- Title
- An Analysis of Internet Background Radiation within an African IPv4 netblock
- Creator
- Hendricks, Wadeegh
- ThesisAdvisor
- Irwin, Barry Vivian William
- Subject
- Computer networks -- Monitoring –- South Africa
- Subject
- Dark Web
- Subject
- Computer networks -- Security measures –- South Africa
- Subject
- Universities and Colleges -- Computer networks -- Security measures
- Subject
- Malware (Computer software)
- Subject
- TCP/IP (Computer network protocol)
- Date
- 2020
- Type
- text
- Type
- Thesis
- Type
- Masters
- Type
- MSc
- Identifier
- http://hdl.handle.net/10962/103791
- Identifier
- vital:32298
- Description
- The use of passive network sensors has in the past proven to be quite effective in monitoring and analysing the current state of traffic on a network. Internet traffic destined to a routable, yet unused address block is often referred to as Internet Background Radiation (IBR) and characterised as unsolicited. This unsolicited traffic is however quite valuable to researchers in that it allows them to study the traffic patterns in a covert manner. IBR is largely composed of network and port scanning traffic, backscatter packets from virus and malware activity and to a lesser extent, misconfiguration of network devices. This research answers the following two questions: (1) What is the current state of IBR within the context of a South African IP address space and (2) Can any anomalies be detected in the traffic, with specific reference to current global malware attacks such as Mirai and similar. Rhodes University operates five IPv4 passive network sensors, commonly known as network telescopes, each monitoring its own /24 IP address block. The oldest of these network telescopes has been collecting traffic for over a decade, with the newest being established in 2011. This research focuses on the in-depth analysis of the traffic captured by one telescope in the 155/8 range over a 12 month period, from January to December 2017. The traffic was analysed and classified according the protocol, TCP flag, source IP address, destination port, packet count and payload size. Apart from the normal network traffic graphs and tables, a geographic heatmap of source traffic was also created, based on the source IP address. Spikes and noticeable variances in traffic patterns were further investigated and evidence of Mirai like malware activity was observed. Network and port scanning were found to comprise the largest amount of traffic, accounting for over 90% of the total IBR. Various scanning techniques were identified, including low level passive scanning and much higher level active scanning.
- Format
- 122 pages, pdf
- Publisher
- Rhodes University, Faculty of Science, Computer Science
- Language
- English
- Rights
- Hendricks, Wadeegh
- Hits: 4390
- Visitors: 4580
- Downloads: 276
Thumbnail | File | Description | Size | Format | |||
---|---|---|---|---|---|---|---|
View Details Download | SOURCE1 | HENDRICKS-MSc-TR20-01.pdf | 7 MB | Adobe Acrobat PDF | View Details Download |