Identifying and Modeling
Unwanted Traffic on the Internet
by
Paul Soto
Submitted to the Department of Electrical Engineering and Computer Science
in Partial Fulfillment of the Requirements for the Degree of
Master of Engineering in Electrical Engineering and Computer Science
at the
MASSACH'JSETTS INSTITUTE OF TECHNOLOGY
November)005
0 2005 Paul Soto. All rights reserved.
The author hereby grants to M.I.T. permission to reproduce and
distribute publicly paper and electronic copies of this thesis
and to grant others the right to do so.
Author
Ddkartment'of Ele'ctrica1 Engineering and Computer Science
November 4, 2005
Certified by_
a
Dr . Rhard Lippmann
-Te
Supervisor
Accepted by___
L' Arthur C. Smith
Chairman, Department Committee on Graduate Theses
MASACUSETSINS=F
OF TECHNOLOGY
AUG 142006
LIBRARIES
BARKER
2
Identifying and Modeling
Unwanted Traffic on the Internet
by
Paul Soto
Submitted to the
Department of Electrical Engineering and Computer Science
Nov. 4, 2005
In Partial Fulfillment of the Requirements for the Degree of
Master of Engineering in Electrical Engineering and Computer Science
ABSTRACT
Accurate models of Internet traffic are important for successful testing of devices that provide
network security. However, with the growth of the Internet, it has become increasingly difficult
to develop and maintain accurate traffic models. While much Internet traffic is legitimate,
productive communications between users and services, a significant portion of Internet traffic is
the result of unwanted messages sent to IP addresses without regard as to whether there is an
active host at that address. In an eftort to analyze unwanted traffic, tools were developed that
generate statistics and plots on captured unwanted traffic to unused IP addresses. These tools
were used on a four-day period of traffic received on an inactive IPv4 class A network address
space. Each class B subnet in this address space received an average of 7 million packets
corresponding to 21 packets per second. Analyses were performed on a range of class B and C
subnets with the intent of discovering the types of variability that are characteristic of unwanted
traffic. Traffic volume over time, number of scans, destinations ports, and traffic sources varied
substantially across class B and C subnets. The results of the analyses, along with tools to replay
traffic, allow security tools to be analyzed on the LARIAT network testbed. LARIAT is a realtime adaptable network testbed developed at Lincoln Laboratory that provides an Internet-like
environment in which to test network hardware and software.
Thesis Supervisor: Dr. Richard Lippmann
Title: Information Systems Technology Senior Staff, MIT Lincoln Laboratory
3
4
Acknowledgements
I would like to give my sincere thanks to Richard Lippmann. It was a privilege to have
worked under his guidance. I valued his thought-provoking questions, which always had me
wanting to go back to the dataset for further analysis.
I am deeply grateful to have worked with William Streilein. He has been an immense
help on everything throughout the project.
Both Rich and Bill have provided me with many suggestions on avenues of approach for
analyzing and understanding the dataset They also offered useful comments and numerous
corrections on the various drafts of this thesis, helping to make it clearer and more thorough.
I would like to thank Lee Rossey and Robert Cashman for their help. Among other
things, they have provided me with ideas on the causes behind the traffic, how the traffic can be
used in real-world systems, and what consumers would want to gather from analyzed traffic.
Many thanks go to Colleen Shannon at CAIDA for her insightful observations and
remarks during the frequent reviews of the traffic result.
I would like to thank CAIDA for providing the dataset used in this research and Lincoln
Laboratory for providing the resources to analyze the dataset
Finally, my biggest thanks goes to my family for their never-ending support and
encouragement.
I cannot stress enough how much I appreciated the help everyone had provided me.
Thank you.
5
6
Contents
1 IN TR O D U CT ION ....................................................................................................................................................13
2 N E T WO RK T E R M INO L O GY ............................................................................................................................15
2.1 CLASSES OF 1Pv4 A DDRESS RANGES ...............................................................................................................15
2.2 NETW ORK TELESCOPES .....................................................................................................................................15
2.3 BACKSCATTE .....................................................................................................................................................16
3 UNWANTED TRAFFIC CHARACTERIZATION .......................................................................................17
3.1 PREVIOUS W ORK ................................................................................................................................................17
3.2 TRAFFic D ATA U SED FOR A NALYSIS ..............................................................................................................18
3.3 M ETHODOLOGY ..................................................................................................................................................19
4 T O O L S D E V E L O PE D ...........................................................................................................................................21
4.1 M EASUREM ENTS ................................................................................................................................................21
4.2 TABLES .................................................................................................................................................................24
4.3 PLO TS ...................................................................................................................................................................25
5 CHARACTERISTICS OF UNWANTED TRAFFIC ....................................................................................29
5.1 GENERAL RESULTS ............................................................................................................................................29
5. 1. 1 The Na ture of Backscatter........................................................................................................................ 30
5.1.2 ,5nortalerts.................................................................................................................................................37
5.2 CLASS B RESULTS ..............................................................................................................................................38
5.2.1 Non-Un form Backscatter........................................................................................................................ 39
5.2.2 Non-U ni rm Primary Traffi c .................................................................................................................41
5.2.3 Banded Traffi c ...........................................................................................................................................42
5.2.4 Afulti-port TCP attacks ............................................................................................................................44
5.2.5 High Volum e ICMP Destination Unreachable.................................................................................... 45
5.2.6 1CA1fP Echo R equest Sw eep.....................................................................................................................46
5.2.7 Class B UD P Sw eep..................................................................................................................................47
5.2.8 Select Tar get High Volum e UD P Traffic ..............................................................................................48
5.3 CLASS C RESULTS ..............................................................................................................................................48
5.3. 1 Packet N oise ..............................................................................................................................................49
5.4 TARGETED IP A DDRESS RESULTS ....................................................................................................................52
5.4. 1 Diurnal Packet Pattern............................................................................................................................52
5.4.2 Sim ilar Temp oral Trqffic Patternacross Class B Subnets ................................................................ 53
5.4.3 Single Target P2P Primary Trqffic ........................................................................................................56
6 C O N CL U SIO N .........................................................................................................................................................59
R E FE R E N C E S .............................................................................................................................................................61
A PPE N D IX A ...............................................................................................................................................................63
A . I - X X. 1.0.0/ 16 .....................................................................................................................................................65
A .2 - XX .49.0.0/16 ...................................................................................................................................................69
A.3 - XX .81.0.0/16 ...................................................................................................................................................73
A.4 - XX . 128.0.0/16 ................................................................................................................................................. 77
A .5 - X X . 168.0.0/16 ................................................................................................................................................. 81
A .6 - XX .204.0.0/16 ................................................................................................................................................. 85
A.7 - XX .229.0.0/16 ................................................................................................................................................. 89
A .8 - XX .243.0.0/16 ................................................................................................................................................. 93
A .9 - XX .244.0.0/16 ................................................................................................................................................. 97
A . 10 - XX .248.0.0/16 ............................................................................................................................................. 101
A. I I - XX .2 51.0.0/16 ............................................................................................................................................. 105
A PPENDIX B ............................................................................................................................................................. 109
B. I - XX . 5 5.14 5.0/24 ............................................................................................................................................. III
B.2 - X X. 128.8.0/24 ............................................................................................................................................... 115
B.3 - X X .198.188.0/24 ........................................................................................................................................... 119
BA - XX .209.239.0/24 ........................................................................................................................................... 123
B.5 - X X.218.68.0/24 ............................................................................................................................................. 127
B.6 - X X .220.236.0/24 ........................................................................................................................................... 131
B.7 - X X .226.255.0/24 ........................................................................................................................................... 135
B.8 - XX .239.255.0/24 ........................................................................................................................................... 139
B.9 - X X.248.246.0/24 ........................................................................................................................................... 143
List of Figures
Figure 1- The total amount of TCP, UDP, and [CMP packets received by each class B subnet...............30
31
Figure 2 - The three significant TCP packet types received on each class B subnet ....................................
32
Figure 3 - The remaining TCP packet types received on each class B subnet..............................................
33
Figure 4 - Backscatter received on each class B subnet......................................................................................
33
Figure 5 - Primary and backscatter traffic amounts destined to the class B subnets......................................
Figure 6 - The amount of RST/ACKs compared to SYN/ACKs that each class B subnet received...............34
Figure 7 - The amount of ACKs compared to SYN/ACKs that each class B subnet received................... 35
Figure 8 - Primary and backscatter amounts for each class B subnet as a function of destination ports ....... 36
Figure 9 - Primary and backscatter amounts for each class B subnet as a function of IP sources............... 36
38
Figure 10 - Snort alerts in 10 1B ..................................................................................................................................
40
Figure 11 - Traffic destined to 204B, where TCP traffic is non-uniform.......................................................
40
Figure 12 - Destination ports for 204B, where high ports receive a distinct pattern of traffic .....................
Figure 13 - A non-uniform distribution of packets received by each class C subnet in 204B....................41
Figure 14 - A non-uniform distribution of packets received by each class C subnet in 192B ..................... 42
43
Figure 15 - Vertical bands of traffic in the 49B destination IP address plot ...................................................
Figure 16 - Four ports on 243B received packets at the same time and with the same duration ................ 44
Figure 17 - Snort alerts for I B, where ICMP destination unreachable is the highest volume alert ............ 45
Figure 18 - An ICMP sweep going across 81 B starting at +72 hours and ending at +84 hours ................. 46
Figure 19 - Traffic destined to 168B, where vertical UDP sweeps visually outnumber the TCP sweeps.....47
49
Figure 20 - Total backscatter in the low and mid volume class C subnets.....................................................
50
Figure 21 - Total amount of traffic received by each IP address within 55.145C.........................................
51
Figure 22 - A plot of every packet received by each IP address in 55.145C...................................................
Figure 23 - A plot of every packet received by each IP address in 198.188C ................................................
51
Figure 24 - Diurnal packet per hour versus time plot for 109.116C.................................................................
53
54
Figure 25 - Packet per hour plot for 5.67C in which 210.245.191.90 sent little traffic .................................
Figure 26 - Packet per hour plot for 101.204C in which 210.245.191.90 sent a high volume of traffic ........ 55
55
Figure 27 - Packet count from the top 18 IP sources, sent to 4 IP addresses ..................................................
Figure 28 - Total backscatter received on the 23 IP addresses, based on the rightmost octet..................... 56
57
Figure 29 - Packet per hour plot of P2P traffic sent to xx.218.68.212 ...........................................................
9
10
List of Tables
Table I - Breakdown of packet types in the dataset ...........................................................................................
Table 2 - The traffic breakdown, by port, for the 5 IP addresses that had a diurnal packet pattern ...........
II
29
53
12
Chapter 1
Introduction
Accurate models of Internet traffic are required to design and test devices that process,
analyze, and act upon this traffic. Accurate estimates of traffic rates enable a manufacturer to
design and build forwarding devices, such as routers and switches, which will keep up and not
collapse under typical activity. Similarly, a commercial website designed in anticipation of a
realistic number of requests per day stands a better chance delivering services to customers than
one that has not been designed with these factors in mind. In addition to traffic rates, traffic
complexity plays an important role in testing security devices. Firewalls, intrusion detection
systems, and other security devices must be resilient to harmless traffic patterns that generate
false alarms.
As the Internet has grown, the quantity and variety of Internet traffic has increased an
enormous rate [1]. One might expect that such an increase in traffic is the result of productive
communications between a growing number of users and new web pages and service applications
now available on the Internet. While this is true to a large degree, it is also true that a significant
amount of traffic seen on the Internet is destined to hosts that either did not request or do not
expect the traffic. The increasing quantity and variety of this unrequested and unexpected traffic
makes it difficult to develop realistic models of Internet traffic [1]. For the discussion and
analysis that follows, unrequested and unexpected traffic is referred to as unwanted traffic (UT).
UT is generally composed of malicious traffic sent from worms, viruses, probes, and spyware, but
can also consist of traffic sent from misconfigured routers or applications, and traffic corrupted
by noise or interference on network transmission lines [2,3]. While there has been a large amount
of study on the volume and variety of productive traffic on the Internet, little work has been done
to understand and classify UT on the Internet.
The goal of this project is to gain an understanding of key characteristics of UT through
the use of exploratory data analysis. Toward this end, software tools were developed that
13
describe UT through plots, tables, and short summaries. These representations of UT
demonstrate that UT is complex and highly variable across subnets and time, and thus hard to
model. Instead of modeling UT, I show how it can be replayed on a network testbed, for device
testing. In addition, I attempt to classify a wide range of UT seen and catalog the attacks
commonly seen in UT.
This project is motivated by the need to develop a testing environment that includes
realistic UT. The analyses in this project will allow for the development of systems that model
the Internet with greater accuracy. One system that models and generates Internet traffic is the
Lincoln Adaptable Real-time Information Assurance Testbed (LARIAT) [4]. LARIAT generates
Internet traffic that allows hardware and software security tools, such as, intrusion detection
systems (IDS's) and firewalls, to be tested under reliable, repeatable realworld conditions
without being exposed to real Internet traffic. This is accomplished using a network of computers
that replicate Internet sites and model the various behaviors of users, such as browsing web
pages, writing documents, and sending and receiving email. While this system does a good job at
modeling typical user behavior and interaction with server machines, the generated traffic does
not contain UT, as described above. The analyses performed here make it possible to select
portions of UT to replay on LARIAT. This traffic replay will contain realistic UT traffic
characteristics previously unavailable on LARIAT.
Another motivation of this project is to enhance the current understanding of Internet
traffic. Organizations such as the Cooperative Association for Internet Data Analysis, CAIDA,
strive to "provide enhanced insight into the function of Internet infrastructure worldwide" [5].
Developing tools that enable the identification and analysis of UT, now and in the future, will
allow for the observation of trends in this area of traffic.
The rest of this thesis is laid out as follows. Chapter 2 explains the terminology used in
the paper. Chapter 3 discusses previous work done in related areas and the traffic data used in the
analysis. The methodology and analysis procedures are presented here. Chapter 4 presents the
details of how the measurements, tables, and plots of the exploratory data analysis tools work and
how their output should be interpreted. Chapter 5 discusses the results of the analyses and the
various phenomena observed in UT. Chapter 6 presents a summary of the work and considers
future directions.
14
Chapter 2
Network Terminology
This chapter defines terminology used to discuss and analyze unwanted traffic.
2.1 Classes of IPv4 Address Ranges
A class A network is a contiguous range of 224 (16,777,216) IPv4 addresses, where the
leading octet of the IP address is any constant between 1 and 126, inclusive. Each of the other
three octets can range from 0 to 255, inclusive. The CIDR equivalent subnet mask for a class A
network is /8. Class B subnets refer to an IP address range where the first two leading octets of
the IP address are constant (ex. 1.2.0.0/16). There are 216 (65,536) IP addresses within a class B
subnet. Similarly, class C subnets refer to an IP address range where the first three leading octets
of the IP address are constant (ex. 1.2.3.0/24). There are 28 (256) IP addresses within a class C
subnet.
2.2 Network Telescopes
A network telescope [6,7] is a routed but unused IP address space. An unused IP address
space is a range of IP addresses that contains no active hosts generating or replying to traffic.
Sources that send traffic to a network telescope have no reason to believe that there are active
hosts to respond to the traffic, and so there is no legitimate purpose in sending traffic to a network
telescope. A network telescope can be of any size, with larger network telescopes being more
likely to observe packets sooner from Internet events, such as worms spreading. Network
15
telescopes offer a convenient way of observing Internet-wide events, as there are no outbound
packets, which would interfere with the composition of the traffic from these events.
2.3 Backscatter
Backscatter is defined as traffic received from victims that are responding to malicious
denial-of-service (DOS) attacks. Since backscatter is response traffic, the packet types that
backscatter can consist of are limited to TCP SYN/ACKs, TCP RST/ACKs, and certain ICMP
types like Echo Reply and Destination Unreachable. Backscatter arrives at the unused address
space because the source addresses of the attack traffic are spoofed. If the source address is
spoofed randomly from the entire IPv4 address space, the probability of a backscatter packet
reaching a network telescope is n/23 , where n is the size of the network teLscope.
16
Chapter 3
Unwanted Traffic Characterization
This chapter discusses some of the previous work performed in relation to unwanted
traffic. The data used in the analyses and the methodology is also explained.
3.1 Previous Work
Only recently have researchers begun to analyze unwanted traffic. UT can be categorized
into primary and secondary unwanted traffic. Primary UT is typically an initiating packet, such
as a connection request originating from an attacker or misconfigured host. These packets are
commonly TCP SYNs, UDP, or ICMP Echo Request packets. Secondary UT is response traffic
solicited by primary traffic, where the source IP address is spoofed. These packets are commonly
TCP SYN/ACKs, TCP RST/ACKs, or ICMP Destination Unreachable. Moore et al. [8] have
looked at secondary unwanted traffic, referred to as backscatter, while Pang et al. [9] have looked
at primary unwanted traffic.
The work of Moore et al. [8], presents an in-depth analysis of backscatter traffic as
received by a network telescope. Through their analysis of three weeks worth of traffic from
February 2001, on a class A network telescope, the authors derive an estimate of the composition
of backscatter and the duration of denial-of-service attacks seen on the Internet. They observed
approximately 71% of the backscatter packets to be ICMP packets (Destination Unreachable and
TTL exceeded), 21% to be TCP RST/ACK packets, and 7% to be TCP SYN/ACK and TCP RST
packets. They also observed that 90% of the attacks lasted less than an hour. Backscatter traffic
represents a significant portion of unwanted traffic and will be a component of the data replayed
through the current research. The work of Moore et al. did not look at primary unwanted traffic,
which will be the other component of the replayed data.
17
Pang et al [9] present a second research effort related to the analysis of unwanted traffic.
In a fashion similar to the work of Moore et al., the researchers capture and analyze traffic
received at various unused IP address spaces. Denoting the unwanted traffic received as
'background radiation,' Pang et al. develop response agents that interact with primary traffic
sources. By engaging the sources of the primary traffic in communication, the researchers are
able to recognize specific attack types and develop detailed descriptions of the composition of
this component of unwanted traffic. Before developing the responding agents to any packets,
they collected a week of traffic on 10 contiguous class B subnets, from April 28 to May 5, 2004,
and a week of traffic on a class A network with 1/10 sampling, from March 11 to March 18,
2004. On the 10 class B subnets, the traffic was composed of 56.5% TCP, 39.6% ICMP, and
3.8% UDP. The top 3 TCP ports targeted, based on packet count, were 135, 445, and 139. These
three ports accounted for over 60% of the TCP SYN packets. On the class A network, the traffic
was comprised of 88.5% TCP, 0.3% ICMP, and 11.3% UDP packets. In both of these datasets,
99% of the TCP packets were TCP SYNs. Except for the ICMP packets in the 10 class B subnets
(99.9% of which were ICMP Echo Request), there were no temporal patterns observed in the
packet rate.
3.2 Traffic Data Used for Analysis
One of the goals of this project was to analyze unwanted traffic, including both primary
and backscatter UT. UT was defined as unrequested and unexpected traffic. Care was taken to
ensure that the dataset selected for analysis did not contain Internet traffic that was not UT. For
this reason, the dataset chosen was derived from a network telescope. Because these sources sent
traffic to a network telescope, which, by definition, have no active hosts, this traffic was
unrequested and unexpected, hence, unwanted traffic.
The dataset used was provided by CAIDA. It represents traffic destined for a class A
network telescope. The dataset was collected over a period of 93 hours starting from 2:30 PM
EST on Monday February 28, 2005 and ending at 11:30 AM EST on Friday, March 4, 2005. In
total, there were 160GB of trace files.
There were certain filtering requirements on the traffic data. Although the address range
of the network telescope was unused, it was not completely empty; there existed hosts on this
network that were the source of data. While none of the machines in the network telescope
communicated to the Internet, certain machines communicated to other machines within the class
18
A network. The class B subnets in the dataset that contained any machine either transmitting or
receiving internal traffic within the class A subnet were filtered. This left 123 class B subnets
free of any type of data contamination.
3.3 Methodology
The first analysis step was to break the data up into manageable segments and select the
segments to analyze. The UT to be incorporated into LARIAT will be played back onto class B
or C subnets, and so we analyzed the data as such. There were 123 class B and 31,488 class C
subnets available for analysis. Unfortunately, performing a thorough analysis on this many
subnets would have meant going through hundreds of thousands of plots and charts. As this
would have be too time consuming, a quick analysis was performed on a measurement of interest
to the users of LARIAT, namely, total traffic destined to a subnet. The class B and C subnets
were divided into those at the top, middle, and bottom of a sorted total packet count list. Then 30
subnets were thoroughly analyzed from each group, 180 subnets in total.
The second step was to choose what information to extract from the chosen subnets. The
set of measurements chosen are representative of some of the basic characteristics of network
traffic. These measurements include traffic protocol composition, destinations addresses and
ports hit, the number of source addresses sending traffic to the subnet, and the number of alerts
and scans seen in the traffic. These measurements were analyzed with respect to all the traffic,
the top 90% of traffic, and top 50% of traffic. The notion of 'top X% of traffic' is different with
each measurement, and is explained in detail in chapter 4.2.
With all these measurements, one large table was created, where each row represented a
different subnet and each column represented a measurement. The table was sorted according to
different measurements, and groupings of subnets based on similar measurements were
extrapolated.
The data revealed that class B subnets are hard to cluster based on their measurements.
This is attributed to the relative low number of class B subnets available and the different
combinations of variability found with 256 class C subnets composing a class B subnet.
However, some patterns were identified as targeted specifically to a class B subnet.
The data revealed that class C subnets are easier to cluster based on their measurements.
For example, many subnets have low traffic volume and share similar attributes in terms of
number of sources sending traffic and number of unique ports destined. The ability to cluster
19
these subnets will allow users to test security tools with a fraction of the class C subnets and yet
achieve a wide coverage of the behaviors observed.
20
Chapter 4
Tools Developed
Software tools were developed that describe UT through measurements, tables, and plots.
These tools were developed using the CoralReef [13] software suite, Dislin plotting library [14],
and custom Perl scripts. This chapter describes traffic measurements used in the exploratory data
analysis and how to interpret these measurements.
4.1 Measurements
The following is a description of each measurement taken on the subnets analyzed. In
certain measurements, three values represent the measurement with respect to the top 100%, top
90%, and top 50% of traffic. The precise definition for 'top X% of traffic' differs depending on
the measurement, and is defined explicitly in each of the applicable measurements.
1. Total packet and byte count
The totalpacket and byte count is a measure of the volume of traffic seen on a
subnet. This measurement is used as an initial classifier of subnets, where we sorted
the subnets by the total packet count, and then analyzed the subnets from the top,
middle, and bottom of this list.
2.
Average packet and byte rate
The averagepacket and byte rate for a subnet is the totalpacket and byte count
divided by the duration, in seconds, of the dataset.
3.
Peak packet and byte rate
21
The peakpacket and byte rate is the highest count of packets and bytes received by
the subnet in any one-second interval. This value represents the amount of traffic a
replay system must be able to handle to avoid dropping packets.
4.
Traffic composition in terms of percentage of TCP, UDP, and ICMP
The traffic composition indicates the percentage of TCP, UDP, and ICMP traffic
reaching the subnet. This is calculated by taking separate counts of TCP, UDP, and
ICMP packets and dividing by the total packet count for the subnet. Occasionally,
these three counts will not add up to 100%, since subnets can receive traffic protocols
other than TCP, UDP, and ICMP. However, no other traffic protocol contributed
more than 0.1% of the traffic, in any of the subnets analyzed.
5. TCP packet type breakdown
TCP packets are further broken down into counts of TCP SYN, SYN/ACK, ACK,
RST, RST/ACK, and OTHER types. TCP OTHER packets are any TCP packets
where the TCP flags do not fall into any of the previously mentioned TCP types.
6. Number of unique Snort alerts
The number of unique Snort alerts indicates how many different types of suspicious
activities are hitting a subnet based on the output from Snort [10]. Snort is a widely
deployed intrusion detection system (IDS) that uses a rule -based language to detect
potentially malicious packets. Snort was chosen as it represents a popular IDS used
in industry.
7.
Total number of Snort alerts
The total number ofSnort alerts is the sum of all the alerts, as seen by Snort,
triggered by the packets received on the subnet.
8.
Total number of scans and number of packets composing the scans
This measurement indicates the total number of scans detected by Snort along with
the sum of the packet count of each scan. In the analysis, a scan was defined as
containing at least a 1/16 packet count in relation to the number of IP addresses of the
subnet. In other words, a scan in a class C subnet, which contains 256 IP addresses,
is comprised of at least 16 packets. A scan in a class B subnet, which contains
65,536 IP addresses, is comprised of at least 4,096 packets. Although somewhat
arbitrary, 1/16 is the smallest fraction of packets pertaining to a scan that one can
easily notice in the corresponding destinationIP address index versus time plot.
9.
Total number of unique destination ports
22
The total number of unique destinationports seen in the traffic help distinguish the
level of focus of probes and attacks in the traffic. In the case of ICMP traffic, the
ICMP type is treated as unique destination ports (ex. ICMP Destination Unreachable
and ICMP TTL Exceeded would be two unique destination ports separate from any
TCP or UDP port). The top X% in this measurement is calculated by sorting the total
number of packets sent to each TCP port, UDP port, and ICMP type. The sum up the
number of packets in this list, in descending order, is taken until the packet count is at
least X% of the total packet count. A very low number of ports in the top X% mean
that most of the traffic was focused on exploiting a small set of vulnerabilities. A
high number in the top X% might mean that there was a lot of backscatter traffic
destined for random ports.
