Abnormally Malicious Autonomous Systems and Their Internet Connectivity

Topics: IP address, Private network, Routing Pages: 31 (8864 words) Published: October 14, 2013
220

IEEE/ACM TRANSACTIONS ON NETWORKING, VOL. 20, NO. 1, FEBRUARY 2012

Abnormally Malicious Autonomous Systems
and Their Internet Connectivity
Craig A. Shue, Andrew J. Kalafut, and Minaxi Gupta

Abstract—While many attacks are distributed across botnets, investigators and network operators have recently identified malicious networks through high profile autonomous system (AS) depeerings and network shutdowns. In this paper, we explore

whether some ASs indeed are safe havens for malicious activity. We look for ISPs and ASs that exhibit disproportionately high malicious behavior using 10 popular blacklists, plus local spam data, and extensive DNS resolutions based on the contents of the blacklists. We find that some ASs have over 80% of their routable IP address space blacklisted. Yet others account for large fractions of blacklisted IP addresses. Several ASs regularly peer with ASs associated with significant malicious activity. We also find that malicious ASs as a whole differ from benign ones in other properties not obviously related to their malicious activities, such as more frequent connectivity changes with their BGP peers. Overall, we conclude that examining malicious activity at AS granularity can unearth networks with lax security or those that harbor cybercrime.

Index Terms—Autonomous systems (ASs), security.

I. INTRODUCTION

T

HE INTERNET is plagued by malicious activity,
from spam and phishing to malware and denial-of-service (DoS) attacks. Much of it thrives on armies of compromised hosts, or botnets, which are scattered throughout the Internet. However, malicious activity is not necessarily evenly distributed across the Internet: Some networks may employ

lax security, resulting in large populations of compromised
machines, while others may tightly secure their network and
not have any malicious activity. Furthermore, some networks
may exist solely to engage in malicious activity. Several recent ISP enforcement actions, such as the Atrivo and McColo autonomous system (AS) depeerings [1], [2] and the FTC closure of Pricewert networks [3], highlight that there are networks that exist simply to launch attacks. In this paper, we examine Manuscript received June 11, 2010; revised January 31, 2011; accepted May 16, 2011; approved by IEEE/ACM TRANSACTIONS ON NETWORKING Editor Z. M. Mao. Date of publication June 02, 2011; date of current version February 15, 2012. This work was supported by a contractor of United States Government under Contract DE-AC05-000OR22725 with the United States Department of Energy and by the National Science Foundation (NSF) under Grant CNS-0831988.

C. A. Shue is with the Cyberspace Sciences and Information Intelligence Research Group, Oak Ridge National Laboratory, Oak Ridge, TN 37830 USA (e-mail: cshue@ornl.gov).
A. J. Kalafut is with the School of Computing and Information Systems, Grand Valley State University, Allendale, MI 49401 USA (e-mail: kalafuta@gvsu.edu).
M. Gupta is with the School of Informatics and Computing, Indiana University, Bloomington, IN 47401 USA (e-mail: minaxi@cs.indiana.edu). Color versions of one or more of the figures in this paper are available online at http://ieeexplore.ieee.org.

Digital Object Identifier 10.1109/TNET.2011.2157699

whether we can find malicious networks in a systematic manner using existing blacklists.
A systematic detection of disproportionately malicious networks can be used to build metrics that may be used to determine if a network is harboring a significant amount of malicious activity. Such metrics may offer several practical benefits. First, ISPs could use them to build identification of malicious networks into their peering agreements. As an example, provider ISPs may use the metrics to require their customers to limit the amount of malicious activity in their networks to avoid harboring criminals. ISPs could also use the metrics to determine the effectiveness of their efforts to combat abuse and compare themselves to...

References: IEEE/ACM Trans. Netw., vol. 9, no. 6, pp. 733–745, Dec. 2001.
IEEE INFOCOM, 2002, vol. 2, pp. 618–627.
[20] A. Feldmann, O. Maennel, Z. M. Mao, A. Berger, and B. Maggs, “Locating internet routing instabilities,” in Proc. ACM SIGCOMM, 2004,
pp
Apr. 2000.
[24] R. White, “Securing BGP through secure origin BGP (soBGP),” Internet Protocol J., vol. 6, no. 3, pp. 15–22, 2003.
study of spyware on the Web,” in Proc. NDSS, 2006, pp. 17–33.
Continue Reading

Please join StudyMode to read the full document

You May Also Find These Documents Helpful

  • internet Essay
  • System and Connectivity Essay
  • Influence of Internet on the Education System Essay
  • internet cafe system Essay
  • Information System Essay
  • Essay about Malicious Software Lecture Notes
  • Malicious Attacks Essay
  • SYSTEMS Essay

Become a StudyMode Member

Sign Up - It's Free