Temporal and Efficient Analysis of Services Availability

Similar documents
arxiv: v2 [cs.ni] 14 Sep 2016

The Impact of Router Outages on the AS-Level Internet

Illegitimate Source IP Addresses At Internet Exchange Points

Scanning the IPv6 Internet: Towards a Comprehensive Hitlist

Chapter 2. Switch Concepts and Configuration. Part II

Stable Internet Route Selection

Computation of Multiple Node Disjoint Paths

Running Ad Hoc Reports

Access Control Using Intelligent Application Bypass

The Dark Oracle: Perspective-Aware Unused and Unreachable Address Discovery

Campus Networking Workshop CIS 399. Core Network Design

Telematics Chapter 9: Peer-to-Peer Networks

Network Forensics Prefix Hijacking Theory Prefix Hijacking Forensics Concluding Remarks. Network Forensics:

CHAPTER 4 PROPOSED ARCHITECTURE FOR INCREMENTAL PARALLEL WEBCRAWLER

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

Network Address Translation (NAT)

First Steps to Using a PacketShaper

Visualization of Internet Traffic Features

Preventing the unnecessary propagation of BGP withdraws

Configure Routing Resources on the Switch

Review for Chapter 4 R1,R2,R3,R7,R10,R11,R16,R17,R19,R22,R24, R26,R30 P1,P2,P4,P7,P10,P11,P12,P14,P15,P16,P17,P22,P24,P29,P30

Software Systems for Surveying Spoofing Susceptibility

NAT, IPv6, & UDP CS640, Announcements Assignment #3 released

Intended status: Informational. Intel Corporation P. Seite. France Telecom - Orange. February 14, 2013

Measuring IPv6 Adoption

Networking Theory CSCI 201 Principles of Software Development

Fundamentals of Information Systems Security Lesson 8 Mitigation of Risk and Threats to Networks from Attacks and Malicious Code

Tracking Global Threats with the Internet Motion Sensor

BGP Routing Table Report

Computer and Network Security

Evaluating Network Security using Internet Measurements

Enterprise IPv6 Deployment Security and other topics

RTRlib. An Open-Source Library in C for RPKI-based Prefix Origin Validation. Matthias Wählisch, Fabian Holler, Thomas C. Schmidt, Jochen H.

Host Identity Sources

APNIC input to the Vietnam Ministry of Information and Communications ICT Journal on IPv6

Publish Subscribe Deployment Option for NDN in the Constrained IoT

VMware vcenter AppSpeed User s Guide AppSpeed 1.0 EN

Network Discovery Policies

Task Scheduling. Introduction to Task Scheduling. Configuring a Recurring Task

TCP/IP. Model and Layers Bits and Number Bases IPv4 Addressing Subnetting Classless Interdomain Routing IPv6

BGP Routing Table Report

More Specific Announcements in BGP. Geoff Huston APNIC

Mapping Internet Sensors with Probe Response Attacks

Internet Numbers Introduction to the RIR System

AS INTERNET hosts and applications continue to grow,

Towards A Longitudinal Study of Adoption of RPKI-Based Route Filtering

A Scalable Routing System Design for the Future Internet

RPKI MIRO & RTRlib. Andreas Reuter, Matthias Wählisch Freie Universität Berlin

RIPE NCC Technical Services. Kaveh Ranjbar, Chief Information Officer

An Operational Perspective on BGP Security. Geoff Huston February 2005

Education Network Security

Updates and Analyses

CS 5114 Network Programming Languages Control Plane. Nate Foster Cornell University Spring 2013

Fairness Example: high priority for nearby stations Optimality Efficiency overhead

IPv4 Address Allocation and Evolution of BGP Routing Tables

Computer Science 461 Midterm Exam March 14, :00-10:50am

arxiv: v1 [cs.ni] 24 Jun 2016

Partitioning the Internet

Internet Measurements. Motivation

Analyzing Cacheable Traffic in ISP Access Networks for Micro CDN applications via Content-Centric Networking

Web Caching and Content Delivery

On characterizing BGP routing table growth

The S in IoT is for Security Owning all the Things

How to Discover Live Network


CS519: Computer Networks. Lecture 2, part 2: Feb 4, 2004 IP (Internet Protocol)

IPv6 Pollution Traffic Analysis

Software Systems for Surveying Spoofing Susceptibility

Trisul Network Analytics - Traffic Analyzer

Performance Analysis of Multicast Mobility in a H-MIP Proxy Environment

IPv6 Classification. PacketShaper 11.8

Akamai's V6 Rollout Plan and Experience from a CDN Point of View. Christian Kaufmann Director Network Architecture Akamai Technologies, Inc.

Akamai's V6 Rollout Plan and Experience from a CDN Point of View. Christian Kaufmann Director Network Architecture Akamai Technologies, Inc.