10. Number of unique source IP hosts
This measurement represents the number of unique IP hosts (IP addresses) sending
traffic to the subnet. The maximum number of possible hosts in the IP address space
is approximately 4 billion. The top X% is taken by sorting a list of source IP
addresses, in descending order, by the total number of packets sent to this subnet.
The packets sent by each IP address is added until the total contribution of packets
sent by these source IP hosts is at least X% of the total number of packets sent. A
high number of unique source IP hosts in the top X% means there is a relatively large
number of IP addresses sending packets to this subnet. This signifies a distributed
attack or random traffic. A low number of unique source IP hosts in the top X% can
signify an attack from few sources, or backscatter arriving on the subnet due to a
spoofed source IP address in the original attack packet.
I1. Average packet and byte count per source
The averagepacket and byte count per source is calculated by dividing the total
packet and byte count by the number of unique source IP hosts sending traffic to the
subnet. The top X% is calculated by dividing the total packet and byte count by the
top X% value for the number of unique source IP hosts.
12. Number of unique destination IP hosts
This measurement is similar to the number of unique source IP hosts measurement,
except that the count is of the number of unique IP addresses inside the subnet that
received traffic. The maximum number of possible destination hosts is 65,536 in a
class B subnet and 256 in a class C subnet. Given enough time, every host in a class
B or C subnet is expected to receive at least one packet. The top X% is calculated by
23
sorting the list of destination IP addresses by total packets received. The packets
received by each destination IP address is added, in descending order, until at least
X% of the total traffic received on the subnet is accounted for. A high number of
destination IP addresses in the top X% signifies that traffic is randomly distributed
across the subnet. A low number of destination IP addresses in the top X% signifies
that an attack is being directed to a specific machines, or that these machines are
receiving backscatter.
13. Average packet and byte count per destination
The averagepacket and byte count per destination is calculated by dividing the total
packet and byte count by the number of unique destination IP addresses receiving
traffic. The top X% is calculated by dividing the total packet and byte count by the
top X% value for the number of unique destination IP addresses.
4.2 Tables
Several tables were developed as part of the analysis. Although only the top three values
for each table per subnet are shown, the software tools developed create complete tables that
account for all the traffic. The following is a description of the tables.
1. Protocol type and port destination, across TCP, UDP, and ICMP
This table shows the total packet and byte counts and percentages destined to a
unique protocol port. ICMP packets are included in this table but the ICMP type is
used in place of the destination port. This table is sorted by packet count. Table Al4 in Appendix A is an example of this table. In this example, ICMP does not show up
because no ICMP type accounted for more than 12.9% of the packets.
2.
Destination IP addresses
This table contains the total count and percentage of traffic received by each IP
address in the subnet, sorted by descending packet count. The first octet of each IP
address in the table has been replaced by 'xx' to mask the class A network from
which this dataset was collected. Table A1-5 in Appendix A is an example of this
table.
3.
Source IP addresses
24
Similar to the destinationIP addressestable, this table shows the count and
percentage of traffic each source IP address sent to the subnet. This table is sorted by
packet count. Table A 1-6 in Appendix A is an example of this table.
4. Snort alerts
This table displays each Snort alert triggered by the traffic along with a count of the
number of times the alert was triggered and a percentage of the total alert count.
Table A1-7 in Appendix A is an example of this table.
4.3 Plots
There are six plots generated for each of the class B and C subnets analyzed. The
following is a description of the types of plots generated for each subnet analyzed. Two of the
plots have minor differences between the class B and C subnet versions, and are distinguished as
different plot types in the list below.
1.
Packets per hour versus time
In the packets per hour versus time plots the X-axis represents time measured in
hours from the start of the dataset The Y-axis denotes the total packets received on
the subnet per one-hour time interval. The horizontal line in the plot denotes the
average packets per hour received on the subnet, measured over the course of the
whole dataset. The Y-axis scale was fixed at 300,000 packets per hour for all class B
subnet plots, and 14,000 packets per hour for al but one class C subnet plot. Figure
A l-I in Appendix A is an example of this plot.
2.
Bytes per hour versus time
The bytes per hour versus time plot is similar to the packet per hour versus time plot,
except the data here is in terms of bytes. The Y-axis scale was fixed at 15,000,000
bytes per hour for all class B subnet plots, and 700,000 bytes per hour for all but one
class C subnet plot. Figure A1-2 in Appendix A is an example of this plot.
3.
Destination IP address index versus time for class C subnets
In this plot, the X-axis shows time measured in hours. The Y-axis shows the decimal
value of the rightmost IP address octet. In other words, all IP addresses in the class C
subnet, 256 IP addresses, are represented on the Y-axis. Every point in the plot
represents a packet sent at a specific time to a specific IP address. Solid horizontal
25
lines form when one machine constantly received packets for a period of time.
Vertical lines represent a range of IP addresses that received packets in a very small
time interval. Although one can see horizontal and vertical lines in the plot, in reality
the plot is solely composed of points. These points are close enough together that
they form solid lines. All of the packets destined to the class C subnet were plotted.
Figure B 1-3 in Appendix B is an example of this plot. Although there are vertical
bars that have the same thickness, such as the ones at +25 and +31, the amount of
traffic within each bar cannot be assumed to be similar, as there can be a quick
succession of packets which show up as a single point.
4. Destination IP address index versus time for class B subnets
This plot is similar to the destinationIP address index versus time for class C subnets
plot, except that the Y-axis shows the decimal value of the two rightmost IP address
octets. Every single IP address in the class B subnet, 65,536 IP addresses, is
represented on the Y-axis. Since this plot contains a much greater range of IP
addresses, there are diagonal lines, in addition to horizontal and vertical lines. The
diagonal lines are similar to the vertical lines, denoting a range of IP addresses that
received packets over the course of time. Another difference in this plot arises from
the increased magnitude of packets destined to class B subnets. Although every
packet was represented with a point in the class C plots, attempting to plot all the
packets received by a class B subnet would yield an unreadable solid box in the plot
window. To develop a readable plot for the class B subnet, every
10
0
th
point (the
title of the plot contains the phrase 'skip=100' to represent this) is plotted While
making the plot readable, plotting every
10
0
th
point can lead to loss of significant
events in the plot, such as scans. To provide some degree of confidence that there
was no major loss of data, the same subnet was plotted various times, shifting the
first point used each time. A shift in the first point causes a shift in all the points
used that follow. I was able to confirm that the multiple plots of the same subnet
were similar by visually observing that the same horizontal, vertical, and diagonal
lines were visible in each plot. Figure A1-3 in Appendix A is an example of this plot.
5.
Destination port versus time
In the destinationport versus time plot, the X-axis represents time, in hours. The Yaxis is a log scale of the port numbers a packet can be destined for, between I and
65,535. Each point is plotted as a unique color and symbol depending on the packet
type. The packet types shown in this plot are UDP packets and TCP (SYN,
26
SYN/ACK, ACK, RST, RST/ACK, and OTHER) packets. ICMP packets are not
shown, as these packets are not destined to ports. The destinationport versus time
plot allows one to discern which services are receiving packets and if multiple
services are being attacked at the same time with similar duration and intensity.
Figure A 1-4 in Appendix A is an example of this plot. The points are plotted in
descending order of packet type as based on the list in the legend. This means that
packet types at the bottom of the list, such as RST/ACKs, will obscure packet types
preceding them, such as UDP.
6. Total packets to each IP address for class C subnets
In this plot, the X-axis represents each of the individual 256 IP addresses that
compose the class C subnet. The Y-axis shows the total number of packets received
over the course of the 93 hours in the dataset. This plot allows one to observe any
bias towards a single IP address or a cluster of IP addresses, in terms of packet
destination. Figure B 1-5 in Appendix B is an example of this plot. This plot shows a
bias towards the lower half of the IP range, and that certain IP addresses such as
xx.55.145.202 received eight times as many packets as the average. Figure B2-5 in
Appendix B is another example of this plot where xx. 128.8.14 received so many
packets that the quantities received by the other IP addresses do not show up because
of the magnitude of the Y-axis scale.
7.
Total packets in each class C subnet for class B subnets
This plot is similar to the totalpackets to each IP addressfbrclass C subnets plot
except that the X-axis represents each of the 256 class C subnets that compose the
class B subnets. For example, on the xx.1.0.0/16 class B subnet plot, the Y-value
corresponding to 98 on the X-axis would represent the total packets received by the
class C subnet represented by xx. 1.98.0/24. Figure Al-5 in Appendix A is an
example of this plot.
8.
Snort alerts versus time
In the Snort alerts versus time plot, the X-axis represents time measured in hours.
The Y-axis on this plot lists each of the Snort alerts seen over the course of the 93
hours, in ascending order, by alert count, where the alert count is shown in
parenthesis. Each point on the plot marks a time when a single alert was triggered.
Since some of the high-count alerts would show up as solid bars, the point is colorcoded to signify the number of alerts seen in that one-hour period. Note that the plot
will show a unique point for every single alert, so in a one-hour period, all the points
27
will be the same color, and the number of alerts in that whole one-hour period is
equivalent to the associated color in the legend. Figure B 1-6 in Appendix B is an
example of this plot.
28
Chapter 5
Characteristics of Unwanted Traffic
This chapter discusses the characteristics of the unwanted traffic arriving on the class A
network. The first section explains the general results observed across the whole class A
network. Sections 5.2 and 5.3 delve into the phenomena observed within the class B and C
subnets. Section 5.4 describes high volume traffic patterns targeted to specific IP addresses.
5.1 General Results
The 123 class B subnets in the dataset received 842 million packets over the course of 93
hours. The composition of the traffic seen in the dataset is shown in Table 1. TCP SYNs, UDP,
and ICMP Echo Request packets (comprising 90% of the ICMP packets), are considered types of
primary UT and made up 82% of the traffic, while the backscatter
Packet Type
is composed of the remaining 18% of the traffic.
The traffic breakdown differs significantly from both
Moore's and Pang's results, and hint at how much the distribution
of traffic across protocols can differ. Moore's work, which looked
at backscatter traffic in 2001, found a two-to-one ratio of ICMP
destination unreachable packets to TCP RST/ACKs and TCP
TCP SYN
% of
Total
Packets
59
TCP SYN/ACK
9
TCP RST/ACK
8
I
TCP OTHER
20
UDP
ICMP
3
Table 1 - Breakdown of packet
types in the dataset.
SYN/ACKs put together, whereas our dataset had a radically
smaller ratio of nearly one-to-fifty. Pang's 2004 study found 11% of the packets in a class A
network to be UDP and 88% of the packets to be TCP SYNs. Their class A network received
traffic at a rate of 147 packets per destination IP address per day. In our class A network 20% of
the packets were UDP and 59% of the packets were TCP SYNs. The traffic rate was 27 packets
per destination IP address per day.
29
..................
.....................
...................
On average, each class B subnet received 6.8 million packets, with 5.2 million packets on
the low end, 9.8 million packets on the high end, and two outliers with 12.0 million packets.
Figure 1 shows the amount of TCP, UDP, and ICMP packets received by each class B subnet.
The amount of ICMP and UDP traffic received at each class B subnet was consistent; however,
the amount of TCP traffic varied significantly between the lower and upper half of the class A
network. The amount of TCP traffic decreased by approximately 20%, or 1.2 million packets,
between the lower half of the class A network (from xx.0.0.0/16 to xx.127.0.0/16, there were 55
class B subnets analyzed) and the upper half of the class A network (from xx.128.0.0/16 to
xx.255.0.0/16, there were 68 class B subnets analyzed). This decrease was caused by the
unexpected distribution of backscatter traffic.
Total TCP, UDP, and
ICMP packets in each class B subnet
12 -
TCP
OUDP
10
A lCMP
6
-2
0
0
0
32
64
96
128
160
192
224
Class B subnet index
Figure 1 - The total amount of TCP, UDP, and TCMP packets received by each class B subnet.
5.1.1 The Nature of Backscatter
As explained in section 2.3, backscatter traffic is response traffic received from machines
replying to spoofed source addresses. It is typically assumed that the source address for the
packet causing backscatter is randomly spoofed, and chosen uniformly from the IPv4 address
space. Assuming uniformity in spoofed addresses allows one to calculate the amount of
backscatter on the Internet, based on the backscatter seen at a network telescope. Two wellknown exceptions to the randomness and uniformity of spoofed source addresses are reflector
attacks and broken pseudo-random number generators (PRNGs).
30
.
....
....
.....
-.......................
........
................
-...............
.........
Reflector attacks are distributed denial-of-service (DDOS) attacks in which backscatter
arrives from multiple machines to a single fixed spoofed source address [11]. The backscatter
from this type of attack is meant to disrupt a single machine. This type of attack is recognizable
since only a few hosts in a class A network would receive a large amount of backscatter traffic.
PRNGs are used to generate random numbers for IP addresses. A correctly implemented
PRNG would generate a uniform distribution of random numbers. Broken PRNGs generate
uneven distribution of random numbers. When a broken PRNG generates spoofed source or
destination IP addresses, packets will arrive to certain addresses at a higher frequency than other
addresses, and some addresses might never be generated.
Closer examination of the TCP traffic, as shown in Figure 2, illustrates that the drop in
traffic was due to a decrease in TCP SYN/ACK and RST/ACK packets. The decrease in these
two backscatter packet types at different regions of the class A network indicates that the spoofed
addresses for backscatter was not selected uniformly from the IPv4 address space. The other
types of TCP packets, which contributed to backscatter but comprised less than 1% of the TCP
packets, are shown in Figure 3. It is interesting to note, in Figure 3, that the amount of TCP
ACKs dropped precipitously in the upper half of the class A network.
Total TCP type packets in each class B subnet
SYN
6-
ASYN/ACK
5
RST/ACK
3
-2
1-1
0
0
32
64
96
128
160
192
224
Class B subnet index
Figure 2 - The three significant TCP packet types received on each class B subnet.
31
. ....
.....
..
.........
.....
..................
......
. .................
Total TCP type packets in each class B subnet
0.16
+ ACK
0.14
>
0 0.12
RST
A OTHER
E 0.10
S0.06
.
00
0.0
0 .02
0.00
0.
32
64
96
128
160
192
224
Class B subnet index
Figure 3 - The remaining TCP packet types received on each class B subnet.
The differences in backscatter between the two halves of the class A network suggest that
the backscatter addresses within the class A network were not chosen uniformly. Figure 4, which
shows the total amount of backscatter received on each of the class B subnets, reveals that even
within the two halves of the class A network, backscatter was not destined uniformly. There were
several 'fixed' quantities of backscatter received at different class B subnets throughout both
halves of the class A network Though not literally fixed, the amounts of backscatter received fall
into identified clusters with very small standard deviations. From the 123 class B subnets
analyzed, there were six clusters of total backscatter, shown in Figure 5 (ignoring 2 outliers at 6
million). Figure 5 was created by plotting the total backscatter on each of the class B subnets,
where the subnets are sorted by ascending backscatter quantities. Similarly, the total primary
traffic was sorted for all the class B subnets and plotted in Figure 5. Note that the X-axis values
do not pertain to any specific class B subnet as the primary and backscatter packet totals were
sorted independently and plotted on the same graph for easier comparison. The six clusters of
backscatter in Figure 5 form at 620,000, 1.1 million, 1.6 million, 1.9 million, 2.4 million, and 2.9
million packets. These clusters represent a set of impulses in backscatter, concentrated at six
values. Primary traffic, on the other hand, has a continuous nearly straight-line curve, which
indicates the class B subnets received a uniform distribution of packets between 4.5 and 6
million.
32
Total backscatter in each class B subnet
U)
C:
0
CL
L)
CD)
0.
0
96
64
32
160
128
224
192
Class B subnet index
Figure 4 - Backscatter received on each class B subnet.
Primary and backscatter traffic continuity
Uh
0
8-
+ Primary
7-
X Backscatter
6
5
4-
CU)
0L
0
3
2
1
0
0
20
40
80
60
100
120
Unordered class B index
Figure 5 - Primary and backscatter traffic amounts destined to the class B subnets. Both plots sorted
independently to illustrate differences in uniformity.
The two main contributors of backscatter were TCP SYN/ACK and TCP RST/ACK
packets. SYN/ACK and RST/ACK each accounted for approximately half of the backscatter.
SYN/ACKs are sent when a TCP connection attempt is successful. RST/ACKs are sent when the
TCP connection is unsuccessful due to an active computer not receiving packets on a specified
port. In effect, these two packet types compliment each other, and you would not expect to
receive one if you have received the other. However, in the dataset, there was an extremely high
33
correlation, shown in Figure 6, between the number of SYN/ACK packets and the number of
RST/ACK packets each class B subnet received. The first three clusters on the left half of Figure
6 correspond to the upper half of the class A subnet and have a ratio of between one and two
RST/ACK packets for every one SYN/ACK. The second three clusters, on the right half of
Figure 6, correspond to the lower half of the class A subnet and have a ratio of between one and
two SYN/ACK packets for every two RST/ACKs. Similarly, there is a very strong correlation
between the number of SYN/ACK packets and the number or ACK packets, shown in Figure 7.
Total number of SYN/ACK packets versus RST/ACK packets for all 123 class B subnets
1.5
1.25
1
C.)
0 2 0.75
0
0.5
E
0.25
z
0
0
0.25
0.5
0.75
1
1.25
1.5
Number of SYN/ACK packets (in millions)
Figure 6 - The amount of RST/ACKs compared to SYN/ACKs that each class B subnetreceive d (two
high volume outliers not plotted). The number of class B subnet points in each cluster from left to
right is 40, 18, 8, 36, 11, and 8.
34
Total number of SYN/ACK packets versus ACK packets for all 123 class B subnets
15000
12500
0
10000
<7500
0
E
z
-05000
2500
0NE
0
0.25
0.5
0.75
1
1.25
1.5
Number of SYN/ACK packets (in millions)
Figure 7 - The amount of ACKs compared to SYN/ACKs that each class B subnet receive d (two high
volume outliers not plotted).
While the non-uniformity of backscatter was unexpected, there were other expected
characteristics of backscatter confirmed in the dataset. One characteristic found in backscatter
was that the more backscatter a subnet received, the more destination ports there were that
received traffic. Since backscatter is a reply to a packet attempting to connect to a service on a
fixed port, the destination port is typically a random high number application port. Figure 8
shows how the number of destination ports accounting for the top 90% of traffic increases as a
class B subnet receives more backscatter. This behavior would be missed if one plots the
backscatter amount against the number of unique destination ports in all the traffic received on a
subnet, because each port is eventually expected to receive a random packet. On the same figure,
for a consistent amount of backscatter, the number of unique destination ports in the top 90%
increased as the total primary traffic decreased. This was caused by the relative increase in
backscatter as primary traffic decreased (i.e. the ratio of backscatter to primary traffic increased).
35
.........................
Primary and backscatter traffic versus destination ports
+ Primary
x Backscatter
CD
C
0
C
.
0.
0
5000
15000
10000
20000
NOmber of unique destination ports in the top 90%
Figure 8 - Primary and backscatter amounts for each class B subnet as a function of destination ports.
Another observed characteristic of backscatter was that as the amount of backscatter
decreases, the number of IP sources contributing to the top 50% of traffic increased (Figure 9).
Since backscatter is the response traffic from specific sources, more backscatter translates to these
specific sources contributing a greater percentage of the traffic. The amount of primary traffic
remained independent of the number of unique IP sources.
Primary and backscatter traffic versus unique
IP sources
8
+ Primary
7
U)
C
x Backscatter
6
5
C
CL
0
4
3
2
1
0
0
1000
Number of unique
4000
3000
2000
IP sources in the top
5000
50%
Figure 9 - Primary and backscatter amounts for each class B subnet as a function of IP sources.
36
5.1.2 Snort alerts
Overall, Snort generated few abrts. This was mainly because most of the packets in the
dataset, which included TCP SYNs, SYN/ACKs, and RST/ACKS contained no data. Much of
the malicious TCP traffic, which would have otherwise generated Snort alerts, was never sent to
the network telescope because machines could not establish a TCP connection to the IP addresses
in the class A network. The few alert types that Snort generated in high quantities were MS-SQL
worm propagation attempts, ICMP ping nmaps, and ICMP destination unreachable. Figure 10
shows an example of a typical alert plot for the class B subnets; MS-SQL worm and ICMP ping
nmap accounted for at least 90% of the alerts visible across all but one of the class B subnet alert
plots. The high volume ICMP destination unreachable alert only occurs in one of the analyzed
class B subnets, and is discussed in section 5.2.5.
The 'MS-SQL worm propagation attempt' alert is generated by Snort when the Slammer
worm packet is detected. The Slammer worm, originally released in January 2003, is a single
packet UDP (port 1434) worm that attempts to compromise a Microsoft SQL server [12]. Since
the Slammer worm, which propagates without verifying that the target IP address is active, is
contained within a single UDP packet, it is easily identified by Snort. The MS-SQL worm alerts
were diurnal with double peak rates of -2600 alerts/hour at around +4 and +10 hours.
The 'ICMP ping nmap' alert is generated when an ICMP ping packet that is likely caused
by the nmap tool, is detected. ICMP pings are used to detect whether there is a computer
operating at a specified IP address. ICMP pings generated by nmap are used to scan a subnet for
active hosts and can be a precursor to future attacks targeted at the active hosts found by the tool.
The ICMP ping nmap alerts were diurnal, with a peak rate of -1700 alerts/hour at +18 hours.
37
.
.
.. ........
-.............................
.........................
.........
Snort alerts versus time in xx101.0.0
S
I
I
I
I
I
I
alerts/hour
0 >0
*
>186
X
X
X
>373
*
X
X
X
*
>560
X
X
X
X
code
*>747
X
XX
X
X
ever
*
>934
X
XX
X
X
*
>1120
X
X
NK X > * >1307
X
X X
X
X
SNUP Age ntX (22
*
>1494
X X
X
XX
KSo Bourge queunnh (go
*
>1681
X >Xx
X X8KX
XX
XX X
X ><
X >X )X
X
TCP header len > pkt {RB
*
>1868
X)w
XW( X X<
X
wXXK
X )XXX
ICMP DUnreach Net (30 X
>2054
XX X
X XX Xx
AXX )K
XXOX
IP reserved bit get (49
>2241
|K
X<
X
X
Mc
X
MsWr trap tVp (45
a
>2428
X X XXK X )M X X X XK &(
XX XXK
X
ORTWCAN>4004 p kta (S:X X
0
>2616
X XX
X X
X
X
X
)
TC data offset < 5 (4
>)Mx XX X X XAIK
X&( >X XX
X >[<X X(
9NMP request La p (1o0:O9
X >0<
X W
Part
68 to <1 24 (178
>
AME
>X< X>OK X
1CMP redirect hoat (sm.:
X
X
X X >X X X X W<X XX A)AKM
08( X XXXX
TCP port D(Mno: X XX >0
X
X
X
X
FCMP large pack ot (no,: X
X
X X
X X
s: X XXX(4
X XX X
vDr lcn >
Icur re4imret net
rim
(1:
(X:
X
X
=tAN
TML Undt 4=0 aeda
SYN pkt w/ data (5
lnk. datagrm do code (
(B X
bare byte uni
(9
ICMP Lretri
IU DunrechI Get (16
Truna TCP opti ong (1
VMyl
IX3P
DUnre.
1drB-nQL Wormn
0
12
24
60
48
36
Time (in hours)
72
84
Figure 10 - Snort alerts in 101B.
5.2 Class B Results
There is a wide variety of phenomena to be observed within the class B subnets. As
stated earlier, the lowest volume on a class B subnet was 5.2 million packets and the highest
volume, ignoring the two outliers, was 9.8 million packets. Tables and plots for high volume
class B subnets are presented in sections A.1, A.2, A.5, A.6, and A.9 of appendix A. Tables and
plots for mid volume class B subnets are presented in sections A.3, A.4, A.7, A.8, and A. 10 of
appendix A. Tables and plots for mid volume class B subnets are presented in section A. 11 of
appendix A. While 30 class B subnets were chosen from the highest, middle, and lowest total
packet count, there was no clear characteristic separating the three categories. Instead, the
phenomena observed, including non-uniformity in traffic distribution, banded traffic, multi-port
attacks, and sweeps, seemed to have been targeted at random class B subnets. In this section,
each class B subnet is referred to by the class B subnet index followed by the letter B (ex. 244B
refers to xx.244.0.0/16). The results concerning TCP traffic are discussed in sections 5.2.1 to
38
5.2.4, followed by the ICMP traffic results in sections 5.2.5 and 5.2.6, and the UDP traffic results
in sections 5.2.7 and 5.2.8.
5.2.1 Non-Uniform Backscatter
The two subnets that received the most amount of traffic, 204B and 244B, exhibited nonuniform backscatter. Each subnet received 12 million packets, 20% more than the third highest
volume subnet. The cause of this was a dramatic increase in backscatter. 204B received more
than 2 million TCP SYN/ACKs and 244B received more than 3.5 million TCP RST/ACKs, 700
thousand and 2.2 million more packets, respectively, than the third highest SYN/ACK and
RST/ACK volume in a single subnet. This backscatter had an unusual distribution; it was
specifically targeted at the first 40 class C subnets within either class B subnets. Figure
11 shows
a high amount of TCP traffic, which appear as 'bars' at the bottom of the plot, destined for the
first 10,000 IP addresses within 204B. These destination IP bars correspond to the packets of
SYN/ACKs and RST/ACKS destined for the ports between 8,000 and 40,000 in Figure 12. The
connection between these two figures is easier to notice by observing the gap between +84 and
+90 hours; there is a single vertical line in the middle of the gap in both figures. Figure 13 shows
how the first 40 class C subnets received roughly five times the amount of traffic compared to the
other class C subnets.
