
On the Design and Use of Internet Sinks for Network Abuse Monitoring

Conference paper, Recent Advances in Intrusion Detection (RAID 2004)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 3224)

Abstract

Monitoring unused or dark IP addresses offers opportunities to significantly improve and expand knowledge of abuse activity without many of the problems associated with typical network intrusion detection and firewall systems. In this paper, we address the problem of designing and deploying a system for monitoring large unused address spaces such as class A telescopes with 16M IP addresses. We describe the architecture and implementation of the Internet Sink (iSink) system which measures packet traffic on unused IP addresses in an efficient, extensible and scalable fashion. In contrast to traditional intrusion detection systems or firewalls, iSink includes an active component that generates response packets to incoming traffic. This gives the iSink an important advantage in discriminating between different types of attacks (through examination of the response payloads). The key feature of iSink’s design that distinguishes it from other unused address space monitors is that its active response component is stateless and thus highly scalable. We report performance results of our iSink implementation in both controlled laboratory experiments and from a case study of a live deployment. Our results demonstrate the efficiency and scalability of our implementation as well as the important perspective on abuse activity that is afforded by its use.
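The abstract's key design point is an active responder that answers probes to dark address space without keeping per-connection state. The added example below (not code from the paper or the iSink project) shows one way to build such a responder in the SYN-cookie style: the sink's initial sequence number is a keyed hash of the 4-tuple, so a later ACK carrying the first payload can be validated and classified with no connection table. The packet layout, secret key, port-to-protocol labels and sample addresses are all constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

SECRET = b"constructed-sink-secret"  # assumption: per-sink key, rotated out of band
SYN, PSH, ACK = 0x02, 0x08, 0x10
MASK32 = 0xFFFFFFFF

@dataclass
class Tcp:
    """Minimal decoded TCP segment (constructed stand-in for a real parser)."""
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int
    payload: bytes = b""

def stateless_isn(src: str, dst: str, sport: int, dport: int) -> int:
    """ISN derived from the 4-tuple, so the sink can later recognise its own
    handshake without having stored anything about the first SYN."""
    tup = f"{src}:{sport}>{dst}:{dport}".encode()
    return int.from_bytes(hmac.new(SECRET, tup, hashlib.sha256).digest()[:4], "big")

def classify(pkt: Tcp) -> str:
    """Label the first data segment by port and payload prefix (constructed labels)."""
    if pkt.dport == 80 and pkt.payload[:4] in (b"GET ", b"POST"):
        return "http-request"
    if pkt.dport == 445 and pkt.payload[4:8] == b"\xffSMB":
        return "smb-negotiate"
    return f"unknown-port-{pkt.dport}"

def respond(pkt: Tcp):
    """Return the SYN-ACK to send, a classification string, or None (drop)."""
    if pkt.flags & SYN and not pkt.flags & ACK:
        # Reply tuple is the mirror of the incoming one; no table entry is created.
        isn = stateless_isn(pkt.dst, pkt.src, pkt.dport, pkt.sport)
        return Tcp(pkt.dst, pkt.src, pkt.dport, pkt.sport, isn, (pkt.seq + 1) & MASK32, SYN | ACK)
    if pkt.flags & ACK:
        expected = (stateless_isn(pkt.dst, pkt.src, pkt.dport, pkt.sport) + 1) & MASK32
        if pkt.ack != expected:
            return None  # not acknowledging a SYN-ACK this sink produced: spoofed or stray
        if pkt.payload:
            return classify(pkt)
    return None
```

Because every reply is a pure function of the incoming packet and the key, the responder's memory use does not grow with the number of sources scanning the telescope, which is the scalability property the abstract claims for the stateless design.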




Copyright information

© 2004 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Yegneswaran, V., Barford, P., Plonka, D. (2004). On the Design and Use of Internet Sinks for Network Abuse Monitoring. In: Jonsson, E., Valdes, A., Almgren, M. (eds) Recent Advances in Intrusion Detection. RAID 2004. Lecture Notes in Computer Science, vol 3224. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-30143-1_8


  • DOI: https://doi.org/10.1007/978-3-540-30143-1_8

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-23123-3

  • Online ISBN: 978-3-540-30143-1
