1. Background noise of
the Internet
Matsuzaki ‘maz’ Yoshinobu
<maz@iij.ad.jp>
bdNOG10 maz@iij.ad.jp 1

2. I receive a packet because it’s:
• A part of my communication (^_^)
• Something else (T_T)
• Those ‘something else’ are considered as
background noise of the Internet, mostly unwanted
traffic.
• Every internet facing host is receiving such packets
Today’s topic
bdNOG10 maz@iij.ad.jp 2

3. PPP-EXP
• This study is conducted by Pool Protection Project
(PPP-EXP)
• PPP-EXP was started by IIJ and JPNIC to protect the
JPNIC free IPv4 pool from abuse
• https://www.attn.jp/ppp/
• The setup
• Announcing prefixes by AS2522
• Monitoring and discarding packets to the prefixes
• Simple zone file for the reverse zones
• only SOA and NS (no PTR records)
bdNOG10 maz@iij.ad.jp 3

4. Classifications of noises
• The sender is an initiator
• Scanning
• Virus spreading
• Attacking
• Something mistake
• The sender is a reflector
• Victim of IP spoofing attack
• SYN-Flooding and etc.
• Something mistake
bdNOG10 maz@iij.ad.jp 4

5. The sender is an initiator
• Intentionally sending traffic to ‘us’
bdNOG10 maz@iij.ad.jp 5
sender
=
initiator

6. The sender is a reflector
• The original sender sends an IP spoofing packet to a
host, and the host then send *back* a reply to ‘us’
The source address of
the packet is spoofed
as ‘us’
bdNOG10 maz@iij.ad.jp 6
sender
=
reflector

7. Disclaimer
• I don’t know the actual intent of the packets, so the
most of reasons mentioned in this slides are my
‘guess’
• The fact
• We receive some amount of packets on the Internet
facing hosts
• Guesses
• Scanning
• Reflections
• Weird implementations
• Mistake
bdNOG10 maz@iij.ad.jp 7

8. The data
• Duration: 2019/01/10 00:00~24:00(JST)
• Fully captured incoming packets toward the
prefixes
• many pcap files
• about 6 hunreds million packets
• 2758 packets/host/day
bdNOG10 maz@iij.ad.jp 8

9. Mostly TCP packets
TCP 95% (577340492) UDP 4% (26945104)
ICMP 1% (3897454) IP6 0% (2153)
bdNOG10 maz@iij.ad.jp 9

10. And mostly TCP-SYN
SYN 98% (563062001) SYN-ACK 2% (12229116) OTHER 0% (2049375)
bdNOG10 maz@iij.ad.jp 10

11. The TCP Flag variations
• SYN 563062001
• SYN-ACK 12229116
• SYN-ECE-CWR 941603
• RST 555637
• RST-ACK 293503
• ACK 106575
• SYN-ACK-ECE 52175
• SYN-ACK-ECE-CWR 44801
• FIN-SYN-RST-PSH-ACK-URG 21745
• SYN-ACK-CWR 10423
• PSH-ACK 9532
• FIN-PSH-ACK 4434
• SYN-RST 4258
• FIN-ACK 2817
• RST-ECE 502
• RST-ECE-CWR 445
• RST-CWR 433
• SYN-PSH 364
• none 63
• RST-PSH 32
• FIN 17
• PSH 6
• PSH-ACK-URG-CWR 3
• FIN-SYN-RST-ACK-URG-CWR 2
• FIN-RST-PSH-ACK-URG-CWR 1
• SYN-PSH-CWR 1
• CWR 1
• FIN-SYN-RST-PSH-ACK-URG-CWR 1
• RST-PSH-ACK-ECE-CWR 1
bdNOG10 maz@iij.ad.jp 11

12. The major destination ports
TCP-SYN destinations
• 23 73958566
• 52869 34724310
• 8545 14738763
• 22 13507821
• 445 11378107
• 80 10794925
• 8080 9323605
• 4776 7615618
• 4784 7602022
• 1433 5755354
UDP destinations
• 389 2445405
• 4776 2381843
• 4784 2354203
• 1900 2287302
• 50328 1191988
• 50592 1190070
• 50336 1188298
• 50584 1180976
• 11211 1064441
• 19 754180
bdNOG10 maz@iij.ad.jp 12

