DOI: 10.1145/1879141.1879149
research-article

Internet background radiation revisited

Published: 01 November 2010

Abstract

The monitoring of packets destined for routeable, yet unused, Internet addresses has proved to be a useful technique for measuring a variety of specific Internet phenomena (e.g., worms, DDoS). In 2004, Pang et al. stepped beyond these targeted uses and provided one of the first generic characterizations of this non-productive traffic, demonstrating both its significant size and diversity. However, the six years that followed this study have seen tremendous changes in both the types of malicious activity on the Internet and the quantity and quality of unused address space. In this paper, we revisit the state of Internet "background radiation" through the lens of two unique data-sets: a five-year collection from a single unused /8 network block, and week-long collections from three recently allocated /8 network blocks. Through the longitudinal study of the long-lived block, comparisons between blocks, and extensive case studies of traffic in these blocks, we characterize the current state of background radiation, specifically highlighting those features that remain invariant from previous measurements and those which exhibit significant differences. Of particular interest in this work is the exploration of address space pollution, in which significant non-uniform behavior is observed. However, unlike previous observations of differences between unused blocks, we show that increasingly these differences are the result of environmental factors (e.g., misconfiguration, location), rather than algorithmic factors. Where feasible, we offer suggestions for clean up of these polluted blocks and identify those blocks whose allocations should be withheld.

References

[1]
D. Moore, V. Paxson, S. Savage, and C. Shannon. Inside the Slammer Worm. In Proceedings of IEEE Security and Privacy, Jun 2003.
[2]
D. Moore, C. Shannon, and J. Brown. A Case Study on the Spread and Victims of an Internet Worm. In Proceedings of ACM SIGCOMM Internet Measurement Workshop, Nov 2002.
[3]
Michael Bailey, Evan Cooke, David Watson, Farnam Jahanian, and Jose Nazario. The Blaster Worm: Then and Now. IEEE Security & Privacy, 3(4):26--31, 2005.
[4]
D. Moore, G. Voelker, and S. Savage. Inferring Internet Denial of Service Activity. In Proceedings of the 2001 USENIX Security Symposium, Aug 2001.
[5]
M. Bailey, E. Cooke, D. Watson, F. Jahanian, and N. Provos. Practical Darknet Measurement. In Proceedings of the 40th Annual Conference on Information Sciences and Systems (CISS), Mar 2006.
[6]
D. Moore, C. Shannon, G.M. Voelker, and S. Savage. Network Telescopes. Cooperative Association for Internet Data Analysis - Technical Report, 2004.
[7]
M. Bailey, E. Cooke, D. Watson, F. Jahanian, and N. Provos. Towards Understanding Distributed Blackhole Placement. In Proceedings of the 2nd Workshop on Rapid Malcode (WORM), Oct 2004.
[8]
V. Yegneswaran, P. Barford, and D. Plonka. On the Design and Use of Internet Sinks for Network Abuse Monitoring. In Proceedings of the Symposium on Recent Advances in Intrusion Detection, Sep 2004.
[9]
M. Bailey, E. Cooke, D. Watson, F. Jahanian, and N. Provos. The Internet Motion Sensor - A Distributed Blackhole Monitoring System. In Proceedings of the 12th Annual Network and Distributed System Security Symposium (NDSS), Feb 2005.
[10]
R. Pang, V. Yegneswaran, P. Barford, V. Paxson, and L. Peterson. Characteristics of Internet Background Radiation. In Proceedings of the 4th ACM SIGCOMM Conference on Internet Measurement, Oct 2004.
[11]
Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, and Andreas Terzis. A multifaceted approach to understanding the botnet phenomenon. In IMC '06: Proceedings of the 6th ACM SIGCOMM on Internet measurement, pages 41--52, New York, NY, USA, 2006. ACM Press.
[12]
Evan Cooke, Farnam Jahanian, and Danny McPherson. The Zombie roundup: Understanding, detecting, and disrupting botnets. In Proceedings of the Steps to Reducing Unwanted Traffic on the Internet (SRUTI 2005 Workshop), Cambridge, MA, July 2005.
[13]
E. Eugene Schultz. Where have the worms and viruses gone?--new trends in malware. Computer Fraud & Security, 2006(7):4--8, 2006.
[14]
Craig Labovitz, Scott Iekel-Johnson, Danny McPherson, Jon Oberheide, and Farnam Jahanian. Internet Inter-Domain Traffic. In Proc. ACM SIGCOMM (To Appear), 2010.
[15]
Geoff Huston. The changing Foundation of the Internet: confronting IPv4 Address Exhaustion. The Internet Protocol Journal, September 2008.
[16]
Protected Repository for the Defense of Infrastructure Against Cyber Threats. http://www.predict.org.
[17]
Michael Bailey, Evan Cooke, Farnam Jahanian, Niels Provos, Karl Rosaen, and David Watson. Data Reduction for the Scalable Automated Analysis of Distributed Darknet Traffic. Proceedings of the USENIX/ACM Internet Measurement Conference, October 2005.
[18]
Sushant Sinha, Michael Bailey, and Farnam Jahanian. Shedding light on the configuration of dark addresses. In Proceedings of Network and Distributed System Security Symposium (NDSS '07), February 2007.
[19]
John Bethencourt, Jason Franklin, and Mary Vernon. Mapping Internet sensors with probe response attacks. In Proceedings of the 14th USENIX Security Symposium, Baltimore, MD, August 2005.
[20]
Moheeb Abu Rajab, Fabian Monrose, and Andreas Terzis. On the effectiveness of distributed worm monitoring. In Proceedings of the 14th USENIX Security Symposium, Baltimore, MD, August 2005.
[21]
Evan Cooke, Z. Morley Mao, and Farnam Jahanian. Hotspots: The root causes of non-uniformity in self-propagating malware. In Proceedings of the International Conference on Dependable Systems and Networks (DSN'2006), June 2006.
[22]
Abhishek Kumar, Vern Paxson, and Nicholas Weaver. Exploiting underlying structure for detailed reconstruction of an internet-scale event. Proceedings of the USENIX/ACM Internet Measurement Conference, October 2005.
[23]
Mark Allman, Vern Paxson, and Jeff Terrell. A brief history of scanning. In IMC '07: Proceedings of the 7th ACM SIGCOMM conference on Internet measurement, New York, NY, USA, 2007.
[24]
Route Views Project. University of Oregon Route Views Project. http://archive.routeviews.org/, Aug 2010.
[25]
RIPE (Réseaux IP Européens). RIS Raw Data. http://www.ripe.net/projects/ris/rawdata.html, Aug 2010.
[26]
RADb: Merit network inc. routing assets database. http://www.radb.net/.
[27]
B. Kantor, S. Savage, R. Wesson, B. Enright, P. Porras, V. Yegneswaran, J. Wolfgang, and S. Castro. Conflicker/Conflicker/Downadup as seen from the UCSD Network Telescope - Feb 2009. http://www.caida.org/research/security/ms08-067/conflicker.xml.
[28]
S. Gauci. RTP Traffic to 1.1.1.1 - Feb 2010. http://blog.sipvicious.org/2010/02/rtp-traffic-to-1111.html.
[29]
S. Eivind. usken.no - VoIP news! - Feb 2010. http://www.usken.no/2010/02/sip-scanning-causes-ddos-on-ip-1-1-1-1/.
[30]
Adrian Mariño. Fake Servers List - Official eMule-Board - Apr 2010. http://forum.emule-project.net/index.php?showtopic=139609&st=60.
[31]
Evan Cooke, Michael Bailey, Farnam Jahanian, and Richard Mortier. The Dark Oracle: Perspective-Aware Unused and Unreachable Address Discovery. In Proceedings of the 3rd Symposium on Networked Systems Design & Implementation (NSDI'06), pages 101--114, San Jose, California, USA, May 2006.


