skip to main content
research-article

Estimating internet address space usage through passive measurements

Published: 31 December 2013 Publication History

Abstract

One challenge in understanding the evolution of Internet infrastructure is the lack of systematic mechanisms for monitoring the extent to which allocated IP addresses are actually used. Address utilization has been monitored via actively scanning the entire IPv4 address space. We evaluate the potential to leverage passive network traffic measurements in addition to or instead of active probing. Passive traffic measurements introduce no network traffic overhead, do not rely on unfiltered responses to probing, and could potentially apply to IPv6 as well. We investigate two challenges in using passive traffic for address utilization inference: the limited visibility of a single observation point; and the presence of spoofed IP addresses in packets that can distort results by implying faked addresses are active. We propose a methodology for removing such spoofed traffic on both darknets and live networks, which yields results comparable to inferences made from active probing. Our preliminary analysis reveals a number of promising findings, including novel insight into the usage of the IPv4 address space that would expand with additional vantage points.

Supplementary Material

Errata (errata-dainottia.pdf)
This errata is to help viewers/readers identify/properly understand our contribution to the SIGCOMMCCR Newsletter. Volume 44 Issue 1, (January 2014) on pages 42-49.

References

[1]
http://seclists.org/nanog/2009/Feb/2.
[2]
A. Dainotti, A. King. CAIDA Blog: Carna botnet scans confirmed. http://blog.caida.org/best_available_data/2013/05/13/carna-botnet-scans/.
[3]
Advanced Network Technology Center, University of Oregon. Route Views Project. http://www.routeviews.org/.
[4]
K. Benson, A. Dainotti, k. claffy, and E. Aben. Gaining Insight into AS-level Outages through Analysis of Internet Background Radiation. In Traffic Monitoring and Analysis Workshop (TMA), Apr 2013.
[5]
R. Beverly and S. Bauer. The spoofer project: inferring the extent of source address filtering on the internet. In USENIX Workshop on Steps to Reducing Unwanted Traffic on the Internet, SRUTI'05.
[6]
R. E. Beverly, IV. Statistical learning in network architecture. PhD thesis, MIT, 2008. AAI0820515.
[7]
CAIDA. Supplemental data: Estimating Internet address space usage through passive measurements. http://www.caida.org/publications/papers/2013/passive_ip_space_usage_estimation/supplemental/, 2013.
[8]
E. Chien. Downadup: Attempts at Smart Network Scanning. http://www.symantec.com/connect/blogs/downadup-attempts-smart-network-scanning, 2009.
[9]
Z. Durumeric, E. Wustrow, and J. A. Halderman. ZMap: Fast Internet-wide scanning and its security applications. In Proceedings of the 22nd USENIX Security Symposium, 2013.
[10]
J. Heidemann, Y. Pradkin, R. Govindan, C. Papadopoulos, G. Bartlett, and J. Bannister. Census and survey of the visible Internet. In 8th ACM SIGCOMM conference on Internet measurement, IMC '08.
[11]
J. Horchert and C. Stöcker. Mapping the internet: A hacker's secret internet census. Spiegel Online, March 2013.
[12]
Information of Sciences Institute, University of Southern California. LANDER project:Internet address census it49c-20120731. http://www.isi.edu/ant/traces/internet_address_census_it49c-20120731.README.txt, 2012.
[13]
Information of Sciences Institute, USC. Internet Address Survey Binary Format. http://www.isi.edu/ant/traces/topology/address_surveys/binformat_description.html, 2012.
[14]
Information of Sciences Institute, USC. ANT Census of the Internet Address Space - browsable map. http://www.isi.edu/ant/address/browse/index.html, 2013.
[15]
Insecure.Com LLC. Nmap Security Scanner. http://nmap.org.
[16]
A. Langley. Probing the viability of TCP extensions. Technical report, Google Inc., Sep 2008.
[17]
Merit Network, Inc. Merit Darknet IPv4. http://software.merit.edu/darknet/.
[18]
R. Munroe. xkcd: MAP of the INTERNET 2006. http://blog.xkcd.com/2006/12/11/the-map-of-the-internet/.
[19]
R. Pang, V. Yegneswaran, P. Barford, V. Paxson, and L. Peterson. Characteristics of internet background radiation. In Proceedings of the 4th ACM SIGCOMM conference on Internet measurement, IMC '04, pages 27--40, New York, NY, USA, 2004. ACM.
[20]
A. Sebastian. Default Time To Live (TTL) values. http://www.binbert.com/blog/2009/12/default-time-to-live-ttl-values/, 2009.
[21]
A. N. Shannon V. Spires. Exhaustive search system and method using space-filling curves. Patent, 10 2003. US 6636847.
[22]
SWITCH. Swiss Tele Communication System for Higher Education. http://www.switch.ch/.
[23]
S. Templeton and K. Levitt. Detecting spoofed packets. In DARPA Information Survivability Conference and Exposition, 2003.
[24]
University of California, San Diego. The UCSD Network Telescope. http://www.caida.org/projects/network_telescope/.
[25]
E. Wustrow, M. Karir, M. Bailey, F. Jahanian, and G. Huston. Internet background radiation revisited. In 10th ACM SIGCOMM conference on Internet measurement, IMC '10.
[26]
S. Zander, L. L. H. Andrew, G. Armitagei, and G. Huston. Estimating IPv4 Address Space Usage with Capture-recapture. In IEEE Workshop on Network Measurements (WNM 2013).

