DOI: 10.1145/1298306.1298314

Understanding passive and active service discovery

Published: 24 October 2007

ABSTRACT

Increasingly, network operators do not directly operate computers on their network, yet are responsible for assessing network vulnerabilities to ensure compliance with policies about information disclosure, and tracking services that affect provisioning. Thus, with decentralized network management, service discovery becomes an important part of maintaining and protecting computer networks.

We explore two approaches to service discovery: active probing and passive monitoring. Active probing finds all services currently on the network, except services temporarily unavailable or hidden by firewalls; however, it is often too invasive, especially if used across administrative boundaries. Passive monitoring can find transient services, but misses services that are idle. We compare the accuracy of passive and active approaches to service discovery and show that they are complementary, highlighting the need for multiple active scans coupled with long-duration passive monitoring. We find passive monitoring is well suited for quickly finding popular services, finding servers responsible for 99% of incoming connections within minutes. Active scanning is better suited to rapidly finding all servers, which is important for vulnerability detection - one scan finds 98% of services in two hours, missing only a handful. External scans are an unexpected ally to passive monitoring, speeding service discovery by the equivalent of 9-15 days of additional observation. Finally, we show how the use of static or dynamic addresses changes the effectiveness of service discovery, both due to address reuse and VPN effects.
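
The trade-off the abstract describes can be made concrete with a small passive-discovery simulation. The following is an added example, not code from the paper or its authors: it parses a constructed log of observed TCP SYN-ACKs (the direction that identifies the responding host as a server), records each service's first-seen time and connection count, and reports when the discovered services account for a given share of all connections. It then compares the passively discovered set with a constructed inventory standing in for the result of an active scan, so the idle service (found only by scanning) and the transient service (found only by passive observation) are both visible. The log format, addresses and inventory are assumptions made up for this example.

```python
"""Passive service discovery over a constructed SYN-ACK log (added example)."""
import re
from collections import Counter

# Constructed sample of a passive monitor's output: one line per observed
# SYN-ACK, "t=<seconds> <server_ip>:<port> -> <client_ip>". Not real traffic.
SAMPLE_LOG = """\
t=12 10.0.0.5:443 -> 192.0.2.10
t=15 10.0.0.5:443 -> 192.0.2.11
t=40 10.0.0.7:25 -> 198.51.100.3
t=41 10.0.0.5:443 -> 192.0.2.12
# passive sensor restarted (malformed line, ignored by the parser)
t=90 10.0.0.5:80 -> 192.0.2.13
t=95 10.0.0.5:443 -> 192.0.2.14
t=200 10.0.0.20:8080 -> 192.0.2.15
t=3600 10.0.0.9:22 -> 203.0.113.8
"""

# Constructed stand-in for what a single active scan would report: every
# listening service at scan time, including one (3306) that never receives a
# connection during the passive window, and excluding the transient 8080
# service that was only up briefly.
SCAN_INVENTORY = {
    ("10.0.0.5", 443), ("10.0.0.5", 80), ("10.0.0.7", 25),
    ("10.0.0.9", 22), ("10.0.0.11", 3306),
}

LINE_RE = re.compile(r"^t=(\d+) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\S+)$")


def parse_synacks(log):
    """Yield (time, (server_ip, port)) tuples; skip lines that don't parse."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield int(m.group(1)), (m.group(2), int(m.group(3)))


def passive_discovery(log):
    """Map each service seen answering a connection to (first_seen, count)."""
    first_seen = {}
    counts = Counter()
    for t, svc in parse_synacks(log):
        first_seen.setdefault(svc, t)
        counts[svc] += 1
    return {svc: (first_seen[svc], counts[svc]) for svc in first_seen}


def time_to_cover(log, share):
    """Observation time by which the services discovered so far account for
    at least `share` of all connections in the log (None if never reached)."""
    discovered = passive_discovery(log)
    total = sum(count for _, count in discovered.values())
    if total == 0:
        return None
    covered = 0
    for _, (first_seen, count) in sorted(discovered.items(), key=lambda kv: kv[1][0]):
        covered += count
        if covered / total >= share:
            return first_seen
    return None


def compare_with_scan(log, inventory):
    """Split services into those found by both methods, passive only, scan only."""
    seen = set(passive_discovery(log))
    return {
        "both": seen & inventory,
        "passive_only": seen - inventory,   # transient: up only during the window
        "scan_only": inventory - seen,      # idle: listening but never contacted
    }


if __name__ == "__main__":
    for share in (0.5, 0.75, 0.99):
        print(f"{int(share * 100)}% of connections covered by t={time_to_cover(SAMPLE_LOG, share)}s")
    for label, services in compare_with_scan(SAMPLE_LOG, SCAN_INVENTORY).items():
        print(label, sorted(services))
```

With the constructed log, the busiest service (443) is discovered at t=12 and already accounts for half of all connections, while reaching 99% coverage takes until the lone SSH connection at t=3600; the comparison shows 3306 as scan-only (idle) and 8080 as passive-only (transient), which is the complementarity the abstract argues for.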

Published in

IMC '07: Proceedings of the 7th ACM SIGCOMM conference on Internet measurement
October 2007, 390 pages
ISBN: 9781595939081
DOI: 10.1145/1298306

Copyright © 2007 ACM

Publisher: Association for Computing Machinery, New York, NY, United States
