Following the recent study of the level of background traffic observed in network 1/8 (http://www.potaroo.net/studies/1slash8/1slash8.html), APNIC has been allocated two further IPv4 address blocks by the IANA, namely 14/8 and 223/8. An experiment was undertaken with these address blocks by advertising routes to them and recording all incoming traffic received in response to the routing advertisements. This document reports the results of this experiment.
APNIC expresses its appreciation for the generous assistance provided by NTT and Merit in undertaking these experiments.
In collaboration with APNIC, AS38639 (NTT) announced routes to 14/8 and 223/8 from 16 April 2010 until 24 April 2010. These routes originated from an NTT facility located in Japan. AS237 (Merit) then announced the same /8 routes from 27 April 2010 until 5 May 2010, originating from their systems in the USA. In both cases these were the only routing advertisements within these address blocks. The data collectors in both cases were unfiltered, and the data collection system was entirely passive.
Figures 1 and 2 show the traffic profile for network 14/8.
(The graph utility used here does not make this adequately clear, but in Figures 1 - 10 the red trace is the total traffic, the blue trace is TCP, the green trace is UDP, the violet trace is ICMP and the cyan trace is all other protocols.)
The following two figures show the comparable data set for network 223/8.
All four packet traces show a similar traffic pattern. Each /8 attracts some 17 - 25Mbps of incoming traffic. Of this, some 60% of the traffic is TCP and 35% is UDP, with the remainder being predominately ICMP.
The traffic shows a pronounced diurnal pattern, which is most visible in the TCP component of the traffic. There is no clear weekday / weekend delineation.
In terms of protocol distribution, the distribution of incoming bytes in these two address blocks is shown in Table 1. This table also includes previously collected data concerning the protocol distribution in 1/8.
|Protocol||Proportion of Traffic|
Of note here is that the incoming traffic in network 1/8 was dominated by UDP traffic at a ratio of 10:1 (later analysed to be predominately SIP / RTP traffic directed to the address 188.8.131.52), while the incoming traffic in networks 14/8 and 223/8 is predominately TCP traffic, at a ratio of 5:2.
Also of note in terms of traffic profile is that the incoming TCP traffic in network 1/8 showed no marked diurnal pattern, while the TCP traffic in both 14/8 and 223/8 shows a marked diurnal variation.
The second view of the overall traffic profile is by packet count rather than traffic (byte) counts. The packet profile of incoming traffic in these two network blocks is shown in the following two figures.
Each /8 attracts between 3,500 and 5,000 packets per second. Between 66% (14/8) and 72% (223/8) of the incoming packets are TCP, between 25% (14/8) and 27% (223/8) are UDP, and the remaining 10% or so are ICMP.
In terms of protocol distribution, the distribution of incoming packets in these two address blocks is shown in Table 2. This table also includes previously collected data concerning the protocol distribution in 1/8.
|Protocol||Proportion of Traffic|
Again, there is a marked difference in the traffic profile in terms of packet counts between network 1/8 and the other two network blocks, with networks 14/8 and 223/8 showing a far higher proportion of TCP packets.
The third form of traffic profile is in terms of packet size distribution. TCP packets are predominately 62 octet SYN packets (18,873M of the 20,158M TCP packets (94%) were TCP SYN packets in the 22.214.171.124/8 data set collected by AS237).
Of note in the data collected at AS237 are the extended bursts of larger ICMP and "other protocol" packet sizes. These bursts were not observed by AS38639 (Figures 9 and 10). In the AS38639 data set the ICMP packets directed to net 126.96.36.199/8 show a slightly larger variance in size than those directed to 188.8.131.52/8.
The following figures show the distribution of traffic across the two /8 address blocks, divided into each of the 256 /16 address blocks. Figures 11 and 12 show this distribution for 14/8, and Figures 13 and 14 show the same distribution for network 223/8.
In all cases the level of incoming traffic lies between 10Kbps and 200Kbps, with a visible diurnal component. In the case of the block 18.104.22.168/8 no single /16 appears to attract an extraordinary level of traffic as compared to the remaining pool of /16s. In the case of 22.214.171.124/8 a single /16, namely 126.96.36.199/16, appears to attract between 500Kbps and 800Kbps.
The distribution of average traffic levels for each of these /8s is shown in the following 4 figures.
All four data collections show a pronounced break in the "middle" of the address block. The low half of the address blocks (14.0.0.0/9 and 223.0.0.0/9) has an average traffic load of 130Kbps per /16, while the upper half (14.128.0.0/9 and 223.128.0.0/9) has an average traffic load of 30Kbps. This is examined in the next section.
Of the 20,581 million TCP packets directed to network 223 when advertised by AS237, some 14,447 million TCP packets were directed to port 445. TCP port 445 is used by Microsoft systems to support the Server Message Block (SMB) protocol, used for file sharing. It is also a very common vector for attacks on Microsoft Windows systems.
Taking a one hour sample period at 1800 UTC to 1900 UTC on 16 April, using the AS38639 data collected for net 22.214.171.124/8, there were a total of 153,821,993 packets received by the collector. Of these, 1,283,494 TCP packets were directed to port 445 in the "high" /9 of 126.96.36.199/9 (or 0.8% of the total packet count), as compared to 92,618,523 in the low /9 (or 60% of the total packet count).
Reports on the behaviour of the Conficker virus point to an outcome of the virus' random IP generation routine for port 445 scanning in which bit 9 of the randomly generated IP address is always 0, as is bit 24 (http://www.caida.org/research/security/ms08-067/conficker.xml). The consequence of bit 9 being clear is that Conficker will only scan the "low" /9 of any /8 network block with its random IP generator.
This is the most likely reason for the disparity in incoming traffic levels between the "low" and "high" /9s in these network blocks. It also indicates that some 100Kbps per /16 in the bottom half of each of the address blocks is attributable to Conficker's port 445 scanning activity. The total traffic component of Conficker is some 40% of the total traffic load directed to these network blocks, and 60% of the total packet count, indicating the significant extent to which unpatched Windows systems continue to be vulnerable to this particular virus.
The following four figures show the distribution of traffic levels per /24 in network 14/8 (Figures 19 and 20) and network 223/8 (Figures 21 and 22).
The two peaks in all these distributions are evidently due to Conficker scanning across the low /9 of the address block. It appears that the Conficker scanning traffic element is common across the entire IPv4 address range, and this additional traffic component of some 500bps per /24 directed to TCP port 445 in the low /9 of these two address blocks is not an anomaly that warrants any particular action in terms of reservation of addresses from allocations or assignments.
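As an added example (not part of the APNIC report), the following Python applies the two bit constraints described above to observed port-445 flow records: it splits TCP/445 packets between the low and high /9 of a block, measures how much of that traffic lies inside the address set such a generator can reach, and groups /24s by third-octet parity to show where the two peaks in the per-/24 distributions come from. Bit positions are counted from 1 at the most significant bit, as the report does; the flow records are constructed.

```python
import ipaddress
from collections import Counter

# Bit positions are counted from 1 at the most significant bit, as the report
# does: bit 9 is the top bit of the second octet (it selects the low /9 of any
# /8) and bit 24 is the bottom bit of the third octet (even-numbered /24s only).
def bit_clear(addr: str, pos: int) -> bool:
    return ((int(ipaddress.IPv4Address(addr)) >> (32 - pos)) & 1) == 0

def conficker_reachable(addr: str) -> bool:
    """True if a generator that forces bits 9 and 24 to zero could emit addr."""
    return bit_clear(addr, 9) and bit_clear(addr, 24)

def port445_profile(flows, block: str):
    """Sum TCP/445 packets in the low and high /9 of `block`; return
    (low, high, share of those packets inside the reachable address set)."""
    net = ipaddress.IPv4Network(block)
    low = next(net.subnets(new_prefix=9))
    counts, reachable, total = Counter(), 0, 0
    for dst, proto, dport, pkts in flows:
        ip = ipaddress.IPv4Address(dst)
        if ip not in net or proto != "tcp" or dport != 445:
            continue
        total += pkts
        counts["low" if ip in low else "high"] += pkts
        reachable += pkts if conficker_reachable(dst) else 0
    return counts["low"], counts["high"], (reachable / total if total else 0.0)

def per24_by_parity(flows, block: str):
    """Aggregate TCP/445 packets per /24 and split the /24s by third-octet
    parity: a pure Conficker source loads only the even ones, which is what
    produces the two peaks in the per-/24 distributions."""
    net = ipaddress.IPv4Network(block)
    per24 = Counter()
    for dst, proto, dport, pkts in flows:
        if ipaddress.IPv4Address(dst) in net and proto == "tcp" and dport == 445:
            per24[str(ipaddress.ip_network(f"{dst}/24", strict=False))] += pkts
    even = {k: v for k, v in per24.items() if int(k.split(".")[2]) % 2 == 0}
    odd = {k: v for k, v in per24.items() if int(k.split(".")[2]) % 2 == 1}
    return even, odd

# Constructed flow records (dst, proto, dport, packets), not measured data.
FLOWS = [
    ("14.3.8.9", "tcp", 445, 400),     # low /9, even third octet: reachable
    ("14.70.200.1", "tcp", 445, 300),  # low /9, even third octet: reachable
    ("14.5.9.1", "tcp", 445, 2),       # low /9, odd third octet: another scanner
    ("14.200.4.7", "tcp", 445, 5),     # high /9 (bit 9 set): not reachable
    ("14.1.2.3", "udp", 5060, 50),     # not TCP/445, ignored
    ("223.1.2.3", "tcp", 445, 99),     # outside the block, ignored
]
```

Run on a real darknet flow export, a low-/9 share near 100% inside the reachable set and an empty odd-parity bucket is the signature the report attributes to Conficker; port-445 traffic that lands in the high /9 or in odd-numbered /24s comes from something else.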
In terms of potentially anomalous /16s in 14/8, outside of this division into lower and upper halves, the blocks 18.104.22.168/16, 22.214.171.124/16 and 126.96.36.199/16 appear to have a higher level of incoming traffic in both experiments. The average measurements of incoming traffic for these three /16s are shown in Table 3.
A more detailed examination of the load for these three /16s using the AS237 data set is shown in Figures 23, 24 and 25.
There is also a further /16 that has a highly active /24, namely 188.8.131.52/16, whose traffic profile as seen by AS237 is shown in Figure 26.
Closer inspection of the entire 14/8 data at the granularity of individual /24s across the two experiments shows that there are 4 individual /24s that consistently received traffic in excess of 50Kbps in both experiments, and a further 2 /24s that received higher than normal volumes in one experiment but not in the other.
The traffic profile for 223/8 (Figures 17 and 18) indicates anomalous traffic directed to networks in 22.214.171.124/16 and 126.96.36.199/16. These address blocks can be further broken into their constituent /24s, as shown in Figures 27 through 30.
It is evident that the major component of this traffic is directed at 188.8.131.52/24, and within that /24 some 60% of the packets are directed to 184.108.40.206 and 11% are directed to 220.127.116.11.
There is a somewhat different profile for 18.104.22.168/16 (Figures 29 and 30).
It is evident that the major component of this traffic in 22.214.171.124/16 is directed to 126.96.36.199/24. Within this /24, the overwhelming majority of the traffic is directed to the single address 188.8.131.52. A web search for this address suggests that a possible cause of the unsolicited traffic directed to it is leakage from a commercial "secure" VPN client package. It appears that this VPN product uses 184.108.40.206 as a default network adapter interface address. What is being observed here appears to be leakage into the public network, from this default configuration state, of VPN traffic directed to the address 220.127.116.11. The level of this VPN traffic leaking into the public Internet is between 300Kbps and 500Kbps.
There are two further /16s that have individual /24s that are attracting abnormally high traffic levels, namely 18.104.22.168/16 and 22.214.171.124/16 (Figures 31 and 32).
In summary, there are 2 /24s in 223/8 that were measured as receiving more than 50Kbps of traffic in both experiments. A further 2 /24s had more than 50Kbps of incoming traffic in one experiment but not in the other. These results are summarized in Table 4.
There are four /24s in network 14 that appear to consistently attract more than 50Kbps of incoming traffic level. These are:
Two further /24s appear anomalous at this stage:
It is recommended that these six /24s be withheld from regular allocation or assignment for a period of six months, to allow for more detailed testing of the extent to which this incoming traffic profile is sustained.
There are two /24s in network 223 that also appear to attract significantly higher levels of traffic than the remainder of the address block. These are:
Two further /24s appear anomalous at this stage:
It is recommended that these four /24s be withheld from regular allocation or assignment for a period of six months, to allow for more detailed testing of the extent to which this incoming traffic profile is sustained.