research-article

Leveraging Internet Background Radiation for Opportunistic Network Analysis

Authors:

Alberto Dainotti,

Alex C. Snoeren,

Michael KallitsisAuthors Info & Claims

IMC '15: Proceedings of the 2015 Internet Measurement Conference

Pages 423 - 436

https://doi.org/10.1145/2815675.2815702

Published: 28 October 2015 Publication History

Abstract

For more than a decade, unsolicited traffic sent to unused regions of the address space has provided valuable insight into malicious Internet activities. In this paper, we explore the utility of this traffic, known as Internet Background Radiation (IBR), for a different purpose: as a data source of Internet-wide measurements. We collect and analyze IBR from two large darknets, carefully deconstructing its various components and characterizing them along dimensions applicable to Internet-wide measurements. Intuitively, IBR can provide insight into network properties when traffic from that network contains relevant information and is of sufficient volume. We turn this intuition into a scientific investigation, examining which networks send IBR, identifying components of IBR that enable opportunistic network inferences, and characterizing the frequency and granularity of traffic sources. We also consider the influences of time of collection and position in the address space on our results. We leverage IBR properties in three case studies to show that IBR can supplement existing techniques by improving coverage and/or diversity of analyzable networks while reducing measurement overhead. Our main contribution is a new framework for understanding the circumstances and properties for which unsolicited traffic is an appropriate data source for inference of macroscopic Internet properties, which can help other researchers assess its utility for a given study.

References

[1]

360 Total Security Software License and Service Agreement. www.360safe.com/totalsecurity/en/licence.html.

[2]

Chapter 8. Remote OS Detection: Usage and Examples. nmap.org/book/osdetect-methods.html#osdetect-ts.

[3]

Server queries. developer.valvesoftware.com/wiki/Server_queries.

[4]

Xbox 360 network ports and router configurations for Xbox Live. support.xbox.com/en-US/xbox-360/networking/network-ports-used-xbox-live.

[5]

Teredo Overview. technet.microsoft.com/en-us/library/bb457011.aspx, 2003.

[6]

Archipelago Measurement Infrastructure. www.caida.org/projects/ark, 2006.

[7]

Important: kernel security and bug fix update. www.redhat.com/archives/rhsa-announce/2012-July/msg00014.html, 2012.

[8]

BIND remote denial of service. www.freebsd.org/security/advisories/FreeBSD-SA-13:07.bind.asc, 2013.

[9]

Open Resolver Project, 2014. openresolverproject.org.

[10]

Routeviews Prefix to AS mappings Dataset for IPv4 and IPv6. www.caida.org/data/routing/routeviews-prefix2as.xml, 2015.

[11]

S. M. Bellovin. A Technique for Counting NATted Hosts. In Internet Measurement Workshop (IMW), 2002.

Digital Library

[12]

K. Benson, A. Dainotti, k. claffy, and E. Aben. Gaining Insight into AS-level Outages through Analysis of Internet Background Radiation. In Traffic Monitoring and Analysis Workshop (TMA), 2013.

[13]

R. Beverly. A Robust Classifier for Passive TCP/IP Fingerprinting. In PAM, 2004.

[14]

N. Brownlee. One-way Traffic Monitoring with iatmon. In Passive and Active Network Measurement Workshop (PAM), 2012.

Digital Library

[15]

M. Casado, T. Garfinkel, W. Cui, V. Paxson, and S. Savage. Opportunistic Measurement: Extracting Insight from Spurious Traffic. In HOTNETS, 2005.

[16]

W. Chen, Y. Huang, B. F. Ribeiro, K. Suh, H. Zhang, E. de Souza e Silva, J. F. Kurose, and D. F. Towsley. Exploiting the IPID field to infer network path and end-system characteristics. In Passive and Active Network Measurement Workshop (PAM), 2005.

Digital Library

[17]

E. Chien. Downadup: Attempts at Smart Network Scanning. www.symantec.com/connect/blogs/downadup-attempts-smart-network-scanning, 2009.

[18]

CIA. The World Factbook: Population.

[19]

Í. Cunha, R. Teixeira, and C. Diot. Measuring and Characterizing End-to-End Route Dynamics in the Presence of Load Balancing. In Passive and Active Network Measurement Conference (PAM), 2011.

Digital Library

[20]

A. Dainotti, R. Amman, E. Aben, and k. claffy. Extracting Benefit from Harm: Using Malware Pollution to Analyze the Impact of Political and Geophysical Events on the Internet. SIGCOMM Comput. Commun. Rev. (CCR), 42, Jan. 2012.

