Advertisement

One-Way Traffic Monitoring with iatmon

  • Nevil Brownlee
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7192)

Abstract

During the last decade, unsolicited one-way Internet traffic has been used to study malicious activity on the Internet. Researchers usually observe such traffic using network telescopes deployed on darkspace (unused address space). When darkspace observations began ten years ago, one-way traffic was minimal. Over the last five years, however, traffic levels have risen so that they are now high enough to require more subtle differentiation – raw packet and byte or even port counts make it hard to discern and distinguish new activities.

To make changes in composition of one-way traffic aggregates more detectable, we have developed iatmon (Inter-Arrival Time Monitor), a freely available measurement and analysis tool that allows one to separate one-way traffic into clearly-defined subsets. Initially we have implemented two subsetting schemes; source types, based on the schema proposed in [12]; and inter-arrival-time (IAT) groups that summarise source behaviour over time.

We use 14 types and 10 groups, giving us a matrix of 140 type + group subsets. Each subset constitutes only a fraction of the total traffic, so changes within the subsets are easily observable when changes in total traffic levels might not even be noticeable.

We report on our experience with this tool to observe changes in one-way traffic at the UCSD network telescope over the first half of 2011. Daily average plots of source numbers and their traffic volumes show clear long-term changes in several of our types and groups.

Keywords

Source Type Source Address Network Telescope Subsetting Scheme Spoof Source Address 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Aben, E.: Conficker as seen from UCSD Network Telescope (February 2009), http://www.caida.org/research/security/ms08-067/conficker.xml
  2. 2.
    Barford, P., Nowak, R., Willett, R., Yegneswaran, V.: Toward a Model for Source Address of Internet Background Radiation. In: Proc. Passive and Active Measurement Conference, PAM 2006, Adelaide, Australia (2006)Google Scholar
  3. 3.
    CAIDA. Ucsd network telescope data use policy and request form, http://www.caida.org/data/passive/telescope_dataset_request.xml
  4. 4.
    CAIDA. UCSD Network Telescope global attack traffic, http://www.caida.org/data/realtime/telescope/
  5. 5.
    CAIDA. UCSD Network Telescope Research, http://www.caida.org/data/passive/network_telescope.xml
  6. 6.
    Cooke, E., Bailey, M., Mao, Z., Watson, D., Jahanian, F., McPherson, D.: Toward understanding distributed blackhole placement. In: Proc. ACM Workshop on Rapid Malcode, WORM 2004, Washington DC, USA, pp. 54–64 (2004)Google Scholar
  7. 7.
    Lee, D., Brownlee, N.: Passive Measurement of One-way and Two-way Flow Lifetimes. In: ACM SIGCOMM Computer Communication Review (2007)Google Scholar
  8. 8.
    Loewenstern, A.: DHT protocol (2008), http://www.bittorrent.org/beps/bep_0003.html
  9. 9.
    Moore, D., Shannon, C., Brown, D., Voelker, G., Savage, S.: Inferring Internet Denial-of-Service Activity. ACM Transactions on Computer Systems (May 2006)Google Scholar
  10. 10.
    Pang, R., Yegneswaran, V., Barford, P., Paxson, V., Peterson, L.: Characteristics of Internet Background Radiation. In: Proc. of the 4th ACM SIGCOMM Conference on Internet Measurement, IMC 2004, Sicily, Italy, pp. 27–40 (2004)Google Scholar
  11. 11.
    Porras, P., Saidi, H., Yegneswaran, V.: Conficker C P2P Protocol and Implementation. In: SRI International Technical Report, September 21 (2009), http://mtc.sri.com/Conficker/P2P/
  12. 12.
    Treurniet, J.: A network activity classification schema and its application to scan detection. IEEE/ACM Transactions on Networking PP(99) (2011)Google Scholar
  13. 13.
    wiki.theory.org. Bittorrent protocol specification v1.0 (2006), http://wiki.theory.org/BitTorrentSpecification
  14. 14.
    Wustrow, E., Karir, M., Bailey, M., Jahanian, F., Huston, G.: Internet background radiation revisited. In: Proceedings of the 10th Annual Conference on Internet Measurement, IMC 2010. ACM (2010)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Nevil Brownlee
    • 1
    • 2
  1. 1.CAIDAUC San DiegoUSA
  2. 2.The University of AucklandNew Zealand

Personalised recommendations