Understanding and Controlling Unnamed Internet Traffic

dc.contributor.advisor Brownlee, N en
dc.contributor.author Janbeglou, Maziar en
dc.date.accessioned 2017-11-06T01:47:44Z en
dc.date.issued 2017 en
dc.identifier.uri http://hdl.handle.net/2292/36323 en
dc.description.abstract Despite the vast research on Internet security approaches that rely on the Domain Name System (DNS) to identify malicious activities, little is known about the communications that do not utilise the DNS. For example, we might not know the portion of our outgoing network traffic that does not employ the DNS and the applications that were involved in generating this traffic. Apart from the peer-to-peer (P2P) applications that employ different techniques of exchanging peers' endpoint information, some Internet applications contain hard-coded IP addresses of needed servers, and when executed, they make direct connections with those IP addresses. The Onion Router (TOR) and some types of malware and worms are common examples of these applications. Because they do not use the DNS, none of the DNS-based security solutions can identify such activity. Again, if known ports are used in this traffic, none of the existing security tools, including firewalls and web proxies, can stop the communication. As a result, this type of traffic may be exploited by attackers in Internet-connected networks. This thesis investigates 'unnamed' traffic (traffic that does not employ the DNS) and proposes a solution of passively measuring DNS usage in a network, introduces a new method that tunnels all IPv4-based applications for P2P communications, identifies and extracts unnamed Internet traffic and understands the application of it, and subsequently proposes new techniques of detecting and blocking unnamed Internet traffic. The results of our experiments on the Internet traffic of the University of Auckland (UoA) have shown that not all outgoing Internet traffic employs the DNS. Also, we realise that a noticeable portion of the unnamed Internet traffic was classified as 'unknown' by standard packet analyser tools.
In addition, the results of DNS measurement using our unnamed Internet traffic blocker in a home network demonstrated that 100% of the outgoing communications used the DNS or were blocked. In the future, the blocker will be deployed and tested in larger networks, and more features, including supporting IPv6, an option to drop unknown and unnamed traffic, and whitelisting based on Internet applications rather than IP addresses, will be added to it. Also, we hope to achieve speed improvement by deploying our blocker concept in kernel space rather than user space. en
dc.publisher ResearchSpace@Auckland en
dc.relation.ispartof PhD Thesis - University of Auckland en
dc.relation.isreferencedby UoA99265042911102091 en
dc.rights Items in ResearchSpace are protected by copyright, with all rights reserved, unless otherwise indicated. Previously published items are made available in accordance with the copyright policy of the publisher. en
dc.rights.uri https://researchspace.auckland.ac.nz/docs/uoa-docs/rights.htm en
dc.title Understanding and Controlling Unnamed Internet Traffic en
dc.type Thesis en
thesis.degree.discipline Computer Science en
thesis.degree.grantor The University of Auckland en
thesis.degree.level Doctoral en
thesis.degree.name PhD en
dc.rights.holder Copyright: The author en
dc.rights.accessrights http://purl.org/eprint/accessRights/OpenAccess en
pubs.elements-id 706928 en
pubs.record-created-at-source-date 2017-11-06 en
dc.identifier.wikidata Q112932327

