Advertisement

On the Design and Use of Internet Sinks for Network Abuse Monitoring

  • Vinod Yegneswaran
  • Paul Barford
  • Dave Plonka
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3224)

Abstract

Monitoring unused or dark IP addresses offers opportunities to significantly improve and expand knowledge of abuse activity without many of the problems associated with typical network intrusion detection and firewall systems. In this paper, we address the problem of designing and deploying a system for monitoring large unused address spaces such as class A telescopes with 16M IP addresses. We describe the architecture and implementation of the Internet Sink (iSink) system which measures packet traffic on unused IP addresses in an efficient, extensible and scalable fashion. In contrast to traditional intrusion detection systems or firewalls, iSink includes an active component that generates response packets to incoming traffic. This gives the iSink an important advantage in discriminating between different types of attacks (through examination of the response payloads). The key feature of iSink’s design that distinguishes it from other unused address space monitors is that its active response component is stateless and thus highly scalable. We report performance results of our iSink implementation in both controlled laboratory experiments and from a case study of a live deployment. Our results demonstrate the efficiency and scalability of our implementation as well as the important perspective on abuse activity that is afforded by its use.

Keywords

Intrusion Detection Honeypots Deception Systems 

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Anderson, R., Khattak, A.: The Use of Information Retrieval Techniques for Intrusion Detection. In: Proceedings of RAID (September 1998)Google Scholar
  2. 2.
    Network Associates. LovGate Virus Summary, http://vil.nai.com/vil/content/Print100183.htm (2002)
  3. 3.
    Bullard, C.: Argus Open Project, http://www.qosient.com/argus/
  4. 4.
    Cranor, C., Gao, Y., Johnson, T., Shkapenyuk, V., Spatscheck, O.: Gigascope: High Performance Network Monitoring with an SQL InterfaceGoogle Scholar
  5. 5.
  6. 6.
    Estan, C., Varghese, G.: New Directions in Traffic Measurement and Accounting. In: Proceedings of ACM SIGCOMM 2002, Pittsburgh, PA (August 2002)Google Scholar
  7. 7.
    Feldmann, A., Greenberg, A., Lund, C., Reingold, N., Rexford, J.: NetScope: Traffic Engineering for IP Networks. IEEE Network Magazine, Special Issue on Internet Traffic Engineering (2000)Google Scholar
  8. 8.
    Greene, B.: BGPv4 Security Risk Assessment (June 2002) Google Scholar
  9. 9.
    Greene, B.: Remote Triggering Black Hole Filtering (August 2002) Google Scholar
  10. 10.
    Honeyd: Network Rhapsody for You, http://www.citi.umich.edu/u/provos/honeyd
  11. 11.
    Iannaccone, G., Diot, C., Graham, I., McKeown, N.: Monitoring very high speed links. In: SIGCOMM Internet Measurement Workshop (November 2001)Google Scholar
  12. 12.
    Kohler, E., Morris, R., Chen, B., Jannotti, J., Kaashoek, F.: The click modular router. ACM Transactions on Computer Systems (August 2000)Google Scholar
  13. 13.
    Lee, W., Stolfo, S.J., Mok, K.W.: A Data Mining Framework for Building Intrusion Detection Models. In: IEEE Symposium on Security and Privacy (1999)Google Scholar
  14. 14.
    Liston, T.: The Labrea Tarpit Homepage, http://www.hackbusters.net/LaBrea/
  15. 15.
  16. 16.
    Moore, D., Paxson, V., Savage, S., Shannon, C., Staniford, S., Weaver, N.: The Spread of the Sapphire/Slammer Worm. Technical report, CAIDA (2003)Google Scholar
  17. 17.
    Moore, D., Shannon, C., Claffy, K.: Code Red: A Case Study on the Spread and Victims of an Internet Worm. In: Proceedings of ACM SIGCOMM Internet Measurement Workshop, Marseilles, France (November 2002)Google Scholar
  18. 18.
    Moore, D., Shannon, C., Voelker, G., Savage, S.: Internet Quarantine: Requirements for Containing Self-Propagating Code. In: Proceedings of IEEE INFOCOM (April 2003)Google Scholar
  19. 19.
    Moore, D., Voelker, G., Savage, S.: Inferring Internet Denial of Service Activity. In: Proceedings of the 2001 USENIX Security Symposium, Washington D.C. (August 2001)Google Scholar
  20. 20.
    Oetiker, T.: The multi router traffic grapher. In: Proceedings of the USENIX Twelvth System Administration Conference LISA XII (December 1998)Google Scholar
  21. 21.
    Paxson, V.: BRO: A System for Detecting Network Intruders in Real Time. In: Proceedings of the 7th USENIX Security Symposium (1998)Google Scholar
  22. 22.
    Plonka, D.: Flawed Routers Flood University of Wisconsin Internet Time Server, http://www.cs.wisc.edu/plonka/netgear-sntp
  23. 23.
    Plonka, D.: Flowscan: A network traffic flow reporting and visualization tool. In: Proceedings of the USENIX Fourteenth System Administration Conference LISA XIV (December 2000)Google Scholar
  24. 24.
    Rekhter, Y.: RFC 1817: CIDR and Classful Routing (August 1995) Google Scholar
  25. 25.
    Roesch, M.: The SNORT Network Intrusion Detection System, http://www.snort.org
  26. 26.
    Staniford, S., Hoagland, J., McAlerney, J.: Practical Automated Detection of Stealthy Portscans. In: Proceedings of the ACM CCS IDS Workshop (November 2000)Google Scholar
  27. 27.
    Staniford, S., Paxson, V., Weaver, N.: How to Own the Internet in Your Spare Time. In: Proceedings of the 11th USENIX Security Symposium, San Francisco, CA (August 2002)Google Scholar
  28. 28.
    Teng, H.S., Chen, K., Lu, S.C.-Y.: Adaptive Real-Time Anomaly Detection Using Inductively Generated Sequential Patterns. In: IEEE Symposium on Security and Privacy (1999)Google Scholar
  29. 29.
    The Honeynet Project, http://project.honeynet.org
  30. 30.
  31. 31.
    Yegneswaran, V., Barford, P., Jha, S.: Global Intrusion Detection in the DOMINO Overlay System. In: Proceedings of NDSS, San Diego, CA (2004)Google Scholar
  32. 32.
    Yegneswaran, V., Barford, P., Plonka, D.: On the Design and Use of Internet Sinks for Network Abuse Monitoring. University of Wisconsin Technical Report #1497 (2004)Google Scholar
  33. 33.
    Yegneswaran, V., Barford, P., Ullrich, J.: Internet Intrusions: Global Characteristics and Prevalence. In: Proceedings of ACM SIGMETRICS, San Diego, CA (June 2003)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Vinod Yegneswaran
    • 1
  • Paul Barford
    • 1
  • Dave Plonka
    • 2
  1. 1.Dept. of Computer ScienceUniversity of WisconsinMadison
  2. 2.Dept. of Information TechnologyUniversity of WisconsinMadison

Personalised recommendations