TY - GEN
T1 - Characteristics of internet background radiation
AU - Pang, Ruoming
AU - Barford, Paul
AU - Yegneswaran, Vinod
AU - Paxson, Vern
AU - Peterson, Larry
PY - 2004
Y1 - 2004
N2 - Monitoring any portion of the Internet address space reveals incessant activity. This holds even when monitoring traffic sent to unused addresses, which we term "background radiation." Background radiation reflects fundamentally nonproductive traffic, either malicious (flooding backscatter, scans for vulnerabilities, worms) or benign (misconfigurations). While the general presence of background radiation is well known to the network operator community, its nature has yet to be broadly characterized. We develop such a characterization based on data collected from four unused networks in the Internet. Two key elements of our methodology are (i) the use of filtering to reduce load on the measurement system, and (ii) the use of active responders to elicit further activity from scanners in order to differentiate different types of background radiation. We break down the components of background radiation by protocol, application, and often specific exploit; analyze temporal patterns and correlated activity; and assess variations across different networks and over time. While we find a menagerie of activity, probes from worms and autorooters heavily dominate. We conclude with considerations of how to incorporate our characterizations into monitoring and detection activities.
KW - Honeypot
KW - Internet Background Radiation
KW - Network Telescope
UR - http://www.scopus.com/inward/record.url?scp=14944369649&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=14944369649&partnerID=8YFLogxK
U2 - 10.1145/1028788.1028794
DO - 10.1145/1028788.1028794
M3 - Conference contribution
AN - SCOPUS:14944369649
SN - 1581138210
SN - 9781581138214
T3 - Proceedings of the 2004 ACM SIGCOMM Internet Measurement Conference, IMC 2004
SP - 27
EP - 40
BT - Proceedings of the 2004 ACM SIGCOMM Internet Measurement Conference, IMC 2004
PB - Association for Computing Machinery
T2 - Proceedings of the 2004 ACM SIGCOMM Internet Measurement Conference, IMC 2004
Y2 - 25 October 2004 through 27 October 2004
ER -