Page 1: Characteristics of Internet Background Radiation

Characteristics of Internet Background Radiation

ACM Internet Measurement Conference (IMC), 2004

Authors: Ruoming Pang, Vinod Yegneswaran, Paul Barford, Vern Paxson, Larry Peterson

Presenter: Tai Do

CDA6938, UCF, Spring 2007

Page 2

Introduction

• Background radiation:
– Traffic sent to unused addresses.
– Nonproductive traffic, either malicious in origin (backscatter from spoofed flooding attacks, hostile scans, spam) or benign (misconfigurations).
– Pervasive nature (hence "background").

Page 3

Backscatter

(Figure: a flooding attack that spoofs random source addresses elicits replies from the victim, such as SYN/ACKs, RSTs and ICMP errors, toward those spoofed addresses; the replies that land in unused address space are observed as backscatter.)

Source: [MVS01]

Page 4

Introduction

• Goals of characterization:
– What is all this nonproductive traffic trying to do?
– How can we filter it out in order to detect new types of malicious activity?

Page 5

Outline

• Introduction
• Measurement Methodology
– Filtering
– Responders
– Experimental Setup
• Data Analysis
• Concluding Remarks

Page 6

Measurement Methodology (Filtering)

• Enormous volume of data:
– About 30,000 packets/sec of background radiation on a Class A (/8) network.
• Source-destination filtering:
– Assumption: a background radiation source behaves the same way toward every monitored IP address, so a sample of its destinations is representative of all of them.
– For each source, keep only the connections to the first N destination addresses it contacts; drop its connections to any further destination.
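The source-destination filter described above, as an added example that is not part of the slides or of the paper's iSink/LBL Sink software. It runs the filter over a constructed stream of probe records (addresses from the 10.0.0.0/8 and 192.0.2.0/24 example ranges; the activity labels are assumed to have been assigned by a responder), then measures what the filter loses for a source that violates the "same behaviour toward every destination" assumption, which is the bias the filter carries by design:

```python
from collections import defaultdict

# Constructed packet records (not data from the paper): each is one probe from
# a source to a destination, labelled with the activity it carried.
# 10.0.0.1 is a single-vector scanner hitting ten addresses with one exploit;
# 10.0.0.2 is a multi-vector source that picks a different exploit per target.
SAMPLE_PACKETS = [
    {"src": "10.0.0.1", "dst": f"192.0.2.{i}", "activity": "webdav"}
    for i in range(1, 11)
] + [
    {"src": "10.0.0.2", "dst": "192.0.2.1", "activity": "webdav"},
    {"src": "10.0.0.2", "dst": "192.0.2.2", "activity": "dcerpc"},
    {"src": "10.0.0.2", "dst": "192.0.2.3", "activity": "smb"},
    {"src": "10.0.0.2", "dst": "192.0.2.4", "activity": "dameware"},
    {"src": "10.0.0.2", "dst": "192.0.2.1", "activity": "webdav"},  # revisits an admitted dst
]


def source_destination_filter(packets, n):
    """Source-destination filtering: for each source keep only packets to the
    first n destination addresses it is seen contacting. Later packets to those
    same n destinations are kept too; packets to any further destination are
    dropped. Returns (kept_packets, dropped_count)."""
    admitted = defaultdict(set)   # src -> destinations admitted so far
    kept, dropped = [], 0
    for pkt in packets:
        dsts = admitted[pkt["src"]]
        if pkt["dst"] not in dsts:
            if len(dsts) >= n:
                dropped += 1
                continue
            dsts.add(pkt["dst"])
        kept.append(pkt)
    return kept, dropped


def activities_by_source(packets):
    """Sorted list of activity labels each source exhibited."""
    seen = defaultdict(set)
    for pkt in packets:
        seen[pkt["src"]].add(pkt["activity"])
    return {src: sorted(acts) for src, acts in seen.items()}


def filter_bias(packets, n):
    """Activities per source that the filter loses: the unfiltered view minus
    what survives filtering. Non-empty entries are exactly the sources that do
    not behave the same way toward every destination."""
    before = activities_by_source(packets)
    after = activities_by_source(source_destination_filter(packets, n)[0])
    return {src: sorted(set(acts) - set(after.get(src, []))) for src, acts in before.items()}


if __name__ == "__main__":
    kept, dropped = source_destination_filter(SAMPLE_PACKETS, n=2)
    print(f"kept {len(kept)} packets, dropped {dropped}")
    print("activities lost per source:", filter_bias(SAMPLE_PACKETS, n=2))
```

With N=2 the single-vector scanner loses nothing but volume, while the multi-vector source's third and fourth exploits never reach the responders; raising N buys back coverage at the cost of the packet rate the sink has to handle.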

Page 7

Measurement Methodology (Filtering)

(figure only)

Page 8

Measurement Methodology (Filtering)

(figure only)
Page 9

Measurement Methodology (Active Responders)

• Why active responders?
– Elicit further activity from scanners (a SYN alone rarely reveals intent).
– Differentiate between types of background radiation.
• Stateless responder: based on Active Sink (used by iSink).
• Stateful responder: based on Honeyd (used by the LBL Sink).

Page 10

Measurement Methodology (Application-Level Responders)

• Data-driven:
– Which responders to build is decided by the observed traffic volumes per port.
• Application-level responders:
– Must not only follow the structure of the underlying protocol but also know what to say, i.e., give the reply that makes the source proceed to its next step.
• New types of activity emerge over time, so responders also need to evolve.
• To what degree can the development of responders be automated?

Page 11

Measurement Methodology (Application-Level Responders)

• Responders developed for:
– HTTP (port 80)
– NetBIOS (ports 137/139)
– CIFS/SMB (ports 139/445)
– DCE/RPC (ports 135/1025 and CIFS named pipes)
– Dameware (port 6129)
– Backdoors installed by MyDoom (port 3127) and Beagle (port 2745)

Page 12

Measurement Methodology (Experimental Setup)

• Two different systems: iSink and the LBL Sink.
• Traces collected from three sites:
– Class A network (large)
– UW campus (medium)
– Lawrence Berkeley Lab (LBL) (small)
• Same forms of application response, different underlying mechanisms.
• Support two kinds of data analysis:
– Passive analysis: no filter, no responder.
– Active analysis: with filter and responders.

Page 13

Experimental Setup: iSink (figure only)

Page 14

Experimental Setup: LBL Sink (figure only)

Page 15

Outline

• Introduction
• Measurement Methodology
• Data Analysis
– Passive Analysis
– Active Analysis
• Activities in Background Radiation
• Characteristics of Sources
• Concluding Remarks

Page 16

Passive Measurement: Traffic Composition

• What is the type and volume of the observed traffic when no packet is responded to?
• Findings:
– TCP dominates in all three networks (compared to ICMP and UDP).
– TCP SYN packets constitute a significant portion of the background radiation traffic.
– A small number of ports are the targets of the majority of TCP SYN packets.

Page 17

Activities in Background Radiation

• Study the dominant activities on the popular ports.
• Traffic is divided by port:
– All connections between a source-destination pair on a given destination port are considered together as one unit of activity.
• Background radiation concentrates on a small number of ports:
– Only the most popular ports are examined.
– Many popular ports are also used by normal traffic, so activities are distinguished at the application-semantic level (what the connection tries to do), not by port number alone.
• Twelve ports are investigated.

Page 18

TCP Port 80 (HTTP)

• Targeted against Microsoft IIS servers.
• The dominant activity is a WebDAV buffer-overrun exploit.
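An application-level HTTP responder in the spirit of the port-80 responder described under the measurement methodology, as an added example that is not the paper's or iSink's code. It parses the request, classifies it, and answers with the reply that keeps the source talking, advertising DAV support in response to an OPTIONS probe so that a WebDAV scanner sends its payload next. The long-URI threshold, the cmd.exe/traversal markers and the IIS 5.0 banner it advertises are assumptions for this example, not values from the paper; the sample requests are constructed, not captured traffic:

```python
from typing import Dict, Optional, Tuple

# Assumed parameters for this example (not taken from the paper's responders).
IIS_BANNER = b"Microsoft-IIS/5.0"
WEBDAV_METHODS = {"SEARCH", "PROPFIND", "PROPPATCH", "LOCK", "UNLOCK", "MKCOL"}
LONG_URI = 1024                      # no real client sends a request-target this long
CMD_EXE_MARKERS = ("cmd.exe", "root.exe", "..%", "..\\", "../")


def parse_request(raw: bytes) -> Optional[Tuple[str, str, Dict[str, str]]]:
    """Parse an HTTP request head into (method, target, headers); None when the
    bytes are not an HTTP request at all (e.g. a TLS hello sent to port 80)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    method = parts[0].decode("ascii", "replace")
    target = parts[1].decode("latin-1")      # keep every byte of odd/long URIs
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return method, target, headers


def classify(method: str, target: str) -> str:
    """Map one request to the activity it most likely represents."""
    if method in WEBDAV_METHODS and len(target) >= LONG_URI:
        return "webdav-overflow"     # long-URI buffer-overrun attempt
    if method == "OPTIONS":
        return "webdav-probe"        # asking whether DAV is enabled
    if method in WEBDAV_METHODS:
        return "webdav-request"
    lowered = target.lower()
    if any(marker in lowered for marker in CMD_EXE_MARKERS):
        return "cmd-exe-probe"       # classic IIS traversal / cmd.exe probe
    return "generic-" + method.lower()


def respond(raw: bytes) -> Tuple[str, bytes]:
    """Label the request and craft the reply an IIS-looking host would give,
    so that the source proceeds to its next step and reveals its intent."""
    parsed = parse_request(raw)
    if parsed is None:
        return "malformed", (b"HTTP/1.1 400 Bad Request\r\nServer: " + IIS_BANNER +
                             b"\r\nContent-Length: 0\r\n\r\n")
    method, target, _headers = parsed
    label = classify(method, target)
    extra = b""
    if label == "webdav-probe":
        # Claim DAV support: a WebDAV scanner that sees this sends its exploit next.
        extra = b"DAV: 1, 2\r\nAllow: OPTIONS, GET, HEAD, PROPFIND, SEARCH, LOCK, UNLOCK\r\n"
    body = b"<html><body>ok</body></html>"
    reply = (b"HTTP/1.1 200 OK\r\nServer: " + IIS_BANNER + b"\r\n" + extra +
             b"Content-Type: text/html\r\nContent-Length: " + str(len(body)).encode() +
             b"\r\n\r\n" + body)
    return label, reply


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = {
    "options": b"OPTIONS / HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",
    "search_long": b"SEARCH /" + b"A" * 2048 + b" HTTP/1.1\r\nHost: 192.0.2.10\r\nContent-Length: 0\r\n\r\n",
    "root_exe": b"GET /scripts/root.exe?/c+dir HTTP/1.0\r\n\r\n",
    "plain_get": b"GET / HTTP/1.0\r\nHost: 192.0.2.10\r\n\r\n",
    "not_http": b"\x16\x03\x01\x00\x2fnoise",
}

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        label, reply = respond(req)
        status_line = reply.split(b"\r\n", 1)[0].decode()
        print(f"{name:12s} -> {label:16s} {status_line}")
```

The classification is deliberately coarse: the responder's job is to keep the conversation going and record the payload, and the labels are refined afterwards from the captured exchanges, which is also why a responder built this way has to be revised as new activity shows up.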

Page 19

TCP Port 80 (HTTP): Port 80 Activities (table only)

Page 20

Characteristics of Sources

• Study the background radiation activities coming from the same source IP (its activity vector).
• Activity vector in three dimensions:
– Across ports
– Across destination networks
– Over time
• Caveat:
– DHCP: a host might be assigned different addresses over time, so a source IP is not a reliable host identity.

Page 21

Sources Across Ports

Activities across ports may give a better picture of a source's goals.

Agobot sources: UW 1 (figure only)

Page 22

Sources Across Ports

• The top two exploits are extensively observed across all four monitored networks (three sites; the UW campus contributes two separately monitored address blocks).

Page 23

Sources Seen Over Time

• Witty sources did not persist over a month: the worm deliberately damages its host (it corrupts the host's disk), so infected machines drop out.
• Blaster's grip on hosts is quite tenacious: its sources keep showing up over the whole period.
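Building the per-source activity vector along the three dimensions named on the Characteristics of Sources slide (ports, destination networks, time) from a constructed set of connection summaries, as an added example that is not from the paper. The source addresses (198.51.100.0/24), the network labels and the day numbers are made up; the persistence check is what separates a short-lived source from a tenacious one, and the cross-port view is what the slides use to read a source's goals:

```python
from collections import defaultdict

# Constructed connection summaries (not data from the paper): one record per
# (source, destination network, destination port, day) that carried the named
# activity, as an active responder would have labelled it.
SAMPLE_RECORDS = [
    # src,            dst net, dport, day, activity
    ("198.51.100.5",  "UW",     135,   1,  "dcerpc"),
    ("198.51.100.5",  "UW",      80,   1,  "webdav"),
    ("198.51.100.5",  "LBL",    135,   2,  "dcerpc"),
    ("198.51.100.5",  "UW",     135,   3,  "dcerpc"),
    ("198.51.100.7",  "LBL",    445,   1,  "smb"),             # seen on one day only
    ("198.51.100.9",  "UW",    3127,   1,  "mydoom-backdoor"),
    ("198.51.100.9",  "LBL",   3127,  15,  "mydoom-backdoor"),
]


def activity_vectors(records):
    """Per-source activity vector: (port, activity) pairs, destination networks
    and days on which the source was seen. The key is the source IP, which
    (DHCP caveat) need not correspond to one host over the whole period."""
    vec = defaultdict(lambda: {"ports": set(), "nets": set(), "days": set()})
    for src, net, dport, day, activity in records:
        vec[src]["ports"].add((dport, activity))
        vec[src]["nets"].add(net)
        vec[src]["days"].add(day)
    return {src: {dim: sorted(vals) for dim, vals in v.items()} for src, v in vec.items()}


def persistent_sources(records, min_days):
    """Sources seen on at least min_days distinct days."""
    return sorted(src for src, v in activity_vectors(records).items()
                  if len(v["days"]) >= min_days)


def multi_port_sources(records):
    """Sources whose activity spans more than one destination port."""
    return sorted(src for src, v in activity_vectors(records).items()
                  if len({port for port, _ in v["ports"]}) > 1)


def cross_network_sources(records):
    """Sources that touched more than one monitored destination network."""
    return sorted(src for src, v in activity_vectors(records).items()
                  if len(v["nets"]) > 1)


if __name__ == "__main__":
    for src, v in activity_vectors(SAMPLE_RECORDS).items():
        print(src, v)
    print("persistent (>=2 days):", persistent_sources(SAMPLE_RECORDS, 2))
    print("multi-port:", multi_port_sources(SAMPLE_RECORDS))
    print("cross-network:", cross_network_sources(SAMPLE_RECORDS))
```

On real data the same grouping is done over millions of records, and the "days" dimension is where the DHCP caveat bites: a source that appears on day 1 and day 15 may be two different hosts that happened to receive the same lease.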

Page 24

Outline

• Introduction
• Measurement Methodology
• Data Analysis
• Concluding Remarks

Page 25

Strengths of the paper

• First attempt to characterize background radiation.
• Good measurement methodology:
– Effective filtering technique.
– Detailed set of active responders for the popular ports.
• Meaningful data analysis:
– Passive analysis: activities concentrate on a few popular ports.
– Active analysis: extreme dynamism in many aspects of background radiation.

Page 26

Limitations of the paper

• The filtering could be biased:
– It assumes a source directs the same kind of activity at every destination IP address.
– It therefore fails to capture multi-vector worms that pick one exploit per IP address: only the exploits used against the first N destinations are seen.
• The DHCP problem makes the source IP address less accurate as a source identity.
• To what extent can the development of application-level responders be automated?

Page 27

Thank you.

Questions?

Page 28

References

• [Barford2004] Paul Barford. Trends in Internet Measurement. Slides, University of Wisconsin, Fall 2004.
• [MVS01] David Moore, Geoffrey M. Voelker, and Stefan Savage. Inferring Internet Denial-of-Service Activity. In Proceedings of the 10th USENIX Security Symposium, pages 9-22. USENIX, August 2001.

Page 29

Some jargon

• Named pipe: supports inter-process communication; FIFO semantics; system-persistent.
• CIFS: Common Internet File System (the SMB dialect spoken by Windows file sharing).
• DCE/RPC: Distributed Computing Environment / Remote Procedure Call.
• SAMR: Security Account Manager Remote service (a DCE/RPC interface).
• srvsvc: server service (a DCE/RPC interface).
• msmsgri32.exe: ???
• SMB: Server Message Block.
• Autorooter: similar to a worm, but without self-propagation (an attacker-driven scan-and-exploit tool).