Experiences and Observations from the NoAH Infrastructure

Abstract

Monitoring large chunks of unused IP address space yields interesting observations and useful results. However, the volume and diversity of the collected data makes the extraction of information a challenging task. Additionally, the maintenance of the monitoring infrastructure is another demanding and time-consuming effort. To overcome these problems, we present several visualization techniques that enable users to observe what happens in their unused address space over arbitrary time periods and provide the necessary tools for administrators to monitor their infrastructure. Our approach, which is based on open-source standard technologies, transforms the raw information at the network level and provides a customized and Web-accessible view. In this paper, we present the design, implementation and early experiences of the visualization techniques and tools deployed for the NoAH project, a large-scale honey pot-based infrastructure. Additionally, we provide a traffic analysis of data collected over a six month period of our infrastructure's operation. During the data collection period, we observed that the number of attackers continually increased as did the volume of traffic they generated. Furthermore, interesting patterns for specific types of traffic have been identified, such as the diurnal cycle of the traffic targeting TCP port 445 (Windows Directory Services), the port that receives the largest volume of attack traffic.