39
........
-.....---....... .........-----...... ..................
in xx.204.0.0/i6 (skp=100)'
Destination IP address index versus tie
packet type
M$
57,343-|f:
-
0
m
*
TCP
UDP
ICMP
040,959
32,767
24,57516,383
8,191
0
64
72
60
46
36
Time (in hours)
24
12
0
Figure 11 - Traffic destined to 204B, where TCP traffic is non-uniform.
Destination port versus time (skip=100)
packet type-count
0
UDP
1=115
0
SYN
*
SYN/ACK
2,278,700
+
ACK
IJ513
10000
4.
4,42E =1
RST
1000
RsT/ACK
5,587,517
TP OTHER
2,247
100
0 000
W0Ol
Do
O
00 OM
0
o
00
00
oi O
WD
0Q00
0
d a o0
o od
V
00 WOOD
0 +
00,00
0 aLUm
CO
W
(P
0Q
10
1
0
|4
1
1
0
12
24
60
48
36
Time (in hours)
72
54
Figure 12 - Destination ports for 204B, where high ports receive a distinct pattern of traffic.
40
Total packets in each class C subnet in xx.204.0.0/16
500,000*
I
I
64
96
128
160
Class C subnet index
I
I
I
437.500375,000.4
312,500-
a.)
a. 250,000
0
E-1 187,500-
125,00062,500-
0
i
0
32
192
224
Figure 13 - A non-uniform distribution of packets received by each class C subnet in 204B.
Both 204B and 244B received at least 20% of their traffic from two sources,
61.177.64.171 and 61.152.91.151.
These two IP addresses belong to class B networks owned by
a Chinese telecom. Using Google to search for more information on the 61.177.64.171 IP
address, cached results revealed forum posts, where people mentioned this IP address, dating
back to within two weeks of the traffic dataset. These posts referred to links of peer-to-peer
(P2P) torrent files for illegal movie and software downloads found at 61.177.64.171, a torrent
server. It is difficult to explain the pattern of spoofed addresses used in the traffic directed
towards the torrent servers, but this serves as an example of unusual UT that would be difficult to
emulate.
5.2.2 Non-Uniform Primary Traffic
Similar to the non-uniform backscatter traffic, a few subnets received a non-uniform
distribution of primary traffic across the class C subnets within. The clearest example of this was
observed on 192B, shown in Figure 14. TCP SYNs to port 135 caused the increase in traffic,
starting at the 18th class C subnet, and gradually decreasing again. This port received 2.7 million
41
packets of approximately 48 bytes (1.8 million was the second highest amount of TCP port 135
packets destined to one class B subnet). Unlike the non-uniform backscatter traffic, no single
source contributed more than 1.2% of the traffic on this subnet, the likely reason being that the
source IP addresses were spoofed.
Total packets in each class C subnet in xx.192.0.0/16
600,000
-
437.500
-
375,000
-
312,500-
~250,000 0
E-, 157,500-
125,000
-
62,500
-
0
I
0
32
64
96
128
160
192
224
Class C subnet index
Figure 14 - A non-uniform distribution of packets received by each class C subnet in 192B.
5.2.3 Banded Traffic
One peculiar phenomenon that only appeared on one of the analyzed class B subnets,
49B, was horizontal and vertical bands of TCP traffic, shown in Figure 15. The three vertical
bands indicate increased packet activity destined to all IP addresses within the class B subnet.
Each vertical band lasted approximately 6 hours. The horizontal band lasted throughout the 93hour dataset and affected 12 class C subnets within 49B. 49B received 20% of its traffic from a
single source sending TCP SYN packets to port 445. There were 3.7 million TCP SYN port 445
packets sent to this subnet (1.8 million more than any other subnet). The bands are not simple
sweeps across an IP range, as these would appear as thin lines. Instead, the bands indicate that
42
... .....
......................................
. ..........
.............
for all IP addresses in the range, each IP address constantly received a TCP SYN port 445 packet
for 6 hours.
Destination IP address index versus time in xx.49.0.0/16 (skip=100)
packet type
m TCP
- 0
UDP
0 ICMP
57.343
Id 49,151
40,959
.
32,767
24,575
16,383
8,191
0
0
12
24
60
48
36
Time (in hours)
72
84
Figure 15 - Vertical bands of traffic in the 49B destination IP address plot.
43
............
................................................
5.2.4 Multi-port TCP attacks
Many class B subnets received short bursts of TCP packets destined to multiple ports.
Figure 16 shows an example of this behavior, seen on 243B. Between +68 and +76 hours, 243B
received TCP SYN packets destined to ports 901, 3410, 12345, and 27374. Each port received
between 1% and 2% of the total traffic. While it can be assumed that the short multi-port TCP
attacks were caused by a single event, the same cannot be said for the multiple TCP ports that
received traffic throughout the whole 93 hours. These ports (ex. 80, 135, 139, 445, 1023, 1025,
3127, 5554, and 9898) do not share unusual temporal characteristics like the four TCP ports hit
simultaneously for a short duration, and may have been caused by different events.
Destination port versus time (skip=100)
packet type-coant
UDP
[0
a 1,5o
o
SYN
A
SYN/ACK
4A91=
10000
1,480
4A.
0
NET
1000
S
0
2ST/ACK
0
TCP
4-a
100
a
00
)
oODao
[,-Y
OED
OED
(13
OuMMOE) 00 00 oWc
Co
01
0
0
CCI
cxno
0000
I
M
M MMO
OGMD 0 OOI@o amO
cO c
0
0
o
oo 00
O
TH|
C
00
0 0
CP
103
1
0
12
24
60
48
36
Time (in hours)
72
54
Figure 16 - Four ports on 243B received packets at the same time and with the same duration.
44
......................
"'""""""""""""'..................
-
mmumm.....
5.2.5 High Volume 1CMP Destination Unreachable
On the 1 B subnet, there was a high volume of ICMP destination unreachable packets.
This subnet stood out as having more than twice as many ICMP packets compared with the other
class B subnets. The majority of these ICMP packets were destined to a single IP address,
xx. 1.128.12. This was the only class B subnet where the MS-SQL worm and the ICMP ping
nmap alerts were not the top two alerts. The bottom of Figure 17 shows how the ICMP
destination unreachable packet volume peaks at +18, +42, and +90 hours.
Snort alerts versus time in xx.L.0
I
I
I
I
I
I
elerts/hour
0
>0
X
(13
(13
(5'
X
(6,
(0
(7
(121
SCAN nmap
ICMP DUnreaeh Boat (17
SUMP AgentX (17
ICMP Source Quench (12
TCP header ln > pkt (35
MOBxmtream (37
(38'
iCMP IMrtriever
ICMP DUnreach Not (48f
IF re..rvad hit .et (48,
SNPM request tep (6f
mKA
I
I
I
Unk. datagrm dcodes
Inv hardware type
SYN pkt w/ data
Kxper. TVr option.
Truno. TK7 option.
bare bytA unload
X
X
X
X
XXX X
XX
X
X
XX
X
*
0
X
*
*
*
*
*
*
X
X
>W
Xi3
xxX
XX XX
X
X
X
X
XW
X
*
*
XX
X
XX)C<
X2UC
X
X >X
XEMiG
XJm X )
X
X
X
X
)= X)
SNMP traup top (4
X
X+Xa"
>OXMK
XOW
pkt. (75 KM ( X>OXOO<XX )"K10<X
*
X>WK
XXKX
X XXX)QD0<X
XX X
)XWXX
XXXXX
TV? data offet < 5 (84 X
*
Port 53 to <1014 (100
Tcr part o(14
OOOXM)OXXX<:
xx x >O
>Mx0x0
<I XX< XxW xXx
Hf~mra add. overflow (169
X
X
host (195
ICU? redireat
x
ANCIV
xM
X
X
x
X
(31A
1CMW Jar..paket
x
x
>OK M<
XXX Xx
SAN FIN (400 Xx< K
XX
X
>XKX
X
x
SX XXXX
A0( X
MX X
X X ),W(K
>K
X
X >O X
X
PrMSCAN>4098
UIDP
>223
>447
>671
>895
>1119
>1343
>1567
>1790
>2014
>2238
>2462
>2686
>2910
>3134
len > paTload (443
SNMW public access (15167
NUAP (142M=.
WS-SQL Warm (1 as
IMP PING
ma
ICMP DUnuach (266a8
-
0
(
12
24
Figure 17 - Snort alerts for IB, where
60
36
48
Time (in hours)
72
84
ICMP destination unreachable is the highest volume alert.
45
.
........
....
5.2.6 ICMP Echo Request Sweep
Sweeps of any ICMP type were rarely seen in the analyzed class B subnets. However, on
the 81 B subnet, there was a visible ICMP echo request sweep across the whole subnet (Figure
18). The sweep started from +72 hours at the 0 IP address index and continues until +84 hours,
where it reaches the 65,535 IP address index (note: the TCP and UDP packets have been filtered
from the original plot, since the ICMP sweep cannot be seen when the plot is not in color).
Figure A3-3 in appendix A shows the same plot as Figure 18, but without the TCP and UDP
packet types filtered out from the plot. There were over 400,000 ICMP echo request packets,
approximately 6% of the traffic, directed to this subnet. Because most of the other class B
subnets received no more than 200,000 ICMP echo request packets, this sweep is likely
composed of the additional 200,000 packets. Neither 79B nor 83B, the two spatially closest class
B subnets analyzed, exhibited any ICMP sweep activity.
Destination IP address index versus time in xx.81.0.0/16 (skip=100)
57,343
I
iI
65,535
I
I
I
__1____1_1_1
I
packet type
-
U
ICMP
I
1
40,959
-
32,767
-
24,575
-
16,383
-
/
1J2
I
/
8,191
-
0
12
24
60
48
36
Time (in hours)
72
54
Figure 18 - An ICMP sweep going across 81B starting at +72 hours and ending at +84 hours.
46
......
................
..
..........
........
......
5.2.7 Class B UDP Sweep
The 168B subnet received the most amount of UDP traffic, 3.6 million packets. 40% of
the UDP traffic was 78-byte port 137 packets targeted to all machines. Port 137 UDP traffic is
typically associated with NetBIOS name queries. No other class B subnet had nearly as many
UDP sweeps visible in the destination IP address index versus time plot type, shown in Figure
19. The source IP addresses of the UDP sweeps were likely spoofed as no source contributed
more than 2% of the traffic.
Destination IP address index versus time in xx.168.0.0/16 (skip=100)
65,635
57.343
I
I
I
I
I
I
-
I
I
packet type
M TCP
UDP
-4,'hi
-lnt1-
49,151 -6
-
~i~I~L
i
4.-
40,969
I
1
~
qa
~4 )I
WA
.4,
q
I'
P2
24,575
'.4
*-
i-i
A 1 ,)
T) 32,767
Gt
ICMP
g4
0
Jet! n
16,383
40
io
. -1
.
.4
F
, !*
8,191
0
0
12
24
60
36
48
Time (in hours)
72
54
Figure 19 - Traffic destined to 168B, where vertical UDP sweeps visually outnumber the TCP sweeps.
47
5.2.8 Select Target High Volume UDP Traffic
The 128B subnet received the second highest total UDP packets, 2.4 million packets
(third highest was 1.7 million UDP packets). All of the UDP traffic was destined to a single IP
address xx.128.8.14. xx.128.8.14 received 840,000 160-byte packets to UDP port 1037. The fact
that UDP packets are primary traffic, and that no source contributed more than 2.6% of the
traffic, indicate that this activity was a DDOS attack.
5.3 Class C Results
The class C subnets plots allow us to discern the traffic behavior that composes a class B
subnet. The low packet count class C subnets received around 10,000 packets. Tables and plots
for these subnets are presented in sections B.6, B.7, and B.8 of appendix B. The mid packet
count class C subnets (i.e. ranking 15,000 out of a sorted list of -30,000 class C subnet packet
counts) had around 20,000 packets. Tables and plots for mid volume class C subnets are
presented in sections B. 1 and B.4 of appendix B. Both the low and mid packet count subnets had
a fairly even distribution of traffic, with 90% of the traffic going to an average of 216 IP
addresses amongst the 256 IP addresses within each subnet. The high packet count class C
subnets received over 500,000 packets and displayed phenomena targeted at specific IP
addresses. Each of the 30 high volume class C subnets had at least 90% of the traffic destined to
a single IP address within the class C subnet. Tables and plots for high volume class C subnets
are presented in sections B.2, B.3, B.5, and B.9 of appendix B.
In this section, each class C subnet is referred to by the second and third IP address octet
followed by the letter C (ex. 255.145C refers to xx.255.145.0/24). Only low and mid packet
count class C subnets are discussed in this section, as they have characteristics pertaining to the
subnet as a whole. Section 5.3.1 discusses an observed phenomenon where packet noise was
contained in specific IP address ranges. Phenomena found in the high volume class C subnets,
which in fact pertain to specific destination IP addresses within the subnet, are discussed in
section 5.4.
48
. ...
...............................
......................
5.3.1 Packet Noise
In the low and mid volume class C plots, there is behavior that helps explain the
differences in total backscatter between the lower and upper half of the class A network. Figure
20 is a plot of the backscatter in the low and mid volume class C subnets analyzed. The class C
index is computed by multiplying the second lIP octet (from the left) by 256 and adding that to the
third IP octet (ex. the class C index for X.Y.Z.0/24 is 256*Y+Z). Figure 20 shows that the low
and mid volume class C subnets pertaining to the class B network below 128 received on average
5,000 more backscatter packets than those above that range. This is not surprising as the
difference of 5,000 for each class C subnet, matches the 1.2 million packet difference (5,000*256
is approximately 1.3 million) between the class B subnets, explained in section 5.1. It turns out
that the packets destined to each of the class C subnets below the 128-class B octet is not
distributed evenly. The lower half of the IP range within each class C subnet received
approximately 20% more traffic than the upper half.
Total backscatter in each class C subnet analyzed
8,000
7,000
6,000
5,000
4,000
3,000
2,000
1,000
0
0
16,384
32,768
49,152
65,536
Class C index (out of 65,536 class C subnets in class A network)
Figure 20 - Total backscatter in the low and mid volume class C subnets.
Figure 21 is an example of a class C subnet, 55.145C, below the 128-class B octet. The
plot shows the total amount of traffic each of the 256 IP addresses, within the 55.145C subnet,
received. There was a 20% drop in 'noise' after the xx.55.145.128 IP address index. The
destination IP address versus time plot for 55.145C (Figure 22) reveals the cause of the drop in
noise. The lower half of the graph has 'specks' of random TCP packets distributed throughout
the whole time period. All of the class C subnets below 128 look similar in terms of the specks of
49
TCP packets seen below the 128 IP address, while those above the 128-class B octet, such as
198.188C (shown in Figure 23), were clear of those specks.
Total packets to each IP address in xx.55.145,0/24
930813
-
697Ad
651,465-
348232-
1160)
32
64
96
128
160
IF address index
192
224
Figure 21 - Total amount of traffic received by each IP address within 55.145C.
50
.............
.................
...................
Destination IF address index versus time in xx.55.146.0/24
I
255
-
223191
-i
[-
-
I I- I
;_
,1
S
A
L
-
1
packet type
"
TCP
- m
UDP
"
ICMP
- J
i:I
-~
---3: --rL-- -
0d 127-
-I
-
A
-i4
95-
-L2C-K:
63 31
-1- --.
I
- -A
f
CD159-
11
-
0
I
I
12
24
45
36
Time (in hours)
84
72
60
Figure 22 - A plot of every packet received by each IP address in 55.145C.
Destination IP address index versus time in xx.198188.0/24
255
223
I H- F
-
191CD
159-
-i
:1
Wh
iJtI --r'
1
I
J
'.
--
L
- -
II
I
1
-~ I
63
-
--
31
r
-
-
I
zI l
-
I
0
I
12
V
-
I
I
24
I
60
48
36
Time (in hours)
72
54
Figure 23 - A plot of every packet received by each IP address in 198.188C.
51
1 JDP
N
ICMP
Ft
-II
127-
packet type
TCP
-
II
- .
1**~
--
11.2I-i
* L'.!
5.4 Targeted IP Address Results
The high volume targeted IP address results are all based on the high volume class C
results. All 30 of the high volume class C subnets, which received over 500,000 packets, had at
least 91% of the packets directed to a single IP address within their class C subnet. It should be
noted that the average volume of packets received by each class C subnet across the class A
network was 27,000.
There were four phenomena observed in the 30 high volume targeted IP addresses. The
phenomena include 5 IP addresses with a diurnal packet per hour pattern, 23 IP addresses which
all had a similar temporal packet pattern, 1 IP address which received a large amount of P2P
traffic targeted at port 4662, and I IP address which received a lot of UDP port 1037 traffic
(discussed in section 5.2.8).
5.4.1 Diurnal Packet Pattern
A diurnal pattern was observed in the packet versus time plots of five class C subnets.
All of these IP addresses received between 480,000 and 700,000 packets. The diurnal pattern
targeted at the 5 IP addresses were all similar; an example of the 109.116C pattern is shown in
Figure 24. The diurnal pattern appears to be a scan for particular port vulnerabilities, since 6
ports accounted for a large percentage of the traffic. Table 2 shows that six destination ports
accounted for over 95% of the packets in these subnets.
52
. .............................................
Packets ner hour versus time
14,000
--
12,250
-
10,500
-
8,750
I
-4
7,000
0
-
f
/
,109,116.0
vrg
6,250
3,500
1,750
0
0
12
24
60
36
45
Time (in hours)
72
84
Figure 24 - Diurnal packet per hour versus time plot for 109.116C.
IP Address
TCP
x.25.161.40
x.109.116.137
x.217.229.249
x.232.94.123
x.248.246.112
21.0
21.1
21.2
21.3
21.3
20.9
21.2
21.4
21.2
21.1
1025
TCP
42
% of
TCP
19.4
18.9
19.0
19.2
19.2
Total
Traffic
per Port
80
TCP
17.0
17.9
18.0
17.8
17.8
10.8
11.5
11.8
11.6
11.5
6.6
6.7
7.0
6.9
7.3
95.7
97.3
98.4
98.0
98.2
139
TCP
445
TCP
Total %
Table 2 - The traffic breakdown, by port, for the 5 IP addresses that had a diurnal packet pattern.
5.4.2 Similar Temporal Traffic Pattern across Class B Subnets
One interesting phenomenon observed was that 23 IP addresses, which spanned distant
class B and C subnets, received a similar temporal traffic pattern This traffic pattern is divided
into two groups, where the difference between the groups was caused by a single IP source. One
53
group consisted of 10 IP addresses where the IP source, 210.245.191.90, sent 5,500 packets; the
other group consisted of the remaining 13 IP addresses where the same IP source sent 60,000
packets. The packet per hour versus time pattern of the former group is shown in Figure 25; the
pattern of the latter group is shown in Figure 26. The difference to observe between these two
figures is the increase in traffic between +22 and +38 hours, which accounts for approximately
50,000 packets. Figure 27 shows an example of the total number of packets sent by the top 18 IP
sources, to 4 of the 23 IP address destinations. The IP source on the far right of the plot can be
seen to have sent a significantly greater amount of traffic to two of the four IP destinations. In
fact, all 23 IP addresses shared the same top 18 VP sources, with the same relative amounts except
for the traffic received from IP source 210.245.191.90 (the 23 IP addresses share more than 18 IP
sources, but there was a 20% drop in total packets after the 18 th IP source). Considering that the
same IP sources are involved in the form of backscatter seen on these 23 IP addresses, a single
event is likely to have caused this phenomenon, where a distinct set of IP addresses were targeted.
Packets per hour versus time
I14,567,0
~verge
12,25010,500-8,750
P 7,000-
o 5,250
-
-
-
e4
3,6(0
1,750-
0
12
24
4
36
Time (in hours)
0
72
84
Figure 25 - Packet per hour plot for 5.67C in which 210.245.191.90 sent little traffic.
54
.......
.......................
-.................
Packets per hour versus time
14,000
-
-
-_xx.10120L0
average
12.25010,500
I
-
o 8,750A
7,000-
1,750
/
4\~
3,500 -
i
ir
r ai ii
o 5,250-
ii i
.I
e I
60
72
84
V
-
0
45
36
24
12
0
Time (in hours)
Figure 26 - Packet per hour plot for 101.204C in which 210.245.191.90 sent a high volume of traffic.
Total packets sent from top 18
IP sources to high backscatter volume IP destinations
140,000
120,000 100,000
a>
n
M xx.5.67.128
* xx.101.201.168
0 xx.206.222.64
80,000
Cn 660,000
0
-'U
CU
0 xx.253.25.8
40,000
20,000
0
N
'T
*N
0(
LO
M
')
M0
(
W
M
CD
r -(
CD
0)
M
)
CP
"t
o
0
0
)
M'
oN
T-
a)
I'
U')
0
0
-
O
Figure 27 - Packet count from the top 18 IP sources, sent to 4 IP addresses.
The only pattern distinguishing whether 210.245.191.90 sent traffic was that only those
destination IP addresses where their rightmost octet was a multiple of 16, did not receive traffic
55
..............
......................
...........
from this source, shown in Figure 28. The other octets did not seem to bias the distribution of
traffic from this IP source. The traffic from this source, 210.245.191.90, is what separates the 23
IP addresses into those that received 532,000 backscatter packets versus those that received on
average 482,000 backscatter packets. This 50,000-packet difference was solely a difference in
the volume of TCP RST/ACKs. This distinct separation of backscatter quantity may explain why
there were clusters of backscatter found in the section 5.1.1 backscatter analysis.
Total backscatter received based on rightmost
IP address octet
550,000
C,,
-
525,000
0.
aL
' 500,000
cc,
475,000
450,000
0
32
64
96
Rightmost
128
160
192
224
IP address octet
Figure 28 - Total backscatter received on the 23 IP addresses, based on the rightmost octet
These 23 IP addresses all received over 470,000 packets of backscatter. This translates to
each IP address representing approximately 10% of the backscatter observed within their class B
subnet. 2 of the 23 IP addresses analyzed actually pertained to the same class B subnet. This
suggests that the backscatter received on each of the class B subnets might have been the
aggregate of the backscatter received by 10 IP addresses within the subnets.
5.4.3 Single Target P2P Primary Traffic
One IP address, xx.218.68.212, received 486,000 packets, of which at least 92% were
TCP SYN packets to port 4662. EDonkey P2P client commonly uses this port. The attack did
not appear to start until +20 hours, shown in Figure 29; it continued throughout the rest of the
dataset period, with two large bursts of traffic lasting approximately 24 hours each. No source
contributed more than 0.1% of the packets. Unlike the P2P activity, which caused a large amount
of backscatter, discussed in section 5.2.1, this P2P activity consists of primary traffic. The likely
56
cause of the activity seen on xx.218.68.212 is that the IP address was incorrectly listed as a P2P
server.
PAekpts ner hour versus time
14,000
-
-- x 216.6 .0
--aerage
12,250 10,500 -
8,750 I
7,000
-
Q)
Ed.
0)L
5,250
3,500
1,750
0
0
12
24
60
36
48
Time (in hours)
72
Figure 29 - Packet per hour plot of P2P traffic sent to xx.218.68.212.
57
84
58
Chapter 6
Conclusion
This thesis presents the results of analyses performed on unwanted traffic received on a
class A network telescope. The results show the various types of traffic phenomena that were
observed including a variety of sweeps, diurnal and irregular traffic patterns, non-uniform traffic
distributions, and high volume attacks. These phenomena were targeted at different class B
subnets, class C subnets, and IP addresses across the whole class A network and were difficult to
predict. While one subnet would receive a certain pattern of traffic, an adjacent subnet would be
devoid of such a pattern. A large portion of the dataset could not be analyzed at the class C or
individual IP address level, and so it cannot be assumed that the list of phenomena presented is
comprehensive. In addition, many of the phenomena lasted longer than the 93-hour period of the
dataset, and so the temporal aspects of these phenomena could not be ascertained. The unusual
nature of the traffic, the inability to analyze all of the class C and individual IP address activity,
and the short duration of the dataset make it difficult to create artificial models of unwanted
traffic. Future work towards improving the understanding of UT includes automating the
statistical analysis of traffic measurements using clustering techniques, analyzing longer datasets
and classes within those datasets more efficiently, and looking at the root causes behind these
phenomena.
The results also show that the backscatter in this dataset was not uniform. When the class
B subnets were observed at the class A network level, a large disparity was seen between two
regions of the network. Assuming uniformity in backscatter, especially since uniformity can be
observed in clusters of class B subnets, can lead to gross miscalculations of backscatter
characteristics on the Internet.
59
60
I-
-,--
-
-7 -
-
-
-
- -
-
-
-
- --
-
-
References
[1]
Sally Floyd and Vern Paxson, "Difficulties in Simulating the Internet," IEEE/ACM
Transactions on Networking, Vol. 9, Issue 4, pp. 392-403, Aug. 2001.
[2]
Steven M. Bellovin, "Packets Found on an Internet," ACM SIGCOMM Computer
Communication Review, Vol. 23, Issue 3, pp. 26-31, Jul 1993.
[3]
Stuart Staniford, Vern Paxson, and Nicholas Weaver, "How to Own the Internet in Your
Spare Time," In Proceedings of the 1 Ith USENIX Security Symposium, pp. 149-167,
Aug. 2002.
