Abstract
Monitoring unused or dark IP addresses offers opportunities to significantly improve and expand knowledge of abuse activity without many of the problems associated with typical network intrusion detection and firewall systems. In this paper, we address the problem of designing and deploying a system for monitoring large unused address spaces such as class A telescopes with 16M IP addresses. We describe the architecture and implementation of the Internet Sink (iSink) system which measures packet traffic on unused IP addresses in an efficient, extensible and scalable fashion. In contrast to traditional intrusion detection systems or firewalls, iSink includes an active component that generates response packets to incoming traffic. This gives the iSink an important advantage in discriminating between different types of attacks (through examination of the response payloads). The key feature of iSink’s design that distinguishes it from other unused address space monitors is that its active response component is stateless and thus highly scalable. We report performance results of our iSink implementation in both controlled laboratory experiments and from a case study of a live deployment. Our results demonstrate the efficiency and scalability of our implementation as well as the important perspective on abuse activity that is afforded by its use.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Anderson, R., Khattak, A.: The Use of Information Retrieval Techniques for Intrusion Detection. In: Proceedings of RAID (September 1998)
Network Associates. LovGate Virus Summary, http://vil.nai.com/vil/content/Print100183.htm (2002)
Bullard, C.: Argus Open Project, http://www.qosient.com/argus/
Cranor, C., Gao, Y., Johnson, T., Shkapenyuk, V., Spatscheck, O.: Gigascope: High Performance Network Monitoring with an SQL Interface
E-eye. Analysis: Sasser Worm, http://www.eeye.com/html/Research/Advisories/AD20040501.html
Estan, C., Varghese, G.: New Directions in Traffic Measurement and Accounting. In: Proceedings of ACM SIGCOMM 2002, Pittsburgh, PA (August 2002)
Feldmann, A., Greenberg, A., Lund, C., Reingold, N., Rexford, J.: NetScope: Traffic Engineering for IP Networks. IEEE Network Magazine, Special Issue on Internet Traffic Engineering (2000)
Greene, B.: BGPv4 Security Risk Assessment (June 2002)
Greene, B.: Remote Triggering Black Hole Filtering (August 2002)
Honeyd: Network Rhapsody for You, http://www.citi.umich.edu/u/provos/honeyd
Iannaccone, G., Diot, C., Graham, I., McKeown, N.: Monitoring very high speed links. In: SIGCOMM Internet Measurement Workshop (November 2001)
Kohler, E., Morris, R., Chen, B., Jannotti, J., Kaashoek, F.: The click modular router. ACM Transactions on Computer Systems (August 2000)
Lee, W., Stolfo, S.J., Mok, K.W.: A Data Mining Framework for Building Intrusion Detection Models. In: IEEE Symposium on Security and Privacy (1999)
Liston, T.: The Labrea Tarpit Homepage, http://www.hackbusters.net/LaBrea/
Moore, D.: Network Telescopes, http://www.caida.org/outreach/presentations/2003/dimacs0309/
Moore, D., Paxson, V., Savage, S., Shannon, C., Staniford, S., Weaver, N.: The Spread of the Sapphire/Slammer Worm. Technical report, CAIDA (2003)
Moore, D., Shannon, C., Claffy, K.: Code Red: A Case Study on the Spread and Victims of an Internet Worm. In: Proceedings of ACM SIGCOMM Internet Measurement Workshop, Marseilles, France (November 2002)
Moore, D., Shannon, C., Voelker, G., Savage, S.: Internet Quarantine: Requirements for Containing Self-Propagating Code. In: Proceedings of IEEE INFOCOM (April 2003)
Moore, D., Voelker, G., Savage, S.: Inferring Internet Denial of Service Activity. In: Proceedings of the 2001 USENIX Security Symposium, Washington D.C. (August 2001)
Oetiker, T.: The multi router traffic grapher. In: Proceedings of the USENIX Twelvth System Administration Conference LISA XII (December 1998)
Paxson, V.: BRO: A System for Detecting Network Intruders in Real Time. In: Proceedings of the 7th USENIX Security Symposium (1998)
Plonka, D.: Flawed Routers Flood University of Wisconsin Internet Time Server, http://www.cs.wisc.edu/plonka/netgear-sntp
Plonka, D.: Flowscan: A network traffic flow reporting and visualization tool. In: Proceedings of the USENIX Fourteenth System Administration Conference LISA XIV (December 2000)
Rekhter, Y.: RFC 1817: CIDR and Classful Routing (August 1995)
Roesch, M.: The SNORT Network Intrusion Detection System, http://www.snort.org
Staniford, S., Hoagland, J., McAlerney, J.: Practical Automated Detection of Stealthy Portscans. In: Proceedings of the ACM CCS IDS Workshop (November 2000)
Staniford, S., Paxson, V., Weaver, N.: How to Own the Internet in Your Spare Time. In: Proceedings of the 11th USENIX Security Symposium, San Francisco, CA (August 2002)
Teng, H.S., Chen, K., Lu, S.C.-Y.: Adaptive Real-Time Anomaly Detection Using Inductively Generated Sequential Patterns. In: IEEE Symposium on Security and Privacy (1999)
The Honeynet Project, http://project.honeynet.org
Trend Micro. WORM RBOT.CC, http://uk.trendmicro-europe.com/enterprise/security_info/-ve_detail.php?Vname=WORM_RBOT.CC
Yegneswaran, V., Barford, P., Jha, S.: Global Intrusion Detection in the DOMINO Overlay System. In: Proceedings of NDSS, San Diego, CA (2004)
Yegneswaran, V., Barford, P., Plonka, D.: On the Design and Use of Internet Sinks for Network Abuse Monitoring. University of Wisconsin Technical Report #1497 (2004)
Yegneswaran, V., Barford, P., Ullrich, J.: Internet Intrusions: Global Characteristics and Prevalence. In: Proceedings of ACM SIGMETRICS, San Diego, CA (June 2003)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2004 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Yegneswaran, V., Barford, P., Plonka, D. (2004). On the Design and Use of Internet Sinks for Network Abuse Monitoring. In: Jonsson, E., Valdes, A., Almgren, M. (eds) Recent Advances in Intrusion Detection. RAID 2004. Lecture Notes in Computer Science, vol 3224. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-30143-1_8
Download citation
DOI: https://doi.org/10.1007/978-3-540-30143-1_8
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-23123-3
Online ISBN: 978-3-540-30143-1
eBook Packages: Springer Book Archive