Abstracts: DUST 2021

Offered talks that submitted abstracts are listed below. Some invited participants will give talks from papers that are under double-blind submission at IMC and USENIX Security, so they are listed as anonymous.

Date: Jul 13 (Tue) - 14 (Wed) 2021, 07:30 - 12:30 PDT
Place: Closed-session Video Teleconference via Zoom

Speaker Talk Title and Abstract
ANONYMOUS IMC 2021, Paper #249 “QUICsand: Quantifying QUIC Reconnaissance Scans and DoS Flooding Events”

In this short paper, we present first measurements of Internet background radiation originating from the emerging transport protocol QUIC. Our analysis is based on the UCSD network telescope, correlated with active measurements.

We find that research projects dominate the QUIC scanning ecosystem but also discover traffic from non-benign sources. We argue that although QUIC has been carefully designed to restrict reflective amplification attacks, the QUIC handshake is prone to resource exhaustion attacks, similar to TCP SYN floods. We confirm this conjecture by showing how this attack vector is already exploited in multi-vector attacks: On average, the Internet is exposed to four QUIC floods per hour and half of these attacks occur concurrently with other common attack types such as TCP/ICMP floods.

ANONYMOUS Usenix Security 2022, Paper #145 “Spoki: Unveiling a New Wave of Scanners through a Reactive Network Telescope”

Large-scale Internet scans are a common method to identify victims of a specific attack. Stateless scanning like in ZMap has been established as an efficient approach to probing at Internet scale. Stateless scans, however, need a second phase to perform the attack, which remains invisible to network telescopes that only capture the first incoming packet and is not observed as a related event by honeypots. In this work, we examine Internet-wide scan traffic through Spoki, a reactive network telescope operating in real-time that we design and implement. Spoki responds to asynchronous TCP SYN packets and engages in TCP handshakes initiated in the second phase of two-phase scans. Because it is extremely lightweight it scales to large prefixes where it has the unique opportunity to record the first data sequence submitted within the TCP handshake ACK. We analyze two-phase scanners during a three months period using globally deployed Spoki reactive telescopes as well as flow data sets from IXPs and ISPs. We find that a predominant fraction of TCP SYNs on the Internet has irregular characteristics. Our findings also provide a clear signature of today’s scans as: (i) highly targeted, (ii) scanning activities notably vary between regional vantage points, and (iii) a significant share originates from malicious sources.

Michael Kallitsis (Merit Network / University of Michigan) ORION: Observatory for Cyber-Risks Insights and Outages of Networks

In this talk we will present the latest developments on Merit’s network telescope. We will introduce the ORION pipeline that parses the raw Darknet packets in near-real-time, constructs meaningful events (such as scanning and backscatter) and uploads them in Google’s BigQuery for 1) efficient data analysis, 2) ease of data sharing, 3) quick deployment of visualizations and dashboards and 4) effortless integration of external datasets also available in BigQuery (e.g., Censys.io data). We will also provide a brief overview of our early attempts to deploy a distributed and reactive network telescope.

We will also present a research case study that focuses on characterizing Darknet behavior and its temporal evolution. In this work we 1) first compile a rich characterization of Darknet events (e.g., scanning events) using features that describe the event’s traffic profile (intensity, duration, etc.), the targeted applications, the type of devices engaged in the event, etc., 2) then classify, in an unsupervised manner, the resulting event profiles into clusters of “similar” activity and 3) finally utilize the clustering outcomes as “signatures” that can be used to detect structural changes in the Darknet activities. If time permits, we will also perform a live demo of this framework which is currently operating (in a prototypical stage) at Merit Network.

Related project: ORION: Observatory for Cyber-Risk Insights and Outages of Networks

Rajat Tandon (USC / ISI) Quantifying Cloud Misbehavior

Clouds have gained popularity over the years as they provide high storage capacities and computing power, reduced hardware costs and an on-demand availability. Cloud users often gain superuser access to cloud machines, which is necessary to fully customize the cloud resources to user needs. But superuser access to a vast amount of resources, without support or oversight of experienced system administrators, can create fertile ground for accidental or intentional misuse. Attackers can rent cloud machines or hijack them from cloud users, and leverage them to generate unwanted traffic, such as spam and phishing, denial of service, vulnerability scans, drive-by downloads, etc. Some clouds, which engage in bulletproof hosting, knowingly permit malicious traffic generation.