Digital Library

[21]

A. Dainotti, K. Benson, A. King, k. claffy, E. Glatz, X. Dimitropoulos, P. Richter, A. Finamore, and A. Snoeren. Lost in Space: Improving Inference of IPv4 Address Space Utilization. Technical report, CAIDA, Oct 2014.

[22]

A. Dainotti, K. Benson, A. King, k. claffy, M. Kallitsis, E. Glatz, and X. Dimitropoulos. Estimating Internet Address Space Usage through Passive Measurements. SIGCOMM CCR, 44(1), Dec. 2013.

Digital Library

[23]

A. Dainotti, A. Pescapè, and K. Claffy. Issues and future directions in traffic classification. IEEE Network, 26(1):35--40, Jan 2012.

Digital Library

[24]

A. Dainotti, C. Squarcella, E. Aben, k. claffy, M. Chiesa, M. Russo, and A. Pescapé. Analysis of Country-wide Internet Outages Caused by Censorship. In Internet Measurement Conference (IMC), 2011.

Digital Library

[25]

A. Dhamdhere and C. Dovrolis. Twelve Years in the Evolution of the Internet Ecosystem. IEEE/ACM Transactions on Networking, 19, Sep 2011.

Digital Library

[26]

Z. Durumeric, M. Bailey, and J. A. Halderman. An Internet-Wide View of Internet-Wide Scanning. In USENIX Security, 2014.

Digital Library

[27]

N. Falliere. Sality: Story of a Peer-to-Peer Viral Network. www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/sality_peer_to_peer_viral_network.pdf, 2011.

[28]

J. Goubault-Larrecq and J. Olivain. Detecting Subverted Cryptographic Protocols by Entropy Checking. Technical Report LSV-06-13, Laboratoire Spécification et Vérification, ENS Cachan.

[29]

J. Heidemann, Y. Pradkin, R. Govindan, C. Papadopoulos, G. Bartlett, and J. Bannister. Census and Survey of the Visible Internet. In IMC, 2008.

Digital Library

[30]

V. Jacobson, R. Braden, and D. Borman. TCP Extensions for High Performance. RFC 1323 (Proposed Standard), May 1992.

Digital Library

[31]

E. Katz-Bassett, H. V. Madhyastha, J. P. John, A. Krishnamurthy, D. Wetherall, and T. Anderson. Studying Black Holes in the Internet with Hubble. In NSDI, 2008.

Digital Library

[32]

A. Kumar, V. Paxson, and N. Weaver. Exploiting Underlying Structure for Detailed Reconstruction of an Internet-scale Event. In IMC, 2005.

Digital Library

[33]

Z. Li, A. Goyal, Y. Chen, and V. Paxson. Automating Analysis of Large-scale Botnet Probing Events. In ACM Symposium on Information, Computer, and Communications Security (ASIACCS), 2009.

Digital Library

[34]

Y. Liu and Y. Yang. Analysis of P2P Traffic Identification Methods. Emerging Trends in Computing and Information Sciences, 4(5), 2013.

[35]

A. Loewenstern and A. Norberg. DHT Protocol. www.bittorrent.org/beps/bep_0005.html, Jan 2008.

[36]

A. Lutu, M. Bagnulo, and O. Maennel. The BGP Visibility Scanner. In Global Internet Symposium (GI), 2013.

[37]

B. McDanel. TCP Timestamping - Obtaining System Uptime Remotely. seclists.org/bugtraq/2001/Mar/182, 2001.

[38]

K. McNamee. Malware Analysis Report: New C&C Protocol for ZeroAccess/Sirefef. botnetlegalnotice.com/zeroaccess/files/Ex_14_Decl_Anselmi.pdf, 2012.

[39]

D. Moore, C. Shannon, D. Brown, G. Voelker, and S. Savage. Inferring Internet Denial-of-Service Activity. ACM Transactions on Computer Systems, 24(2), May 2006.

Digital Library

[40]

A. Norberg. uTorrent transport protocol. www.bittorrent.org/beps/bep_0029.html, June 2009.

[41]

R. Pang, V. Yegneswaran, P. Barford, V. Paxson, and L. Peterson. Characteristics of Internet Background Radiation. In IMC, 2004.

Digital Library

[42]

V. Paxson. End-to-end Routing Behavior in the Internet. In ACM SIGCOMM, 1996.

Digital Library

[43]

M. Prince. The DDoS That Almost Broke the Internet. blog.cloudflare.com/the-ddos-that-almost-broke-the-internet, March 2013.

