A basic challenge for analyzing Internet-scale phenomena such as worms is acquiring sufficiently broad visibility into their workings. Monitoring at a single location may miss the early stages of a worm's spread or, more generally, may lack the diverse perspectives necessary for understanding the worm's large-scale behavior (how many nodes are infected, how fast it propagates, how its activity changes over time).
Network telescopes provide powerful tools for acquiring visibility into various forms of probing, such as scans by attackers and worms. They work by monitoring traffic sent to communication dead-ends such as unallocated portions of the IP address space. Since no legitimate host has reason to send packets to those destinations, such traffic provides strong evidence of malicious activity (or, occasionally, misconfiguration) -- including DDoS backscatter (replies from victims to attack packets carrying spoofed source addresses that happen to fall in the monitored space), port scanning, and probe activity from active worms. Telescopes can potentially provide early warning of a scanning-worm outbreak, and can yield excellent forensic information, enabling detailed understanding of a worm's spread.
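To make the classification concrete, here is an added example (not code from this project) of how packets arriving at a telescope's dark block are separated into backscatter and probes, and how a rising count of distinct probing sources on one port can serve as the early-warning signal mentioned above. The dark block 192.0.2.0/24, the packet records, the time window and the source threshold are all constructed assumptions for illustration.

```python
"""Classify traffic arriving at a network telescope's dark address block.

Added example; the dark block, the constructed packet records and the
thresholds below are assumptions, not data from the project.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Hypothetical unallocated block monitored by the telescope (TEST-NET-1 is
# reserved for documentation, so no legitimate host should send to it).
DARK_BLOCK = ip_network("192.0.2.0/24")


@dataclass
class Pkt:
    ts: float                       # capture time in seconds
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    flags: str = ""                 # TCP flags: "S" SYN, "SA" SYN/ACK, "R"/"RA" RST
    icmp_type: Optional[int] = None


def in_telescope(p: Pkt) -> bool:
    """Only packets addressed into the dark block count as telescope traffic."""
    return ip_address(p.dst) in DARK_BLOCK


def classify(p: Pkt) -> str:
    """A dark address never sends anything, so any *reply* arriving there is
    backscatter (its source is a DDoS victim answering spoofed packets), and
    any *first* packet is an unsolicited probe (its source is the scanner)."""
    if p.proto == "tcp":
        if p.flags in ("SA", "R", "RA"):
            return "backscatter"
        if p.flags == "S":
            return "probe"
        return "other"
    if p.proto == "udp":
        return "probe"
    if p.proto == "icmp":
        if p.icmp_type in (0, 3, 11):   # echo reply, unreachable, time exceeded
            return "backscatter"
        if p.icmp_type == 8:            # echo request: ping sweep
            return "probe"
    return "other"


def summarize(pkts):
    """Return (class counts, backscatter victims, distinct probers per port)."""
    counts = defaultdict(int)
    victims = defaultdict(int)          # backscatter source -> packet count
    probed = defaultdict(set)           # (proto, dport) -> distinct scanner IPs
    for p in pkts:
        if not in_telescope(p):
            continue
        c = classify(p)
        counts[c] += 1
        if c == "backscatter":
            victims[p.src] += 1
        elif c == "probe" and p.dport is not None:
            probed[(p.proto, p.dport)].add(p.src)
    return dict(counts), dict(victims), {k: len(v) for k, v in probed.items()}


def first_outbreak_window(pkts, proto, dport, window=10.0, min_sources=3):
    """Early warning for a scanning worm: start time of the first `window`-second
    bucket in which at least `min_sources` distinct hosts probed (proto, dport),
    or None. Counting distinct sources rather than packets is what separates
    a spreading worm from a single busy scanner."""
    per_bucket = defaultdict(set)
    for p in pkts:
        if (in_telescope(p) and classify(p) == "probe"
                and p.proto == proto and p.dport == dport):
            per_bucket[int(p.ts // window)].add(p.src)
    for b in sorted(per_bucket):
        if len(per_bucket[b]) >= min_sources:
            return b * window
    return None


# Constructed sample capture (not real telescope data).
SAMPLE = [
    # SYN/ACK and RST from a server answering spoofed SYNs: DDoS backscatter
    Pkt(1.0, "198.51.100.7", "192.0.2.17", "tcp", 31337, "SA"),
    Pkt(1.2, "198.51.100.7", "192.0.2.200", "tcp", 4021, "SA"),
    Pkt(1.9, "198.51.100.7", "192.0.2.9", "tcp", 50012, "RA"),
    # one host walking SSH/telnet across the block: a port scan
    Pkt(2.0, "203.0.113.5", "192.0.2.1", "tcp", 22, "S"),
    Pkt(2.1, "203.0.113.5", "192.0.2.2", "tcp", 23, "S"),
    # tcp/445 probes from a growing number of sources: worm-like spread
    Pkt(3.0, "203.0.113.40", "192.0.2.33", "tcp", 445, "S"),
    Pkt(12.0, "203.0.113.40", "192.0.2.34", "tcp", 445, "S"),
    Pkt(14.0, "203.0.113.41", "192.0.2.35", "tcp", 445, "S"),
    Pkt(21.0, "203.0.113.42", "192.0.2.36", "tcp", 445, "S"),
    Pkt(22.0, "203.0.113.43", "192.0.2.37", "tcp", 445, "S"),
    Pkt(23.0, "203.0.113.44", "192.0.2.38", "tcp", 445, "S"),
    # a lone UDP probe and one ping-sweep packet
    Pkt(25.0, "203.0.113.60", "192.0.2.77", "udp", 1434),
    Pkt(26.0, "203.0.113.61", "192.0.2.78", "icmp", icmp_type=8),
    # traffic to an allocated address: not telescope traffic, must be ignored
    Pkt(27.0, "203.0.113.5", "198.51.100.9", "tcp", 22, "S"),
]

if __name__ == "__main__":
    counts, victims, probed = summarize(SAMPLE)
    print("classes:", counts)
    print("backscatter victims:", victims)
    print("probed (proto, port) -> distinct sources:", probed)
    print("tcp/445 outbreak window starts at:",
          first_outbreak_window(SAMPLE, "tcp", 445))
```

On the sample, the single scanner on ports 22 and 23 never trips the outbreak check, while tcp/445 does once three distinct sources appear inside one window; a larger or more diverse capture cross-section simply feeds more records into the same functions.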
When coupled with honeypots, telescopes can be used to interact with potentially malicious traffic in order to determine the intent behind the traffic, including particular vulnerabilities being exploited and follow-on activity after a compromise succeeds.
In this project, we are building a large-scale, diverse telescope, portions of which also include active honeypots. The front-end sensors are spread across a large number of address blocks. We aim to leverage not just unallocated blocks but also unallocated subblocks within allocated blocks, and welcome donations (loans) of such address space.
We reported on our initial network telescope work in:
We aim to expand on this effort both in terms of diversity and scale of the network telescope's capture cross-section, and in the richness of the honeypot responders used to interact with the remote probers. A concrete goal in this regard is a submission to ACM IMC in May, 2006.
We would very much like to thank the sponsors who have made this effort possible: