Skip to Content
[CAIDA - Center for Applied Internet Data Analysis logo]
Center for Applied Internet Data Analysis
www.caida.org > workshops : telescope
2011 CAIDA Workshop on Network Telescopes

On March 22, 2011, CAIDA hosted the first workshop on the network and security research using Network Telescopes. The agenda included short presentations by participants, discussions, and interactions. Some participants attended remotely via web videoconference.

The attendance at the workshop was by invitation only.

Workshop Summary

In the last decade, network telescopes have been used to observe unsolicited Internet traffic sent to unassigned address space. Network telescopes allow global visibility into and historical trend analysis of a wide range of security-related events, including scanning address space for vulnerable targets, random spoofed source denial-of-service attacks, the automated spread of malicious software such as Internet worms or viruses, and miscellaneous misconfigurations. Traffic destined to darkspace is evolving to include longer-duration, low-intensity events intended to establish and maintain botnets.

The goals of the workshop were to:

  1. introduce members of relatively small but also surprisingly disconnected community of darknet researchers;
  2. to inform participants about ongoing Network Telescope activities in various organizations; and
  3. to explore opportunities for and discuss appraoches to collaboration and data-sharing.

Common themes of the discussions included:

Research Needs

  • automatic signature detection technology, for coordinating early detection of anomalous events on darknets around the world
  • use of clustering (and why it isn't working)
  • common s/w requirements and development vectors e.g., geolocation, breakdown by transport and network protocols, packet interarrival times

Darkspace Operations

  • how to share address space, as pressure mounts to turn over honeynet, through deflector nets or "monkey nets"
  • announcing darknets from different locations at different times ("hotpotato honeynet")
  • "Darkspace Construction and Maintenance" (FloCon2011 talk), which lit and unlit hosts to see how much traffic it attracts (lots)

Technology Applications

  • using honeynet data to help infer reputation of IP addresses, correlated with other sources of blacklist data

Data Sharing and Community Building

  • WOMBAT: Worldwide Observatory of Malicious Behaviors and Attack Threats honeypots, crawlers, contextual analysis, annotation, data (WAPI) query interface allows correlation between distributed datasets
  • Worldwide Intelligence Network Environment (WINE)
    • Symantec's platform for vigorous experimentation methods for academics
    • real world data: spam, malware, binaries in wild, DNS queries, etc.
    • Must use data on site, code to data, mutual NDA with publication rights
    • author keeps intellectual property
  • community building activities: e.g., community wiki - annotated a databse of honeynets with which software they run and how they conduct risk assessment
  • Open question: What should be made available from darknets on an operational basis, i.e, information about traffic coming in to allow researchers to trigger further collection?

Organizing committee

  • kc claffy (CAIDA, UCSD)
  • Nevil Brownlee (University of Auckland, New Zealand)
  • Michael Bailey (University of Michigan)

Attendees

  Last Modified: Mon Mar-5-2012 11:29:47 PST
  Page URL: http://www.caida.org/workshops/telescope/index.xml