[Planetlab-announce] network telescope
llp at CS.Princeton.EDU
Thu Apr 15 16:31:24 EDT 2004
I have a request to make of PlanetLab sites... There is an effort
to collect information about worms, ddos backscatter, and other suspect
activity on the Internet. Our ability to do this sort of analysis would
greatly enhanced by having access to IP address blocks spread across the
Internet, for example, at as many PlanetLab sites as possible. My
request is for sites to contribute blocks of, say, 16 otherwise unused
addresses to PlanetLab. I have attached a note from Vern Paxson
the idea, a so called "network telescope". Please let me know if your
site would be willing to contribute (assign) some number of addresses to
PlanetLab for this purpose.
A basic challenge for analyzing Internet-scale malicious phenomena such
as worms and automated scanning is acquiring sufficiently broad
into their workings. Monitoring at a single location may for example
the early stages of a worm's spread or, more generally, lack the diverse
perspectives necessary for capturing large-scale behavior.
A powerful tool for acquiring such broader visibility is a "network
telescope". Network telescopes monitor traffic sent to communication
dead-ends such as unallocated portions of the IP address space or ports
on endhosts for which no server is listening. Since there is no
reason for a host to send packets to those destinations, such traffic
provides strong evidence of malicious activity - including DDoS
port scanning, and probe activity from worms.
Our goal is to build a large-scale telescope with significantly more
sampling breadth and diversity than current telescopes. This telescope
will be structured as two layers. Its front-end sensors will be spread
across a large number of address blocks and monitoring points to achieve
sampling diversity. We'll use both unallocated address blocks (which
attackers can learn about fairly easily) but also unused subblocks
allocated blocks. This latter "dark address space" is much more
for an attacker to learn about and also enables highly diverse
of the sensors.
It's this latter that we're hoping can be done in conjunction with PL
nodes. In particular, the way we picture it working is that the PL
will have multiple addresses assigned to them. A monitor running on the
host then tunnels traffic it receives on the extra addresses over to the
analysis point. It could also tunnel traffic sent to its "normal"
but for which there's no listener.
One crucial issue with building a large telescope is *filtering*. For a
very large telescope, the volume of data collected can be enormous.
for many forms of analysis we can often filter out a great deal of the
traffic. For example, for worm detection we can drop traffic seen by
sensor rather than forwarding it if the traffic does not correspond to
worm activity of possible interest (e.g., it's instead DoS backscatter,
or activity from known worms). Because PL nodes can do computation
they forward traffic over the tunnel (unlike, for example, telescope
based on using routers), they make ideal platforms for developing such
More information about the Announce