Clairvoyance: Inferring Blocklist Use on the Internet

Vector Guo Li; Gautam Akiwate; Kirill Levchenko; Geoffrey M. Voelker; Stefan Savage

doi:10.1007/978-3-030-72582-2_4

Clairvoyance: Inferring Blocklist Use on the Internet

Vector Guo Li, Gautam Akiwate, Kirill Levchenko, Geoffrey M. Voelker, Stefan Savage

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

One of the staples of network defense is blocking traffic to and from a list of “known bad” sites on the Internet. However, few organizations are in a position to produce such a list themselves, so pragmatically this approach depends on the existence of third-party “threat intelligence” providers who specialize in distributing feeds of unwelcome IP addresses. However, the choice to use such a strategy, let alone which data feeds are trusted for this purpose, is rarely made public and thus little is understood about the deployment of these techniques in the wild. To explore this issue, we have designed and implemented a technique to infer proactive traffic blocking on a remote host and, through a series of measurements, to associate that blocking with the use of particular IP blocklists. In a pilot study of 220K US hosts, we find as many as one fourth of the hosts appear to blocklist based on some source of threat intelligence data, and about 2% use one of the 9 particular third-party blocklists that we evaluated.

Original language	English (US)
Title of host publication	Passive and Active Measurement - 22nd International Conference, PAM 2021, Proceedings
Editors	Oliver Hohlfeld, Andra Lutu, Dave Levin
Publisher	Springer
Pages	57-75
Number of pages	19
ISBN (Print)	9783030725815
DOIs	https://doi.org/10.1007/978-3-030-72582-2_4
State	Published - 2021
Event	22nd International Conference on Passive and Active Measurement, PAM 2021 - Virtual, Online Duration: Mar 29 2021 → Apr 1 2021

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	12671 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	22nd International Conference on Passive and Active Measurement, PAM 2021
City	Virtual, Online
Period	3/29/21 → 4/1/21

ASJC Scopus subject areas

Theoretical Computer Science
Computer Science(all)

Online availability

10.1007/978-3-030-72582-2_4

Library availability

Discover UIUC Full Text

Cite this

Li, V. G., Akiwate, G., Levchenko, K., Voelker, G. M., & Savage, S. (2021). Clairvoyance: Inferring Blocklist Use on the Internet. In O. Hohlfeld, A. Lutu, & D. Levin (Eds.), Passive and Active Measurement - 22nd International Conference, PAM 2021, Proceedings (pp. 57-75). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 12671 LNCS). Springer. https://doi.org/10.1007/978-3-030-72582-2_4

Clairvoyance : Inferring Blocklist Use on the Internet. / Li, Vector Guo; Akiwate, Gautam; Levchenko, Kirill et al.

Passive and Active Measurement - 22nd International Conference, PAM 2021, Proceedings. ed. / Oliver Hohlfeld; Andra Lutu; Dave Levin. Springer, 2021. p. 57-75 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 12671 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Li, VG, Akiwate, G, Levchenko, K, Voelker, GM & Savage, S 2021, Clairvoyance: Inferring Blocklist Use on the Internet. in O Hohlfeld, A Lutu & D Levin (eds), Passive and Active Measurement - 22nd International Conference, PAM 2021, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 12671 LNCS, Springer, pp. 57-75, 22nd International Conference on Passive and Active Measurement, PAM 2021, Virtual, Online, 3/29/21. https://doi.org/10.1007/978-3-030-72582-2_4

Li VG, Akiwate G, Levchenko K, Voelker GM, Savage S. Clairvoyance: Inferring Blocklist Use on the Internet. In Hohlfeld O, Lutu A, Levin D, editors, Passive and Active Measurement - 22nd International Conference, PAM 2021, Proceedings. Springer. 2021. p. 57-75. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-030-72582-2_4

