is a tool that monitors the backscatter of spoofed
IP traffic destined to what is known as "Internet dark address space".
Imagine an attack on some IP address but with the attack originating
from totally random, spoofed IP addresses. When the victim attempts to
reply to some of these attack packets (SYN, ICMP, etc.) the response
will go back to what it assumes is the originating IP address. Some of
those replies will go back to "Internet dark address space". Dark IP
address is space that is globally routable, but currently there are no
computers in this network. In other words, there should never be any
packets destined to this particular network. If this is not clear,
one can watch a
90 second video
from CAIDA that describes this method
of using backscatter detection.
There are other Internet telescopes out there like the one at
was the first to document it and present analysis numbers and has done some more recent
in this area.
The packets that are received by the telescope can be roughly
categorized into 4 categories:
Host/Port scanning: Host/Port scanning are usually programs that
are used by hackers to learn about the computers and ports that are open
in the network (and possibly available for compromise). In this case the
Telescope would capture the packets of the scanners. A worm attack is a
program that exploits a bug in the operating system to install a virus,
that in turn, will try to spread and infect other machines on the
network. The Telescope would capture the packets sent by an infected
machine in their attempt to infect a new machine in the Telescope "dark
Backscatter from spoofed DDOS attacks throughout the world: A
Denial of Service attack, is an attack where a hacker tries to consume
network resources, by sending lots of traffic to a specific victim. The
Telescope can monitor which networks in the global Internet are under
attack by spoofed, random packets. We can understand this better with an
example. Consider the case where victim Y, somewhere in the Internet, is
under a spoofed TCP SYN attack. The victim responds with SYN-ACK to the
spoofed source address. Since the source was randomly spoofed, it most
probably would also send a SYN-ACK response to the Riverhead-IUCC
monitor network. Hence, the monitor should capture a SYN-ACK packet from
the victim. Since, the monitor network is a /16 (of which there are
65,536 such /16s networks in the Internet), we end up capturing
1/65536th of the volume of the spoofed attack (assuming the spoofing was
indeed random). The rate of the attack seen by the telescope is actually
a lower bound on the actual attack rate. This is because the telescope
receives the rate that the victim can still handle (i.e., we see SYN-ACK
packets only to the part of traffic that the victim can still handle and
provide an answer to the SYN received; if the computer is overloaded
then SYN packets will be ignored by the victim). This method was first
Inferring Internet Denial-of-Service Activity David Moore,
Geoffrey Voelker, Stefan Savage, (USENIX Security, 2001).
Configuration Mistakes: a flow that lives for a very short time, and
that cannot be categorized to one of the above categories is basically
labeled as configuation mistakes of one of the computers in the
Other: a long flow that could not be categorized to any of the
In general the distribution of packets into these four categories is as follows:
Internet telescope packet distribution
Type of packet
Attacks not seen
By far, not all DDOS attacks can be seen by a Network Telescope. Those that cannot be
Bogon attacks: A bogon attack is an attack that comes with a source IP that
should never appear in the Internet global routing tables. A
list of bogons is available from Team CYMRU.
IUCC filters out some but not all of the bogons so in general, the Network Telescope
will not see bogon attacks.
uRPF filtering: Even spoofed attacks may not reach a Network Telescope if they
are stopped along the way via a method known as Reverse Path Forwarding filtering. See
for further details.
Non-spoofed attacks: An attacker can always attack a victim directly, using
any number of
to try to overwhelm the resources of the victim. In general,
these type of attacks would be easy to backtrack and to determine who the attacker was,
so we assume most attacks are no longer of this type.
Botnet attacks: Since attacking with an identifable IP would lead to
backtracking, attackers now use what is known as a
botnet or zombies attack. By infecting many PCs and
using them as a proxy for launching their attack, attackers are able to hide
their identity. Since a botnet attack is in general not spoofed, a Network Telescope would not
see such an attack. There have been cases of botnet attacks with spoofed IP addresses
but the attacker then takes the chance that some of the attack packets might be filtered
by uRPF checking.
It is assumed, that most attacks these days on the Internet are
launched by botnets.
The dominate source port for traffic that is classified as DDOS.
This is the port that the victim was attacked with
The dominate destination port of traffic that reached the telescope
1. Information on the traffic characteristic, especially ports. We
output the top ten
in regards to viewed spoofed attacks for every day of
the last week.
2. A daily list of Machba systems that have been determined to have a
Infected systems are those that have been seen to be scanning consecutive IP addresses,
whereas a worm is defined as probing a specific list of predefined ports on random IPs.