Cited By

View all
  • (2024)Survey of cyberspace surveying and mappingProceedings of the 2024 3rd International Conference on Cyber Security, Artificial Intelligence and Digital Economy10.1145/3672919.3672932(66-71)Online publication date: 1-Mar-2024
  • (2024)DarkSim: A similarity-based time-series analytic framework for darknet trafficProceedings of the 2024 ACM on Internet Measurement Conference10.1145/3646547.3688426(241-258)Online publication date: 4-Nov-2024
  • (2024)NetShuffle: Circumventing Censorship with Shuffle Proxies at the Edge2024 IEEE Symposium on Security and Privacy (SP)10.1109/SP54263.2024.00036(3497-3514)Online publication date: 19-May-2024
  • Show More Cited By

Index Terms

  1. Estimating internet address space usage through passive measurements

        Recommendations

        Comments

        Information & Contributors

        Information

        Published In

        cover image ACM SIGCOMM Computer Communication Review
        ACM SIGCOMM Computer Communication Review  Volume 44, Issue 1
        January 2014
        61 pages
        ISSN:0146-4833
        DOI:10.1145/2567561
        Issue’s Table of Contents
        Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

        Publisher

        Association for Computing Machinery

        New York, NY, United States

        Publication History

        Published: 31 December 2013
        Published in SIGCOMM-CCR Volume 44, Issue 1

        Check for updates

        Author Tags

        1. darknet
        2. internet address space
        3. ipv4 address space
        4. network telescope
        5. passive measurements
        6. spoofed traffic

        Qualifiers

        • Research-article

        Contributors

        Other Metrics

        Bibliometrics & Citations

        Bibliometrics

        Article Metrics

        • Downloads (Last 12 months)35
        • Downloads (Last 6 weeks)1
        Reflects downloads up to 23 Jan 2025

        Other Metrics

        Citations

        Cited By

        View all
        • (2024)Survey of cyberspace surveying and mappingProceedings of the 2024 3rd International Conference on Cyber Security, Artificial Intelligence and Digital Economy10.1145/3672919.3672932(66-71)Online publication date: 1-Mar-2024
        • (2024)DarkSim: A similarity-based time-series analytic framework for darknet trafficProceedings of the 2024 ACM on Internet Measurement Conference10.1145/3646547.3688426(241-258)Online publication date: 4-Nov-2024
        • (2024)NetShuffle: Circumventing Censorship with Shuffle Proxies at the Edge2024 IEEE Symposium on Security and Privacy (SP)10.1109/SP54263.2024.00036(3497-3514)Online publication date: 19-May-2024
        • (2024)Internet Outages During Times of Conflict2024 IEEE International Conference on Systems, Man, and Cybernetics (SMC)10.1109/SMC54092.2024.10831186(1945-1950)Online publication date: 6-Oct-2024
        • (2024)Ensemble Voting for Enhanced Robustness in DarkNet Traffic DetectionIEEE Access10.1109/ACCESS.2024.348902012(177064-177079)Online publication date: 2024
        • (2024)You Can Find Me Here: A Study of the Early Adoption of GeofeedsPassive and Active Measurement10.1007/978-3-031-56252-5_11(228-245)Online publication date: 11-Mar-2024
        • (2024)Systematic Literature Review and Assessment for Cyber Terrorism Communication and Recruitment ActivitiesTechnology Innovation for Business Intelligence and Analytics (TIBIA)10.1007/978-3-031-55221-2_5(83-108)Online publication date: 22-Mar-2024
        • (2023)Aggressive Internet-Wide Scanners: Network Impact and Longitudinal CharacterizationCompanion of the 19th International Conference on emerging Networking EXperiments and Technologies10.1145/3624354.3630583(1-8)Online publication date: 5-Dec-2023
        • (2023)Destination Unreachable: Characterizing Internet Outages and ShutdownsProceedings of the ACM SIGCOMM 2023 Conference10.1145/3603269.3604883(608-621)Online publication date: 10-Sep-2023
        • (2022) Dark-TRACER : Early Detection Framework for Malware Activity Based on Anomalous Spatiotemporal Patterns IEEE Access10.1109/ACCESS.2022.314596610(13038-13058)Online publication date: 2022
        • Show More Cited By

        View Options

        Login options

        View options

        PDF

        View or Download as a PDF file.

        PDF

        eReader

        View online with eReader.

        eReader

        Media

        Figures

        Other

        Tables

        Share

        Share

        Share this Publication link

        Share on social media