[4]
Lee M. Rossey, Robert K. Cunningham, David J. Fried, Jesse C. Rabek, Richard P.
Lippmann, Joshua W. Haines, and Marc A. Zissman, "LARIAT: Lincoln Adaptable Rea
time Information Assurance Testbed," IEEE Aerospace Conference Proceedings, Mar.
2002.
[5]
CAIDA mission statement, 2005.
http://www.caida.org/projects/progplan/progplan03.xml
[6]
David Moore, "Network Telescopes: Observing Small or Distant Security Events," In
Presentation at the 1 Ith USENIX Security Symposjm, 2002.
[7]
David Moore, Colleen Shannon, Geoffrey M. Voelker, and Stefan Savage, "Network
Telescopes: Technical Report," Technical Report, Cooperative Association for Internet
Data Analysis - CAIDA, Apr. 2004.
61
-
-
-
-
..........
[8]
David Moore, Geoffrey M. Voelker, and Stefan Savage, "Inferring Internet Denial-of-
Service Activity," In Proceedings of the 10th USENIX Security Symposium, pp. 9-22,
Aug. 2001.
[9]
Ruoming Pang, Vinod Yegneswaran, Paul Barford, Vern Paxson, and Larry Peterson,
"Characteristics of Internet Background Radiation," In Proceedings of the 4th ACM
SIGCOMM Conference on Internet Measurement, pp. 27-40, 2004.
[10]
Martin Roesch, Snort network intrusion prevention and detection system, 2005.
http://www.snort.org/.
[11]
Rocky K. C. Chang, "Defending against Flooding-Based Distributed Denialof-Service
Attacks: A Tutorial," IEEE Communications Magazine, Vol. 40, Issue 10, pp. 42-51, Oct.
2002.
[12]
David Moore, Vern Paxson, Stefan Savage, Colleen Shannon, Stuart Staniford, and
Nicholas Weaver, "The Spread of the Sapphire/Slammer Worm," Technical Report,
Cooperative Association for Internet Data Analysis - CAIDA, Jan. 2003.
[13]
CoralReef software suite, 2005. http://www.caida.org/tools/measurement/coralreef/.
[14]
Helmut Michels, Dislin plotting library, 2005. http://www.dislin.de/.
62
Appendix A:
Tables and Plots for Class B Subnets
63
64
A.1 - XX.1.0.0/16
Total
Avg Rate
Packets
9,804,326
29
Bytes
563,168,457
1,168
Table Al-1 - Packet and byte statistics for lB.
Peak Rate
1,140
54,420
%TCP
78.3
64.0
%UDP
16.2
31.4
%ICMP
5.5
4.6
ACK
10,845
RST
76,868
RST/ACK
923,111
OTHER
735
SYN/ACK
SYN
TCP TYPE
PKT COUNT
5,450,198
1,158,305
Table Al-2 - TCP packet types in lB.
100
31
574K
Scans
Packets
(Scans >
4K pkts)
1.1M (75)
400,657
Sources
Avg
Pkts
/Src
25
Avg
Bytes
/Src
1.4K
Destinations
Hosts
Avg
Pkts
/Dest
65,536
150
90
X
X
X
80,178
110
6.4K
52,261
169
9.6K
4
153
32.1K
1.8M
12,140
50
X
X
X
Table Al -3 - Statistics for all, the top 90%, and the top 50% of traffic in lB.
404
21.2K
%
Snort Alerts
Total
Unique
Ports
Total
Hosts
59,691
13,360
Avg
Bytes
/Dest
8.6K
Protocol - Port/ICMP Type
Packets
Packet %
Bytes
Byte %
TCP - 135
1,829,158
18.7
87,414,378
15.5
TCP - 445
1,801,637
18.4
86,758,899
15.4
UDP - 137
1,260,528
12.9
98,328,687
17.5
Table A1-4 - Top 3 packet types across ICMP, TCP, and UDP traffic by packet count, in lB.
IP Destination
Packets
Packet %
Bytes
Byte %
xx.1.50.192
471,531
4.8
19,437,178
3.5
14,396,629
256,446
2.6
xx.1.128.12
xx.1.199.75
139,617
1.4
6,732,568
Table Al-5 - Top 3 destination IPs across all packet types by packet count, in IB.
2.6
1.2
IP Source
61.152.241.175
Packets
263,933
Packet %
2.7
Bytes
11,617,276
Byte %
2.0
194.200.29.110
61.234.250.206
255,934
236,036
2.6
2.4
14,332,304
10,243,668
2.5
1.8
Table Al-6 - Top 3 source IPs across all packet types by packet count, in 1B.
Alert Name
ICMP Destination Unreachable Communication Administratively Prohibited
MS-SQL Worm Propagation Attempt
ICMP Ping NMAP
Table Al -7 - Top 3 alerts by alert count, in lB.
65
Alert Count
256,348
157,766
142,355
Alert %
44.6
27.5
24.8
...................................
Packets per hour versus time
300,000
-
262,500
-
225,000
-
187,500
-
p., 150,000
-
S.,
0
-
A!
I-
.i.J
U
112,500
-A
75,000
-
A
A
*x
A
h
- -_
-
37,500
0
0
12
60
48
36
Time (in hours)
24
84
72
Figure Al-1 - Packets per hour versus time in lB.
Bytes per hour versus time
15,000,000
7~Yo.o
13,125,000
11,250,000
Kh
9,375,000
<U,
A
M.
7,500,000
5,625,000
A
A
A
-
3,750,000
1,875,000
0
0
12
24
50
46
36
Time (in hours)
Figure A1-2 - Bytes per hour versus time in lB.
66
72
84
aXaVe r1.0.
rae
...............
Destination IF address index versus time in xx.LG.0/16 (skip=100)
I
65,535
.-- A"
4
.T
I W:
.I
I
packet type
"
"
*
21
57,343
TCP
UJDP
ICMP
H57
0
'd 49,151
"bit
T91
P P
IZ
, ?M
II I
V
7f
o40,969
. , -
W
A5
32,767
,On"
P
AS
l
!: t
I -
I
S24,575
M 16,383
PIC
V .4
'WAN
8,191
nj
-, r4
J
1,11k
44
I
- r,NJI
0
0
24
12
36
54
72
60
4a
Time (in hours)
Figure Al-3 - Destination IP address index versus time in 1B.
Destination port versus time (skip=100)
p&cket type-count
1459.431
10000
L.
0
0
a
A
A
A
SYN/ACK
+
ACK
10,846
II
0o
A
A
,a 0
0
Q ,
RST/ACK
923111
o o
Ai,6 :
'
0
ci
T''CP OTHER
736
100
In
0
'
A
0~
0z
Go
qjo
13u 4Mao'UU&Eoun
0
CD)
0
Aci
0
(:A
0
A
0
103
0
1
SYN
5.450.198
RST
1000
a. A6 6
ID
V
o
|
0
1
12
24
36
48
Time (in hours)
Figure At-4 - Destination port versus time in lB.
67
60
72
1
4
.
...
. ...........
- ...........................................
....
packets in each class C subnet in xx.1.0.0/16
Total
500,000 -
I
I
I
I
-
437,500 375,000 JS312,500 250,DO
.
-
E-, 157,500-
125,000
-
62,500
-
1
.
0-
0
vn
I
r~2
64
I
I
I
96
i
i
12
I
2I
I 2
192
160
Class C subnet index
128
224
Figure Al-5 - Total packets in each class C subnet in lB.
Snort alerts versus time in xx.1.0.0
I
I
X
Unk. datagpm doivof (g
biv hardware type (3
SYN pkt w/ data (5
Exper. Tr optiin (5
Trun-c. Tr qptiivnm (0
bar&byte unloade (7
SCAN nmap XMAS (12
ICYAP DUnraah
Boat (17
SNIM
X
X
xXX
X
X
X
XX
63 to <1t4
(10:
TCP part 0 (1X4
NTare add, overflow (185
radIrwt host (IS
SCAM FIN
(400
len > payload (443
(15167
3MPW public acnoso
ICMP PING NMAP (14235M
MS-SQL WTn (157786
ICMP IDUrench (268864
X
X
X
X X XX
Xe
XDM
> XX
X
>)OCCOW
X
X XX
9XK
>""CX
X><XX
XX >A X
XXK X XX
>08K< 'K
X X
xXX X
X
X
)MKX
X
W
X
X
X X 1W8
)MX
X
X~x2>KXK
X
X
X
X
X
X
X
X X
X
Xx
X
X
1CM Iarp. pakaet (S1A
X
X X
RK
X
trap tep (44
P0RT5CAN>4095 pkta (75 WA
Tr data offaet < 5 (4 X
IXiP
X
X
>X
I
X
X
X XX
AgntIX (17
I
I
x
X
XX
TCP header in > pkt (S5
OOS matream (0?
WM4P Lratrivor (28'
ICMP DUnreach NEt (43 K
EP reservad bit set (48,
BNMP request top (W, X
Port
I
I
>X<
ICMP Souroe Quenoh (24
SNMI
X
X
I
I
X
X
>X X.)
XXX
X X >X
X
X
X
X
>
>0 Xx
XX
MOO< X
XM X 31
>M X >
>X)
XK
X X
X
X >0=(SH|XX))OMKOX5,KK )X
X
X
X
X
72
84
XXX XX
X>OK<
UhP
0
I
0
12
I
I
24
I
I
36
I
I
Time (in hours)
Figure Al -6 - Snort alerts versus time in lB.
68
I
I
48
60
1
1
alerts/hour
0
*
*
m
M
*
*
*
*
*
>0
>223
>447
>671
>895
*>U19
>1343
>1567
>1790
>2014
>2235
*
*
>2686
>2910
>3134
>2462
A.2 - XX.49.0.0/16
Avg Rate
Total
27
9,178,836
Packets
1,560
522,324,712
Bytes
Table A2-1 - Packet and byte statistics for 49B.
Peak Rate
2,440
107,536
%TCP
83.4
69.3
%UDP
14.1
29.1
%ICMP
2.5
1.6
ACK
8,639
RST
17,030
RST/ACK
586,557
OTHER
449
SYN/ACK
TCP TYPE
SYN
1,028,269
PKT COUNT
5,964,026
Table A2-2 - TCP packet types in 49B.
%
Destinations
Ports
Sources
Scans
Avg
Avg
Avg
Hosts
Total
Hosts
Packets
Pkts
Pkts
Bytes
(Scans >
/Src
/Src
/Dest
4K pkts)
65,536
140
24
1.4K
670K (43)
57,837 381,097
298K
154
53,822
109
6.3K
8,733
75,904
X
X
262
17,537
86
53.4K
2.9M
X
2
X
- Statistics for all, the top 90%, and the top 50% of traffic in 49B.
Snort Alerts
Unique
Total
28
100
90
X
50
X
Table A2-3
Avg
Bytes
/Dest
8.0K
8.7K
13.9K
Protocol - Port/ICMP Type
Packets
Packet %
Bytes
Byte %
TCP - 445
3,715,752
40.5
178,623,634
34.2
16.6
86,572,392
12.1
1,109,883
UDP- 137
8.2
42,835,582
9.7
894,402
TCP - 135
Table A2-4 - Top 3 packet types across ICMP, TCP, and UDP traffic by packet count, in 49B.
IP Destination
Packets
Packet %
Bytes
Byte %
xx.49.10.69
44,592
0.5
2,154,271
0.4
1,577,568
0.4
32,551
xx.49.251.163
1,414,612
0.3
29,114
xx.49.251.82
Table A2-5 - Top 3 destination IPs across all packet types by packet count, in 49B.
0.3
0.3
IP Source
61.180.41.196
Packets
2,052,122
Packet %
22.4
Bytes
98,501,856
Byte %
18.9
61.152.241.175
61.234.250.206
265,155
235,071
2.9
2.6
11,671,016
10,204,596
2.2
2.0
Table A2-6 - Top 3 source IPs across all packet types by packet count, in 49B.
Alert Name
MS-SQL Worm Propagation Attempt
ICMP Ping NMAP
SNMP Public Access UDP
Table A2-7 - Top 3 alerts by alert count, in 49B.
69
Alert Count
158,173
Alert %
53.0
137,280
46.0
576
0.2
Packets per hour versus time
300,000
___xx.49.0.0
averageI
262,500
225,000
-
187,500
-
150,000
-
112,500
-
0
-4
U
75,000
37,500
A
6
-V-
0
12
0
24
45
60
36
Time (in hours)
72
84
Figure A2-1 - Packets per hour versus time in 49B.
Bytes per hour versus time
15,000,000
-2----
13.125,000
11,250,000
S9,375,000
~7,500,000
A
A
A
S5,625,000
J Y Q
VV
3,750,000
1,875,000
0
0
12
24
45
36
Time (in hours)
Figure A2-2 - Bytes per hour versus time in 49B.
70
60
72
84
av1rag
............................
....................
-
Destination IP address index versus time in xx.49.0.0/16 (skip=100)
65,535-
packet type
0 TCP
57,343-
UDP
-
a
ICMP
'49,151-
o 40,959
-
32,767
1
-24,575
12 16,3838,19100
72
60
48
36
24
12
54
Time (in hours)
Figure A2-3 - Destination IP address index versus time in 49B.
Destination port versus time (skip=100)
packet type-count
UDP
0
0
SYN
,954,06
A
SYN/ACK
1,02BPZ9
+
ACK
10000
-
1000
RST
17.030
RST/ACK
0d
0
t1,"
0
00
0
A
100
0
0
0
cSgo
do
d o 0oaoooe
am
oo
0O CL
00
0
0
0
0
w
<,
O0A
go0
0
10
1
-
A0
o
Elm CaDOmo0Goo
00
falO)00
"A
0
o
12
24
48
36
Time (in hours)
Figure A2-4 - Destination port versus time in 49B.
71
60
72
84
7CP OTHER
"9
- ..........
...........
. ............
..........................................
Total packets in each class C subnet in xx.49.0.0/16
500,000 I
437.500
-
375,O00
-
'
I
II'
64
160
128
96
Class C subnet index
JS312,500 250,000 E-
157,500-
125,000
-
62,500
-
0
32
i
i
i
i
i
i
i
0-
i
i
224
192
Figure A2-5 - Total packets in each class C subnet in 49B.
Snort alerts versus time in xx.49.0.0
aeader, length field < 8 (1
UDP port 0 (1
Unk. datagrin decode (2
SYN pkt w/ data (3
8NMP Agntl (+:
Icr Ufrtriever (4
Trunc. UPF gption. (0
bare byte unloade (7 X
ICMP DUnreach Boat (17
ICMP redirect not (0
IMF Source quench (9:
IGMP DUnreach Net (34:
7Dr hcader lan > pkt (:
PORTSCLN>4006 pkta (43:
MP requemt top (5: XX
IP remerrod bit set (89
X
7TP data offset < 5 N74
SNMF trap top (75
TC port 0 (103 XK
IMW large packet (148 X
SCAN FIX (1ia
Part 58 to <M324 (205
ICMP redireot hoot (220 X
ICMP DUareach (415
VDr an > paylad (421
SNUP publie anon (575
ICiP PING NMLP (1377I
MS-NL Worm (168172
alerts/hour
X
X
X
>183
X X
X
X
>
X
X
X
0
S>735
X
>919
X X
X
X
XXX
X
X X
X
XX
X0X<X X XX XKX
>XX)@KX >=K
X
X
>0K )M
)M X
X
WX
X X
XKX
XXXMK
X
>MC
>X
XX X
X
>
)OR
X
>(X
X AK
MX
>A<X X
X WK
X
X >R WCX
M X>X X
X >1w
X>W,
X
XX
XX
W@ X
A>W
>0W
X X
)wK
X
3KV00XXX
X
XX X
X
X
>X
X< >X
X
X
X
'w
>WX w X / M
WC X XOM X
X X X>
W
X
X
X
JMM
1K X
X X
X
X X
X
X
X
X
X
X
X
72
84
0-
12
24
60
48
36
Time (in hours)
Figure A2-6 - Snort alerts versus time in 49B.
72
>367
>551
S>1103
a
a
>1287
> 1471
>1655
>1839
>2023
>2207
>2391
>2575
A.3 - XX.81.0.0/16
Packets
Bytes
Total
6,699,348
Avg Rate
20
Peak Rate
2,970
%T CP
73.3
%UDP
20.1
%ICMP
6.6
405,173,024
1,210
131,250
56.7
38.1
5.2
RST
16,993
RST/ACK
574,614
OTHER
230
Table A3-1 - Packet and byte statistics for 81B.
SYN
SYN/ACK
TCP TYPE
PKT COUNT
3,217,758
1,041,876
Table A3-2 - TCP packet types in 81B.
ACK
8,409
|
Avg
Bytes
/Src
372,169
Sources
Avg
Pkts
/Src
18
1.1K
Destinations
Hosts
Avg
Pkts
/Dest
102
65,536
106,321
57
3.5K
51,920
116
6.9K
232K
13,910
4
893
3.8K
X
X
X
50
Table A3-3 - Statistics for all, the top 90%, and the top 50% of traffic in 81B.
241
12.8K
100
24
301K
Scans
Packets
(Scans >
4K pkts)
536K (43)
90
X
X
X
%
Snort Alerts
Total
Unique
Ports
Total
Hosts
58,006
13,695
Avg
Bytes
/Dest
6.2K
Protocol - Port/ICMP Type
Packets
Packet %
Bytes
TCP - 445
1,550,119
23.1
74,665,687
18.4
UDP-
1,115,871
16.7
87,037,938
21.5
660,758
9.9
31,727,655
7.8
137
TCP - 135
Byte %
Table A3-4 - Top 3 packet types across ICMP, TCP, and UDP traffic by packet count, in 81B.
Packets
Packet %
IP Destination
1.2
xx.81.254.184
77,003
43,880
0.7
xx.81.220.175
30,681
0.5
xx.81.220.27
Table A3-5 - Top 3 destination IPs across all packet types by packet count,
Bytes
Byte %
3,721,069
0.9
2,120,147
1,478,834
in 81B.
0.5
0.4
IP Source
61.152.241.175
Packets
265,547
Packet %
4.0
Bytes
11,687,964
Byte %
2.9
61.234.250.206
213.96.162.222
235,940
194,397
3.5
2.9
10,239,928
11,663,820
2.5
2.9
Table A3-6 - Top 3 source IPs across all packet types by packet count, in 81B.
Alert Name
Attempt
MS-SQL Worm Propagation
ICMP Ping NMAP
ICMP Destination Unreachable Communication Adminstratively Prohibited
Table A3-7 - Top 3 alerts by alert count, in 81B.
73
Alert Count
158,564
Alert %
52.8
139,164
46.3
824
0.3
.........
...................
..................
.
........
Packets per hour versus time
300,000
-
_____
xx,81.O.0
&verage
-----
xx,8LO..
average
_____
262,500
-
225,000
-
o 187,500
-
P4 150,000
-
-
112,500
-
-
75,000
-
-
A (AA
I
-
-
37,500
-
0
0
72
60
46
36
Time (in hours)
24
12
84
Figure A3-1 - Packets per hour versus time in 81B.
Bytes per hour versus time
-
13,125,000
..
-
11,250,000
-
-
-
-
15,000,000
0
9,375,000
p4 7,500,000
QJ
5,625,000
pA
AA
3,750,000
1,875,000
A
A
-A
-~_
_
_
_
__
_
/\ I
A
0
0
12
24
36
48
Time (in hours)
Figure A3-2 - Bytes per hour versus time in 81B.
74
60
72
84
.
Destination IP address index versus time in xx.1.0.0/16 (skip=100)
.
65,535
~
57,343
-
49,151
-
40,959
-
32,767
-
'
. --....
.1"
-
..
packet type
*'
*
.- *
,4 .
*
TCP
UDP
ICMP
H
0
-V
172
0
-
1:
-
-m
.AP=
ANN
14.6
K.
FSO
0
24,575 - 6,m
H1-t --..
172 16,383 ID
8,191
'
-
84
72
60
48
36
Time (in hours)
24
12
0
Figure A3-3 - Destination IP address index versus time in 81B.
port
Destination
versus time (skip=100)
paket type-count
El
UDP
0
1._43=27
SYN
A
SYN/ACK
10000
-
+
0
1000
REST
A
-&A
~
A~
A
A
A
~
0
A
A
~A
-
4~A
A
A
~o
A
100 -
c
-.
-
~A,
a0EllIUD0
00 - UM.j---------M
w
OID
CQO
18
I0
o
1ODIDO
MO]
7
0l
00O 0
0
A
C0
0 EAD
.
0
=GO---
0
~A
'tI
de
't
of
o0
a
0o
0000aCM
_
A
0
10
A
A
A
'
I
0
12
24
60
48
36
Time (in hours)
Figure A3-4 - Destination port versus time in 81B.
75
72
84
574,614
T TCP OTHER
"0ID
-
0
16,993
RST/ACK
A
A
-4
1,041,576
ACK
8,400
230
..............
...................
. .......................
Total packets in each class C subnet in xx.a1.0.0/16
500,000
-
437.500
-
375,000
-
I
I
S312,500 ,
250,000-
E-, 157,500125,000
-
62,500
-
0-
224
192
160
128
96
64
32
0
Class C subnet index
Figure A3-5 - Total packets in each class C subnet in 81B.
Snort alerts versus time in xx.81.0.0
Unk. datagrm decode (1,
SYN pkt w/ data (03
Trunc. TCP options (7
bare byte unioude (9 X
3NMP AgentX (10
DDO mistream (Mr
SCAN FIN (17
IcWa Duarenah Bout (1s
ICMP Souree Quench (22
SNMP request top (2: X
?rC? header len > pkt (33
SKMP trap top (39
ICMP DUnreaoh Net (4tq
PORTSCAN>40N0 pkta (4
IFrmwered bit set (4s
ICMP lara packet (48
TCP data offset < 5 (73
Maserved Ir protacot (140
iCM? redirect heat (3a
UP1 len > payload (446
TCF port 0 (470
ICMP DUnrceach (BZ4
ICMP PING NWAP (130166
MS-8ML Worm (168564
0-
i
X
X
XX
X
xX
x
X
>W
XX
X>
X
X
X
XAX
X
X
X
X<
&<X X
X X<XW X
XX
XX
X
WX
X
)M
>00
X XO<
>X X
X
WX
Ax X X
Ix
X
X
>O< XX X
X
X
X XK X X
X
X
W
XXX
X
X0 X XXK >-XXx
K
X
X
XX
X
X
X
X
X X XX
XK X
.M
iM
k;
I
I
I
0
12
24
X
)((
X
X
>0(
X
X
X
X
X
X
X
X
X
X
X
XX
XX
))MHK
X
X~
X
X
XX
X
X
X
X
X X&X
X
X
W
X
i
I
!
I
I-
36
60
48
Ti me (in hours)
Figure A3-6 - Snort alerts versus time in 81B.
76
I
72
I
54
alerts/hour
* >0
* >186
* >372
* >558
* >744
* >930
* >1116
* >1302
* >1488
* >1874
* >1860
a
0
>2046
>2232
>2418
>2604
A.4 - XX.128.0.0/16
Total
Avg Rate
Peak Rate
Packets
7,080,623
21
3,930
Bytes
536,255,022
1,622
278,750
Table A4-1 - Packet and byte statistics for 128B.
%TCP
63.2
39.4
%UDP
33.3
58.9
%ICMP
3.5
1.7
TCP TYPE
SYN
SYN/ACK
3,620,414
289,605
PKT COUNT
Table A4-2 - TCP packet types in 128B.
RST
31,086
RST/ACK
515,151
OTHER
61
%
ACK
3,456
Destinations
Ports
Sources
Scans
Hosts
Avg
Packets
Total
Hosts
Avg
Avg
(Scans >
Pkts
Bytes
Pkts
4K pkts)
/Src
/Src
/Dest
65,536
108
18
1.4K
308K
441K (35)
54,024 384,173
4.6K
48,421
132
X
X
1,615
110,515
58
X
X
3
1,179
3.0K
282K
1,377
2.6K
- Statistics for all, the top 90%, and the top 50% of traffic in 128B.
Snort Alerts
Unique
Total
100
30
X
90
50
X
Table A4-3
Avg
Bytes
/Dest
8.2K
10.1K
206K
Protocol - Port/ICMP Type
Packets
Packet %
Bytes
Byte %
TCP - 445
1,664,061
23.5
80,138,061
14.9
UDP-
137
1,098,741
15.5
85,862,957
16.0
TCP- 135
832,482
11.8
39,879,165
7.4
Table A4-4 - Top 3 packet types across ICMP, TCP, and UDP traffic by packet count, in 128B.
IP Destination
xx.128.8.14
Packets
Packet %
Bytes
Byte %
830,425
11.7
132,503,739
24.7
xx.128.247.192
469,569
6.6
19,373,962
3.6
7,773,099
60,694
0.9
xx.128.110.120
Table A4-5 - Top 3 destination IPs across all packet types by packet count, in 128B.
1.5
IP Source
212.64.161.175
Packets
181,920
Packet %
2.6
Bytes
23,308,759
Byte %
4.4
213.146.105.136
61.152.108.4
118,420
108,174
1.7
1.5
5,684,160
4,328,724
1.1
0.8
Table A4-6 - Top 3 source IPs across all packet types by packet count, in 128B.
Alert Name
MS-SQL Worm Propagation Attempt
ICMP Ping NMAP
SNMP Public Access UDP
Table A4-7 - Top 3 alerts by alert count, in 128B.
77
Alert Count
158,105
Alert %
51.3
136,317
44.2
7,718
2.5
.........
......
.................
