Clairvoyance: Inferring Blocklist Use on the Internet

Vector Guo Li, Gautam Akiwate, Kirill Levchenko, Geoffrey M. Voelker, Stefan Savage

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

One of the staples of network defense is blocking traffic to and from a list of “known bad” sites on the Internet. However, few organizations are in a position to produce such a list themselves, so pragmatically this approach depends on the existence of third-party “threat intelligence” providers who specialize in distributing feeds of unwelcome IP addresses. However, the choice to use such a strategy, let alone which data feeds are trusted for this purpose, is rarely made public and thus little is understood about the deployment of these techniques in the wild. To explore this issue, we have designed and implemented a technique to infer proactive traffic blocking on a remote host and, through a series of measurements, to associate that blocking with the use of particular IP blocklists. In a pilot study of 220K US hosts, we find as many as one fourth of the hosts appear to blocklist based on some source of threat intelligence data, and about 2% use one of the 9 particular third-party blocklists that we evaluated.

Original language: English (US)
Title of host publication: Passive and Active Measurement - 22nd International Conference, PAM 2021, Proceedings
Editors: Oliver Hohlfeld, Andra Lutu, Dave Levin
Publisher: Springer
Pages: 57-75
Number of pages: 19
ISBN (Print): 9783030725815
State: Published - 2021
Event: 22nd International Conference on Passive and Active Measurement, PAM 2021 - Virtual, Online
Duration: Mar 29 2021 to Apr 1 2021

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 12671 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Conference

Conference: 22nd International Conference on Passive and Active Measurement, PAM 2021
City: Virtual, Online
Period: 3/29/21 to 4/1/21

ASJC Scopus subject areas

  • Theoretical Computer Science
  • General Computer Science
