
Nuisance Network Traffic

by John Kristoff, Kinjal Patel, Roman Lara on

Introduction

As the virtual world continues to connect the four corners of the Earth, the internet has quickly become a fundamental need across the globe in every aspect of our lives. The internet continues to change and evolve as it creates a new modern world, helping shape the future. Unfortunately, so do the threats impacting those very same critical systems and connections.

While there are many obvious threats such as hacktivists, nation-state adversaries and ransomware operators, there is also a constant, ever-growing undercurrent that we call nuisance traffic. This traffic is made up of undesirable, very often malicious and disruptive activity. It only becomes visible to the average user when its abrasive behavior erodes our security, affecting our productivity and our ability to communicate through the connected world.

Summary

Nuisance traffic covers a broad spectrum of unruly activity, each kind posing its own challenges for everyone from network operators to end users. The term nuisance traffic, while broad and new to some, encompasses very well-known traffic that anyone who spends even a short time on the internet encounters in one form or another. The biggest and most well-known contributors to nuisance traffic include:

  • Aggressive online advertising:
    • Intrusive pop-ups, banner ads, retargeted and redirecting ads can hinder browsing, interrupt user flow, and compromise privacy.
  • Spam:
    • Unsolicited and often irrelevant emails clog inboxes, wasting valuable time and potentially exposing users to phishing scams or malware.
  • Scrapers:
    • Automated programs, often malicious, that crawl websites and consume bandwidth, potentially disrupting legitimate traffic and compromising security.
  • DDoS Attacks:
    • Distributed denial-of-service attacks overwhelm servers with massive amounts of traffic, rendering websites inaccessible and causing significant financial losses.

Analysis

Network and security administrators who know their environments well can easily spot not only anomalous aggregate traffic trends but also out-of-profile communications between their systems and specific remote networks. For example, a city college would likely exchange a fair proportion of its internet traffic with regional ISPs, from which most students, faculty, and staff work and access college resources remotely. By contrast, a significant amount of traffic flowing between the city college network and a cybercafé halfway around the world would probably be very unusual. These extreme examples are easy to see in small, closely monitored systems if you know what to look for.

In the global view, we extend this analogy to examine what is common and what is unusual for different types of environments. For example, when we examined the attacks we see against a large private university with approximately 20,000 students, multiple residence halls, and tens of thousands of public IPv4 addresses at its disposal, we might expect a fair amount of "nuisance" traffic to or from this environment. Yet it turns out there is less than one event per month, and even then those alerts are relatively mild in scope.

On the other hand, when we compare the university to a hosting provider with just a fraction of that public IPv4 address space, we see a vastly different picture. Many small hosting providers exhibit tens, hundreds, or more attacks per day. One very small hosting provider sees a handful of attack alerts every day. Proportionally, this network exhibits a much higher level of nuisance traffic activity for its size than others do. (Figure 1)

Evaluating Network Nuisance Traffic

We began implementing a methodology to evaluate candidate networks that we characterize as exhibiting behavior and activity that could be classified as abusive or malicious (see our prior blog on bulletproof host classifications). We combine this classification with an approach that evaluates the candidate network based on the nuisance network traffic we can observe from our historical DDoS attack insight and related threat intelligence. Our focus is ultimately on observed activity and threat risk. In many, perhaps most, cases, nuisance traffic is associated with only a subset of the systems within a network. To minimize over-blocking and false positives, our focus is only on those systems.

In one of the most egregious cases, we identified a modestly sized hosting network that stood out among many other well-known and larger providers. The data in Figure 2 shows the number of attacks we have seen sourced from one of these nuisance networks. The decrease in attacks over October and November could be due to network outages, changes in blocks of IPs, or a genuine decrease in nuisance traffic from this provider. (Figure 2)
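The two ideas above, comparing networks by nuisance activity normalized for their size (the university versus the small hosting provider) and then acting only on the subset of hosts responsible rather than the whole prefix, can be expressed as a small scoring routine. The following is an added example written for this page; it is not Arbor's own code and the alert log, observation window, candidate networks and threshold (`min_alerts`) are all constructed for illustration.

```python
"""Rank candidate networks by nuisance activity normalized for address-space
size, then pick out only the hosts that account for nearly all of it so a
filter feed does not over-block an entire prefix.

Added example, not code from the original post. All data is constructed:
the networks are RFC 1918 / documentation ranges, not real providers.
"""
from collections import Counter, defaultdict
from datetime import date, timedelta
from ipaddress import ip_address, ip_network

OBSERVATION_DAYS = 60  # constructed observation window


def _constructed_alerts():
    """Build a synthetic attack-alert log as (source_ip, date) tuples."""
    start = date(2023, 10, 1)
    alerts = [
        # large "university" network: two isolated alerts from two hosts
        ("10.0.3.7", start + timedelta(days=5)),
        ("10.0.40.200", start + timedelta(days=41)),
    ]
    # small hosting provider: a few hosts account for almost all activity
    hosts = [("192.0.2.10", 30), ("192.0.2.11", 15), ("192.0.2.12", 3), ("192.0.2.13", 2)]
    for n, (ip, count) in enumerate(hosts):
        for i in range(count):
            alerts.append((ip, start + timedelta(days=(i * 7 + n) % OBSERVATION_DAYS)))
    # a source outside every candidate network; it must be ignored
    alerts.append(("203.0.113.5", start + timedelta(days=2)))
    return alerts


CONSTRUCTED_ALERTS = _constructed_alerts()

# Candidate networks to evaluate (constructed): one /16, one /24.
CANDIDATE_NETWORKS = {
    "university": ip_network("10.0.0.0/16"),
    "small-hoster": ip_network("192.0.2.0/24"),
}


def attribute_alerts(alerts, networks):
    """Group alerts by the candidate network containing the source address."""
    by_net = defaultdict(list)
    for ip_str, day in alerts:
        ip = ip_address(ip_str)
        for name, net in networks.items():
            if ip in net:
                by_net[name].append((ip_str, day))
                break
    return by_net


def nuisance_scores(alerts, networks, days=OBSERVATION_DAYS):
    """Alerts per day, and per day per 1,000 addresses, so a /16 and a /24
    can be compared fairly rather than by raw count."""
    by_net = attribute_alerts(alerts, networks)
    scores = {}
    for name, net in networks.items():
        total = len(by_net.get(name, []))
        per_day = total / days
        per_day_per_k = per_day / (net.num_addresses / 1000)
        scores[name] = {
            "alerts": total,
            "per_day": round(per_day, 4),
            "per_day_per_1k_addrs": round(per_day_per_k, 4),
        }
    return scores


def hosts_to_filter(alerts, networks, min_alerts=3):
    """For each network, return the hosts with at least `min_alerts` alerts
    (candidates for a host-level filter entry) and the share of the
    network's alerts those hosts cover. Hosts below the threshold are left
    alone, which is what keeps the list from over-blocking."""
    by_net = attribute_alerts(alerts, networks)
    result = {}
    for name in networks:
        counts = Counter(ip for ip, _ in by_net.get(name, []))
        total = sum(counts.values())
        chosen = [(ip, c) for ip, c in counts.most_common() if c >= min_alerts]
        covered = sum(c for _, c in chosen)
        coverage = round(covered / total, 4) if total else 0.0
        result[name] = {"hosts": chosen, "coverage": coverage}
    return result


if __name__ == "__main__":
    for name, s in nuisance_scores(CONSTRUCTED_ALERTS, CANDIDATE_NETWORKS).items():
        print(f"{name:13s} alerts={s['alerts']:3d} per_day={s['per_day']:.4f} "
              f"per_day_per_1k_addrs={s['per_day_per_1k_addrs']:.4f}")
    for name, h in hosts_to_filter(CONSTRUCTED_ALERTS, CANDIDATE_NETWORKS).items():
        print(f"{name:13s} filter hosts={h['hosts']} coverage={h['coverage']}")
```

On the constructed data the /24 hoster scores several thousand times higher per address than the /16 university even though both appear in the same alert feed, and three hosts cover 96% of the hoster's alerts, so a filter entry for those three addresses rather than the whole /24 captures almost all of the activity with far less collateral blocking.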

Conclusion

As network traffic ebbs and flows, our monitoring and nuisance network monitoring policy will inform our filter feeds in real time, adjusting the flow of unwanted traffic wherever it is found. Our approach is traffic-focused and provider-agnostic, based on observable evidence. We find this balanced approach best meets the needs of our customers while acting only on the sources and targets of traffic that most need to be mitigated. These traffic policies and lists are available as part of our ATLAS Intelligence Feed (AIF) within our Threat Mitigation System (TMS) and Arbor Edge Defense (AED) products. The intelligence bolsters countermeasures that already allow rate-limiting of anomalous traffic; adding intelligence into the mix makes the solution much more powerful.
