Identifying Traffic Anomalies Interfering with IBR Based Outage Detection
Internet Background Radiation (IBR) is network pollution, composed of all kinds of Internet traffic, namely backscatter data (due to spoofing), botnet scans and other traffic pollution (due to misconfigurations in the networking devices). For many years, IBR collected at routed, but unused address spaces, known as Network Telescope aka Darknet, has been used in multiple network research applications such as identifying malicious Internet activities, detecting Internet outages, etc. The Internet Outage Detection Analysis (IODA) is a research project of UCSD which uses a predictable signal that can be extracted from IBR to monitor the Internet for macroscopic Internet connectivity outages. Due to the varied composition of IBR, extracting consistent "normal" IBR traffic is difficult, but at the same time is required to detect outages accurately. In this report, I investigate and analyze IBR collected at the UC San Diego Network Telescope (UCSD-NT), with the goal of developing a better understanding of events distorting the coherent nature of the IBR signal and subsequently devising approaches to detect and remove traffic triggered by these events. These distortions in the IBR signal can be caused by many events, such as Distributed Denial of Service (DDoS) attacks, botnet scans, Domain Name Service (DNS) poisoning, etc. I investigate these events to study their causes by various means of statistical and experimental tools. In my analysis of three years of IBR data, I detect many short-term events which distort a stable signal extracted from IBR (used by IODA), by generating traffic bursts. Also, I identify and analyze a large-scale event: SYNRENT (coined from SYN-BitTorrent), which caused an increase in the TCP-SYN traffic reaching the UCSD-NT for over two years. I present a broad characterization of SYNRENT in terms of source IPs, countries, Autonomous Systems (AS), operating systems, etc. to better understand the phenomenon. This thesis also identifies possible causes of SYNRENT such as the Distributed Hash Table (DHT) poisoning of BitTorrent traffic in the Great Firewall of China. To mitigate such distorting events and bursts, I present a software solution to detect and filter them in real-time: the primary idea is to use the history of previously observed unique source IPs on destination ports and IPs, to determine the occurrence of a burst. In addition to proposing and implementing the solution, I provide substantial evidence to prove that it successfully detects and removes the components that distort the signal from IODA preferred IBR.