13. Packets distribution: Sender
Thenumberofoccurrences
The number of packets sent by a source
Many hosts sending a few packets
A few sending a LOT
bdNOG10 maz@iij.ad.jp 13

14. A few hosts sending a lot of
packets
• Ukrainian IP (31609992 packets)
• TCP-SYN to TCP/1025-10000
• USA IP (10793632 packets)
• TCP-SYN to TCP/52869
• Dutch IP (10572421 packets)
• TCP-SYN to TCP/52869
• HongKong IP (7330971 packets)
• TCP-SYN to TCP/3031 and other 546 ports
• Ireland 8 IPs (total 51607564packets)
• TCP-SYN to TCP/53601-60800
bdNOG10 maz@iij.ad.jp 14

15. TCP/23 scanners
Thenumberofoccurrences
The number of packets sent by a source
bdNOG10 maz@iij.ad.jp 15
Existing around here

16. Security services based on
scanning results
• Many others, and each of them is scanning you
• More new services means more scanning packets
to your network
bdNOG10 maz@iij.ad.jp 16

17. Many hosts sending a few
$%. . # % b8 b%, #% #% #,# $ , b1b %%#%#%%#% # .b@5 b LT ZOb%$
$]$$$$.bb $b$$, b Kb $$$b $%%b $ %bIK Mb $,bb6### ;2#$# #####
$]$$%$.bbK $%b$II%b K b% ,b$$ $b b %b %bb######### #K%.
$]$$ $.bb b b b $ b M $b$L b ,bM%L bbK .PK $.U # C ##
$]$$ $.bbL, MbM%% b I MbIL $b , bK MLb b Lbb##### ##]### .PT
$]$$ $.bb Mb M ,b % b , b $ b M $b$L%Mb % bbMU O O $.U ## A
$]$$ $.bbI, Lb%$,,bI$L,bI b I Lb$M $b M b %bb#a#####.DT#$##L%
$]$$ $.bb %b b b Mb $ b b %b bb.W . LZ LLX %.Z
$]$$ $.bb b b % b b b $%b$% %b bb .#4%.[ .: ##%.
$]$$,$.bb % b % bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb%.WL
$%. . # ,%%b8 b%, #% #% #,# $ , b1b %%#%#%%#% # .b@5 b LT ZOb $
$]$$$$.bb $b$$ $b $ b $$$b $%%b L MbIK Mb $,bb6##$ #2#$#T ####
$]$$%$.bbK $%b$II%b K b% ,b$$% bIL%$b %$$b L bb############3#T#
$]$$ $.bb,KL b b$$$$b$$$$b$$$$b$$$$b % b$$$$bb##_ ######## ###
$%. . $# , b8 b%, #% #% #,# , %$b1b %%#%#%%#% # .b7 bD>F b LW
%, %% b¥PTb bU ZPUT bDS % , <9 >b[ , bL X $ TU ¥ Lb F b
LT ZOb$
$]$$$$.bb $$b$$ b I b $$$b $$ b M KbIK Mb $,bb6##0 2#$##F####
$]$$%$.bbK $%b$II%bIKL b% ,bMK Lb b$$$$b$$$$bb#########T######
$]$$ $.bb $$ bMMMM K b$$$$b$ $ b$ ,b$ $ b$,$ bb####FP##########
$]$$ $.bb$$ bM I b$$$$b$$$$b$%$ b$ $ bbbbbbbbbbbb# ##########
$%. . %#,% %b8 b%, #% #% #,# , %$b1b %%#%#%%#% # .b7 bD>F b LW
%, %% b¥PTb bU ZPUT bDS % , <9 >b[ bL X $ TU ¥ Lb F b
LT ZOb$
$]$$$$.bb $$b$$ b I b $$$b $$ b M bIK Mb $,bb6##0 2#$##E####
$]$$%$.bbK $%b$II%bIKL b% ,bMK Lb b$$$$b$$$$bb#########T######
$]$$ $.bb $$ bMMMM K$ b$$$$b$ $ b$ ,b$ $ b$,$ bb####F###########
$]$$ $.bb$$ bM %Ib$$$$b$$$$b$%$ b$ $ bbbbbbbbbbbb# ##########
They send UDP packets, and then send TCP-SYN to the same destination port
Probably... BitTorrent!
bdNOG10 maz@iij.ad.jp 17

