-
Aggressive Internet-Wide Scanners: Network Impact and Longitudinal Characterization
Authors:
Aniket Anand,
Michalis Kallitsis,
Jackson Sippe,
Alberto Dainotti
Abstract:
Aggressive network scanners, i.e., ones with immoderate and persistent behaviors, ubiquitously search the Internet to identify insecure and publicly accessible hosts. These scanners generally lie within two main categories; i) benign research-oriented probers; ii) nefarious actors that forage for vulnerable victims and host exploitation. However, the origins, characteristics and the impact on real…
▽ More
Aggressive network scanners, i.e., ones with immoderate and persistent behaviors, ubiquitously search the Internet to identify insecure and publicly accessible hosts. These scanners generally lie within two main categories; i) benign research-oriented probers; ii) nefarious actors that forage for vulnerable victims and host exploitation. However, the origins, characteristics and the impact on real networks of these aggressive scanners are not well understood. In this paper, via the vantage point of a large network telescope, we provide an extensive longitudinal empirical analysis of aggressive IPv4 scanners that spans a period of almost two years. Moreover, we examine their network impact using flow and packet data from two academic ISPs. To our surprise, we discover that a non-negligible fraction of packets processed by ISP routers can be attributed to aggressive scanners. Our work aims to raise the network community's awareness for these "heavy hitters", especially the miscreant ones, whose invasive and rigorous behavior i) makes them more likely to succeed in abusing the hosts they target and ii) imposes a network footprint that can be disruptive to critical network services by incurring consequences akin to denial of service attacks.
△ Less
Submitted 11 May, 2023;
originally announced May 2023.
-
Quantifying Nations Exposure to Traffic Observation and Selective Tampering
Authors:
Alexander Gamero-Garrido,
Esteban Carisimo,
Shuai Hao,
Bradley Huffaker,
Alex C. Snoeren,
Alberto Dainotti
Abstract:
Almost all popular Internet services are hosted in a select set of countries, forcing other nations to rely on international connectivity to access them. We infer instances where traffic towards a large portion of a country is serviced by a small number of Autonomous Systems, and, therefore, may be exposed to observation or selective tampering. We introduce the Country-level Transit Influence (CTI…
▽ More
Almost all popular Internet services are hosted in a select set of countries, forcing other nations to rely on international connectivity to access them. We infer instances where traffic towards a large portion of a country is serviced by a small number of Autonomous Systems, and, therefore, may be exposed to observation or selective tampering. We introduce the Country-level Transit Influence (CTI) metric to quantify the significance of a given AS on the international transit service of a particular country. By studying the CTI values for the top ASes in each country, we find that 32 nations have transit ecosystems that render them particularly exposed, with traffic destined to over 40% of their IP addresses privy to a single AS. In the nations where we are able to validate our findings with in-country operators, we obtain 83% accuracy on average. In the countries we examine, CTI reveals two classes of networks that play a particularly prominent role: submarine cable operators and state-owned ASes.
△ Less
Submitted 25 February, 2022; v1 submitted 12 October, 2021;
originally announced October 2021.
-
Spoki: Unveiling a New Wave of Scanners through a Reactive Network Telescope
Authors:
Raphael Hiesgen,
Marcin Nawrocki,
Alistair King,
Alberto Dainotti,
Thomas C. Schmidt,
Matthias Wählisch
Abstract:
Large-scale Internet scans are a common method to identify victims of a specific attack. Stateless scanning like in ZMap has been established as an efficient approach to probing at Internet scale. Stateless scans, however, need a second phase to perform the attack, which remains invisible to network telescopes that only capture the first incoming packet and is not observed as a related event by ho…
▽ More
Large-scale Internet scans are a common method to identify victims of a specific attack. Stateless scanning like in ZMap has been established as an efficient approach to probing at Internet scale. Stateless scans, however, need a second phase to perform the attack, which remains invisible to network telescopes that only capture the first incoming packet and is not observed as a related event by honeypots. In this work, we examine Internet-wide scan traffic through Spoki, a reactive network telescope operating in real-time that we design and implement. Spoki responds to asynchronous TCP SYN packets and engages in TCP handshakes initiated in the second phase of two-phase scans. Because it is extremely lightweight it scales to large prefixes where it has the unique opportunity to record the first data sequence submitted within the TCP handshake ACK. We analyze two-phase scanners during a three months period using globally deployed Spoki reactive telescopes as well as flow data sets from IXPs and ISPs. We find that a predominant fraction of TCP SYNs on the Internet has irregular characteristics. Our findings also provide a clear signature of today's scans as: (i) highly targeted, (ii) scanning activities notably vary between regional vantage points, and (iii) a significant share originates from malicious sources.
