Internet Background Noise (IBN)
is a study of the current traffic filling up the internet, the 'unnecessary' traffic routed from there to here and vice versa. At a glance, most IBN traffic results from worms that appeared a year ago, yet they still make an appearance on the internet, so our traffic is pretty much filled with unnecessary traffic. From here, I'm doing a study on background traffic differentiation: is this traffic from [1] a worm, [2] a misconfiguration or [3] an attack? Anyway, the emphasis has been put on [1], since pretty much all the existing study has gone into worm propagation, characterisation and defence methods.
It's interesting to note that early last year, during the early stage of the IBN study, I found out that Slammer and CyberKit were pretty much still around (see this: measuring worm activity).
Throughout last year I made a few presentations on 'honeypot and IBN': Brief Presentation and HITB04.
Another point to note is that the noise is so called because that traffic goes to unused address space. Therefore, any traffic passing by those networks is called 'noise' (IBN), since there are no legitimate hosts or services in the segment. That's why I'm utilising a honeypot network for the IBN study. The question is: how come the traffic goes to that particular host, when the host doesn't serve that purpose? I.e. an Apache server receiving an IIS-based attack or worm.
Scoping down later, I would say that instead of the three categories (worm, misconfiguration and attack/probe) it becomes two: malicious activity and misconfiguration. Malicious activity covers worm, virus, attack and probe, whereas the latter, misconfiguration, would result from software misconfiguration or hardware misconfiguration.
Anyway, it's worthwhile to note: when is the right/ideal time to call a certain worm 'noise'? I would think that every worm is noise, 'cos they appear at hosts that don't serve what they are looking for. My box got loads of SQL probes (Slammer) where we have none of them around. But looking at wormability, or the bug -> PoC -> worm path, it takes some time before it can be called a worm: typically people find a bug, then the PoC code comes out, which people use to exploit stuff, then later someone takes that PoC and re-codes it so that the process can be automated (autorooter). From there, once the exploit code is automated and it jumps from one host to another, this is where the worm spreads widely.
Coming down to detection methods, currently you can mix-n-match possible methods such as sink hole, black hole or darknet, or build your own. Whatever you name it, the concept is that the network must be reachable with no connections going out (no services); then you can route that traffic to your box and have pcap capture it, and voila, you have a simple darknet of your own. For doing the pcap analysis, I've put together some very basic concepts here.
Coming down to the level of noise, as just posted in KYE: Tracking Botnets, there is no surprise that there are millions of botnets around. When I was at CERT I did some simple 'dark IP' noise measurement, which you can view here.
It is interesting to note from my noise measurement that I have too much traffic from Windows machines probing/attempting ports 445, 139 and 135. This can be measured using passive fingerprinting (p0f). [Note: graph will be up soon.]
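As an added example (not code from the original post), here is the kind of very basic pcap-analysis concept the darknet passage above describes, applied to the port counts just mentioned: it labels arrivals at an unused segment by protocol and destination port (Slammer's UDP 1434, the 445/139/135 Windows probes) and flags sources that sweep several dark addresses. The packet records, addresses, labels and scan threshold are all constructed/assumed; in practice they would be pulled out of the pcap.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Well-known noise signatures, keyed by (proto, destination port).
# Slammer rides a single UDP datagram to 1434; the Windows probes the
# post counts are TCP connection attempts to 135/139/445.
SIGNATURES = {
    ("udp", 1434): "worm: slammer (ms-sql udp)",
    ("tcp", 445): "probe: windows smb",
    ("tcp", 139): "probe: netbios-ssn",
    ("tcp", 135): "probe: ms-rpc",
    ("tcp", 80): "probe/worm: http request at a dark host",
}

@dataclass(frozen=True)
class Pkt:
    src: str    # who sent it
    dst: str    # dark address that was hit (assumed to have no host behind it)
    proto: str  # "tcp" or "udp"
    dport: int

def classify(p: Pkt) -> str:
    """Label one packet seen on the dark segment; anything else awaits manual review."""
    return SIGNATURES.get((p.proto, p.dport), "unclassified")

def summarise(pkts, scan_threshold=3):
    """Return (packets per label, distinct sources per label, horizontal scanners).
    A source that touches >= scan_threshold distinct dark addresses is a scanner."""
    per_label = Counter(classify(p) for p in pkts)
    sources, dark_hosts = defaultdict(set), defaultdict(set)
    for p in pkts:
        sources[classify(p)].add(p.src)
        dark_hosts[p.src].add(p.dst)
    scanners = sorted(s for s, hit in dark_hosts.items() if len(hit) >= scan_threshold)
    return per_label, {k: len(v) for k, v in sources.items()}, scanners

# Constructed sample: a few seconds of arrivals on a /24 that has no hosts.
SAMPLE = [
    Pkt("198.51.100.7", "203.0.113.10", "tcp", 445),
    Pkt("198.51.100.7", "203.0.113.11", "tcp", 445),
    Pkt("198.51.100.7", "203.0.113.12", "tcp", 445),
    Pkt("198.51.100.9", "203.0.113.20", "udp", 1434),
    Pkt("198.51.100.9", "203.0.113.21", "udp", 1434),
    Pkt("192.0.2.33", "203.0.113.30", "tcp", 139),
    Pkt("192.0.2.34", "203.0.113.30", "tcp", 80),
    Pkt("192.0.2.40", "203.0.113.40", "udp", 53),  # stray DNS query: smells like misconfiguration
]
```

Calling `summarise(SAMPLE)` gives the per-label packet and source counts plus the one source that swept three dark addresses; the unclassified bucket is where the misconfiguration candidates end up for a closer look.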
more to come .....
rage against time!!!
'noise attributes'
lots more of the statistical approach
data to present
a day in the net
By: kamal hilmi othman
Last update: somewhere in 2005
Update: need to update always