Securing CS-MARS C H A P T E R

Understanding the effect of streaming overlay construction on AS level traffic

Discovering Interdomain Prefix Propagation using Active Probing

CSCD58 WINTER 2018 WEEK 6 - NETWORK LAYER PART 1. Brian Harrington. February 13, University of Toronto Scarborough

BGP The Movie. Geoff Huston September 2004 APNIC

CNT Computer and Network Security: BGP Security

SJTU 2018 Fall Computer Networking. Wireless Communication

Network Address Translation (NAT)

CS519: Computer Networks

Multimedia Streaming. Mike Zink

snoc Snoc DDoS Protection Fast Secure Cost effective Introduction Snoc 3.0 Global Scrubbing Centers Web Application DNS Protection

Advanced Computer Networking. Please make sure now that you received a complete copy of the exam.

SCADACS SCADACS. SCADA & Computer Security. Find Them, Bind Them Industrial Control Systems(ICS) on the Internet

Lecture 13: Routing in multihop wireless networks. Mythili Vutukuru CS 653 Spring 2014 March 3, Monday

Listen and Whisper: Security Mechanisms for BGP

Our Narrow Focus Computer Networking Security Vulnerabilities. IP-level vulnerabilities

Demystifying Service Discovery: Implementing an Internet-Wide Scanner

CSE 473 Introduction to Computer Networks. Final Exam Review

Parallel Crawlers. Junghoo Cho University of California, Los Angeles. Hector Garcia-Molina Stanford University.

Worm Detection, Early Warning and Response Based on Local Victim Information

Application Detection

Increasing IPv6 deployment in Indonesia

Chapter 7: Routing Dynamically. Routing & Switching

ON-LINE EXPERT SUPPORT THROUGH VPN ACCESS

On the Feasibility of Prefetching and Caching for Online TV Services: A Measurement Study on

ServiceNow Certified Implementation Specialist Discovery Exam Specification

Enhanced Feasible-Path Unicast Reverse Path Filtering draft-sriram-opsec-urpf-improvements-01

Transcription:

Temporal and Efficient Analysis of Services Availability Johannes Klick, Stephan Lau Matthias Wählisch, Volker Roth {johannes.klick,stephan.lau,m.waehlisch,volker.roth}@fu-berlin.de 1 / 17

Measuring Deployment of Internet Services Objective Identify hosts that provide a specific Internet service Common Scanning Approaches IANA /0 4.3 billion IPv4 addresses IANA allocated 3.7 billion IPv4 addresses BGP announced prefixes 2.8 billion IPv4 addresses IP hitlists Is this really a good idea? 2 / 17

Problems with Dumb Scanning Hitrates are often below two percent Abuse reports Rate limiting on routers Load on intrusion detection systems IP Blacklisting +++ We should scan less! 3 / 17

Proposed Solution: TASS Topology Aware Scanning Strategy (TASS) in a nutshell: 1. Perfom a full IPv4 scan once 2. Select prefixes with a certain coverage of responsive hosts 3. Scan only the selected prefixes for a given time period Result: Reduce scan traffic by 25-90 % and miss only 1-10% service responses 4 / 17

Deriving Prefixes I CAIDA Routeviews Prefix-to-AS database 1. Prefixes are not complementary 2. Less specific prefixes (l-prefixes) contain more specific prefixes (m-prefixes) 3. A single IP address can have multiple prefixes 5 / 17

Deriving Prefixes II The less specific l-prefix /8 contains the more specific m-prefix /12. The l-prefix is then decomposed into the more specific one and the remaining smaller prefixes 6 / 17

Host Stability vs. Prefix Length Host distribution over prefix lengths based on seven different measurements from 09/2015 to 03/2016. Datasource: censys.io. 7 / 17

HTTPS (Less Specific Prefixes) 1 1 Density 0.8 0.6 0.4 0.2 0 Host Coverage 100000 80000 60000 40000 20000 Address Space Coverage Density 140000 120000 160000 0.8 0.6 0.4 0.2 0 Coverage 0 Prefix rank 8 / 17

HTTPS (More Specific Prefixes) Density 1 0.8 0.6 0.4 0.2 0 Host Coverage 200000 150000 100000 50000 Address Space Coverage 250000 Density 300000 0 350000 1 0.8 0.6 0.4 0.2 0 400000 Coverage Prefix rank 9 / 17

Accuracy over Time: IPv4 Hitlists 1 0.9 CWMP FTP HTTP HTTPS Hitrate 0.8 0.7 0.6 0.5 0.4 09/15 10/15 11/15 12/15 01/16 02/16 03/16 Time [month/year] Hitrate of a IPv4 hitlist scan compared to IPv4 full scans. Datasource: 4.1 TB from censy.io. 10 / 17

Accuracy over Time: TASS (Host Coverage 100%) 1 0.98 Hitrate 0.96 0.94 0.92 0.9 09/15 10/15 11/15 12/15 01/16 02/16 03/16 Time [month/year] CWMP FTP Less specific HTTP HTTPS More specific CWMP HTTP FTP HTTPS Hitrate of a TASS scan compared to IPv4 full scans. Datasource: 4.1 TB from censy.io. 11 / 17

