Internet Background Radiation (IBR) refers to unsolicited one-way traffic on the Internet, a type of unwanted traffic. Research on it helps explain the causes and characteristics of this unwanted traffic and further supports related work in the network security field. Because all IBR-related work is based on measured raw traffic, the measurement of IBR traffic is the starting point of all related research, so the work in this dissertation begins with this problem. Traditionally, IBR traffic is measured by darknets. However, with the IPv4 address space nearly exhausted, large-scale darknets are hard to acquire. In addition, the address spaces used by darknets are usually fixed and can gradually become known to the senders of unwanted traffic, who may then avoid sending traffic to these dark addresses. This may bias the received IBR traffic and ultimately cost darknets their proper value. How to obtain IBR traffic from live networks is a new problem in this field and the chosen entry point of our research. Existing work falls into two kinds: algorithms based on gray spaces and algorithms based on one-way flows. The former miss a certain amount of IBR flows and the latter lead to non-negligible misjudgement. Therefore, two measurement algorithms are proposed in this dissertation from two different angles. One is a measurement algorithm that obtains IBR traffic from offline raw traffic, namely IP Trace files. The other is a real-time measurement algorithm. The former aims at better performance in the Precision and Recall metrics. The latter aims to work in real time with no sacrifice of Precision and some decrease in Recall. For the former angle, an algorithm called FIBR (Filtering Internet Background Radiation) is proposed. This algorithm combines the advantages of the two existing kinds of algorithms.
Based on the notion of source address behavior study, FIBR can accurately obtain the IBR traffic received by the lit space, which leads to a more accurate measurement of the IBR traffic of the whole inner space. Analyses based on theory and a benchmark show that the FIBR algorithm obtains IBR traffic destined to the whole address space of a live network more accurately. For the latter angle, this dissertation proposes an algorithm called RIBRM (Real-time Internet Background Radiation Measurement), which measures the IBR traffic received by a live network in real time. Its core idea is based on the notion of the gray space. The innovation here is that the inside gray space is accurately measured from flow data gathered at the border of a live network, and a filtering rule set is then established to filter out the traffic received by the inside active addresses. Experiments show that RIBRM can work at a large-scale live network's border in real time. By comparing the IBR traffic measured by the RIBRM algorithm with that obtained by the FIBR algorithm, RIBRM is proved to work in real time with no sacrifice of Precision and some decrease in Recall. The value of this algorithm is that it works continuously, which helps reveal the changing trend of IBR traffic.

On this basis, this dissertation analyzes the IBR traffic measured from a live network by the above two algorithms, which is also the main content of the related research field. The FIBR algorithm accurately obtains IBR traffic from five IP Trace files gathered from 2008 to 2012 by the IPTAS system at the border of the Jiangsu CERNET (China Education and Research Network). Based on the flow data captured at the same network border, the RIBRM algorithm measures the inner gray space of the network and gathers the packet-level IBR traffic in Feb. 2015.
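As an added illustration of the gray-space idea behind RIBRM, combined with the one-way-flow check that FIBR also draws on (example code written for this page, not the dissertation's own algorithms): the inner gray space is derived from which inner addresses ever send outbound traffic at the border, inbound flows to that space are taken as IBR, and inbound flows to lit addresses count as IBR only when no reply flow exists in the window. The 10.0.0.0/29 prefix, the flow records and the reply matching on (src, dst, proto) are constructed assumptions.

```python
"""Gray-space plus one-way-flow IBR filter over constructed border flow records."""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport direction")  # direction: "in" or "out"
INNER = ipaddress.ip_network("10.0.0.0/29")  # constructed inner space (hosts .1 to .6)

# Constructed flow records for one measurement window at the network border.
FLOWS = [
    Flow("10.0.0.1", "203.0.113.5", "tcp", 443, "out"),   # .1 is active (talks outbound)
    Flow("203.0.113.5", "10.0.0.1", "tcp", 443, "in"),    # reply to .1: two-way, not IBR
    Flow("198.51.100.7", "10.0.0.1", "tcp", 22, "in"),    # one-way probe to a lit address
    Flow("198.51.100.7", "10.0.0.3", "tcp", 22, "in"),    # probe into the gray space
    Flow("198.51.100.7", "10.0.0.4", "tcp", 22, "in"),    # probe into the gray space
    Flow("192.0.2.9", "10.0.0.6", "tcp", 80, "in"),       # backscatter into the gray space
]


def active_addresses(flows):
    """Inner addresses seen as the source of at least one outbound flow."""
    return {f.src for f in flows
            if f.direction == "out" and ipaddress.ip_address(f.src) in INNER}


def gray_space(flows):
    """Inner addresses that never sent anything during the window.

    Caveat: an address that is alive but silent for the whole window is
    misclassified as gray, which is why the window length matters.
    """
    return {str(a) for a in INNER.hosts()} - active_addresses(flows)


def classify_ibr(flows):
    """Return the inbound flows judged to be IBR.

    Gray-space rule: any inbound flow to an address that never talks is IBR.
    One-way rule (lit addresses only): an inbound flow with no reply flow in
    the window (same proto, endpoints swapped) is IBR. Matching on ports and
    timing, as a production one-way-flow method would, is omitted here.
    """
    active = active_addresses(flows)
    outbound = {(f.src, f.dst, f.proto) for f in flows if f.direction == "out"}
    ibr = []
    for f in flows:
        if f.direction != "in":
            continue
        if f.dst not in active:                       # gray-space rule
            ibr.append(f)
        elif (f.dst, f.src, f.proto) not in outbound:  # one-way rule
            ibr.append(f)
    return ibr
```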
The analyses are conducted from several aspects, such as IBR statistics, IBR classification and IBR spatial characteristics. The main results are: (1) the analyses regarding the IBR traffic obtained by FIBR show that the volume of IBR traffic increases year by year; although the IBR bit ratio is less than 1%, the IBR flow ratio is up to 70% in recent years; (2) the main components of IBR traffic are scanning and backscatter, which is consistent with the results of similar international work; (3) the port analysis shows that the popular destination ports of scanning tend to remain unchanged over a short period but gradually change over time; (4) the spatial analysis shows that scanning against different address blocks tends to be even, whereas backscatter received by different blocks shows great differences.

Based on one of the main components of the IBR traffic, SYN+ACK backscatter, this dissertation chooses the detection of SYN flooding attacks from backscatter as a first application of IBR traffic measurement. Based on the relationship among the attack participants and the detection point, a complete SYN flooding detection model is proposed. After analyzing the features of all the scenarios in the proposed model, a complete attack type analysis is conducted and the corresponding detection logic is derived. Based on this detection logic, a detection algorithm called WSAND (Worldwide SYN flooding Attack detection based on live Network's flow Data) is then proposed. One feature of this algorithm is that no matter where the attacked server is located, the attack can be detected as long as the SYN flooding attack traffic or the backscatter traffic passes through the detection point. The other feature is that it can be realized using sampled flow records.
Since the algorithm only needs to detect SYN flooding attack traffic or backscatter traffic, which account for only a small portion of the whole raw traffic, the WSAND algorithm can be deployed at the border of a large-scale live network. To guarantee its practicality, the performance of the algorithm under packet sampling is discussed. According to a benchmark established from a 70-minute IP Trace file, the detection ability of the algorithm remains satisfactory even under a small sampling rate. To check its real-time capacity, the WSAND algorithm is deployed at all 38 PoPs (Points of Presence) of the CERNET with the help of the NBOS (Network Behavior Observation System) platform. The total address space is close to 17 million addresses. During a three-month run from Nov. 2014 to Feb. 2015, 164,677 SYN flooding attacks that happened all over the Internet were detected. Attack characteristics such as strike time, attack rate and attack duration are then discussed thoroughly.
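The backscatter side of the detection model, as an added example that is not the dissertation's WSAND logic: a server under a spoofed SYN flood answers SYN+ACK to addresses that never sent it a SYN, so at a border these show up as unsolicited SYN+ACK flows fanning out from one source. The records, the 1-in-100 packet sampling, the fan-out threshold and the rate scaling are constructed assumptions; the attack-traffic side (SYNs passing the detection point) is not covered here.

```python
"""Backscatter-based SYN flooding indicator over constructed, sampled flow records."""
from collections import defaultdict, namedtuple

Rec = namedtuple("Rec", "ts src dst flags pkts")  # flags as TCP flag letters: "S", "SA"
SAMPLING_N = 100   # constructed: 1-in-100 packet sampling at the export point
MIN_FANOUT = 5     # constructed: distinct unsolicited SYN+ACK destinations to alert on

# Constructed window: one legitimate handshake with 203.0.113.10, then eight
# SYN+ACKs from the same server to addresses that never sent it a SYN.
RECS = [
    Rec(0.0, "10.0.0.1", "203.0.113.10", "S", 1),
    Rec(0.1, "203.0.113.10", "10.0.0.1", "SA", 1),
] + [Rec(1.0 + i * 0.2, "203.0.113.10", f"198.51.100.{i}", "SA", 1) for i in range(1, 9)]


def unsolicited_synack(recs):
    """Group SYN+ACK records by source, keeping only those with no prior SYN
    from the destination to that source inside the window.

    Caveat: if the detection point sees only one direction of legitimate
    traffic (asymmetric routing), busy servers look unsolicited too, so the
    fan-out threshold and a longer window are what keep false positives down.
    """
    syn_seen = {(r.src, r.dst) for r in recs if r.flags == "S"}
    by_src = defaultdict(list)
    for r in recs:
        if r.flags == "SA" and (r.dst, r.src) not in syn_seen:
            by_src[r.src].append(r)
    return by_src


def detect_victims(recs, min_fanout=MIN_FANOUT, sampling_n=SAMPLING_N):
    """Return {victim_ip: {"fanout", "duration_s", "est_rate_pps"}} for sources
    whose unsolicited SYN+ACK fan-out reaches the threshold. The packet rate is
    scaled back up by the sampling ratio, so it is an estimate, not a count."""
    victims = {}
    for src, rs in unsolicited_synack(recs).items():
        fanout = len({r.dst for r in rs})
        if fanout < min_fanout:
            continue
        first, last = min(r.ts for r in rs), max(r.ts for r in rs)
        duration = max(last - first, 1e-9)          # guard a single-record burst
        sampled_pkts = sum(r.pkts for r in rs)
        victims[src] = {"fanout": fanout, "duration_s": duration,
                        "est_rate_pps": sampled_pkts * sampling_n / duration}
    return victims
```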