Abstract
Purpose: This study seeks to investigate modern internet back‐bone traffic in order to study occurrences of malicious activities and potential security problems within internet packet headers.

Design/methodology/approach: Contemporary and highly aggregated back‐bone data have been analyzed regarding consistency of network and transport layer headers (i.e. IP, TCP, UDP and ICMP). Possible security implications of each anomaly observed are discussed.

Findings: A systematic listing of packet header anomalies, together with their frequencies as seen “in the wild”, is provided. Inconsistencies in protocol headers have been found within almost every aspect analyzed, including incorrect or incomplete series of IP fragments, IP address anomalies and other kinds of header fields not following internet standards. Internet traffic was shown to contain many erroneous packets; some are the result of software and hardware errors, others the result of intentional and malicious activities.

Practical implications: The study not only presents occurrences of header anomalies as observed in today's internet traffic, but also provides detailed discussions about possible causes for the inconsistencies and their security implications for networked devices.

Originality/value: The results are relevant for researchers as well as practitioners, and form a valuable input for intrusion detection systems, firewalls and the design of all kinds of networked applications exposed to network attacks.