On the Design and Use of Internet Sinks for Network Abuse Monitoring

Authors

Yegneswaran, Vinod
Barford, Paul
Plonka, Dave

Type

Technical Report

Publisher

University of Wisconsin-Madison Department of Computer Sciences

Abstract

Network abuse monitoring (e.g., for intrusions and denial of service attacks) is an important component in security architecture. Monitoring unused IP addresses offers opportunities to significantly improve perspective on abuse activity without many of the problems associated with typical network intrusion detection and firewall systems. In this paper, we describe a scalable architecture for an IP traffic monitoring system called an Internet Sink (isink). The objective of this system is to measure abuse activity on unused or "dark" IP addresses in an efficient and scalable fashion. A distinguishing feature of an isink, in contrast to traditional intrusion detection systems or firewalls, is that it includes a stateless active component that generates response packets to incoming traffic. This gives the isink an important advantage in discriminating between different types of attacks (through examination of the response payloads). In the second part of the paper, we report a case study of live deployment and performance results of our isink implementation in controlled laboratory experiments. The case study demonstrates the utility of isink by revealing interesting network phenomena such as periodic probing and SMTP hot-spots. The laboratory results demonstrate the efficiency and scalability of our implementation.

Citation

TR1497
