The UCSD Network Telescope

The UCSD Network Telescope is a passive traffic monitoring system built on a globally routed, but lightly utilized /9 and /10 network. Under CAIDA stewardship, this unique resource provides valuable data for network security researchers.

Introduction

The UCSD network telescope (aka a black hole, an Internet sink, darkspace, or a darknet) is a globally routed /9 and /10 network (approximately 1/256th of all IPv4 Internet addresses) that carries almost no legitimate traffic because there are few provider-allocated IP addresses in this prefix. After discarding the legitimate traffic from the incoming packets, the remaining data represent a continuous view of anomalous unsolicited traffic, or Internet Background Radiation (IBR). IBR results from a wide range of events, such as backscatter from randomly spoofed source denial-of-service attacks, the automated spread of Internet worms and viruses, scanning of address space by attackers or malware looking for vulnerable targets, and various misconfigurations (e.g. mistyping an IP address). In recent years, traffic destined to darkspace has evolved to include longer-duration, low-intensity events intended to establish and maintain botnets.

CAIDA personnel maintains and expands the telescope instrumentation, collects, curates, archives, and analyzes the data, and enables data access for vetted security researchers. As a result, 344 publications were written using datasets generated from the UCSD Network Telescope.

IBR origin

Denial-of-service Attacks

The UCSD network telescope can be used to monitor the spread of random-source distributed denial-of-service attacks. To make it difficult for the attack victim (and the victim’s ISPs) to block an incoming attack, the attacker may use a fake source IP address (similar to a fake return address in postal mail) in each packet sent to the victim (Figure 1). Because the denial-of-service attack victim can’t distinguish between incoming requests from an attacker and legitimate inbound requests, the victim tries to respond to every received request (Figure 2). When the attacker spoofs a source address in the network telescope, we observe a response destined for a computer that doesn’t exist (and therefore never sent the initial query) (Figure 3). By monitoring these unsolicited responses, researchers can identify denial-of-service attack victims and infer information about the volume of the attack, the bandwidth of the victim, the location of the victim, and the types of services the attacker targets.

The attacker sends packets with spoofed source addresses to the denial-of-service attack victim. The denial-of-service attack victim cannot differentiate between legitimate traffic and the attack packets, so the victim responds to as many of the attack packets as possible. Because the network telescope composes 1/256th of the IPv4 address space, the telescope receives approximately 1/256th of the responses to spoofed packets generated by the denial-of-service attack victim.

Figure 1: The attacker sends packets with spoofed source addresses to the denial-of-service attack victim.

Figure 2: The denial-of-service attack victim cannot differentiate between legitimate traffic and the attack packets, so the victim responds to as many of the attack packets as possible.

Figure 3: Because the network telescope composes 1/256th of the IPv4 address space, the telescope receives approximately 1/256th of the responses to spoofed packets generated by the denial-of-service attack victim.

We know of 15 papers relating to Denial-of-Service that have been written using telescope data :

Internet Worms

Many Internet worms spread by randomly generating an IP address to be the target of an infection attempt and sending the worm off to that IP address in the hope that it is in use by a vulnerable computer (Figure 4). Because the network telescope includes one out of every 256 IPv4 addresses, it receives approximately one out of every 256 probes from hosts infected with randomly scanning worms. Many worms do not scan truly randomly, and network problems (both worm-induced and independent) may prevent the network telescope from receiving probes from all infected hosts. In general, though, the telescope sees a newly infected hosts transmitting at the slow speed of 10 packets per second within 30 seconds of the infection.

Infected computers randomly attempt to infect other vulnerable computers.  The network telescope monitors approximately one out of every 256 infection attempts.

Figure 4: Infected computers randomly attempt to infect other vulnerable computers. The network telescope captures approximately one out of every 256 infection attempts.

We know of 51 papers relating to Internet Worms that have been written using telescope data:

Malicious Network Scans

Scans are automated, semi-automated, and manual attempts to locate exploitable computers on the Internet. The scan traffic often differs from other types of traffic visible on the network telescope because it is not driven by chance. Rather, the attacker’s byzantine motives in selecting scan targets appear arbitrary from the perspective of the recipient of the scan. The UCSD Network Telescope observes many types of scans continually, including ping based scans for the existence of a device at a given IP address, sequential scans of ports on a single IP address, methodical scans for a single or a small number of vulnerable ports sequentially through an IP address range, and even scans utilizing TCP resets.

Sharing Telescope Data

Privacy and Security issues

There are serious privacy and security concerns associated with Network Telescope datasets. Because some viruses and worms involve the installation of backdoors that provide unfettered access to infected computers, telescope data may inadvertently advertise these vulnerable machines. Also, while the source of some types of telescope traffic, including denial-of-service attacks and worms, is readily apparent, a significant volume of traffic is of unknown origin. Without identifying the causes of this traffic, we cannot categorically assess the security and privacy impact of releasing these data.

UCSD Network Telescope Datasets

CAIDA makes available a number of Telescope datasets for researchers who wish to study data collected at the UCSD Network Telescope.

Published research supported by Telescope Data

The UCSD Network Telescope datasets resulted in the following publications:

Acknowledgments

Department of Homeland Security (DHS) National Science Foundation (NSF)

The UCSD Network Telescope project was funded by DHS S&T cooperative agreement (FA8750-12-2-0326) Supporting Research and Development of Security Technologies through Network and Security Data Collection. The project was originally funded by NSF award, (CNS 1059439) “CRI-Telescope: A Real-time Lens into Dark Address Space of the Internet”, and subsequently by NSF Grant CNS-1730661 “STARDUST: Sustainable Tools for Analysis and Research on Darknet Unsolicited Traffic”.

Published
Last Modified