"Dark" Traffic in Network 101.0.0.0/8

Similar documents
Analysis of a DDoS Attack

/8. Merit APNIC University of Michigan. George Michaelson Geoff Huston. Eric Wustrow Manish Karir. Micheal Bailey Farnam Jahanian

Internet Traffic Trends A View from 67 ISPs

Network Management & Monitoring

CS 457 Lecture 19 Global Internet - BGP. Fall 2011

Introducing FortiDDoS. Mar, 2013

SolarWinds. Understanding SolarWinds Charts and Graphs Technical Reference

Internet Firewall CSIS Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS net15 1. Routers can implement packet filtering

Wharf T&T Limited DDoS Mitigation Service Customer Portal User Guide

DDoS Mitigation Techniques

Network layer: Overview. Network layer functions IP Routing and forwarding

Viete, čo robia Vaši užívatelia na sieti? Roman Tuchyňa, CSA

Network and Services Discovery

Guide to Network Defense and Countermeasures Third Edition. Chapter 2 TCP/IP

Minimal network traffic is the result of SiteAudit s design. The information below explains why network traffic is minimized.

Firewall Defaults, Public Server Rule, and Secondary WAN IP Address

Network Security Monitoring and Behavior Analysis Pavel Čeleda, Petr Velan, Tomáš Jirsík

Windows 2003 Performance Monitor. System Monitor. Adding a counter

Introduction to Netflow

Netflow Overview. PacNOG 6 Nadi, Fiji

Security Toolsets for ISP Defense

HP Intelligent Management Center v7.1 Network Traffic Analyzer Administrator Guide

NSC E

DDoS Protection Technology White Paper

Introduction to Network Security Lab 1 - Wireshark

How To Prevent DoS and DDoS Attacks using Cyberoam

Network Monitoring and Management NetFlow Overview

Chapter 9. IP Secure

Using IPM to Measure Network Performance

How To Stop A Malicious Dns Attack On A Domain Name Server (Dns) From Being Spoofed (Dnt) On A Network (Networking) On An Ip Address (Ip Address) On Your Ip Address On A Pc Or Ip Address

Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial

Company Network. We want to go into the Internet. Company MBK & Co. KG. von Stephanie Endlich, Thomas Hein, Stephan Gitz und Matthias Härtel

UltraFlow -Cisco Netflow tools-

Ref: A. Leon Garcia and I. Widjaja, Communication Networks, 2 nd Ed. McGraw Hill, 2006 Latest update of this lecture was on

DDoS Overview and Incident Response Guide. July 2014

Inferring Internet Denial-of

NETWORK SECURITY WITH OPENSOURCE FIREWALL

Firewall Defaults and Some Basic Rules

Networking Test 4 Study Guide

Scan Detection - Revisited

Firewall Firewall August, 2003

CONFIGURING TCP/IP ADDRESSING AND SECURITY

WHITE PAPER. Understanding IP Addressing: Everything You Ever Wanted To Know

Internet Measurement Research

How To - Configure Virtual Host using FQDN How To Configure Virtual Host using FQDN

19. Exercise: CERT participation in incident handling related to the Article 13a obligations

MULTI WAN TECHNICAL OVERVIEW

The ntop Project: Open Source Network Monitoring

Mobile IP Network Layer Lesson 02 TCP/IP Suite and IP Protocol

Data Networks Summer 2007 Homework #3

Classful IP Addressing (cont.)

Analysis of Network Packets. C DAC Bangalore Electronics City

CSCI Firewalls and Packet Filtering

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

How To Block A Ddos Attack On A Network With A Firewall

NetStream (Integrated) Technology White Paper HUAWEI TECHNOLOGIES CO., LTD. Issue 01. Date

Denial of Service Attacks and Countermeasures. Extreme Networks, Inc. All rights reserved. ExtremeXOS Implementing Advanced Security (EIAS)

Applications. Network Application Performance Analysis. Laboratory. Objective. Overview

Firewalls and Intrusion Detection

ACHILLES CERTIFICATION. SIS Module SLS 1508

Distributed Denial of Service (DDoS)

LARGE-SCALE INTERNET MEASUREMENTS FOR DATA-DRIVEN PUBLIC POLICY. Henning Schulzrinne (+ Walter Johnston & James Miller) FCC & Columbia University

NAT and Firewall Traversal with STUN / TURN / ICE

Analysis of Network Beaconing Activity for Incident Response

This sequence diagram was generated with EventStudio System Designer (

Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks

Characterization and Analysis of NTP Amplification Based DDoS Attacks

plixer Scrutinizer Competitor Worksheet Visualization of Network Health Unauthorized application deployments Detect DNS communication tunnels

