search menu icon-carat-right cmu-wordmark

A Traffic Analysis of a Small Private Network Compromised by an Online Gaming Host (Presentation)

In this presentation, Ron McLeod describes the results of an analysis to investigate performance issues on a small private network.

Software Engineering Institute


In the early months of 2006, a small private network (the Network) suffered a noticeable degradation of its network performance. A network traffic capture and analysis was conducted and used to investigate the network performance issues. This paper presents partial results of that analysis. The first analysis of the captured data showed that the Network contained a host that had been compromised at some time in the past and was currently being used to support the online gaming activity of over 174,000 distinct player source addresses around the globe. The initial finding was the result of a manual investigation of unusual time and volume traffic spikes from arbitrarily chosen time slices. Subsequent work was conducted on searching for a traffic signature which could be representative of the presence of the game such that future discovery of game activity could be automated. Gaming traffic is predominantly UDP traffic of high byte volumes, typically targeted at a given range of destination ports. This analysis also searches for a specific TCP traffic pattern that is suggestive of a game signature. Network traffic patterns that emerge after access to the compromised host has been closed are labeled as SCAR traffic, for Severed Connection Anomalous Records.

Part of a Collection

FloCon 2006 Collection

This content was created for a conference series or symposium and does not necessarily reflect the positions and views of the Software Engineering Institute.