Network Telescopes: Technical Report

A network telescope is a portion of routed IP address space in which little or no legitimate traffic exists. Monitoring unexpected traffic arriving at a network telescope provides the opportunity to view remote network security events such as various forms of flooding denial-of-service attacks, infection of hosts by Internet worms, and network scanning. In this paper, we examine the effects of the scope and locality of network telescopes on accurate measurement of both pandemic incidents (the spread of an Internet worm) and endemic incidents (denial-of-service attacks) on the Internet. In particular, we study the relationship between the size of the network telescope and its ability to detect network events, characterize its precision in determining event duration and rate, and discuss practical considerations in the deployment of network telescopes.
