A network telescope (also known as a packet telescope,[1] darknet, Internet motion sensor or black hole)[2][3][4] is an Internet system that allows one to observe different large-scale events taking place on the Internet. The basic idea is to observe traffic targeting the dark (unused) address-space of the network. Since all traffic to these addresses is suspicious, one can gain information about possible network attacks (random scanning worms, and DDoS backscatter) as well as other misconfigurations by observing it.
The resolution of the Internet telescope is dependent on the number of IP addresses it monitors. For example, a large Internet telescope that monitors traffic to 16,777,216 addresses (the /8 Internet telescope in IPv4), has a higher probability of observing a relatively small event than a smaller telescope that monitors 65,536 addresses (a /16 Internet telescope).
The naming comes from an analogy to optical telescopes, where a larger physical size allows more photons to be observed.[5]
A variant of a network telescope is a sparse darknet, or greynet, consisting of a region of IP address space that is sparsely populated with "darknet" addresses interspersed with active (or "lit") IP addresses.[2] These include a greynet assembled from 210,000 unused IP addresses mainly located in Japan.[6]
Large network telescope instances
editNetwork | Coverage | IPs | Name | Life span | Captures |
---|---|---|---|---|---|
1/8 | 100%[3] | ~16M | APNIC | 2010-02-23 (1 week) | 4.1 terabyte[3] |
44/8 | 99%[4] | ~16M | UCSD Network Telescope[note 1] | 2001-02-01‒2017-12-31 | 3.25 petabyte[7] |
2018-01-01‒2019-06-04 | |||||
74% | ~12M | 2019-06-05— | |||
35/8 | 67%[4] | ~11M | Merit Network[note 2] | 2005-10-05— | 18.2 terabyte[9] |
50/8 | 100%[3] | ~16M | ARIN | 2010-03-12 (1 week) | 1.1 terabyte[3] |
107/8 | 100%[3] | ~16M | ARIN | 2010-03-25 (1 week) | 1.2 terabyte[3] |
1,300 networks | Akamai[10] / MIT[11] | 2009/2019— | |||
/16 | 100% | 65k | HEAnet[12] | 2019-03 (1 week) | 96 gigabyte[12] |
/15 | 100% | ~130k | SURFnet[13] | ||
2a10::/12 (IPv6) | 100% | 8.3 billion trillion trillion (2^112) | RIPE NCC[14] | 2020-01-13 - 2020-01-16 (3 days) | 19M packets |
- ^ Hosted at San Diego Supercomputer Center, operated by Center for Applied Internet Data Analysis for University of California, San Diego, using Amateur Radio AMPRNet IP addresses.
- ^ Merit Network Telescope, consisting of ~5.5 million (2014),[8] or ~11 million, unused IP addresses.
See also
editReferences
edit- ^ Cheswick, Bill (August 2013). "Bill Cheswick on Firewalls" (PDF). Security. ;login: The USENIX Magazine (Interview). Vol. 38, no. 4. Interviewed by Rik Farrow. p. 21.
about this time (late 1980s) Mark Horton obtained a class A address for AT&T from the powers-that-be by simply asking. ... our Cray computer seemed to require a class A network ... took 12.0.0.0/8 and announced it to the Net, feeding the packets to a non-existent Ethernet address and running tcpdump on the traffic, which came to about 12 to 25 MB/day. Steve analyzed that traffic and wrote a fine paper. Basically, we were watching the death screams of attacked hosts that used IP address-based authentication. ... This is the first packet telescope I can remember, and I think I might even have coined the term "packet telescope," but my memory is fuzzy on that.
- ^ a b Harrop, W.; Armitage, G. (2005). "Defining and Evaluating Greynets (Sparse Darknets)". The IEEE Conference on Local Computer Networks 30th Anniversary (LCN'05)l. Sign in or purchase to access: IEEE. pp. 344–350. doi:10.1109/LCN.2005.46. hdl:1959.3/2449. ISBN 0-7695-2421-4. S2CID 18789864.
- ^ a b c d e f g Wustrow, Eric; Karir, Manish; Bailey, Michael; Jahanian, Farnam; Houston, Geoff (2010-06-09). Internet Background Radiation Revisited (PDF). Internet Measurement Conference.
Systems that monitor unused address spaces have a variety of names, including darknets, network telescopes, blackhole monitors, network sinks, and network motion sensors. ... 1/8 ... 50/8 ... 107/8 ... 35/8
- ^ a b c Benson, Karyn; Dainotti, Alberto; Claffy, K.C.; Snoeren, Alex C.; Kallitsis, Michael (2015-09-10). Leveraging Internet Background Radiation for Opportunistic Network Analysis (PDF). Internet Measurement Conference '15. Tokyo, Japan. doi:10.1145/2815675.2815702. ISBN 978-1-4503-3848-6. S2CID 6184617.
A darknet or network telescope is a collection of routed but unused IP addresses, ... UC San Diego and Merit Network operate large darknets, which we call UCSD-NT and MERIT-NT respectively. UCSD-NT observes traffic destined to more than 99% of IP addresses in a contiguous /8 block. MERIT-NT covers about 67% of a different /8 block.
