Network telescope

A network telescope (also known as a packet telescope,[1] darknet, Internet motion sensor or black hole)[2][3][4] is an Internet system that allows one to observe different large-scale events taking place on the Internet. The basic idea is to observe traffic targeting the dark (unused) address-space of the network. Since all traffic to these addresses is suspicious, one can gain information about possible network attacks (random scanning worms, and DDoS backscatter) as well as other misconfigurations by observing it.

The resolution of the Internet telescope is dependent on the number of IP addresses it monitors. For example, a large Internet telescope that monitors traffic to 16,777,216 addresses (the /8 Internet telescope in IPv4), has a higher probability of observing a relatively small event than a smaller telescope that monitors 65,536 addresses (a /16 Internet telescope).

The naming comes from an analogy to optical telescopes, where a larger physical size allows more photons to be observed.[5]

A variant of a network telescope is a sparse darknet, or greynet, consisting of a region of IP address space that is sparsely populated with "darknet" addresses interspersed with active (or "lit") IP addresses.[2] These include a greynet assembled from 210,000 unused IP addresses mainly located in Japan.[6]

  1. ^ Cheswick, Bill (August 2013). "Bill Cheswick on Firewalls" (PDF). Security. ;login: The USENIX Magazine (Interview). Vol. 38, no. 4. Interviewed by Rik Farrow. p. 21. about this time (late 1980s) Mark Horton obtained a class A address for AT&T from the powers-that-be by simply asking. ... our Cray computer seemed to require a class A network ... took 12.0.0.0/8 and announced it to the Net, feeding the packets to a non-existent Ethernet address and running tcpdump on the traffic, which came to about 12 to 25 MB/day. Steve analyzed that traffic and wrote a fine paper. Basically, we were watching the death screams of attacked hosts that used IP address-based authentication. ... This is the first packet telescope I can remember, and I think I might even have coined the term "packet telescope," but my memory is fuzzy on that.
  2. ^ a b Harrop, W.; Armitage, G. (2005). "Defining and Evaluating Greynets (Sparse Darknets)". The IEEE Conference on Local Computer Networks 30th Anniversary (LCN'05)l. Sign in or purchase to access: IEEE. pp. 344–350. doi:10.1109/LCN.2005.46. hdl:1959.3/2449. ISBN 0-7695-2421-4. S2CID 18789864.
  3. ^ Wustrow, Eric; Karir, Manish; Bailey, Michael; Jahanian, Farnam; Houston, Geoff (2010-06-09). Internet Background Radiation Revisited (PDF). Internet Measurement Conference. Systems that monitor unused address spaces have a variety of names, including darknets, network telescopes, blackhole monitors, network sinks, and network motion sensors. ... 1/8 ... 50/8 ... 107/8 ... 35/8
  4. ^ Benson, Karyn; Dainotti, Alberto; Claffy, K.C.; Snoeren, Alex C.; Kallitsis, Michael (2015-09-10). Leveraging Internet Background Radiation for Opportunistic Network Analysis (PDF). Internet Measurement Conference '15. Tokyo, Japan. doi:10.1145/2815675.2815702. ISBN 978-1-4503-3848-6. S2CID 6184617. A darknet or network telescope is a collection of routed but unused IP addresses, ... UC San Diego and Merit Network operate large darknets, which we call UCSD-NT and MERIT-NT respectively. UCSD-NT observes traffic destined to more than 99% of IP addresses in a contiguous /8 block. MERIT-NT covers about 67% of a different /8 block.
  5. ^ Moore, David; Shannon, Colleen; Voelker, Geoffrey M.; Savage, Stefan (April 2004). "Network Telescopes: Technical Report" (PDF). Technical Reports. network telescopes were named as an analogy to astronomical telescopes, ... driven by the comparison of packets arriving in a portion of address space to photons arriving in the aperture of a light telescope. ... a larger aperture increases the resolution of objects by providing more positional detail; with network telescopes, having a larger address space increases the resolution of events by providing more time detail. ... to observe one or more packets from a Code-Red-like host on a /8 with 99.999% probability requires 4.9 minutes. ... Even if the attack lasted 5 minutes, there is only a 89.9% chance that a /16 telescope would see at least 1 packet. ... thank Brian Kantor, Jim Madden, and Pat Wilson of UCSD for technical support of the Network Telescope project. ... Support for this work is provided by NSF Trusted Computing Grant CCR-0311690, Cisco Systems University Research Program, DARPA FTN Contract N66001-01-1-8933, NSF Grant ANI-0221172, National Institute of Standards Grant 60NANB1D0118, and a generous gift from AT&T.
  6. ^ Le Malécot, Erwan; Inoue, Daisuke (20 Mar 2014). Danger, Jean Luc; Debbabi, Mourad; Marion, Jean-Yves; Garcia-Alfaro, Joaquin; Heywood, Nur Zincir (eds.). The Carna Botnet Through the Lens of a Network Telescope. Foundations and Practice of Security: 6th International Symposium. La Rochelle, France. p. 427. ISBN 9783319053028. "network telescope that we operate presently amounts to approximately 210 thousand unused IPv4 addresses spread over the networks of a number of partner organizations (located in Japan and aboard). Those unused addresses form darknets ranging in size from a few addresses to whole /16 subnets ... the notion of a "greynet" ... composed of a mixture of used and unused IP addresses