Article

Toward understanding distributed blackhole placement

Authors:

Michael Bailey,

Farnam Jahanian,

Danny McPhersonAuthors Info & Claims

WORM '04: Proceedings of the 2004 ACM workshop on Rapid malcode

Pages 54 - 64

https://doi.org/10.1145/1029618.1029627

Published: 29 October 2004 Publication History

Abstract

The monitoring of unused Internet address space has been shown to be an effective method for characterizing Internet threats including Internet worms and DDOS attacks. Because there are no legitimate hosts in an unused address block, traffic must be the result of misconfiguration, backscatter from spoofed source addresses, or scanning from worms and other probing. This paper extends previous work characterizing traffic seen at specific unused address blocks by examining differences observed between these blocks. While past research has attempted to extrapolate the results from a small number of blocks to represent global Internet traffic, we present evidence that distributed address blocks observe dramatically different traffic patterns. This work uses a network of blackhole sensors which are part of the Internet Motion Sensor (IMS) collection infrastructure. These sensors are deployed in networks belonging to service providers, large enterprises, and academic institutions representing a diverse sample of the IPv4 address space. We demonstrate differences in traffic observed along three dimensions: over all protocols and services, over a specific protocol and service, and over a particular worm signature. This evidence is then combined with additional experimentation to build a list of sensor properties providing plausible explanations for these differences. Using these properties, we conclude with recommendations for the understanding the implications of sensor placement.

References

[1]

CERT. CERT Advisory CA-2001-26 Nimda Worm. http://www.cert.org/advisories/CA-2001-26.html, September 2001.

[2]

CERT. Code Red II: Another worm exploiting buffer overflow in IIS indexing service DLL. http://www.cert.org/incident_notes/IN-2001-09.html, August 2001.

[3]

CERT. CERT Advisory CA-2003-20 W32/Blaster worm. http://www.cert.org/advisories/CA-2003-20.html, August 2003.

[4]

CERT. CERT advisory CA-2003-20 W32/Blaster worm. http://www.cert.org/advisories/CA-2003-20.html, August 2003.

[5]

Cisco Systems. Net Flow services and applications, 1999.

[6]

Evan Cooke, Michael Bailey, David Watson, Farnam Jahanian, and Jose Nazario. The Internet motion sensor: A distributed global scoped Internet threat monitoring system. Technical Report CSE-TR-491-04, University of Michigan, Electrical Engineering and Computer Science, July 2004.

[7]

Dan Golding. Peering Evolution. Nanog Presentation, October 2002.

[8]

Craig Labovitz, Abha Ahuja, and Michael Bailey. Shining Light on Dark Address Space. http://www.arbornetworks.com/downloads/research38/dark_address_space.pdf, November 2001.

[9]

Zhuoqing Morley Mao, Ramesh Govindan, George Varghese, and Randy Katz. Route Flap Damping Exacerbates Internet Routing Convergence. In Proc of ACM SIGCOMM, 2002.

Digital Library

[10]

Microsoft Corporation. What you should know about the Sasser worm and its variants. http://www.microsoft.com/security/incident/sasser.mspx, May 2004.

[11]

David Moore. Network telescopes: Observing small or distant security events. In 11th USENIX Security Symposium, Invited talk, San Francisco, CA, August 5--9 2002. Unpublished.

[12]

David Moore, Vern Paxson, Stefan Savage, Colleen Shannon, Stuart Staniford, and Nicholas Weaver. Inside the slammer worm. IEEE Security & Privacy, 1(4):33--39, 2003.

Digital Library

[13]

David Moore, Colleen Shannon, Geoffrey M. Voelker, and Stefan Savage. Network Telescopes: Technical Report. Technical report, Cooperative Association for Internet Data Analysis - CAIDA, 2004.

[14]

David Moore, Geoffrey M. Voelker, and Stefan Savage. Inferring Internet denial-of-service activity. In Proceedings of the Tenth USENIX Security Symposium, pages 9--22, Washington, D.C., August 13--17 2001. USENIX.

Digital Library

[15]

Chris Morrow and Brian Gemberling. How to Allow your Customers to blackhole their own traffic. http://www.secsup.org/CustomerBlackHole/.

[16]

R. Pang, V. Yegneswaran, P. Barford, V. Paxson, and L. Peterson. Characteristics of Internet Background Radiation. Available at http://www.cs.princeton.edu/nsg/papers/telescope.pdf.

[17]

Vern Paxson. Bro: A System for Detecting Network Intruders in Real-Time. Computer Networks, 31(23-24):2435--2463, 1999.

