A Traffic Analysis of a Small Private Network Compromised by an On-line Gaming Host

In the early months of 2006 a small private network (the Network) suffered a noticeable degrading of its network performance. A network traffic capture and analysis was conducted and used to investigate the network performance issues. This paper presents partial results of that analysis. The network traffic capture formed part of an experimental use of the SilkTools tm [1] capture and analysis suite developed by CERT personnel at Carnegie Mellon University. During the first analysis of the captured data it was discovered that the Network contained a host that had been compromised at some time in the past and was currently being used to support the on-line gaming activity of over 174,000 distinct player source addresses around the globe. These players were believed to be participating in the Half-life tm [2] firstperson shooter game (the Game). The initial finding was the result of a manual investigation of unusual time and volume traffic spikes from arbitrarily chosen time slices. Subsequent work was conducted on searching for a traffic signature which could be representative of the presence of the Game such that future discovery of Game activity could be automated. Gaming traffic is predominantly UDP traffic of high byte volumes, typically targeted at a given range of destination ports. This analysis also searches for a specific TCP traffic pattern that is suggestive of a Game signature. Network traffic patterns that emerge after access to the compromised host has been closed are labeled as SCAR traffic, for Severed Connection Anomalous Records