Packets per hour versus time
300,000
___xx.i26io.0
vrg
262,500
-
225,000
-
t__
-
66
0
P1
157,500
150,000
-
112,500
-
/
-
A
A VU
75,000
A A
M
p
37,500
0
0
12
48
36
24
60
72
84
Time (in hours)
Figure A4-1 - Packets per hour versus time in 128B.
Bytes per hour versus time
15,000,000
-
13.125,000
-
11,250,000
-
9,375,000
-
0
7,500,000
- ----
-
A
P4
5,625,000
A/A
_
A
A A4
A
1
\A
I!
3,750,000
1,875,000
0
0
12
24
60
45
36
Time (in hours)
Figure A4-2 - Bytes per hour versus time in 128B.
78
72
54
xx.128.0.0
average
, 'L=-
-- -
--- -
- ---
- -
.-....................
.....
..........................
.....
- -=
- -A
Destination IP address index versus time in xx.128.0.0/16 (skip=100)
65,535
57,343
.*
.-
packet type
"
TCP
*
UDP
*
ICMP
-
49,151
W.
.~
40,969
-
4
*
-..
-
---
-
~,,
32,767
~~
,,
0
.k.-
- .)by
24 575
M
_
~
'W&
~'-
16,383
~
4
8,191
0
72
60
36
48
Time (in hours)
24
12
0
54
Figure A4-3 - Destination IP address index versus time in 128B.
Destination port versus time (skip=10O)
pwtket
typ&--eount
0
UDP
0
SYN
A
SYN/ACK
+
&CK
10000
--
A,468
1000
RST/ACK
-615.1
7
100
.
oWcooouo
OCM 0 0mr
x
-
000
O
0
0
0 0
0MBDaG
95'
0
01(E
10
1
1
0
I
I
12
I
I
24
I
I
I
I
I
II
60
48
36
Time (in hours)
Figure A4-4 - Destination port versus time in 128B.
79
72
54
TCP
at.
OTHER
.....
.....
..
..........................
Total packets in each class C subnet in xxI28.0.0/18
437.500
-
375,000
-
I
I
I
I
500,000
I
'
S312,500-
4.250,000E
187,500
-
125,000
-
62,500
-
0-
0
32
II
I
I
224
192
160
128
96
Class C subnet index
64
-
~
I
I
I
Figure A4-5 - Total packets in each class C subnet in 128B.
Snort alerts versus time in xx.128.0.0
SCAN FIN (1C;
Reserved IF protocol (2
SCAN STN FIN (2
SYN pkt w/ data (5
bar byte unicode (5
ICP Unareaah Boat (15
SNUP AgentX (Io X X X
X
ICMP Sourcs Quench (19
Tcr header ien > pkt (a8
X
X
XX
PORTSCAN>4090 pkta (33 X X X
sr trap Uop (U4
>W
ICP DUnrech Net (4: X
IF re.rved bit .et (47
X X >=K
SNMP request top (64
HWare add. averflow (54
X X"x X
TC? .ata ofshot < 5 (65,
Part 58 to d 4 (10Z
TCP port a (133:
X X
ICMP large packet (144
X
X
X
ICMP redireat host (214
lUMP DUnreach (1890
XX
.X
UDP len > payload (3M7
SWM? public access (7710
ICMP PING NMAP (136512
MS-SQL Warn (15810,
X
X
X
X X
X
W
X
>0*0
X
X
>80OU'K
XX(
X
12
X
48
Time (in hours)
80
X XWXN
X
>&=8
60
M
X
>X
XM
X
>w<
X
X
W
72
>
AM
X
X
m
.
Figure A4-6 - Snort alerts versus time in 128B.
X
XX<*K>x~x
X
36
X
XX
X
24
X N
(0X X
]SEEK<
m ew
0-i
J
X X
>"
>0(
X
<X
X X<>X
XKX
X
X XX
X
X X
X
X
X
X
XX
X
X
AX0<
X
X Xx' 0X
XX Mx
X
>W
X>00<
X<
X
X
XX
X
X
X3K X X
X X|K
i
i
X
X
w
i
a
I
.
84
X
lK
alerts/hour
* >0
* >215
* >431
* >647
* >863
* >1079
* >1294
* >1510
* >1726
* >1942
* >2158
>2373
>2589
* >2805
* >3021
A.5 - XX.168.0.0/16
Total
Avg Rate
Peak Rate
Packets
8,544,791
26
2,650
Bytes
563,926,084
1,684
117,206
Table A5-1 - Packet and byte statistics for 168B.
%TCP
55.0
39.4
%UDP
42.4
59.2
%ICMP
2.6
TCP TYPE
SYN
SYN/ACK
PKT COUNT
3,821,079
282,380
Table A5-2 - TCP packet types in 168B.
RST
17,452
RST/ACK
519,781
OTHER
Avg
Bytes
/Src
1.5K
Destinations
Avg
Pkts
/Dest
130
65,536
6.5K
100
24
304K
Scans
Packets
(Scans >
4K pkts)
521K (46)
90
X
X
X
%
Snort Alerts
Unique
Total
ACK
3,057
Ports
Total
Hosts
52,512
379,794
Sources
Avg
Pkts
/Src
23
58
80,961
95
1.4
341
Hosts
Avg
Bytes
/Dest
8.6K
53,769
143
9.3K
24.3K
1.8M
15,411
50
X
X
X
2
176
Table A5-3 - Statistics for all, the top 90%, and the top 50% of traffic in 168B.
277
15.8K
Protocol - Port/ICMP Type
UDP-
137
Packets
Packet %
Bytes
Byte %
3,437,748
40.2
268,147,878
47.6
14.4
1,688,090
19.8
81,324,677
TCP - 445
TCP- 135
787,759
9.2
38,162,440
6.8
packet
count,
in
168B.
and
UDP
traffic
by
TCP,
packet
types
across
ICMP,
Table A5-4 - Top 3
IP Destination
xx.168.88.0
xx.168.171.94
Packets
Packet %
Bytes
Byte %
471,637
5.5
19,445,706
3.5
72,452
0.9
3,498,028
0.6
xx.168.190.53
43,929
0.5
2,123,544
0.4
Table A5-5 - Top 3 destination IPs across all packet types by packet count, in 168B.
IP Source
65.93.159.190
Packets
169,930
Packet %
2.0
Bytes
13,254,540
Byte %
2.4
138.89.152.173
129.44.61.42
116,279
110,295
1.4
1.3
9,069,762
8,603,010
1.6
1.5
Table A5-6 - Top 3 source IPs across all packet types by packet count, in 168B.
Alert Count
Alert %
MS-SQL Worm Propagation Attempt
158,928
52.3
ICMP Ping NMAP
142,832
47.0
432
0.1
Alert Name
Short UDP Packet, Length Field > Payload Length
Table A5-7 - Top 3 alerts by alert count, in 168B.
81
..........
..................
Packets per hour versus time
300,000
-
X.18 .0
___
262,500
-
225,000
-
verageI
-
C.,
157,500
0
C1)
p.,
CD
150,000
13
IAA
112,500
A
[f~
J\A
-
-
[A
75,000
37,500
0
I
I
0
12
60
48
36
Time (in hours)
24
72
84
Figure A5-1 - Packets per hour versus time in 168B.
Bytes
per hour versus time
15,000,000
xz.168.0.0
- F:---average
13,125,000
-
11,250,000
0
A
9,375,000
7,500,000
-
CU
.1
5,625,000
-
-V\
3,750,000
1,875,000
0
0
12
24
36
48
Time (in hours)
Figure A5-2 - Bytes per hour versus time in 168B.
82
60
72
84
..............
Destination IP address index versus time in x168.0.0/16 (skip=100)
1. -- s
65,535
57,343
....L ...6-..
Am-A--An
.......,4-
IL
nu 49,151
-~
packet type
M
a
M
TCP
UIJDP
ICMP
mA.~rME~~
.',
a
-
V
II
3 r
rm
ti
40,969 -
.,424,575
-P
zA
- -4 -
~
32,767
n.e
L~I~
16,383
i
--
8,191
0
64
72
60
48
36
24
12
0
Time (in hours)
Figure A5-3 - Destination IP address index versus time in 168B.
Destination port versus time (skip=100)
packet type-count
0 UD)P
3,e31.gep
0
10000
-
a
-
+
SYN/ACK
252,3B0
ACK
3,057
EST
o 1000
-
T
V
100 I)
ED
a0]]
I
oJ
W
A=aw%
0
Ic
0
o ap8
0
0 C
D
'a
CU
0 MD M3
d.,fl=ff...Im.%o
0DM
^ n. A a
o
00
Co%
5
0
900
a
pow
e
10
|I
0
17,4e3
RST/ACK
-
1
SYN
3,81.O7P
I
I
12
I
24
I
36
I
I
48
I
Time (in hours)
Figure A5-4 - Destination port versus time in 168B.
83
|
60
1
|
72
1
i
84
'
I
TCP
OTHER
341
........ .. . ........
-
Total packets in each class C subnet in xx.168.0.0/16
i
i
500,000
437,500
-
375,000
-
.3312,500 ,.2
5 0 00 0
,
-
-A
E
157,500125,000
-
62,500
-
0-
160
128
96
Class C subnet index
64
32
0
224
192
Figure A5-5 - Total packets in each class C subnet in 168B.
Snort alerts versus time in xx.168.0.0
I
I
I
3CAN
ICMP
I
I
I
I
I
i
I
A
alerts/hour
E >0
>186
*
X
X
>373
*
X
X
X
X
>559
X
*
X
XK
X<
* >746
XX
X X
X
* >932
X
X
XX X >
* >1119
X X
X
* >1305
)>X X
X
X X0<
XK X
X X )t§CX
* >1492
X X>
X X
X
X
AK x> * >1678
X
X X
XX XX
MK X
>1865
U
wK X
X X
XX
>2051
X WK X >X
AK X
>2238
M)K<
X
X
XI<
XE(
* >2424
XXX
X > * >2611
X
X X)OK X
XX X
X X XX
X
X X X
datagrm deaode (1)
SEMP public access (2)
ICMP Dunreach Hast (5)
BYN pkt w/ data (8]
AP webtrands scanner (10)
bare byte unioada (141 X
X X
at! (181
snWP
X
SNMP trap top (281
?CP header lee > pkt (28)
ICMP Source quench (3SS
X
SNU request top (A)
ICUP DUnreach Net (40) X(
IP reserved b~t set (44)
?ORTSCAK>4086 pkta (AS] 9< XXX
TCP data uSed < 5 (75)
Part 5$ to <1024 1041]
X X
TCP part 0 (108)
101r arg packet (147) X
UnIL
Fw
(3o:
X X
X
X X
X
))WX8
X
redirect heat (Z18)
ICMP DUnreach (429
UD? lea > paylad (432)
IM? PING NMAP (142am,
X
X
X
X
XK X
X
X
X
X ANM X
W
X
X X8W
0
)
12
X
X
X
S
SCM
&E+
ts-SQL Worm (15=8805
X
X
24
36
48
Time (in hours)
Figure A5-6 - Snort alerts versus time in 168B.
84
60
72
84
A.6 - XX.204.0.0/16
Avg Rate
Peak Rate
Total
18,220
Packets
11,987,846
36
728,750
1,871
626,254,640
Bytes
Table A6-1 - Packet and byte statistics for 204B.
%TCP
87.1
74.1
%UDP
11.1
24.7
%ICMP
1.8
1.2
SYN
SYN/ACK
TCP TYPE
2,378,700
4,428,012
PKT COUNT
Table A6-2 - TCP packet types in 204B.
RST
15,958
RST/ACK
3,567,517
OTHER
2,247
ACK
1,513
378,074
Sources
Avg
Pkts
/Src
32
Avg
Bytes
/Src
1.7K
Destinations
Avg
Hosts
Pkts
/Dest
65,536
183
38,679
279
14.7K
45,198
239
12.2K
8.8M
7,034
31
194K
97
X
X
X
50
Table A6-3 - Statistics for all, the top 90%, and the top 50% of traffic in 204B.
852
39.0K
100
26
302K
Scans
Packets
(Scans >
4K pkts)
760K (53)
90
X
X
X
%
Snort Alerts
Unique
Total
Ports
Total
Hosts
53,030
18,470
Avg
Bytes
/Dest
9.6K
Protocol - Port/ICMP Type
Packets
Packet %
Bytes
Byte %
TCP - 445
1,643,270
13.7
79,141,390
12.6
55,645,126
8.9
9.7
1,159,156
TCP- 135
14.3
1,147,945
9.6
89,539,710
UDP - 137
Table A6-4 - Top 3 packet types across ICMP, TCP, and UDP traffic by packet count, in 204B.
IP Destination
Packets
Packet %
Bytes
Byte %
xx.204.171.140
64,601
0.5
3,121,276
0.5
2,634,288
0.5
54,053
xx.204.237.82
0.5
2,603,037
53,884
xx.204.47.46
Table A6-5 - Top 3 destination IPs across all packet types by packet count, in 204B.
0.4
0.4
IP Source
61.177.64.171
Packets
1,676,994
Packet %
14.0
Bytes
73,787,736
Byte %
11.8
61.152.91.151
211.204.30.94
1,096,223
520,458
9.1
4.3
43,849,916
24,981,984
7.0
4.0
Table A6-6 - Top 3 source IPs across all packet types by packet count, in 204B.
Alert Name
MS-SQL Worm Propagation Attempt
ICMP Ping NMAP
ICMP Destination Unreachable Communication Administratively Prohibited
Table A6-7 - Top 3 alerts by alert count, in 204B.
85
Alert Count
158,308
Alert %
52.4
141,336
46.8
458
0.2
..
..
....
.......
-....................................
...................
Packets per hour versus time
300,000
-
262,500
-
225,000
-
167,500
-
150,000
-
I0
I1)
.4.'
112,500
-
Ilk
---
x.204.0.0
average
-
At
Ak
-
-
75,000
37,500
0
0
12
60
48
36
Time (in hours)
24
72
Figure A6-1 - Packets per hour versus time in 204B.
Bytes per hour versus time
15,000,000
-
-- xx.204.0.01
-
0
13.125.000
-
11,250,000
-
9,375,000
A4 7,500,000
M
-
A
I
5,625,000
3,750,000
1,875,000
0
I
I
0
12
24
60
45
36
Time (in hours)
Figure A6-2 - Bytes per hour versus time in 204B.
86
72
84
-
average
Destination IF address index versus time in xx.204.0.D/16 (skip=100)
65,535
packet type
57,343
TCP
UDP
ICMP
0
N
'
.
'd49,151
p40,969
32,767
24,575
,
12
0
36
24
48
60
64
72
Time (in hours)
Figure A6-3 - Destination IP address index versus time in 204B.
Destination Dort versus time (skip=100)
paeket
type-ount
*
SYN
*
SYN/ACK
10000
-4-,
I-
0
1000
0
3,7,7
Aar
'S
-4-,
ii
100
II.)
10
0
1
'
0
I
I
12
24
I
I
I
36
48
Time (in hours)
Figure A6-4 - Destination port versus time in 204B.
87
1
60
36
2
72
64
TCP
OTHER
2,247
..........
.....
..........................
.................
......
Total packets in each class C subnet in xx.204.0.0/16
500,000
III-
I
437.500
-
375,000
-
S312,500-
o,250,000
-
E, 157,500-
125,000-
S2500
-7
LAA
O
-L-
32
C
96
64
160
128
224
192
Class C subnet index
Figure A6-5 - Total packets in each class C subnet in 204B.
Snort alerts versus time in xx.204.0.0
S
ardware type (X
X
Reserved IP protocol (1:
bare byte unicode (10
X
X
X
SYN pkt w/ data (IX: XX
X
X
SNP AgentiX (3: <K
X
X X
>
FIN (1:
X
XX
X
X XX
ICMP DUnreach Heet (26. X
XX
X
X
SNMP trap top (28:
'CP header len > pkt (a: X X X
XX X
WKX X
X
TOCP port 4 (28:.
X X
X< X
ICMP DUnreaeh Net (A0] X
XX
X XEXOOOX
X
EP reserved bit set (4?!
>0X XX X(
W
X
PORSCAN>40s pkta (63: W X X<
X
X
>WC
Stow request top (":
X
X
IM? Source Quench L4:
X X XX
XX
X XX
TCP data aofset < 5 (87,
add. overflow (123]
Hire
ICM? large packet (153) X
X
Port OZ to <aIR4 (m:
X
X
IMP redir ect host (3WB X X
XX X
UDP len > paoed (425
ICMP Utrneach (468
IcON PING NUAP (1435W x
WS-SQL Worm (15800W*
SCA
x
xx
>X
alerts/hour
K X
X
XX
X
xK
W
>)AK X
00
X
X >X
24
36
X
X
X
X
X
XI
X
MK
XX
>
X
XX(
X
X
48
88
)X:
A W
X4=2B W
MK8(
X
3K X
X
X
Time (in hours)
Figure A6-6 - Snort alerts versus time in 204B.
X
XX >W
m
12
W
"XX *XX<
XOXX
KK
X >W<
)K
X
X >0<
m
XX
,
X
/AC<
)0OCXXX
I
i
I
i
I
p
I
I
I
Inv
60
X
X XX
m
a
72
X0
X><
KX
84
*
*
*
*
*
*
M
*
a
*
*
*
>165
>371
>557
>743
>929
>1115
>1301
>1456
>1672
>18658
>2044
>2230
>2416
>2602
...................
A.7 - XX.229.0.0/16
Total
Avg Rate
Peak Rate
Packets
6,209,234
19
1,540
76,713
Bytes
382,977,523
1,144
Table A7-1 - Packet and byte statistics for 229B.
%TCP
75.1
57.7
%UDP
21.2
40.2
%ICMP
3.7
2.1
SYN
I SYN/ACK
TCP TYPE
PKT COUNT
3,785,241
283,895
Table A7-2 - TCP packet types in 229B.
RST
17,826
RST/ACK
523,502
OTHER
43
100
23
300K
Scans
Packets
(Scans>
4K pkts)
635K (50)
Avg
Bytes
/Src
373,498
Sources
Avg
Pkts
/Src
17
1.0K
Destinations
Hosts
Avg
Pkts
/Dest
95
65,536
90
X
X
X
118,494
47
3.0K
51,528
109
6.6K
1.5K
96.6K
9,107
50
X
X
X
3
2,113
Table A7-3 - Statistics for all, the top 90%, and the top 50% of traffic in 229B.
341
17.8K
%
Snort Alerts
Unique
Total
ACK
3,102
Ports
Total
Hosts
52,384
2,275
Avg
Bytes
/Dest
5.8K
Protocol - Port/ICMP Type
Packets
Packet %
Bytes
Byte %
TCP - 445
1,583,517
25.5
76,278,180
19.9
23.1
88,552,308
18.3
1,135,286
UDP- 137
TCP- 135
969,172
15.6
47,099,093
12.3
ICMP,
TCP,
and
UDP
traffic
by
packet
count,
in
229B.
Table A7-4 - Top 3 packet types across
IP Destination
Packets
Packet %
Bytes
Byte %
xx.229.251.176
484,057
7.8
19,973,460
5.2
9,331,825
193,626
3.1
xx.229.80.19
xx.229.140.73
102,853
1.7
4,968,571
Table A7-5 - Top 3 destination IPs across all packet types by packet count, in 229B.
2.4
1.3
IP Source
61.109.112.63
Packets
127,344
Packet %
2.1
Bytes
6,112,512
Byte %
1.6
83.129.81.10
61.152.108.4
118,905
118,194
1.9
1.9
6,183,060
4,729,532
1.6
1.2
Table A7-6 - Top 3 source IPs across all packet types by packet count, in 229B.
Alert Name
MS-SQL Worm Propagation Attempt
ICMP Ping NMAP
Short UDP Packet, Length Field > Payload Length
Table A7-7 - Top 3 alerts by alert count, in 229B.
89
Alert Count
158,061
Alert %
52.7
139,182
46.4
445
0.2
..................
..........
............
Packets per hour versus time
300,000
-
225,000
-
167,500
-
150,000
-
112,500
-
IU
p.,
L....
4.
1.
4.
4
L
~
I
~
T
-
262,500
I0
-4.
.7
U
p.,
AAI
75,000
average
---
xx229.0.0
average
-
IA-
-
37,500
xx.229.0.0
---
I
m
-r
-
0
0
12
24
60
36
45
Time (in hours)
72
84
Figure A7-1 - Packets per hour versus time in 229B.
Bytes per hour versus time
15,000,000
-
13,125.000
-
11,250,000
-
-
9,375,000
0
7,500,000
-
5,625,000
-
3,750,000
-
A
I
-
A!
A
\q
--
1,875,000
0
0
12
24
60
45
36
Time (in hours)
Figure A7-2 - Bytes per hour versus time in 229B.
90
72
84
A
-----.....
...
.................
...................
Destination IP address index versus time in xx.229.0.0/16 (skip=1001
65,535
-
.
.,
T. -
57,343
49,151 -
'
packet type
N TCP
U IDP
* ICMP
-X-
40,969 32,767
24,575
4)
-t
:
16 ,383
-iW
-6
0
24
12
V-P
72
60
48
36
Time (in hours)
54
Figure A7-3 - Destination IP address index versus time in 229B.
Destination port versus time (skip=100)
packet type-count
10000
S..
0
1000
j4~
A
-~
AA
0
0
%o00
000
0
oc
000
0i
0
0
OQ
10
|
l
I
I
i
1
0
12
o
SYN
3,7We,241
A
SYN/ACK
z2s,aw
+
ACK
S;A02
EST
17,8w6
TCP OTHER
43
0
0
UDP
1,317,737
RST/ACK
100
0
0
24
36
48
Time (in hours)
Figure A7-4 - Destination port versus time in 229B.
91
60
72
84
00.
--
-
-- I w
17 ....
.
.......
.........
................
................
- - -..-- . ..
Total packets in each class C subnet in xx229.0.0/16
i
500,000
I
'
- -
I
'
437,500 375,000 .0312,500 -
.250,000
0
-
157,500-
E
125,000
-
62,500
-
032
160
128
96
Class C subnet index
64
224
192
Figure A7-5 - Total packets in each class C subnet in 229B.
Snort alerts versus time in xx.229.0.0
SNMP
ICMP
x
Hart (11)
xiaeode (t11
X
X
X
X< X
W(
X
TCP port 0 (1491
Port 5S to <1024 (205)
ICILl lara, packst (21a)
ICMP radilrat hest (227
Heerved IF protoool (317:
INP DUnreadh (39)
UDP
len
>
><
X
X
X
X
X
xK
X )X
Xx >K
X
X >x
X
X
)<
X
S1w X
X MX0ox
& X
>
X
X
X
X
XX
X
X
X
X
X
XX
3xWXX
X)AC X X
XMX X
X X X X
>OX X 3
xx
W xx
X XX< X
X
>I<
MX
X
X
X
X
MS-SQL Warm (i5h0)
0)
X R
x<
X
XXX
x)X
X
X
X X
parload (445
NMAP (10132
MIK X
X
W
X<xxx
X
X XOK
data offset < 5 (o)
ICMP PING
X
X
pkte (0)0
SNMP request top (e8)
X
X
X
X
XXX<
POMNC5AN>40111
TCP
W
(2e)
SXMP trap top (32)
W resrved bit .et (47)
TCP header len > pkt (47)
><X
X
XX
X
12
24
60
36
48
Time (in hours)
Figure A7-6 - Snort alerts versus time in 229B.
92
X >
X
X
>X
X
X
X
SYN pkt w/ data (13)
ICUP Sauroa 4;uaneh (27:
IW DUnruach Net
X
X
Agentx (6)
DUareach
bare byte
I
I
I I
SCAN PIN (1)
X
72
54
alerts/hour
0 >0
M
>185
* >370
* >555
* >740
* >925
* >1110
* >1295
* >1480
* >1665
* >1850
>2035
>2220
* >2405
* >2590
A.8 - XX.243.0.0/16
Peak Rate
Total
Avg Rate
738
19
Packets
6,368,592
40,888
391,935,243
1,171
Bytes
Table A8-1 - Packet and byte statistics for 243B.
%TCP
76.8
60.0
%UDP
19.7
38.1
%ICMP
3.5
1.9
ACK
1,480
RST
15,470
RST/ACK
181,311
OTHER
21
SYN/ACK
SYN
TCP TYPE
151,263
4,491,391
PKT COUNT
Table A8-2 - TCP packet types in 243B.
%
Destinations
Scans
Ports
Sources
Avg
Hosts
Avg
Packets
Total
Hosts
Avg
(Scans >
Pkts
Bytes
Pkts
4K pkts)
/Src
/Src
/Dest
65,536
97
752K (56) 48,984 383,538
17
1.0K
301K
106
48
3.0K
53,977
X
16
120,112
X
195
16,329
1,343
2.4K
153K
3
X
X
- Statistics for all, the top 90%, and the top 50% of traffic in 243B.
Snort Alerts
Total
Unique
100
25
90
X
50
X
Table A8-3
Avg
Bytes
/Dest
6.0K
6.5K
11.1K
Protocol - Port/ICMP Type
Packets
Packet %
Bytes
Byte %
TCP - 445
1,647,118
25.9
79,324,868
20.2
21.5
16.9
84,054,438
1,077,621
UDP- 137
51,427,972
13.1
1,061,316
16.7
TCP- 135
Table A8-4 - Top 3 packet types across ICMP, TCP, and UDP traffic by packet count, in 243B.