Digital Library

[18]

Niels Provos. Honeyd ---A virtual honeypot daemon. In 10th DFN-CERT Workshop, Hamburg, Germany, February 2003.

[19]

M. Roesch. Snort: Lightweight intrusion detection for networks. In Proc. 13th Systems Administration Conference (LISA), pages 229--238, 1999.

Digital Library

[20]

SANS Institute. Internet storm center. http://isc.incidents.org/, June 2004.

[21]

Colleen Shannon and David Moore. The spread of the Witty worm. http://www.caida.org/analysis/secuirty/witty/, June 2004.

[22]

Dug Song, Rob Malan, and Robert Stone. A snapshot of global Internet worm activity. Technical report, Arbor Networks, 2001.

[23]

Lance Spitzner. Honeypots: Tracking Hackers. Addison-Wesley, 2002.

Digital Library

[24]

Lance Spitzner et al. The honeynet project. http://project.honeynet.org/, June 2004.

[25]

Robert Stone. CenterTrack: An IP overlay network for tracking DoS floods. In USENIX, editor, Proceedings of the 9th USENIX Security Symposium, pages 199--212, Berkeley, CA, USA, August 14--17 2000. The USENIX Association.

Digital Library

[26]

Symantec Corp. Linux.Slapper.Worm. http://securityresponse.symantec.com/avcenter/venc/data/linux.slapper.worm.html.

[27]

Team CYMRU. The darknet project. http://www.cymru.com/Darknet/index.html, June 2004.

[28]

University of Oregon.RouteViews project. http://www.routeviews.org/.

[29]

Nicholas Weaver, Vern Paxson, Stuart Staniford, and Robert Cunningham. A taxonomy of computer worms. In Proceedings of the 2003 ACM workshop on Rapid Malcode, pages 11--18. ACM Press, 2003.

Digital Library

[30]

Vinod Yegneswaran, Paul Barford, and Somesh Jha. Global intrusion detection in the DOMINO overlay system. In Proceedings of Network and Distributed System Security Symposium ( NDSS '04), San Diego, CA, February 2004.

[31]

Vinod Yegneswaran, Paul Barford, and Dave Plonka. On the design and use of Internet sinks for network abuse monitoring. Technical Report 1497, University of Wisconsin, Computer Science Department, 2004.

[32]

Cliff C. Zou, Don Towsley, Weibo Gong, and Songlin Cai. Routing Worm: A Fast, Selective Attack Worm based on IP Address Information. UMass ECE Technical Report TR-03-CSE-06, November 2003.

Cited By

Wagner DRanadive SGriffioen HKallitsis MDainotti ASmaragdakis GFeldmann AMontpetit MLeivadeas AUhlig SJaved M(2023)How to Operate a Meta-Telescope in your Spare TimeProceedings of the 2023 ACM on Internet Measurement Conference10.1145/3618257.3624831(328-343)Online publication date: 24-Oct-2023
https://dl.acm.org/doi/10.1145/3618257.3624831
Gong QGu C(2021)A Baseline Modeling Algorithm for Internet Port Scanning Radiation Flows2021 IEEE 6th International Conference on Signal and Image Processing (ICSIP)10.1109/ICSIP52628.2021.9688791(1255-1259)Online publication date: 22-Oct-2021
https://doi.org/10.1109/ICSIP52628.2021.9688791
Nishijima KKondo THosokawa TShigemoto TKawaguchi NHasegawa HHonda HSuzuki YKaji TNakamura O(2021)Verification of the Effectiveness to Monitor Darknet across Multiple Organizations2021 Ninth International Symposium on Computing and Networking Workshops (CANDARW)10.1109/CANDARW53999.2021.00065(346-351)Online publication date: Nov-2021
https://doi.org/10.1109/CANDARW53999.2021.00065
Show More Cited By

Index Terms

Toward understanding distributed blackhole placement
1. Security and privacy
  1. Intrusion/anomaly detection and malware mitigation
  2. Systems security
    1. Operating systems security

Recommendations

On the development of an internetwork-centric defense for scanning worms

Studies of worm outbreaks have found that the speed of worm propagation makes manual intervention ineffective. Consequently, many automated containment mechanisms have been proposed to contain worm outbreaks before they grow out of control. These ...
Internet-scale malware mitigation: combining intelligence of the control and data plane
WORM '06: Proceedings of the 4th ACM workshop on Recurring malcode

