Detection of Malicious Traffic on Backbone Links by Packet Header Analysis

In order to study occurrences of malicious activities in modern Internet traffic, contemporary and highly aggregated backbone data has been analyzed for consistency of network and transport layer headers (i.e. IP, TCP, UDP and ICMP). As a result, a systematic listing of packet header anomalies together with their frequencies as seen "in the wild" is provided. Inconsistencies in protocol headers have been found within almost every aspect analyzed, including incorrect or incomplete series of IP fragments, IP address anomalies and other kinds of header fields not following Internet standards. This study not only presents occurrences of header anomalies as observed in today's Internet traffic, but it also provides detailed discussions about possible causes for the inconsistencies and their security implications for networked devices.
  • Wolfgang John
  • Tomas Olovsson
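As an added example (not code from the paper or its authors), the following checker applies the kind of per-packet IPv4 header consistency tests the abstract describes: fragment flag and offset combinations, header length and total length agreement, the header checksum, and address anomalies. The specific set of checks and the constructed sample packets (built from documentation address ranges) are this example's own assumptions, not the paper's methodology.

```python
import ipaddress
import struct
IPV4_HDR = "!BBHHHBBH4s4s"  # version/IHL, TOS, total len, ID, flags/offset, TTL, proto, checksum, src, dst

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the header, checksum field already zeroed."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header_anomalies(packet: bytes) -> list:
    """Return the header inconsistencies found in one raw IPv4 packet (empty list if clean)."""
    found = []
    if len(packet) < 20:
        return ["truncated: fewer than 20 bytes"]
    ver_ihl, _tos, total_len, _id, flags_frag, _ttl, _proto, csum, src, dst = struct.unpack(IPV4_HDR, packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    hdr_len = ihl * 4
    if version != 4:
        found.append(f"version {version} != 4")
    header_ok = ihl >= 5 and hdr_len <= len(packet)  # IHL must cover at least 20 bytes and fit the packet
    if not header_ok:
        found.append(f"IHL {ihl} gives a header length inconsistent with the packet")
    if total_len != len(packet) or total_len < hdr_len:
        found.append(f"total length {total_len} inconsistent with header/packet length {len(packet)}")
    df, mf, offset = flags_frag & 0x4000, flags_frag & 0x2000, flags_frag & 0x1FFF
    if flags_frag & 0x8000:
        found.append("reserved fragment flag set")
    if df and (mf or offset):
        found.append("DF set on a fragment")
    if mf and header_ok and (total_len - hdr_len) % 8:  # every fragment but the last carries 8-byte blocks
        found.append("non-final fragment payload not a multiple of 8 bytes")
    if header_ok and ipv4_checksum(packet[:10] + b"\x00\x00" + packet[12:hdr_len]) != csum:
        found.append("header checksum mismatch")
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    if s == d:
        found.append("source address equals destination address")
    if s.is_multicast or s == ipaddress.IPv4Address("255.255.255.255"):
        found.append(f"invalid source address {s}")
    return found

def build_ipv4(src: str, dst: str, payload: bytes = b"", flags_frag: int = 0, bad_csum: bool = False) -> bytes:
    # Constructed sample packet for the checker above, not captured traffic: 20-byte header, UDP, TTL 64.
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 1, flags_frag, 64, 17, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    csum = ipv4_checksum(hdr) ^ (0xFFFF if bad_csum else 0)  # flip every bit to force a mismatch
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload
```

Running `ipv4_header_anomalies(build_ipv4("203.0.113.9", "203.0.113.9", b"x" * 8, 0x6000))` flags both the DF+MF combination and the equal source and destination addresses on the same packet.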