18. This might be a P2P as well
-/7/07/4+./3204vEKv./2+43+3.+.65+20142v;v/.6+.-.+..2+/-/+4337vNAK)vd]f_k`v145
-n----7vv12--v-.^Yv3Z-¥v1---v03..v[¥Y0v4¥1[v0¥[3vvB+++c+=+3+++rH:+
-n--.-7vv¥Z32v40[Yv¥-]0v-/^]v-.]3v]1]Yv155¥vY¥05vv+]j+++++++++D++5
-n--/-7vv[/.Yv3.]/v[.50v[11]v^.3/v[..6v665¥v¥/34vv++Y++++J+Z+++++_
-n--0-7vv20]Yv¥2Z[v4456vZ[^6v]0Z2v.Y.1v34--v/566vvL+++m+++++++_+&+
-n--1-7vv0..0v2155v-][6v4/0]v15/]v[][6v66.Zv-^^2vv.+M+++i;D+++++++
-n--2-7vv--45v1¥3^v464/v]53[v2¥^.v5¥Z-v¥/-.v.5[/vv+nIgoi+dU+++++++
-n--3-7vv..05v5-]4v4.¥2v[1Y1v[-Z]v/Z0^vY0Z]vZ[]¥vv+5++h+++++(<++++
9t ;
-n-.5-7vv]6Z.v-165v.-/6v¥]43v¥2^4v4ZZ¥v.[..v-Y1/vv+++++'+l++q++++?
-n-.6-7vv-[Y3vZ]Z2v266[v2¥^Yv/¥Z-v5Y54v3]3^v2]24vv++++ +U+ +++fgVP
-n-.Y-7vvY-]-v3^/^v551¥vY12¥v[06]v662]v/]Y/vY-0Yvv++g,+I+U+++V+++7
-n-.Z-7vv[4¥¥v3]6^v^51Yv.Y/2v4Y/0v/Z]4v./-5vZ]Z.vv++f++F+# !(+++++
-n-.[-7vv34/¥v¥^]]v^5-0v[Y0ZvY.30v66[]v51Z5v54[Zvv_ +++++8+[++++++
-n-.¥-7vv62^1v3Y5¥vZ]-0v0.05v/32Zv.^04v3/2[v3415vv++b+++.5$S+4ZT_D
-n-.]-7vv-513v03^^v[44^v0Z]4v3.20v0331v-ZZ[v/^6^vv+C3+++8+YL3¥++,+
-n-.^-7vv0..6vYZ]]v.Z¥Zv/3Z^v03[0vvvvvvvvvvvvvvvvv.+++++$+3+
-/7/0714+245.55vEKv.4.+03+10+5+0-501v;v/.6+.-.+..2+/-/+4337vNAK)vd]f_k`v15/
-n----7vv12--v-.^]v3Z-^v1---v00..vZ250vYZ/1v/Z-5vvB+++c+=+0++++"(+
-n--.-7vv¥Z32v40[Yv454/v-/^]v-.]Yv//.Zv3]5]vZ/34vv+]j+ni++++ +f++_
-n--/-7vv]^]3v¥Z-¥v¥6/3v6[54v/5[6v31Y1v61]3v^.[^vv+++++$++&+¥+++++
-n--0-7vv]]3-v3623v5[¥2v3].4v.11Yv204]v5/Y4v.2[6vv+ a ++f++FLs++++
-n--1-7vv40¥5v3ZY3v[Z[]v¥0[6v0^1/vZ6Z1v01[4v^..[vvj+c+++++<?++1+++
-n--2-7vv6/03v3./4v3[4Yv344.v.¥]0vY/Y.v6Z^[vZ651vv+3Y%d _h++++++++
-n--3-7vv-^/2v0113v¥Z1¥v04-1v[610v45Y5vZ244v0^^[vv+#1C+I4++@n++m<+
9t ;
-n-.5-7vv]¥^4v35]Zv[¥Y6vZ-4/v[3[.vY//.v322]v0--4vv++`++++i+++ ]V-+
-n-.6-7vv6]¥0v[023v]/.Yv0Z.Zv^641v[61.v]¥2^v]Y2Yvv+++ ++8++k+>+W+
-n-.Y-7vv¥220v[1/0v^Z41v.1[/vZ2Z2v3/66v.06.v6^Z-vv+L+!+k++++Z+++++
-n-.Z-7vv]03/v-3[3v^Y1.v3-^1v01Y5v02Y-v53/-v^Y2[vv+Z+++> +1+2++++T
-n-.[-7vv^.Z]v^¥3[vZ/..vY¥]3v[2.-v4^24v/-6¥v-450vv+++d+++++++P++++
-n-.¥-7vv^^5Zv1646v1Z/5v3¥4^v[^//v.^23v[-65v0.Z.vv++Eo &e++ + ++.+
-n-.]-7vv¥3/]v6[-5v0]1Yv]¥5/v¥53[v¥5^4v-6¥]v^654vv++++;F+++d++++++
-n-.^-7vv]5[.v-.01v]5][v0/Z5v5¥[^v5¥1¥v35Z¥vvvvvvv+++1++/++++I`+
bdNOG10 maz@iij.ad.jp 18