Security on the Internet today is treated mostly as a data plane problem. IDS's, firewalls, and spam filters all operate on the simple principle of detecting malicious data plane behavior and erecting data plane filters. In this paper we explore how ...
A monitoring system for detecting repeated packets with applications to computer worms
Abstract
We present a monitoring system which detects repeated packets in network traffic, and has applications including detecting computer worms. It uses Bloom filters with counters. The system analyzes traffic in routers of a network. Our preliminary ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

WORM '04: Proceedings of the 2004 ACM workshop on Rapid malcode

October 2004

100 pages

ISBN:1581139705

DOI:10.1145/1029618

Program Chair:
Vern Paxson
International Computer Science Institute & Lawrence Berkeley National Laboratory

Copyright © 2004 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 29 October 2004

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Article

Conference

CCS04

Sponsor:

CCS04: 11th ACM Conference on Computer and Communications Security 2004

October 29, 2004

Washington DC, USA

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

69
Total Citations
View Citations
416
Total Downloads

Downloads (Last 12 months)4
Downloads (Last 6 weeks)2

Reflects downloads up to 14 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Wagner DRanadive SGriffioen HKallitsis MDainotti ASmaragdakis GFeldmann AMontpetit MLeivadeas AUhlig SJaved M(2023)How to Operate a Meta-Telescope in your Spare TimeProceedings of the 2023 ACM on Internet Measurement Conference10.1145/3618257.3624831(328-343)Online publication date: 24-Oct-2023
https://dl.acm.org/doi/10.1145/3618257.3624831
Gong QGu C(2021)A Baseline Modeling Algorithm for Internet Port Scanning Radiation Flows2021 IEEE 6th International Conference on Signal and Image Processing (ICSIP)10.1109/ICSIP52628.2021.9688791(1255-1259)Online publication date: 22-Oct-2021
https://doi.org/10.1109/ICSIP52628.2021.9688791
Nishijima KKondo THosokawa TShigemoto TKawaguchi NHasegawa HHonda HSuzuki YKaji TNakamura O(2021)Verification of the Effectiveness to Monitor Darknet across Multiple Organizations2021 Ninth International Symposium on Computing and Networking Workshops (CANDARW)10.1109/CANDARW53999.2021.00065(346-351)Online publication date: Nov-2021
https://doi.org/10.1109/CANDARW53999.2021.00065
Liu CLiu QHao SBao CLi X(2021)IPv6-Darknet Network Traffic DetectionArtificial Intelligence and Security10.1007/978-3-030-78612-0_19(231-241)Online publication date: 9-Jul-2021
https://doi.org/10.1007/978-3-030-78612-0_19
Chindipha SIrwin BHerbert Ade Villiers CSmuts H(2019)Quantifying the Accuracy of Small Subnet-Equivalent Sampling of IPv4 Internet Background Radiation DatasetsProceedings of the South African Institute of Computer Scientists and Information Technologists 201910.1145/3351108.3351129(1-8)Online publication date: 17-Sep-2019
https://dl.acm.org/doi/10.1145/3351108.3351129
Soro FDrago ITrevisan MMellia MCeron JJ. Santanna J(2019)Are Darknets All The Same? On Darknet Visibility for Security Monitoring2019 IEEE International Symposium on Local and Metropolitan Area Networks (LANMAN)10.1109/LANMAN.2019.8847113(1-6)Online publication date: Jul-2019
https://doi.org/10.1109/LANMAN.2019.8847113
AlShehyari SYeun CDamiani E(2017)Monitoring darknet activities by using network telescope2017 12th International Conference for Internet Technology and Secured Transactions (ICITST)10.23919/ICITST.2017.8356360(123-128)Online publication date: Dec-2017
https://doi.org/10.23919/ICITST.2017.8356360
Feng YHori YSakurai K(2017)A Behavior-Based Online Engine for Detecting Distributed Cyber-AttacksInformation Security Applications10.1007/978-3-319-56549-1_7(79-89)Online publication date: 30-Mar-2017
https://doi.org/10.1007/978-3-319-56549-1_7
Fachkha CDebbabi M(2016)Darknet as a Source of Cyber Intelligence: Survey, Taxonomy, and CharacterizationIEEE Communications Surveys & Tutorials10.1109/COMST.2015.249769018:2(1197-1227)Online publication date: Oct-2017
https://doi.org/10.1109/COMST.2015.2497690
Gadhia FChoi JCho BSong J(2015)Comparative analysis of darknet traffic characteristics between darknet sensors2015 17th International Conference on Advanced Communication Technology (ICACT)10.1109/ICACT.2015.7224757(59-64)Online publication date: Jul-2015
https://doi.org/10.1109/ICACT.2015.7224757
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents