Alberto Dainotti

Estimating internet address space usage through passive measurements

Alberto Dainotti, Karyn Benson, Alistair King, kc claffy, Michael Kallitsis, Eduard Glatz, Xenofontas Dimitropoulos
Appears in: CCR January 2014

One challenge in understanding the evolution of Internet infrastructure is the lack of systematic mechanisms for monitoring the extent to which allocated IP addresses are actually used. Address utilization has been monitored via actively scanning the entire IPv4 address space. We evaluate

Public Review By: Renata Teixeira

This paper presents a novel approach for estimating the fraction of the IP address space that is actively used. The state-of-the-art in this area, ISI's Census project, issues active probes to every address block on the IPv4 space. Active probing suffers from high probing overhead. With the adoption of IPv6, any technique based solely on probing the entire address space may no longer work.

The solution presented in this paper passively observes traffic to infer the fraction of used IPv4 address space. They say that an address block is used if it is sending or receiving traffic. Passive measurements introduce no probing overhead and hence the technique can potentially scale for IPv6. The use of passive measurements, however, brings two challenges. First, one single vantage point cannot observe traffic from all active addresses. Second, spoofed addresses may cause the technique to infer that an address is active when it is not. The main contributions of this paper are: (i) to show empirically that passive measurements do observe a large fraction of the used address space; and (ii) a technique to filter spoofed addresses.

All reviewers appreciated the well thought-out approach presented in this paper. Although the estimation technique is simple (i.e., observed addresses minus spoofed ones), reviewers particularly liked the techniques to filter out spoofed addresses in two types of datasets: netflow traces and packet traces collected at darknets. Reviewers also acknowledged the validation and evaluation effort in the paper. Reviewers did give a number of suggestions to improve the presentation of the paper both to clarify explanations and get the ideas across more concisely. For example, the comparison with the ISI

Extracting benefit from harm: using malware pollution to analyze the impact of political and geophysical events on the internet

Alberto Dainotti, Roman Amman, Emile Aben, Kimberly C. Claffy
Appears in: CCR January 2012

Unsolicited one-way Internet traffic, also called Internet background radiation (IBR), has been used for years to study malicious activity on the Internet, including worms, DoS attacks, and scanning address space looking for vulnerabilities to exploit. We show how such traffic can also be used to analyze macroscopic Internet events that are unrelated to malware. We examine two phenomena: country-level censorship of Internet communications described in recent work, and natural disasters (two recent earthquakes).

Public Review By: Sharad Agarwal

Natural disasters such as earthquakes can have a tremendous impact on Internet connectivity. Computers may get knocked off the Internet due to power outages, local ISP outages, wide-area Internet cable cuts, or the need for users to attend to more pressing matters. Detecting such a shift in Internet connectivity is not trivial. For example, the drop in connections to a news website from disconnected users may be offset by the increased number of connections from connected users who now urgently need news. This paper considers how changes in Internet background radiation (IBR) – unsolicited, one-way traffic primarily from worms – can be used to understand such macroscopic Internet events. In an IMC 2011 paper, the same authors studied the impact of country-wide censorship on BGP announcements, packets per second of IBR, and active probes. In this paper, the authors focus on IBR during two natural disasters – the recent earthquakes in New Zealand and Japan. Specifically, the authors examine the number of distinct source IP addresses in IBR going to their darknet. They also examine how the ratio of this number before and after the earthquakes varies by distance from the epicenters. Some graphs show stark differences before and after the events, while other graphs show more subtle differences. This is primarily an exploratory paper. It does not provide an algorithm for automatically detecting the presence and impact of such events. The authors state that they have only scratched the surface of this problem. The motivation for this analysis is unclear, since there are more direct tools that geologists use to detect such events. Nonetheless, the authors have a genuine desire to understand the impact on the Internet of natural disasters. This is clearly interesting work and it is in part for papers such as this that ACM CCR exists. Beyond the authors’ paper in IMC 2011, this paper considers a different type of major event and a different metric. 
There are interesting findings here that should hopefully spark follow-on work. Is there a single algorithm that will tell you, with few false positives and false negatives, when such an event has occurred? Is it robust to countries with very limited Internet access or countries of different sizes? Is such analysis robust to long-term changes in the nature of IBR? How can network operators use such techniques to troubleshoot their networks during such disasters?
