Earthquakes

SIGCOMM 2012
13-17 August, 2012 - Helsinki, Finland
Extracting Benefit from Harm: Using Malware Pollution
to Analyze the Impact of Political and Geophysical
Events on the Internet
A. Dainotti, R. Amman, E. Aben, K. C. Claffy
CAIDA/UCSD
www.caida.org
CONTEXT
Analysis of large-scale Internet Outages
•Country-level Internet Blackouts
Egypt, Jan 2011
Government orders to shut down the Internet
(BGP withdrawals, packet-filtering, satellite-signal jamming, ...)
•Natural disasters affecting the infrastructure/population
Japan, Mar 2011
Earthquake of Magnitude 9.0
Cooperative Association for Internet Data Analysis
University of California San Diego
IDEA
“Extracting benefit from harm..”
•Use Internet Background Radiation (IBR) generated by
malware-infected hosts as a “signal”
[Diagram: an infected host randomly scanning the Internet; part of its traffic reaches the UCSD Network Telescope (darknet xxx.0.0.0/8)]
NOVELTY
Using IBR to study Internet Outages
•Revival of
[Timeline figure with year marks 2001, 2002, 2003, 2004, 2005, 2010, 2011. Recoverable labels: "Inferring DoS Activity", "Network Telescopes", "IBR Revisited", "Study of Internet Outages".]
•Alternative/Complementary measurement approaches to study
outages
- BGP [13][28]
- Active Probing [20][42]
- Passive Traffic [22][24]
- Google services [13][14]
- Peer-to-Peer traffic [5][6]
THE EVENTS (1/2)
Internet Disruptions in North Africa
•Egypt
- January 25th, 2011: protests start in the country
- The government orders service providers to “shut down” the Internet
- January 27th, around 22:34 UTC: several sources report the withdrawal in the
Internet’s global routing table of almost all routes to Egyptian networks
- The disruption lasts 5.5 days
•Libya
- February 17th, 2011: protests start in the country
- The government controls most of the country’s communication infrastructure
- February 18th (6.8 hrs), 19th (8.3 hrs), March 3rd (3.7 days): three
different connectivity disruptions:
[Timeline figure, 2011 (Feb, Mar): Egypt: Jan 25, Jan 27 22:12 (5.5 days). Libya: Feb 17, Feb 18 23:15 (6.8 hours), Feb 19 21:55 (8.3 hours), Mar 03 16:57 (3.7 days).]
Figure 1: Timeline of Internet disruptions described in the paper. Times in figure are UTC (Egypt and Libya are UTC+2). The pair of red dots indicate the start of major political protests in the respective countries.
NETWORK INFO
Prefixes, ASes, Filtering
•Egypt
- 3165 IPv4 and 6 IPv6 prefixes are delegated to Egypt by AfriNIC
- They are managed by 51 Autonomous Systems
- Filtering type: BGP only
•Libya
- 13 IPv4 prefixes, no IPv6 prefixes
- 3 Autonomous Systems operate in the country
- Filtering type: mix of BGP, packet filtering, satellite signal jamming
A. Dainotti, C. Squarcella, E. Aben, K. C. Claffy, M. Chiesa, M. Russo, A. Pescapè,
“Analysis of Country-wide Internet Outages Caused by Censorship”
ACM SIGCOMM Internet Measurement Conference 2011
ology explained in Section 4 identifies the outage as a sequence of
routing events between approximately 22:12:00 GMT and 22:34:00
GMT. The outage lasts for more than five days, during which more
active BGP IPv4 prefixes in Egypt are withdrawn. In Figure 3 each
step represents a set of IPv4 prefixes at the point in time when they
first begin to disappear from the network. Temporary fluctuations
of a route are ignored.
EGYPT
IBR: packet rate
[Plot: packets per second (y axis) over time, daily ticks from 01-27 00:00 to 02-04 00:00]
Figure 2: Unsolicited packets from IPs geolocated in Egypt to UCSD’s network telescope.
Further losses of conn
summing up to 236 wi
tion then appears as an
initial step at 22:12:26
disappear within a 20 m
prefixes remain visible.
Figure 5 shows the s
main Egyptian ASes. A
sequence for the interl
assumption on the chro
Contrary to IPv4 prefi
for IPv6 prefixes. Of th
file, only one is seen i
nounced by AS6175 (
prefix stayed visible d
cific prefixes seen in R
AS2561).
Figure 6 shows a bre
network telescope in th
other. Conficker refers
445 and packet size 48
are generated by system
not be absolutely certa
majority of packets sati
These packets typica
their source IPs are no
study based on geoloca
attacks target a victim
serve, backscatter traffi
jeopardizing our infere
RANDOM PROBING
E.g., Conficker
[Diagram: an infected host randomly scanning the Internet sends a packet with DST: xxx.1.2.3, which reaches the UCSD Network Telescope (darknet xxx.0.0.0/8)]
BACKSCATTER
e.g., SYN+ACK replies to spoofed SYNs
[Diagram: an ATTACKER (spoofing SRC IPs) sends packets with src:yyy.1.2.3, src:zzz.4.5.6 and src:xxx.1.2.3 to the DoS VICTIM; the victim's reply with DST: xxx.1.2.3 reaches the UCSD Network Telescope (darknet xxx.0.0.0/8)]
UCSD network telescope. For the IBR traffic data, we first isolated all the traffic from IP addresses that geolocated to Egypt and Libya for a period of time including the outages. For IP geolocation we used two databases: the AfriNIC Regional Internet Registry [?] and the MaxMind GeoLite Country database [?].
Figure 5: Visibility of main Egyptian Autonomous Systems via BGP during the outage on January 27 (based on data from RouteViews and RIPE NCC’s RIS). Each AS is plotted independently; as in Figure 3, each line drops down at the instant in which a lasting (i.e., not temporarily fluctuating) BGP withdrawal is first observed.
EGYPT
IBR: dissecting it
[Plot: packets per second over time for three categories of traffic: conficker-like, backscatter, other]
Figure 6: Categories of unsolicited packets from IPs geolocated in Egypt to UCSD’s network telescope: other, conficker-like, backscatter. Spikes in backscatter traffic reflect large denial-of-service attacks against hosts in Egypt.
(ii) active traceroute probing from Ark [?]; and (iii) IBR from the
UCSD network telescope. For the IBR traffic data, we first isolated
all the traffic from IP addresses that geolocated to Egypt and Libya
for a period of time including the outages. For IP geolocation we
used two databases: the AfriNIC Regional Internet Registry [?] and
the MaxMind GeoLite Country database [?].
EGYPT
IBR: rate of distinct src IPs vs packet rate
[Plot: distinct IPs per hour, together with packets per second for conficker-like, backscatter and other traffic, daily ticks from 01-27 00:00 to 02-04 00:00]
Figure 1: Unsolicited traffic from IPs geolocated in Egypt to UCSD’s network telescope: number of distinct source IP addresses observed every hour
not caused by the data-plane going down, a BGP withdrawal may
only affect inbound connectivity, outbound packets can still be sent
if a network uses default routing for upstream connectivity.
The gradual decrease in the rates of both unique IP addresses and
packets during the outage is due to the progressive withdrawal of
more BGP routes that during the first day were kept reachable [?].
LIBYA
the first two outages
[Plot: distinct IPs per hour and packets per second over time, 6-hour ticks from 02-18 18:00 to 02-20 18:00]
Figure 2: Unsolicited traffic to UCSD’s network telescope originating from Libya during the first two Libyan outages. The rate of distinct IPs per hour
THE EVENTS (2/2)
Earthquakes
•Christchurch - NZ
- February 21st, 2011 23:51:42 UTC
- Local time 22nd, 12:51:42 PM
- Magnitude: 6.1
•Tohoku - JP
- March 11th, 2011 05:46:23 UTC
- Local time 02:46:23 PM
- Magnitude: 9.0
Distance (Km)   Christchurch - NZ              Tohoku - JP
                Networks    IP Addresses       Networks    IP Addresses
< 5             1           255                0           0
< 10            283         662,665            0           0
< 20            292         732,032            0           0
< 40            299         734,488            0           0
< 80            309         738,062            5           91
< 100           310         738,317            58          42,734
< 200           348         769,936            1,352       1,691,560
< 300           425         828,315            3,953       4,266,264
< 400           1,531       3,918,964          16,182      63,637,753
< 500           1,721       4,171,527          41,522      155,093,650
Table 2: Networks and IP addresses within a given distance to the epicenters.
We use MaxMind GeoLite City DB to compute distance from a given network to the epicenters
We use the MaxMind GeoLite City database [?] to calculate the great-circle distance [?] from a given network to the epicenters of the earthquakes. Table ?? shows the number of IP hosts geolocated to within increasing radii of each epicenter. The two most striking contrasts between the two earthquake epicenters are: (1) how much further the Tohoku epicenter (which was in the Pacific ocean) was [...]ant population of IP addresses (100 km); and (2) [...] IP addresses are within 500 km of Tohoku’s epicenter ([...] includes Tokyo), consistent with the orders of magnitude [...] population in Japan.
A SIMPLE METRIC
to evaluate impact and extension
In search of a metric to express the effects of the disasters on nearby Internet infrastructure, we computed the number of distinct source IP addresses per hour seen by the telescope over two contiguous 24-hour periods before and after earthquake. We define $I_{\Delta t_i}$ the number of distinct source IP addresses seen by the telescope over the interval $\Delta t_i$, where $\Delta t_1, ..., \Delta t_n$ are 1-hour time slots following the event and $\Delta t_{-1}, ..., \Delta t_{-n}$ are those preceding it. We then define the ratio θ as in Eq. ??,

$$\theta = \frac{\sum_{i=-1}^{-24} I_{\Delta t_i}}{\sum_{j=1}^{24} I_{\Delta t_j}} \qquad (1)$$

which provides an indicator of how many IP addresses, in the geographical area from which we observe IBR, likely lost connectivity to the Internet following the earthquake. We consider 24-hour periods in order to capture the phenomena over a full 1-day cycle: IBR follows diurnal patterns of human activity, being mostly generated by (infected) users’ PCs [?].
[Plot: θ - Ratio of distinct IPs before/after earthquake versus distance in Km; annotated point (x=20,y=2.4)]
Figure 3: Impact of Tohoku’s earthquake on network connectivity: distribution of θ for networks at varying distance, in bins of 1km each, across a range of 0 to 500km. Values of θ around 1 indicate no substantial change in the amount of distinct IPs observed in IBR. Plotting the data this way allows us to roughly estimate the maximum radius ρmax of impact of the earthquake on network connectivity (annotated in figure).
RADIUS OF IMPACT
rough estimate based on θ
- We compute θ for address ranges geolocated at different distances from the epicenter of the earthquake (0 to 500km in bins of 1km each)
- θ around 1 indicates no substantial change in the number of unique IP addresses observed in IBR before and after the event.
Figure ?? shows the same diagram for the Christchurch earthquake, where a significant value of θ is observable up to ρmax = 20km from the epicenter (θ = 2.4). Figures ?? and ?? map the prox-
Christchurch
[Plot: θ - Ratio of distinct IPs before/after earthquake versus distance from the epicenter in Km (0 to 500); annotated point (x=20,y=2.4)]
Figure 4: Impact of Christchurch’s earthquake on network connectivity: histogram of θ for networks at varying distance, in bins of 1km each, across a range of 0 to 500km. This metric suggests a maximum ρmax of 20km,
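The θ metric and the radius estimate from the slides above, as an added example that is not code from the slides or the paper. It computes θ per distance bin from geolocated telescope observations, keeps only bins seen in every hour before the event, and derives ρmax and θmax; the function names, the 1.3 cut-off for "significantly > 1", the epicenter at (0, 0) and the sample observations are assumptions constructed for illustration.

```python
import math
from collections import defaultdict

EARTH_RADIUS_KM = 6371.0


def great_circle_km(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance between two points, in km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlon = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def theta(slots, n=24):
    """theta = (distinct IPs in the n hourly slots before) / (same, after).

    slots maps a slot index (-n..-1 before the event, 1..n after it) to the
    set of source IPs seen in that hour. No traffic afterwards gives inf.
    """
    before = sum(len(slots.get(-i, ())) for i in range(1, n + 1))
    after = sum(len(slots.get(j, ())) for j in range(1, n + 1))
    if after == 0:
        return math.inf if before else math.nan
    return before / after


def bin_observations(observations, epicenter, bin_km=1.0, n=24):
    """Group (slot, src_ip, lat, lon) records by distance bin, then by slot."""
    bins = defaultdict(lambda: defaultdict(set))
    for slot, ip, lat, lon in observations:
        if slot == 0 or abs(slot) > n:
            continue  # outside the two 24-hour windows
        dist = great_circle_km(epicenter[0], epicenter[1], lat, lon)
        bins[math.floor(dist / bin_km) * bin_km][slot].add(ip)
    return bins


def theta_by_distance(bins, n=24):
    """theta per bin, keeping only bins seen in every hour before the event."""
    out = {}
    for start_km in sorted(bins):
        slots = bins[start_km]
        if all(slots.get(-i) for i in range(1, n + 1)):
            out[start_km] = theta(slots, n)
    return out


def rho_max(theta_bins, significant=1.3):
    """Farthest bin whose theta exceeds the cut-off (1.3 is an assumption)."""
    hits = [km for km, value in theta_bins.items() if value > significant]
    return max(hits) if hits else None


def theta_max(bins, n=24):
    """Highest theta over all networks inside a growing circle: (km, theta)."""
    merged, best = defaultdict(set), (None, 0.0)
    for start_km in sorted(bins):
        for slot, ips in bins[start_km].items():
            merged[slot] |= ips
        value = theta(merged, n)
        if value > best[1]:
            best = (start_km, value)
    return best


def constructed_sample():
    """Constructed observations: four networks east of an epicenter at (0, 0).

    Each tuple: longitude offset (deg), hosts before, hosts after, and how
    many of the 24 preceding hours the network was seen at all.
    """
    networks = [(0.05, 4, 1, 24), (0.15, 3, 2, 24), (0.50, 2, 2, 24), (2.00, 2, 0, 12)]
    obs = []
    for k, (lon, before, after, hours_seen) in enumerate(networks):
        for h in range(1, hours_seen + 1):
            obs += [(-h, f"10.{k}.0.{i}", 0.0, lon) for i in range(before)]
        for h in range(1, 25):
            obs += [(h, f"10.{k}.0.{i}", 0.0, lon) for i in range(after)]
    return obs


if __name__ == "__main__":
    bins = bin_observations(constructed_sample(), epicenter=(0.0, 0.0))
    per_bin = theta_by_distance(bins)
    for km, value in per_bin.items():
        print(f"{km:6.0f} km  theta = {value:.2f}")
    print("rho_max:", rho_max(per_bin), "km")
    print("theta_max:", theta_max(bins))
```

The network about 222 km out is dropped from the per-bin result because it was seen in only 12 of the 24 preceding hours, which keeps a sparsely observed bin from producing a spurious θ.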
RADIUS OF IMPACT
rough estimate based on θ
We call ρmax the maximum distance at which we observe a value of θ significantly > 1
Tohoku
[Plot: θ - Ratio of distinct IPs before/after earthquake versus distance from the epicenter in Km (0 to 500); annotated point (x=304,y=9.3)]
To estimate the maximum radius ρmax of impact of the earthquake on Internet connectivity, in Figure ?? we plot a histogram of θ values calculated for network prefixes (address ranges) geolocated at different distances from the epicenter of Tohoku’s earthquake, from 0 to 500km in bins of 1km each. Values of θ around 1 indicate no substantial change in the number of unique IP addresses observed in IBR before and after the event. Figure ?? shows that there is a significant reduction in the number of IP addresses observed before and after the earthquake, i.e., θ is significantly above 1, for address ranges up to 304km from the epicenter, where θ = 9.3. We consider the distance from the epicenter where this
preting such bins, we only count (plot data for) bins from which the telescope observed at least 1 IP per hour in the 24-hour period preceding the earthquake. Figure ?? shows that some networks look less affected by the earthquake, which could be true or could reflect errors in the geolocation mappings we used.
EXTENSION OF IMPACT
geo coordinates of most affected networks
Networks within each respective
[Maps: (a) Christchurch, (b) Tohoku]
Figure 5: Networks selected within the estimated maximum radius of impact of the earthquake (20km for Christchurch and 304km for Tohoku). We based our geolocation on the publicly available MaxMind GeoLite Country database.
“MAGNITUDE”
A measure of impact
Varying the radius, we pick the highest value of θ calculated for the whole set of networks within the corresponding circle
[Plots: θ - Ratio of distinct IPs before/after earthquake versus radius in Km (0 to 500). Christchurch: annotated point (x=6,y=2.0). Tohoku: annotated point (x=137,y=3.59)]
Figure 6: Measuring the impact of the earthquake on network connectivity as seen by the telescope: value of θ for all networks within a given range from the epicenter. The peak value θmax reached by θ can be considered the magnitude of the impact.
kilometers from its epicenter, consistent with the stronger magnitude of Tohoku’s earthquake (see Table ??) and news reports regarding its impact on buildings and power infrastructure. Table ?? summarizes these indicators found for both earthquakes.
IP RATE IN TIME
reflects the dynamics of the event
[Plots: number of distinct IPs per hour over time, with the instant of the EARTHQUAKE marked. Christchurch: ticks from 02-18 to 03-04. Tohoku: ticks from 03-04 to 03-22.]
IBR traffic also reveals insight into the evolution of the earthquake’s impact on network connectivity. Figure ?? plots the number of distinct source IPs per hour of packets reaching the telescope from networks within the ρmax = 20 km radius from the epicenter of Christchurch’s earthquake. All times are in UTC. The time range starts approximately one week before the earthquake and ends two weeks after. We would not expect the IBR traffic to drop to zero, for two reasons. First, not all the networks are necessarily disabled by the earthquake. Second, the geolocation database services we use are not 100% accurate. For a few days before the event, peaks are always above 140
climbs slowly, reaching pre-event levels only after a week, which correlates with the restoration of power in the Christchurch area [?].
Figure ?? plots the same graph for IBR traffic associated with the Tohoku earthquake, within a maximum distance ρmax = 304 km from the epicenter. The much steeper drop in the number of unique IPs per hour sending IBR traffic is consistent with the Tohoku earthquake’s much larger magnitude than that of the Christchurch earthquake. In the days after the event the IBR traffic starts to pick up again, but does not reach the levels from before the event during the analyzed time interval, also consistent with the dramatic and lasting impact of the Tohoku earthquake on Northern Japan.
Figure 7: Rate of unique source IP addresses found in unsolicited traffic reaching the UCSD network telescope from networks geolocated within a ρmax = 20km range from the Christchurch earthquake epicenter. The rate of distinct IPs per hour drops immediately after the earthquake. Peaks before the earthquake were above 140-160 IPs/hour on weekdays (weekend is on 19-20 February), while the first peak after the earthquake is slightly above 100 IPs/hour. Levels remain lower for several days, consistent with the slow restoration of power in the area.
Figure 8: Rate of unique source IP addresses found in unsolicited traffic reaching the UCSD network telescope from networks geolocated within ρmax = 304km of the Tohoku earthquake epicenter. The rate of distinct IPs per hour shows a considerable drop after the earthquake which does not return to previous levels even after several days.
                     Christchurch    Tohoku
Magnitude (θmax)     2 at 6km        3.59 at 137km
Radius (ρmax)        20km            304km
Table 3: Indicators of earthquakes’ impact on network connectivity as observed by the UCSD network telescope.
further confirm that the variations in rate of unique IP addresses are anomalous compared to IBR behavior typically observed by the telescope, we plot θ over a longer time frame (two months) surrounding the earthquake using two sliding 24-hour windows before and after each point plotted. Figure ?? plots a two-month period of θ values for networks within a ρmax = 20 km range of the Christchurch earthquake’s epicenter. Normally, values of θ stay within an envelope [0.7 , 1.3], but the value of θ breaks out above the 1.3 upper bound exactly when the earthquake hits. Another lower spike shortly after the earthquake may have been due to blackouts caused by attempts to restore electricity. The corresponding drop is also visible, although less obvious, in Figure ??. The coincidence of the spike in θ with the earthquake suggests the utility of θ as a meaningful indicator of disruption to network infrastructure.
EVALUATING Θ
variations over a long time period
•2 months period of observation
•θ normally stays within [0.7 - 1.3]
[Plots: θ - Ratio of distinct IPs before/after earthquake over a two-month period, for Christchurch and for Tohoku, with the instant of the EARTHQUAKE marked and the annotation "Telescope was switched off here"]
Figure 9: Ratio of number of unique IP addresses reaching the UCSD darknet in two successive 24-hour periods (before vs after the given data point) from networks within a ρmax = 20 km range from the Christchurch earthquake’s epicenter. We plot this value over this two-month period,
Figure 10: Ratio of number of IP addresses reaching the UCSD darknet in two successive 24-hour periods (before vs after the given data point) from networks within a ρmax = 304 km range from the Tohoku earthquake’s epicenter. Although we use a different distance threshold than for the values in the Christchurch plot in Figure ??, there is a similar breakout above a ratio of 1.3 exactly when the earthquake strikes.
source IP addresses of traffic destined to the darknet addresses, we can identify when sizeable geographic regions appear to have lost connectivity. Country-level disruptions appear particularly prominently in the data analysis since geolocating IP addresses to countries is more accurate than finer-grained geolocation, e.g, to cities. The ubiquitous presence of this pollution in the data plane also allows us to infer events, such as packet-filtering-based censorship, not observable in other types of data, e.g., BGP. We used four case studies from 2011 to test our approach: two episodes of broad-scale country-level politically motivated censorship, and two high magnitude earthquakes.
Our preliminary approach has several limitations. First, the re
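The two-month evaluation of θ described above works as a sliding-window detector; the following is an added example, not code from the slides or the paper. It applies the [0.7, 1.3] envelope from the slide to an hourly series of distinct source IP counts; the function names, the skipping of windows that overlap hours without telescope data, and the series itself are assumptions constructed for illustration.

```python
import math


def sliding_theta(hourly_counts, n=24):
    """theta at every hour t: counts in the n hours before t over the n hours from t on.

    hourly_counts[t] is the number of distinct source IPs seen in hour t, or
    None when the telescope recorded nothing (for example, it was switched
    off). Windows touching a None hour are skipped (an assumption of this
    sketch) so sensor downtime is never reported as an outage.
    """
    series = {}
    for t in range(n, len(hourly_counts) - n + 1):
        before, after = hourly_counts[t - n:t], hourly_counts[t:t + n]
        if None in before or None in after:
            continue
        total_before, total_after = sum(before), sum(after)
        if total_after == 0:
            series[t] = math.inf if total_before else math.nan
        else:
            series[t] = total_before / total_after
    return series


def breakouts(series, low=0.7, high=1.3):
    """Merge consecutive hours outside [low, high] into events.

    theta > high means fewer sources after the point than before ("drop");
    theta < low means more sources after than before ("rise").
    """
    events = []
    for t in sorted(series):
        value = series[t]
        kind = "drop" if value > high else "rise" if value < low else None
        if kind is None:
            continue
        last = events[-1] if events else None
        if last and last["kind"] == kind and last["end"] == t - 1:
            last["end"] = t
            more_extreme = value > last["peak"] if kind == "drop" else value < last["peak"]
            if more_extreme:
                last["peak"], last["peak_hour"] = value, t
        else:
            events.append({"kind": kind, "start": t, "end": t, "peak": value, "peak_hour": t})
    return events


def constructed_series():
    """Constructed 10-day series with a diurnal cycle (100 at night, 140 by day).

    Hours 30-35: telescope off (None). Hours 120-191: half the sources vanish.
    """
    day = [100] * 8 + [140] * 12 + [100] * 4
    counts = day * 10
    for t in range(120, 192):
        counts[t] //= 2
    for t in range(30, 36):
        counts[t] = None
    return counts


if __name__ == "__main__":
    for event in breakouts(sliding_theta(constructed_series())):
        print(event)
```

Because each window spans a full day, the diurnal cycle cancels out and θ stays at 1.0 until the disruption enters the "after" window; the breakout therefore begins some hours before the event and peaks at the event itself.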
CONCLUSION
ongoing work
•IBR is an effective source of data for the analysis of network
outages caused by events of different type
•Future work
- Integrate and combine analysis of multiple data sources (BGP, IBR, active
measurement, ...)
- Analysis of AS/Link-level topology
- Automated detection + triggered active measurements
THANKS