19. Many hosts sending a few
• There might be a wrong node information in the P2P
network.
• Based on that, many hosts are trying to connect the *nodes*
• I guess users of the senders are not aware of this
• Why such a wrong node information?
• Someone made mistake on his/her configuration?
• Someone is attacking the P2P network by injecting wrong
nodes?
• The number of unique senders might be indicating the
number of P2P users
bdNOG10 maz@iij.ad.jp 19

20. Packets distribution: Receiver
bdNOG10 maz@iij.ad.jp 20
Average 2758 packets/host
A few hosts are
receiving a lot
Thenumberofoccurrences
The number of packets received by a host

21. A few hosts receiving the most of
many packets from the many hosts
Probably by a P2P application based on wrong nodes
information
bdNOG10 maz@iij.ad.jp 21
Thenumberofoccurrences
The number of packets received by a hostThe number of packets sent by a sender

22. Oh, yes. I see IP6 (41) packet
0, 3 00) " , 0 ) , -.,0, 2
) 0
) 30 " . 2 - 4), "
) 0 " " - 1 ,(
.,10 . ,) 0 0 , ) 0
3 "
3 "
3 "
3 " 2
3
The PTR record of the sender looks like a HTTP server -> www134.cs.uic.edu
Seems like it’s searching a router
bdNOG10 maz@iij.ad.jp 22

23. This explains that
bdNOG10 maz@iij.ad.jp 23

24. IP6 (41) 6to4 packet
(,1'.1')&(-..)-]8 ] ' '$] ),($]KF]((0-)$] ]'$] CI ] 57 $] T ]8 X-] ( $]
PI ]0)
(0)& &00&(]2](, &)''& )& 1]8 -] CD ' ).-- $] KO () $]P CF T] 4 ] - ]
C[ CF] PI 1] ) ]) ' 1- ''1 '',1 '011)'' & ]2])'')10 E 1)')E110 E 1)')E&-,)- 1]
7 CI ] & $]E O ' )-E(] E TT E $] S ')(),-'.$]CE ]).,00,.,(,$] KP]).)''$] K P ]
O ( -'$P $P $ CE :9$P $ EC ] $] PI ]'
' ''''1 ,'']'',E]) DC] '''] D)0]- .']E', ]- '( 6&&@&&3&& P &>E&
' ''('1 0 E ])')E]-'')].-- ]'')']'-.E]) ' ]- '' &&&$ &XP&&&¥ & &
' '')'1 '',]' '0]'''']'''']''''])'' ])'')]0 E 3&&&&&&&&&&&&&&&
' '' '1 )')E]'''']'''']'''']0 E ])')E]'(DD] &$&&&&&&&&&$&&&&
' '' '1 (. .] ).]C (]0E'D] '()]-C '])-E(]'''' &&& &&&&&& 3 &&&
' '','1 ')' ]',,']'('(]' ')]'(' ]' ' &&& &&&&&&&&
bdNOG10 maz@iij.ad.jp 24

