An Analysis of Internet Background Radiation within an African IPv4 netblock

- Hendricks, Wadeegh

Title
An Analysis of Internet Background Radiation within an African IPv4 netblock
Creator
Hendricks, Wadeegh
ThesisAdvisor
Irwin, Barry Vivian William
Subject
Computer networks -- Monitoring –- South Africa
Subject
Dark Web
Subject
Computer networks -- Security measures –- South Africa
Subject
Universities and Colleges -- Computer networks -- Security measures
Subject
Malware (Computer software)
Subject
TCP/IP (Computer network protocol)
Date
2020
Type
text
Type
Thesis
Type
Masters
Type
MSc
Identifier
http://hdl.handle.net/10962/103791
Identifier
vital:32298
Description
The use of passive network sensors has in the past proven to be quite effective in monitoring and analysing the current state of traffic on a network. Internet traffic destined to a routable, yet unused address block is often referred to as Internet Background Radiation (IBR) and characterised as unsolicited. This unsolicited traffic is however quite valuable to researchers in that it allows them to study the traffic patterns in a covert manner. IBR is largely composed of network and port scanning traffic, backscatter packets from virus and malware activity and to a lesser extent, misconfiguration of network devices. This research answers the following two questions: (1) What is the current state of IBR within the context of a South African IP address space and (2) Can any anomalies be detected in the traffic, with specific reference to current global malware attacks such as Mirai and similar. Rhodes University operates five IPv4 passive network sensors, commonly known as network telescopes, each monitoring its own /24 IP address block. The oldest of these network telescopes has been collecting traffic for over a decade, with the newest being established in 2011. This research focuses on the in-depth analysis of the traffic captured by one telescope in the 155/8 range over a 12 month period, from January to December 2017. The traffic was analysed and classified according the protocol, TCP flag, source IP address, destination port, packet count and payload size. Apart from the normal network traffic graphs and tables, a geographic heatmap of source traffic was also created, based on the source IP address. Spikes and noticeable variances in traffic patterns were further investigated and evidence of Mirai like malware activity was observed. Network and port scanning were found to comprise the largest amount of traffic, accounting for over 90% of the total IBR. Various scanning techniques were identified, including low level passive scanning and much higher level active scanning.
Format
122 pages, pdf
Publisher
Rhodes University, Faculty of Science, Computer Science
Language
English
Rights
Hendricks, Wadeegh
  • Hits: 4305
  • Visitors: 4493
  • Downloads: 273

Collections

RU Department of Computer Science
Thumbnail File Description Size Format
SOURCE1 HENDRICKS-MSc-TR20-01.pdf 7 MB Adobe Acrobat PDF
  • Disclaimer
  • Privacy
  • Copyright
  • Contact