IP Destination
Packets
Packet %
Bytes
xx.243.174.77
93,871
1.5
4,535,629
1,322,235
27,435
0.4
xx.243.172.166
0.4
1,321,513
xx.243.246.65
27,422
Table A8-5 - Top 3 destination IPs across all packet types by packet count, in 243B.
IP Source
211.243.194.82
83.129.66.115
61.35.241.4
Byte %
1.2
0.3
0.3
Packets
Packet %
Bytes
Byte %
689,308
119,435
66,429
10.8
1.9
1.0
33,086,784
6,210,620
3,188,592
8.4
1.6
0.8
Table A8-6 - Top 3 source IPs across all packet types by packet count, in 243B.
Alert Name
MS-SQL Worm Propagation Attempt
ICMP Ping NMAP
Short UDP Packet, Length Field > Payload Length
Table A8-7 - Top 3 alerts by alert count, in 243B.
93
Alert Count
158,555
Alert %
52.6
141,024
46.8
462
0.2
-.- .....
..
.............
........
Packets per hour versus time
300,000
7~3.o.O
-
262,500
-
225,000
-
~ag~J
167,500-
0
124
150,000
-
112,500
-
75,000
-
37,500
-
V
C.)
0-
AAl)
A~MA
q
0
ff ---
\j VT4JT- V V
60
45
36
24
12
72
84
Time (in hours)
Figure A8-1 - Packets per hour versus time in 243B.
Bytes per hour versus time
15,000,000
~
---
0
13,125,000
-
11,250,000
-
9,375,000
7,500,000
-
5,625,000
-
w
3,750,000
2
A
A,
A
-
A
/\A
jm l
-
1,875,000
0
0
12
24
60
45
36
Time (in hours)
Figure A8-2 - Bytes per hour versus time in 243B.
94
72
84
xx243.0.0
average
--
........................
Destination IF address index versus time in xx.243.0.0/16 (skip=100)
-
40,959
-
32,767
-
24,575
-
packet type
* TCP
- N
UDP
M ICMP
V
si*
b~h
-
~.. -_______________
lf~
-
4
a-fl !9 9! ~
$4
.
~
-E
aI
5'.*49,151
-4----
g 1-
I19
57,343-
M
jL...
J.~
65,535
~r~d~U ~
N
--
rd
14
-
I.
:
-
-
-
!-4
-.
-- -
-SA
16,383
-
6
-.4
f4
3J
8,191
0- r
0
-
"F
60
45
Time (in hours)
84
72
36
24
12
Figure A8-3 - Destination IP address index versus time in 243B.
Destination port versus time (skip=00j
p&Cket type-CoUnt
o UDP
7 ;_
11,1501,8
10000
jV
'Y-
11L a-
0
SYN
4,491,391
A
SYN/ACK
+
ACK
-I-,
1.
0
1000
'S
.4~4
15,470
4
0
RST/ACK
0
0
0
0
181.311
0
TCP OTHER
21
-
100
0
II)
000D0
0
001 M
00 0 K EJ
0=ICCOC00=iE 00 00 COW
0M0
0,
1113
CM 01
CCI 0
000
e-
0
JE M W
110 9IX
C13 a C
MM
OOZE>0 001M
C (W0
0 oo
00
CP
0
0
0
10-
~1
0
-
I
I
12
I
I
24
I
36
45
I
Time (in hours)
Figure A8-4 - Destination port versus time in 243B.
95
60
I
I
72
I
54
|
'
F
.
.......
--------------------------------.
.....
...................
Total packets in each class C subnet in xx.243.0.0/16
-
500,000
-
437.500
-
375,000
-
1
I
I
I
I
I
I
312,500.250,000 -
E, 157,500
-
125,000
-
62,500
-
0-
o
32
192
160
128
96
Class C subnet index
64
224
Figure A8-5 - Total packets in each class C subnet in 243B.
Snort alerts versus time in xx.243.00
i
X
datagrm decode (1)
Jnv hardware typs (9)
MF webtrend. ocanner (3)
bare byte unioade (3 X
TPrP Get (5)
>( X
SNMP AgentX ()
SYN pkt w/ data (9)
X
X
TCP part 0 (12)
X
ICMP DUnreach Bost (13)
X
X
ICMP Source Quah (22)
X
<
Xx=
-CP header l.n > pkt (3)
WR X
X
W,
ItP IlUnreach Not (33) W
X
XX X>)XOC
XX X
IP reserved bit set (S:
XX
SNMP request top (4)
X
X X X )X XX
XXx' X XX
PORTSCAN>40958 pkts (58) X > OK
X
X X X
X
)M
SMMP trap top (83)
X
EWare add. averflow (89)
Ao X<
X
X
TC? data offset < 0 (1o1
X
X
KCM large packet (8s X
CMP redirect hoAe (40)
ICMP DUnreach (97)
XX
X X
X X
UDF len > payliud (453)
ICM? PING XMAP (14104
*)M
MS-39L Worm (168564] WM+X
Unk.
X
X
<
)X
X
W
XXX<
X NW X
X
X
I
0)
elerts/hour
M >0
* >187
* >375
X
X X
X
* >562
X
) * >750
Xx
* >937
X
XX
* >1125
* >1312
* >1500
XX
X
* >1687
X
A)XC
A#< U >1875
X
I'xX
X X
>2062
X X ><
>2250
)
X
>2437
X(XX X <X X< X X X >< *
* >2625
XK YV<
X X
X
12
24
X
AM
I I
X
M]
X
36
48
Time (in hours)
96
X
>X
I
Figure A8-6 - Snort alerts versus time in 243B.
)
X
I
60
7
72
X
MK
84
li
..
..........
A.9 - XX.244.0.0/16
Avg Rate
Peak Rate
Total
12,029,925
36
12,690
Packets
508,750
Bytes
626,345,354
1,871
Table A9-1 - Packet and byte statistics for 244B.
TCP TYPE
SYN
SYN/ACK
PKT COUNT
4,590,350
2,039,287
Table A9-2 - TCP packet types in 244B.
100
24
302K
Scans
Packets
(Scans >
4K pkts)
972K (59)
90
X
X
X
%
Snort Alerts
Unique
Total
I
ACK
1,399
%TCP
87.5
74.7
%UDP
10.6
24.1
%ICMP
1.9
1.2
RST
17,314
RST/ACK
3,824,517
OTHER
2,174
397,024
Sources
Avg
Pkts
/Src
30
Avg
Bytes
/Src
1.6K
Destinations
Avg
Hosts
Pkts
/Dest
65,536
184
Avg
Bytes
/Dest
9.6K
48,597
223
11.7K
43,470
249
12.6K
907
41.6K
Ports
Total
Hosts
53,087
18,326
6,634
X
21
35
172K
7.9M
X
50
X
Table A9-3 - Statistics for all, the top 90%, and the top 50% of traffic in 244B.
Protocol - Port/ICMP Type
Packets
Packet %
Bytes
Byte %
TCP - 445
1,793,459
14.9
86,361,152
13.8
13.6
9.1
85,321,392
UDP- 137
1,093,864
8.4
1,088,412
9.1
52,728,327
TCP - 135
Table A9-4 - Top 3 packet types across ICMP, TCP, and UDP traffic by packet count, in 244B.
IP Destination
Packets
Packet %
0.3
xx.244.103.213
37,237
36,960
0.3
xx.244.214.245
30,026
0.3
xx.244.165.223
Table A9-5 - Top 3 destination IPs across all packet types by packet count,
Bytes
Byte %
1,808,922
0.3
1,785,738
1,454,028
in 244B.
0.3
0.2
IP Source
61.177.64.171
Packets
1,380,146
Packet %
11.5
Bytes
60,726,424
Byte %
9.7
61.152.91.151
220.78.67.194
1,223,757
495,142
10.2
4.1
48,952,460
23,766,816
7.8
3.8
Table A9-6 - Top 3 source IPs across all packet types by packet count, in 244B.
Alert Name
MS-SQL Worm Propagation Attempt
ICMP Ping NMAP
ICMP Destination Unreachable Communication Administratively Prohibited
Table A9-7 - Top 3 alerts by alert count, in 244B.
97
Alert Count
157,742
142,389
511
Alert %
52.2
47.1
0.2
Packets per hour versus time
300,000
-
262,500
-
-
225,000
-
-
.4.,
150,000
----
xx244.0.0
average
K>bI
-
187,500
0
---
-
A
t\A
-
112,500
h
A
75,000
37,500
0
0
12
24
46
36
60
72
84
Time (in hours)
Figure A9-1 - Packets per hour versus time in 244B.
Bytes per hour versus time
15,000,000
-
13,125,000
-
11,250,000
-
---
9,375,000M.
0)
7,500,000
-
el
k--
5,625,000
(V
if
i
I
I
i i
V
-
3,750,0001,875,000
i J i i i i iA1il 1
y
UJv
-
0-
,
0
I
I
12
24
46
36
Time (in hours)
Figure A9-2 - Bytes per hour versus time in 244B.
98
60
72
84
x.244.0.0
..
.........................
Destination IP address index versus time in xx.244.0.0/16 (skip=100)
65,535
packet type
57,343 -.
-
0
m
M
TCP
UDP
ICMP
S49,151-
w 40,959 S32,76724,575 16,383-
-
8,19100
54
72
60
48
36
24
12
Time (in hours)
IP address index versus time in 244B.
Figure A9-3 - Destination
Destination port versus time (skip=10O)
p&cket type-count
*
UDP
0
SYN
4,390,350
A
SYN/ACK
+
ACK
10000
0
1000
2,o3,287
1,399
NOT
17,314
&AA
RST/ACK
0
'S
1,Z74.019
3,824,517
AA-
TCP OTHER
A
-
100
4)
CMi]n
0
00fJ0ODifl
a
0
00W
3
O
0WW0O
0DOO 0
0a]i
0
0m
01 M Co 13
OW MMn~o
Lo
i
0
oo
To 0 li
11
00
,000
WtunO
[1 0
M
M
0
00 0 0
(E'
10-
1
I
0
I
I
I
I
I
12
24
36
48
Time (in hours)
Figure A9-4 - Destination port versus time in 244B.
99
60
72
54
- -...............
-,Cm
I ~~ ~~ ~ ~~~~ ~~~~~ ~~~
....
.......
....
Total packets in each class C subnet in xx.244.00/18
500,000
437.500
-
375,000
-
250,000,)~
E-
157,500
125,000
-
62,500
-
0-
224
192
160
128
96
64
32
0
Class C subnet index
Figure A9-5 - Total packets in each class C subnet in 244B.
Snort alerts versus time in xx.244.0.0
Reserved IP protocol (11
bare byte niode (4
UDP port 0 (7)
SUN FIN (a
X X
X
Source Quench (20:
len > pkt (21:
PORTSCAN>400 pkte (59) <X X))N0(
X
M? data offset < 5 (KI)
ICMP large paokaet (lMD) X
ICMP redirect host (348) X
UDP len > payload (442)
(UN? IUiirenoh ( 6
1CM? PKNG NWAP (142189
4t
FAIK:X
lAS-SQL Wwmo (1677A
0
X>X
X
>X
>
W
m
X *
XM0w X
MK
I
24
36
x
xx
X X
X
X
X
X
X XX
E
M3
48
Time (in hours)
Figure A9-6 - Snort alerts versus time in 244B.
100
X
~
X( X<
>0 X
X
X
X X
X
XX X
X
XX
X
12
X
X
xXCK
X
X E
XX
X
X
x
0X
XX
>WX
X
X<
X
X X XK
XX
X4K
I
X
X
)W
X
xx<
XOxVcWx
I
alerts/hour
>
X
X
XX X
XX
X
X XX
X
X
X
X
X X
ICMr DUnreach foet (35:
SUMP trap top1 (52
0
i
i
I
i
X
X XX
XX
X
X
X
X
X
TCP header
SNW request top (41)
IP reservud bit met (6a'
I
X
X
WMP DUkzeach Not (42)
TCP part 0 (45)
i
X
SYN pkt w/ data (0) C
SNMP AgentZ (20)
SCM
I
,
I
i
I
i
60
M
M
I
I
72
84
>WK
M
*
*
*
*
*
*
*
a
n
IN
>0
>186
>372
>558
*>744
>930
>1116
>1302
>1458
>1674
>1860
>2046
>2232
>2418
>2604
A.10 - XX.248.0.0/16
Total
Avg Rate
Peak Rate
Packets
7,216,170
22
3,300
Bytes
435,681,460
1,301
145,000
Table AIO-1 - Packet and byte statistics for 248B.
TCP TYPE
SYN
I SYN/ACK
PKT COUNT
5,279,886
157,363
Table A10-2 - TCP packet types in 248B.
I
ACK
2,250
%TCP
79.0
63.3
%UDP
17.8
34.8
%ICMP
3.2
1.9
RST
25,100
I RST/ACK
OTHER
208
185,049
455,334
Sources
Avg
Pkts
/Src
16
Avg
Bytes
/Src
957
Destinations
Hosts
Avg
Pkts
/Dest
65,536
110
161,093
40
2.5K
51,670
126
7.5K
50
X
X
X
3
3,845
938
62.8K
7,989
Table AIO-3 - Statistics for all, the top 90%, and the top 50% of traffic in 248B.
452
23.5K
100
25
295K
Scans
Packets
(Scans >
4K pkts)
637K (51)
90
X
X
X
%
Snort Alerts
Unique
Total
Ports
Total
Hosts
49,015
16
Avg
Bytes
/Dest
6.6K
Protocol - Port/ICMP Type
Packets
Packet %
Bytes
Byte %
TCP - 445
1,782,117
24.7
85,820,186
19.7
13.0
16.2
56,572,837
1,168,738
TCP - 135
19.9
15.4
86,747,466
UDP - 137
1,112,147
Table A10-4 - Top 3 packet types across ICMP, TCP, and UDP traffic by packet count, in 248B.
IP Destination
Packets
Packet %
Bytes
Byte %
xx.248.246.112
692,920
9.6
33,349,840
7.7
3.9
13,671,411
283,109
80,480
1.1
3,882,780
across all packet types by packet count, in 248B.
3.1
0.9
xx.248.134.58
xx.248.18.222
Table A 10-5 - Top 3 destination
IPs
IP Source
220.87.74.65
Packets
471,795
Packet %
6.5
Bytes
24,533,340
Byte %
5.6
83.129.66.115
68.72.89.180
114,492
60,719
1.6
0.8
5,953,584
2,914,512
1.4
0.7
Table A1O-6 - Top 3 source IPs across all packet types by packet count, in 248B.
Alert Name
Attempt
MS-SQL Worm Propagation
ICMP Ping NMAP
Short UDP Packet, Length Field > Payload Len gth
Table A10-7 - Top 3 alerts by alert count, in 248B.
101
Alert Count
157,516
Alert %
53.4
135,307
45.8
446
0.2
...............
Packets
per
hour versus time
262,500 -
-
225,000
-
-
0
157,500
-
-
I-
150,000
-
300,000
/
112,500
A
75,000
At A
LI-V
I\
xx.248.0.0
---
average
-----
-
37,500
0
0
12
24
60
45
36
Time (in hours)
72
84
Figure A10-1 - Packets per hour versus time in 248B.
Bvtes ner hour versus time
15,000,000
-
13,125,000
-
11,250,000
-
9,375,000
-
7,500,000
-
5,625,000
-
3,750,000
-
4'
/\
A
,- 'I V Q V ,
At
1,875,000 0-
i
0
i
12
24
60
45
36
Time (in hours)
Figure A10-2 - Bytes per hour versus time in 248B.
102
72
84
-
verage-
. .. .....
. .....
...
........
....
. ..
............................................
Destination IP address index versus time in xx.248.0.0/16 (skip=100)
65,535
packet type
"
*
57,343
TCP
D
IJDP
ICMP
49,151
40,959
Ai
32,767
14-
0
24,575
.-I
-T
16,383
-
,-
-
--
--
1-
^
-
-
8,191
i*
0
24
12
0
60
48
36
72
54
Time (in hours)
Figure A10-3 - Destination IP address index versus time in 248B.
Destination port versus time (skip=100)
p&.ket type-count
13 UDP
CAA
10000
0
A
%_____
lll
-.
o
1.288,101
SYN
A
SYN/ACK
+
ACK
5,279,B86
2,250
EST
28,100
1000
PST/ACK
185.049
-4
TCP OTHER
208
100
0o
4
0
00
C9 0
000 000
0
10
1
I
0
I
I
12
24
I
I|
48
600
36
Time (in hours)
Figure A10-4 - Destination port versus time in 248B.
103
7
72
84
.....
.
- .....................
.........
..............
...
. .....
.............
Total packets in each class C subnet in xx.248.0.0/16
.
500,000
-
437,500
-
375,000
-
312,500
-
d.260,00
-
I
-
E, 157,500125,000
-
62,500
-
0- I
)
I
I
I
I
32
I
I
'
I
224
192
160
128
96
Class C subnet index
64
Figure A10-5 - Total packets in each class C subnet in 248B.
Snort alerts versus time in xx.245.0.0
hardware type (a:
SYN pkt w/ data (0:
X
bare byte unioade (9
ONaP AgeutK (e:
X
DUOS matream (19:
ICMP DUnreach Host (a:
SCAN FIN (27:
SHMP trap top (2
ICMP Sure Qveneh (31:
ICWP sUnramh Not (39: *K
SNMP request top (4:
TCP part 0 (AS'
TCP header lei > pkt (AS'
IP resrad bit set (AS:
FORTSCAU>AOW pkt. (W1: XM
HSare ad& averflow (SO
TCP data affet < 5 (a3:
XX
X
XW
X
XX
XX
XX
X
XX
X
XX
X)K X X
X
XX >8X
)MM
X
X)3 WK< >NM@1C
NK
X X
X
x
I
12
X
X
WX
X
X
X
XX X >
>WE
X
X XX
AK >3
>DEKX
>X X
X< X
~xXX >x
X
X
X
X)imc
>X
XK
X
X
XX XX
XKX
XX
X
W*KWX
X
___
-
)
X
K
X
w
I
X
X
>WgKX
)XX
X
XX
X
X XX
X
X X
X
W
Reserved IF protocol (57:
X X
ICMP rcdireot heat (0oa:
ICM? DXnreach (489.
X
UDF lea > payload (440:
ICP PITNG NMAP (15WO8D I ___________________
MS-ML Worm (167516 FM*
I
X
X(
K
X
X
X
)0K
X
X
>Ox
X
VWCM largn packet (a#,: X
0-
alerts/hour
X
ITv
x.~
I
I
I
I
24
36
48
Time (in hours)
Figure A1O-6 - Snort alerts versus time in 248B.
104
60
72
84
*
*
*
*
*
*
*
*
*
*
>0
>184
>369
>554
>739
>924
>1108
>1293
>1478
>1663
>1848
U
>2032
>2217
>2402
*>2587
A.11 - XX.251.0.0/16
Total
Avg Rate
Peak Rate
Packets
5,548,817
17
1,350
Bytes
352,415,753
1,052
64,653
Table A1-1 - Packet and byte statistics for 251B.
%TCP
73.0
55.1
%UDP
23.1
42.8
%ICMP
3.9
2.1
TCP TYPE
SYN
SYN/ACK
PKT COUNT
3,651,252
149,694
Table A11-2 - TCP packet types in 251B.
RST
15,063
RST/ACK
180,622
OTHER
67
ACK
1,322
383,100
Sources
Avg
Pkts
/Src
14
Avg
Bytes
/Src
920
Destinations
Avg
Pkts
/Dest
65,536
85
139,494
36
2.3K
52,630
95
6.0K
X
2
3,214
863
61.4K
12,538
50
X
X
Table Al 1-3 - Statistics for all, the top 90%, and the top 50% of traffic in 251B.
221
12.4K
100
25
297K
Scans
Packets
(Scans >
4K pkts)
591K (43)
90
X
X
X
%
Snort Alerts
Unique
Total
Ports
Total
Hosts
49,015
12
Hosts
Avg
Bytes
/Dest
5.4K
Protocol - Port/ICMP Type
Packets
Packet %
Bytes
Byte %
TCP - 445
1,673,220
30.2
80,599,136
22.9
UDP-
1,106,091
19.9
86,275,098
24.5
846,056
15.3
41,066,937
11.7
137
TCP- 135
Table AlI-4 - Top 3 packet types across ICMP, TCP, and UDP traffic by packet count, in 251B.
IP Destination
xx.251.72.243
xx.251.5.1
xx.251.200.186
Table A1-5 - Top 3 destination IPs across all
Byte %
Packets
Packet %
Bytes
95,372
1.7
4,608,147
1.3
39,036
0.7
1,886,030
0.5
23,973
0.4
1,155,027
0.3
packet types by packet count, in 25 lB.
IP Source
217.94.211.66
Packets
114,762
Packet %
2.1
Bytes
5,508,576
Byte %
1.6
83.129.64.175
61.153.17.25
111,785
106,688
2.0
1.9
5,812,820
4,694,272
1.7
1.3
Table All-6 - Top 3 source IPs across all packet types by packet count, in 251B.
Alert Name
MS-SQL Worm Propagation Attempt
ICMP Ping NMAP
ICMP Destination Unreachable Communication Administratively Prohibited
Table Al1-7 - Top 3 alerts by alert count, in 251B.
105
Alert Count
157,331
137,691
397
Alert %
53.0
46.4
0.1
71
.....................
..................
..
........
....
.....
..................
Packets per hour versus time
300,000
4
L......
+ -i-----
+ -1----
+ -i-----
+
±
-
xx251O.0
--
average
262,500
225,000
157,500
-
150,000
-
0
.,
A
p
IV
10
r14
112,500
75,000
-
A
A
37,500
A
-
A
A!
0
0
45
60
36
Time (in hours)
24
12
72
84
Figure A1-1 - Packets per hour versus time in 251B.
Bytes per hour versus time
15,000,000
-
4
4
~-I------
4
-I------
+ -i------
~
+ -'----
T7::TLo21.]0
13,125,000
--
11,250,000
-
9,375,000
P4 7,500,000
-
M
5,625,000
A
3,750,000
-IJ
V
A
,
A
nX\ A A.
\)/Q
-
IK
A
1,875,000
0
0
12
24
60
36
45
Time (in hours)
Figure Al1-2 - Bytes per hour versus time in 251B.
106
72
64
V-
- - - --- - - - --
0
- -
--
- - - - --
. ................
......
..........
-............
.
. ..............................
Destination IP address index versus time in xx.251.0.0/16 (skip=100
65,535 iI
I
57,343
2- ----4 -i--- !- A..
I*.,'
Avg
.~
-
*e
M 49,151
4
I
I
-- .7P I .-
I
t
- *
4r
hr.-
-4
-
32,767
-
24,575
-
-MV
40,959
packet type
M TCP
- *
UDP
* ICMP
P
J.
-Ia
'4,
-it
-4
16,383
iU
-
8,191
-. -
4~,~
0
I
I
12
0
,
4
24
-
-
-
64
72
48
60
36
Time (in hours)
Figure AI1-3 - Destination IP address index versus time in 25 1B.
Destination port versus time (skip=100)
packet type-count
10000
*-W'I~~~~
*1
A.~
.~
3~
N+ -
~i_4-'
~
-
~
U
U~AL
'4Z~
-
1000
A
0
A
0
3
1 O 1O
O oME
COO
00
D ,
0 U C 0
00 dD0CQGD
0
000
01
D 01EI3
0 031 Jf
AD40 0
00
1
C
0
K(WDO 4co n
000=x0 ODD 00Ce5 DO COO
0/
000
10
1
0
12
24
60
48
Time (in hours)
36
Figure AtI-4 - Destination port versus time in 251B.
107
A
SYN/ACK
14s694
+
ACK
1,322
18.W822
-
100
J
SYN
RST/ACK
0
M E~ L
0
16,083
S
-A
[
UIYP
1.,27%544
I~AT' 74K 0
0
*D GM
0l
4~~24!
ki
72
64
0
'W:
TCP
8?
OTHER
------- ---
....
-- -- ----..............................
xx251.0.0/16
Total packets in each class C subnet in
500,000 ,I
437,500
-
375,000
-
250,000 E157,500
-
125,00 -
62,500
-
0
64
32
0
224
192
160
128
96
Class C subnet index
Figure All-5 - Total packets in each class C subnet in 251B.
Snort alerts versus time in xx.251.0.0
.
1
e
I
I
i
i
a
alerts/hour
0 >0
X
X
aw
(
XX
X
M<
XX
XXXM<
X
>X>XX X X
X
X
> K >wK
X
X
X X
X<X
>X x
WAx
12
24
X
XX X X
X
X
X
X
XX
X
>
X
X
>XX
XX
I)
X)>X
XX
X W
>)W X
>w
W X
>W>VK
MM
X X
X
W
X
X
IOM)CNQ>
IM
_____
48
Figure Al1-6 - Snort alerts versus time in 251 B.
108
60
>549
>732
>915
>1098
>1281
>1464
>1847
>1830
>2013
>2196
>2379
>2562
>UKEK
X
Time (in hours)
*
*
>183
>366
IKX >
X
XX
36
U
X
m
-]M
0
X
X
*
*
*
*
*
*
*
*
*
X
X
X
X
X X
X
XX
XX
X
X
X
>
X
X
X
X
bare byte unioade (9 X
>0<
X
SYM pkt w/ data (10
1CMP DUnreaoh Beat (17
ICWP Scarce Queah (29
X
AM(
SWMP trap top (30 X
X
X
TCP header len > pkt (20
X>O< X
X
SCAN FIN (33 K & X
X>XX
X
IMIP DUnreach Net (S4 X
X
X
SWPW request top (A2
X X X
X
PORTCAN>4000 pkta (43 K
Reserved IP proto=l (51
X
X
IP remred bMt met (54
X <X>X X
TCP part 0 (U4
X XK
Tcr data offset < a (au
OX XMK
X
ICHr large packet (190 X
X
'X
>X<
IC redirect h
(348 @ot
XX
UDP 14M > paylcad (3495
ICIP DUnremch (397
ICMP PING NMAP (157690
M3-iQL Worm (16751
0
.
i
e
X
XK
BIMP AguntX (6
i
I
.
datagrm decode (1
2ader, length field < 8 (1
UDP port 0 (a
Unk.
