Internet Background Radiation

Опубликовано 6 сентября 2016, 6:24

Monitoring any portion of the Internet address space reveals incessant activity. This holds even when monitoring traffic sent to unused addresses---thus we term the traffic ``background radiation.'' Background radiation reflects fundamentally nonproductive traffic, either malicious (flooding backscatter, scans for vulnerabilities, worms) or benign (misconfigurations). While the general presence of background radiation is well known to the network operator community, its nature had not been previously characterized. We developed a broad characterization [1] based on data collected from unused networks in the Internet over the last two years. Three key elements of our methodology are (1) the use of filtering to reduce load on the measurement system, and (2) the use of active responders to elicit further activity from scanners in order to differentiate different types of background radiation, and (3) the use of application level traffic semantic analysis to uncover activity details at application protocol level. While we find a menagerie of activity, probes from worms and autorooters heavily dominate the traffic. We conclude with considerations of how to incorporate our characterizations into monitoring and detecting activities. [1] R. Pang, V. Yegneswaran, P. Barford, V. Paxson, and L. Peterson. Characteristics of Internet background radiation. Internet Measurement Conference 2004