Tuning in to the background hum of the net

By Mark Ward
Technology correspondent, BBC News

image captionData spewed out by infected PCs can spell trouble for some net addresses

Everything you do on the internet involves packets of data flying between your machine and the sites you are using, be that bidding on eBay, using a search engine or watching video clips on YouTube.

And once you stop doing that thing, the two-way swapping of data ends.

Sadly, not all use of the internet is so tidy and well-mannered. As the net has grown so has this "background hum" of rogue data activity. It now generates about 5.5 gigabits of data every second. Not enough to swamp the net's pipes but a sizeable hum nonetheless.

Several sources contribute to that total. Misconfigured hardware and leaks from private networks form part of it but the majority is generated by computer viruses seeking new victims.

"We see a large number of machines, and they are typically machines running various versions of Windows, that are not just being infected but re-infected and are continuously trying to infect others," said Geoff Huston, chief scientist at internet address body APnic, who carried out one of the first large-scale investigations of this traffic.

What those infected machines are doing is generating an IP address - a unique code assigned to all machines on the net - and then sending out a few packets of data to see if there is a potential victim at that location. If not, then they generate a new address and try again. And again. And again.

The dumbest viruses start at net address and work up from there. There are only 4.3 billion addresses in the current version of the net's addressing system, known as IPv4, so an aggressive virus has a good chance of scanning a big chunk of that before it is stopped.

Curious source

Some viruses do not take such a crude approach.

One virus in particular, Conficker, is very aggressive about finding new victims and 70% of the hum that can be blamed on viruses is down to that piece of malware.

That figure would be higher, said Mr Huston, but for the poor coding skills of whoever created Conficker.

"They got one thing slightly wrong," said Mr Huston. "Instead of seeing the entire internet they see only half of it."

This is because one of the values in the chunk of code used to generate the random IP addresses is set to zero. This puts limits on the variety of IP addresses the virus can generate.

To a degree, said Mr Huston, some of the background hum was to be expected. Research in 2001 by University of Wisconsin-Madison computer scientist David Plonka showed that one of the biggest chunks of the IPv4 address space, which constitutes 17 million addresses, generated about 1mbps of rogue data.

"Today the figure is 50mbps," said Mr Huston. "The amount of background noise has grown by a factor of 50 in ten years but that's not so surprising."

What is curious, he said, are the sources of the traffic.

"Some plain and innocuous addresses that look like random numbers attract massive amounts of traffic," he said.

Dial down

For instance, he said, research into one popular address revealed that all the traffic was coming from net-connected point-of-sale equipment (aka cash registers) sold to restaurants. Mr Huston speculated this came about because the default IP address in the hardware was not changed for the local one when the equipment was installed in a restaurant.

image captionSome net addresses are hit with a huge amount of net traffic

Another example is the range of DSL modems that had a hard-coded IP address they used to look up the correct time. As more of the gadgets were sold the amount of traffic they generated grew and grew.

"It's misadventure rather than malice," he said, "but there are a few addresses that attract megabits of traffic."

Mr Huston said the research into the background hum was carried out to check the health of IP addresses being handed out. The last thing that any regional network overseer such as APnic wanted to do was give out an addresses that was swamped with traffic.

"If you get a network that attracts megabits and you are down a DSL connection then not much is going to work," he said.

Thankfully, help is on the horizon. The move from IPv4 to a newer version known as IPv6 is underway and the new system has a vastly larger address space - 340 trillion, trillion, trillion by some estimates.

It's needed as more and more devices connect to the net, but will also limit the impact of the misconfigured equipment.

It is also so big, said Mr Huston, that it is effectively impossible for viruses to scan to find new victims.

That background hum may soon be reduced to a whisper.

More on this story

Related Internet Links

The BBC is not responsible for the content of external sites.