SavageSOERR04 - Systems and Networking

The UCSD Network Telescope
A Real-time Monitoring System for
Tracking Internet Attacks
Stefan Savage
David Moore, Geoff Voelker, and Colleen Shannon
Department of Computer Science and Engineering &
Cooperative Association for Internet Data Analysis (at SDSC)
University of California, San Diego
Context
• The Internet has an open communications model
– Benefits: Flexible communication, application innovation
– Drawbacks: Many opportunities for abuse
• The Dark Side to the Internet
– Denial-of-Service Attacks
– Network Worms and Viruses
– Automated Scanning/Break-in Tools
– Etc…
• Question: How big a problem is it really?
Jacobs School of Engineering – Department of Computer Science and Engineering
UCSD CSE
COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS
Media – “The sky is falling… every day”
Consulting Groups & Surveys
• Consultancy estimates
– “Losses … could total more than $1.2 billion”
  - Yankee Group report on year 2000 DDoS attacks
– Cost of Slammer worm $750M-$1B
  - Computer Economics report on year 2000 DDoS attacks
– Others say numbers are different
– Data source, methodology, error, biases unknown
• Surveys
– E.g. CSI/FBI survey reported 38% of respondents encountered DoS activity in 2000
– Summary of anecdotes = good data?
Why is this so hard?
• Quantitative attack data isn’t available
• Inherently hard to acquire
– Few content or service providers collect such data
– If they do, it’s usually considered sensitive
• Infeasible to collect at Internet scale
– How to monitor enough of the Internet to obtain a representative sample?
– How to manage thousands of bilateral legal negotiations?
• Data would be out of date as soon as collected
Network Telescopes
• A way to observe global network phenomena with only local monitoring
• Key observation: a large class of attacks use random addresses
– Worms frequently select new hosts to infect at random
– Many DoS attacks hide their source by randomizing source addresses
• Network Telescope
– A monitor that records packets sent to a large range of unused Internet addresses
– Since attacks are random, a telescope samples attacks
Example: Monitoring Worm Attacks
• Infected host scans for other vulnerable hosts by randomly generating IP addresses
What can we infer?
• How quickly is the worm spreading?
• Which hosts are infected and when?
• Where are they located?
• How quickly are vulnerabilities being fixed?
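The inferences above follow from one fact: a random scan lands in a /8 telescope with probability 2^24 / 2^32 = 1/256. The block below is an added example (not code from the talk or from CAIDA) that turns constructed telescope packets into per-host infection times and Internet-wide scan-rate estimates; the port, addresses and timestamps are all made up.

```python
"""Inferring worm activity from scans that land on a network telescope.
A random-scanning worm picks targets uniformly from the 2**32 IPv4 addresses,
so each scan hits a /8 telescope (2**24 addresses) with probability 1/256.
Hits per source estimate that host's Internet-wide scan rate; the first hit
dates the infection. All sample data below is constructed.
"""
from collections import defaultdict

TELESCOPE_ADDRS = 2 ** 24               # a /8 telescope, as on the slides
P_HIT = TELESCOPE_ADDRS / 2 ** 32       # = 1/256: chance one random scan lands in it
WORM_PORT = 80                          # hypothetical port used by the constructed sample

def expected_time_to_first_hit(scan_rate):
    """Seconds until a host scanning at scan_rate/s is expected to hit the telescope."""
    return 1.0 / (scan_rate * P_HIT)

def analyze_worm_scans(packets, port, window):
    """Map each source to (first_seen, estimated Internet-wide scan rate).

    packets: (timestamp, src_ip, dst_port, tcp_flags) tuples covering
    `window` seconds of telescope traffic; only SYNs to `port` count.
    """
    hits = defaultdict(int)
    first_seen = {}
    for ts, src, dport, flags in packets:
        if dport != port or flags != "S":   # a plain SYN is a connection attempt
            continue
        hits[src] += 1
        first_seen[src] = min(ts, first_seen.get(src, ts))
    # observed hits ~= true scans * P_HIT, so true rate = hits / (P_HIT * window)
    return {src: (first_seen[src], n / (P_HIT * window)) for src, n in hits.items()}

def infected_count_by(results, t):
    """Number of sources whose first telescope hit is at or before time t."""
    return sum(1 for first, _ in results.values() if first <= t)

# Constructed sample: 10 s of telescope traffic (not real telescope data).
SAMPLE = (
    [(0.5 + i, "10.0.0.1", WORM_PORT, "S") for i in range(10)]   # infected at t~0.5
    + [(4.0 + i, "10.0.0.2", WORM_PORT, "S") for i in range(5)]  # infected at t~4
    + [(7.0, "10.0.0.3", 25, "S"), (8.0, "10.0.0.4", WORM_PORT, "A")]  # unrelated
)

if __name__ == "__main__":
    res = analyze_worm_scans(SAMPLE, WORM_PORT, window=10.0)
    for src, (first, rate) in sorted(res.items()):
        print(f"{src}: first seen t={first}s, ~{rate:.0f} scans/s Internet-wide")
    print(f"infected hosts seen by t=5s: {infected_count_by(res, 5.0)}")
    print(f"a 4000 scans/s host hits the telescope after ~{expected_time_to_first_hit(4000):.3f}s")
```

The last line is why a large telescope sees new worms in seconds: a host scanning 4000 addresses/s is expected to touch a /8 within about 64 ms.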
Example: Monitoring Denial-of-Service Attacks
• Attacker floods the victim with requests using random spoofed source IP addresses
• Victim believes requests are legitimate and responds to each spoofed address
• Network telescope can infer that a site sending unsolicited reply packets is being attacked
What can we infer?
• Number of attacks?
• How big are they? How long?
• Who is being attacked?
[Chart: Percent of Attacks (0–35%) by Top-Level Domain of the attacked site, for Week 1, Week 2 and Week 3; TLDs shown: unknown, net, com, ro, br, org, edu, ca, de, uk]
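The backscatter inference of the previous two slides, as an added example (not the talk's or CAIDA's own code): unsolicited replies arriving at the telescope are grouped by their source, which is the victim, and the observed rate is scaled by 256 to estimate the flood. The packet records, addresses and reporting thresholds are constructed for illustration.

```python
"""Backscatter analysis: locating DoS victims from unsolicited replies.
A victim flooded with SYNs carrying random spoofed sources answers every one;
with a /8 telescope, 1/256 of those answers land on addresses nobody uses.
Unsolicited SYN-ACK, RST and ICMP-unreachable packets thus point back at the
victim, and scaling their rate by 256 estimates the flood. Sample data is constructed.
"""
from collections import defaultdict

P_HIT = 2 ** 24 / 2 ** 32          # /8 telescope: fraction of replies it catches
BACKSCATTER = {("tcp", "SA"), ("tcp", "R"), ("tcp", "RA"), ("icmp", "unreach")}

def is_backscatter(pkt):
    """True if the packet is a reply that nothing on the telescope asked for."""
    return (pkt["proto"], pkt["type"]) in BACKSCATTER

def find_attacks(packets, min_packets=4, min_dsts=3):
    """Group backscatter by source (the victim) and size each attack.
    packets: dicts with keys ts, src, dst, proto, type. A source is reported
    when it sends >= min_packets unsolicited replies to >= min_dsts distinct
    telescope addresses (thresholds are constructed, not the talk's)."""
    by_victim = defaultdict(list)
    for p in packets:
        if is_backscatter(p):
            by_victim[p["src"]].append(p)
    attacks = {}
    for victim, pkts in by_victim.items():
        dsts = {p["dst"] for p in pkts}
        if len(pkts) < min_packets or len(dsts) < min_dsts:
            continue               # too few to distinguish from stray replies
        duration = max(p["ts"] for p in pkts) - min(p["ts"] for p in pkts)
        observed_rate = len(pkts) / duration if duration > 0 else float(len(pkts))
        attacks[victim] = {"packets": len(pkts), "distinct_dsts": len(dsts),
                           "duration_s": duration, "est_attack_rate": observed_rate / P_HIT}
    return attacks

# Constructed sample (not real telescope data): one victim answering a spoofed
# SYN flood, two stray RSTs from another host, and a scanner's own SYN.
SAMPLE = (
    [{"ts": float(i), "src": "192.0.2.10", "dst": f"10.0.0.{i}", "proto": "tcp", "type": "SA"}
     for i in range(5)]
    + [{"ts": 1.0, "src": "198.51.100.5", "dst": "10.0.1.1", "proto": "tcp", "type": "R"},
       {"ts": 1.5, "src": "198.51.100.5", "dst": "10.0.1.2", "proto": "tcp", "type": "R"},
       {"ts": 2.0, "src": "203.0.113.7", "dst": "10.0.2.2", "proto": "tcp", "type": "S"}]
)

if __name__ == "__main__":
    for victim, info in find_attacks(SAMPLE).items():
        print(f"{victim}: {info['packets']} backscatter pkts over {info['duration_s']}s, "
              f"~{info['est_attack_rate']:.0f} pkt/s flood")
```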
What’s special about the UCSD Network Telescope?
• Our Telescope is very large and size does matter
– The more addresses monitored, the more accurate, quick and precise the results
• We have access to more than 1/256 of all Internet addresses (> 16M IP addresses)
– Unprecedented insight into global attack activity
– Can detect new attacks and worms in seconds with low error
Special thanks to Jim Madden & Brian Kantor from UCSD Network Operations whose support makes this research possible
Summary
• High quality global estimates on Internet security events (Worms, DDoS)
– ~4000 DoS attacks per week; attacks on network infrastructure
– Have observed worms spreading faster than 50M hosts per second
• Collecting ongoing longitudinal data set (20GB/day)
• Value of data & methodology
– Research: widely used in modeling network attacks and designing defenses
– Operations: identifies infected hosts and sites being attacked; variant of backscatter analysis now used by top ISPs
– Policy: helps justify and prioritize resources appropriately
Current Work
• Network Honeyfarm
– Cluster of dummy servers whose sole purpose is to be infected and observed
– Collect detailed analysis of new attacks
– Can be extended to capture non-random attacks (e.g. e-mail, instant messenger), which are a weakness of the telescope
• Automated network defenses
– Automatically detect, characterize and suppress new network attacks or outbreaks
– Respond orders of magnitude more quickly than humans can