How device misconfiguration drives TCP traffic to parts of 1.0.0.0/8: an initial investigation
Please use this identifier to cite or link to this item: http://hdl.handle.net/1959.3/217997
- Title
- How device misconfiguration drives TCP traffic to parts of 1.0.0.0/8: an initial investigation
- Author(s)
- Rossi, Mattia; Armitage, Grenville; Huston, Geoff
- Abstract
- The Internet community is near the 'bottom of the barrel' for unallocated IPv4 address prefixes. Network 1.0.0.0/8 was allocated in January 2010 for use on the public Internet, despite being unofficially utilised in various ways for many years. Recent work has revealed this prefix to be quite 'dirty', with significant levels of public UDP and TCP traffic already inbound to certain parts of 1.0.0.0/8. By running a simplified honeypot on 1.1.1.0/24 and 1.2.3.0/24 for two days in March 2010 we have elicited new insights into the nature of the TCP traffic polluting these prefixes. Our honeypot replied to inbound TCP SYN packets with a SYN-ACK, thereby eliciting a variety of subsequent response packets from sources actively trying to connect into 1.1.1.0/24 or 1.2.3.0/24 space. By analyzing captured packet payloads, sequences, retransmission patterns and burst rates within such TCP flows, we find that most TCP traffic into these prefixes is caused by some form of misconfiguration rather than malice, and we discuss the possible causes for these misconfigurations.
- Publication type
- Technical report
- Research centre
- Swinburne University of Technology. Faculty of Information and Communication Technologies. Centre for Advanced Internet Architectures
- Source
- Centre for Advanced Internet Architectures: technical reports, No. 110720A (Jul 2011)
- Publication year
- 2011
- Keyword(s)
- Internet; IPv4; Network 1.0.0.0/8; Network traffic; TCP; Transmission Control Protocol; UDP; User Datagram Protocol
- Publisher
- Centre for Advanced Internet Architectures, Swinburne University of Technology
- Publisher URL
- http://caia.swin.edu.au/reports/
- Copyright
- Copyright © 2011 The Authors.


