing techniques by improving coverage and/or diversity of analyzable networks while reducing measurement overhead. Our main contribution is a new framework for understanding the circumstances and properties for which unsolicited traffic is an appropriate data source for inference of macroscopic Internet properties, which can help other researchers assess its utility for a given study.