△ Less
Submitted 11 October, 2021;
originally announced October 2021.
-
Chocolatine: Outage Detection for Internet Background Radiation
Authors:
Andreas Guillot,
Romain Fontugne,
Philipp Winter,
Pascal Merindol,
Alistair King,
Alberto Dainotti,
Cristel Pelsser
Abstract:
The Internet is a complex ecosystem composed of thousands of Autonomous Systems (ASs) operated by independent organizations; each AS having a very limited view outside its own network. These complexities and limitations impede network operators to finely pinpoint the causes of service degradation or disruption when the problem lies outside of their network. In this paper, we present Chocolatine, a…
▽ More
The Internet is a complex ecosystem composed of thousands of Autonomous Systems (ASs) operated by independent organizations; each AS having a very limited view outside its own network. These complexities and limitations impede network operators to finely pinpoint the causes of service degradation or disruption when the problem lies outside of their network. In this paper, we present Chocolatine, a solution to detect remote connectivity loss using Internet Background Radiation (IBR) through a simple and efficient method. IBR is unidirectional unsolicited Internet traffic, which is easily observed by monitoring unused address space. IBR features two remarkable properties: it is originated worldwide, across diverse ASs, and it is incessant. We show that the number of IP addresses observed from an AS or a geographical area follows a periodic pattern. Then, using Seasonal ARIMA to statistically model IBR data, we predict the number of IPs for the next time window. Significant deviations from these predictions indicate an outage. We evaluated Chocolatine using data from the UCSD Network Telescope, operated by CAIDA, with a set of documented outages. Our experiments show that the proposed methodology achieves a good trade-off between true-positive rate (90%) and false-positive rate (2%) and largely outperforms CAIDA's own IBR-based detection method. Furthermore, performing a comparison against other methods, i.e., with BGP monitoring and active probing, we observe that Chocolatine shares a large common set of outages with them in addition to many specific outages that would otherwise go undetected.
△ Less
Submitted 30 September, 2019; v1 submitted 11 June, 2019;
originally announced June 2019.
-
A Survey among Network Operators on BGP Prefix Hijacking
Authors:
Pavlos Sermpezis,
Vasileios Kotronis,
Alberto Dainotti,
Xenofontas Dimitropoulos
Abstract:
BGP prefix hijacking is a threat to Internet operators and users. Several mechanisms or modifications to BGP that protect the Internet against it have been proposed. However, the reality is that most operators have not deployed them and are reluctant to do so in the near future. Instead, they rely on basic - and often inefficient - proactive defenses to reduce the impact of hijacking events, or on…
▽ More
BGP prefix hijacking is a threat to Internet operators and users. Several mechanisms or modifications to BGP that protect the Internet against it have been proposed. However, the reality is that most operators have not deployed them and are reluctant to do so in the near future. Instead, they rely on basic - and often inefficient - proactive defenses to reduce the impact of hijacking events, or on detection based on third party services and reactive approaches that might take up to several hours. In this work, we present the results of a survey we conducted among 75 network operators to study: (a) the operators' awareness of BGP prefix hijacking attacks, (b) presently used defenses (if any) against BGP prefix hijacking, (c) the willingness to adopt new defense mechanisms, and (d) reasons that may hinder the deployment of BGP prefix hijacking defenses. We expect the findings of this survey to increase the understanding of existing BGP hijacking defenses and the needs of network operators, as well as contribute towards designing new defense mechanisms that satisfy the requirements of the operators.
