Toward understanding distributed blackhole placement

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

Toward understanding distributed blackhole placement

Full text

Pdf (479 KB)

Source

Workshop on Rapid Malcode archive
Proceedings of the 2004 ACM workshop on Rapid malcode table of contents

Washington DC, USA

SESSION: Session 3 table of contents

Pages: 54 - 64

Year of Publication: 2004

ISBN:1-58113-970-5

Authors

Evan Cooke	University of Michigan, Ann Arbor, MI
Michael Bailey	University of Michigan, Ann Arbor, MI
Z. Morley Mao	University of Michigan, Ann Arbor, MI
David Watson	University of Michigan, Ann Arbor, MI
Farnam Jahanian	University of Michigan, Ann Arbor, MI
Danny McPherson	Arbor Networks

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control
ACM: Association for Computing Machinery

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 2, Downloads (12 Months): 37, Citation Count: 16

Additional Information:

abstract references cited by index terms collaborative colleagues

Tools and Actions:	Request Permissions Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/1029618.1029627 What is a DOI?

ABSTRACT

The monitoring of unused Internet address space has been shown to be an effective method for characterizing Internet threats including Internet worms and DDOS attacks. Because there are no legitimate hosts in an unused address block, traffic must be the result of misconfiguration, backscatter from spoofed source addresses, or scanning from worms and other probing. This paper extends previous work characterizing traffic seen at specific unused address blocks by examining differences observed between these blocks. While past research has attempted to extrapolate the results from a small number of blocks to represent global Internet traffic, we present evidence that distributed address blocks observe dramatically different traffic patterns. This work uses a network of blackhole sensors which are part of the Internet Motion Sensor (IMS) collection infrastructure. These sensors are deployed in networks belonging to service providers, large enterprises, and academic institutions representing a diverse sample of the IPv4 address space. We demonstrate differences in traffic observed along three dimensions: over all protocols and services, over a specific protocol and service, and over a particular worm signature. This evidence is then combined with additional experimentation to build a list of sensor properties providing plausible explanations for these differences. Using these properties, we conclude with recommendations for the understanding the implications of sensor placement.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	CERT. CERT Advisory CA-2001-26 Nimda Worm. http://www.cert.org/advisories/CA-2001-26.html, September 2001.
	2	CERT. Code Red II: Another worm exploiting buffer overflow in IIS indexing service DLL. http://www.cert.org/incident_notes/IN-2001-09.html, August 2001.
	3	CERT. CERT Advisory CA-2003-20 W32/Blaster worm. http://www.cert.org/advisories/CA-2003-20.html, August 2003.
	4	CERT. CERT advisory CA-2003-20 W32/Blaster worm. http://www.cert.org/advisories/CA-2003-20.html, August 2003.
	5	Cisco Systems. Net Flow services and applications, 1999.
	6	Evan Cooke, Michael Bailey, David Watson, Farnam Jahanian, and Jose Nazario. The Internet motion sensor: A distributed global scoped Internet threat monitoring system. Technical Report CSE-TR-491-04, University of Michigan, Electrical Engineering and Computer Science, July 2004.
	7	Dan Golding. Peering Evolution. Nanog Presentation, October 2002.
	8	Craig Labovitz, Abha Ahuja, and Michael Bailey. Shining Light on Dark Address Space. http://www.arbornetworks.com/downloads/research38/dark_address_space.pdf, November 2001.
