Characteristics of internet background radiation

Ruoming Pang, Paul Barford, Vinod Yegneswaran, Vern Paxson, Larry Lee Peterson

Research output: Chapter in Book/Report/Conference proceeding; Conference contribution

207 Citations (Scopus)

Abstract

Monitoring any portion of the Internet address space reveals incessant activity. This holds even when monitoring traffic sent to unused addresses, which we term "background radiation." Background radiation reflects fundamentally nonproductive traffic, either malicious (flooding backscatter, scans for vulnerabilities, worms) or benign (misconfigurations). While the general presence of background radiation is well known to the network operator community, its nature has yet to be broadly characterized. We develop such a characterization based on data collected from four unused networks in the Internet. Two key elements of our methodology are (i) the use of filtering to reduce load on the measurement system, and (ii) the use of active responders to elicit further activity from scanners in order to differentiate different types of background radiation. We break down the components of background radiation by protocol, application, and often specific exploit; analyze temporal patterns and correlated activity; and assess variations across different networks and over time. While we find a menagerie of activity, probes from worms and autorooters heavily dominate. We conclude with considerations of how to incorporate our characterizations into monitoring and detection activities.

Original language: English (US)
Title of host publication: Proceedings of the 2004 ACM SIGCOMM Internet Measurement Conference, IMC 2004
Pages: 27-40
Number of pages: 14
State: Published - 2004
Externally published: Yes
Event: Proceedings of the 2004 ACM SIGCOMM Internet Measurement Conference, IMC 2004 - Taormina, Italy
Duration: Oct 25 2004 to Oct 27 2004

Other

Other: Proceedings of the 2004 ACM SIGCOMM Internet Measurement Conference, IMC 2004
Country: Italy
City: Taormina
Period: 10/25/04 to 10/27/04

Fingerprint

Internet
Radiation
Monitoring
Network protocols

Keywords

  • Honeypot
  • Internet Background Radiation
  • Network Telescope

ASJC Scopus subject areas

  • Engineering(all)

Cite this

Pang, R., Barford, P., Yegneswaran, V., Paxson, V., & Peterson, L. L. (2004). Characteristics of internet background radiation. In Proceedings of the 2004 ACM SIGCOMM Internet Measurement Conference, IMC 2004 (pp. 27-40)

@inproceedings{beacd7226f38493192c76858f0fb2b07,
title = "Characteristics of internet background radiation",
abstract = "Monitoring any portion of the Internet address space reveals incessant activity. This holds even when monitoring traffic sent to unused addresses, which we term {"}background radiation.{"} Background radiation reflects fundamentally nonproductive traffic, either malicious (flooding backscatter, scans for vulnerabilities, worms) or benign (misconfigurations). While the general presence of background radiation is well known to the network operator community, its nature has yet to be broadly characterized. We develop such a characterization based on data collected from four unused networks in the Internet. Two key elements of our methodology are (i) the use of filtering to reduce load on the measurement system, and (ii) the use of active responders to elicit further activity from scanners in order to differentiate different types of background radiation. We break down the components of background radiation by protocol, application, and often specific exploit; analyze temporal patterns and correlated activity; and assess variations across different networks and over time. While we find a menagerie of activity, probes from worms and autorooters heavily dominate. We conclude with considerations of how to incorporate our characterizations into monitoring and detection activities.",
keywords = "Honeypot, Internet Background Radiation, Network Telescope",
author = "Ruoming Pang and Paul Barford and Vinod Yegneswaran and Vern Paxson and Peterson, {Larry Lee}",
year = "2004",
language = "English (US)",
isbn = "1581138210",
pages = "27--40",
booktitle = "Proceedings of the 2004 ACM SIGCOMM Internet Measurement Conference, IMC 2004",

}

TY - GEN

T1 - Characteristics of internet background radiation

AU - Pang, Ruoming

AU - Barford, Paul

AU - Yegneswaran, Vinod

AU - Paxson, Vern

AU - Peterson, Larry Lee

PY - 2004

Y1 - 2004

AB - Monitoring any portion of the Internet address space reveals incessant activity. This holds even when monitoring traffic sent to unused addresses, which we term "background radiation." Background radiation reflects fundamentally nonproductive traffic, either malicious (flooding backscatter, scans for vulnerabilities, worms) or benign (misconfigurations). While the general presence of background radiation is well known to the network operator community, its nature has yet to be broadly characterized. We develop such a characterization based on data collected from four unused networks in the Internet. Two key elements of our methodology are (i) the use of filtering to reduce load on the measurement system, and (ii) the use of active responders to elicit further activity from scanners in order to differentiate different types of background radiation. We break down the components of background radiation by protocol, application, and often specific exploit; analyze temporal patterns and correlated activity; and assess variations across different networks and over time. While we find a menagerie of activity, probes from worms and autorooters heavily dominate. We conclude with considerations of how to incorporate our characterizations into monitoring and detection activities.

KW - Honeypot

KW - Internet Background Radiation

KW - Network Telescope

UR - http://www.scopus.com/inward/record.url?scp=14944369649&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=14944369649&partnerID=8YFLogxK

M3 - Conference contribution

AN - SCOPUS:14944369649

SN - 1581138210

SN - 9781581138214

SP - 27

EP - 40

BT - Proceedings of the 2004 ACM SIGCOMM Internet Measurement Conference, IMC 2004

ER -