25. 6to4 reflections
• Someone is using 6to4 with an IPv4 address from our
prefix, and we got a reply
Using 6to4
with wrong IPv4 address
configuration
6to4 relay
bdNOG10 maz@iij.ad.jp 25

26. 6to4 reflections
• Guesses
• Configuration error and weird implementation made
6to4 enabled, and the host tried to access the Internet
through it?
• Someone using 6to4 space for IPv6 SYN-flooding?
• We also observe ’ICMP6 TTL expired’ packet related
to 6to4
bdNOG10 maz@iij.ad.jp 26

27. Sudden traffic
• 300Mbps toward a single destination
• Many sources from different countries and economies
• UDP, random source and destination port
• Don’t fragment, 1052 bytes
bdNOG10 maz@iij.ad.jp 27

28. The sudden traffic
• Firstly I assumed a P2P, but it looks strange
• I couldn’t feel the intent of ‘commutation’ from the
payloads
• That’s just my feeling
• So I counted
• The byte distribution of the payload
bdNOG10 maz@iij.ad.jp 28

29. Byte distributions sometimes tell
something
pdf docx
jpg m4apptx
bdNOG10 maz@iij.ad.jp 29

30. The byte distribution is too flat
The UDP datagram
bdNOG10 maz@iij.ad.jp 30

31. Analysis of the sudden traffic
• The payload is totally random
• No intention for communication
• OK, I suppose this a DDoS attack
• But to the destination that is not serving anything?
• Just mistake?
• Lesson learned
• Without any particular reason, sometimes you suddenly
become a target of DDoS
bdNOG10 maz@iij.ad.jp 31

32. There was this kind of packet as
well..
- - , P45P , P0P , -P625 P D I P
-PP P , P< P P> P > P <P9 9<PP3 E 8
-PP<: P ;9P P< 9 P 9P P P PP > 11
-PP P P P P > P < P ;P ; PP1111 ;< I
-PP P >P P >P P P ; ;P PP;< 9 D ;
/ DA 0
-PP P P P P P P P : PP< I>I .
-PP P P P P P :P P PP I>I . >I
-PP P P < P <P P P > P , <PP I 9DED
-PP > P P < P P >P ,P < >P PPE 9DED E
-PP <P P P P P P P PP 5
-PP P P P P P P P PP >I >
-PP P P P : P P P P PPI . >I
-PP P P P P P P P PP I>I I>I
, -PP P P P P P P 9PPPPPPP >I
;<P I P P;<P 9 DP P;<P DIP P;<P EEIP P;< .
IP II - 777 :AD .
; E< P:AD .
P:AD .
I>I P 777 ; I I>I .
; E<P PI>I .
PI>I .
I>I P PI>I P 777.
; E<P PI>I .
I>I .
>I P IP P P9DED E P P9DED E P 5P P 777P
>I P>I .
>I PI>I PI>I P>I
bdNOG10 maz@iij.ad.jp 32

33. Summary
• We have background noise in the Internet (IPv4)
• Malicious activities are observed
• Yes, of course
• Security service providers are also scanning you
• Some other non-intentional or aftereffect-ish
activities are also happening in the Internet
• If you are unlucky, you might receive many packets
without any particular reason
bdNOG10 maz@iij.ad.jp 33