On the Power and Limitations of Detecting Network Filtering via Passive Observation

  • Matthew SargentEmail author
  • Jakub Czyz
  • Mark Allman
  • Michael Bailey
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8995)


Network operators often apply policy-based traffic filtering at the egress of edge networks. These policies can be detected by performing active measurements; however, doing so involves instrumenting every network one wishes to study. We investigate a methodology for detecting policy-based service-level traffic filtering from passive observation of traffic markers within darknets. Such markers represent traffic we expect to arrive and, therefore, whose absence is suggestive of network filtering. We study the approach with data from five large darknets over the course of one week. While we show the approach has utility to expose filtering in some cases, there are also limits to the methodology.


Background Radiation Infected Host Origin Network Edge Network Multiple Policy 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



We would like to thank Christian Kreibich for the Netalyzr data, Phillip Porras for the Conficker sinkhole data, and Vern Paxson for comments on an earlier draft. This work is sponsored by NSF grants CNS-1213157, CNS-1237265, CNS-1505790 and CNS-1111699.


  1. 1.
    Allman, M., Paxson, V., Terrell, J.: A brief history of scanning. In: Proceedings of the ACM SIGCOMM Conference on Internet Measurement, IMC’07 (2007)Google Scholar
  2. 2.
    Bailey, M., Cooke, E., Jahanian, F., Nazario, J., Watson, D.: The internet motion sensor: a distributed blackhole monitoring system. In: Proceedings of Network and Distributed System Security Symposium, NDSS’05, pp. 167–179 (2005)Google Scholar
  3. 3.
    Benson, K., Dainotti, A., claffy, k., Aben, E.: Gaining insight into AS-level outages through analysis of internet background radiation. In: Traffic Monitoring and Analysis Workshop, TMA’13 (2013)Google Scholar
  4. 4.
    Beverly, R., Berger, A., Hyun, Y., claffy, k.: Understanding the efficacy of deployed internet source address validation filtering. In: Proceedings of the ACM SIGCOMM conference on Internet Measurement, IMC’09 (2009)Google Scholar
  5. 5.
    Bush, R., Hiebert, J., Maennel, O., Roughan, M., Uhlig, S.: Testing the reachability of (new) address space. In: Proceedings of the SIGCOMM workshop on Internet Network Management, INM’07, pp. 236–241. ACM, New York (2007)Google Scholar
  6. 6.
    CAIDA: Conficker/Conflicker/Downadup as seen from the UCSD Network Telescope. (2013)
  7. 7.
    Chien, E.: Downadup: attempts at smart network scanning. (2009)
  8. 8.
    Choffnes, D.R., Bustamante, F.E., Ge, Z.: Crowdsourcing service-level network event monitoring. In: Proceedings of the Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications, SIGCOMM’10 (2010)Google Scholar
  9. 9.
  10. 10.
    Dainotti, A., Squarcella, C., Aben, E., Claffy, K.C., Chiesa, M., Russo, M., Pescapé, A.: Analysis of country-wide internet outages caused by censorship. In: IMC ’11 (2011)Google Scholar
  11. 11.
  12. 12.
    Kreibich, C., Weaver, N., Nechaev, B., Paxson, V.: Netalyzr: illuminating the edge network. In: Proceedings of the ACM SIGCOMM Conference on Internet Measurement, IMC’10 (2010)Google Scholar
  13. 13.
    Kristoff, J.: Experiences with conficker c sinkhole operation and analysis. In: Proceedings of Australian Computer Emergency Response Team Conference (2009)Google Scholar
  14. 14.
    Pang, R., Yegneswaran, V., Barford, P., Paxson, V., Peterson, L.: Characteristics of internet background radiation. In: Proceedings of the ACM SIGCOMM conference on Internet Measurement, IMC’04 (2004)Google Scholar
  15. 15.
    Porras, P., Saidi, H., Yegneswaran, V.: An analysis of conficker’s logic and rendezvous points. Technical report, SRI International (2009)Google Scholar
  16. 16.
    Richard, M., Ligh, M.: Making fun of your malware. In: Defcon 17 (2009)Google Scholar
  17. 17.
    University of Oregon: Route Views project.
  18. 18.
    Wustrow, E., Karir, M., Bailey, M., Jahanian, F., Houston, G.: Internet background radiation revisited. In: Proceedings of the ACM SIGCOMM Conference on Internet Measurement, IMC’10 (2010)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Matthew Sargent
    • 1
    Email author
  • Jakub Czyz
    • 2
  • Mark Allman
    • 3
  • Michael Bailey
    • 4
  1. 1.Case Western Reserve UniversityClevelandUSA
  2. 2.University of MichiganAnn ArborUSA
  3. 3.Intl. Computer Science InstituteBerkeleyUSA
  4. 4.University of Illinois at Urbana-ChampaignChampaignUSA

Personalised recommendations