ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
Characteristics of internet background radiation
Full text PdfPdf (396 KB)
Source Internet Measurement Conference archive
Proceedings of the 4th ACM SIGCOMM conference on Internet measurement table of contents
Taormina, Sicily, Italy
SESSION: Traffic characterization table of contents
Pages: 27 - 40  
Year of Publication: 2004
ISBN:1-58113-821-0
Authors
Ruoming Pang  Princeton University, Princeton, NJ
Vinod Yegneswaran  University of Wisconsin at Madison
Paul Barford  University of Wisconsin at Madison
Vern Paxson  International Computer Science Institute, Lawrence Berkeley Laboratory
Larry Peterson  Princeton University, Princeton, NJ
Sponsors
SIGCOMM: ACM Special Interest Group on Data Communication
ACM: Association for Computing Machinery
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 15,   Downloads (12 Months): 118,   Citation Count: 49
Additional Information:

abstract   references   cited by   index terms   collaborative colleagues  

Tools and Actions: Request Permissions Request Permissions    Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/1028788.1028794
What is a DOI?

ABSTRACT

Monitoring any portion of the Internet address space reveals incessant activity. This holds even when monitoring traffic sent to unused addresses, which we term "background radiation. " Background radiation reflects fundamentally nonproductive traffic, either malicious (flooding backscatter, scans for vulnerabilities, worms) or benign (misconfigurations). While the general presence of background radiation is well known to the network operator community, its nature has yet to be broadly characterized. We develop such a characterization based on data collected from four unused networks in the Internet. Two key elements of our methodology are <i>(i)</i> the use of <i>filtering</i> to reduce load on the measurement system, and <i>(ii)</i> the use of <i>active responders</i> to elicit further activity from scanners in order to differentiate different types of background radiation. We break down the components of background radiation by protocol, application, and often specific exploit; analyze temporal patterns and correlated activity; and assess variations across different networks and over time. While we find a menagerie of activity, probes from worms and autorooters heavily dominate. We conclude with considerations of how to incorporate our characterizations into monitoring and detection activities.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
1
W32 A gobot IB. http://www.sophos.com/virusinfo/analyses/trojagobotib.html.
 
2
C. Anley. Creating arbitrary shellcode in unicode expanded strings, January 2002. http://www.nextgenss.com/papers/unicodebo.pdf.
3
Martin F. Arlitt , Carey L. Williamson, Web server workload characterization: the search for invariants, Proceedings of the 1996 ACM SIGMETRICS international conference on Measurement and modeling of computer systems, p.126-137, May 23-26, 1996, Philadelphia, Pennsylvania, United States
 
4
L. Baldwin, P. Sloss, and S. Friedl. Iraqi Trace. http://www.mynetwatchman.com/kb/security/articles/iraqiworm/iraqitrace. htm.
 
5
W32 Beagle. J. http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.j@mm.html.
 
6
B. Caswell and M. Roesch. The SNORT network intrusion detection system. http://www.snort.org, April 2004.
 
7
Common Internet File System. http://www.snia.org/tech_activities/CIFS/CIFS-TR-1p00_FINAL.pdf.
 
8
M. Dacier, F. Pouget, and H. Debar. Attack processes found on the internet. In Proceedings of NATO Symposium, 2004.
 
9
P. Danzig, S. Jamin, R. C'aceres, D. Mitzel, and D. Estrin. An empirical workload model for driving wide-area TCP/IP network simulations. Internetworking: Research and Experience, 3:1--26, 1992.
 
10
DCE 1.1: Remote procedure call. http://www.opengroup.org/onlinepubs/9629399/toc.htm.
 
11
Flowreplay Design Notes. http://www.synfin.net/papers/flowreplay.pdf.
 
12
B. Greene. BGPv4 Security Risk Assessment, June 2002.
 
13
The Honeynet Project. http://project.honeynet.org, 2003.
 
14
J. Jung, V. Paxson, A. Berger,, and H. Balakrishnan. Fast portscan detectionusing sequential hypothesis testing. In Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, May 2004.
 
