Subnet Filters - STARDUST


Subnet Filters

The UCSD Network Telescope is a passive monitoring system that captures Internet traffic sent to a segment of IP address space owned by Amateur Radio Digital Communications (ARDC). The range consists predominantly of unutilized IP addresses, meaning they are not assigned to active hosts, but it also encompasses a few utilized IP address blocks. We wrote a tool to filter out any legitimate traffic inadvertently captured.

Our filtering process relies on an exclusion list obtained by querying a database maintained by ARDC. This list includes all address blocks allocated by ARDC for use, including those of some users that announce their prefix via the Border Gateway Protocol (BGP) into the global Internet. Theoretically, we should not receive traffic from these BGP-announced networks; this filtering is a preventative measure.

As of November 2023, we have enhanced our operations by automatically updating subnet filters twice daily. Additionally, for historical reference, we archive all filters going forward (starting with the timestamp 1700517778) in a Swift container named amprnet-legit-networks-all-subnets. This container also has files of daily filters before this time, but there is a gap during which we had not updated the pipeline to use the new database querying mechanism, i.e., we were not performing this filtering accurately. Authorized users of the telescope data can access this historical information, which may help in analyzing the data, as it indicates which prefixes we should not see traffic from because we filter it. That is, those address blocks are not part of our darknet.
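The following added example (not the telescope's own tooling) shows one way an analyst could use the archived filter snapshots described above: for a given address and packet time, it picks the snapshot in effect and reports whether the address was excluded from the darknet, and it flags lookups that fall into a gap in the archive. The in-memory snapshot layout, the `FilterHistory` class, the one-day `MAX_AGE` threshold and all prefixes are assumptions; the page does not describe the file format inside the container.

```python
import bisect
import ipaddress

# Constructed sample: snapshot Unix timestamp -> excluded (in-use) prefixes.
# The first key is the archive start timestamp stated on the page; the other
# keys and all prefixes are constructed (documentation address ranges).
SNAPSHOTS = {
    1700517778: ["192.0.2.0/24", "198.51.100.0/25"],
    1700560978: ["192.0.2.0/24", "198.51.100.0/24"],
    1700950000: ["192.0.2.0/24"],  # follows a multi-day gap
}
MAX_AGE = 86400  # assumption: a snapshot older than one day counts as stale


class FilterHistory:
    def __init__(self, snapshots):
        self.times = sorted(snapshots)
        self.nets = {t: [ipaddress.ip_network(p) for p in snapshots[t]] for t in self.times}

    def snapshot_at(self, ts):
        """Return the timestamp of the latest snapshot taken at or before ts, or None."""
        i = bisect.bisect_right(self.times, ts)
        return self.times[i - 1] if i else None

    def classify(self, addr, ts, max_age=MAX_AGE):
        """Classify one address at packet time ts.

        'unknown'  - no snapshot exists at or before ts
        'stale'    - nearest snapshot is older than max_age (gap in the archive)
        'filtered' - address was in an excluded block, so not part of the darknet
        'darknet'  - address was not excluded
        """
        snap = self.snapshot_at(ts)
        if snap is None:
            return "unknown"
        if ts - snap > max_age:
            return "stale"
        ip = ipaddress.ip_address(addr)
        return "filtered" if any(ip in n for n in self.nets[snap]) else "darknet"


if __name__ == "__main__":
    h = FilterHistory(SNAPSHOTS)
    for addr, ts in [("198.51.100.200", 1700520000), ("198.51.100.200", 1700570000),
                     ("203.0.113.9", 1700570000), ("192.0.2.1", 1700800000)]:
        print(addr, ts, h.classify(addr, ts))
```

A "stale" or "unknown" result means the filter state at that time cannot be established from the archive, so traffic to that address should not be assumed to be darknet traffic.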

The telescope instrumentation is in need of an overhaul to keep up with traffic growth. System resource limitations sometimes cause packets to be dropped or flowtuple generation to fail. We are in the process of upgrading the hardware and software to accommodate this growth; we will complete this in 2024.

Acknowledgement

We are grateful to Alexander Männel, Jonas Mücke, and Matthias Wählisch from TUD Dresden University of Technology for their in-depth analysis of issues in our telescope data that led to this revision in our meta-data and documentation. This team discovered in summer 2023 some unexpected irregularities in the telescope data that they brought to our attention; these turned out to be inconsistencies in our filtering of traffic due to local network misconfiguration and an operational change in ARDC’s maintenance of their address block allocation database. We have now addressed these issues; the daily filter lists that we provide in a Swift container are synchronized to the latest ARDC data. All telescope users have access to this Swift container to inform their analysis of the data.
