ABSTRACT
Internet background radiation (IBR) is a particularly interesting component of Internet traffic because it is the product of attacks and misconfigurations. Previous work has primarily analyzed IBR traffic arriving at large unused IP address blocks called network telescopes. In this work, we build new techniques for monitoring one-way traffic in live networks with two main goals: 1) extending our understanding of this type of traffic to live networks and 2) making it useful for detecting and analyzing the impact of outages. Our first contribution is a classification scheme that dissects one-way traffic into useful classes, including one-way traffic due to unreachable services, scanning, peer-to-peer applications, and backscatter. The scheme makes it possible to monitor IBR traffic in live networks solely from flow-level data. After thoroughly validating our classifier, we use it to analyze a massive data set covering 7.41 petabytes of traffic from a large backbone network and shed light on the composition of one-way traffic. We find that the main sources of one-way traffic are malicious scanning, peer-to-peer applications, and outages. In addition, we report a number of interesting observations, including that one-way traffic makes up a very large fraction, between 34% and 67%, of the total number of flows to the monitored network, although it accounts for only 3.4% of the packets; this suggests a new conceptual model of Internet traffic in which IBR is dominant in terms of flows. Finally, we demonstrate the utility of one-way traffic, in particular the class of unreachable services, for monitoring network and service outages by analyzing the impact of interesting events we detected in the network of our university.
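The following added example (not code from the paper or its authors) sketches how flow-level one-way detection and classification into the abstract's classes can work: unidirectional flow records are paired into biflows, records with no reverse direction are isolated, and each is labelled by simple heuristics. The records, the fan-out threshold and the per-class rules are my own assumptions for illustration, not the published classifier.

```python
from collections import defaultdict

# Constructed NetFlow-style records (not real data):
# (src, dst, proto, sport, dport, packets, tcp_flags)
FLOWS = [
    ("10.0.0.5", "192.0.2.10", "tcp", 40001, 80, 12, "SAPF"),   # two-way web session
    ("192.0.2.10", "10.0.0.5", "tcp", 80, 40001, 10, "SAPF"),
    ("203.0.113.9", "192.0.2.20", "tcp", 80, 33000, 1, "SA"),   # reply with no request seen
    ("10.0.0.6", "192.0.2.30", "tcp", 50000, 443, 3, "S"),      # retried SYNs, silent server
    ("10.0.0.7", "192.0.2.40", "udp", 51413, 6881, 2, ""),      # high-port UDP, no answer
] + [("198.51.100.7", f"192.0.2.{i}", "tcp", 5555, 22, 1, "S") for i in range(11, 16)]

SCAN_FANOUT = 5  # assumption: one-way SYNs to >= 5 distinct hosts in the window


def split_one_way(flows):
    """Pair records into biflows; return those with no reverse-direction record."""
    seen = {(s, d, p, sp, dp) for s, d, p, sp, dp, *_ in flows}
    return [f for f in flows if (f[1], f[0], f[2], f[4], f[3]) not in seen]


def one_way_share(flows):
    """Fraction of flows and of packets that are one-way (the abstract's two metrics)."""
    one_way = split_one_way(flows)
    return (len(one_way) / len(flows),
            sum(f[5] for f in one_way) / sum(f[5] for f in flows))


def classify(flows):
    """Label each one-way record with an assumed heuristic per class of the abstract."""
    one_way = split_one_way(flows)
    fanout = defaultdict(set)               # distinct targets of unanswered TCP SYNs
    for s, d, p, sp, dp, _, fl in one_way:
        if p == "tcp" and fl == "S":
            fanout[s].add(d)
    labelled = []
    for f in one_way:
        s, d, p, sp, dp, _, fl = f
        if p == "tcp" and fl == "S" and len(fanout[s]) >= SCAN_FANOUT:
            cls = "scanning"                # horizontal SYN fan-out from one source
        elif p == "tcp" and ("A" in fl or "R" in fl):
            cls = "backscatter"             # SYN-ACK/RST replies to a request we never saw
        elif dp < 1024:
            cls = "unreachable_service"     # request to a well-known port that stays silent
        elif p == "udp" and sp > 1024 and dp > 1024:
            cls = "p2p"                     # peer still probing a departed peer (assumed)
        else:
            cls = "other"
        labelled.append((f, cls))
    return labelled


def class_counts(flows):
    """Histogram of classes, convenient for a per-window report."""
    counts = defaultdict(int)
    for _, cls in classify(flows):
        counts[cls] += 1
    return dict(counts)
```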
Supplemental Material
Summary Review Documentation for "Classifying Internet One-way Traffic", Authors: E. Glatz and X. Dimitropoulos