- ^ Moore, David; Shannon, Colleen; Voelker, Geoffrey M.; Savage, Stefan (April 2004). "Network Telescopes: Technical Report" (PDF). Technical Reports.
network telescopes were named as an analogy to astronomical telescopes, ... driven by the comparison of packets arriving in a portion of address space to photons arriving in the aperture of a light telescope. ... a larger aperture increases the resolution of objects by providing more positional detail; with network telescopes, having a larger address space increases the resolution of events by providing more time detail. ... to observe one or more packets from a Code-Red-like host on a /8 with 99.999% probability requires 4.9 minutes. ... Even if the attack lasted 5 minutes, there is only a 89.9% chance that a /16 telescope would see at least 1 packet. ... thank Brian Kantor, Jim Madden, and Pat Wilson of UCSD for technical support of the Network Telescope project. ... Support for this work is provided by NSF Trusted Computing Grant CCR-0311690, Cisco Systems University Research Program, DARPA FTN Contract N66001-01-1-8933, NSF Grant ANI-0221172, National Institute of Standards Grant 60NANB1D0118, and a generous gift from AT&T.
- ^ Le Malécot, Erwan; Inoue, Daisuke (20 Mar 2014). Danger, Jean Luc; Debbabi, Mourad; Marion, Jean-Yves; Garcia-Alfaro, Joaquin; Heywood, Nur Zincir (eds.). The Carna Botnet Through the Lens of a Network Telescope. Foundations and Practice of Security: 6th International Symposium. La Rochelle, France. p. 427. ISBN 9783319053028.
"network telescope that we operate presently amounts to approximately 210 thousand unused IPv4 addresses spread over the networks of a number of partner organizations (located in Japan and aboard). Those unused addresses form darknets ranging in size from a few addresses to whole /16 subnets ... the notion of a "greynet" ... composed of a mixture of used and unused IP addresses
- ^ Claffy, K.; Fomenkov, Marina; University of California San Diego; Center for Applied Internet Data Analysis (CAIDA) (2018-06-22). Rose, Fraces A.; Matyjas, John D. (eds.). Final technical report. Supporting Research and Development of Security Technologies Through Network and Security Data Collection (Report). Air Force Research Laboratory Information Directorate. pp. iii, 2, 3, 7.
Sep 2012 – Dec 2017 ... Grant number: FA8750-12-2-0326 ... engaged in collecting packet-level data from the UCSD Network Telescope (which monitors a /8 IPv4 darknet) ... number of files and the total volume of data collected ... (from [2012-10-01] until [2017-12-31]) as well as cumulative size ... Telescope: number of files: 129552; Size: 2.85 PB; On-disk size (compressed), [at 2017-12-31]: 1.30 PB; Uncompressed size, [at 2017-12-31]: 3.25 PB
- ^ Durumeric, Zakir; Bailey, Michael; Halderman, J. Alex; University of Michigan (2014-08-08). An Internet-Wide View of Internet-Wide Scanning (PDF). USENIX Security Symposium.
darknet operated at Merit Network for the period from [2013-01-01] to [2014-05-01]. ... 5.5 million addresses, ... 1.4 billion packets, or 55 GB of traffic, per day.
- ^ Merit Network. "Longitudinal Darknet 35/8". Blackhole Address Space Data, flowtuple. IMPACT Cybertrust.
in the case of a TCP SYN flood attack with a spoofed source IP, the victim will reply with a TCP SYN-ACK to the spoofed IP; if the spoofed IP happened to be within the 35/8 address space, our darknet will capture the SYN-ACK replies ... Collection Starting: [2005-10-05]; ... Data collection is ongoing ... Size: 18.2TB Size is growing as more data is collected
- ^ Belson, David, ed. (2009-07-09). "Conficker" (PDF). Security. The State of the Internet. Vol. 2, no. 1. Akamai Technologies. p. 8.
corroborated by similar drops in observed by CAIDA's UCSD Network Telescope, which serves a function similar to the set of Akamai servers that collect attack traffic data.
- ^ Richter, Philipp; Berger, Arthur (July 2019). Scanning the Scanners: Sensing the Internet from a Massively Distributed Network Telescope. ACM Internet Measurement Conference. Amsterdam, Netherlands.
- ^ a b O'Hara, Joseph (April 2019). "Cloud-based network telescope for Internet background radiation collection" (PDF). Trinity College Dublin. p. 16.
Thank you to Eoin Kenny from HEAnet ... A traditional /16 network telescope was provided by HEAnet, Ireland's National Education and Research Network. ... /16 address space had been unused for a number of years before this research ... 256 times smaller than the CAIDA /8 ... recorded data rate was 1.25Mbps ... 95.6GB
- ^ Metongnon, Lionel; Sadre, Ramin (2018-08-20). Beyond Telnet: Prevalence of IoT Protocols in Telescope and Honeypot Measurements. ACM SIGCOMM-WTMC. p. 4. doi:10.1145/3229598.3229604. S2CID 51926045.
a setup with /15 network telescope
- ^ Aben, Emile (2020-01-17). "The Debogonisation of 2a10::/12".
Further reading
edit- Bellovin, Steven M. (1992-08-15). There be dragons (PDF). Third Usenix UNIX Security Symposium. Archived from the original (PDF) on 2004-12-07. Retrieved 2019-07-31.
- Bellovin, Steven M. (1993-08-23). "Packets found on an Internet" (PDF). Computer Communications Review. 23 (3): 26–31. doi:10.1145/174194.174199. S2CID 35537646. Archived from the original (PDF) on 2004-12-07. Retrieved 2019-07-31.
External links
edit- CAIDA Network Telescope at University of Californian, San Diego
- Darknet project at Team Cymru Darknet