Less is More? Exploring the Impact of Scaled-Down Network Telescopes on Security and Research
Resumo
Cyber threat intelligence relies on network telescopes for detecting attack, and emerging threats, traditionally utilizing a substantial portion of the IPv4 address space. However, the escalating scarcity and value of this resource force universities and companies to grapple with the challenge of re-purposing their address spaces, potentially impacting cybersecurity effectiveness and hindering research efforts. In this paper we investigate the historical usage of IPv4 addressing space in network telescopes and explores the impact of reducing this space on their ability to identify attackers and collect valuable research data. Our findings reveal that even halving the allocated space for a network telescope may still permits the detection of 80% of unique cyber attack sources, and the address allocation schema have low influence in this detection.
Referências
Antonakakis, M., April, T., Bailey, M., Bernhard, M., Bursztein, E., Cochran, J., Durumeric, Z., Halderman, J. A., Invernizzi, L., Kallitsis, M., et al. (2017). Understanding the mirai botnet. In 26th USENIX security symposium (USENIX Security 17), pages 1093–1110.
APNIC (2024). Apic ipv4 exhaustion. [link]. (Accessed on 2024/04/16).
Balkanli, E. and Zincir-Heywood, A. N. (2014). On the analysis of backscatter traffic. In 39th Annual IEEE Conference on Local Computer Networks Workshops, pages 671–678. IEEE.
Cabana, O., Youssef, A. M., Debbabi, M., Lebel, B., Kassouf, M., Atallah, R., and Agba, B. L. (2021). Threat intelligence generation using network telescope data for industrial control systems. IEEE Transactions on Information Forensics and Security.
CAIDA (2018). Supporting research and development of security technologies through network and security data collection. [link]. (Accessed on 01/21/2024).
CAIDA (2024). Historical and Near-Real-Time UCSD Network Telescope Traffic Dataset. [link]. Accessed on 2024/04/16.
Chindipha, S. D., Irwin, B., and Herbert, A. (2018). Effectiveness of sampling a small sized network telescope in internet background radiation data collection. In Southern Africa Telecommunication Networks and Applications Conference (SATNAC).
Cooke, E., Bailey, M., Mao, Z. M., Watson, D., Jahanian, F., and McPherson, D. (2004a). Toward understanding distributed blackhole placement. In Proceedings of the 2004 ACM workshop on Rapid malcode, pages 54–64.
Cooke, E., Bailey, M., Watson, D., Jahanian, F., and Nazario, J. (2004b). The internet motion sensor: A distributed global scoped internet threat monitoring system. Technical Report CSE-TR-491-04.
d’Andréa, E., François, J., Festor, O., and Zakroum, M. (2023). Multi-label classification of hosts observed through a darknet. In NOMS 2023-2023 IEEE/IFIP Network Operations and Management Symposium, pages 1–6. IEEE.
Fachkha, C. and Debbabi, M. (2016). Darknet as a source of cyber intelligence: Survey, taxonomy, and characterization. IEEE Communications Surveys & Tutorials.
Google Cloud (2023). Google cloud virtual private cloud (vpc) pricing. [link]. Accessed: 2024/04/16.
Han, C., Takeuchi, J., Takahashi, T., and Inoue, D. (2022). Dark-tracer: Early detection framework for malware activity based on anomalous spatiotemporal patterns. IEEE Access, 10:13038–13058.
Harder, U., Johnson, M. W., Bradley, J. T., and Knottenbelt, W. J. (2006). Observing internet worm and virus attacks with a small network telescope. Electronic Notes in Theoretical Computer Science, 151(3):47–59.
Harrop, W. and Armitage, G. (2005). Defining and evaluating greynets (sparse darknets). In The IEEE Conference on Local Computer Networks 30th Anniversary (LCN’05) l, pages 344–350. IEEE.
Huides, A., Santhanam, A., and Lehwess, M. (2023). Identify and optimize public ipv4 address usage on aws — networking & content delivery. [link]. Accessed: 2024/04/16.
IPv4 Global (2023). November 2023 sales report. [link]. Accessed: 2024/04/16.
Jonker, M., King, A., Krupp, J., Rossow, C., Sperotto, A., and Dainotti, A. (2017). Millions of targets under attack: a macroscopic characterization of the dos ecosystem. In Proceedings of the 2017 Internet Measurement Conference, IMC ’17, page 100–113, New York, NY, USA. Association for Computing Machinery.
LACNIC (2024). Estadísticas de asignación de lacnic. [link]. (Accessed on 2024/04/16).
Le Malécot, E. and Inoue, D. (2014). The carna botnet through the lens of a network telescope. In Foundations and Practice of Security: 6th International Symposium, FPS 2013, La Rochelle, France, October 21-22, 2013, Revised Selected Papers, pages 426–441. Springer.
Merit Network (2024). Orion Network Telescope – Merit. [link]. Accessed: 2024/04/16.
Moore, D., Shannon, C., Voelker, G. M., and Savage, S. (2004). Network telescopes: Technical report.
Pauley, E., Barford, P., and McDaniel, P. (2023). DScope: A Cloud-Native internet telescope. In 32nd USENIX Security Symposium (USENIX Security 23), pages 5989–6006, Anaheim, CA. USENIX Association.
Pemberton, D., Komisarczuk, P., and Welch, I. (2007). Internet background radiation arrival density and network telescope sampling strategies. In 2007 Australasian Telecommunication Networks and Applications Conference, pages 246–252.
Richter, P. and Berger, A. (2019). Scanning the scanners: Sensing the internet from a massively distributed network telescope. In Proceedings of the Internet Measurement Conference, pages 144–157.
Richter, P., Gasser, O., and Berger, A. (2022). Illuminating large-scale ipv6 scanning in the internet. In Proceedings of the 22nd ACM Internet Measurement Conference, IMC ’22, page 410–418, New York, NY, USA. Association for Computing Machinery.
RIPE (2024). What is ipv4 run out? [link]. (Accessed on 2024/04/16).
Soro, F., Allegretta, M., Mellia, M., Drago, I., and Bertholdo, L. M. (2020). Sensing the noise: Uncovering communities in darknet traffic. In 2020 Mediterranean Communication and Computer Networking Conference (MedComNet), pages 1–8.
Soro, F., Drago, I., Trevisan, M., Mellia, M., Ceron, J., and J. Santanna, J. (2019). Are darknets all the same? on darknet visibility for security monitoring. In 2019 IEEE International Symposium on Local and Metropolitan Area Networks (LANMAN), pages 1–6. ISSN: 1944-0375.
Strowes, S. D., Aben, E., Wilhelm, R., Obser, F., Stagni, R., and Formoso, A. (2020). Debogonising 2a10::/12: Analysis of one week’s visibility of a new/12. In TMA.
Wagner, D., Ranadive, S. A., Griffioen, H., Kallitsis, M., Dainotti, A., Smaragdakis, G., and Feldmann, A. (2023). How to operate a meta-telescope in your spare time. In Proceedings of the 2023 ACM on Internet Measurement Conference, IMC ’23, page 328–343, New York, NY, USA. Association for Computing Machinery.