Software Engineering Institute

In the early months of 2006, a small private network (the Network) suffered a noticeable degradation of its network performance. A network traffic capture and analysis was conducted and used to investigate the network performance issues. This paper presents partial results of that analysis. The first analysis of the captured data showed that the Network contained a host that had been compromised at some time in the past and was currently being used to support the online gaming activity of over 174,000 distinct player source addresses around the globe. The initial finding was the result of a manual investigation of unusual time and volume traffic spikes from arbitrarily chosen time slices. Subsequent work was conducted on searching for a traffic signature which could be representative of the presence of the game such that future discovery of game activity could be automated. Gaming traffic is predominantly UDP traffic of high byte volumes, typically targeted at a given range of destination ports. This analysis also searches for a specific TCP traffic pattern that is suggestive of a game signature. Network traffic patterns that emerge after access to the compromised host has been closed are labeled as SCAR traffic, for Severed Connection Anomalous Records.