iatmon

| .comments. |

During the last decade, unsolicited one-way Internet traffic has been used to study malicious activity on the Internet. To make changes in composition of one-way traffic aggregates more detectable, we have developed iatmon (Inter-Arrival Time Monitor), a freely available measurement and analysis tool that allows one to separate one-way traffic into clearly-defined subsets.

Download

Download iatmon-2.1.2

About iatmon

iatmon is a monitor that reads network trace data from a file, or a live interface, using the WAND group's libtrace library. It builds a hash table of source addresses for one-way traffic, i.e. traffic coming from source S that elicits no response from any host in site H (host address blocks h1, h2, .. hn), and writes summary files describing the one-way sources.

Given this basic structure, we have implemented two methods of classifying the sources of incoming one-way traffic. These are:

Source types - Determined by the number of source addresses and ports it sends packets to
Source groups - Determined by the statisctics of its packet inter-arrival time (IAT) distribution

Other iatmon pages

PAM 2012 paper

One-way traffic monitoring with iatmon. Provides background info, explains types and groups in more detail, and present some results from measurements in San Diego in the first half of 2011.
SAN 2011 types

Stacked-bar plots of source types for all of 2011 (sources and Bytes)
SAN 2011 groups

Stacked-bar plots of source groups for all of 2011 (sources and Bytes)

Installing iatmon

iatmon is - for now anyway - intended to install and run in a normal usercode environment. The installation steps are:

download the latest distribution tarball.

Unpack the tarball file and change into the unpacked directory.

tar zxf iatmon-x.y.z.tgz            # Unpack the tarball into iatmon-x.y.z directory
cd  iatmon-x.y.z

Read the README and INSTALL files carefully

Run the configure script and the make script.

./configure                         # Build owt_conf.h, the 'features required' file
make                                # build OWTmonitor.so

Now you can run iatmon.rb (in the iatmon-x.y.z directory)

Configuring iatmon

iatmon consists of a Ruby outer block that uses OWTmonitor, a C extension module to read and process the trace packets. The C module passes information back to the Ruby outer block, which may - for example - write summary files at regular intervals.

C sources for the OWTmonitor module are in the owt-c directory; the owt-rb/owt-monitor.rb file provides a Ruby configuration interface for it. All the features of iatmon are configurable. Their values are set in the file owt-config.rb, which defines them as Ruby constants. Some example owt-config.rb files are provided in the owt-config directory; they have names of the form <hostname>.rb, i.e. <name of host running iatmon>.rb.

mk-owt-config.rb is called as the last processing step in ./configure;

if there is an existing owt-config.rb file, use it
otherwise, if owt-config/<hostname>.rb exists, use that
otherwise create a new owt-config file

The owt-config.rb file is a Ruby source file, with comments explaining what each defined Constant is used for. You should examine it carefully, and edit it to suit your site requirements.

Feedback, bug reports, suggestions

Any user feedback - bug reports, suggestions for improvements, etc, is welcome. Please email nevil@caida.org or n.brownlee@auckland.ac.nz