
Background noise of the Internet


I will share a study based on incoming traffic to our darknet, which is just monitoring and discarding packets. So basically there is no user traffic, but we are still observing a lot of incoming traffic. Mostly it is scanning, but we also found many interesting activities.
The same might be happening to every Internet-facing host, and it's important to understand the current situation of the Internet.



  1. Background noise of the Internet
     Matsuzaki ‘maz’ Yoshinobu <maz@iij.ad.jp>
     bdNOG10 maz@iij.ad.jp 1
  2. Today’s topic
     • I receive a packet because it’s:
       • A part of my communication (^_^)
       • Something else (T_T)
     • Those ‘something else’ packets are considered the background noise of the Internet, mostly unwanted traffic.
     • Every Internet-facing host is receiving such packets
  3. PPP-EXP
     • This study is conducted by the Pool Protection Project (PPP-EXP)
     • PPP-EXP was started by IIJ and JPNIC to protect the JPNIC free IPv4 pool from abuse
     • https://www.attn.jp/ppp/
     • The setup
       • Announcing the prefixes from AS2522
       • Monitoring and discarding packets sent to the prefixes
       • Simple zone file for the reverse zones: only SOA and NS (no PTR records)
  4. Classifications of noise
     • The sender is an initiator
       • Scanning
       • Virus spreading
       • Attacking
       • Some kind of mistake
     • The sender is a reflector
       • Victim of an IP spoofing attack (SYN flooding etc.)
       • Some kind of mistake
  5. The sender is an initiator
     • Intentionally sending traffic to ‘us’
     [diagram: sender = initiator]
  6. The sender is a reflector
     • The original sender sends an IP-spoofed packet to a host, and the host then sends a reply *back* to ‘us’, because the source address of that packet was spoofed as ‘us’
     [diagram: sender = reflector]
  7. Disclaimer
     • I don’t know the actual intent of the packets, so most of the reasons mentioned in these slides are my ‘guess’
     • The fact
       • We receive some amount of packets on Internet-facing hosts
     • Guesses
       • Scanning
       • Reflections
       • Weird implementations
       • Mistakes
  8. The data
     • Duration: 2019/01/10 00:00~24:00 (JST)
     • Fully captured incoming packets toward the prefixes
       • many pcap files
       • about 600 million packets
       • 2758 packets/host/day
  9. Mostly TCP packets
     • TCP 95% (577340492)
     • UDP 4% (26945104)
     • ICMP 1% (3897454)
     • IP6 0% (2153)
  10. And mostly TCP-SYN
     • SYN 98% (563062001)
     • SYN-ACK 2% (12229116)
     • OTHER 0% (2049375)
  11. The TCP flag variations
     • SYN 563062001
     • SYN-ACK 12229116
     • SYN-ECE-CWR 941603
     • RST 555637
     • RST-ACK 293503
     • ACK 106575
     • SYN-ACK-ECE 52175
     • SYN-ACK-ECE-CWR 44801
     • FIN-SYN-RST-PSH-ACK-URG 21745
     • SYN-ACK-CWR 10423
     • PSH-ACK 9532
     • FIN-PSH-ACK 4434
     • SYN-RST 4258
     • FIN-ACK 2817
     • RST-ECE 502
     • RST-ECE-CWR 445
     • RST-CWR 433
     • SYN-PSH 364
     • none 63
     • RST-PSH 32
     • FIN 17
     • PSH 6
     • PSH-ACK-URG-CWR 3
     • FIN-SYN-RST-ACK-URG-CWR 2
     • FIN-RST-PSH-ACK-URG-CWR 1
     • SYN-PSH-CWR 1
     • CWR 1
     • FIN-SYN-RST-PSH-ACK-URG-CWR 1
     • RST-PSH-ACK-ECE-CWR 1
  12. The major destination ports
     TCP-SYN destinations (port, packets)
     • 23 73958566
     • 52869 34724310
     • 8545 14738763
     • 22 13507821
     • 445 11378107
     • 80 10794925
     • 8080 9323605
     • 4776 7615618
     • 4784 7602022
     • 1433 5755354
     UDP destinations (port, packets)
     • 389 2445405
     • 4776 2381843
     • 4784 2354203
     • 1900 2287302
     • 50328 1191988
     • 50592 1190070
     • 50336 1188298
     • 50584 1180976
     • 11211 1064441
     • 19 754180
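As an added illustration (not code from the deck or from PPP-EXP), the following Python reproduces the kind of tally behind slides 11 and 12, together with the initiator/reflector split of slides 4 to 6, directly on raw captured IPv4/TCP packets. Because the darknet never sends anything, a bare SYN marks the sender as an initiator, while an unsolicited SYN-ACK or RST-ACK is a reply to a SYN that carried one of our addresses as a spoofed source, so that sender is a reflector. The sample packets are constructed inline with documentation addresses; the function names and the `BACKSCATTER` set of flag combinations are this example's own choices, and ambiguous combinations (bare ACK, bare RST, FIN) are deliberately left unclassified.

```python
import struct
from collections import Counter

# Flag bits in the order the deck prints them (FIN-SYN-RST-PSH-ACK-URG, then ECE-CWR).
TCP_FLAG_NAMES = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
                  (0x10, "ACK"), (0x20, "URG"), (0x40, "ECE"), (0x80, "CWR"))

# Combinations treated as answers to a packet we never sent (assumed set for this example).
BACKSCATTER = {"SYN-ACK", "RST-ACK", "SYN-ACK-ECE", "SYN-ACK-CWR", "SYN-ACK-ECE-CWR"}


def build_ipv4_tcp(src, dst, sport, dport, flags):
    """Build a minimal 20-byte IPv4 header + 20-byte TCP header, no payload,
    checksums left zero. Only used to construct sample input for this example."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0, src_b, dst_b)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp


def flag_string(flags):
    """Render a TCP flag byte as 'SYN-ACK' style text; 'none' when no flag is set."""
    names = [name for bit, name in TCP_FLAG_NAMES if flags & bit]
    return "-".join(names) if names else "none"


def parse_ipv4_tcp(pkt):
    """Return (src, dst, dport, flag_string) for an IPv4/TCP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6 or len(pkt) < ihl + 20:  # not TCP, or truncated TCP header
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return src, dst, dport, flag_string(pkt[ihl + 13])


def classify(flags):
    """Darknet heuristic from the deck: a bare SYN means the sender initiated contact
    (scan or misdirected connect); a SYN-ACK or RST-ACK answers a SYN that spoofed our
    address, so the sender is a reflector. Anything else is ambiguous -> 'other'."""
    if flags == "SYN":
        return "initiator"
    if flags in BACKSCATTER:
        return "reflector"
    return "other"


def summarize(packets):
    """Tally flag combinations, SYN destination ports and sender roles,
    in the spirit of the tables on slides 11 and 12."""
    flags_count, syn_dports, roles = Counter(), Counter(), Counter()
    for pkt in packets:
        parsed = parse_ipv4_tcp(pkt)
        if parsed is None:
            continue
        src, dst, dport, flags = parsed
        flags_count[flags] += 1
        if flags == "SYN":
            syn_dports[dport] += 1
        roles[classify(flags)] += 1
    return flags_count, syn_dports, roles


# Constructed sample capture (documentation address ranges, not real senders).
SAMPLE = [
    build_ipv4_tcp("203.0.113.10", "198.51.100.5", 40000, 23, 0x02),     # SYN to telnet
    build_ipv4_tcp("203.0.113.10", "198.51.100.6", 40001, 23, 0x02),     # SYN to telnet
    build_ipv4_tcp("203.0.113.11", "198.51.100.7", 50123, 52869, 0x02),  # SYN to 52869
    build_ipv4_tcp("192.0.2.80", "198.51.100.8", 80, 61000, 0x12),       # SYN-ACK backscatter
    build_ipv4_tcp("192.0.2.81", "198.51.100.9", 443, 61001, 0x14),      # RST-ACK backscatter
    build_ipv4_tcp("192.0.2.82", "198.51.100.9", 1234, 5678, 0x10),      # bare ACK, ambiguous
]

if __name__ == "__main__":
    flags_count, syn_dports, roles = summarize(SAMPLE)
    for name, count in flags_count.most_common():
        print(f"{name:24s} {count}")
    print("SYN destination ports:", syn_dports.most_common())
    print("sender roles:", dict(roles))
```

On a real capture the same `summarize` loop would be fed the IP layer of each pcap record; the role split is what separates "someone is scanning you" from "someone is spoofing you to attack a third party", which matters because the two call for different responses.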
  13. Packet distribution: sender
     [chart: y-axis ‘The number of occurrences’, x-axis ‘The number of packets sent by a source’]
     • Many hosts sending a few packets
     • A few sending a LOT
  14. A few hosts sending a lot of packets
     • Ukrainian IP (31609992 packets)
       • TCP-SYN to TCP/1025-10000
     • USA IP (10793632 packets)
       • TCP-SYN to TCP/52869
     • Dutch IP (10572421 packets)
       • TCP-SYN to TCP/52869
     • Hong Kong IP (7330971 packets)
       • TCP-SYN to TCP/3031 and 546 other ports
     • Ireland, 8 IPs (total 51607564 packets)
       • TCP-SYN to TCP/53601-60800
  15. TCP/23 scanners
     [chart: y-axis ‘The number of occurrences’, x-axis ‘The number of packets sent by a source’; annotation: ‘Existing around here’]
  16. Security services based on scanning results
     • Many others, and each of them is scanning you
     • More new services means more scanning packets to your network
  17. Many hosts sending a few
     [hex dumps of captured packets; not recoverable from the transcript]
     • They send UDP packets, and then send TCP-SYN to the same destination port
     • Probably... BitTorrent!
  18. This might be a P2P as well
     [hex dumps of captured packets; not recoverable from the transcript]
  19. Many hosts sending a few
     • There might be wrong node information in the P2P network.
     • Based on that, many hosts are trying to connect to the *nodes*
     • I guess the users of the senders are not aware of this
     • Why such wrong node information?
       • Someone made a mistake in his/her configuration?
       • Someone is attacking the P2P network by injecting wrong nodes?
     • The number of unique senders might indicate the number of P2P users
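The UDP-then-TCP-SYN pattern that slide 17 spots by eye, and the unique-sender count slide 19 proposes as a proxy for the number of affected P2P users, can both be checked mechanically. This is an added example, not the deck's own analysis code: it works over constructed flow records instead of pcap data, and the 30-second window, the record layout and the function names are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed flow records: (timestamp in seconds, src, dst, proto, dport, tcp_flags).
# tcp_flags is None for UDP. Addresses are documentation ranges, not real senders.
SAMPLE_FLOWS = [
    (0.0, "203.0.113.5", "198.51.100.20", "udp", 6881, None),
    (0.4, "203.0.113.5", "198.51.100.20", "udp", 6881, None),
    (1.1, "203.0.113.5", "198.51.100.20", "tcp", 6881, "SYN"),
    (2.0, "203.0.113.9", "198.51.100.21", "udp", 51413, None),
    (2.5, "203.0.113.9", "198.51.100.21", "tcp", 51413, "SYN"),
    (2.2, "203.0.113.12", "198.51.100.20", "udp", 6881, None),
    (2.6, "203.0.113.12", "198.51.100.20", "tcp", 6881, "SYN"),
    (3.0, "203.0.113.7", "198.51.100.22", "tcp", 23, "SYN"),      # plain scan, no UDP first
    (4.0, "203.0.113.8", "198.51.100.23", "udp", 1900, None),     # UDP only, no follow-up SYN
    (5.0, "203.0.113.6", "198.51.100.24", "udp", 6881, None),
    (90.0, "203.0.113.6", "198.51.100.24", "tcp", 6881, "SYN"),   # SYN too late for the window
    (6.0, "203.0.113.13", "198.51.100.25", "tcp", 6881, "SYN"),   # SYN first, then UDP: not the pattern
    (6.5, "203.0.113.13", "198.51.100.25", "udp", 6881, None),
]


def find_udp_then_syn(flows, window=30.0):
    """Return {(src, dst, dport): (udp_time, syn_time)} for every source that sent UDP
    to a destination/port and then a TCP SYN to the same destination/port within
    `window` seconds. The deck's guess is a P2P client trying UDP first and falling
    back to TCP against a stale node entry; this finds the candidates."""
    last_udp = {}   # most recent UDP packet per (src, dst, dport)
    matches = {}
    for ts, src, dst, proto, dport, flags in sorted(flows, key=lambda f: f[0]):
        key = (src, dst, dport)
        if proto == "udp":
            last_udp[key] = ts
        elif proto == "tcp" and flags == "SYN" and key in last_udp:
            if ts - last_udp[key] <= window:
                matches.setdefault(key, (last_udp[key], ts))  # keep the first pairing
    return matches


def unique_senders_per_target(matches):
    """Group matched sources by (dst, dport). Many distinct sources hitting one unused
    address and port is the signature of a single bogus node entry, and the number of
    sources is the rough proxy for affected P2P users that slide 19 suggests."""
    targets = defaultdict(set)
    for src, dst, dport in matches:
        targets[(dst, dport)].add(src)
    return {target: len(sources) for target, sources in targets.items()}


if __name__ == "__main__":
    found = find_udp_then_syn(SAMPLE_FLOWS)
    for key, (t_udp, t_syn) in found.items():
        print(f"{key}: UDP at {t_udp}s, SYN at {t_syn}s")
    print("unique senders per target:", unique_senders_per_target(found))
```

The window is the only tunable: too short misses slow clients, too long pairs unrelated scans that happen to hit the same port. Inspecting the senders' reverse DNS and the UDP payloads (as the deck does with its hex dumps) is what turns a candidate into a confirmed P2P case.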
  20. Packet distribution: receiver
     [chart: y-axis ‘The number of occurrences’, x-axis ‘The number of packets received by a host’]
     • Average 2758 packets/host
     • A few hosts are receiving a lot
  21. A few hosts receive most of the packets, sent by many hosts
     • Probably by a P2P application based on wrong node information
     [charts: y-axis ‘The number of occurrences’; x-axes ‘The number of packets received by a host’ and ‘The number of packets sent by a sender’]
  22. Oh, yes. I see an IP6 (41) packet
     [packet dump; not recoverable from the transcript]
     • The PTR record of the sender looks like an HTTP server -> www134.cs.uic.edu
     • Seems like it’s searching for a router
  23. This explains that
     [slide content not recoverable from the transcript]
  24. IP6 (41) 6to4 packet
     [packet dump; not recoverable from the transcript]
  25. 6to4 reflections
     • Someone is using 6to4 with an IPv4 address from our prefix, and we got a reply
     [diagram: host using 6to4 with a wrong IPv4 address configuration -> 6to4 relay -> us]
  26. 6to4 reflections
     • Guesses
       • A configuration error plus a weird implementation enabled 6to4, and the host tried to access the Internet through it?
       • Someone using 6to4 space for IPv6 SYN flooding?
     • We also observe ‘ICMP6 TTL expired’ packets related to 6to4
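Slides 24 to 26 rest on one property of 6to4: a 2002::/16 address embeds the IPv4 address of its tunnel endpoint, so a host that builds its 6to4 address from one of our unused IPv4 addresses causes every reply (and every ICMPv6 Time Exceeded about its packets) to be tunnelled to the darknet. The Python below is an added example, not the deck's code: it decodes the inner IPv6 header of a protocol-41 packet with the standard library's `IPv6Address.sixtofour`, applies the RFC 3056 consistency check between the outer IPv4 destination and the embedded address, and labels the cases the deck describes. The darknet prefix, the sample packets and the verdict strings are constructed for the illustration; `192.88.99.0/24` is the real 6to4 relay anycast prefix from RFC 3068.

```python
import ipaddress
import struct

# Constructed: the darknet prefix this sensor announces (a documentation range here).
DARKNET = ipaddress.ip_network("198.51.100.0/24")
# 6to4 relay anycast prefix (RFC 3068): an outer source here means a public relay forwarded it.
RELAY_ANYCAST = ipaddress.ip_network("192.88.99.0/24")


def build_ipv6(src, dst, next_header, payload=b""):
    """Construct a 40-byte IPv6 header followed by payload (sample input only)."""
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 64,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed) + payload


def parse_inner_ipv6(inner):
    """Parse the IPv6 header carried inside an IPv4 protocol-41 packet.
    Returns (src, dst, next_header, payload) or None if it is not IPv6."""
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return None
    return (ipaddress.IPv6Address(inner[8:24]), ipaddress.IPv6Address(inner[24:40]),
            inner[6], inner[40:])


def classify_6to4(outer_src, outer_dst, inner):
    """Explain why a protocol-41 packet reached the darknet.

    `sixtofour` yields the IPv4 address embedded in a 2002::/16 address (None otherwise).
    If the inner destination embeds one of OUR addresses, someone used that address
    as their 6to4 endpoint and we are receiving what was meant for them."""
    parsed = parse_inner_ipv6(inner)
    if parsed is None:
        return {"verdict": "not-ipv6"}
    src6, dst6, next_header, payload = parsed
    outer_src = ipaddress.ip_address(outer_src)
    outer_dst = ipaddress.ip_address(outer_dst)
    info = {
        "inner_src": str(src6),
        "inner_dst": str(dst6),
        "src_embedded_v4": str(src6.sixtofour) if src6.sixtofour is not None else None,
        "dst_embedded_v4": str(dst6.sixtofour) if dst6.sixtofour is not None else None,
        "via_relay": outer_src in RELAY_ANYCAST,
        # RFC 3056: the outer IPv4 destination must equal the IPv4 embedded in the inner
        # 6to4 destination; a mismatch means a broken or forged encapsulation.
        "consistent": dst6.sixtofour == outer_dst,
    }
    if dst6.sixtofour is not None and dst6.sixtofour in DARKNET:
        if next_header == 58 and payload[:1] == b"\x03":          # ICMPv6 Time Exceeded
            info["verdict"] = "icmpv6-time-exceeded-for-6to4-address-in-our-prefix"
        elif next_header == 6 and len(payload) >= 14 and payload[13] & 0x12 == 0x12:
            info["verdict"] = "tcp-syn-ack-reflection-to-6to4-address-in-our-prefix"
        else:
            info["verdict"] = "reply-to-6to4-address-in-our-prefix"
    else:
        info["verdict"] = "inconsistent-or-unrelated"
    return info


if __name__ == "__main__":
    # Constructed: 198.51.100.77 is 0xc633644d, so its 6to4 prefix is 2002:c633:644d::/48.
    synack = bytes(13) + b"\x12" + bytes(6)  # 20-byte TCP header with SYN+ACK set
    pkt = build_ipv6("2002:cb00:7109::1", "2002:c633:644d::1", 6, synack)
    print(classify_6to4("203.0.113.9", "198.51.100.77", pkt))
```

Run against the captures of slide 24, the `src_embedded_v4` and `via_relay` fields tell you which IPv4 hosts are on the far end, and the verdict separates an accidental reflection from the "6to4 space for IPv6 SYN flooding" guess on slide 26, where the inner source would be a 6to4 address embedding an unused address of ours while replies arrive as SYN-ACKs.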
  27. Sudden traffic
     • 300Mbps toward a single destination
     • Many sources from different countries and economies
     • UDP, random source and destination ports
     • Don’t Fragment set, 1052 bytes
  28. The sudden traffic
     • At first I assumed a P2P, but it looks strange
     • I couldn’t feel the intent of ‘communication’ from the payloads
       • That’s just my feeling
     • So I counted
       • The byte distribution of the payload
  29. Byte distributions sometimes tell something
     [charts: byte distributions of pdf, docx, jpg, m4a and pptx files]
  30. The byte distribution is too flat
     [chart: byte distribution of the UDP datagram]
  31. Analysis of the sudden traffic
     • The payload is totally random
       • No intention for communication
     • OK, I suppose this is a DDoS attack
       • But to a destination that is not serving anything?
       • Just a mistake?
     • Lesson learned
       • Without any particular reason, sometimes you suddenly become a target of DDoS
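The "count the byte distribution" step of slides 28 to 31 is easy to make precise. The Python below is an added example, not the deck's own tooling: it computes the byte histogram of a payload, its Shannon entropy (8 bits per byte for a perfectly flat distribution) and a chi-square flatness statistic against the uniform distribution, then applies a threshold to decide whether a payload looks like random filler. Real documents (the pdf, docx, jpg, m4a and pptx curves on slide 29) have structure and score well below 8 bits; the flood datagrams on slide 30 do not. The three payloads are constructed inline, the random one with a deterministic counter-mode SHA-256 stand-in sized to the deck's 1052-byte datagrams; the thresholds and function names are this example's assumptions.

```python
import hashlib
import math
from collections import Counter


def byte_histogram(payload):
    """Count how often each of the 256 byte values appears."""
    return Counter(payload)


def shannon_entropy(payload):
    """Bits of entropy per byte, 0.0 to 8.0; 8.0 means every byte value is equally likely."""
    n = len(payload)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in byte_histogram(payload).values())


def flatness(payload):
    """Chi-square statistic of the byte histogram against a uniform distribution.
    For n random bytes the expected value is about 255 (the degrees of freedom);
    file formats and protocol payloads with structure score far higher."""
    n = len(payload)
    if n == 0:
        return float("inf")
    expected = n / 256
    hist = byte_histogram(payload)
    return sum((hist.get(b, 0) - expected) ** 2 / expected for b in range(256))


def looks_random(payload, min_entropy=7.5, max_chi2=400.0):
    """The deck's reasoning as a rule: a payload with no byte-level structure carries no
    'intent of communication', and at 300Mbps toward one address that means flood filler.
    Short payloads are skipped because their histograms are too sparse to judge."""
    return (len(payload) >= 256
            and shannon_entropy(payload) >= min_entropy
            and flatness(payload) <= max_chi2)


def pseudo_random_bytes(n, seed=b"constructed"):
    """Deterministic stand-in for the random filler observed in the datagrams
    (SHA-256 over a counter), so the example gives the same result on every run."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


# Constructed payloads: a text fragment, a zero-padded binary record stream,
# and random filler, all cut to the 1052-byte datagram size from slide 27.
TEXT_PAYLOAD = (b"The quick brown fox jumps over the lazy dog. " * 24)[:1052]
STRUCTURED_PAYLOAD = ((b"\x00\x00\x00\x10HEAD" + bytes(20)) * 38)[:1052]
RANDOM_PAYLOAD = pseudo_random_bytes(1052)


def profile(payload):
    """Summarise one payload the way slides 29 and 30 compare distributions."""
    return {"entropy_bits": round(shannon_entropy(payload), 3),
            "chi2": round(flatness(payload), 1),
            "distinct_bytes": len(byte_histogram(payload)),
            "looks_random": looks_random(payload)}


if __name__ == "__main__":
    for name, data in (("text", TEXT_PAYLOAD), ("structured", STRUCTURED_PAYLOAD),
                       ("random", RANDOM_PAYLOAD)):
        print(f"{name:10s} {profile(data)}")
```

Encrypted and compressed traffic is also near 8 bits per byte, so this test alone does not prove malice; in the deck's case it is the combination of flat payloads, random ports and a destination that serves nothing that supports the DDoS verdict.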
  32. There was this kind of packet as well..
     [packet dump; not recoverable from the transcript]
  33. Summary
     • We have background noise in the Internet (IPv4)
     • Malicious activities are observed
       • Yes, of course
       • Security service providers are also scanning you
     • Some other non-intentional or aftereffect-ish activities are also happening in the Internet
     • If you are unlucky, you might receive many packets without any particular reason
