The Potential of Erroneous Outbound Traffic Analysis to Unveil Silent Internal Anomalies
Andrea Sordello, Zhihao Wang, Kai Huang, Alessandro Cornacchia, Marco Mellia

TL;DR
This paper explores how analysing erroneous outbound traffic, i.e. packets sent by internal hosts that receive no response, packets that trigger ICMP errors, and ICMP error messages that internal hosts emit in reply to unsolicited requests, can reveal internal network anomalies (misconfigurations, obsolete deployments) and security threats (compromised hosts) that inbound-focused passive monitoring misses.
Contribution
It introduces erroneous outbound traffic as a novel data source for detecting internal network issues and demonstrates its effectiveness through large-scale analysis.
Findings
Uncovered misconfigurations and obsolete deployments
Identified compromised hosts and security threats
Showed the overlooked value of erroneous outbound traffic
Abstract
Passive measurement has traditionally focused on inbound traffic to detect malicious activity, based on the assumption that threats originate externally. In this paper, we offer a complementary perspective by examining outbound traffic, and argue that a narrow subset -- what we term erroneous outbound traffic -- is a lighter and revealing yet overlooked data source for identifying a broad range of security threats and network problems. This traffic consists of packets sent by internal hosts that either receive no response, trigger ICMP errors, or are ICMP error messages themselves generated in response to unsolicited requests. To demonstrate its potential, we collect and analyse erroneous traffic from a large network, uncovering a variety of previously unnoticed issues, including misconfigurations, obsolete deployments and compromised hosts.
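The three classes of erroneous outbound traffic defined in the abstract can be extracted from a packet capture with a small amount of bookkeeping. The following is an added illustration, not the paper's own code or dataset: the record format, the monitored prefix (10.0.0.0/8), the reply window and the sample packets are all constructed here. It sorts packets by time, remembers the first time each 5-tuple was seen, then (1) flags outbound flows whose reverse 5-tuple never appears within the window, (2) flags outbound 5-tuples quoted inside an ICMP error, and (3) flags ICMP errors that an internal host sends about an inbound packet for which no earlier outbound flow exists, which is the "unsolicited request" case.

```python
"""Classify erroneous outbound traffic from packet records.

Added example, not the paper's code. Record format, prefix, window and the
sample capture below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

INTERNAL = ip_network("10.0.0.0/8")   # assumed monitored address space
REPLY_TIMEOUT = 5.0                   # assumed window (seconds) to see a reply
ICMP_ERROR_TYPES = {3, 11}            # destination unreachable, time exceeded

FiveTuple = Tuple[str, str, str, int, int]   # (src, dst, proto, sport, dport)


@dataclass
class Pkt:
    ts: float
    src: str
    dst: str
    proto: str                          # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1                 # only meaningful when proto == "icmp"
    quoted: Optional[FiveTuple] = None  # 5-tuple quoted in an ICMP error payload


def is_internal(addr: str) -> bool:
    return ip_address(addr) in INTERNAL


def five_tuple(p: Pkt) -> FiveTuple:
    return (p.src, p.dst, p.proto, p.sport, p.dport)


def reverse(k: FiveTuple) -> FiveTuple:
    src, dst, proto, sport, dport = k
    return (dst, src, proto, dport, sport)


def is_outbound(k: FiveTuple) -> bool:
    return is_internal(k[0]) and not is_internal(k[1])


def classify(pkts: List[Pkt]) -> Dict[str, list]:
    pkts = sorted(pkts, key=lambda p: p.ts)
    is_err = lambda p: p.proto == "icmp" and p.icmp_type in ICMP_ERROR_TYPES
    errors = [p for p in pkts if is_err(p)]
    data = [p for p in pkts if not is_err(p)]

    first_seen: Dict[FiveTuple, float] = {}   # first timestamp per 5-tuple
    for p in data:
        first_seen.setdefault(five_tuple(p), p.ts)

    triggered: List[FiveTuple] = []      # (2) outbound packets that drew an ICMP error
    outbound_errors: List[tuple] = []    # (3) ICMP errors we emit for unsolicited input
    for e in errors:
        q = e.quoted
        if q is None:
            continue
        if is_outbound(q):
            if q not in triggered:
                triggered.append(q)
        elif is_outbound(five_tuple(e)) and not is_internal(q[0]):
            # the quoted packet came from outside: solicited only if an
            # internal flow in the reverse direction preceded it
            prior = first_seen.get(reverse(q))
            if prior is None or prior > e.ts:
                outbound_errors.append((e.src, e.dst, q))

    unanswered: List[FiveTuple] = []     # (1) outbound flows with no reply at all
    for k, t0 in first_seen.items():
        if not is_outbound(k) or k in triggered:
            continue
        reply = first_seen.get(reverse(k))
        if reply is None or reply - t0 > REPLY_TIMEOUT:
            unanswered.append(k)

    return {"unanswered": unanswered, "icmp_triggered": triggered,
            "outbound_icmp_errors": outbound_errors}


# Constructed sample capture (documentation prefixes play the external side).
SAMPLE = [
    # normal TLS flow with a reply: not erroneous
    Pkt(1.00, "10.0.1.5", "203.0.113.9", "tcp", 40000, 443),
    Pkt(1.02, "203.0.113.9", "10.0.1.5", "tcp", 443, 40000),
    # internal-to-internal, never answered: out of scope for outbound analysis
    Pkt(1.50, "10.0.1.5", "10.0.9.9", "tcp", 40001, 22),
    # DNS query to a resolver that no longer exists: unanswered (1)
    Pkt(2.00, "10.0.1.7", "198.51.100.20", "udp", 53000, 53),
    # SMTP attempt answered by a router's ICMP unreachable: triggered (2)
    Pkt(3.00, "10.0.2.3", "192.0.2.77", "tcp", 51000, 25),
    Pkt(3.05, "192.0.2.1", "10.0.2.3", "icmp", icmp_type=3,
        quoted=("10.0.2.3", "192.0.2.77", "tcp", 51000, 25)),
    # unsolicited SNMP probe from outside, host replies port-unreachable (3)
    Pkt(4.00, "198.51.100.200", "10.0.3.4", "udp", 4444, 161),
    Pkt(4.01, "10.0.3.4", "198.51.100.200", "icmp", icmp_type=3,
        quoted=("198.51.100.200", "10.0.3.4", "udp", 4444, 161)),
]

if __name__ == "__main__":
    for name, items in classify(SAMPLE).items():
        print(name, items)
```

Each class maps to a different kind of finding: unanswered flows point at stale configuration on the sending host, ICMP-triggered flows at unreachable or obsolete infrastructure, and outbound ICMP errors at external scanning hitting hosts that should not be reachable. In a real deployment the per-tuple table has to be bounded (expire entries after the reply window) and the quoted 5-tuple read from the ICMP payload rather than supplied in the record.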
Taxonomy
Topics: Network Security and Intrusion Detection · Internet Traffic Analysis and Secure E-voting · IPv6, Mobility, Handover, Networks, Security