72
84
Appendix B:
Tables and Plots for Class C Subnets
109
110
B.1 - XX.55.145.0/24
Avg Rate
Peak Rate
Total
254
0.07
23,037
Packets
51,283
4.6
Bytes
1,415,624
Table B1-1 - Packet and byte statistics for 55.145C.
SYN
SYN/ACK
TCP TYPE
3,588
11,869
PKT COUNT
Table B1-2 - TCP packet types in 55.145C.
%
%TCP
76.3
58.2
%UDP
20.8
40.2
%ICMP
2.9
1.6
RST
32
RST/ACK
1,845
OTHER
0
ACK
27
Destinations
Sources
Ports
Scans
Hosts
Avg
Avg
Avg
Total
Hosts
Packets
Pkts
Bytes
Pkts
(Scans >
/Dest
/Src
/Src
16 pkts)
90
256
757
12
681
1,870
7.5K (30)
963
94
220
41
2.6K
512
147
X
X
119
97
308
18.8K
38
X
4
X
- Statistics for all, the top 90%, and the top 50% of traffic in 55.145C.
Snort Alerts
Unique
Total
6
100
X
90
50
X
Table BI-3
Avg
Bytes
/Dest
5.5K
5.8K
7.1K
Protocol - Port/ICMP Type
Packets
Packet %
Bytes
Byte %
TCP - 135
5,078
22.0
243,752
17.2
22.8
323,388
18.0
4,146
UDP- 137
5.9
83,044
7.5
1,724
TCP - 445
Table B1-4 - Top 3 packet types across ICMP, TCP, and UDP traffic by packet count, in 55.145C.
IP Destination
Packets
Packet %
Bytes
Byte %
xx.55.145.202
871
3.8
43,144
3.1
13,592
0.9
211
xx.55.145.143
10,266
0.9
206
xx.55.145.44
Table BI-5 - Top 3 destination IPs across all packet types by packet count, in 55.145C.
2.7
2.5
IP Source
61.152.241.175
61.234.250.206
Packets
970
890
Packet %
4.2
3.9
Bytes
42,696
38,692
Byte %
3.0
2.7
211.219.84.18
722
3.1
34,656
2.5
Table B1-6 - Top 3 source IPs across all packet types by packet count, in 55.145C.
Alert Name
MS-SQL Worm Propagation Attempt
ICMP Ping NMAP
Portscan > 16 Packets
Table BI-7 - Top 3 alerts by alert count, in 55.145C.
11
Alert Count
602
327
30
Alert %
62.5
34.0
3.1
......
.
...............
..............
.....
...................
Packets per hour versus time
14,D00
xx,55.140.0
--
..-
average
12.25010,500-~
o 8,750P 7,000V
5,2503,5001,750-
12
0
24
36
45
60
72
84
Time (in hours)
Figure B1-1 - Packets per hour versus time in 55.145C.
Bytes per hour versus time
700,000
-
'
--
612,500525,000-
: 437,500 350,000Pq
262,500 175,00087,500
0
12
24
36
46
Time (in hours)
Figure B1-2 - Bytes per hour versus time in 55.145C.
112
60
72
84
xxL.145J
- -average
-
................
..............
-.............
......................
Destination IP address index versus time in xx.55.1450/24
II
255
I
--
1-
--
223-
rL191
-
--- -
1270
-KC
95-
type
0 TCP
UDP
0 ICMP
-L
ii::
$-~
41-
-L
.1-~
I.-
1.)
63
I
-i
I
rpacket
711
-. -- a
-r
F I
!'j-1
1
z
- -1
31 -
0
I
I
I
45
36
Time (in hours)
24
12
0
60
84
72
Figure BI-3 - Destination IP address index versus time in 55.145C.
Destination port versus time
packet type-eount
y::
o UDP
4793
o
SYN
*
SYN/ACK
+
ACK
27
3,BB
AAAA
c~
oft
1000- 00 _
0
o 4=0-0 a
-
UASO
U00coo
A
A
Aorn 1
'N
tD0,4"
011
&Q0 wk
EST
32
A
-~
AA
RST/ACK
1.845
C29;
7CP OTHE!R
0
100
00 000 MO
0a 0
aoo
/
0)
0
0
0
0
a
C0oo 0A
0
0
0
0
ooODO
CI0
OL
0
GOu
0
oo
0
00 000
00
0
0
00-
10
1 -t
0
I
'
12
I
24
I
I
45
36
Time (in hours)
Figure B1-4 - Destination port versus time in 55.145C.
113
60
72
54
0:
-
............
.............................
.....
........
packets to each IP address in xx.55.145.0/24
Total
813-
.3
551
-
465 E 345
232-
A~AJkAAkAvWvc~L 4~MAJ 'J
116-
1
|
I
I
0
I
I
I
I
I
I
I
I
160
128
96
IF address index
64
32
192
224
Figure B1-5 - Total packets to each IP address in 55.145C.
Snort alerts versus time in xx.55.145.0
I
I
I
I
I
I
alerts/hour
* >0
Truno.
TCP optia 28 (1:
ICUP DUnreaah N
at (1:
1CM? DUnrmn
h (K1
PORTSCAN>I
pkta
(w
* >1
*
*
*
*
*
*
M
* >2
>3
>5
>6
>7
>8
>10
>11
*
>12
*
>16
X
X
X
X
K
X
X X X
>M><0<
XK
XX
XX>XX
X
*
ICMP PING NMAP
U1m
(n
M1-0qL Worm
0
12
I
I
I
(
24
36
48
Time (in hours)
Figure B1-6 - Snort alerts versus time in 55.145C.
114
I
60
72
84
>13
>15
>17
B.2 - XX.128.8.0/24
Total
Avg Rate
Peak Rate
Packets
858,412
2.7
1,050
Bytes
136,753,757
426
278,750
Table B2-1 - Packet and byte statistics for 128.8C.
TCP TYPE
SYN
SYN/ACK
8,175
791
PKT COUNT
Table B2-2 - TCP packet types in 128.8C.
%
%TCP
1.2
0.4
%UDP
98.6
99.5
%ICMP
0.2
0.1
RST
272
RST/ACK
967
OTHER
0
ACK
13
Snort Alerts
Unique
Total
100
7
90
X
50
X
Table B2-3
Scans
Ports
Sources
Destinations
Packets
Total
Hosts
Avg
Avg
Hosts
Avg
(Scans >
Pkts
Bytes
Pkts
16 pkts)
/Src
/Src
/Dest
2,907
4.5K (20)
985
2,437
352
56.1K
256
3.4K
X
X
1
84
9.2K
1.5M
1
840K
X
X
1
25
18.6K
3.5M
1
840K
- Statistics for all, the top 90%, and the top 50% of traffic in 128.8C.
Avg
Bytes
/Dest
534K
135M
135M
Protocol - Port/ICMP Type
Packets
Packet %
Bytes
Byte %
UDP - 1037
839,327
97.8
135,382,959
99.0
UDP- 137
5,599
0.7
436,722
0.3
TCP- 135
3,859
0.5
183,444
0.1
Table B2-4 - Top 3 packet types across ICMP, TCP, and UDP traffic by packet count, in 128.8C.
IP Destination
Packets
Packet %
Bytes
Byte %
xx.128.8.14
840,247
97.9
135,479,180
99.1
xx.128.8.82
848
0.10
41,468
19,942
350
0.04
xx.128.8.33
Table B2-5 - Top 3 destination IPs across all packet types by packet count, in 128.8C.
0.03
0.01
IP Source
192.12.94.30
Packets
58,592
Packet %
6.8
Bytes
2,368,412
Byte %
1.7
192.55.83.30
192.42.93.30
42,695
39,887
5.0
4.7
1,828,498
1,629,782
1.3
1.2
Table B2-6 - Top 3 source IPs across all packet types by packet count, in 128.8C.
Alert Name
Short UDP Packet, Length Field > Payload Length
MS-SQL Worm Propagation Attempt
ICMP Ping NMAP
Table B2-7 - Top 3 alerts by alert count, in 128.8C.
115
Alert Count
1,602
630
584
Alert %
55.1
21.7
20.1
..
..
...
. --..
...
.....
....
...
.. ....
...
.
Packets per hour versus time
45,000
-
39,375
-
33,750
-
28,125
-
22,500
-
-
16,575
-
-
11,250
-
xx.128.8.0
---
_
average
-
A
A
AA
A
-
A
5,625
0
0
12
24
60
48
36
Time (in hours)
72
84
Figure B2-1 - Packets per hour versus time in 128.8C.
Bytes per hour versus time
5,300,000
-
4,637,500 3,975,000
3,312,500
-
2,650,000
-
P4
0
K
A
1,957,500
1,325,000
-
-
A
662,500
0
0
12
24
60
45
36
Time (in hours)
Figure B2-2 - Bytes per hour versus time in 128.8C.
116
72
84
average
- -..
0 NO MEMEN
9; -
- I -
-
- ------------------------------ ------------"-LLLLL LL--- --
-
____
Destination IP address index versus time in xx.128.5.0/24
255 I
)
223 -
-4
-4-
I I
rpacket
I
I
I
I
-
1
..
191-
I *t
LZ
169
0i
LZ
0)
127-
-F
-
I s A~
-
-
41
S-
I
JiJ
;.
If
I...
31A.1
? I -*.
:f: '.I.J-4
7*,,--0 I{]
I
I
I
I
I
12
I
36
24
l
:1~
~
.~
-
-~i
I~
£~I1~-
1
1d
1
I
"A
,
-1
0
--P -I
-j -.'-..
TAU
-~.
4
*1.
83
type
N TCP
UDP
M ICMP
48
Time (in hours)
60
I
84
72
Figure B2-3 - Destination IP address index versus time in 128.8C.
Destination port versus time
packet type--count
C3
UOP
0
SYN
W75
A
SYN/ACK
+
ACK
t3
848.157
10000
A
z
<M0
0
0
0
1000
4o
CDD 0
7sn
NST
A-
RST/ACK
967
0
0
TCP OTHER
0
100
cy0 Cow CM 0UKNF
3
0A
Do a
:3D0 CD
3
0D
0
0 0
0
00 00
0
o 00 0 oXDm anmGL cNm0 CX)UI 00
0
0
El00)0
c
098 0 0 0
0 a:00
0
OD
0 in
O
aDflACEa
0
0
0
0
0
0
0
000
CODO 0 000
10
1
I
0
I
12
I
I
I
24
36
.
,
48
I
Time (in hours)
Figure B2-4 - Destination port versus time in 128.8C.
117
i
60
i
72
i
84
-
Total packets to each IP address in xx.28.8.0/24
I
I
I
850,000-
743,750-
637,500
-
531,260
-
6,425,00O
-
.
a.)
E, 318,750-
212,500
-
106,250
-
0)
224
192
160
128
96
64
32
IF address index
Figure B2-5 - Total packets to each IP address in 128.8C.
Snort alerts versus time in xx.128.8.J
SNIP
Xx
trap to
PO4TSCAN>11S
20 X
pkcto
1CM! DUrenc
ICMP
PING
MS-SQ.
I
I
I
II
I
MAP
X
><
X
XX
(07:
X<X
X XX
1K
X
X
X
X
X
X
(614
W>arm
X
CII? lon> payload 1602]
0-
I
0
12
24
I
I
I
60
45
36
Time (in hours)
Figure B2-6 - Snort alerts versus time in 128.8C.
118
I
72
I
84
alerts/hour
* >0
* >106
* >213
* >320
* >427
* >534
* >640
* >747
* >854
* >961
* >1068
>1174
>1251
* >1388
* >1496
B.3 - XX.198.188.0/24
Avg Rate
Peak Rate
Total
353
1.8
584,973
Packets
74
16,896
24,797,791
Bytes
Table B3-1 - Packet and byte statistics for 198.188C.
SYN/ACK
SYN
TCP TYPE
138,992
39,605
PKT COUNT
Table B3-2 - TCP packet types in 198.188C.
100
9
941
Scans
Packets
(Scans >
16 pkts)
6.8K (22)
90
X
X
X
%
Snort Alerts
Unique
Total
%TCP
98.0
95.9
%UDP
1.1
2.8
%ICMP
0.9
1.3
RST
208
RST/ACK
392,590
OTHER
17
ACK
1,852
8,672
Sources
Avg
Pkts
/Src
67
Avg
Bytes
/Src
2.9K
59
8.9K
368K
Ports
Total
Hosts
13,323
8,196
Destinations
Hosts
Avg
Pkts
/Dest
2.3K
256
1
2.OM
1
6
49.3K
X
2,339
X
50
X
Table B3-3 - Statistics for all, the top 90%, and the top 50% of traffic in 198.188C.
Avg
Bytes
/Dest
96.9K
537K
22M
537K
22M
Protocol - Port/ICMP Type
Packets
Packet %
Bytes
Byte %
TCP - 445
16,871
2.9
812,605
3.3
1.8
450,840
1.0
5,780
UDP- 137
1.2
305,967
0.8
4,500
ICMP - Destination Unreachable
Table B3-4 - Top 3 packet types across ICMP, TCP, and UDP traffic by packet count, in 198.188C.
IP Destination
Packets
Packet %
Bytes
Byte %
xx.198.188.220
537,113
91.8
22,108,578
89.2
xx.198.188.96
16,798
2.9
811,838
3.3
xx.198.188.6
14,961
2.6
722,049
2.9
Table B3-5 - Top 3 destination IPs across all packet types by packet count, in 198.188C.
IP Source
61.152.108.4
Packets
106,312
Packet %
18.2
Bytes
4,254,316
Byte %
17.2
210.245.191.90
61.129.70.220
61,258
47,611
10.5
8.1
2,450,332
1,938,756
9.9
7.8
Table B3-6 - Top 3 source IPs across all packet types by packet count, in 198.188C.
Alert Name
Attempt
Worm
Propagation
MS-SQL
ICMP Ping NMAP
TCP Port 0 Traffic
Table B3-7 - Top 3 alerts by alert count, in 198.188C.
119
Alert Count
624
229
30
Alert %
66.3
24.3
3.2
....
...................
Packets per
hour versus time
14,000
12,250
-
10,500
-
0 8,750
-
P4 7,000
-
5,250
-
xx1-8.188.0
___average
-
3,500
1,750
0
0
12
24
36
60
48
72
84
Time (in hours)
Figure B3-1 - Packets per hour versus time in 198.188C.
Bytes per hour versus time
700,000--
612,500
-
525,000
-
437,500
-
a 350,000
-
tl
A
0262,500 -
175,000
-
87,500
-
0-
I
1
0
14
7
12
24
60
36
453
Time (in hours)
Figure B3-2 - Bytes per hour versus time in 198.188C.
120
72
84
-average
......................
..........
......
.....
Destination IP address index versus time in xx.19818B.0/24
'
255
.
223 -
,
q
127
4-)
t -
41
liii.'
Ii
-i
0.
0
I I I
12
IF
* Ii
0
TCP
m
_
UDP
ICMP
.
r
II
60
45
36
24
-
--
-
31
packet type
'I
~'
--
f
- j
4~
63
It
*IiiiI
..i~.
~
-
M
~F
I~I
95
4-..
- -
1!~
I~I~
I.'
F I
-
-4
-
.
p . -
-
-
I
191 -1-
159
f...1
.1 .
R j...-
i~
84
72
Time (in hours)
Figure B3-3 - Destination IP address index versus time in 198.188C.
Destination port versus time
pmcket type-eouat
.
10000
o
UDP
5A34
0
A
SYN
39*5
SYN/ACK
+
ACK
-
-
1aggz
1,862
1000
EST
0,
RST/ACK
392.90
-
7
100
0 00
A
10f
o
0
00
0
0
0
:1
1
0
12
24
36
48
Time (in hours)
Figure B3-4 - Destination port versus time in 198.188C.
121
60
72
54
TCP
17
OTHER
.............
Total packets to each I? address in xx.198.18.0/24
540,000 II
I
I
I
I
I
I
.
472,500 405,000
-
337,500 -
.5
. 270,000 -
E
202,500
-
135,000
-
67,500
-
II
224
A
IA
96
64
32
a
192
160
128
IP address index
I
Figure B3-5 - Total packets to each IP address in 198.188C.
Snort alerts versus time in xx.198.188.0
I
UDP
IJn >
TCP header
I
I
I
I
I
I
I
I
I
I
X
X
len > pkt (X
X
X
IP reserved bit ast (2
POR1Y.UAG
X
X X
XK
pkts (21:XXX
X
>X
XX
XX
XK X
X
ICP DUnresah (22 :
<W X
Tc? porI 0 (00
X
XX
-A-;!1
OMN~3E
X
X
XX X X
X
XX X
X
X X ><
A
XX
X
X
X X
XX X
>XX
XXI
X
ICMP FING INMAP (Mg
V,>0GAGMDK=Ao
MS-SQL Worin (6d2
0
o
I
II
12
24
36
I
B3-6 - Snort alerts versus time in 198.188C.
122
I
I
45
Time (in hours)
Figure
I
alerts/hour
payload (1
M? requet t.op (2
I
I
60
I'
72
54
*
*
>7
>9
*
*
>10
*
*
>11
>12
>13
>14
>15
B.4 - XX.209.239.0/24
Total
Avg Rate
Peak Rate
Packets
23,029
0.07
235
Bytes
1,473,260
4.7
11,280
Table B4-1 - Packet and byte statistics for 209.239C.
TCP TYPE
SYN
SYN/ACK
417
13,811
PKTCOUNT
Table B4-2 - TCP packet types in 209.239C.
100
4
1,408
Scans
Packets
(Scans >
16 pkts)
6.4K (28)
90
X
X
X
%
Snort Alerts
Unique
Total
Ports
Total
Hosts
482
10
%TCP
65.3
49.1
%UDP
30.1
48.6
%ICMP
4.6
2.3
RST
38
RST/ACK
527
OTHER
0
I
ACK
8
2,397
Sources
Avg
Pkts
/Src
10
Avg
Bytes
/Src
615
751
28
1.8K
Destinations
Hosts
Avg
Pkts
/Dest
256
90
223
50
X
X
X
2
41
285
18.2K
105
Table B4-3 - Statistics for all, the top 90%, and the top 50% of traffic, in 209.239C.
Avg
Bytes
/Dest
5.8K
93
6.0K
110
7.0K
Protocol - Port/ICMP Type
Packets
Packet %
Bytes
Byte %
TCP - 135
5,959
26.0
291,360
19.8
137
5,898
25.6
460,044
31.2
TCP - 3127
3,200
13.9
153,708
10.4
UDP-
Table B4-4 - Top 3 packet types across ICMP, TCP, and UDP traffic by packet count, in 209.239C.
IP Destination
Packets
Packet %
Bytes
Byte %
xx.209.239.167
695
3.0
35,064
2.4
xx.209.239.5
xx.209.239.154
Table B4-5 - Top 3 destination
IPs
15,237
369
1.6
249
1.1
12,558
across all packet types by packet count, in 209.239C.
1.0
0.9
IP Source
221.160.90.43
Packets
734
Packet %
3.2
Bytes
35,232
Byte %
2.4
67.82.117.166
84.171.134.66
691
611
3.0
2.7
33,168
29,328
2.3
2.0
Table B4-6 - Top 3 source IPs across all packet types by packet count, in 209.239C.
Alert Name
ICMP Ping NMAP
MS-SQL Worm Propagation Attempt
Portscan > 16 Packets
Table B4-7 - Top 3 alerts by alert count, in 209.239C.
123
Alert Count
784
593
28
Alert %
55.8
42.1
2.0
.............
................
.....
.
......
......
per
Packets
14,000
hour versus time
----
xx209.239.0
-_---
average
12,25010,500-
o 8,750P, 7,000w
0 5,2503,5001,750-
0
12
24
36
45
60
72
84
Time (in hours)
Figure B4-1 - Packets per hour versus time in 209.239C.
Bytes per hour versus time
700,000-
-
-__
612,500525,000--
437,500 r.
350,000262,500 175,00087,500\-
0
12
24
NI'---36
48
Time (in hours)
Figure B4-2 - Bytes per hour versus time in 209.239C.
124
60
72
84
xx209239.0
average
Destination IP address index versus time in xx.209.239.0/24
~
255
__
223191
1-4
no
>i
I
JJ
LL1
-
I
-
t
______________
packet type
i
.-
--
0 TCP
U DP
-
ICMP
I
-
159-
-I
127-
..j.
-
S.
-'j
0
95-
M.
:41
-
63-
JL
31
--
:1
-
0
12
0
60
48
36
Time (in hours)
24
-
84
72
Figure B4-3 - Destination IP address index versus time in 209.239C.
Destination port versus time
I
I II I
I
I
I
I
I
I
Ia I
A
a00
o
00IC
we o
0
04,
0
paoktet
0
0
0
A
type-COIunt
0 UDP
6.9Z7
A e
A
0
0
SYN
13,811
A
SYN/ACK
+
ACK
aS
EST
38
i
417
> 0MAm
r.
1000
-
0
ow
A
0
0
A
AM:0A
j&
0
0
0
a 00 000M DcD
0
CAD
* CO0
0
0
0
V*Cb
AA
0
0000
A
0
RST/ACK
527
0
41
:1 9=PM~wMMwt0 naw
100
M OOM
00
O
0
00 CU
0
E
S
00
on0
0
0
MC3 MI
0
a000
o aWQ M
Ol C0aflMO 0 CM
0
£1
0
0
0l
0
0c
0
(P
0
0
0wU
110MM C~~in
0 000 =
10-
I
o
I
12
24
36
48
Time (in hours)
Figure B4-4 - Destination port versus time in 209.239C.
125
60
1
I
72
1
84
TCP OTHER
0
.........
..
..
........
..........
...
Total
780
-
665
-
570
-
packets to each IP address in xx.209.239.0/24
475 -
.
1,380 0
E- 2135 19095-
160
128
96
64
32
)
-
.
,
0-
192
224
IF address index
Figure B4-5 - Total packets to each IP address in 209.239C.
Snort alerts versus time in xx.209.2390
I
I
I
alerts/hour
UDP
len
>
payload (V
PORTSCAN>16 pkta (28'
XX
X<
X
X
X
X
X
X ><XX
X >X
X
0
*
*
*
*
*
*
*
*
*
*
>0
>1
>2
>3
>4
>6
>7
>8
>9
>10
>12
>13
>14
*
*
MS-SQL Worm (5231
ICM? PING NMA? (704
0 -r
01
*
'
i
2
I
I
24
45
36
Time (in hours)
Figure B4-6 - Snort alerts versus time in 209.239C.
126
60
I
I
72
54
>15
>16
B.5 - XX.218.68.0/24
Peak Rate
Avg Rate
Total
1.5
280
504,197
Packets
13,428
75
24,810,656
Bytes
Table B5-1 - Packet and byte statistics for 218.68C.
100
90
7
X
1,226
X
Scans
Packets
(Scans >
16 pkts)
4.9K (18)
X
50
X
X
X
Snort Alerts
Total
Unique
%UDP
1.1
2.5
%ICMP
0.1
0.1
RST
485
RST/ACK
968
OTHER
2
ACK
10
SYN
SYN/ACK
TCP TYPE
892
495,351
PKT COUNT
Table B5-2 - TCP packet types in 218.68C.
%
%TCP
98.8
97.4
36,964
21,485
Sources
Avg
Pkts
/Src
14
21
Avg
Bytes
/Src
671
5,051
50
2.5K
Ports
Total
Hosts
870
1
1
1.0K
Destinations
Hosts
Avg
Pkts
/Dest
256
2.0K
486K
1
1
486K
Avg
Bytes
/Dest
96.9K
24M
24M
Table B5-3 - Statistics for all, the top 90%, and the top 50% of traffic, in 218.68C.
Protocol - Port/TCMP Type
Packets
Packet %
Bytes
Byte %
TCP - 4662
486,016
96.4
23,589,016
95.1
UDP - 137
4,629
0.9
361,062
1.5
TCP - 445
3,693
0.7
178,218
0.7
Table B5-4 - Top 3 packet types across ICMP, TCP, and UDP traffic by packet count, in 218.68C.
IP Destination
Packets
Packet %
Bytes
Byte %
xx.218.68.212
486,226
96.4
23,599,560
95.1
2,869
0.57
138,901
xx.218.68.7
0.05
9,702
229
xx.218.68.20
Table B5-5 - Top 3 destination IPs across all packet types by packet count, in 218.68C.
0.56
0.04
IP Source
217.217.141.2
Packets
702
Packet %
0.14
Bytes
33,696
Byte %
0.14
82.235.3.100
219.54.84.76
522
488
0.10
0.10
25,056
23,424
0.10
0.09
Table B5-6 - Top 3 source IPs across all packet types by packet count, in 218.68C.
Alert Name
MS-SQL Worm Propagation Attempt
ICMP Ping NMAP
Ports can > 16 Packets
Table B5-7 - Top 3 alerts by alert count, in 218.68C.
