
Heartbeat Characterization

5.3 Subnet Analysis

Subnets are usually dedicated to a particular activity or purpose. Externally, these divisions follow organizational boundaries; for example, the U of C has been allocated the 136.159.0.0/16 prefix. Internally, an organization may subdivide its address space into smaller subnets. For instance, the University of Calgary may allot departments a /24 subnet (or multiple subnets) on which to conduct departmental activities. As a consequence, the type of activity conducted on each subnet can differ, and these variations in activity cause variations in the network heartbeats on each subnet. In this section, we investigate the characteristics of heartbeats as they manifest on different types of subnets.

Subnets have varying levels of administration. The most strictly controlled subnets are known as managed subnets. Subnets that have little to no administration are referred to as unmanaged subnets. At the U of C, we have both managed and unmanaged subnets available for analysis. The unmanaged BYOD subnets can be further divided into wired and wireless subnets.

Managed subnets are the more strictly controlled variety. At the U of C, they are administered by the University’s IT staff or departmental staff. Machines on these subnets are usually not intended for personal use. Instead they house computer systems that provide infrastructure services like Web site hosting and domain name resolution, or workstations managed by the IT group for research or administrative purposes.

Unmanaged subnets at the U of C represent an “always connected” environment for students, faculty, and staff. In practice, this results in these subnets being used for personal and business needs. As such, the majority of the machines are personal and administered by the user, creating a BYOD environment. In the wired BYOD environment, users must have a physical connection to the network (typically Ethernet). The wireless BYOD environment has no such restriction. In our case, the student residence network is our wired BYOD environment, and the campus-wide wireless LAN is our wireless BYOD environment.

5.3.1 Inbound vs. Outbound

Figure 5.6 shows a breakdown of the heartbeat traffic observed on several different subnets. We selected the five busiest managed subnets (based on the volume of connections) from the Department of Computer Science, the five busiest wireless BYOD subnets, and the five busiest wired BYOD subnets for comparison. Figure 5.6(a) is for outbound heartbeats, while Figure 5.6(b) is for inbound heartbeats. On each graph, the subnet numbers are anonymized, but are in the same position in each graph for comparison.

(a) Outbound Heartbeats

(b) Inbound Heartbeats

Figure 5.6: Subnet analysis of heartbeats based on directionality.

Figure 5.6 shows several differences in the heartbeats observed in managed and unmanaged (BYOD) subnets.

The managed portions of the network produce relatively few outbound heartbeats. Those that do produce heartbeats differ depending on what the subnet is used for. Subnet 1 houses key infrastructure servers such as DNS and Web servers, and produces only a few heartbeats, all of which are on system ports. Subnet 2 produces heartbeats primarily directed toward managed services, while subnet 3 produces heartbeats mainly related to games and end-user applications. Subnet 5 contains a NAT device that accounts for all heartbeats on this subnet. It forwards traffic from end-user devices and thus produces a significant number of P2P heartbeats and end-user application heartbeats. Thus, this subnet appears as a hybrid of managed and BYOD subnets.

The unmanaged subnets tend to have many more outbound heartbeats. These heartbeats are primarily composed of UDP traffic; however, TCP also has a significant presence. The UDP heartbeats primarily utilize the user port range and are dominated by P2P heartbeats, as one might expect. However, there are also many gaming heartbeats. The TCP heartbeats in the system port range use ports 80 and 443 almost exclusively. Heartbeats in this category are directed primarily to software vendors, managed (cloud) services, Web pages, CDNs, and various service providers.

Those in the user port range are composed primarily of P2P traffic; however, there are also many heartbeats directed to Apple, Skype, and managed service providers. The few ICMP heartbeats consist of innocuous echo requests.

The inbound heartbeat activities differ depending on the purpose of the managed portions of the network. Though subnet 1 produced the fewest outbound heartbeats, Figure 5.6(b) shows that it receives the most inbound. The TCP heartbeats received are directed to Web servers and a Linux mirror site for OS updates. The UDP heartbeats are mostly NTP-related, with a few being DNS-related. Subnet 2 receives heartbeats from various service providers. Heartbeats received by subnet 3 are primarily P2P heartbeats directed to a specific host. Heartbeats directed toward subnet 5 are related to the NAT device, and have a similar composition to the outgoing heartbeats. ICMP heartbeats on managed subnets are mostly ICMP echo requests; however, there are also many port unreachable messages.

On the unmanaged (BYOD) subnets, the number of inbound heartbeats is dwarfed by the number of outbound heartbeats. However, the relative composition of each is similar. Like the outbound heartbeats, the inbound heartbeats are mostly composed of UDP traffic. The UDP heartbeats are almost all related to P2P applications. A small portion is related to (persistent) scanning that was attempting to locate NetBIOS-capable hosts. Unlike the outbound heartbeats, there were very few TCP heartbeats. The TCP heartbeats are mostly generated by software vendors and managed services, although there is little usage of ports 80 and 443. The majority of TCP heartbeats occur on user/dynamic ports.

5.3.2 Regular vs. Irregular

In addition to differences in direction, we also observed a dichotomy related to regularity. Figure 5.7 illustrates this difference. Note that the scale of the y-axis in Figure 5.7(a) has a maximum of 200, unlike Figure 5.7(b) and Figure 5.6, which have a maximum of 9,000. This was done to make the smaller values easier to see.

Regular heartbeats were much more prevalent on managed subnets than on BYOD subnets.

Due to the mixed administration of the University’s network, we only have managed/unmanaged mappings from some subnets. Of the 232 regular heartbeats identified, 106 were sent or received by subnets for which we had definite mappings. Figure 5.7(a) shows that 102 heartbeats were related to the managed portion, 4 were related to the wireless BYOD network, and none were related to the wired BYOD subnet. The heartbeats on the managed subnets were primarily related to key services such as NTP, HTTP (related to an OS update service), and DNS. Wireless heartbeats were all on TCP ports 80 and 443. These had to do with periodic data updates for user applications.

(a) Regular Heartbeats

(b) Irregular Heartbeats

Figure 5.7: Subnet analysis of heartbeats based on regularity.

Conversely, there are fewer irregular heartbeats on the managed subnet. This is a direct consequence of there simply being few heartbeats on the managed portion in general. Therefore, despite the differences in regular heartbeats, the differences in irregular heartbeats are negligible. This reinforces the idea that irregular heartbeats are normal behaviour.

This analysis suggests that regular heartbeats are more likely to be related to important services than user applications. These “always on” services allow clients to consistently perform management functions such as clock synchronization or domain name cache updates. In order for this to occur, both client and server must be relatively stable, implying that they have fixed addresses and are rarely powered off non-deterministically. Thus, prominent regular heartbeats may indicate the presence of important services and hosts. However, irregularity does not in itself indicate that a host is unimportant.
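The two breakdowns in this section, directionality with port range (Section 5.3.1) and regularity (Section 5.3.2), can be reproduced on a set of connection records with a short tabulation script. The following is an added illustration, not code from the thesis or from the University's measurement tooling. It assumes the organization prefix 136.159.0.0/16 named above, a hand-made (hypothetical) table mapping /24 subnets to "managed", "wired-byod" or "wireless-byod", IANA port ranges for the system/user/dynamic classes, and a simple regularity criterion of its own: a heartbeat (repeated connections sharing source, destination, protocol and destination port) is called regular when the coefficient of variation of its inter-arrival times is below 0.1. The thesis's own definition of regularity is not given on this page, so that threshold is an assumption. The sample records are constructed.

```python
"""Tabulate heartbeat candidates by direction, subnet role, port class and regularity.

Added illustration, not code from the thesis. Assumptions (not from the page):
- the organization prefix is 136.159.0.0/16;
- SUBNET_ROLE is a hypothetical mapping; the thesis anonymizes its subnets;
- a heartbeat is a group of connections sharing (src, dst, proto, dport);
- "regular" means the inter-arrival coefficient of variation is below 0.1.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

ORG = ip_network("136.159.0.0/16")

# Hypothetical subnet roles (the real managed/BYOD mapping is not on the page).
SUBNET_ROLE = {
    ip_network("136.159.1.0/24"): "managed",
    ip_network("136.159.2.0/24"): "wired-byod",
    ip_network("136.159.3.0/24"): "wireless-byod",
}


def port_class(port):
    """IANA ranges: system (0-1023), user (1024-49151), dynamic (49152-65535)."""
    if port < 1024:
        return "system"
    if port < 49152:
        return "user"
    return "dynamic"


def direction(src, dst):
    """Outbound if only the source is inside the organization, inbound if only
    the destination is; the other two cases are internal or pure transit."""
    s, d = ip_address(src) in ORG, ip_address(dst) in ORG
    if s and not d:
        return "outbound"
    if d and not s:
        return "inbound"
    return "internal" if s and d else "transit"


def subnet_role(addr):
    """Look the local address up in the hypothetical role table."""
    a = ip_address(addr)
    for net, role in SUBNET_ROLE.items():
        if a in net:
            return role
    return "unknown"


def regularity(times, cv_threshold=0.1):
    """Label a heartbeat by how constant its inter-arrival gaps are.
    Returns (label, cv). Needs at least three observations (two gaps)."""
    if len(times) < 3:
        return "insufficient", None
    t = sorted(times)
    gaps = [b - a for a, b in zip(t, t[1:])]
    m = mean(gaps)
    if m == 0:  # duplicate timestamps carry no timing information
        return "insufficient", None
    cv = pstdev(gaps) / m
    return ("regular" if cv < cv_threshold else "irregular"), cv


def tabulate(records):
    """records: iterable of (timestamp_seconds, src, dst, proto, dport).
    Groups them into heartbeat candidates and returns one summary per group."""
    groups = defaultdict(list)
    for ts, src, dst, proto, dport in records:
        groups[(src, dst, proto, dport)].append(ts)
    rows = []
    for (src, dst, proto, dport), times in groups.items():
        d = direction(src, dst)
        local = src if d == "outbound" else dst  # the organization-side host
        label, cv = regularity(times)
        rows.append({
            "src": src, "dst": dst, "proto": proto, "dport": dport,
            "count": len(times), "direction": d,
            "subnet": subnet_role(local), "port_class": port_class(dport),
            "regularity": label, "cv": cv,
        })
    return rows


# Constructed sample: hourly NTP from a managed host, jittery P2P from a wired
# BYOD host, and a ten-minute inbound poll of a managed Web server.
SAMPLE = (
    [(3600 * i, "136.159.1.10", "203.0.113.5", "udp", 123) for i in range(6)]
    + [(t, "136.159.2.77", "198.51.100.9", "udp", 6881) for t in (0, 200, 2100, 2300, 9000)]
    + [(t, "192.0.2.4", "136.159.1.20", "tcp", 80) for t in (0, 600, 1200)]
)

if __name__ == "__main__":
    for row in tabulate(SAMPLE):
        print(row)
```

Run as a script, it prints one summary per heartbeat candidate; the managed NTP and Web-server groups come out regular on system ports, while the BYOD P2P group comes out irregular on a user port, matching the pattern the section describes. Counting the rows by (subnet, direction, proto, port_class) gives the kind of per-subnet breakdown that Figures 5.6 and 5.7 plot.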