Published In

IMC '10: Proceedings of the 10th ACM SIGCOMM conference on Internet measurement
November 2010
496 pages
ISBN: 9781450304832
DOI: 10.1145/1879141
Program Chair: Mark Allman

In-Cooperation

  • USENIX Assoc

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. darknet
  2. data collection
  3. internet background radiation
  4. internet data collection
  5. internet monitoring
  6. network data analysis

Qualifiers

  • Research-article

Conference

IMC '10
IMC '10: Internet Measurement Conference
November 1 - 30, 2010
Melbourne, Australia

Acceptance Rates

Overall Acceptance Rate 277 of 1,083 submissions, 26%


Cited By

  • (2024) The Age of DDoScovery: An Empirical Comparison of Industry and Academic DDoS Assessments. Proceedings of the 2024 ACM on Internet Measurement Conference, pages 259-279. DOI: 10.1145/3646547.3688451. Online publication date: 4-Nov-2024
  • (2024) Have you SYN me? Characterizing Ten Years of Internet Scanning. Proceedings of the 2024 ACM on Internet Measurement Conference, pages 149-164. DOI: 10.1145/3646547.3688409. Online publication date: 4-Nov-2024
  • (2024) OLIViS: An OSINT-Based Lightweight Method for Identifying Video Services in Backbone ISPs. NOMS 2024-2024 IEEE Network Operations and Management Symposium, pages 1-9. DOI: 10.1109/NOMS59830.2024.10575803. Online publication date: 6-May-2024
  • (2024) HoDiNT. Computer Networks: The International Journal of Computer and Telecommunications Networking, 250:C. DOI: 10.1016/j.comnet.2024.110570. Online publication date: 1-Aug-2024
  • (2023) A cloud-native framework for globally distributed capture and analysis of Internet Background Radiation. 2023 18th Iberian Conference on Information Systems and Technologies (CISTI), pages 1-4. DOI: 10.23919/CISTI58278.2023.10211290. Online publication date: 20-Jun-2023
  • (2023) Aggressive Internet-Wide Scanners: Network Impact and Longitudinal Characterization. Companion of the 19th International Conference on emerging Networking EXperiments and Technologies, pages 1-8. DOI: 10.1145/3624354.3630583. Online publication date: 5-Dec-2023
  • (2023) Cloud Watching: Understanding Attacks Against Cloud-Hosted Services. Proceedings of the 2023 ACM on Internet Measurement Conference, pages 313-327. DOI: 10.1145/3618257.3624818. Online publication date: 24-Oct-2023
  • (2023) Inferring Changes in Daily Human Activity from Internet Response. Proceedings of the 2023 ACM on Internet Measurement Conference, pages 627-644. DOI: 10.1145/3618257.3624796. Online publication date: 24-Oct-2023
  • (2023) Enlightening the Darknets: Augmenting Darknet Visibility With Active Probes. IEEE Transactions on Network and Service Management, 20:4, pages 5012-5025. DOI: 10.1109/TNSM.2023.3267671. Online publication date: Dec-2023
  • (2023) Identifying and Differentiating Acknowledged Scanners in Network Traffic. 2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), pages 567-574. DOI: 10.1109/EuroSPW59978.2023.00069. Online publication date: Jul-2023