In this work, we analyze 13 datasets, containing various types of unwanted traffic, to quantify cloud misbehavior and identify clouds that most often and most aggressively generate unwanted traffic. We find that although clouds own only 5.4% of the routable IPv4 address space (with 94.6% going to non-clouds), they often generate similar amounts of scans as non-clouds, and contribute to 22-96% of entries on blocklists. Among /24 prefixes that send vulnerability scans, a cloud’s /24 prefix is 20-100 times more aggressive than a non-cloud’s. Among /24 prefixes whose addresses appear on blocklists, a cloud’s /24 prefix is almost twice as likely to have its address listed, compared to a non-cloud’s /24 prefix. Misbehavior is heavy-tailed among both clouds and non-clouds. OVH and DigitalOcean are two of the most misused clouds across all our datasets. We discern that maliciousness of a cloud is heavy-tailed, with top 25 clouds contributing 90% of all the scans from clouds, and 10 clouds contributing more than 20% of blocklist entries.

Shane Alcock (Alcock Network Intelligence / University of Waikato) Using Apache Spark to Analyze STARDUST Flowtuples

This talk will describe my experiences (so far) with building a framework to support large-scale analysis of flowtuple data using an Apache Spark cluster. The aim has been to abstract away the complexity of interfacing with Spark and allow users to express their queries in the simplest terms possible, using a custom Python API developed specifically for working with STARDUST data.

ANONYMOUS IMC 2021, Paper #4 “Enlightening the Darknets: Augmenting Darknet Visibility with Active Probes”

Darknets collect unsolicited traffic reaching unused address spaces. They bring insights into malicious activities, such as the rise of botnets and DDoS attacks. However, darknets provide a shallow view, as traffic is never answered. We here quantify how their visibility is increased by responding to some traffic. To this end, we deploy interactive responders (e.g., honeypots) that can answer unsolicited traffic.

Simple at first sight, determining how to answer requires ingenuity: From the selection of the protocol to talk to the risk of polluting the collectors with uninteresting data or saturating the infrastructure. We consider four deployments: Darknets, simple L4-Responders, vertical L7-Responders tied to specific ports, and “AcmePot”, a new horizontal honeypot that identifies protocols on-the-fly on any port.

We contrast these alternatives by analyzing traffic attracted by each deployment. We show that interactive responders increase the value of darknet data, uncovering patterns otherwise unseen. We measure Side-Scan phenomena in which whenever a host starts responding to a particular port, it attracts traffic to other sometimes random ports. AcmePot unveils attacks that darknets and classic L7-honeypots would not observe, e.g., large-scale activities on non-standard ports. Some strategies, however, trap senders in certain states, thus hindering visibility too. Beyond our findings, our comprehensive analysis can inform the deployment of future monitoring infrastructures combining both darknets and active probes.

Michael Collins and Stephen Schwab (USC / ISI) Categorizing and Analyzing Discrete Dark Traffic Classes

In this talk, we will discuss how to finely divide darkspace traffic and address the problems involved in identifying emergent populations with new behaviors. In our analysis of this data, we have further subdivided the two classic categories of scanning and backscatter into other behaviors, including quasi-legitimate (known) scanners, short scanners, and traditional hostile scanners. We will discuss what information can be gathered from different classes, our decision tree for splitting out categories, and how to maintain these categories over time.

This research was developed with funding from the Defense Advanced Research Projects Agency (DARPA). The views, opinions and/or findings expressed are those of the author and should not be interpreted as representing the official views or policies of the Department of Defense or the U.S. Government.

Ramakrishna Padmanabhan (CAIDA / UC San Diego) IODA: Internet Outage Detection and Analysis

The IODA (Internet Outage Detection and Analysis) system monitors the Internet continuously to identify macroscopic Internet outages affecting the edge of the network, i.e., significantly impacting a network operator (AS) or a large fraction of a country. It uses three orthogonal data sources (Active Probing, BGP, and Internet Background Radiation captured at network telescopes) to detect outages and enables visualizing Internet connectivity in near-realtime on a public site.

IODA’s website has been publicly accessible since 2016 and is actively used by diverse stakeholders, including researchers, ISPs, government regulators, civil society actors, and the general public. By providing the ability to monitor Internet outages arising due to a variety of causes—including government-mandated shutdowns, cable cuts, and power outages—IODA enables both short-term diagnosis of ongoing events and also long-term Internet reliability trends.

Related website: IODA

Nathan Thai (GreyNoise) GreyNoise 101

GreyNoise Intelligence collects and identifies unsolicited traffic with the goal of reducing alert fatigue for customers. In this talk, we will focus on the technical implementation of our distributed darknet, challenges we face with processing traffic, and how customers use this type of data.

Related website: GreyNoise

Eric Ziegast (Farsight Security, Inc) Farsight current darknet data collection

Start a conversation: Search for “grants” on Farsight’s main website ; https://www.farsightsecurity.com/grant-access/ ; Slides available by email:

Last Modified