15
H. Kim and B. Karp. Autograph: Toward automated, distributed worm signature detection. In 13th USENIX Security Symposium, San Diego, California, August 2004.
16
Eddie Kohler , Robert Morris , Benjie Chen , John Jannotti , M. Frans Kaashoek, The click modular router, ACM Transactions on Computer Systems (TOCS), v.18 n.3, p.263-297, Aug. 2000  [doi>10.1145/354871.354874]
 
17
C. Kreibich and J. Crowcroft. Honeycomb--creating intrusion detection signatures using honeypots. In 2nd Workshop on Hot Topics in Networks (Hotnets-II), Cambridge, Massachusetts, November 2003.
 
18
D. Moore. Network telescopes: Observing small or distant security events. Invited Presentation at the 11th USENIX Security Symposium, 2002.
 
19
David Moore , Vern Paxson , Stefan Savage , Colleen Shannon , Stuart Staniford , Nicholas Weaver, Inside the Slammer Worm, IEEE Security and Privacy, v.1 n.4, p.33-39, July 2003  [doi>10.1109/MSECP.2003.1219056]
 
20
D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. Weaver. The spread of the sapphire/slammer worm. http://www.caida.org/outreach/papers/2003/sapphire/sapphire.html, 2003.
21
David Moore , Colleen Shannon , k claffy, Code-Red: a case study on the spread and victims of an internet worm, Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment, November 06-08, 2002, Marseille, France  [doi>10.1145/637201.637244]
 
22
D. Moore, C. Shannon, G. Voelker, and S. Savage. Internet quarantine: Requirements for containing self-propagating code. In Proceedings of IEEE INFOCOM, April 2003.
 
23
D. Moore, G. Voelker, and S. Savage. Inferring internet denial of service activity. In Proceedings of the 2001 USENIX Security Symposium, Washington D. C., August 2001.
 
24
W32 Mydoom. A@mm. http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.a@mm.html.
 
25
Vern Paxson, Empirically derived analytic models of wide-area TCP connections, IEEE/ACM Transactions on Networking (TON), v.2 n.4, p.316-336, Aug. 1994  [doi>10.1109/90.330413]
 
26
Vern Paxson, Bro: a system for detecting network intruders in real-time, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.31 n.23-24, p.2435-2463, Dec. 1999  [doi>10.1016/S1389-1286(99)00112-7]
 
27
N. Provos. The Honeyd Virtual Honeypot. http://www.honeyd.org, 2003.
 
28
W32 Randex. D. http://www.liutilities.com/products/wintaskspro/processlibrary/msmsgri32.
 
29
Martin Roesch, Snort - Lightweight Intrusion Detection for Networks, Proceedings of the 13th USENIX conference on System administration, November 07-12, 1999, Seattle, Washington
 
30
W32 Sasser. Worm. http://securityresponse. symantec. com/avcenter/venc/data/w32. sasser. worm. html.
 
31
Security Focus. Microsoft IIS 5. 0 "translate: f" source disclosure vulnerability. http://www.securityfocus. com/bid/1578/discussion/, April 2004.
 
32
S. Singh, C. Estan, G. Varghese, and S. Savage. The Earlybird system for real-time detection of unknown worms. Technical Report CS2003-0761, University of California, San Diego, August 2003.
 
33
Stuart Staniford , Vern Paxson , Nicholas Weaver, How to Own the Internet in Your Spare Time, Proceedings of the 11th USENIX Security Symposium, p.149-167, August 05-09, 2002
 
34
K. Thompson, G. Miller, and R. Wilder. Wide area I nternet traffic patterns and characteristics. IEEE Network, 11(6):10--23, November 1997.
 
35
Make your richer! Get more money easily! http://www.per.rcpt.to/lists/rlinetd/msg01850.html.
 
36
Dame Ware Mini Remote Control Server <= 3. 72 buffer overflow. http://www.securityfocus.com/archive/1/347576.
 
37
Microsoft Windows DCOM RPC interface buffer overrun vulnerability (MS 03-026). http://www.securityfocus.com/bid/8205.
 
38
Microsoft Windows Locator Service buffer overflow vulnerability (MS 03-001). http://www.securityfocus.com/bid/6666.
 
39
Microsoft Windows 2000 Web DAV buffer overflow vulnerability (MS 03-007). cite http://www.securityfocus.com/bid/7116.
 
40
Windows Messenger Popup Spam. http://www.lurhq.com/popup_spam.html.
 
41
W32 Xibo. http://www.sophos.com/virusinfo/analyses/w32xiboa.html.
 
42
V. Yegneswaran, P. Barford, and D. Plonka. On the design and use of internet sinks for network abuse monitoring. In Proceedings of Recent Advances in Intrusion Detection, 2004.
43
Vinod Yegneswaran , Paul Barford , Johannes Ullrich, Internet intrusions: global characteristics and prevalence, Proceedings of the 2003 ACM SIGMETRICS international conference on Measurement and modeling of computer systems, June 11-14, 2003, San Diego, CA, USA