Li, Vector Guo ; Akiwate, Gautam ; Levchenko, Kirill et al. / Clairvoyance : Inferring Blocklist Use on the Internet. Passive and Active Measurement - 22nd International Conference, PAM 2021, Proceedings. editor / Oliver Hohlfeld ; Andra Lutu ; Dave Levin. Springer, 2021. pp. 57-75 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{78ffd1f178c2444c8f7e7459e62a4227,

title = "Clairvoyance: Inferring Blocklist Use on the Internet",

abstract = "One of the staples of network defense is blocking traffic to and from a list of “known bad” sites on the Internet. However, few organizations are in a position to produce such a list themselves, so pragmatically this approach depends on the existence of third-party “threat intelligence” providers who specialize in distributing feeds of unwelcome IP addresses. However, the choice to use such a strategy, let alone which data feeds are trusted for this purpose, is rarely made public and thus little is understood about the deployment of these techniques in the wild. To explore this issue, we have designed and implemented a technique to infer proactive traffic blocking on a remote host and, through a series of measurements, to associate that blocking with the use of particular IP blocklists. In a pilot study of 220K US hosts, we find as many as one fourth of the hosts appear to blocklist based on some source of threat intelligence data, and about 2% use one of the 9 particular third-party blocklists that we evaluated.",

author = "Li, {Vector Guo} and Gautam Akiwate and Kirill Levchenko and Voelker, {Geoffrey M.} and Stefan Savage",

note = "Publisher Copyright: {\textcopyright} 2021, Springer Nature Switzerland AG.; 22nd International Conference on Passive and Active Measurement, PAM 2021 ; Conference date: 29-03-2021 Through 01-04-2021",

year = "2021",

doi = "10.1007/978-3-030-72582-2_4",

language = "English (US)",

isbn = "9783030725815",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer",

pages = "57--75",

editor = "Oliver Hohlfeld and Andra Lutu and Dave Levin",

booktitle = "Passive and Active Measurement - 22nd International Conference, PAM 2021, Proceedings",

address = "Germany",

}

TY - GEN

T1 - Clairvoyance

T2 - 22nd International Conference on Passive and Active Measurement, PAM 2021

AU - Li, Vector Guo

AU - Akiwate, Gautam

AU - Levchenko, Kirill

AU - Voelker, Geoffrey M.

AU - Savage, Stefan

PY - 2021

Y1 - 2021

N2 - One of the staples of network defense is blocking traffic to and from a list of “known bad” sites on the Internet. However, few organizations are in a position to produce such a list themselves, so pragmatically this approach depends on the existence of third-party “threat intelligence” providers who specialize in distributing feeds of unwelcome IP addresses. However, the choice to use such a strategy, let alone which data feeds are trusted for this purpose, is rarely made public and thus little is understood about the deployment of these techniques in the wild. To explore this issue, we have designed and implemented a technique to infer proactive traffic blocking on a remote host and, through a series of measurements, to associate that blocking with the use of particular IP blocklists. In a pilot study of 220K US hosts, we find as many as one fourth of the hosts appear to blocklist based on some source of threat intelligence data, and about 2% use one of the 9 particular third-party blocklists that we evaluated.

AB - One of the staples of network defense is blocking traffic to and from a list of “known bad” sites on the Internet. However, few organizations are in a position to produce such a list themselves, so pragmatically this approach depends on the existence of third-party “threat intelligence” providers who specialize in distributing feeds of unwelcome IP addresses. However, the choice to use such a strategy, let alone which data feeds are trusted for this purpose, is rarely made public and thus little is understood about the deployment of these techniques in the wild. To explore this issue, we have designed and implemented a technique to infer proactive traffic blocking on a remote host and, through a series of measurements, to associate that blocking with the use of particular IP blocklists. In a pilot study of 220K US hosts, we find as many as one fourth of the hosts appear to blocklist based on some source of threat intelligence data, and about 2% use one of the 9 particular third-party blocklists that we evaluated.

UR - http://www.scopus.com/inward/record.url?scp=85107280918&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85107280918&partnerID=8YFLogxK

U2 - 10.1007/978-3-030-72582-2_4

DO - 10.1007/978-3-030-72582-2_4

M3 - Conference contribution

AN - SCOPUS:85107280918

SN - 9783030725815

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 57

EP - 75

BT - Passive and Active Measurement - 22nd International Conference, PAM 2021, Proceedings

A2 - Hohlfeld, Oliver

A2 - Lutu, Andra

A2 - Levin, Dave

PB - Springer

Y2 - 29 March 2021 through 1 April 2021

ER -

Clairvoyance: Inferring Blocklist Use on the Internet

Abstract

Publication series

Conference

ASJC Scopus subject areas

Online availability

Library availability

Related links

Fingerprint

Cite this