Abstract
Internet traffic destined for unused or unreachable addresses provides critically important information on malicious and misconfigured activity. Since Internet address allocation and policy information is distributed across many devices, applications, and administrative domains, constructing a comprehensive map of unused and unreachable (“dark”) addresses is challenging. In this paper, we present an architecture that automates the process of discovering these dark addresses by actively participating with allocation, routing, and policy systems. Our approach is to adopt a local perspective revealing unreachable external addresses and unused private and local addresses, and enabling the detection of threats coming into and out of a network. To validate the approach, we construct a prototype system called the Dark Oracle that uses internal and external routing data and host configuration information, such as DHCP logs, to automatically discover dark addresses. We experimentally evaluate the prototype using data from a large enterprise network and a regional ISP, and from deployment of the Dark Oracle on a large academic network.
Original language | English (US) |
---|---|
State | Published - 2006 |
Externally published | Yes |
Event | 3rd Symposium on Networked Systems Design and Implementation, NSDI 2006 - San Jose, United States; Duration: May 8 2006 → May 10 2006 |
Conference
Conference | 3rd Symposium on Networked Systems Design and Implementation, NSDI 2006 |
---|---|
Country/Territory | United States |
City | San Jose |
Period | 5/8/06 → 5/10/06 |
ASJC Scopus subject areas
- Computer Networks and Communications
- Control and Systems Engineering