Accuracy over Time: TASS (Host Coverage 95%) 1 0.98 Hitrate 0.96 0.94 0.92 0.9 09/15 10/15 11/15 12/15 01/16 02/16 03/16 Time [month/year] CWMP FTP Less specific HTTP HTTPS More specific CWMP HTTP FTP HTTPS Hitrate of a TASS scan compared to IPv4 full scans. Datasource: 4.1 TB from censy.io. 12 / 17

Future Work Detailed analysis of the skipped hosts Better understanding of service stability per AS type Analyses of longer time periods and more protocols IPv6 scans 13 / 17

Thanks! More details: Towards Better Internet Citizenship: Reducing the Footprint of Internet-wide Scans by Topology Aware Prefix Selection http://arxiv.org/pdf/1605.05856.pdf arxiv:1605.05856v1 [cs.ni] 19 May 2016 Towards Better Internet Citizenship: Reducing the Footprint of Internet-wide Scans by Topology Aware Prefix Selection Internet service discovery is an emerging topic to study the deployment of protocols. Towards this end, our community periodically scans the entire advertised IPv4 address space. In this paper, we question this principle. Being good Internet citizens means that we should limit scan traffic to what is necessary. We conducted a study of scan data, which shows that several prefixes do not accommodate any host of interest and the network topology is fairly stable. We argue that this allows us to collect representative data by scanning less. In our paper, we explore the idea to scan all prefixes once and then identify prefixes of interest for future scanning. Based on our analysis of the censys.io data set (4.1 TB data encompassing 28 full IPv4 scans within 6 months) we found that we can reduce scan traffic between 25-90% and miss only 1-10% of the hosts, depending on desired tradeoffs and protocols. 1. INTRODUCTION Fast Internet-wide scanning is growing in popularity among researchers. At the time of writing, researchers regularly scan the Internet for vulnerable SSL certificates [5,12], SSH public keys [10], and for the banners of plain text protocols such as SMTP, HTTP, FTP and Telnet [4]. The majority of researchers scan at least 2.8 billion addresses advertised in the IPv4 address space [5,7,10,14,17]. Hitrates, the fraction of probed addresses from which a response is received, are very often under two percent [6]. This means that most scan traffic is overhead. Most of these scans are done periodically for trend analyses, which exacerbates the amount of unnecessary scan traffic. For example, the ongoing Internet-wide research project censys.io [4,6] probes the IANA allocated address space for 19 protocols on a continuous basis. This results in 72.2 billion generated IP-packets each week, or more than 3.754 trillion IP Johannes Klick Freie Universität Berlin johannes.klick@fuberlin.de ABSTRACT Stephan Lau Matthias Wählisch Freie Universität Berlin Freie Universität Berlin stephan.lau@fu-berlin.de m.waehlisch@fuberlin.de Volker Roth Freie Universität Berlin volker.roth@fu-berlin.de packets per year. Whereas scanning the IPv4 address space is feasible this is not any more the case for IPv6. When IPv6 becomes more popular, we need scanning strategies that limit scans to portions of the address space that are in use. In this paper, we present the Topology Aware Scanning Strategy (TASS), a new IP prefix based and topology aware scanning strategy for periodic scanning. TASS enables researchers to collect responses from 90-99% of the available hosts for six months by scanning only 10-75% of the announced IPv4 address space in each scan cycle (protocol dependent). TASS is seeded with the results of a full advertised IPv4 address scan for a given protocol and time period. The prefixes for all responses will be selected for periodic scans of the given protocol. Periodic scanning of only selected prefixes reduces scan traffic significantly while hitting most of the hosts of interest. For instance, our analysis reveals that responsive prefixes obtained from a full FTP scan cover 98% of all FTP hosts 6 months later, at the cost of scanning only 57.4% of the advertised addresses. The scanning overhead can be optimized further by omitting prefixes with a low density. Here, density denotes the fraction of hosts per address space size. For example, if we limit prefix selection to a 95% coverage of the responsive addresses then we can still find 92.3% of the FTP hosts after six months while scanning only 20.6% of the announced address space. For our evaluation of TASS we use 4.1TB of data derived from 28 full IPv4 scans obtained from censys.io [4]. For common protocols we show that, following an initial scan ofthe fullipv4address space, the hitrateforresponsive prefixes decreases by about 0.3 percent per month compared to what a full scan would find. Consequently, periodical TASS scans are 1.25 to 10 times more efficient for a period of at least 6 months if researchers accept a single-digit percentage reduction in host coverage. 1 14 / 17

Backup 15 / 17

TASS in Detail: 1. At time t 0, perform a full scan and output all responsive addresses. Let N be their number. Count the number of responsive addresses c i in each responsive prefix i. The sum of all c i is N. 2. Calculate the density ρ i = c i /2 32 prefix length of all responsive prefixes and their relative host coverage φ i = c i /N of responsive addresses. 3. Sort the prefixes in the descending order of density. Relabel prefixes so that i < j ρ i > ρ j. 4. Find the smallest k so that k i=1 φ i > φ. 5. Scan prefixes 1,..., k repeatedly until time t 0 + t, then start over at step 1. 16 / 17

Results IPv4 address space coverage of the protocols using less and more specific prefixes. 17 / 17

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback