On the Design and Use of Internet Sinks for Network Abuse Monitoring
Work's been busy again; I didn't have much of a chance to stack up some posts last week. This week I head to Virus Bulletin in Montreal (ping me if you're there), so I'll stack up some posts and keep it on auto-pilot.

The iSink architecture paper is a worthwhile read for studying large-scale collection and analysis methods. Such methods are usually used to detect new worms.
Monitoring unused or dark IP addresses offers opportunities to significantly improve and expand knowledge of abuse activity without many of the problems associated with typical network intrusion detection and firewall systems. In this paper, we address the problem of designing and deploying a system for monitoring large unused address spaces such as class A telescopes with 16M IP addresses. We describe the architecture and implementation of the Internet Sink (iSink) system which measures packet traffic on unused IP addresses in an efficient, extensible and scalable fashion. In contrast to traditional intrusion detection systems or firewalls, iSink includes an active component that generates response packets to incoming traffic. This gives the iSink an important advantage in discriminating between different types of attacks (through examination of the response payloads). The key feature of iSink’s design that distinguishes it from other unused address space monitors is that its active response component is stateless and thus highly scalable. We report performance results of our iSink implementation in both controlled laboratory experiments and from a case study of a live deployment. Our results demonstrate the efficiency and scalability of our implementation as well as the important perspective on abuse activity that is afforded by its use.

Source: On the Design and Use of Internet Sinks for Network Abuse Monitoring, Vinod Yegneswaran, Paul Barford, and Dave Plonka.
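To make the abstract's key design point concrete (an active responder that answers traffic to dark addresses without keeping per-flow state, so that scanners are coaxed into sending the payload that distinguishes one worm or probe from another), here is a small simulation I added for this post. It is not code from the iSink project or the paper; packets are simplified Python dicts, the traffic is constructed, and the SYN-cookie-style trick of deriving the sink's sequence number from the 4-tuple and a secret is my own illustration of how a responder can validate follow-up data packets with no connection table, not necessarily the mechanism the authors used.

```python
import hashlib
from collections import Counter

SECRET = b"constructed-example-secret"  # per-deployment secret (assumed, constructed)


def cookie_isn(src, sport, dst, dport):
    """Derive the sink's initial sequence number from the 4-tuple plus a secret.
    Because the ISN can be recomputed from any later packet, the responder needs
    no connection table to tell 'handshakes it answered' from stray data."""
    key = SECRET + f"{src}:{sport}>{dst}:{dport}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big")


def tcp_reply(pkt):
    flags = pkt["flags"]
    isn = cookie_isn(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if flags == {"SYN"}:
        # Answer the scan so the source goes on to send its first payload.
        return {"proto": "tcp", "dst": pkt["src"], "flags": {"SYN", "ACK"},
                "seq": isn, "ack": (pkt["seq"] + 1) & 0xFFFFFFFF}
    if "ACK" in flags and pkt["payload"]:
        # Only acknowledge data on a handshake this sink actually completed.
        if pkt["ack"] != (isn + 1) & 0xFFFFFFFF:
            return None
        return {"proto": "tcp", "dst": pkt["src"], "flags": {"ACK"},
                "seq": (isn + 1) & 0xFFFFFFFF,
                "ack": (pkt["seq"] + len(pkt["payload"])) & 0xFFFFFFFF}
    return None


def respond(pkt):
    """Stateless active responder: the reply is a function of this packet alone."""
    if pkt["proto"] == "icmp" and pkt.get("type") == 8:
        return {"proto": "icmp", "type": 0, "dst": pkt["src"]}  # echo reply
    if pkt["proto"] == "tcp":
        return tcp_reply(pkt)
    return None  # no generic UDP responder in this sketch


def classify_payload(payload):
    """Coarse label derived from the payload the active response elicited."""
    if payload[:4] in (b"GET ", b"POST", b"HEAD"):
        return "http-request"
    return "other-data"


def run_sink(packets):
    """Feed packets through the responder; return (number of replies, tally)."""
    replies = 0
    tally = Counter()
    for pkt in packets:
        reply = respond(pkt)
        if reply is not None:
            replies += 1
        if pkt["proto"] != "tcp":
            continue
        if pkt["flags"] == {"SYN"}:
            tally[(pkt["dport"], "syn")] += 1
        elif pkt["payload"] and reply is not None:
            tally[(pkt["dport"], classify_payload(pkt["payload"]))] += 1
        elif pkt["payload"]:
            tally[(pkt["dport"], "unsolicited-data")] += 1
    return replies, tally


def build_sample():
    """Constructed traffic toward one dark address (not real capture data)."""
    sink = "192.0.2.10"

    def tcp(src, sport, dport, seq, flags, payload=b"", ack=0):
        return {"proto": "tcp", "src": src, "sport": sport, "dst": sink,
                "dport": dport, "seq": seq, "ack": ack, "flags": set(flags),
                "payload": payload}

    # Source A completes the handshake on port 80, then sends an HTTP request.
    a_isn = cookie_isn("198.51.100.7", 40000, sink, 80)
    return [
        tcp("198.51.100.7", 40000, 80, 1000, {"SYN"}),
        tcp("198.51.100.7", 40000, 80, 1001, {"ACK", "PSH"},
            b"GET / HTTP/1.0\r\n\r\n", ack=(a_isn + 1) & 0xFFFFFFFF),
        tcp("198.51.100.8", 51234, 445, 5000, {"SYN"}),  # scan only, no follow-up
        tcp("198.51.100.9", 6000, 80, 7000, {"ACK", "PSH"},  # never handshook
            b"\x00\x01", ack=12345),
        {"proto": "icmp", "type": 8, "src": "198.51.100.10", "dst": sink},
        {"proto": "udp", "src": "198.51.100.11", "sport": 1234, "dst": sink,
         "dport": 1434, "payload": b"\x04\x01\x01"},
    ]


if __name__ == "__main__":
    replies, tally = run_sink(build_sample())
    print(f"{replies} replies sent")
    for (dport, label), n in sorted(tally.items()):
        print(f"port {dport:>5}  {label:<16} {n}")
```

The point of the structure is that `respond` holds nothing between packets: memory does not grow with the number of scanning hosts or half-open connections, which is what lets a sink answer for millions of addresses, while the handshake still elicits the first data segment that tells a bare port scan apart from an HTTP probe or something else.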
October 9, 2006 in detection, papers | Permalink
Comments
Using this idea to monitor network abuse is so interesting. Hope that you would also post some details regarding the steps that you would do.
Posted by: plumbing supplies | Oct 8, 2011 1:03:20 AM