DocumentCode :
3544302
Title :
A network telescope perspective of the Conficker outbreak
Author :
Irwin, Barry
Author_Institution :
Dept. of Comput. Sci., Rhodes Univ., Grahamstown, South Africa
fYear :
2012
fDate :
15-17 Aug. 2012
Firstpage :
1
Lastpage :
8
Abstract :
This paper discusses a dataset of some 16 million packets targeting port 445/tcp collected by a network telescope utilising a /24 netblock in South African IP address space. An initial overview of the collected data is provided. This is followed by a detailed analysis of the packet characteristics observed, including size and TTL. The peculiarities of the observed target selection and the results of the flaw in the Conficker worm's propagation algorithm are presented. An analysis of the 4 million observed source hosts is reported, grouped by both packet counts and the number of distinct hosts per network address block. Address blocks of size /8, /16 and /24 are used for groupings. The localisation, by geographic region and numerical proximity, of high ranking aggregate netblocks is highlighted. The paper concludes with some overall analyses, and consideration of the application of network telescopes to the monitoring of such outbreaks in the future.
Keywords :
IP networks; computer network security; invasive software; transport protocols; 24 netblock; 445-TCP port; Conficker outbreak; Conficker worm propagation algorithm; South African IP address space; TTL; network telescope perspective; packet characteristics; packet counts; source hosts; Grippers; IP networks; Malware; Monitoring; Operating systems; Telescopes; Conficker; Zotob; malware; network telescope;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Information Security for South Africa (ISSA), 2012
Conference_Location :
Johannesburg, Gauteng
Print_ISBN :
978-1-4673-2160-0
Type :
conf
DOI :
10.1109/ISSA.2012.6320455
Filename :
6320455