Classifying Internet One-way Traffic
Transcript
Classifying Internet One-way Traffic
Eduard Glatz, Xenofontas Dimitropoulos
ETH Zurich
May 15, 2012
Overview
- Classification scheme for dissecting one-way traffic that relies solely on flow-level data
- Observations on one-way traffic based on a massive dataset of 457 billion flows
- Show how one-way flows are useful for service availability monitoring
Preliminaries
- Study incoming one-way traffic at the network level: connections that do not receive a reply.
- Example causes of one-way traffic:
  - Failures & policies
  - Attacks
  - Special application behavior
- Sampling and asymmetric routing can result in artificial one-way traffic
- One-way traffic can be measured in edge networks
Classification Scheme
- Associate each one-way flow with a number of signs
- Introduce 18 signs, exploiting in 4 cases techniques from the literature
- Classify flows based on their signs
- Classes:
  - Unreachable services
  - P2P applications
  - Scanning
  - Backscatter
  - Suspected benign
  - Bogon
Signs: Host pair behavior
[Figure, panels a) to d): Mixture of incoming one- and two-way flows exchanged between a host pair. Hosts are represented by nodes and the presence of inflow/outflow/biflows by arrows.]
- End-hosts-communicating: One-way flow between productive host pair
- Limited dialog: One-way flows between unproductive host pair
Signs: Local host behavior
- Unused local address: Unpopulated local IP address
- Service unreachable: Unanswered request to local service
- Peer-to-peer [1]: Flow towards local P2P host

[1] W. John and S. Tafvelin. Heuristics to classify internet backbone traffic based on connection patterns. International Conference on Information Networking (ICOIN), 2008.
Signs: Remote host behavior
- Service sole reply: no biflow on srcIP ∧ dstPort ≥ 1024 ∧ srcPort < 1024
- Remote scanner 1 [2]: TRW algorithm (suspected scanner)
- Remote scanner 2 [3]: Host classification (suspected scanner)
- Remote non-scanner: TRW algorithm (suspected regular host)

[2] J. Jung, V. Paxson, A. Berger, and H. Balakrishnan. Fast portscan detection using sequential hypothesis testing. In Proceedings of the IEEE Symposium on Security and Privacy, 2004.
[3] M. Allman, V. Paxson, and J. Terrell. A brief history of scanning. In Proceedings of the 7th ACM SIGCOMM IMC, 2007.
Signs: Flow feature
- Artifact: UDP/TCP flow with both port numbers = 0
- Single packet: Flow contains one packet only
- Large flow: Flow carries ≥ 10 packets or ≥ 10240 bytes
- Bogon: Source IP belongs to bogon space
- Protocol: IP protocol type of flow
Signs
| Sign Type            | Sign Name               | Detection Criterion/Algorithm                            |
|----------------------|-------------------------|----------------------------------------------------------|
| Host pair behavior   | End-hosts-communicating | One-way flow between productive host pair                |
| Host pair behavior   | Limited dialog          | One-way flows between unproductive host pair             |
| Remote host behavior | Service sole reply      | no biflow on srcIP ∧ dstPort ≥ 1024 ∧ srcPort < 1024     |
| Remote host behavior | Remote scanner 1        | TRW algorithm (suspected scanner)                        |
| Remote host behavior | Remote scanner 2        | Host classification (suspected scanner)                  |
| Remote host behavior | Remote non-scanner      | TRW algorithm (suspected regular host)                   |
| Local host behavior  | Unused local address    | Unpopulated local IP address                             |
| Local host behavior  | Service unreachable     | Unanswered request to local service                      |
| Local host behavior  | Peer-to-peer            | Flow towards local P2P host                              |
| Flow feature         | Artifact                | UDP/TCP flow with both port numbers = 0                  |
| Flow feature         | Single packet           | Flow contains one packet only                            |
| Flow feature         | Large flow              | Flow carries ≥ 10 packets or ≥ 10240 bytes               |
| Flow feature         | Bogon                   | Source IP belongs to bogon space                         |
| Flow feature         | Protocol                | IP protocol type of flow                                 |
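The sign table above, worked as an added example that is not code from the slides or the authors: a small Python classifier that derives the host-pair, service-sole-reply and flow-feature signs from a set of unidirectional flow records. Assumptions are mine: the record layout, the reading of "productive host pair" as a pair with at least one biflow, and the illustrative bogon prefixes; signs that need state beyond the flow records (unused local address, service unreachable, TRW, P2P host classification) are left out.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network
# NetFlow-style unidirectional record (constructed layout; field names are assumptions).
Flow = namedtuple("Flow", "src dst sport dport proto pkts bytes")
# Illustrative subset of bogon space (assumption; a deployment would load a full bogon list).
BOGONS = [ip_network(n) for n in ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "192.168.0.0/16")]

def is_one_way(flow, flows):
    """A flow is one-way when no record with the swapped 5-tuple exists (no reply seen)."""
    return not any(f.src == flow.dst and f.dst == flow.src and f.sport == flow.dport
                   and f.dport == flow.sport and f.proto == flow.proto for f in flows)

def pair_productive(flow, flows):
    """Assumption: a host pair is productive if at least one biflow exists between the hosts."""
    pair = {flow.src, flow.dst}
    return any({f.src, f.dst} == pair and not is_one_way(f, flows) for f in flows)

def remote_has_biflow(flow, flows):
    """True if the remote source IP has any two-way flow with the monitored network."""
    return any(f.src == flow.src and not is_one_way(f, flows) for f in flows)

def signs(flow, flows):
    """Signs from the table that can be derived from the flow records alone."""
    s = set()
    if not is_one_way(flow, flows):
        return s                       # only incoming one-way flows get classified
    s.add("end-hosts-communicating" if pair_productive(flow, flows) else "limited-dialog")
    if not remote_has_biflow(flow, flows) and flow.dport >= 1024 and flow.sport < 1024:
        s.add("service-sole-reply")    # looks like a service reply, but nothing was asked
    if flow.proto in ("tcp", "udp") and flow.sport == 0 and flow.dport == 0:
        s.add("artifact")
    if flow.pkts == 1:
        s.add("single-packet")
    if flow.pkts >= 10 or flow.bytes >= 10240:
        s.add("large-flow")
    if any(ip_address(flow.src) in net for net in BOGONS):
        s.add("bogon")
    s.add("proto:" + flow.proto)
    return s

# Constructed sample: local network 192.0.2.0/24, remote hosts in 198.51.100.0/24 and 203.0.113.0/24.
SAMPLE = [
    Flow("198.51.100.5", "192.0.2.10", 40001, 80, "tcp", 12, 1500),   # two-way web session ...
    Flow("192.0.2.10", "198.51.100.5", 80, 40001, "tcp", 10, 20000),  # ... and its reply direction
    Flow("198.51.100.5", "192.0.2.10", 40002, 8080, "tcp", 1, 60),    # unanswered probe, productive pair
    Flow("203.0.113.7", "192.0.2.200", 51000, 22, "tcp", 1, 60),      # lone SYN to an unpopulated address
    Flow("203.0.113.9", "192.0.2.50", 80, 33000, "tcp", 1, 40),       # unsolicited packet from port 80
    Flow("10.1.2.3", "192.0.2.60", 0, 0, "udp", 1, 64),               # bogon source, both ports zero
]
def classify_sample():
    return [sorted(signs(f, SAMPLE)) for f in SAMPLE]
```

Two-way flows in the sample get no signs at all, which is the filtering step the slides describe before classification.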