127
Alert Count
630
Alert %
51.4
571
46.6
18
1.5
- - -- ----
#bm
I
--
-
-
-
---
............
.............................
......
. . .....
.
.........................
Packets per hour versus time
14,000
0
-
12,250
-
-
10,500
-
-
8,750
-
-
7,000
-
-
---
_
xx28.8.0
average
CI
.i11
5,250
3,500
1,750
0
0
12
12
45
36
24
84
72
60
Time (in hours)
Figure B5-1 - Packets per hour versus time in 218.68C.
Bytes per hour versus time
'
700,000
'
'
'
'
'
'
'
'
'
'
'
'
''
- --
612.500
525,000
:0 437,500
350,000
K
P,
262,500
175,000
87,500
0
0
12
24
60
48
36
Time (in hours)
Figure B5-2 - Bytes per hour versus time in 218.68C.
128
72
84
average
--
M
..............
....
......
-
Aft
Destination IP address index versus time in xx.21B.58.0/24
I
255
223
-
191
-
I
:*.
.Ii'
.
A
iii
I
*1
I
I
159127-
I
I-
95I
- - i,
63-
-
I
Ij
1-4
0
I
I
-
.rn..
~
---
.1'
1'
packet type
0 TCP
1JDP
M ICMP
Pi
I
-< -
4
31 0 ---.
0
-n
-
--l.aA
.1
-
ai
36
24
12
I
60
45
54
72
Time (in hours)
Figure B5-3 - Destination IP address index versus time in 218.68C.
Destination port versus time
I
I
I
I
I
I
I
I
I
I
I
I
I
I
I
p&oket type-eount
0 UDP
S44
10000 -
6A-
Q
&
A~
4J
1000
-
010
A
A
-
A
SYN/ACC
+
ACK
a
EST
-
485
-
RST/ACK
988
7
100
000
C
000
0
00
mom~
0
:D
0
O'fl00
0
00
ca
0
0
M
0
0
Q>
0
000'f
0
0
0Q
0
E
:
00 0
(0)
10
-
0
-
I
12
I
I
24
I
I
36
1
1
45
Time (in hours)
Figure B5-4 - Destination port versus time in 218.68C.
129
60
72
54
'CF OTHER
2
Total packets to each IP address in xx.21i.68.0/24
490,000
-
428,750
-
367,500
-
.W 306,250
-
I
I
192
224
I
E,245,000 0
E
153,750122,500
-
61,250
-
0)
128
96
64
32
160
1
IP address index
Figure B5-5 - Total packets to each IP address in 218.68C.
Snort alerts versus time in xx.218.68.0
I
TTL limit
II
i
I
I
alerts/hour
0 >0
* >1
* >2
* >3
* >4
* >5
* >6
>7
*
* >8
>9
*
xceded (1
7IP data offset < 5 (1
X
ICMP WnDreah (2
UDP an > payloa
PORTS|CAe
a
>10
a
>12
>13
>14
X
(
X X
pkto (17
X
X
X
X XX<
X
X<
X
*
ICMP INr NMAr (70
ACWINM'AN
489MMOOa 0 -122KSIOIM
MS-SQL Worm (630
0 -
0
1
24
60
48
36
Time (in hours)
Figure B5-6 - Snort alerts versus time in 218.68C.
130
72
84
O
>11
B.6 - XX.220.236.0/24
Packets
Bytes
Total
9,223
Avg Rate
0.03
Peak Rate
454
%TCP
57.9
%UDP
36.4
%ICMP
5.7
737,756
2.8
55,350
34.5
63.2
2.3
RST
24
RST/ACK
516
OTHER
0
Table B6-1 - Packet and byte statistics for 220.236C.
TCP TYPE
SYN
SYN/ACK
PKT COUNT
4,143
470
Table B6-2 - TCP packet types in 220.236C.
%
ACK
4
Snort Alerts
Unique
Total
100
5
90
X
X
50
Table B6-3
Scans
Ports
Sources
Destinations
Avg
Hosts
Avg
Packets
Total
Hosts
Avg
(Scans >
Pkts
Bytes
Pkts
16 pkts)
/Src
/Src
/Dest
36
7
548
256
1.9K (9)
408
1345
928
37
X
36
614
14
1.1K
222
X
13.9K
106
44
2
26
182
X
X
- Statistics for all, the top 90%, and the top 50% of traffic in 220.236C.
Protocol - Port/ICMP Type
UDP-
137
Avg
Bytes
/Dest
2.9K
3.1K
3.6K
Packets
Packet %
Bytes
Byte %
2,700
29.3
210,600
28.6
14.5
2,188
23.7
106,824
TCP - 135
4.5
681
7.4
32,936
TCP - 445
Table B6-4 - Top 3 packet types across ICMP, TCP, and UDP traffic by packet count, in 220.236C.
IP Destination
Packets
Packet %
Bytes
Byte %
xx.220.236.113
112
1.2
6,750
0.9
108
1.2
4,796
xx.220.236.111
4,624
93
1.0
xx.220.236.130
Table B6-5 - Top 3 destination IPs across all packet types by packet count, in 220.236C.
0.7
0.6
IP Source
83.129.46.113
24.72.12.113
Packets
444
431
Packet %
4.8
4.7
Bytes
23,088
20,688
Byte %
3.1
2.8
66.135.248.40
242
2.6
11,616
1.6
Table B6-6 - Top 3 source IPs across all packet types by packet count, in 220.236C.
Alert Name
MS-SQL Worm Propagation Attempt
ICMP Ping NMAP
Portscan > 16 Packets
Table B6-7 - Top 3 alerts by alert count, in 220.236C.
131
Alert Count
627
Alert %
97.6
286
30.9
9
1.0
.. .
..
...........................
. ...
.........
..
...........
.
Packets per hour versus time
14,000 -
---
-
xL.220.236.0
average
12,25010,500-
o 8,750P,
7,000-
J
5,2503,5001,750-
0
12
24
36
45
Time (in hours)
60
72
84
Figure B6-1 - Packets per hour versus time in 220.236C.
Bytes per hour versus time
700,000-
'xx220236.0
-
612,500-525,000--
p
437,500 -
) 350,000S262,500
175,00087,5001
0-
0
12
24
36
Ca
48
Time (in hours)
Figure B6-2 - Bytes per hour versus time in 220.236C.
132
60
72
84
_--
average
Destination IP address index versus time in xx.220.236 .0/24
I
255
I
-!i
packet type
-~
~-
223191
-
--
- --
-
P-
N
*
1
_*
ICMP
I-I
-
-A
fo
0
TCP
UDP
-I
95
-
tf-.~I
127-
~
- - -
-
-
-
L-
~4I
-l-
1
-
li-t
-31-
0
84
72
60
48
36
Time (in hours)
24
12
Figure B6-3 - Destination IP address index versus time in 220.236C.
Destination port versus time
i
10000
I
I
I
I
packet type-count
0 UDP
t, I A
74
X
A
AO0 0
0 04
OD
0
O~
o
~
0
0 G1
000
0
&
M
a
4A0
A
aA
A
E
'W1-
00
Ca. 6D0 -~AM
OD00
A
AA
A
SYN
4,143
A SYN/ACK
0
+
,h...
1000-
I
SA
D
-+
I
C
]
4
a
ACK
4
IMM,
0
4&
EST
0
RST/ACK
516
0IUTW
100~
EP
U
0
omoco 000 ao
on co oM =0
0
0
0 01
in.
000
inm
+
0
0
ok
00
a
oM
.
0 0
10
1 i
0
I
I
12
I
I
24
I
I
I
48
36
Time (in hours)
Figure B6-4 - Destination port versus time in 220.236C.
133
TCP
0
Conoaoom ao
0
0
7
o0I
Oeninnain
me
0I OD
cIean
I
I
I
60
72
84
OTHER
.....
...
Total packets to each IP address in xx.220.238.0/24
130
I
I
-
I
I
I
I
192
224
I
I
11397
-
45
-
32
-
Co
0
4 1
44
400
0
0
32
64
96
126
160
IP address index
Figure B6-5 - Total packets to each IP address in 220.236C.
Snort alerts versus time in xx.220.236.0
PORTSCANI>1
I
t
I
I
I
alerts/hour
* >0
* >1
* >2
* >3
* >4
* >5
* >6
* >7
* >9
* >10
(
UVr 1ie > payla4
ICMP DUnreac
I
I
I
I
X
(
pkt. (2
XX
X
X
>0(
1
X
X
*
*
ICWP PING NMAP (210
MS-SQL
Worm
0
I
0
I
I
I
I
12
24
36
48
Time (in hours)
Figure B6-6 - Snort alerts versus time in 220.236C.
134
60
72
54
>11
>12
>13
>14
>15
B.7 - XX.226.255.0/24
Packets
Bytes
Total
10,543
Avg Rate
0.04
Peak Rate
224
%TCP
46.7
%UDP
51.1
%ICMP
2.2
825,213
2.8
10,753
29.0
70.0
1.0
RST
43
RST/ACK
50
OTHER
0
Table B7-1 - Packet and byte statistics for 226.255C.
SYN
SYN/ACK
TCP TYPE
69
4,552
PKT COUNT
Table B7-2 - TCP packet types in 226.255C.
%
Snort Alerts
Unique
Total
100
4
666
90
X
X
Scans
Packets
(Scans >
16 pkts)
1.5K (3)
X
ACK
4
241
1,707
Sources
Avg
Pkts
/Src
6
8
1,009
9
Ports
Total
Hosts
Avg
Bytes
/Src
483
770
Destinations
Hosts
Avg
Pkts
/Dest
41
256
46
3.6K
123
8.0K
205
43
280
19.6K
2
19
X
X
50
X
Table B7-3 - Statistics for all, the top 90%, and the top 50% of traffic in 226.255C.
Avg
Bytes
/Dest
3.2K
Protocol - Port/ICMP Type
Packets
Packet %
Bytes
Byte %
UDP- 137
3,011
28.6
234,858
28.5
14.9
122,600
24.2
2,546
TCP - 445
9.0
16.0
74,272
1,688
UDP - 38293
Table B7-4 - Top 3 packet types across ICMP, TCP, and UDP traffic by packet count, in 226.255C.
IP Destination
Packets
Packet %
Bytes
Byte %
xx.226.255.212
2,174
20.6
105,566
12.8
77,153
16.4
1,729
xx.226.255.255
6,906
1.0
106
xx.226.255.217
Table B7-5 - Top 3 destination IPs across all packet types by packet count, in 226.255C.
9.4
0.8
IP Source
168.171.13.3
Packets
1,286
Packet %
12.2
Bytes
56,584
Byte %
6.9
220.117.199.6
222.121.11.249
740
573
7.0
5.4
35,520
27,504
4.3
3.3
Table B7-6 - Top 3 source IPs across all packet types by packet count, in 226.255C.
Alert Name
MS-SQL Worm Propagation Attempt
Short UDP Packet, Length Field > Payload Length
Portscan > 16 Packets
Table B7-7 - Top 3 alerts by alert count, in 226.255C.
135
Alert Count
658
4
3
Alert %
98.8
0.6
0.5
-
--
-
,- - =
-
- -- ..........
...
. .........
.......
Packets per hour versus time
---
-_---
xx226.255.0
average
12.250-
10,5000
8,750-
P, 7,000-
ri 5,2503,500-
1,7500
0
-
I01.
12
24
36
48
60
Time (in hours)
72
84
Figure B7-1 - Packets per hour versus time in 226.255C.
Bytes per hour versus time
700,000
-
xx226.2550
average
612,500525,000-
; 437,500 350,000N
a)
.0.;
COI
262,500 175,00087,500-
0
12
24
48
60
Time (in hours)
36
Figure B7-2 - Bytes per hour versus time in 226.255C.
136
72
84
Destination IP address index versus time in xx.226.255.0/24
1.[k...
1.
223-
-
-J
0
-
4
-I-
I
159I
127-
0
-A
I
I
[I.]
M TCP
-
*
UDP
ICMP
*.
I
.1
I'
-i
951
-4
.
I
j
-
-I
packet type
I.
Qi
P,
I
*
f-K
.1
-4-
-.
-
-r.
'
I
'
I
I
I
I
265
63-
-
-
-I
31II
n
24
12
0
60
45
36
84
72
Time (in hours)
Figure B7-3 - Destination IP address index versus time in 226.255C.
Destination port versus time
I I I I I,'
I
0a
00
0
'k
0
0
Q~
0'
0
10000
0
...
1000
00 0
QA
aSQ.
a
,0AD
A
0
I
A
0
_Upacket type-count
:
:
0
CM
0
0
COC
0
CDOCP0
0
AD
o
oco
EJoo
0oo
UDP
0
SYN
*
SYN/ACK
OR
+
ACK
4
0
+
£0
0
1
0
0
0
0
QL
1A,IU
11.
00
0
0
C
60
a.
0D
ow0
cm0
or ouP ooo
EST
48
A
B-
aijo
RST/ACK
50
92
-7
'CP
0
100
l
CI]0
-00
0
o
0o
0
0
0
0
0
111
n0
0
0
X
0
o
0
0
M
0
0
0
10
1
O
12
24
48
36
Time (in hours)
Figure B7-4 - Destination port versus time in 226.255C.
137
60
72
84
OTHEI|R
Total packets to each IP address in xx.226.255.0/24
'
2,200 -1
'
V
i
1.925 -I
E1,100 -
5502750
64
I
I
I
32
0
96
224
192
128
160
IF address index
Figure B7-5 - Total packets to each IP address in 226.255C.
Snort alerts versus time in xx.226.255.0
i
alerts/hour
>0
0
ICMP
DUnreabCh
X
(
*
*
*
>1
>2
>3
*
>4
*
>7
a
>15
*
PORTSCLA>1S
UP
len
>
X
X
3:
pkti
*
*
*
a
X
payload (4:
a
&
MS-SQL Wqrm (057
*
i
!
0
0
12
24
60
46
36
Time (in hours)
Figure B7-6 - Snort alerts versus time in 226.255C.
138
1
I
72
I
8I
54
>8
>8
>9
>10
>12
>13
>14
>16
B.8 - XX.239.255.0/24
Peak Rate
Avg Rate
Total
445
0.03
Packets
8,150
19,608
2.7
731,397
Bytes
Table B8-1 - Packet and byte statistics for 239.255C.
TCP TYPE
SYN
SYN/ACK
78
990
PKT COUNT
Table B8-2 - TCP packet types in 239.255C.
%
%TCP
16.5
9.1
%UDP
80.6
89.8
%ICMP
2.9
1.1
RST
31
RST/ACK
50
OTHER
ACK
8
Destinations
Sources
Scans
Ports
Hosts
Avg
Hosts
Avg
Avg
Packets
Total
Pkts
Pkts
Bytes
(Scans >
16 pkts)
/Src
/Src
/Dest
9
842
256
32
622
0 (0)
238
869
35
X
7
357
21
1.9K
211
X
55
19.1K
74
1
16
259
X
X
- Statistics for all, the top 90%, and the top 50% of traffic in 239.255C.
Snort Alerts
Total
Unique
100
4
90
X
X
50
Table B8-3
1
Avg
Bytes
/Dest
2.9K
3.2K
4.5K
Protocol - Port/ICMP Type
Packets
Packet %
Bytes
Byte %
UDP- 137
UDP - 38293
4,230
1,692
51.9
20.8
329,940
74,448
45.1
10.2
34.2
619
7.6
250,076
UDP - 1434
Table B8-4 - Top 3 packet types across ICMP, TCP, and UDP traffic by packet count, in 239.255C.
Bytes
Packets
Packet %
IP Destination
21.3
77,998
1,737
xx.239.255.255
9,532
1.9
151
xx.239.255.82
5,428
1.0
85
xx.239.255.217
Table B8-5 - Top 3 destination IPs across all packet types by packet count, in 239.255C.
Byte %
10.7
1.3
0.7
IP Source
168.171.13.3
201.252.46.157
Packets
1,290
229
Packet %
15.8
2.8
Bytes
56,760
17,862
Byte %
7.8
2.4
85.96.117.162
229
2.8
17,862
2.4
Table B8-6 - Top 3 source IPs across all packet types by packet count, in 239.255C.
Alert Name
MS-SQL Worm Propagation Attempt
Short UDP Packet, Length Field > Payload Length
ICMP Destination Unreachable Communication Administratively Prohibited
Table B8-7 - Top 3 alerts by alert count, in 239.255C.
139
Alert Count
616
4
1
Alert %
99.0
0.6
0.2
Packets per hour versus time
14,00
'
---
xx255.0
average
-
12,25010,500-
o 8,750P* 7,000-
5,2503,5001,750-
0
12
24
36
48
60
72
84
Time (in hours)
Figure B8-1 - Packets per hour versus time in 239.255C.
Bytes per hour versus time
700,000..-
_-
612,500525,000437,500 r.,
a)
~350,000-5 ,O)
a)
, 262,500 175,00087,500-
0
12
24
60
48
36
Time (in hours)
Figure B8-2 - Bytes per hour versus time in 239.255C.
140
72
84
xx239.2M.0
average
Destination IP address index versus time in xx.239.255.0/24
-
'4
I...'
-
~T
-
II
-- - .
.I -
-
]:I
I
.
-
.
127
0
-- -
...
packet type
F..
-fI-.i
'I.
I
II..
-
0 TCP
UDP
-
- ICMP
-
I -
-
I.
--
i
'~1:1
*
-*1
95I
-1.
-
6331
I.
I
-
I-
i
-l I .1
-I-
-
I:.
.1 * I.
.*~
159 -
I
g
- --
- . I'
**.I
-
I
I
I
I
I:
223 0 191
I
I
255
*.
I'
I.
* I.
-
.1
I' * I
0
60
48
36
Time (in hours)
24
12
72
64
I
I
Figure B8-3 - Destination IP address index versus time in 239.255C.
Destination port versus time
I
I
I
I
I
AOAOO % a 50ib
Q
"
10000
0
000
oOxWoi+0
A
4A
&
O O OA
0
alO
U1MxCbOwM
A
m
Cam
u'
0 0 0 aaell]
.o
o
4
000
CO-
a
0
0
A
0
A
C
M &
0000o
0
eDcHO e] 0
oCE00(mo
100
V
0
3
0 0 0
cm
00
Uo Ie 0
c0
0
::DCOc
ht
G
01
0
Q
Q
0
0
atJ
z
A
0
000
0
00
0 l
0
10-
1
0
12
24
_
_
_
_
_
46
36
Time (in hours)
Figure B8-4 - Destination port versus time in 239.255C.
141
60
72
SYN
SYN/ACK
75
ACK
FST
31
=0
w
[C
noiinM=ODOnMG3neo0
Oat] [pU(Laoainx
0
+
0
0|
Cd
_
packet type-count
o UDP
A
0 0 awofmEMCmm 0A
0 AO (11)
9h
0 0
(M
0
__
0
CA
A
cA
I
00 'O
0
64
RST/ACK
60
T lCP OTHER
Total
packets to each IP address in xx.239.255.0/24
I
1,800 I
I
I
I
I
I
I
I
'
I
'
I
1,575
1,350
.3
1,125
m,
900
E-
675
450
225 -I
I
-~
'
0
T3 -
'
'I
32
96
64
160
128
192
224
IF address index
Figure B8-5 - Total packets to each IP address in 239.255C.
Snort alerts versus time in xx.239.255.0
I
|I.i
I
alerts/hour
0
ICMP DUnreach
SCAN
>1
>2
>3
>4
>5
>6
M >7
>9
*
* >10
>11
U
>12
X
(1
>0
*
*
*
*
*
*
FIN (1)
>13
UDP
lan
M-5,QL Worm
* >14
* >15
X
> payload (4:
(015.
0
1~~
0
12
24
I
I
I
I
I
45
36
Time (in hours)
Figure B8-6 - Snort alerts versus time in 239.255C.
142
60
72
54
B.9 - XX.248.246.0/24
Total
707,941
Peak Rate
181
8,688
103
34,403,749
Bytes
Table B9-1 - Packet and byte statistics for 248.246C.
Packets
Avg Rate
2.1
TCP TYPE
SYN
SYN/ACK
524
PKT COUNT
692,595
Table B9-2 - TCP packet types in 248.246C.
100
10
1,078
Scans
Packets
(Scans >
16 pkts)
5.7K (41)
90
X
X
X
%
Snort Alerts
Total
Unique
ACK
582
Ports
Total
Hosts
433
51,238
Sources
Avg
Pkts
/Src
14
5
27,819
23
%TCP
99.2
98.2
%UDP
0.7
1.7
%ICMP
0.1
0.1
RST
7,183
RST/ACK
812
OTHER
119
Avg
Bytes
/Src
671
Destinations
Hosts
Avg
Pkts
/Dest
256
2.8K
1.1K
1
1
85
4.1K
3
4,177
X
X
X
50
Table B9-3 - Statistics for all, the top 90%, and the top 50% of traffic in 248.246C.
Avg
Bytes
/Dest
134K
693K
33M
693K
33M
Bytes
Byte %
Packets
Packet %
Protocol - Port/ICMP Type
21.1
7,257,139
21.3
150,797
TCP - 1025
20.9
21.1
7,181,840
149,216
TCP - 42
6,548,915
19.0
19.2
135,969
TCP- 80
in
248.246C.
traffic
by
packet
count,
across
ICMP,
TCP,
and
UDP
B9-4
Top
3
packet
types
Table
IP Destination
Packets
Packet %
Bytes
Byte %
xx.248.246.112
692,920
97.9
33,349,840
96.9
9,534
0.03
202
xx.248.246.249
6,952
139
0.02
xx.248.246.94
Table B9-5 - Top 3 destination IPs across all packet types by packet count, in 248.246C.
0.03
0.02
IP Source
207.157.30.46
Packets
2,621
Packet %
0.4
Bytes
125,736
Byte %
0.4
193.170.238.69
193.224.106.40
2,413
2,311
0.3
0.3
115,824
110,928
0.3
0.3
Table B9-6 - Top 3 source IPs across all packet types by packet count, in 248.246C.
Alert Name
MS-SQL Worm Propagation Attempt
ICMP Ping NMAP
Portscan > 16 Packets
Table B9-7 - Top 3 alerts by alert count, in 248.246C.
143
Alert Count
609
391
41
Alert %
56.5
36.3
3.8
Packets ner hour versus time
14,000
-
x7248246.0
--
verage
--
12,250 10,500
-
0
8,750 -
P.,
7,000-
1'
I
VA____
V
__
6,250r.,
3,5001,7500
I
0
i
12
I
I
24
j
I
36
45
I
60
i
72
I
84
Time (in hours)
Figure B9-1 - Packets per hour versus time in 248.246C.
Bvtes ner hour versus time
700,000
-
612,500
-
525,000 ; 437,500
/
350,000
-
/
I
262,500
175,000
87,500
0
0
12
24
36
45
Time (in hours)
Figure B9-2 - Bytes per hour versus time in 248.246C.
144
60
72
84
--
xx248246.0
average
Destination IP address index versus time in xx.248.246.0/24
255
f-I i
ii
f:7t7.1
-i iI
223 -
U-it
21
S63-
**
-I -
-r- .
U
I
II
----Ii
r-I
fl
I*'*If
31-
1n1111
.1
*i1
packet type
I' IL
I I
*
TCP
-
UDP
*
ICMP
IITIf iii
ill
*j~ii
'I
I!
'1
jt
.1! I ii*
+ 1~..
~.i
*1~
..
I'l
IILi
A
~1~~~~
24
12
0
iI,..*~I.
I ill
-
4-II
0
- -- '--- d
-
r
$
ri-
127-
-- .1-
-1
1 - -.
191 -
-4.
=
45
36
64
72
60
Time (in hours)
Figure B9-3 - Destination IP address index versus time in 248.246C.
Destination port versus time
packet type-couLt
UDP
o
SYN
A
SYN/ACK
+
ACK
10000
d
4
o
p
AQ- 0 0
A
0
0&cqa
aon 0 4N
00 10
Q0A
1ST
7.183
-,-
RST/ACK
812E
01
0
0
TCP OTHER
11
100
0
0)
0
10
1
I
0
12
I
I
24
I
I
36
I
I
I
45
60
Time (in hours)
Figure B9-4 - Destination port versus time in 248.246C.
145
I
I
72
I
I
54
Total
JS
packets to each IP address in xx.24B.246.0/24
I
700,000
-
612.500
-
525,000
-
437,500
-
II
I
I
I
I
I
I
a,350,000E, 262,500 -
175,000
-
87,500 -
-
'
0
0
I
I
I
I
1
1 I
1
224
192
160
128
96
IF address index
64
32
Figure B9-5 - Total packets to each IP address in 248.246C.
Snort alerts versus time in xx.248.246.0
Eburve Quguch
X
i
X
SYN pkt w/ data (2
TCP pot 0 (3
TCP
header Ia
(:,
PING NMAP
X
>8
*
*
>11
>12
>13
>14
X
X<
X
X X XXOX X
X<
XX
XxW X<XX<X)X
X
XXK
X
X X
(30:
US-SQL Worm (0
0
I
0
*
*
X
> pkl (2
POMR1ANA pkto (AO
ICMP
X
X
ICMF DUnrewsh (:
ICE data abu.t <
alerts/hour
0 >0
M >1
M >2
>3
*
>4
*
* >5
>6
*
* >7
X
UDP len > payload (I
IC7
I
I
I
I
II
I
I
12
24
36
I
I
I
45
I
60
I
I
72
I
1
84
Time (in hours)
Figure B9-6 - Snort alerts versus time in 248.246C.
146
q~9
1
>9