HoDiNT: Distributed architecture for collection and analysis of Internet Background Radiation

Resumen

Attacks on the Internet are constant, with different typologies and processes. The initial stages usually involve an enumeration of targets and available services, generating what is known as Internet Background Radiation (IBR). Capturing and analysing this traffic has proven to be crucial for the early identification and detection of attacks. Commonly used architectures for the acquisition of background traffic are based on “black holes”, which are systems that collect this traffic by advertising large blocks of unused IP addresses to the Internet, identifying the traffic received as IBR. These systems have a number of inherent drawbacks, such as the requirement to process large volumes of data, and deal with the existence of a large amount of repetitive data, the fact that they are easily identifiable by the IP addresses used and, finally, that they are expensive to maintain. With the aim of improving the above undesired characteristics, this paper proposes “HoDiNT” (HOme DIstributed Network Telescope), a distributed architecture for the acquisition of Internet Background Radiation. HoDiNT is implemented with low-cost advanced acquisition techniques and without the need to use specific IP address ranges, making it easier to hide the sensors. An initial scan of the traffic received for one month is performed on the probes deployed, and a subsequent analysis is performed on the collected data to draw conclusions.