Colleen Shannon

Inferring Internet denial-of-service activity

In this article, we seek to address a simple question: “How prevalent are denial-of-service attacks in the Internet?” Our motivation is to quantitatively understand the nature of the current threat as well as to enable longer-term analyses of trends and recurring patterns of attacks. We present a new technique, called “backscatter analysis,” that provides a conservative estimate of worldwide denial-of-service activity. We use this approach on 22 traces (each covering a week or more) gathered over three years from 2001 through 2004. Across this corpus we quantitatively assess the number, duration, and focus of attacks, and qualitatively characterize their behavior. In total, we observed over 68,000 attacks directed at over 34,000 distinct victim IP addresses---ranging from well-known e-commerce companies such as Amazon and Hotmail to small foreign ISPs and dial-up connections. We believe our technique is the first to provide quantitative estimates of Internet-wide denial-of-service activity and that this article describes the most comprehensive public measurements of such activity to date.

Inside the Slammer worm

The Slammer worm spread so quickly that human response was ineffective. In January 2003, it packed a benign payload, but its disruptive capacity was surprising. Why was it so effective and what new challenges do this new breed of worm pose?.

Code-Red: a case study on the spread and victims of an internet worm

On July 19, 2001, more than 359,000 computers connected to the Internet were infected with the Code-Red (CRv2) worm in less than 14 hours. The cost of this epidemic, including subsequent strains of Code-Red, is estimated to be in excess of

Beyond folklore: observations on fragmented traffic

2.6 billion. Despite the global damage caused by this attack, there have been few serious attempts to characterize the spread of the worm, partly due to the challenge of collecting global information about worms. Using a technique that enables global detection of worm spread, we collected and analyzed data over a period of 45 days beginning July 2nd, 2001 to determine the characteristics of the spread of Code-Red throughout the Internet.In this paper, we describe the methodology we use to trace the spread of Code-Red, and then describe the results of our trace analyses. We first detail the spread of the Code-Red and CodeRedII worms in terms of infection and deactivation rates. Even without being optimized for spread of infection, Code-Red infection rates peaked at over 2,000 hosts per minute. We then examine the properties of the infected host population, including geographic location, weekly and diurnal time effects, top-level domains, and ISPs. We demonstrate that the worm was an international event, infection activity exhibited time-of-day effects, and found that, although most attention focused on large corporations, the Code-Red worm primarily preyed upon home and small business users. We also qualified the effects of DHCP on measurements of infected hosts and determined that IP addresses are not an accurate measure of the spread of a worm on timescales longer than 24 hours. Finally, the experience of the Code-Red worm demonstrates that wide-spread vulnerabilities in Internet hosts can be exploited quickly and dramatically, and that techniques other than host patching are required to mitigate Internet worms.

The internet measurement data catalog

Fragmented IP traffic is a poorly understood component of the overall mix of traffic on the Internet. Many assertions about the nature and extent of fragmented traffic are anecdotal rather than empirical. In this paper we examine the causes and attributes of measured fragment traffic, in particular, the effects of NFS, streaming media, networked video games, tunneled traffic, and the prevalence of packet fragmentation due to improperly configured machines.To understand the prevalence, causes, and effects of fragmented IP traffic, we have collected and analyzed seven multiday traces from four sources. These sources include a university commodity access link, two highly aggregated commercial exchange points, and a local NAP. Although there is no practical method of ascertaining whether any data provide a representative sample of all Internet traffic, we include data sources that cover several different types of WANs with traffic from commercial entities, educational and research institutions, and large government facilities.The dominant causes of fragmentation are streaming media and tunneled traffic. Although rumored to be the main impetus for IP packet fragmentation, NFS is not among the top ten causes.

Characteristics of fragmented IP traffic on internet links

Internet data remains one of the basic components of computer science network research. Despite its necessity, available data is limited by legal, social, and technical constraints on its collection and distribution. Thus, optimal distribution of knowledge about available data is a valuable service to the research community. To this end, CAIDA has developed the Internet Measurement Data Catalog to:provide a searchable index of available dataenhance documentation of datasets via a public annotation systemadvance network science by promoting reproducible researchThis paper describes the impetus, design, and planned deployment of the Internet Measurement Data Catalog.

Community-oriented network measurement infrastructure (CONMI) workshop report

Fragmented IP traffic is a unique component of the overall mix of traffic on the Internet. Many assertions about the nature and extent of fragmented traffic are anecdotal rather than empirical. In this paper we examine the causes and attributes of measured fragment traffic and contrast those results with commonly cited beliefs. In particular, the effects of NFS, streaming media, networked video games, and tunneled traffic are quantified, and we estimate the prevalence of packet fragmentation due to improperly configured machines.To understand the prevalence, causes, and effects of fragmented IP traffic, we have collected and analyzed seven multi-day traces from three sources. These sources include a university commodity access link, a highly aggregated commercial exchange point, and a local NAP. Although there is no practical method of ascertaining whether any data provide a representative sample of all Internet traffic, we do include data sources that cover several different types of WANs with traffic from commercial entities, educational and research institutions, and large government facilities.

Internet quarantine: requirements for containing self-propagating code

This report summarizes issues discussed at the first CONMI workshop held on 30 March 2005 in Boston, Massachusetts. Sponsored by the National Science Foundations Office of Cyberinfrastructure (OCI-0532233), the workshop was intended to begin a discussion regarding the viability and utility of a community-oriented network measurement infrastructure. This report was published 20 December 2005 online at: http://www.caida.org/workshops/conmi/.