Abstract
One challenge in understanding the evolution of Internet infrastructure is the lack of systematic mechanisms for monitoring the extent to which allocated IP addresses are actually used. Address utilization has been monitored via actively scanning the entire IPv4 address space. We evaluate the potential to leverage passive network traffic measurements in addition to or instead of active probing. Passive traffic measurements introduce no network traffic overhead, do not rely on unfiltered responses to probing, and could potentially apply to IPv6 as well. We investigate two challenges in using passive traffic for address utilization inference: the limited visibility of a single observation point; and the presence of spoofed IP addresses in packets that can distort results by implying faked addresses are active. We propose a methodology for removing such spoofed traffic on both darknets and live networks, which yields results comparable to inferences made from active probing. Our preliminary analysis reveals a number of promising findings, including novel insight into the usage of the IPv4 address space that would expand with additional vantage points.
Supplemental Material
Available for Download
This errata is to help viewers/readers identify/properly understand our contribution to the SIGCOMMCCR Newsletter. Volume 44 Issue 1, (January 2014) on pages 42-49.
- http://seclists.org/nanog/2009/Feb/2.Google Scholar
- A. Dainotti, A. King. CAIDA Blog: Carna botnet scans confirmed. http://blog.caida.org/best_available_data/2013/05/13/carna-botnet-scans/.Google Scholar
- Advanced Network Technology Center, University of Oregon. Route Views Project. http://www.routeviews.org/.Google Scholar
- K. Benson, A. Dainotti, k. claffy, and E. Aben. Gaining Insight into AS-level Outages through Analysis of Internet Background Radiation. In Traffic Monitoring and Analysis Workshop (TMA), Apr 2013.Google Scholar
- R. Beverly and S. Bauer. The spoofer project: inferring the extent of source address filtering on the internet. In USENIX Workshop on Steps to Reducing Unwanted Traffic on the Internet, SRUTI'05. Google ScholarDigital Library
- R. E. Beverly, IV. Statistical learning in network architecture. PhD thesis, MIT, 2008. AAI0820515. Google ScholarDigital Library
- CAIDA. Supplemental data: Estimating Internet address space usage through passive measurements. http://www.caida.org/publications/papers/2013/passive_ip_space_usage_estimation/supplemental/, 2013.Google Scholar
- E. Chien. Downadup: Attempts at Smart Network Scanning. http://www.symantec.com/connect/blogs/downadup-attempts-smart-network-scanning, 2009.Google Scholar
- Z. Durumeric, E. Wustrow, and J. A. Halderman. ZMap: Fast Internet-wide scanning and its security applications. In Proceedings of the 22nd USENIX Security Symposium, 2013. Google ScholarDigital Library
- J. Heidemann, Y. Pradkin, R. Govindan, C. Papadopoulos, G. Bartlett, and J. Bannister. Census and survey of the visible Internet. In 8th ACM SIGCOMM conference on Internet measurement, IMC '08. Google ScholarDigital Library
- J. Horchert and C. Stöcker. Mapping the internet: A hacker's secret internet census. Spiegel Online, March 2013.Google Scholar
- Information of Sciences Institute, University of Southern California. LANDER project:Internet address census it49c-20120731. http://www.isi.edu/ant/traces/internet_address_census_it49c-20120731.README.txt, 2012.Google Scholar
- Information of Sciences Institute, USC. Internet Address Survey Binary Format. http://www.isi.edu/ant/traces/topology/address_surveys/binformat_description.html, 2012.Google Scholar
- Information of Sciences Institute, USC. ANT Census of the Internet Address Space - browsable map. http://www.isi.edu/ant/address/browse/index.html, 2013.Google Scholar
- Insecure.Com LLC. Nmap Security Scanner. http://nmap.org.Google Scholar
- A. Langley. Probing the viability of TCP extensions. Technical report, Google Inc., Sep 2008.Google Scholar
- Merit Network, Inc. Merit Darknet IPv4. http://software.merit.edu/darknet/.Google Scholar
- R. Munroe. xkcd: MAP of the INTERNET 2006. http://blog.xkcd.com/2006/12/11/the-map-of-the-internet/.Google Scholar
- R. Pang, V. Yegneswaran, P. Barford, V. Paxson, and L. Peterson. Characteristics of internet background radiation. In Proceedings of the 4th ACM SIGCOMM conference on Internet measurement, IMC '04, pages 27--40, New York, NY, USA, 2004. ACM. Google ScholarDigital Library
- A. Sebastian. Default Time To Live (TTL) values. http://www.binbert.com/blog/2009/12/default-time-to-live-ttl-values/, 2009.Google Scholar
- A. N. Shannon V. Spires. Exhaustive search system and method using space-filling curves. Patent, 10 2003. US 6636847.Google Scholar
- SWITCH. Swiss Tele Communication System for Higher Education. http://www.switch.ch/.Google Scholar
- S. Templeton and K. Levitt. Detecting spoofed packets. In DARPA Information Survivability Conference and Exposition, 2003.Google ScholarCross Ref
- University of California, San Diego. The UCSD Network Telescope. http://www.caida.org/projects/network_telescope/.Google Scholar
- E. Wustrow, M. Karir, M. Bailey, F. Jahanian, and G. Huston. Internet background radiation revisited. In 10th ACM SIGCOMM conference on Internet measurement, IMC '10. Google ScholarDigital Library
- S. Zander, L. L. H. Andrew, G. Armitagei, and G. Huston. Estimating IPv4 Address Space Usage with Capture-recapture. In IEEE Workshop on Network Measurements (WNM 2013).Google ScholarCross Ref
Index Terms
- Estimating internet address space usage through passive measurements
Recommendations
Illuminating large-scale IPv6 scanning in the internet
IMC '22: Proceedings of the 22nd ACM Internet Measurement ConferenceWhile scans of the IPv4 space are ubiquitous, today little is known about scanning activity in the IPv6 Internet. In this work, we present a longitudinal and detailed empirical study on large-scale IPv6 scanning behavior in the Internet, based on ...
Errata for: Estimating internet address space usage through passive measurements (SIGCOMM CCR (Vol. 44, Issue 1, January, 2014)
One challenge in understanding the evolution of Internet in- frastructure is the lack of systematic mechanisms for monitoring the extent to which allocated IP addresses are actually used. Address utilization has been monitored via actively scanning the ...
Passive IP traceback: capturing the origin of anonymous traffic through network telescopes
SIGCOMM '10: Proceedings of the ACM SIGCOMM 2010 conferenceIP traceback can be used to find the origin of anonymous traffic; however, Internet-scale IP traceback systems have not been deployed due to a need for cooperation between Internet Service Providers (ISPs). This article presents an Internet-scale ...
Comments