	9	Zhuoqing Morley Mao , Ramesh Govindan , George Varghese , Randy H. Katz, Route flap damping exacerbates internet routing convergence, Proceedings of the 2002 conference on Applications, technologies, architectures, and protocols for computer communications, August 19-23, 2002, Pittsburgh, Pennsylvania, USA
	10	Microsoft Corporation. What you should know about the Sasser worm and its variants. http://www.microsoft.com/security/incident/sasser.mspx, May 2004.
	11	David Moore. Network telescopes: Observing small or distant security events. In 11th USENIX Security Symposium, Invited talk, San Francisco, CA, August 5--9 2002. Unpublished.
	12	David Moore , Vern Paxson , Stefan Savage , Colleen Shannon , Stuart Staniford , Nicholas Weaver, Inside the Slammer Worm, IEEE Security and Privacy, v.1 n.4, p.33-39, July 2003 [doi>10.1109/MSECP.2003.1219056]
	13	David Moore, Colleen Shannon, Geoffrey M. Voelker, and Stefan Savage. Network Telescopes: Technical Report. Technical report, Cooperative Association for Internet Data Analysis - CAIDA, 2004.
	14	David Moore, Geoffrey M. Voelker, and Stefan Savage. Inferring Internet denial-of-service activity. In Proceedings of the Tenth USENIX Security Symposium, pages 9--22, Washington, D.C., August 13--17 2001. USENIX.
	15	Chris Morrow and Brian Gemberling. How to Allow your Customers to blackhole their own traffic. http://www.secsup.org/CustomerBlackHole/.
	16	R. Pang, V. Yegneswaran, P. Barford, V. Paxson, and L. Peterson. Characteristics of Internet Background Radiation. Available at http://www.cs.princeton.edu/nsg/papers/telescope.pdf.
	17	Vern Paxson, Bro: a system for detecting network intruders in real-time, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.31 n.23-24, p.2435-2463, Dec. 1999 [doi>10.1016/S1389-1286(99)00112-7]
	18	Niels Provos. Honeyd ---A virtual honeypot daemon. In 10th DFN-CERT Workshop, Hamburg, Germany, February 2003.
	19	Martin Roesch, Snort - Lightweight Intrusion Detection for Networks, Proceedings of the 13th USENIX conference on System administration, November 07-12, 1999, Seattle, Washington
	20	SANS Institute. Internet storm center. http://isc.incidents.org/, June 2004.
	21	Colleen Shannon and David Moore. The spread of the Witty worm. http://www.caida.org/analysis/secuirty/witty/, June 2004.
	22	Dug Song, Rob Malan, and Robert Stone. A snapshot of global Internet worm activity. Technical report, Arbor Networks, 2001.
	23	L. Spitzner, Honeypots: Tracking Hackers, Addison-Wesley Longman Publishing Co., Inc., Boston, MA, 2002
	24	Lance Spitzner et al. The honeynet project. http://project.honeynet.org/, June 2004.
	25	Robert Stone. CenterTrack: An IP overlay network for tracking DoS floods. In USENIX, editor, Proceedings of the 9th USENIX Security Symposium, pages 199--212, Berkeley, CA, USA, August 14--17 2000. The USENIX Association.
	26	Symantec Corp. Linux.Slapper.Worm. http://securityresponse.symantec.com/avcenter/venc/data/linux.slapper.worm.html.
	27	Team CYMRU. The darknet project. http://www.cymru.com/Darknet/index.html, June 2004.
	28	University of Oregon.RouteViews project. http://www.routeviews.org/.
	29	Nicholas Weaver , Vern Paxson , Stuart Staniford , Robert Cunningham, A taxonomy of computer worms, Proceedings of the 2003 ACM workshop on Rapid malcode, October 27-27, 2003, Washington, DC, USA [doi>10.1145/948187.948190]
	30	Vinod Yegneswaran, Paul Barford, and Somesh Jha. Global intrusion detection in the DOMINO overlay system. In Proceedings of Network and Distributed System Security Symposium ( NDSS '04), San Diego, CA, February 2004.
	31	Vinod Yegneswaran, Paul Barford, and Dave Plonka. On the design and use of Internet sinks for network abuse monitoring. Technical Report 1497, University of Wisconsin, Computer Science Department, 2004.
	32	Cliff C. Zou, Don Towsley, Weibo Gong, and Songlin Cai. Routing Worm: A Fast, Selective Attack Worm based on IP Address Information. UMass ECE Technical Report TR-03-CSE-06, November 2003.

