Internet intrusions: global characteristics and prevalence
SIGMETRICS '03 Proceedings of the 2003 ACM SIGMETRICS international conference on Measurement and modeling of computer systems
IEEE Security and Privacy
Characteristics of internet background radiation
Proceedings of the 4th ACM SIGCOMM conference on Internet measurement
Transport layer identification of P2P traffic
Proceedings of the 4th ACM SIGCOMM conference on Internet measurement
The Blaster Worm: Then and Now
IEEE Security and Privacy
BLINC: multilevel traffic classification in the dark
Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
Inferring internet denial-of-service activity
SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
Accurate Real-time Identification of IP Prefix Hijacking
SP '07 Proceedings of the 2007 IEEE Symposium on Security and Privacy
PHAS: a prefix hijack alert system
USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Identifying and tracking suspicious activities through IP gray space analysis
Proceedings of the 3rd annual ACM workshop on Mining network data
Passive measurement of one-way and two-way flow lifetimes
ACM SIGCOMM Computer Communication Review
A light-weight distributed scheme for detecting ip prefix hijacks in real-time
Proceedings of the 2007 conference on Applications, technologies, architectures, and protocols for computer communications
Proceedings of the 7th ACM SIGCOMM conference on Internet measurement
Studying black holes in the internet with Hubble
NSDI'08 Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation
Cyclops: the AS-level connectivity observatory
ACM SIGCOMM Computer Communication Review
How healthy are today's enterprise networks?
Proceedings of the 8th ACM SIGCOMM conference on Internet measurement
Internet traffic classification demystified: myths, caveats, and the best practices
CoNEXT '08 Proceedings of the 2008 ACM CoNEXT Conference
Anomaly extraction in backbone networks using association rules
Proceedings of the 9th ACM SIGCOMM conference on Internet measurement conference
Internet background radiation revisited
IMC '10 Proceedings of the 10th ACM SIGCOMM conference on Internet measurement
LISA'10 Proceedings of the 24th international conference on Large installation system administration
iSPY: detecting IP prefix hijacking on my own
IEEE/ACM Transactions on Networking (TON)
FACT: flow-based approach for connectivity tracking
PAM'11 Proceedings of the 12th international conference on Passive and active measurement
ACM SIGCOMM Computer Communication Review
A network activity classification schema and its application to scan detection
IEEE/ACM Transactions on Networking (TON)
One-way traffic monitoring with iatmon
PAM'12 Proceedings of the 13th international conference on Passive and Active Measurement
LIFEGUARD: practical repair of persistent route failures
Proceedings of the ACM SIGCOMM 2012 conference on Applications, technologies, architectures, and protocols for computer communication
Detecting prefix hijackings in the internet with argus
Proceedings of the 2012 ACM conference on Internet measurement conference
RiskRoute: a framework for mitigating network outage threats
Proceedings of the ninth ACM conference on Emerging networking experiments and technologies
Federated flow-based approach for privacy preserving connectivity tracking
Proceedings of the ninth ACM conference on Emerging networking experiments and technologies
Hi-index | 0.00 |
Internet background radiation (IBR) is a very interesting piece of Internet traffic as it is the result of attacks and misconfigurations. Previous work has primarily analyzed IBR traffic to large unused IP address blocks called network telescopes. In this work, we build new techniques for monitoring one-way traffic in live networks with the main goals of 1) expanding our understanding of this interesting type of traffic towards live networks as well as of 2) making it useful for detecting and analyzing the impact of outages. Our first contribution is a classification scheme for dissecting one-way traffic into useful classes, including one-way traffic due to unreachable services, scanning, peer-to-peer applications, and backscatter. Our classification scheme is helpful for monitoring IBR traffic in live networks solely based on flow level data. After thoroughly validating our classifier, we use it to analyze a massive data-set that covers 7.41 petabytes of traffic from a large backbone network to shed light into the composition of one-way traffic. We find that the main sources of one-way traffic are malicious scanning, peer-to-peer applications, and outages. In addition, we report a number of interesting observations including that one-way traffic makes a very large fraction, i.e., between 34% and 67%, of the total number of flows to the monitored network, although it only accounts for only 3.4% of the number of packets, which suggests a new conceptual model for Internet traffic in which IBR is dominant in terms of flows. Finally, we demonstrate the utility of one-way traffic of the particularly interesting class of unreachable services for monitoring network and service outages by analyzing the impact of interesting events we detected in the network of our university.