Chapter 3. TCP/IP Networks. 3.1 Internet Protocol version 4 (IPv4)

Plugging Network Security Holes using NetFlow. Loopholes in todays network security solutions and how NetFlow can help

RARP: Reverse Address Resolution Protocol

WHITE PAPER. FortiGate DoS Protection Block Malicious Traffic Before It Affects Critical Applications and Systems

Algorithms and Techniques Used for Auto-discovery of Network Topology, Assets and Services

Firewalls. Basic Firewall Concept. Why firewalls? Firewall goals. Two Separable Topics. Firewall Design & Architecture Issues

IP addressing and forwarding Network layer

his document discusses implementation of dynamic mobile network routing (DMNR) in the EN-4000.

Introduction to Cisco IOS Flexible NetFlow

DNS (Domain Name System) is the system & protocol that translates domain names to IP addresses.

CYBER ATTACKS EXPLAINED: PACKET CRAFTING

Lessons learned: Sinkholing the Zeroaccess botnet. Ross Gibb. Attack Investigations Team Symantec Security Response.

PROFESSIONAL SECURITY SYSTEMS

CS 43: Computer Networks IP. Kevin Webb Swarthmore College November 5, 2013

Nalini Elkins Introduction to TCP/IP Diagnostics (Web-based Seminar)

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Task 20.1: Configure ASBR1 Serial 0/2 to prevent DoS attacks to ASBR1 from SP1.

DDoS Mitigation Strategies

Configuring Flexible NetFlow

The Value of Flow Data for Peering Decisions

IPFIX IE Extensions for DDoS Attack Detection draft-fu-dots-ipfix-extension-01

Network Security: Workshop. Dr. Anat Bremler-Barr. Assignment #2 Analyze dump files Solution Taken from

Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network.

CS 356 Lecture 16 Denial of Service. Spring 2013

Transcription:

"Dark" Traffic in Network 101.0.0.0/8 September 2010 Geoff Huston George Michaelson APNIC R&D research@apnic.net APNIC is now regularly examining the unused state of IPv4 address blocks before they are passed over for general allocation. Experiments are undertaken with these address blocks by advertising a route to the address block, and recording all incoming traffic received in response to the routing advertisements. This document reports on the results of this experiment in the identification of the patterns of such "dark" traffic that is being directed to the address block 101.0.0.0/8. APNIC expresses its appreciation for the generous assistance provided by NTT and Merit in undertaking this series of experiments. Experiment Details In collaboration with APNIC, AS237 (Merit) exclusively announced 101.0.0.0/8 for the period from 11 August 2010 until 19 August 2010. The data collector was unfiltered, and the data collection system was entirely passive, and no packets were generated in response to the incoming traffic. Traffic Profile Figure 1 shows the traffic profile for network 101/8. (The graph utility used here does not make this adequately clear, but in the following figures the red trace is the total traffic, the blue trace is TCP, the green trace is UDP, the violet trace is ICMP and the cyan trace is all other protocols.)

Figure 1 Traffic profile for 101.0.0.0/8 This traffic profile is similar to the profile that was recorded for 49/8. The address block 101/8 attracts some 12 25Mbps of incoming traffic. Of this, some 60% of the traffic is TCP and 35% is UDP, with the remainder being predominately ICMP. The traffic shows a pronounced diurnal pattern, which most visible in the TCP component of the traffic. There is no clear weekday / weekend delineation. In terms of protocol distribution, the distribution of incoming bytes in these two address blocks are shown in Table 1. This table also includes previously collected data concerning the protocol distribution in 49.0.0.0/8, 14.0.0.0/8 and 223.0.0.0/8. Protocol Proportion of Traffic 101.0.0.0/8 49.0.0.0/8 14.0.0.0/8 223.0.0.0/8 TCP 76.0% 81.5% 66.2% 71.4% UDP 22.7% 17.4% 25.6% 27.6% ICMP 0.9% 1.1% 8.0% 0.9% Other 0.4% 0.0% 0.2% 0.1% Table 1. Distribution of Traffic by Protocol Of note here is that the incoming traffic in network 101.0.0.0/8 has a slightly lower component of TCP traffic, and a corresponding higher UDP component compared to two of the other three network blocks, although it is most similar in profile to 14.0.0.0/8 Also of note in terms of traffic profile, incoming TCP traffic in network 101.0.0.0/8 shows a marked diurnal pattern, while the UDP traffic levels do not show such a marked diurnal pattern. The second view of the overall traffic profile is by packet count rather than traffic (byte) counts. The packet profile of incoming traffic in this network block is shown in the following figure.

Figure 2 Packet profile for 101.0.0.0/8 The 101/8 network block attracts between 25,000 and 45,000 packets per second, where 87% of the incoming packets are TCP, between 14.2% are UDP, 6.1% are ICMP and the remaining packets represent 4.6% of the total. In terms of protocol distribution, the distribution of incoming bytes in these two address blocks are shown in Table 2. This table also includes previously collected data concerning the protocol distribution in 49/8, 14/8 and 223/8 for comparison. Protocol Proportion of Packets 101.0.0.0/8 49.0.0.0/8 14.0.0.0/8 223.0.0.0/8 TCP 83.1% 86.9% 50.0% 50.0% UDP 16.0% 14.2% 36.5% 35.7% ICMP 0.7% 6.1% 9.9% 13.9% Other 0.2% 4.6% 3.6% 0.3% Table 2. Distribution of Packets by Protocol The third form of traffic profile is in terms of packet size distribution. TCP packets are predominately 62 octet SYN packets (14,666M of the 16,437M TCP packets (89%) were TCP SYN packets).

Figure 3 Packet size distribution for 101.0.0.0/8 Of note in the data collected is the ICMP and "other protocol" extended bursts of larger packet sizes. Distribution of Traffic Across /16s The following figure shows the distribution of traffic across the /8 address block, divided up into each of the 256 /16 address blocks. Figure 4 shows this distribution for 101.0.0.0/8. Figure 4 Traffic distribution per /16 for 101.0.0.0/8 In almost all cases the level of incoming traffic lies between 10Kbps to 200Kbps, with a visible diurnal component. There is a "banding" into two traffic profiles: the low /9 exhibits an average traffic level of some 110Kbps per /16, while the high /9 exhibits an average traffic level of 20Kbps, consistent with the scanning behaviour of the conficker virus.

The distribution of average traffic levels for each of the /16s in net 101 is shown in the following figure. Figure 5 Average Traffic load per /16 for 101.0.0.0/8 This data collection shows a pronounced break in the "middle" of the address block. The low half of the address block (49.0.0.0/9) has an average traffic load of 100Kbps per /16, while the upper half of the block (49.128.0.0/9) has an average traffic load of 20Kbps. This will be examined in the next section. There are a number of /16s that appear to show anomalously high levels of traffic, with 10 /16s receiving average incoming traffic levels of in excess of 125Kbps. Differences in "low" and "high" /9s Of the 16,437 million TCP packets directed to network 101.0.0.0/8 over the 8 day period when advertised by AS237, some 12,317 million TCP packets were directed to port 445. TCP port 445 is used by Microsoft systems to support the Server Message Block (SMB) protocol, used for file sharing. It is also a very common vector for attacks on Microsoft Windows systems. This skew of traffic distribution, where the low /9 is dominated by TCP SYN traffic to port 445, while the high /9 has no counterpart, and is instead dominated by UDP traffic is typical of what has been previously observed in 49.0.0.0/8, 14.0.0.0/8 and 223.0.0.0/8 Distribution of Traffic The following figure shows the distribution of traffic levels per /24 in network 101.0.0.0/8.

Figure 6 Traffic profile for 101.0.0.0/8 by /24s The second peak in this distribution at 400bps per /24 is due to Conficker scanning across the low /9 of the address block. It appears that the Conficker scanning traffic element is common across the entire IPv4 address range, and this additional traffic component directed to TCP port 445 in the low /9 of this two address block is not an anomaly that warrants any particular action in terms of reservation of addresses from allocations or assignments. The list of /24s with sustained average traffic levels greater than 10Kbps for the 8 day period are: 101.0.0.0/24 34Kbps 101.1.1.0/24 75Kbps 101.2.173.0/24 85Kbps 101.50.56.0/24 21Kbps 101.53.100.0/24 22Kbps 101.55.225.0/24 12Kbps 101.78.2.0/24 22Kbps 101.96.8.0/24 35Kbps 101.97.51.0/24 213Kbps 101.99.97.0/24 45Kbps 101.99.100.0/24 59Kbps 101.101.101.0/24 53Kbps

101.102.103.0/24 22Kbps 101.110.116.0/24 13Kbps 101.203.172.0/24 278Kbps 101.234.78.0/24 27Kbps 101.251.0.0/24 19Kbps Conclusions Using a threshold value of a sustained incoming traffic rate of more than 10Kbps per /24, corresponding to 40 bits per second per address, or approximately 1 packet on average every 20 seconds per address, then there are 17 /24s in 101.0.0.0/8 that exceed this level of traffic on a sustained basis. It is recommended that these 17 /24s be withheld from regular allocation or assignment from 101.0.0.0/8 for a period of 3 months, allowing a second round of testing of these particular prefixes at that time.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information