Network telescope explained

A network telescope (also known as a packet telescope,[1] darknet, Internet motion sensor or black hole)[2][3][4] is an Internet system that allows one to observe large-scale events taking place on the Internet. The basic idea is to observe traffic targeting the dark (unused) address space of the network. Since all traffic to these addresses is suspicious, observing it yields information about possible network attacks (random scanning worms and DDoS backscatter) as well as other misconfigurations.

The resolution of an Internet telescope depends on the number of IP addresses it monitors. For example, a large Internet telescope that monitors traffic to 16,777,216 addresses (a /8 Internet telescope in IPv4) has a higher probability of observing a relatively small event than a smaller telescope that monitors 65,536 addresses (a /16 Internet telescope).
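Added example, not part of the original article: a small model of telescope resolution for a host that sends probes to uniformly random IPv4 addresses, plus the matching extrapolation for backscatter from uniformly spoofed sources. The probe rate, confidence level and function names are assumptions chosen for illustration; the address counts are the telescope sizes given on this page.

```python
import math

IPV4_SPACE = 2 ** 32  # total number of IPv4 addresses

def hit_fraction(monitored: int) -> float:
    """Chance that one uniformly random IPv4 probe lands in the telescope."""
    if not 0 < monitored < IPV4_SPACE:
        raise ValueError("monitored must be between 1 and 2**32 - 1")
    return monitored / IPV4_SPACE

def p_observe(monitored: int, probes: int) -> float:
    """P(at least one of `probes` random probes hits the telescope)."""
    if probes < 0:
        raise ValueError("probes must be non-negative")
    # 1 - (1 - f)^k, via log1p/expm1 so tiny fractions stay accurate
    return -math.expm1(probes * math.log1p(-hit_fraction(monitored)))

def seconds_to_observe(monitored: int, rate_pps: float, confidence: float) -> float:
    """How long a host probing at rate_pps must run to be seen with `confidence`."""
    if rate_pps <= 0 or not 0 < confidence < 1:
        raise ValueError("need rate_pps > 0 and 0 < confidence < 1")
    probes = math.ceil(math.log1p(-confidence) / math.log1p(-hit_fraction(monitored)))
    return probes / rate_pps

def estimate_total_rate(observed_pps: float, monitored: int) -> float:
    """Extrapolate a victim's total backscatter rate from what the telescope
    sees, assuming the spoofed source addresses are uniformly random."""
    return observed_pps / hit_fraction(monitored)

if __name__ == "__main__":
    RATE = 10          # probes per second (assumed, not from the article)
    CONF = 0.99999     # desired detection confidence (assumed)
    sizes = {          # address counts taken from the article
        "16,777,216 addresses": 16_777_216,
        "65,536 addresses": 65_536,
        "210,000-address greynet": 210_000,
    }
    for name, n in sizes.items():
        t = seconds_to_observe(n, RATE, CONF)
        p5 = p_observe(n, RATE * 300)  # a five-minute event
        print(f"{name:26s} time to {CONF:.3%}: {t / 60:10.1f} min   "
              f"P(seen within 5 min) = {p5:.4f}")
```

Under these assumptions the larger telescope sees the host within minutes, while the smaller one needs most of a day to reach the same confidence.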

The naming comes from an analogy to optical telescopes, where a larger physical size allows more photons to be observed.[5]

A variant of a network telescope is a sparse darknet, or greynet, consisting of a region of IP address space that is sparsely populated with "darknet" addresses interspersed with active (or "lit") IP addresses.[2] These include a greynet assembled from 210,000 unused IP addresses mainly located in Japan.[6]

Large network telescope instances

| Network | Coverage | IPs | Name | Life span | Captures |
|---|---|---|---|---|---|
| | 100% | ~16M | APNIC | 2010-02-23 (1 week) | 4.1 terabyte |
| | 99% | ~16M | | 2001-02-01‒2017-12-31 | 3.25 petabyte[7] |
| | | | | 2018-01-01‒2019-06-04 | |
| | 74% | ~12M | | 2019-06-05— | |
| | 67% | ~11M | | 2005-10-05— | 18.2 terabyte[8] |
| | 100% | ~16M | ARIN | 2010-03-12 (1 week) | 1.1 terabyte |
| | 100% | ~16M | ARIN | 2010-03-25 (1 week) | 1.2 terabyte |
| 1,300 networks | | | Akamai[9] / MIT[10] | 2009/2019— | |
| | 100% | 65k | HEAnet[11] | 2019-03 (1 week) | 96 gigabyte |
| | 100% | ~130k | SURFnet[12] | | |
| (IPv6) | 100% | 8.3 billion trillion trillion (2^112) | RIPE NCC[13] | 2020-01-13 - 2020-01-16 (3 days) | 19M packets |

Notes and References

  1. Bill Cheswick, Rik Farrow. "Bill Cheswick on Firewalls". Security. login: The USENIX Magazine. 38 (4): 21. August 2013. Quote: "about this time (late 1980s) Mark Horton obtained a class A address for AT&T from the powers-that-be by simply asking. ... our Cray computer seemed to require a class A network ... took and announced it to the Net, feeding the packets to a non-existent Ethernet address and running tcpdump on the traffic, which came to about 12 to 25 MB/day. Steve analyzed that traffic and wrote a fine paper. Basically, we were watching the death screams of attacked hosts that used IP address-based authentication. ... This is the first packet telescope I can remember, and I think I might even have coined the term "packet telescope," but my memory is fuzzy on that."
  2. W. Harrop, G. Armitage. "Defining and Evaluating Greynets (Sparse Darknets)". The IEEE Conference on Local Computer Networks 30th Anniversary (LCN'05). IEEE. 2005. pp. 344–350. doi:10.1109/LCN.2005.46. hdl:1959.3/2449. ISBN 0-7695-2421-4. S2CID 18789864.
  3. Eric Wustrow, Manish Karir, Michael Bailey, Farnam Jahanian, Geoff Houston. "Internet Background Radiation Revisited". Internet Measurement Conference. 2010-06-09. Quote: "Systems that monitor unused address spaces have a variety of names, including darknets, network telescopes, blackhole monitors, network sinks, and network motion sensors. ... 1/8 ... 50/8 ... 107/8 ... 35/8."
  4. Karyn Benson, Alberto Dainotti, K.C. Claffy, Alex C. Snoeren, Michael Kallitsis. "Leveraging Internet Background Radiation for Opportunistic Network Analysis". Internet Measurement Conference '15. Tokyo, Japan. doi:10.1145/2815675.2815702. ISBN 978-1-4503-3848-6. S2CID 6184617. Quote: "A darknet or network telescope is a collection of routed but unused IP addresses, ... UC San Diego and Merit Network operate large darknets, which we call UCSD-NT and MERIT-NT respectively. UCSD-NT observes traffic destined to more than 99% of IP addresses in a contiguous block. MERIT-NT covers about 67% of a different block."
  5. David Moore, Colleen Shannon, Geoffrey M. Voelker, Stefan Savage. "Network Telescopes: Technical Report". Technical Reports. April 2004. Quote: "network telescopes were named as an analogy to astronomical telescopes, ... driven by the comparison of packets arriving in a portion of address space to photons arriving in the aperture of a light telescope. ... a larger aperture increases the resolution of objects by providing more positional detail; with network telescopes, having a larger address space increases the resolution of events by providing more time detail. ... to observe one or more packets from a Code-Red-like host on a with 99.999% probability requires 4.9 minutes. ... Even if the attack lasted 5 minutes, there is only a 89.9% chance that a telescope would see at least 1 packet. ... thank Brian Kantor, Jim Madden, and Pat Wilson of UCSD for technical support of the Network Telescope project. ... Support for this work is provided by NSF Trusted Computing Grant -0311690, Cisco Systems University Research Program, DARPA Contract N66001-01-1-8933, NSF Grant -0221172, National Institute of Standards Grant 60NANB1D0118, and a generous gift from AT&T."
  6. Erwan Le Malécot, Daisuke Inoue. "The Carna Botnet Through the Lens of a Network Telescope". In Jean Luc Danger, Mourad Debbabi, Jean-Yves Marion, Joaquin Garcia-Alfaro, Nur Zincir Heywood (eds.). Foundations and Practice of Security: 6th International Symposium. La Rochelle, France. 20 Mar 2014. p. 427. ISBN 9783319053028. Quote: "network telescope that we operate presently amounts to approximately 210 thousand unused IPv4 addresses spread over the networks of a number of partner organizations (located in Japan and aboard). Those unused addresses form darknets ranging in size from a few addresses to whole subnets ... the notion of a "greynet" ... composed of a mixture of used and unused IP addresses."
  7. K. Claffy, Marina Fomenkov. "Supporting Research and Development of Security Technologies Through Network and Security Data Collection". Final technical report. University of California San Diego, Center for Applied Internet Data Analysis (CAIDA). Air Force Research Laboratory Information Directorate. Fraces A. Rose, John D. Matyjas. 2018-06-22. pp. iii, 2, 3, 7. Quote: "2012 – 2017 ... Grant number: FA8750-12-2-0326 ... engaged in collecting packet-level data from the UCSD Network Telescope (which monitors a IPv4 darknet) ... number of files and the total volume of data collected ... (from [2012-10-01] until [2017-12-31]) as well as cumulative size ... Telescope: number of files: 129552; Size: 2.85 PB; On-disk size (compressed), [at 2017-12-31]: 1.30 PB; Uncompressed size, [at 2017-12-31]: 3.25 PB."
  8. "Longitudinal Darknet". Merit Network. Blackhole Address Space Data, flowtuple. IMPACT Cybertrust. Merit Network. Quote: "in the case of a TCP SYN flood attack with a spoofed source IP, the victim will reply with a TCP SYN-ACK to the spoofed IP; if the spoofed IP happened to be within the address space, our darknet will capture the SYN-ACK replies ... Collection Starting: [2005-10-05]; ... Data collection is ongoing ... Size: 18.2TB Size is growing as more data is collected."
  9. David Belson. "Conficker". Security. The State of the Internet. 2 (1): 8. Akamai Technologies. 2009-07-09. Quote: "corroborated by similar drops in observed by CAIDA's UCSD Network Telescope, which serves a function similar to the set of Akamai servers that collect attack traffic data."
  10. Philipp Richter, Arthur Berger. "Scanning the Scanners: Sensing the Internet from a Massively Distributed Network Telescope". ACM Internet Measurement Conference. Amsterdam, Netherlands. July 2019.
  11. Joseph O'Hara. "Cloud-based network telescope for Internet background radiation collection". Trinity College Dublin. April 2019. p. 16. Quote: "Thank you to Eoin Kenny from HEAnet ... A traditional /16 network telescope was provided by HEAnet, Ireland's National Education and Research Network. ... address space had been unused for a number of years before this research ... 256 times smaller than the CAIDA ... recorded data rate was 1.25Mbps ... 95.6GB."
  12. Lionel Metongnon, Ramin Sadre. "Beyond Telnet: Prevalence of IoT Protocols in Telescope and Honeypot Measurements". ACM SIGCOMM-WTMC. 2018-08-20. p. 4. doi:10.1145/3229598.3229604. S2CID 51926045. Quote: "a setup with network telescope."
  13. Emile Aben. "The Debogonisation of 2a10::/12". 2020-01-17.