CITED BY  49
Avinash Sridharan , Tao Ye, Tracking port scanners on the IP backbone, Proceedings of the 2007 workshop on Large scale attack defense, August 27-27, 2007, Kyoto, Japan
Marc E. Fiuczynski, PlanetLab: overview, history, and future directions, ACM SIGOPS Operating Systems Review, v.40 n.1, January 2006
Kuai Xu , Zhi-Li Zhang , Supratik Bhattacharyya, Profiling internet backbone traffic: behavior models and applications, ACM SIGCOMM Computer Communication Review, v.35 n.4, October 2005
Michael Vrable , Justin Ma , Jay Chen , David Moore , Erik Vandekieft , Alex C. Snoeren , Geoffrey M. Voelker , Stefan Savage, Scalability, fidelity, and containment in the potemkin virtual honeyfarm, ACM SIGOPS Operating Systems Review, v.39 n.5, December 2005
Fabio Ricciato , Francesco Vacirca , Martin Karner, Bottleneck detection in UMTS via TCP passive monitoring: a real case, Proceedings of the 2005 ACM conference on Emerging network experiment and technology, October 24-27, 2005, Toulouse, France
Kurt Rohloff , Tamer Başar, The detection of RCS worm epidemics, Proceedings of the 2005 ACM workshop on Rapid malcode, November 11-11, 2005, Fairfax, VA, USA
David W. Richardson , Steven D. Gribble , Edward D. Lazowska, The limits of global scanning worm detectors in the presence of background noise, Proceedings of the 2005 ACM workshop on Rapid malcode, November 11-11, 2005, Fairfax, VA, USA
Cliff C. Zou , Weibo Gong , Don Towsley , Lixin Gao, The monitoring and early detection of internet worms, IEEE/ACM Transactions on Networking (TON), v.13 n.5, p.961-974, October 2005
Yu Jin , György Simon , Kuai Xu , Zhi-Li Zhang , Vipin Kumar, Gray's anatomy: dissecting scanning activities using IP gray space analysis, Proceedings of the 2nd USENIX workshop on Tackling computer systems problems with machine learning techniques, p.1-6, April 10, 2007, Cambridge, MA
Fabio Ricciato, Unwanted traffic in 3G networks, ACM SIGCOMM Computer Communication Review, v.36 n.2, April 2006
Fabio Ricciato, Some remarks to recent papers on traffic analysis: or the case for public Wiki-like platforms for commenting published papers, ACM SIGCOMM Computer Communication Review, v.36 n.3, July 2006
Justin Ma , John Dunagan , Helen J. Wang , Stefan Savage , Geoffrey M. Voelker, Finding diversity in remote code injection exploits, Proceedings of the 6th ACM SIGCOMM on Internet measurement, October 25-27, 2006, Rio de Janeriro, Brazil
James Newsome , David Brumley , Jason Franklin , Dawn Song, Replayer: automatic protocol replay by binary analysis, Proceedings of the 13th ACM conference on Computer and communications security, October 30-November 03, 2006, Alexandria, Virginia, USA
Ruoming Pang , Vern Paxson , Robin Sommer , Larry Peterson, binpac: a yacc for writing application protocol parsers, Proceedings of the 6th ACM SIGCOMM on Internet measurement, October 25-27, 2006, Rio de Janeriro, Brazil
Ying Zhang , Evan Cooke , Z. Morley Mao, Internet-scale malware mitigation: combining intelligence of the control and data plane, Proceedings of the 4th ACM workshop on Recurring malcode, November 03-03, 2006, Alexandria, Virginia, USA
Lei Chen , Raghu Ramakrishnan , Paul Barford , Bee-Chung Chen , Vinod Yegneswaran, Composite subset measures, Proceedings of the 32nd international conference on Very large data bases, September 12-15, 2006, Seoul, Korea
John Bethencourt , Jason Franklin , Mary Vernon, Mapping internet sensors with probe response attacks, Proceedings of the 14th conference on USENIX Security Symposium, p.13-13, July 31-August 05, 2005, Baltimore, MD
Michael Bailey , Evan Cooke , Farnam Jahanian , Niels Provos , Karl Rosaen , David Watson, Data reduction for the scalable automated analysis of distributed darknet traffic, Proceedings of the Internet Measurement Conference 2005 on Internet Measurement Conference, p.21-21, October 19-21, 2005, Berkeley, CA
