Extracting benefit from harm: using malware pollution to analyze the impact of political and geophysical events on the internet

Alberto Dainotti, Roman Amman, Emile Aben, Kimberly C. Claffy
Appears in: 
CCR January 2012

Unsolicited one-way Internet traffic, also called Internet background radiation (IBR), has been used for years to study malicious activity on the Internet, including worms, DoS attacks, and scanning address space looking for vulnerabilities to exploit. We show how such traffic can also be used to analyze macroscopic Internet events that are unrelated to malware. We examine two phenomena: country-level censorship of Internet communications described in recent work, and natural disasters (two recent earthquakes). We introduce a new metric of local IBR activity based on the number of unique IP addresses per hour contributing to IBR. The advantage of this metric is that it is not affected by bursts of traffic from a few hosts. Although we have only scratched the surface, we are convinced that IBR traffic is an important building block for comprehensive monitoring, analysis, and possibly even detection of events unrelated to the IBR itself. In particular, IBR offers the opportunity to monitor the impact of events such as natural disasters on network infrastructure, and in particular reveals a view of events that is complementary to many existing measurement platforms based on (BGP) control-plane views or targeted active ICMP probing.

Public Review By: 
Sharad Agarwal

Natural disasters such as earthquakes can have a tremendous impact on Internet connectivity. Computers may get knocked off the Internet due to power outages, local ISP outages, wide-area Internet cable cuts, or the need for users to attend to more pressing matters. Detecting such a shift in Internet connectivity is not trivial. For example, the drop in connections to a news website from disconnected users may be offset by the increased number of connections from connected users who now urgently need news. This paper considers how changes in Internet background radiation (IBR) – unsolicited, one-way traffic primarily from worms – can be used to understand such macroscopic Internet events. In an IMC 2011 paper, the same authors studied the impact of country-wide censorship on BGP announcements, packets per second of IBR, and active probes. In this paper, the authors focus on IBR during two natural disasters – the recent earthquakes in New Zealand and Japan. Specifically, the authors examine the number of distinct source IP addresses in IBR going to their darknet. They also examine how the ratio of this number before and after the earthquakes varies by distance from the epicenters. Some graphs show stark differences before and after the events, while other graphs show more subtle differences. This is primarily an exploratory paper. It does not provide an algorithm for automatically detecting the presence and impact of such events. The authors state that they have only scratched the surface of this problem. The motivation for this analysis is unclear, since there are more direct tools that geologists use to detect such events. Nonetheless, the authors have a genuine desire to understand the impact on the Internet of natural disasters. This is clearly interesting work and it is in part for papers such as this that ACM CCR exists. Beyond the authors’ paper in IMC 2011, this paper considers a different type of major event and a different metric. There are interesting findings here that should hopefully spark follow-on work. Is there a single algorithm that will tell you, with few false positives and false negatives when such an event has occurred? Is it robust to countries with very limited Internet access or countries of different sizes? Is such analysis robust to long term changes in the nature of IBR? How can network operators use such techniques to troubleshoot their networks during such disasters?