Characteristics of Internet Background Radiation
Authors: Ruoming Pang, Vinod Yegneswaran, Paul Barford, Vern Paxson, & Larry Peterson
Publisher: ACM Internet Measurement Conference (IMC), 2004
Presented by: Chowdhury, Abu Rahat
Today’s Outline
• The Authors and their Problem Statements
• Objective & Terminology
• The Study and Network Telescope
• Measurement Methodology:
– Passive Measurement
– Active Measurement
• Comments
The Authors
• Ruoming Pang: Software Engineer, Google NY
Current Research Projects and Thrusts: Measurement, analysis, and security of wide-area networked systems and network protocols
• Vern Paxson: Associate Professor, EECS Department, UC Berkeley
• Vinod Yegneswaran: Grad Student, Computer Science and Statistics, University of Wisconsin
• Paul Barford: Assistant Professor, Department of Computer Sciences, University of Wisconsin-Madison
• Larry L. Peterson: Professor, Department of Computer Science, Princeton, NJ 08544
The Problem
• Background radiation reflects fundamentally nonproductive traffic, either malicious or benign. While the general presence of background radiation is well known to the network operator community, its nature has yet to be broadly characterized.
• Goals of characterization:
– What is all this nonproductive traffic trying to do?
– How can we filter it out to detect new types of malicious activity?
Objective
• To characterize background radiation based on:
– Types of attack, behavior, traffic composition, frequency, target networks, etc.
• Secondary objectives:
– Development of an effective traffic filtering system
– Use of active responders to effectively identify the
We are all exposed to ionizing radiation from natural sources at all times. This radiation is called natural background radiation, and its main sources are the following:
• Radioactive substances in the earth's crust
• Emanation of radioactive gas from the earth
• Cosmic rays from outer space which bombard the earth
Image source: Google Earth
Internet Background Radiation
• The baseline “noise” of Internet traffic
– Every IP address, even an unused one, receives packets constantly, so this is fundamentally nonproductive traffic.
• Data-driven:
– Which responders to build is decided from the observed traffic volumes
• Application-level responders:
– Must not only adhere to the structure of the underlying protocol, but also know what to say
• New types of activity emerge over time, so the responders also need to evolve
Radiation Activity Classification
• Which malware is most active?
• What is the most popular application?
• Which vulnerability is most targeted?
A Rich Collection of Applications Is Targeted in the Background Radiation
• Windows RPC
• HTTP
• NetBIOS/CIFS/SMB
• Virus backdoors (MyDoom, Beagle, etc.)
• DameWare
• Universal PnP
• Microsoft SQL (Slammer)
• MySQL
• DNS
• BitTorrent
TCP Port 80 (HTTP)
• Targeted against Microsoft IIS servers.
• The dominant activity is a WebDAV buffer-overrun exploit.
TCP Port 80 (HTTP): Port 80 activities (figure)
Other Figures (figures only)
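The two slides above (application-level responders that must “know what to say”, and port 80 traffic dominated by a WebDAV buffer-overrun exploit against IIS) are easier to picture with a concrete responder. The following is an added example written for this summary, not code from Pang et al.: a minimal HTTP responder that parses whatever arrives on port 80, answers with a protocol-correct reply so the source keeps talking, and labels the request. The sample requests, the WebDAV-method set, the 8192-byte “oversized URI” threshold and the IIS-style Server banner are all assumptions made for the illustration, not values taken from the paper.

```python
"""Minimal application-level HTTP responder and request classifier.

Added example for this summary; it is not code from Pang et al. The
sample requests, WEBDAV_METHODS, OVERSIZED_URI and SERVER_BANNER are
assumptions chosen for illustration.
"""
import re
from dataclasses import dataclass, field

# Constructed sample requests standing in for what a responder on port 80 might receive.
SAMPLE_REQUESTS = {
    "plain_get": b"GET / HTTP/1.0\r\nHost: 10.0.0.5\r\n\r\n",
    # Assumed shape of a WebDAV buffer-overrun attempt: an absurdly long request-URI.
    "webdav_long_search": b"SEARCH /" + b"A" * 70000 + b" HTTP/1.1\r\nHost: 10.0.0.5\r\n\r\n",
    "webdav_probe": b"PROPFIND / HTTP/1.1\r\nHost: 10.0.0.5\r\nDepth: 0\r\n\r\n",
    "garbage": b"\x00\x01\x02junk\r\n\r\n",
}

WEBDAV_METHODS = {"SEARCH", "PROPFIND", "PROPPATCH", "LOCK", "UNLOCK", "MKCOL", "MOVE", "COPY"}
OVERSIZED_URI = 8192  # assumed threshold; legitimate clients stay far below it
SERVER_BANNER = b"Microsoft-IIS/5.0"  # assumed: the responder pretends to be the targeted server

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(\d\.\d)\r\n")


@dataclass
class ParsedRequest:
    method: str
    uri: str
    version: str
    headers: dict = field(default_factory=dict)


def parse_request(raw: bytes):
    """Return a ParsedRequest, or None if raw is not (yet) a complete HTTP request."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None  # header block not finished: caller must keep reading
    m = REQUEST_LINE.match(head + b"\r\n")
    if not m:
        return None  # not HTTP at all (binary junk, another protocol on port 80, ...)
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name:
            headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return ParsedRequest(m.group(1).decode("ascii"), m.group(2).decode("latin-1"),
                         m.group(3).decode("ascii"), headers)


def classify(raw: bytes) -> str:
    """Label the request the way an application-level classifier would."""
    req = parse_request(raw)
    if req is None:
        return "non-http"
    if req.method in WEBDAV_METHODS:
        return "webdav-overrun-attempt" if len(req.uri) > OVERSIZED_URI else "webdav-probe"
    return "http-" + req.method.lower()


def respond(raw: bytes) -> bytes:
    """Protocol-correct reply that is plausible enough to keep the source talking."""
    req = parse_request(raw)
    if req is None:
        return b""  # nothing sensible to say to non-HTTP bytes
    if req.method in WEBDAV_METHODS and len(req.uri) <= OVERSIZED_URI:
        status, body = b"207 Multi-Status", b'<?xml version="1.0"?><D:multistatus xmlns:D="DAV:"/>'
    else:
        status, body = b"200 OK", b"<html><body>ok</body></html>"
    return (b"HTTP/1.1 " + status + b"\r\nServer: " + SERVER_BANNER +
            b"\r\nContent-Length: " + str(len(body)).encode("ascii") + b"\r\n\r\n" + body)


def drive(chunks):
    """Feed bytes as a socket would deliver them; classify once the header block is complete."""
    buf = b""
    for chunk in chunks:
        buf += chunk
        if b"\r\n\r\n" in buf:
            return classify(buf), respond(buf)
    return "incomplete", b""


if __name__ == "__main__":
    for name, raw in SAMPLE_REQUESTS.items():
        print(f"{name:20s} -> {classify(raw)}")
```

The point of `drive` is the one the deck makes about active measurement: a passive trace that only sees the SYN, or the first segment, cannot tell the long SEARCH request from a harmless PROPFIND; the responder has to speak enough HTTP to make the source send the rest before it can label anything.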
Summary of Active Observation
• Study the dominant activities on the popular ports
• The same attacker is seen on multiple networks
• Some sources avoid the Class A network
• Traffic is divided by ports:
– Consider all connections between a source-destination pair on a given destination port
• Background radiation concentrates on a small number of ports:
– Only look at the most popular ports.
– Many popular ports are also used by normal traffic, so classification has to work at the application-semantic level.
– Many replies are needed to see what is happening
Conclusion
• Background radiation is complex in structure, highly automated, frequently malicious, potentially adversarial, and maturing rapidly
• Passive measurement reveals only part of the story
• Need to interact with the traffic to see what the attacker’s actual objectives are
Strengths
• First attempt to characterize background radiation
• Good measurement methodology:
– Detailed set of active responders for popular ports
• Meaningful data analysis:
– Passive analysis: activities concentrate on popular ports
– Active analysis: extreme dynamism in many aspects of background radiation
Weaknesses
• The filtering could be biased:
– It assumes a source sends the same kind of activity to all destination IP addresses
– It fails to capture multi-vector worms that pick one exploit per IP address
• A significant number of connections did not proceed
• DHCP makes the source IP address less accurate as a source identity
• To what extent can the development of application-level responders be automated?
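Both the “traffic is divided by ports / consider all connections between a source-destination pair on a given destination port” bullet in the active-observation summary and the filtering-bias weakness above describe the same mechanism, so one added example covers both. This is code written for this summary, not the paper’s implementation: a source-destination filter that, for each (source, destination port), keeps connections to only the first N distinct destinations, run over a constructed set of connection records. The records, the activity labels and the budget N = 2 are assumptions; the second source is a hypothetical multi-vector worm that uses a different exploit for every destination, which is exactly the case the weakness slide says the filter misses.

```python
"""Source-destination filtering over constructed connection records.

Added example for this summary, not the paper's code. The records, the
activity labels and the per-(source, port) destination budget N are
assumptions chosen to show the filter and its blind spot.
"""
from collections import defaultdict

# Constructed records: (src, dst, dport, activity). The activity label is what an
# application-level responder would have assigned after talking to the source.
RECORDS = [
    ("198.51.100.7", "10.0.0.1", 80, "webdav-overrun"),
    ("198.51.100.7", "10.0.0.2", 80, "webdav-overrun"),
    ("198.51.100.7", "10.0.0.3", 80, "webdav-overrun"),
    ("198.51.100.7", "10.0.0.4", 80, "webdav-overrun"),
    ("198.51.100.7", "10.0.0.1", 80, "webdav-overrun"),  # repeat to an already-kept dst
    # Hypothetical multi-vector source: a different exploit for every destination.
    ("203.0.113.9", "10.0.0.1", 445, "exploit-A"),
    ("203.0.113.9", "10.0.0.2", 445, "exploit-B"),
    ("203.0.113.9", "10.0.0.3", 445, "exploit-C"),
    ("203.0.113.9", "10.0.0.4", 445, "exploit-D"),
]


def source_destination_filter(records, n=2):
    """Keep, per (src, dport), every connection to the first n distinct destinations
    and drop connections to any further destination. The assumption built in is
    that a source does the same thing to every destination, so later destinations
    add nothing new."""
    admitted_dsts = defaultdict(list)  # (src, dport) -> destinations admitted so far
    kept = []
    for rec in records:
        src, dst, dport, _activity = rec
        admitted = admitted_dsts[(src, dport)]
        if dst not in admitted:
            if len(admitted) >= n:
                continue  # budget exhausted for this source/port: drop the record
            admitted.append(dst)
        kept.append(rec)
    return kept


def activities_per_source(records):
    """Distinct activity labels observed for each source."""
    seen = defaultdict(set)
    for src, _dst, _dport, activity in records:
        seen[src].add(activity)
    return {src: sorted(acts) for src, acts in seen.items()}


def reduction(records, n=2):
    """Fraction of records the filter removes."""
    return 1 - len(source_destination_filter(records, n)) / len(records)


if __name__ == "__main__":
    filtered = source_destination_filter(RECORDS)
    print(f"kept {len(filtered)} of {len(RECORDS)} records")
    print("before:", activities_per_source(RECORDS))
    print("after: ", activities_per_source(filtered))
```

With N = 2 the filter drops 4 of the 9 constructed records, which is the volume reduction that makes interacting with the traffic affordable; the cost is that exploit-C and exploit-D from the multi-vector source never reach a responder, so that source is recorded as doing only two things.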