Network telescope

A network telescope (also known as a packet telescope, [1] darknet, Internet motion sensor or black hole) [2] [3] [4] is an Internet system that allows one to observe different large-scale events taking place on the Internet. The basic idea is to observe traffic targeting the dark (unused) address-space of the network. Since all traffic to these addresses is suspicious, one can gain information about possible network attacks (random scanning worms, and DDoS backscatter) as well as other misconfigurations by observing it.
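To make the opening paragraph concrete, here is an added example (not code from the article or from any telescope operator it cites) that sorts sources seen at a darknet into the three categories named above: random scanners, DDoS backscatter, and misconfigured hosts. The packet records and the thresholds are constructed for illustration; the heuristics (a bare-SYN source touching several dark addresses is a scanner, a source sending only SYN-ACK or RST replies is a likely victim whose spoofed-source flood is bouncing off the telescope, a source repeating the same datagram to one dark address is probably misconfigured) are assumptions, not rules from the page.

```python
from collections import defaultdict

# Constructed sample of packets arriving at a hypothetical darknet (not real data).
# Each record is (source IP, destination dark IP, protocol, TCP flags); every packet
# is unsolicited by definition, since nothing lives at the destination addresses.
SAMPLE_PACKETS = [
    # one host probing many dark addresses with bare SYNs: a random scanner
    ("198.51.100.7", "203.0.113.1", "tcp", "S"),
    ("198.51.100.7", "203.0.113.9", "tcp", "S"),
    ("198.51.100.7", "203.0.113.44", "tcp", "S"),
    ("198.51.100.7", "203.0.113.200", "tcp", "S"),
    # SYN-ACKs from one source to unrelated dark addresses: backscatter from a
    # spoofed SYN flood aimed at that source (the source is the victim, not the attacker)
    ("192.0.2.80", "203.0.113.3", "tcp", "SA"),
    ("192.0.2.80", "203.0.113.77", "tcp", "SA"),
    ("192.0.2.80", "203.0.113.150", "tcp", "SA"),
    # the same UDP datagram repeated to a single dark address: a stale config or typo
    ("198.51.100.200", "203.0.113.5", "udp", ""),
    ("198.51.100.200", "203.0.113.5", "udp", ""),
    ("198.51.100.200", "203.0.113.5", "udp", ""),
]

# Assumed thresholds; a real deployment would tune these against its own baseline.
SCAN_FANOUT = 3                      # distinct dark addresses before a SYN source counts as scanning
REPEAT_MIN = 3                       # repeats to one address before we call it misconfiguration
BACKSCATTER_FLAGS = {"SA", "RA", "R"}  # replies a victim emits in response to spoofed SYNs


def summarize_sources(packets):
    """Aggregate per-source features: distinct destinations, flag set, protocol set, count."""
    per_src = defaultdict(lambda: {"dsts": set(), "flags": set(), "protos": set(), "n": 0})
    for src, dst, proto, flags in packets:
        rec = per_src[src]
        rec["dsts"].add(dst)
        rec["flags"].add(flags)
        rec["protos"].add(proto)
        rec["n"] += 1
    return per_src


def classify_sources(packets):
    """Return {source IP: label} using the darknet heuristics described in the lead-in."""
    labels = {}
    for src, rec in summarize_sources(packets).items():
        only_replies = rec["protos"] == {"tcp"} and rec["flags"] and rec["flags"] <= BACKSCATTER_FLAGS
        if only_replies:
            labels[src] = "backscatter"        # src is a probable DDoS victim
        elif rec["flags"] == {"S"} and len(rec["dsts"]) >= SCAN_FANOUT:
            labels[src] = "scanner"
        elif len(rec["dsts"]) == 1 and rec["n"] >= REPEAT_MIN:
            labels[src] = "misconfiguration"
        else:
            labels[src] = "unclassified"
    return labels


if __name__ == "__main__":
    for src, label in classify_sources(SAMPLE_PACKETS).items():
        print(f"{src:16} {label}")
```

The important operational point the example encodes is the direction of attribution: the scanner's source address is the actor, but the backscatter source is the target of someone else's spoofed flood, so the two labels call for opposite responses (block or report the first, notify the second).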

The resolution of the Internet telescope is dependent on the number of IP addresses it monitors. For example, a large Internet telescope that monitors traffic to 16,777,216 addresses (the /8 Internet telescope in IPv4), has a higher probability of observing a relatively small event than a smaller telescope that monitors 65,536 addresses (a /16 Internet telescope).

The naming comes from an analogy to optical telescopes, where a larger physical size allows more photons to be observed. [5]
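The resolution argument above can be carried through numerically. The following added example (not from the article or from the Moore et al. report it cites) models a source that sends packets to uniformly random IPv4 addresses and computes how likely a telescope of a given prefix length is to see at least one of them, and how long it must wait to reach a target confidence. The probe rates used in the checks (10 probes/s for a Code-Red-like host, 500 packets/s for the 5-minute attack) are assumptions chosen so the results line up with the 4.9-minute and 89.9% figures quoted from reference [5]; the page itself does not state those rates.

```python
import math

IPV4_SPACE = 2 ** 32


def telescope_addresses(prefix_len):
    """Number of IPv4 addresses covered by a /prefix_len telescope."""
    return 2 ** (32 - prefix_len)


def detection_probability(prefix_len, rate_pps, seconds):
    """Probability that a /prefix_len telescope sees at least one packet from a source
    that sends rate_pps packets per second to uniformly random IPv4 addresses for
    `seconds`. Each packet independently lands in the telescope with probability
    (telescope size / 2^32), so P(miss all) = (1 - hit)^(packets sent)."""
    hit = telescope_addresses(prefix_len) / IPV4_SPACE
    packets = rate_pps * seconds
    return 1.0 - (1.0 - hit) ** packets


def seconds_to_probability(prefix_len, rate_pps, target):
    """Seconds of random sending needed before the telescope has seen at least one
    packet with probability `target` (inverse of detection_probability)."""
    hit = telescope_addresses(prefix_len) / IPV4_SPACE
    packets_needed = math.log(1.0 - target) / math.log(1.0 - hit)
    return packets_needed / rate_pps


if __name__ == "__main__":
    # Assumed rate of 10 probes/s for a Code-Red-like host (not stated on the page).
    t = seconds_to_probability(8, 10, 0.99999)
    print(f"/8, 10 probes/s, 99.999% confidence: {t / 60:.1f} minutes")
    # Assumed 500 packets/s attack lasting 5 minutes, seen by a /16.
    p = detection_probability(16, 500, 5 * 60)
    print(f"/16, 500 pps for 5 min: {p:.1%} chance of >= 1 packet")
    print(f"/8 under the same attack: {detection_probability(8, 500, 5 * 60):.6%}")
```

The key consequence for anyone sizing a telescope: because the hit probability per packet scales linearly with address count, a /16 needs 256 times as many packets (or 256 times as long) as a /8 to reach the same confidence, which is exactly the "larger aperture, more time detail" point the analogy makes.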

A variant of a network telescope is a sparse darknet, or greynet, consisting of a region of IP address space that is sparsely populated with "darknet" addresses interspersed with active (or "lit") IP addresses. [2] These include a greynet assembled from 210,000 unused IP addresses mainly located in Japan. [6]

Large network telescope instances

| Network | Coverage | IPs | Name | Life span | Captures |
|---|---|---|---|---|---|
| 1/8 | 100% [3] | ~16M | APNIC | 2010-02-23 (1 week) | 4.1 terabyte [3] |
| 44/8 | 99% [4] | ~16M | UCSD Network Telescope [note 1] | 2001-02-01 to 2017-12-31 | 3.25 petabyte [7] |
| 44/8 | 99% [4] | ~16M | UCSD Network Telescope [note 1] | 2018-01-01 to 2019-06-04 | |
| 44/8 | 74% | ~12M | UCSD Network Telescope [note 1] | 2019-06-05 onward | |
| 35/8 | 67% [4] | ~11M | Merit Network [note 2] | 2005-10-05 onward | 18.2 terabyte [9] |
| 50/8 | 100% [3] | ~16M | ARIN | 2010-03-12 (1 week) | 1.1 terabyte [3] |
| 107/8 | 100% [3] | ~16M | ARIN | 2010-03-25 (1 week) | 1.2 terabyte [3] |
| 1,300 networks | | | Akamai [10] / MIT [11] | 2009/2019 onward | |
| /16 | 100% | 65k | HEAnet [12] | 2019-03 (1 week) | 96 gigabyte [12] |
| /15 | 100% | ~130k | SURFnet [13] | | |
| 2a10::/12 (IPv6) | 100% | 8.3 billion trillion trillion (2^112) | RIPE NCC [14] | 2020-01-13 to 2020-01-16 (3 days) | 19M packets |
  1. Hosted at San Diego Supercomputer Center, operated by Center for Applied Internet Data Analysis for University of California, San Diego, using Amateur Radio AMPRNet IP addresses.
  2. Merit Network Telescope, consisting of ~5.5 million (2014), [8] or ~11 million, unused IP addresses.

Related Research Articles

An Internet Protocol address is a numerical label such as 192.0.2.1 that is connected to a computer network that uses the Internet Protocol for communication. An IP address serves two main functions: network interface identification, and location addressing.

Internet Protocol version 4: Fourth version of the Internet Protocol

Internet Protocol version 4 (IPv4) is the fourth version of the Internet Protocol (IP). It is one of the core protocols of standards-based internetworking methods in the Internet and other packet-switched networks. IPv4 was the first version deployed for production on SATNET in 1982 and on the ARPANET in January 1983. It is still used to route most Internet traffic today, even with the ongoing deployment of Internet Protocol version 6 (IPv6), its successor.

IPv6: Version 6 of the Internet Protocol

Internet Protocol version 6 (IPv6) is the most recent version of the Internet Protocol (IP), the communications protocol that provides an identification and location system for computers on networks and routes traffic across the Internet. IPv6 was developed by the Internet Engineering Task Force (IETF) to deal with the long-anticipated problem of IPv4 address exhaustion, and was intended to replace IPv4. In December 1998, IPv6 became a Draft Standard for the IETF, which subsequently ratified it as an Internet Standard on 14 July 2017.

The Internet Protocol (IP) is the network layer communications protocol in the Internet protocol suite for relaying datagrams across network boundaries. Its routing function enables internetworking, and essentially establishes the Internet.

In computer networking, the User Datagram Protocol (UDP) is one of the core communication protocols of the Internet protocol suite used to send messages to other hosts on an Internet Protocol (IP) network. Within an IP network, UDP does not require prior communication to set up communication channels or data paths.

In computing, Internet Protocol Security (IPsec) is a secure network protocol suite that authenticates and encrypts packets of data to provide secure encrypted communication between two computers over an Internet Protocol network. It is used in virtual private networks (VPNs).

The Address Resolution Protocol (ARP) is a communication protocol used for discovering the link layer address, such as a MAC address, associated with a given internet layer address, typically an IPv4 address. This mapping is a critical function in the Internet protocol suite. ARP was defined in 1982 by RFC 826, which is Internet Standard STD 37.

Network address translation: Protocol facilitating connection of one IP address space to another

Network address translation (NAT) is a method of mapping an IP address space into another by modifying network address information in the IP header of packets while they are in transit across a traffic routing device. The technique was originally used to bypass the need to assign a new address to every host when a network was moved, or when the upstream Internet service provider was replaced, but could not route the network's address space. It has become a popular and essential tool in conserving global address space in the face of IPv4 address exhaustion. One Internet-routable IP address of a NAT gateway can be used for an entire private network.

A virtual private network (VPN) is a mechanism for creating a secure connection between a computing device and a computer network, or between two networks, using an insecure communication medium such as the public Internet.

IP fragmentation: Process that breaks IP packets into smaller pieces

IP fragmentation is an Internet Protocol (IP) process that breaks packets into smaller pieces (fragments), so that the resulting pieces can pass through a link with a smaller maximum transmission unit (MTU) than the original packet size. The fragments are reassembled by the receiving host.

In Internet networking, a private network is a computer network that uses a private address space of IP addresses. These addresses are commonly used for local area networks (LANs) in residential, office, and enterprise environments. Both the IPv4 and the IPv6 specifications define private IP address ranges.

Internet background noise consists of data packets on the Internet which are addressed to IP addresses or ports where there is no network device set up to receive them.

IP multicast is a method of sending Internet Protocol (IP) datagrams to a group of interested receivers in a single transmission. It is the IP-specific form of multicast and is used for streaming media and other network applications. It uses specially reserved multicast address blocks in IPv4 and IPv6.

A middlebox is a computer networking device that transforms, inspects, filters, and manipulates traffic for purposes other than packet forwarding. Examples of middleboxes include firewalls, network address translators (NATs), load balancers, and deep packet inspection (DPI) boxes.

AMPRNet

The AMPRNet or Network 44 is used in amateur radio for packet radio and digital communications between computer networks managed by amateur radio operators. Like other amateur radio frequency allocations, the IP range 44.0.0.0/8 was provided in 1981 for Amateur Radio Digital Communications and is self-administered by radio amateurs. In 2001, undocumented dual use of 44.0.0.0/8 as a network telescope began, recording the spread of the Code Red II worm in July 2001. In mid-2019, part of the IPv4 range was sold off for conventional use, due to IPv4 address exhaustion.

Stefan Savage is an American computer science researcher, currently a Professor in the Systems and Networking Group at the University of California, San Diego. There, he holds the Irwin and Joan Jacobs Chair in Information and Computer Science. Savage is widely cited in computer security, particularly in the areas of email spam, network worms and malware propagation, distributed denial of service (DDOS) mitigation and traceback, automotive hacking and wireless security. He received his undergraduate degree at Carnegie Mellon and his Ph.D. from the University of Washington.

Internet Mapping Project: Collecting network paths

The Internet Mapping Project was started by William Cheswick and Hal Burch at Bell Labs in 1997. It has collected and preserved traceroute-style paths to some hundreds of thousands of networks almost daily since 1998. The project included visualization of the Internet data, and the Internet maps were widely disseminated.

An IP header is header information at the beginning of an Internet Protocol (IP) packet. An IP packet is the smallest message entity exchanged via the Internet Protocol across an IP network. IP packets consist of a header for addressing and routing, and a payload for user data. The header contains information about IP version, source IP address, destination IP address, time-to-live, etc. The payload of an IP packet is typically a datagram or segment of the higher-level transport layer protocol, but may be data for an internet layer or link layer instead.

In computer networking, tcpcrypt is a transport layer communication encryption protocol. Unlike prior protocols like TLS (SSL), tcpcrypt is implemented as a TCP extension. It was designed by a team of six security and networking experts: Andrea Bittau, Mike Hamburg, Mark Handley, David Mazières, Dan Boneh and Quinn Slack. Tcpcrypt has been published as an Internet Draft. Experimental user-space implementations are available for Linux, Mac OS X, FreeBSD and Windows. There is also a Linux kernel implementation.

KC Claffy: Internet researcher

Kimberly C. "KC" Claffy is director of the Center for Applied Internet Data Analysis at the University of California, San Diego. In 2017 she was awarded the Jonathan B. Postel Service Award and inducted into the Internet Hall of Fame in 2019.

References

  1. Cheswick, Bill (August 2013). "Bill Cheswick on Firewalls" (PDF). Security. ;login: The USENIX Magazine (Interview). Vol. 38, no. 4. Interviewed by Rik Farrow. p. 21. about this time (late 1980s) Mark Horton obtained a class A address for AT&T from the powers-that-be by simply asking. ... our Cray computer seemed to require a class A network ... took 12.0.0.0/8 and announced it to the Net, feeding the packets to a non-existent Ethernet address and running tcpdump on the traffic, which came to about 12 to 25 MB/day. Steve analyzed that traffic and wrote a fine paper. Basically, we were watching the death screams of attacked hosts that used IP address-based authentication. ... This is the first packet telescope I can remember, and I think I might even have coined the term "packet telescope," but my memory is fuzzy on that.
  2. Harrop, W.; Armitage, G. (2005). "Defining and Evaluating Greynets (Sparse Darknets)". The IEEE Conference on Local Computer Networks 30th Anniversary (LCN'05). pp. 344–350. doi:10.1109/LCN.2005.46. hdl:1959.3/2449. ISBN 0-7695-2421-4. S2CID 18789864.
  3. Wustrow, Eric; Karir, Manish; Bailey, Michael; Jahanian, Farnam; Houston, Geoff (2010-06-09). Internet Background Radiation Revisited (PDF). Internet Measurement Conference. Systems that monitor unused address spaces have a variety of names, including darknets, network telescopes, blackhole monitors, network sinks, and network motion sensors. ... 1/8 ... 50/8 ... 107/8 ... 35/8
  4. Benson, Karyn; Dainotti, Alberto; Claffy, K.C.; Snoeren, Alex C.; Kallitsis, Michael (2015-09-10). Leveraging Internet Background Radiation for Opportunistic Network Analysis (PDF). Internet Measurement Conference '15. Tokyo, Japan. doi:10.1145/2815675.2815702. ISBN 978-1-4503-3848-6. S2CID 6184617. A darknet or network telescope is a collection of routed but unused IP addresses, ... UC San Diego and Merit Network operate large darknets, which we call UCSD-NT and MERIT-NT respectively. UCSD-NT observes traffic destined to more than 99% of IP addresses in a contiguous /8 block. MERIT-NT covers about 67% of a different /8 block.
  5. Moore, David; Shannon, Colleen; Voelker, Geoffrey M.; Savage, Stefan (April 2004). "Network Telescopes: Technical Report" (PDF). Technical Reports. network telescopes were named as an analogy to astronomical telescopes, ... driven by the comparison of packets arriving in a portion of address space to photons arriving in the aperture of a light telescope. ... a larger aperture increases the resolution of objects by providing more positional detail; with network telescopes, having a larger address space increases the resolution of events by providing more time detail. ... to observe one or more packets from a Code-Red-like host on a /8 with 99.999% probability requires 4.9 minutes. ... Even if the attack lasted 5 minutes, there is only a 89.9% chance that a /16 telescope would see at least 1 packet. ... thank Brian Kantor, Jim Madden, and Pat Wilson of UCSD for technical support of the Network Telescope project. ... Support for this work is provided by NSF Trusted Computing Grant CCR-0311690, Cisco Systems University Research Program, DARPA FTN Contract N66001-01-1-8933, NSF Grant ANI-0221172, National Institute of Standards Grant 60NANB1D0118, and a generous gift from AT&T.
  6. Le Malécot, Erwan; Inoue, Daisuke (20 Mar 2014). Danger, Jean Luc; Debbabi, Mourad; Marion, Jean-Yves; Garcia-Alfaro, Joaquin; Heywood, Nur Zincir (eds.). The Carna Botnet Through the Lens of a Network Telescope. Foundations and Practice of Security: 6th International Symposium. La Rochelle, France. p. 427. ISBN 9783319053028. "network telescope that we operate presently amounts to approximately 210 thousand unused IPv4 addresses spread over the networks of a number of partner organizations (located in Japan and aboard). Those unused addresses form darknets ranging in size from a few addresses to whole /16 subnets ... the notion of a "greynet" ... composed of a mixture of used and unused IP addresses"
  7. Claffy, K.; Fomenkov, Marina; University of California San Diego; Center for Applied Internet Data Analysis (CAIDA) (2018-06-22). Rose, Fraces A.; Matyjas, John D. (eds.). Final technical report. Supporting Research and Development of Security Technologies Through Network and Security Data Collection (Report). Air Force Research Laboratory Information Directorate. pp. iii, 2, 3, 7. Sep 2012 – Dec 2017 ... Grant number: FA8750-12-2-0326 ... engaged in collecting packet-level data from the UCSD Network Telescope (which monitors a /8 IPv4 darknet) ... number of files and the total volume of data collected ... (from [2012-10-01] until [2017-12-31]) as well as cumulative size ... Telescope: number of files: 129552; Size: 2.85 PB; On-disk size (compressed), [at 2017-12-31]: 1.30 PB; Uncompressed size, [at 2017-12-31]: 3.25 PB
  8. Durumeric, Zakir; Bailey, Michael; Halderman, J. Alex; University of Michigan (2014-08-08). An Internet-Wide View of Internet-Wide Scanning (PDF). USENIX Security Symposium. darknet operated at Merit Network for the period from [2013-01-01] to [2014-05-01]. ... 5.5 million addresses, ... 1.4 billion packets, or 55 GB of traffic, per day.
  9. Merit Network. "Longitudinal Darknet 35/8". Blackhole Address Space Data, flowtuple. IMPACT Cybertrust. in the case of a TCP SYN flood attack with a spoofed source IP, the victim will reply with a TCP SYN-ACK to the spoofed IP; if the spoofed IP happened to be within the 35/8 address space, our darknet will capture the SYN-ACK replies ... Collection Starting: [2005-10-05]; ... Data collection is ongoing ... Size: 18.2TB Size is growing as more data is collected
  10. Belson, David, ed. (2009-07-09). "Conficker" (PDF). Security. The State of the Internet. Vol. 2, no. 1. Akamai Technologies. p. 8. corroborated by similar drops in observed by CAIDA's UCSD Network Telescope, which serves a function similar to the set of Akamai servers that collect attack traffic data.
  11. Richter, Philipp; Berger, Arthur (July 2019). Scanning the Scanners: Sensing the Internet from a Massively Distributed Network Telescope. ACM Internet Measurement Conference. Amsterdam, Netherlands.
  12. O'Hara, Joseph (April 2019). "Cloud-based network telescope for Internet background radiation collection" (PDF). Trinity College Dublin. p. 16. Thank you to Eoin Kenny from HEAnet ... A traditional /16 network telescope was provided by HEAnet, Ireland's National Education and Research Network. ... /16 address space had been unused for a number of years before this research ... 256 times smaller than the CAIDA /8 ... recorded data rate was 1.25Mbps ... 95.6GB
  13. Metongnon, Lionel; Sadre, Ramin (2018-08-20). Beyond Telnet: Prevalence of IoT Protocols in Telescope and Honeypot Measurements (PDF). ACM SIGCOMM-WTMC. p. 4. doi:10.1145/3229598.3229604. S2CID 51926045. Archived from the original (presentation slides) on 2019-07-30. a setup with /15 network telescope
  14. Aben, Emile (2020-01-17). "The Debogonisation of 2a10::/12".

Further reading