The UCSD network telescope consists of a globally routed /8 network
that carries almost no legitimate traffic. Because the legitimate
traffic is easy to separate from the incoming packets, the network
telescope provides us with a monitoring point for anomalous traffic
that represents almost 1/256th of all IPv4 destination addresses
on the Internet.
Because a network telescope (also known as a blackhole, an Internet
sink, or a darknet) does not contain any real computers, there is no
reason that legitimate traffic would be monitored by the network
telescope. The network telescope collects traffic as a result of a
wide range of events, including misconfiguration (e.g. a human being
mis-typing an IP address), malicious scanning of address space by
hackers looking for vulnerable targets, backscatter from random
source denial-of-service attacks, and the automated spread of
malicious software called Internet worms.
While researchers at CAIDA and in the network security community
are still working to identify the sources of the misconfigurations
and other human errors that send traffic into the network telescope,
the utility of network telescopes for identifying denial-of-service
attack victims and tracking the spread of Internet worms has been
more thoroughly explored.
Related work:
For more information on network telescopes, including information
on how the size of the address space monitored affects the trends
monitored, see
Network Telescope Technical Report.
For information on other network telescopes in operation, see:
For information on how to set up your own network telescope, see:
Denial-of-service Attacks
The UCSD network telescope can be used to monitor the spread of
random-source distributed denial-of-service attacks. When an
attacker wants to make it difficult for the attack victim (and
the victim's ISP(s)) to block an incoming attack, the attacker
uses a fake source IP address (similar to a fake return address
in postal mail) in each packet sent to the victim (Figure 1).
Because the attack victim can't distinguish between incoming
requests from an attacker and legitimate inbound requests, the
denial-of-service attack victim tries to respond to every
request it receives (Figure 2). When the attacker spoofs a
source address in the network telescope, we monitor a response
destined for a computer that doesn't exist (and therefore never
sent the initial query) (Figure 3). By monitoring these
unsolicited responses, researchers can identify
denial-of-service attack victims and infer information about
the volume of the attack, the bandwidth of the victim, the
location of the victim, and the types of services the attacker
targets.
Figure 1: The attacker sends packets with spoofed source addresses to the
denial-of-service attack victim.
Figure 2: The denial-of-service attack victim cannot differentiate between
legitimate traffic and the attack packets, so the victim responds to as many
of the attack packets as possible.
Figure 3: Because the network telescope composes 1/256th of the IPv4 address
space, the telescope receives approximately 1/256th of the responses to
spoofed packets generated by the denial-of-service attack victim.
Many denial-of-service attacks do not use spoofed source IP addresses
when attacking their victims; the network telescope does not observe
attacks sent from the attacker's real (unspoofed) source addresses, and it
may not observe attacks using non-randomly spoofed source addresses.
For more information on monitoring denial-of-service attack backscatter,
see:
Internet Worms
Many Internet worms spread by randomly generating an IP address to
be the target of an infection attempt and sending the worm off to that
IP address in the hope that that address is in use by a vulnerable
computer (Figure 4). Because the network telescope includes one out of every 256
IPv4 addresses, it receives approximately one out of every 256 probes
from hosts infected with randomly scanning worms. Many worms do not
scan truly randomly, and network problems (both worm-induced and
independent) may prevent the network telescope from receiving probes
from all infected hosts. In general, though, the telescope sees a
newly infected host transmitting at the slow speed of 10 packets per
second within 30 seconds of its infection.
Figure 4: Infected computers randomly attempt to infect other vulnerable
computers. The network telescope monitors approximately one out of every
256 infection attempts.
For more information on monitoring the spread of Internet worms with the
network telescope, see:
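As an added example (not CAIDA's own code or tooling), the following Python script shows how the 1/256 scaling described in the denial-of-service and worm sections above is applied in practice: it classifies constructed packet records aimed at a placeholder telescope /8 as backscatter (unsolicited replies that identify a denial-of-service victim) or probes (unsolicited first contacts such as worm scans) and extrapolates the observed counts to an Internet-wide estimate. The telescope prefix, the sample addresses and the flag encoding are assumptions.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Placeholder /8 standing in for the telescope's address block (not the real one).
TELESCOPE = ip_network("10.0.0.0/8")
# The telescope covers 1/256 of IPv4 addresses, so each packet it sees stands for
# roughly 256 sent overall, assuming uniformly random spoofing or scanning.
SCALE = 256

# Packet classes that only occur as replies to a packet the telescope never sent.
BACKSCATTER = {("tcp", "SA"), ("tcp", "RA"), ("icmp", "echo-reply"), ("icmp", "unreach")}
# Packet classes that are unsolicited first contacts: worm probes and scans.
PROBE = {("tcp", "S"), ("icmp", "echo-request"), ("udp", "")}

def classify(src, dst, proto, flags):
    """Return 'backscatter', 'probe' or 'other' for one packet seen at the telescope."""
    if ip_address(dst) not in TELESCOPE:
        return "other"            # not telescope traffic at all
    key = (proto, flags)
    if key in BACKSCATTER:
        return "backscatter"      # reply to a spoofed packet: src is a DoS victim
    if key in PROBE:
        return "probe"            # unsolicited SYN/ping/UDP: src is scanning or infected
    return "other"                # e.g. a bare RST, which can be a reply or a scan

def summarize(packets, window_s):
    """Count packets per source host and extrapolate telescope counts to the Internet."""
    seen = {"backscatter": Counter(), "probe": Counter()}
    for _ts, src, dst, proto, flags in packets:
        kind = classify(src, dst, proto, flags)
        if kind in seen:
            seen[kind][src] += 1
    return {kind: {src: {"observed": n,
                         "estimated_total": n * SCALE,
                         "estimated_pps": n * SCALE / window_s}
                   for src, n in counter.items()}
            for kind, counter in seen.items()}

# Constructed sample: 10 seconds of telescope traffic (timestamp, src, dst, proto, flags).
SAMPLE = (
    [(t, "192.0.2.10", f"10.{t}.{t}.1", "tcp", "SA") for t in range(8)]   # victim's SYN/ACKs
    + [(t, "198.51.100.7", "10.9.9.9", "tcp", "RA") for t in range(3)]     # RSTs from a 2nd victim
    + [(t, "203.0.113.5", f"10.{t}.0.{t}", "tcp", "S") for t in range(4)]  # infected host probing
    + [(0, "192.0.2.10", "172.16.0.1", "tcp", "SA")]                       # outside telescope: ignored
)

if __name__ == "__main__":
    for kind, hosts in summarize(SAMPLE, window_s=10).items():
        print(kind, hosts)
```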
Malicious Network Scans
Malicious network scans are automated, semi-automated, and manual attempts
to locate exploitable computers on the Internet. Scans often differ from other types of
traffic visible on the network telescope because the scan traffic
arriving at the telescope is not driven by chance. Rather, the
attacker's byzantine motives in selecting scan targets appear
arbitrary from the perspective of the recipient of the scan. The
UCSD Network Telescope receives many types of scans continually,
including ping based scans for the existence of a device at a given
IP address, sequential scans of ports on a single IP address,
methodical scans for a single or a small number of vulnerable ports
sequentially through an IP address range, and even scans utilizing
TCP resets.
Telescope Data Access
Many privacy and security concerns are associated with Network
Telescope datasets. Because some viruses and worms involve the
installation of backdoors that provide unfettered access to infected
computers, telescope data may contain features that advertise these
vulnerable machines. Also, while the source of some types of
telescope traffic, including denial-of-service attacks and worms,
is readily apparent, a significant volume of traffic is of unknown
origin. Without identifying the traffic, we cannot assess the
security and privacy impact of releasing the data.
CAIDA makes available a number of datasets for researchers who wish
to study data collected at the UCSD Network Telescope. These
datasets represent the major sources of telescope traffic:
- Near-Realtime Data
- Denial-of-Service Attack Backscatter
- Worms
Research supported by Telescope Data
The UCSD Network Telescope data on Denial-of-Service Attack Backscatter and Internet Worms resulted in the following
publications by external researchers: