-
Analysis of 8.76.0.0/16 in the MAWI data set
Phil Burdette, Ryan Easton, Zack Loether, Derrick Spooner
The class B subnet that we analyzed was 8.76.0.0/16. During the data
collection period, this net block saw 25,457 unique traffic flows
composed of 384,211 individual packets. This particular class B network
was chosen for analysis over the others because of its size: it is
large enough to provide interesting analysis points without being so
large that there would be too much data to analyze. Based upon the
analysis conducted, we have come to the conclusion that this net block
is probably entirely, or at least largely, a corporate network. Our key
findings included SMB scanning and a possible worm infection, which were
evident from flow analysis of the captured packets. For the event
analysis, we compared our net block's activity to a DDoS attack on a
Belarusian news site. A similar attack on our network would be
extremely noticeable due to the significant increase in web traffic to
our web servers.
-
Analysis of 193.52.0.0 and the MAWI set
Ron Bandes,
Francis Fbgormittah,
Robert Jackson Lee,
Allison MacFarlan
Political, environmental and network unrest were prevalent in the
world on March 30th and 31st, 2009. The primary concern in the
information technology world was a worm called Conficker, which had
already morphed twice and whose purpose and source code were still
being extensively analyzed. There was general fear that on April 1st
Conficker would expand its influence and release a nefarious payload
or launch a destructive attack on the world's networks. Because of the
timing of our sample and the global focus on Conficker, we used this
circumstance as the internet-wide event for our case study, and
analyzed all the data in our sample to determine if Conficker had a
significant effect on the large Class B network we chose for analysis
(193.52.x.x). This was the problem we were trying to solve:
Was Conficker exhibited on our network, and if so, could we prove it?
-
Network Situational Awareness
Group Project Report
Chanon Sinitskul, Napat Ratanasirintrawoot, Will Zickefoose
In order to make an architecture improvement to the class B network
block 173.94.0.0/16, one day of traffic flow data was analyzed to
profile the network. The dataset used for the analysis was captured at
a trans-Pacific transit point from March 30, 2009, 3pm to March 31,
2009, 3pm.
The profile shows that the network traffic consists mainly of TCP
traffic, especially HTTP, which contributes 77% of the traffic. Other
significant TCP traffic includes HTTPS, SMTP, RTPS, and FTP. UDP and
ICMP traffic contribute 14.61% and 0.49% of the traffic, respectively.
Major network components were identified as follows.
-
Network Situational Awareness
Applying Concepts to a Specific Data Source
Chris Canning, Joan Downing, Chris King,
Bob Weiland
We were tasked with performing an analysis using the MAWI Sample Point
F data set provided through the WIDE Project. Our analysis was based
on data collected over 24 hours of network traffic on the 144.44.0.0/16
class B network, which will be referred to as "our network". This
network was chosen by analyzing the network traffic provided: our
network had the third highest number of flows and volume of traffic,
so we figured this would provide enough data to perform a thorough
analysis.
Our network comprised a number of web servers, DNS servers, and mail
servers, which were identified by analyzing flow traffic corresponding
to the services that would be hosted by the respective types of
servers. Servers that processed a large amount of data on a known port
were judged more likely to host that service. In addition to servers,
there were a number of client machines on the network whose traffic
resembled that of a normal user.
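The heuristics sketched in these reports can be made concrete. The following Python is an added example written for this page, not code from any of the student reports. It parses flow records laid out like the output of SiLK's `rwcut --fields=sIP,dIP,sPort,dPort,protocol,packets,bytes`, builds the kind of byte-share service profile described in the 173.94.0.0/16 report, applies the "large volume on a known port" server test from the 144.44.0.0/16 report with a distinct-peer threshold so that one heavy download is not taken as evidence of a server, and flags the SMB scanning pattern noted in the 8.76.0.0/16 report as a single source touching many hosts on TCP/445 with tiny flows. The port-to-service mapping, the thresholds and the sample records are assumptions constructed for the example; none of it is taken from the MAWI data.

```python
"""Flow-analysis helpers over rwcut-style text (added example, not from the reports)."""
from collections import defaultdict, namedtuple

# Assumed mapping of (IP protocol, port) to a service label; extend as needed.
KNOWN_SERVICES = {
    (6, 80): "web", (6, 443): "web",
    (6, 53): "dns", (17, 53): "dns",
    (6, 25): "mail",
    (6, 445): "smb",
}

Flow = namedtuple("Flow", "sip dip sport dport proto packets bytes")


def parse_rwcut(text):
    """Parse pipe-delimited rows in the layout of
    `rwcut --fields=sIP,dIP,sPort,dPort,protocol,packets,bytes`; the header row is skipped."""
    flows = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.strip().strip("|").split("|")]
        if len(fields) < 7 or fields[0] == "sIP":
            continue
        sip, dip, sport, dport, proto, pkts, byts = fields[:7]
        flows.append(Flow(sip, dip, int(sport), int(dport), int(proto), int(pkts), int(byts)))
    return flows


def service_label(f):
    """Label a flow by whichever endpoint sits on a known service port, else 'other'."""
    return (KNOWN_SERVICES.get((f.proto, f.dport))
            or KNOWN_SERVICES.get((f.proto, f.sport))
            or "other")


def service_mix(flows):
    """Percentage of total bytes per service label (a byte-share traffic profile)."""
    totals = defaultdict(int)
    for f in flows:
        totals[service_label(f)] += f.bytes
    grand = sum(totals.values())
    return {k: round(100.0 * v / grand, 2) for k, v in totals.items()}


def infer_server_roles(flows, min_bytes=100_000, min_peers=3):
    """Call a host a <role> server when it sits on a known port in flows that together
    carry at least min_bytes and involve at least min_peers distinct remote addresses.
    Volume alone is weak evidence: one client's big download also moves many bytes on
    port 80, so fan-in from several peers is required as well. Thresholds are assumed."""
    stats = defaultdict(lambda: {"bytes": 0, "peers": set()})
    for f in flows:
        # Attribute the flow to whichever endpoint is on a known port (both, if both are).
        for host, peer, port in ((f.dip, f.sip, f.dport), (f.sip, f.dip, f.sport)):
            role = KNOWN_SERVICES.get((f.proto, port))
            if role is not None:
                stats[(host, role)]["bytes"] += f.bytes
                stats[(host, role)]["peers"].add(peer)
    roles = defaultdict(set)
    for (host, role), s in stats.items():
        if s["bytes"] >= min_bytes and len(s["peers"]) >= min_peers:
            roles[host].add(role)
    return dict(roles)


def detect_smb_scanners(flows, min_targets=10, max_packets=3):
    """Sources that touch many distinct hosts on TCP/445 with tiny flows (a refused or
    unanswered SYN probe never grows past a few packets). Returns {source: target count}."""
    targets = defaultdict(set)
    for f in flows:
        if f.proto == 6 and f.dport == 445 and f.packets <= max_packets:
            targets[f.sip].add(f.dip)
    return {sip: len(t) for sip, t in targets.items() if len(t) >= min_targets}


# Constructed sample in rwcut layout (not real MAWI data): web server 10.0.0.5 serving
# three clients, client 10.0.0.9 pulling a 5 MB download, one small DNS exchange, one
# legitimate SMB session, and host 10.0.0.77 probing twelve neighbours on TCP/445.
SAMPLE = """\
            sIP|            dIP|sPort|dPort|pro|   packets|     bytes|
  198.51.100.10|       10.0.0.5|51000|   80|  6|         6|       480|
       10.0.0.5|  198.51.100.10|   80|51000|  6|        40|     52000|
  198.51.100.11|       10.0.0.5|51001|   80|  6|         6|       480|
       10.0.0.5|  198.51.100.11|   80|51001|  6|        45|     60000|
  198.51.100.12|       10.0.0.5|51002|  443|  6|         9|       900|
       10.0.0.5|  198.51.100.12|  443|51002|  6|        30|     41000|
       10.0.0.9|    203.0.113.7|52000|   80|  6|        10|       800|
    203.0.113.7|       10.0.0.9|   80|52000|  6|      4000|   5000000|
  198.51.100.20|       10.0.0.8|40000|   53| 17|         1|        70|
       10.0.0.8|  198.51.100.20|   53|40000| 17|         1|       150|
      10.0.0.30|      10.0.0.31|49152|  445|  6|       200|    150000|
""" + "".join(
    f"      10.0.0.77|       10.0.1.{n}|{40000 + n}|  445|  6|         1|        48|\n"
    for n in range(1, 13)
)

if __name__ == "__main__":
    flows = parse_rwcut(SAMPLE)
    print("service mix (% of bytes):", service_mix(flows))
    print("inferred servers:", infer_server_roles(flows))
    print("SMB scanners:", detect_smb_scanners(flows))
```

Running the module prints the three results for the constructed sample. The DNS host in the sample shows why bytes alone are a poor server test: a busy resolver moves few bytes, so for DNS the distinct-peer count is the better signal, which is why both thresholds are parameters rather than constants. The external web server in the download flow is left unlabelled for the opposite reason: it moved 5 MB but talked to a single peer, which is not enough to distinguish a server from the far end of one client's transfer.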
-
A Network Flow Analysis of One Anonymous Class B Network
Michael Hanley, Brent Kennedy, Devon Rollins
On March 31, 2009, starting at approximately 1500 hours GMT, the MAWI
Working Group cooperated with CAIDA, the Cooperative Association for
Internet Data Analysis, to conduct a large-scale internet data
collection project. The MAWI Working Group contributed by sampling a
trans-Pacific link using tcpdump to collect packet capture data and
then anonymizing and truncating the data using tcpdpriv. This data,
which appears to us to be in a network-block-preserving anonymized
state, provides an incredibly valuable tool for students (undergraduate
and graduate alike) to perform traffic analysis both at the granular
packet level and, with the appropriate tools, at the network flow
level. For the purposes of this paper, 24 hours' worth of packet
capture (pcap) data from sample point "F" was converted to network flow
data and packed into files compatible with the SiLK suite, developed at
the CERT Coordination Center at Carnegie Mellon University's Software
Engineering Institute. We have been asked to analyze one /16 network of
our choice from this dataset.
-
Network Situational Awareness: Internet Traffic Analysis
46.168.0.0/16
Michael Scotto,
Danial Ranjha
The following report discusses analysis of the anonymized class B
network 46.168.0.0/16. This network was chosen randomly from a list of
all class B addresses in the MAWI data source, collected at a major
routing point on the internet. The analysis was performed using the
SiLK network flow analysis tool. During our analysis we acquired some
very interesting information. Perhaps one of the most interesting finds
is the lack of identifiable client traffic detected at the MAWI data
collection point. We believe this to be caused by client traffic
routing through a link other than our data source.