Network Telescope - STARDUST
A network telescope (also known as a black hole, an Internet sink, a darknet, or darkspace) captures Internet data from unused IP address space.
Currently, STARDUST is used to collect, process and share data about the traffic that is observed at the UCSD network telescope (UCSD-NT). The UCSD-NT is a large IPv4 network telescope and monitors the Internet background radiation (IBR) directed towards approximately 1/256th of all IPv4 Internet addresses. The STARDUST software and tools are designed to be used in conjunction with any IPv4 network telescope – for instance, the Merit telescope also uses some of the STARDUST infrastructure for data collection.
Uses of IBR Traffic
IBR traffic has many potential uses for research activities, as the traffic can be attributed to a wide range of interesting Internet behaviors. For instance, network scanning activity (both on a network level and on an application level) can be readily observed in IBR traffic, as the scanners often do not realise that the telescope address space is unused. New or modified scanning techniques can be detected through changes in the properties of IBR traffic. Similarly, the awareness and popularity of certain known vulnerabilities in network applications may become apparent as the number of scanning packets that target a particular application increases.
Backscatter from denial-of-service (DoS) attacks where the attacker has spoofed the source address on the attack traffic can also appear at a network telescope. The targets of DoS attacks can be inferred from the appearance of large volumes of backscatter traffic at the telescope, sourced from a single external IP address but typically destined for a wide range of monitored IP addresses. IBR traffic attributed to DoS attacks can be used to study the frequency of DoS attacks, or the types of services that are commonly being attacked.
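The inference described above, as an added example that is not part of the original page or of the STARDUST tooling: it groups response-type packets arriving at a telescope prefix by source address and flags sources whose traffic is both high in volume and spread across many monitored addresses. The prefix, the packet-kind labels, the thresholds and the sample records are all assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: the telescope monitors this prefix (a documentation range,
# not the UCSD-NT address space).
TELESCOPE = ip_network("198.51.100.0/24")
# Assumption: response-type packets count as backscatter; request-type
# packets (e.g. a bare SYN) are scanning and are ignored here.
RESPONSE_TYPES = {"tcp-synack", "tcp-rst", "icmp-echo-reply", "icmp-unreach"}


def infer_dos_victims(packets, min_packets=5, min_dsts=4):
    """Return {source_ip: (packet_count, distinct_dst_count)} for sources whose
    response traffic is both high-volume and spread across the telescope.
    The default thresholds are tiny so the constructed sample triggers them."""
    counts = defaultdict(int)
    dsts = defaultdict(set)
    for src, dst, kind in packets:
        if ip_address(dst) not in TELESCOPE:
            continue  # not addressed to monitored space
        if kind not in RESPONSE_TYPES:
            continue  # request traffic: scanning, not backscatter
        counts[src] += 1
        dsts[src].add(dst)
    return {
        src: (counts[src], len(dsts[src]))
        for src in counts
        if counts[src] >= min_packets and len(dsts[src]) >= min_dsts
    }


# Constructed sample records: (source, destination, packet kind).
SAMPLE = (
    # A DoS target replying to spoofed sources that fall inside the telescope.
    [("203.0.113.10", f"198.51.100.{i}", "tcp-synack") for i in range(1, 9)]
    # A scanner: many destinations, but request packets.
    + [("192.0.2.77", f"198.51.100.{i}", "tcp-syn") for i in range(1, 9)]
    # A misdirected host: response packets, but all to a single address.
    + [("192.0.2.5", "198.51.100.200", "tcp-rst")] * 6
    # A reply addressed outside the monitored prefix.
    + [("203.0.113.10", "192.0.2.1", "tcp-synack")]
)

if __name__ == "__main__":
    for src, (n, d) in infer_dos_victims(SAMPLE).items():
        print(f"{src}: {n} backscatter packets to {d} telescope addresses")
```

Only the first source is reported; the scanner is excluded by packet kind and the single-destination sender by the destination-spread threshold.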
Some malware will attempt to spread itself by sending traffic to random IP addresses, in the hope that the receiver is vulnerable to infection. This type of traffic can therefore also be visible to a network telescope, and is often especially apparent on telescopes that monitor large amounts of vacant address space. This has been most famously noticed with the Conficker worm, but trends in this type of traffic as seen by a telescope can be used to infer the growth (or decline) of various malware families and botnets over time.
Similarly, routing misconfigurations and software bugs can cause unsolicited traffic to reach a telescope. File sharing protocols (such as BitTorrent) are known to send large volumes of network maintenance traffic to telescope IP addresses, even though those addresses have never participated in file sharing before. Byte ordering errors when handling IP addresses in networking code can also result in applications sending traffic to incorrect addresses, and if the error is widespread and the software is popular, this may become apparent in the telescope traffic mix.
IBR traffic is not just useful for detecting and studying abnormal or malicious behaviors on the Internet. Because IBR is so prevalent, the observed traffic can be treated as a continuous background signal that can be used to monitor the overall connectivity of networks and geographic regions. The IODA project accepts IBR data as one of the inputs that can be used to determine whether a network operator or region has gone offline – the relative absence of IBR traffic sourced from IP addresses known to belong to the affected network or area is one possible indicator of an outage.
As analysis tools and data collection methods for network telescopes mature and allow us to better sift through the traffic that is observed, we will continue to notice and, in turn, better understand more interesting behavioral variants. This is one of the goals of the STARDUST project: to lower the barrier to entry for collecting and exploring telescope data for the research community as a whole.
To learn more about the types of IBR traffic that can be seen on a network telescope and how it facilitates interesting research, we suggest a read of the IMC 2015 paper: “Leveraging Internet Background Radiation for Opportunistic Network Analysis”.