[44]

M. Sargent, J. Czyz, M. Allman, and M. Bailey. On The Power and Limitations of Detecting Network Filtering via Passive Observation. In PAM, 2015.

[45]

K. Schomp, T. Callahan, M. Rabinovich, and M. Allman. On Measuring the Client-side DNS Infrastructure. In IMC, 2013.

Digital Library

[46]

The Bro Project. TCP Scan detection. bro.icir.org/sphinx/scripts/policy/misc/scan.bro.html, 2014.

[47]

B. Van Nice. Drilling Down into DNS DDoS. www.nanog.org/sites/default/files/nanog63-dnstrack-vannice-ddos.pdf. NANOG 63, Feb 2015.

[48]

E. Wustrow, M. Karir, M. Bailey, F. Jahanian, and G. Huston. Internet Background Radiation Revisited. In Internet Measurement Conference (IMC), 2010.

Digital Library

[49]

M. Zalewski. p0f v3: passive fingerprinter. lcamtuf.coredump.cx/p0f3/README, 2012.

[50]

S. Zander, L. L. H. Andrew, and G. Armitage. Capturing Ghosts: Predicting the Used IPv4 Space by Inferring Unobserved Addresses. In IMC, 2014.

Digital Library

[51]

M. Zhang, C. Zhang, V. Pai, L. Peterson, and R. Wang. PlanetSeer: Internet Path Failure Monitoring and Characterization in Wide-Area Services. In Operating Systems Design and Implementation (OSDI), 2004

Digital Library

Cited By

García-Peñas RRodríguez-Gómez RMaciá-Fernández G(2024)HoDiNTComputer Networks: The International Journal of Computer and Telecommunications Networking10.1016/j.comnet.2024.110570250:COnline publication date: 1-Aug-2024
https://dl.acm.org/doi/10.1016/j.comnet.2024.110570
Zhao LKobayashi SFukuda K(2024)Exploring the Discovery Process of Fresh IPv6 Prefixes: An Analysis of Scanning Behavior in Darknet and HoneynetPassive and Active Measurement10.1007/978-3-031-56249-5_4(95-111)Online publication date: 20-Mar-2024
https://doi.org/10.1007/978-3-031-56249-5_4
Anand AKallitsis MSippe JDainotti ARossi DSecci SBonaventure OQiu L(2023)Aggressive Internet-Wide Scanners: Network Impact and Longitudinal CharacterizationCompanion of the 19th International Conference on emerging Networking EXperiments and Technologies10.1145/3624354.3630583(1-8)Online publication date: 5-Dec-2023
https://dl.acm.org/doi/10.1145/3624354.3630583
Show More Cited By

Index Terms

Leveraging Internet Background Radiation for Opportunistic Network Analysis
1. Networks
  1. Network protocols
    1. Transport protocols
  2. Network types
    1. Public Internet

Recommendations

Characteristics of internet background radiation
IMC '04: Proceedings of the 4th ACM SIGCOMM conference on Internet measurement

Monitoring any portion of the Internet address space reveals incessant activity. This holds even when monitoring traffic sent to unused addresses, which we term "background radiation. " Background radiation reflects fundamentally nonproductive traffic, ...
Internet background radiation revisited
IMC '10: Proceedings of the 10th ACM SIGCOMM conference on Internet measurement

The monitoring of packets destined for routeable, yet unused, Internet addresses has proved to be a useful technique for measuring a variety of specific Internet phenomenon (e.g., worms, DDoS). In 2004, Pang et al. stepped beyond these targeted uses and ...
Analysis of a "/0" stealth scan from a botnet
IMC '12: Proceedings of the 2012 Internet Measurement Conference

Botnets are the most common vehicle of cyber-criminal activity. They are used for spamming, phishing, denial of service attacks, brute-force cracking, stealing private information, and cyber warfare. Botnets carry out network scans for several reasons, ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

IMC '15: Proceedings of the 2015 Internet Measurement Conference

October 2015

550 pages

ISBN:9781450338486

DOI:10.1145/2815675

General Chairs:
Kenjiro Cho
IIJ/Keio University
,
Kensuke Fukuda
NII/Sokendai
,
Program Chairs:
Vivek Pai
Google
,
Neil Spring
University of Maryland

Copyright © 2015 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Sponsors

SIGMETRICS: ACM Special Interest Group on Measurement and Evaluation
SIGCOMM: ACM Special Interest Group on Data Communication
USENIX Assoc: USENIX Assoc

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 28 October 2015

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

DHS S&T cooperative agreement
Department of Homeland Security Science and Technology Directorate
NSF

Conference

IMC '15

Sponsor:

SIGMETRICS
SIGCOMM
USENIX Assoc

IMC '15: Internet Measurement Conference

October 28 - 30, 2015

Tokyo, Japan

Acceptance Rates

IMC '15 Paper Acceptance Rate 31 of 96 submissions, 32%;

Overall Acceptance Rate 277 of 1,083 submissions, 26%

Upcoming Conference

IMC '24

Sponsor:
sigcomm
sigcomm

ACM Internet Measurement Conference

November 4 - 6, 2024

Madrid , AA , Spain

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

22
Total Citations
View Citations
279
Total Downloads

Downloads (Last 12 months)41
Downloads (Last 6 weeks)19

Reflects downloads up to 01 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

García-Peñas RRodríguez-Gómez RMaciá-Fernández G(2024)HoDiNTComputer Networks: The International Journal of Computer and Telecommunications Networking10.1016/j.comnet.2024.110570250:COnline publication date: 1-Aug-2024
https://dl.acm.org/doi/10.1016/j.comnet.2024.110570
Zhao LKobayashi SFukuda K(2024)Exploring the Discovery Process of Fresh IPv6 Prefixes: An Analysis of Scanning Behavior in Darknet and HoneynetPassive and Active Measurement10.1007/978-3-031-56249-5_4(95-111)Online publication date: 20-Mar-2024
https://doi.org/10.1007/978-3-031-56249-5_4
Anand AKallitsis MSippe JDainotti ARossi DSecci SBonaventure OQiu L(2023)Aggressive Internet-Wide Scanners: Network Impact and Longitudinal CharacterizationCompanion of the 19th International Conference on emerging Networking EXperiments and Technologies10.1145/3624354.3630583(1-8)Online publication date: 5-Dec-2023
https://dl.acm.org/doi/10.1145/3624354.3630583
Gioacchini LVassio LMellia MDrago IHouidi ZRossi D(2023)i-DarkVec: Incremental Embeddings for Darknet Traffic AnalysisACM Transactions on Internet Technology10.1145/359537823:3(1-28)Online publication date: 3-May-2023
https://dl.acm.org/doi/10.1145/3595378
Soro FFavale TGiordano DDrago IRescio TMellia MHouidi ZRossi D(2023)Enlightening the Darknets: Augmenting Darknet Visibility With Active ProbesIEEE Transactions on Network and Service Management10.1109/TNSM.2023.326767120:4(5012-5025)Online publication date: Dec-2023
https://doi.org/10.1109/TNSM.2023.3267671
Collins MHussain ASchwab S(2023)Identifying and Differentiating Acknowledged Scanners in Network Traffic2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)10.1109/EuroSPW59978.2023.00069(567-574)Online publication date: Jul-2023
https://doi.org/10.1109/EuroSPW59978.2023.00069
Kallitsis MPrajapati RHonavar VWu DYen J(2022)Detecting and Interpreting Changes in Scanning Behavior in Large Network TelescopesIEEE Transactions on Information Forensics and Security10.1109/TIFS.2022.321164417(3611-3625)Online publication date: 2022
https://doi.org/10.1109/TIFS.2022.3211644
Vermeer MWest JCuevas ANiu SChristin NVan Eeten MFiebig TGañán CMoore T(2021)SoK: A Framework for Asset Discovery: Systematizing Advances in Network Measurements for Protecting Organizations2021 IEEE European Symposium on Security and Privacy (EuroS&P)10.1109/EuroSP51992.2021.00037(440-456)Online publication date: Sep-2021
https://doi.org/10.1109/EuroSP51992.2021.00037
Soro FAllegretta MMellia MDrago IBertholdo L(2020)Sensing the Noise: Uncovering Communities in Darknet Traffic2020 Mediterranean Communication and Computer Networking Conference (MedComNet)10.1109/MedComNet49392.2020.9191555(1-8)Online publication date: Jun-2020
https://doi.org/10.1109/MedComNet49392.2020.9191555
Han YZhong YWang H(2020)Overview of Network Outage Detection Technology in 5G2020 International Wireless Communications and Mobile Computing (IWCMC)10.1109/IWCMC48107.2020.9148527(1400-1403)Online publication date: Jun-2020
https://doi.org/10.1109/IWCMC48107.2020.9148527
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents