A network telescope (also known as a black hole, an Internet sink, a darknet, or darkspace) captures Internet data from unused IP address space(s).
Currently, STARDUST is used to collect, process and share data about the
traffic that is observed at the UCSD network telescope (UCSD-NT). The UCSD-NT
is a large IPv4 network telescope and monitors the Internet background
radiation (IBR) directed towards approximately 1/256th of all IPv4 Internet
addresses. The STARDUST software and tools are designed to be used in
conjunction with any IPv4 network telescope – for instance, the
Merit telescope also uses some of the STARDUST infrastructure
for data collection.
Uses of IBR Traffic
IBR traffic has many potential uses for research activities, as the traffic
can be attributed to a wide range of interesting Internet behaviors.
For instance, network scanning (both on a network level and on an application
level) activity can be readily observed in IBR traffic, as the scanners often
do not realise that the telescope address space is unused. New or modified
scanning techniques can be detected through changes in the properties of IBR
traffic. Similarly, the awareness and popularity of certain known
vulnerabilities in network applications may become apparent as the number
of scanning packets that target a particular application increases.
Backscatter from denial-of-service (DoS) attacks where the
attacker has spoofed the source address on the attack traffic can also appear
at a network telescope. The targets of DoS attacks can be inferred from the
appearance of large volumes of backscatter traffic at the telescope,
sourced from a single external IP address but typically destined for
a wide range of monitored IP addresses. IBR traffic attributed to DoS attacks
can be used to study the frequency of DoS attacks, or the types of services that
are commonly being attacked.
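An added example (not part of STARDUST or the original page) of the inference described above: it keeps only response-type packets, groups them by source address, and reports sources that reach many distinct monitored addresses. The telescope prefix, the thresholds, the packet record layout and the sample data are assumptions made for illustration; the response-packet heuristic is a commonly used one, not necessarily the one the project applies.

```python
import ipaddress
from collections import defaultdict

# Assumption: stand-in for the telescope's unused prefix (not the real UCSD-NT range).
TELESCOPE = ipaddress.ip_network("10.0.0.0/8")

# Response-type packets that a DoS victim emits toward spoofed sources.
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10
ICMP_REPLY_TYPES = {0, 3, 11}  # echo reply, destination unreachable, time exceeded


def is_backscatter(pkt):
    """True if the packet looks like a reply to traffic the telescope never sent."""
    if pkt["proto"] == "tcp":
        flags = pkt["flags"]
        syn_ack = (flags & (TCP_SYN | TCP_ACK)) == (TCP_SYN | TCP_ACK)
        return syn_ack or bool(flags & TCP_RST)
    if pkt["proto"] == "icmp":
        return pkt["icmp_type"] in ICMP_REPLY_TYPES
    return False


def infer_victims(packets, min_packets=5, min_dests=5):
    """Return {source_ip: (packet_count, distinct_dest_count)} for likely DoS victims."""
    count = defaultdict(int)
    dests = defaultdict(set)
    for pkt in packets:
        if ipaddress.ip_address(pkt["dst"]) not in TELESCOPE:
            continue  # not addressed to monitored dark space
        if not is_backscatter(pkt):
            continue  # scans (bare SYN) and other IBR are ignored here
        count[pkt["src"]] += 1
        dests[pkt["src"]].add(pkt["dst"])
    return {
        src: (count[src], len(dests[src]))
        for src in count
        if count[src] >= min_packets and len(dests[src]) >= min_dests
    }


# Constructed sample: 203.0.113.7 answers spoofed SYNs, 198.51.100.9 is a scanner,
# 198.51.100.20 sends a few stray RSTs to one address.
SAMPLE = (
    [{"src": "203.0.113.7", "dst": f"10.{i}.{i * 3}.{i * 7}", "proto": "tcp", "flags": 0x12} for i in range(1, 9)]
    + [{"src": "198.51.100.9", "dst": f"10.9.0.{i}", "proto": "tcp", "flags": 0x02} for i in range(1, 21)]
    + [{"src": "198.51.100.20", "dst": "10.1.2.3", "proto": "tcp", "flags": 0x04}] * 6
)

if __name__ == "__main__":
    print(infer_victims(SAMPLE))
```

Only the source that sends replies to many different dark addresses is reported; the scanner's bare SYNs and the repeated RSTs to a single address are not.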
Some malware will attempt to spread itself by sending traffic to random IP
addresses, in the hope that the receiver is vulnerable to infection. This
type of traffic can also therefore be visible to a network telescope, and is
often especially apparent on telescopes that monitor large amounts of vacant
address space. This has been most famously noticed with the Conficker worm,
but trends in this type of traffic as seen by a telescope can be used to infer
the growth (or decline) of various malware families and botnets over time.
Similarly, routing misconfigurations and software bugs can cause unsolicited
traffic to reach a telescope. File sharing protocols (such as BitTorrent) are
known to send large volumes of network maintenance traffic to telescope IP
addresses, even though those addresses have never participated in file sharing
before. Byte ordering errors when handling IP addresses in networking code can
also result in applications sending traffic to incorrect addresses, and if
the error is widespread and the software is popular then this may become
apparent in the telescope traffic mix.
IBR traffic is not just useful for detecting and studying abnormal or
malicious behaviors on the Internet. Because IBR is so prevalent, the
observed traffic can be treated as a continuous background signal that can be
used to monitor the overall connectivity of networks and geographic regions.
The IODA project accepts IBR data as one of the
inputs that can be used to determine whether a network operator or region has
gone offline – the relative absence of IBR traffic sourced from IP addresses
known to belong to the affected network or area is one possible indicator of an
As analysis tools and data collection methods for network telescopes mature
and therefore allow us to better sift through the traffic that is observed,
we will continue to notice and, in turn, better understand more interesting
behavioral variants. This is one of the goals of the STARDUST project: to
lower the barrier to entry for collecting and exploring telescope data for the
research community as a whole.
To learn more about the types of IBR traffic that can be seen on a network
telescope and how it facilitates interesting research, we suggest reading
the IMC 2015 paper: “Leveraging Internet Background Radiation for Opportunistic Network Analysis”.