One-Way Traffic Monitoring with iatmon
During the last decade, unsolicited one-way Internet traffic has been used to study malicious activity on the Internet. Researchers usually observe such traffic using network telescopes deployed on darkspace (unused address space). When darkspace observations began ten years ago, one-way traffic was minimal. Over the last five years, however, traffic levels have risen so that they are now high enough to require more subtle differentiation – raw packet and byte or even port counts make it hard to discern and distinguish new activities.
To make changes in composition of one-way traffic aggregates more detectable, we have developed iatmon (Inter-Arrival Time Monitor), a freely available measurement and analysis tool that allows one to separate one-way traffic into clearly-defined subsets. Initially we have implemented two subsetting schemes; source types, based on the schema proposed in ; and inter-arrival-time (IAT) groups that summarise source behaviour over time.
We use 14 types and 10 groups, giving us a matrix of 140 type + group subsets. Each subset constitutes only a fraction of the total traffic, so changes within the subsets are easily observable when changes in total traffic levels might not even be noticeable.
We report on our experience with this tool to observe changes in one-way traffic at the UCSD network telescope over the first half of 2011. Daily average plots of source numbers and their traffic volumes show clear long-term changes in several of our types and groups.
KeywordsSource Type Source Address Network Telescope Subsetting Scheme Spoof Source Address
Unable to display preview. Download preview PDF.
- 1.Aben, E.: Conficker as seen from UCSD Network Telescope (February 2009), http://www.caida.org/research/security/ms08-067/conficker.xml
- 2.Barford, P., Nowak, R., Willett, R., Yegneswaran, V.: Toward a Model for Source Address of Internet Background Radiation. In: Proc. Passive and Active Measurement Conference, PAM 2006, Adelaide, Australia (2006)Google Scholar
- 3.CAIDA. Ucsd network telescope data use policy and request form, http://www.caida.org/data/passive/telescope_dataset_request.xml
- 4.CAIDA. UCSD Network Telescope global attack traffic, http://www.caida.org/data/realtime/telescope/
- 5.CAIDA. UCSD Network Telescope Research, http://www.caida.org/data/passive/network_telescope.xml
- 6.Cooke, E., Bailey, M., Mao, Z., Watson, D., Jahanian, F., McPherson, D.: Toward understanding distributed blackhole placement. In: Proc. ACM Workshop on Rapid Malcode, WORM 2004, Washington DC, USA, pp. 54–64 (2004)Google Scholar
- 7.Lee, D., Brownlee, N.: Passive Measurement of One-way and Two-way Flow Lifetimes. In: ACM SIGCOMM Computer Communication Review (2007)Google Scholar
- 8.Loewenstern, A.: DHT protocol (2008), http://www.bittorrent.org/beps/bep_0003.html
- 9.Moore, D., Shannon, C., Brown, D., Voelker, G., Savage, S.: Inferring Internet Denial-of-Service Activity. ACM Transactions on Computer Systems (May 2006)Google Scholar
- 10.Pang, R., Yegneswaran, V., Barford, P., Paxson, V., Peterson, L.: Characteristics of Internet Background Radiation. In: Proc. of the 4th ACM SIGCOMM Conference on Internet Measurement, IMC 2004, Sicily, Italy, pp. 27–40 (2004)Google Scholar
- 11.Porras, P., Saidi, H., Yegneswaran, V.: Conficker C P2P Protocol and Implementation. In: SRI International Technical Report, September 21 (2009), http://mtc.sri.com/Conficker/P2P/
- 12.Treurniet, J.: A network activity classification schema and its application to scan detection. IEEE/ACM Transactions on Networking PP(99) (2011)Google Scholar
- 13.wiki.theory.org. Bittorrent protocol specification v1.0 (2006), http://wiki.theory.org/BitTorrentSpecification
- 14.Wustrow, E., Karir, M., Bailey, M., Jahanian, F., Huston, G.: Internet background radiation revisited. In: Proceedings of the 10th Annual Conference on Internet Measurement, IMC 2010. ACM (2010)Google Scholar