△ Less
Submitted 9 January, 2018;
originally announced January 2018.
-
ARTEMIS: Neutralizing BGP Hijacking within a Minute
Authors:
Pavlos Sermpezis,
Vasileios Kotronis,
Petros Gigis,
Xenofontas Dimitropoulos,
Danilo Cicalese,
Alistair King,
Alberto Dainotti
Abstract:
BGP prefix hijacking is a critical threat to Internet organizations and users. Despite the availability of several defense approaches (ranging from RPKI to popular third-party services), none of them solves the problem adequately in practice. In fact, they suffer from: (i) lack of detection comprehensiveness, allowing sophisticated attackers to evade detection, (ii) limited accuracy, especially in…
▽ More
BGP prefix hijacking is a critical threat to Internet organizations and users. Despite the availability of several defense approaches (ranging from RPKI to popular third-party services), none of them solves the problem adequately in practice. In fact, they suffer from: (i) lack of detection comprehensiveness, allowing sophisticated attackers to evade detection, (ii) limited accuracy, especially in the case of third-party detection, (iii) delayed verification and mitigation of incidents, reaching up to days, and (iv) lack of privacy and of flexibility in post-hijack counteractions, on the side of network operators. In this work, we propose ARTEMIS (Automatic and Real-Time dEtection and MItigation System), a defense approach (a) based on accurate and fast detection operated by the AS itself, leveraging the pervasiveness of publicly available BGP monitoring services and their recent shift towards real-time streaming, thus (b) enabling flexible and fast mitigation of hijacking events. Compared to previous work, our approach combines characteristics desirable to network operators such as comprehensiveness, accuracy, speed, privacy, and flexibility. Finally, we show through real-world experiments that, with the ARTEMIS approach, prefix hijacking can be neutralized within a minute.
△ Less
Submitted 27 June, 2018; v1 submitted 3 January, 2018;
originally announced January 2018.
-
Lost in Space: Improving Inference of IPv4 Address Space Utilization
Authors:
Alberto Dainotti,
Karyn Benson,
Alistair King,
kc claffy,
Eduard Glatz,
Xenofontas Dimitropoulos,
Philipp Richter,
Alessandro Finamore,
Alex C. Snoeren
Abstract:
One challenge in understanding the evolution of Internet infrastructure is the lack of systematic mechanisms for monitoring the extent to which allocated IP addresses are actually used. In this paper we try to advance the science of inferring IPv4 address space utilization by analyzing and correlating results obtained through different types of measurements. We have previously studied an approach…
▽ More
One challenge in understanding the evolution of Internet infrastructure is the lack of systematic mechanisms for monitoring the extent to which allocated IP addresses are actually used. In this paper we try to advance the science of inferring IPv4 address space utilization by analyzing and correlating results obtained through different types of measurements. We have previously studied an approach based on passive measurements that can reveal used portions of the address space unseen by active approaches. In this paper, we study such passive approaches in detail, extending our methodology to four different types of vantage points, identifying traffic components that most significantly contribute to discovering used IPv4 network blocks. We then combine the results we obtained through passive measurements together with data from active measurement studies, as well as measurements from BGP and additional datasets available to researchers. Through the analysis of this large collection of heterogeneous datasets, we substantially improve the state of the art in terms of: (i) understanding the challenges and opportunities in using passive and active techniques to study address utilization; and (ii) knowledge of the utilization of the IPv4 space.
△ Less
Submitted 30 October, 2014; v1 submitted 24 October, 2014;
originally announced October 2014.