A System for Characterising Internet Background Radiation

This literature review introduces the reader to Internet Background Radiation (IBR), both its components and common recording practices. In doing so, it will set up a theoretical basis for the construction of the IBR characterisation system to follow. The literature review is split into three main parts. Section 2 provides background information on IBR and its components: worms, scanning activities, backscatter from reflected distributed denial-of-service (DDoS) attacks, and misconfigurations. These are the sources of the data being characterised. Section 3 discusses the Border Gateway Protocol (BGP), the protocol used on the internet for routing packets between Autonomous Systems (ASs). This is of interest as the construction of live BGP tables for the collected data may provide a way of discovering spoofed IP addresses. Section 4 provides information on IBR collection tools and analysis methods. The collection tools discussed are darknets (also called network telescopes, sinkholes, blackhole monitors or background radiation monitors (Bailey et al., 2006)) and greynets (Harrop & Armitage, 2005). In this literature review, darknets and greynets will both referred to as network telescopes, with the terms “darknet” or “greynet” being used when more specificity is required. The analysis tools discussed are packet-level analysis, network flows and and honeynets. This section also delves into previous work in characterising network activities with statistical tools. This will form a basis for the system implemented in this study. In this literature review, the CIDR notations /8, /16 and /24 will be used to refer to the traditional pre-CIDR Class A, Class B and Class C subnets (Fuller et al., 1993) respectively, in order to maintain consistency with the referencing of differently sized IPv4 subnets (such as /19s). The number following the “/” denotes the number of fixed bits (out of 32 total bits) in each of the addresses within the subnet.