CITED BY 16

	Warren Harrop , Grenville Armitage, Greynets: a definition and evaluation of sparsely populated darknets, Proceeding of the 2005 ACM SIGCOMM workshop on Mining network data, August 26-26, 2005, Philadelphia, Pennsylvania, USA
	David W. Richardson , Steven D. Gribble , Edward D. Lazowska, The limits of global scanning worm detectors in the presence of background noise, Proceedings of the 2005 ACM workshop on Rapid malcode, November 11-11, 2005, Fairfax, VA, USA
	David S. Anderson , Chris Fleizach , Stefan Savage , Geoffrey M. Voelker, Spamscatter: characterizing internet scam hosting infrastructure, Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium, p.1-14, August 06-10, 2007, Boston, MA
	Warren Harrop , Grenville Armitage, Real-time collaborative network monitoring and control using 3D game engines for representation and interaction, Proceedings of the 3rd international workshop on Visualization for computer security, November 03-03, 2006, Alexandria, Virginia, USA
	Yoichi Shinoda , Ko Ikai , Motomu Itoh, Vulnerabilities of passive internet threat monitors, Proceedings of the 14th conference on USENIX Security Symposium, p.14-14, July 31-August 05, 2005, Baltimore, MD
	Moheeb Abu Rajab , Fabian Monrose , Andreas Terzis, On the effectiveness of distributed worm monitoring, Proceedings of the 14th conference on USENIX Security Symposium, p.15-15, July 31-August 05, 2005, Baltimore, MD
	Michael Bailey , Evan Cooke , Farnam Jahanian , Niels Provos , Karl Rosaen , David Watson, Data reduction for the scalable automated analysis of distributed darknet traffic, Proceedings of the Internet Measurement Conference 2005 on Internet Measurement Conference, p.21-21, October 19-21, 2005, Berkeley, CA
	Abhishek Kumar , Vern Paxson , Nicholas Weaver, Exploiting underlying structure for detailed reconstruction of an internet-scale event, Proceedings of the Internet Measurement Conference 2005 on Internet Measurement Conference, p.33-33, October 19-21, 2005, Berkeley, CA
	Sachin Katti , Balachander Krishnamurthy , Dina Katabi, Collaborating against common enemies, Proceedings of the Internet Measurement Conference 2005 on Internet Measurement Conference, p.34-34, October 19-21, 2005, Berkeley, CA
	K. G. Anagnostakis , S. Sidiroglou , P. Akritidis , K. Xinidis , E. Markatos , A. D. Keromytis, Detecting targeted attacks using shadow honeypots, Proceedings of the 14th conference on USENIX Security Symposium, p.9-9, July 31-August 05, 2005, Baltimore, MD
	L. Li , P. Liu , Y. C. Jhi , G. Kesidis, Evaluation of collaborative worm containment on the DETER testbed, Proceedings of the DETER Community Workshop on Cyber Security Experimentation and Test on DETER Community Workshop on Cyber Security Experimentation and Test 2007, p.5-5, August 06-07, 2007, Boston, MA
	Spiros Antonatos , Kostas Anagnostakis , Evangelos Markatos, Honey@home: a new approach to large-scale threat monitoring, Proceedings of the 2007 ACM workshop on Recurring malcode, November 02-02, 2007, Alexandria, Virginia, USA
	George Kesidis , Ihab Hamadeh , Youngmi Jin , Soranun Jiwasurat , Milan Vojnović, A model of the spread of randomly scanning Internet worms that saturate access links, ACM Transactions on Modeling and Computer Simulation (TOMACS), v.18 n.2, p.1-14, April 2008
	Mark Allman , Vern Paxson , Jeff Terrell, A brief history of scanning, Proceedings of the 7th ACM SIGCOMM conference on Internet measurement, October 24-26, 2007, San Diego, California, USA
	Erwin Louis Carrow, InfoSec technology management of user space and services through security threat gateways, Proceedings of the 4th annual conference on Information security curriculum development, September 28-28, 2007, Kennesaw, Georgia
	Erwin Louis Carrow, Puppetnets and botnets: information technology vulnerability exploits that threaten basic internet use, Proceedings of the 4th annual conference on Information security curriculum development, September 28-28, 2007, Kennesaw, Georgia