On the Power and Limitations of Detecting Network Filtering via Passive Observation

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNCCN, volume 8995)

Abstract

Network operators often apply policy-based traffic filtering at the egress of edge networks. These policies can be detected by performing active measurements; however, doing so involves instrumenting every network one wishes to study. We investigate a methodology for detecting policy-based service-level traffic filtering from passive observation of traffic markers within darknets. Such markers represent traffic we expect to arrive and, therefore, whose absence is suggestive of network filtering. We study the approach with data from five large darknets over the course of one week. While we show the approach has utility to expose filtering in some cases, there are also limits to the methodology.

Notes

  1. Five is a somewhat arbitrary choice that weeds out /24 address blocks that send exceedingly little traffic for illustrative purposes.

  2. There are more Conficker-infected hosts in some of the routed blocks and ASes; however, we truncate the plot at 255 for comparison with /24 blocks.

  3. We included UDP in our analysis, but elide it from this discussion due to space constraints and its similarity with the TCP results.

Acknowledgments

We would like to thank Christian Kreibich for the Netalyzr data, Phillip Porras for the Conficker sinkhole data, and Vern Paxson for comments on an earlier draft. This work is sponsored by NSF grants CNS-1213157, CNS-1237265, CNS-1505790 and CNS-1111699.

Corresponding author

Correspondence to Matthew Sargent.

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Sargent, M., Czyz, J., Allman, M., Bailey, M. (2015). On the Power and Limitations of Detecting Network Filtering via Passive Observation. In: Mirkovic, J., Liu, Y. (eds) Passive and Active Measurement. PAM 2015. Lecture Notes in Computer Science(), vol 8995. Springer, Cham. https://doi.org/10.1007/978-3-319-15509-8_13

  • DOI: https://doi.org/10.1007/978-3-319-15509-8_13

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-15508-1

  • Online ISBN: 978-3-319-15509-8

  • eBook Packages: Computer Science (R0)
