Bro: a system for detecting network intruders in real-time. Computer Networks: The International Journal of Computer and Telecommunications Networking.
Trajectory sampling for direct traffic observation. Proceedings of the conference on Applications, Technologies, Architectures, and Protocols for Computer Communication.
What TCP/IP protocol headers can tell us about the web. Proceedings of the 2001 ACM SIGMETRICS international conference on Measurement and modeling of computer systems.
Rapid model parameterization from traffic measurements. ACM Transactions on Modeling and Computer Simulation (TOMACS).
Measurement, modeling, and analysis of a peer-to-peer file-sharing workload. SOSP '03 Proceedings of the nineteenth ACM symposium on Operating systems principles.
Experiences with a continuous network tracing infrastructure. Proceedings of the 2005 ACM SIGCOMM workshop on Mining network data.
Experience Using Active and Passive Mapping for Network Situational Awareness. NCA '06 Proceedings of the Fifth IEEE International Symposium on Network Computing and Applications.
Census and survey of the visible internet. Proceedings of the 8th ACM SIGCOMM conference on Internet measurement.
Flexible and efficient platform modeling for distributed interactive systems. Proceedings of the 1st ACM SIGCHI symposium on Engineering interactive computing systems.
Automating network application dependency discovery: experiences, limitations, and new solutions. OSDI'08 Proceedings of the 8th USENIX conference on Operating systems design and implementation.
Demystifying service discovery: implementing an internet-wide scanner. IMC '10 Proceedings of the 10th ACM SIGCOMM conference on Internet measurement.
Nfsight: netflow-based network awareness tool. LISA'10 Proceedings of the 24th international conference on Large installation system administration.
A Dynamic Recursive Unified Internet Design (DRUID). Computer Networks: The International Journal of Computer and Telecommunications Networking.
Detection and classification of peer-to-peer traffic: A survey. ACM Computing Surveys (CSUR).
ZMap: fast internet-wide scanning and its security applications. SEC'13 Proceedings of the 22nd USENIX conference on Security.
Demystifying internet-wide service discovery. IEEE/ACM Transactions on Networking (TON).
Increasingly, network operators do not directly operate the computers on their network, yet they are responsible for assessing network vulnerabilities, ensuring compliance with policies about information disclosure, and tracking the services that affect provisioning. With network management decentralized in this way, service discovery becomes an important part of maintaining and protecting computer networks. We explore two approaches to service discovery: active probing and passive monitoring. Active probing finds all services currently on the network, except services that are temporarily unavailable or hidden by firewalls; however, it is often too invasive, especially when used across administrative boundaries. Passive monitoring can find transient services, but it misses services that are idle. We compare the accuracy of the passive and active approaches to service discovery and show that they are complementary, highlighting the need for multiple active scans coupled with long-duration passive monitoring. We find that passive monitoring is well suited to quickly finding popular services: it finds the servers responsible for 99% of incoming connections within minutes. Active scanning is better suited to rapidly finding all servers, which is important for vulnerability detection: one scan finds 98% of services in two hours, missing only a handful. External scans are an unexpected ally to passive monitoring, speeding service discovery by the equivalent of 9-15 days of additional observation. Finally, we show how the use of static or dynamic addresses changes the effectiveness of service discovery, due both to address reuse and to VPN effects.