IEEE Security and Privacy
Characteristics of internet background radiation
Proceedings of the 4th ACM SIGCOMM conference on Internet measurement
DIMES: let the internet measure itself
ACM SIGCOMM Computer Communication Review
Inferring Internet denial-of-service activity
ACM Transactions on Computer Systems (TOCS)
Data reduction for the scalable automated analysis of distributed darknet traffic
IMC '05 Proceedings of the 5th ACM SIGCOMM conference on Internet Measurement
iPlane: an information plane for distributed services
OSDI '06 Proceedings of the 7th USENIX Symposium on Operating Systems Design and Implementation - Volume 7
Studying black holes in the internet with Hubble
NSDI'08 Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation
Proceedings of the ACM SIGCOMM 2010 conference
Internet background radiation revisited
IMC '10 Proceedings of the 10th ACM SIGCOMM conference on Internet measurement
Analysis of country-wide internet outages caused by censorship
Proceedings of the 2011 ACM SIGCOMM conference on Internet measurement conference
Communications of the ACM
Classifying internet one-way traffic
Proceedings of the 2012 ACM conference on Internet measurement conference
Gaining insight into AS-level outages through analysis of internet background radiation
Proceedings of the 2012 ACM conference on CoNEXT student workshop
Trinocular: understanding internet reliability through adaptive probing
Proceedings of the ACM SIGCOMM 2013 conference on SIGCOMM
Federated flow-based approach for privacy preserving connectivity tracking
Proceedings of the ninth ACM conference on Emerging networking experiments and technologies
Hi-index | 0.02 |
Unsolicited one-way Internet traffic, also called Internet background radiation (IBR), has been used for years to study malicious activity on the Internet, including worms, DoS attacks, and scanning address space looking for vulnerabilities to exploit. We show how such traffic can also be used to analyze macroscopic Internet events that are unrelated to malware. We examine two phenomena: country-level censorship of Internet communications described in recent work, and natural disasters (two recent earthquakes). We introduce a new metric of local IBR activity based on the number of unique IP addresses per hour contributing to IBR. The advantage of this metric is that it is not affected by bursts of traffic from a few hosts. Although we have only scratched the surface, we are convinced that IBR traffic is an important building block for comprehensive monitoring, analysis, and possibly even detection of events unrelated to the IBR itself. In particular, IBR offers the opportunity to monitor the impact of events such as natural disasters on network infrastructure, and in particular reveals a view of events that is complementary to many existing measurement platforms based on (BGP) control-plane views or targeted active ICMP probing.