Kuai Xu , Zhi-Li Zhang , Supratik Bhattacharyya, Reducing unwanted traffic in a backbone network, Proceedings of the Steps to Reducing Unwanted Traffic on the Internet on Steps to Reducing Unwanted Traffic on the Internet Workshop, p.2-2, July 07, 2005, Cambridge, MA
Robert Beverly , Steven Bauer, The spoofer project: inferring the extent of source address filtering on the internet, Proceedings of the Steps to Reducing Unwanted Traffic on the Internet on Steps to Reducing Unwanted Traffic on the Internet Workshop, p.8-8, July 07, 2005, Cambridge, MA
Cliff C. Zou , Nick Duffield , Don Towsley , Weibo Gong, Adaptive defense against various network attacks, Proceedings of the Steps to Reducing Unwanted Traffic on the Internet on Steps to Reducing Unwanted Traffic on the Internet Workshop, p.10-10, July 07, 2005, Cambridge, MA
Abhishek Kumar , Vern Paxson , Nicholas Weaver, Exploiting underlying structure for detailed reconstruction of an internet-scale event, Proceedings of the Internet Measurement Conference 2005 on Internet Measurement Conference, p.33-33, October 19-21, 2005, Berkeley, CA
Vinod Yegneswaran , Jonathon T. Giffin , Paul Barford , Somesh Jha, An architecture for generating semantics-aware signatures, Proceedings of the 14th conference on USENIX Security Symposium, p.7-7, July 31-August 05, 2005, Baltimore, MD
Fabio Ricciato , Francesco Vacirca , Philipp Svoboda, Diagnosis of capacity bottlenecks via passive monitoring in 3G networks: An empirical analysis, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.51 n.4, p.1205-1231, March, 2007
Birger Tödtmann , Erwin P. Rathgeb, Anticipatory distributed packet filter configurations for carrier-grade IP networks, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.51 n.10, p.2565-2579, July, 2007
Evan Cooke , Andrew Myrick , David Rusek , Farnam Jahanian, Resource-aware multi-format network security data storage, Proceedings of the 2006 SIGCOMM workshop on Large-scale attack defense, p.177-184, September 11-15, 2006, Pisa, Italy
Brian Eriksson , Paul Barford , Robert Nowak , Mark Crovella, Learning network structure from passive measurements, Proceedings of the 7th ACM SIGCOMM conference on Internet measurement, October 24-26, 2007, San Diego, California, USA
Yu Jin , Zhi-Li Zhang , Kuai Xu , Feng Cao , Sambit Sahu, Identifying and tracking suspicious activities through IP gray space analysis, Proceedings of the 3rd annual ACM workshop on Mining network data, June 12-12, 2007, San Diego, California, USA
Kurt R. Rohloff , Tamer Bacşar, Deterministic and stochastic models for the detection of random constant scanning worms, ACM Transactions on Modeling and Computer Simulation (TOMACS), v.18 n.2, p.1-24, April 2008
Carrie Gates , Carol Taylor , Matt Bishop, Dependable security: testing network intrusion detection systems, Proceedings of the 3rd conference on Third Workshop on Hot Topics in System Dependability, p.12-12, June 26, 2007, Edinburgh, UK
Paul Barford , Mike Blodgett, Toward botnet mesocosms, Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets, p.6-6, April 10, 2007, Cambridge, MA
Chris Kanich , Kirill Levchenko , Brandon Enright , Geoffrey M. Voelker , Stefan Savage, The heisenbot uncertainty problem: challenges in separating bots from chaff, Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats, p.1-9, April 15-15, 2008, San Francisco, California
Michalis Polychronakis , Panayiotis Mavrommatis , Niels Provos, Ghost turns zombie: exploring the life cycle of web-based malware, Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats, p.1-8, April 15-15, 2008, San Francisco, California
Jian Zhang , Phillip Porras , Johannes Ullrich, Highly predictive blacklisting, Proceedings of the 17th conference on Security symposium, p.107-122, July 28-August 01, 2008, San Jose, CA
Carrie E. Gates, A case study in testing a network security algorithm, Proceedings of the 4th International Conference on Testbeds and research infrastructures for the development of networks & communities, March 18-20, 2008, Innsbruck, Austria
Jose M. Gonzalez , Vern Paxson , Nicholas Weaver, Shunting: a hardware/software architecture for flexible, high-performance network intrusion prevention, Proceedings of the 14th ACM conference on Computer and communications security, October 28-31, 2007, Alexandria, Virginia, USA
Carrie Gates , Carol Taylor, Challenging the anomaly detection paradigm: a provocative discussion, Proceedings of the 2006 workshop on New security paradigms, September 19-22, 2006, Germany
Walter Scheirer , Mooi Choo Chuah, Syntax vs. semantics: competing approaches to dynamic network intrusion detection, International Journal of Security and Networks, v.3 n.1, p.24-35, December 2008
Mark Allman , Vern Paxson , Jeff Terrell, A brief history of scanning, Proceedings of the 7th ACM SIGCOMM conference on Internet measurement, October 24-26, 2007, San Diego, California, USA
Richard J Barnett , Barry Irwin, Towards a taxonomy of network scanning techniques, Proceedings of the 2008 annual research conference of the South African Institute of Computer Scientists and Information Technologists on IT research in developing countries: riding the wave of technology, p.1-7, October 06-08, 2008, Wilderness, South Africa
Jaeyeon Jung , Anmol Sheth , Ben Greenstein , David Wetherall , Gabriel Maganis , Tadayoshi Kohno, Privacy oracle: a system for finding application leaks with black box differential testing, Proceedings of the 15th ACM conference on Computer and communications security, October 27-31, 2008, Alexandria, Virginia, USA
Brian Eriksson , Paul Barford , Robert Nowak, Network discovery from passive measurements, ACM SIGCOMM Computer Communication Review, v.38 n.4, October 2008
Kuai Xu , Zhi-Li Zhang , Supratik Bhattacharyya, Internet traffic behavior profiling for network security monitoring, IEEE/ACM Transactions on Networking (TON), v.16 n.6, p.1241-1252, December 2008
Romain Fontugne , Toshio Hirotsu , Kensuke Fukuda, An image processing approach to traffic anomaly detection, Proceedings of the 4th Asian Conference on Internet Engineering, November 18-20, 2008, Pratunam, Bangkok, Thailand
Erwan Le MalÉCot , Masayoshi Kohara , Yoshiaki Hori , Kouichi Sakurai, Toward a Scalable Visualization System for Network Traffic Monitoring, IEICE - Transactions on Information and Systems, v.E91-D n.5, p.1300-1310, May 2008
Wei Li , Marco Canini , Andrew W. Moore , Raffaele Bolla, Efficient application identification and the temporal and spatial stability of classification schema, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.53 n.6, p.790-809, April, 2009
Zhichun Li , Anup Goyal , Yan Chen , Vern Paxson, Automating analysis of large-scale botnet probing events, Proceedings of the 4th International Symposium on Information, Computer, and Communications Security, March 10-12, 2009, Sydney, Australia
Andrew G. Miklas , Stefan Saroiu , Alec Wolman , Angela Demke Brown, Bunker: a privacy-oriented platform for network tracing, Proceedings of the 6th USENIX symposium on Networked systems design and implementation, p.29-42, April 22-24, 2009, Boston, Massachusetts
Chin-Tser Huang , Jeff Janies, An adaptive approach to granular real-time anomaly detection, EURASIP Journal on Advances in Signal Processing, 2009, p.1-13, January 2009

INDEX TERMS

General Terms:
Measurement


Keywords:
honeypot, internet background radiation, network telescope

Collaborative Colleagues:
Ruoming Pang: colleagues
Vinod Yegneswaran: colleagues
Paul Barford: colleagues
Vern Paxson: colleagues
Larry Peterson: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player