Unveiling the Power Of Network Telescopes for Cybersecurity
By Tom Seest
At BestCybersecurityNews, we help entrepreneurs, solopreneurs, young learners, and seniors learn more about cybersecurity.
A network telescope, also referred to as a darknet, Internet motion sensor, or black hole, is an instrument that observes large-scale events on the Internet. This enables security researchers to pinpoint the sources of different types of traffic, like randomly scanning worms, DDoS backscatter, misconfiguration, and more.
The UCSD Network Telescope is an Internet-wide passive monitoring system built upon a globally routed but lightly utilized /9 and /10 network under CAIDA stewardship. As it carries almost no legitimate traffic, it provides continuous surveillance of anomalous unsolicited activity.
Network telescopes are systems used to observe major Internet events. This enables researchers to view remote network security incidents, such as denial-of-service (DoS) attacks and the spread of Internet worms.
Network telescopes can be used to track unused or “dark” IP addresses that serve no users, commonly referred to as the darknet. This enables researchers to record network scanners, malware that targets vulnerable devices, and other suspicious activities in an effort to catch malicious actors.
The aim of the research is to develop an algorithm that can detect malicious activities and notify network administrators. This is an essential step in improving cybersecurity posture, meaning organizations must be able to recognize and monitor potential threats.
Researchers use the data gathered by the network telescope to analyze a range of cyber events, such as backscattering, DDoS attacks, worm propagation, and scanning. Furthermore, this insight can be used to improve antivirus software’s overall efficiency.
CAIDA’s network telescope at UCSD is one of a few instruments that offers an international view of the uncharted territories of the Internet. By monitoring traffic heading for this largely empty section, its staff have been able to uncover several worms and other security risks on this uninhabited part of the web.
For instance, the UCSD network telescope has monitored the Code-Red worm, which infected nearly 360,000 computers within 14 hours. Additionally, it tracked SQL Slammer and Sapphire, which spread to 75,000 machines within 10 minutes of infection.
Many security professionals were initially skeptical of using network telescopes in cybersecurity but now recognize their potential to offer valuable insights about Internet traffic and threats that target it. As a result, cybersecurity practitioners are taking advantage of these systems to strengthen their networks and avoid cyberattacks.
At present, there are numerous threats to the Internet and networks which require constant monitoring and evaluation. These include phishing attacks, DDoS attacks, ransomware attacks, spyware attacks, and more – all with the goal of gaining access to sensitive information like passwords or credit card numbers. Unfortunately, these types of incidents can also cause severe harm to organizations with which these services interact.
Network telescopes are a group of telescopes that can communicate with one another to collect data about certain events. Linking together an extensive number of telescopes improves the quality and coverage of many time-domain observations while also decreasing the cost of specialized hardware.
Network telescopes in cybersecurity can monitor the spread of worms and distributed denial-of-service attacks, especially by identifying their source. With this data, scientists can create a global early warning system and find ways to suppress outbreaks before they become pandemic-sized issues.
Numerous research groups have utilized network telescopes to monitor malicious traffic. These studies focused on backscatter from random spoofed source denial-of-service attacks, worm propagation analysis and time series and data mining techniques applied to telescope traffic.
For example, UCSD’s Network Telescope is an Internet sink built on a globally routed but lightly utilized /9 and /10 network that continuously observes anomalous unsolicited traffic – known as Internet Background Radiation (IBR). This data can be used to monitor the spread of malicious activities like worms and DDoS attacks.
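As an added example (not code from this post or from CAIDA), the following Python snippet applies the distinction drawn above between scanning and DDoS backscatter to constructed packet records arriving at an assumed dark /24; the prefix, sample records and function names are assumptions.

```python
# Added example (not from the original post or CAIDA): label constructed
# darknet packet records the way a network telescope analysis would.
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical unused /24 standing in for a telescope's dark address space.
DARKNET = ip_network("203.0.113.0/24")

# Constructed records: (src_ip, dst_ip, proto, dst_port, tcp_flags).
# Flags: "S" = SYN, "SA" = SYN-ACK, "R" = RST, "" = non-TCP.
SAMPLE = [
    ("198.51.100.7", "203.0.113.10", "tcp", 445, "S"),
    ("198.51.100.7", "203.0.113.11", "tcp", 445, "S"),
    ("198.51.100.7", "203.0.113.12", "tcp", 445, "S"),
    ("192.0.2.80", "203.0.113.20", "tcp", 80, "SA"),
    ("192.0.2.80", "203.0.113.21", "tcp", 80, "SA"),
    ("192.0.2.80", "203.0.113.22", "tcp", 80, "R"),
    ("192.0.2.9", "203.0.113.5", "icmp", 0, ""),
]

def classify(rec):
    """Label one packet that arrived at the dark address space."""
    src, dst, proto, port, flags = rec
    if ip_address(dst) not in DARKNET:
        return "not-darknet"
    if proto == "tcp" and flags == "S":
        return "scan"          # unsolicited SYN: someone probing for a service
    if proto == "tcp" and flags in ("SA", "R"):
        return "backscatter"   # reply to a spoofed source: sender is a DoS victim
    if proto == "icmp":
        return "backscatter"   # ICMP errors likewise answer spoofed packets
    return "other"

def summarize(records):
    """Number of distinct dark targets per (label, source) pair."""
    seen = defaultdict(set)
    for rec in records:
        seen[(classify(rec), rec[0])].add(rec[1])
    return {key: len(targets) for key, targets in seen.items()}

def probable_victims(records, min_targets=2):
    """Sources whose backscatter reached several dark addresses: likely DDoS victims."""
    return sorted(src for (label, src), n in summarize(records).items()
                  if label == "backscatter" and n >= min_targets)

def probable_scanners(records, min_targets=2):
    """Sources that sent SYNs to several dark addresses: horizontal scanners."""
    return sorted(src for (label, src), n in summarize(records).items()
                  if label == "scan" and n >= min_targets)
```

On real telescope data the same grouping is done per time window, since a single SYN to a dark address is noise while hundreds per minute from one source is a scan.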
Worms and viruses often spread by exploiting vulnerabilities on the Internet, such as OpenSSL, or by exploiting software vulnerabilities within operating systems to install backdoors on infected machines. If left unchecked, these malicious programs can cause extensive destruction to the computers they infect.
Research teams at the University of California, San Diego, have been monitoring the spread of “GO#WEBBFUSCATOR,” a computer virus. This malware takes advantage of users’ lax security habits: it lures them with photos taken during Webb’s inaugural flight and then downloads an executable script if certain Word macros are enabled.
The UCSD network telescope can monitor all types of traffic, from malicious attacks to scanning activity. It has even detected worms that spread automatically and DoS attacks targeting computers in specific countries.
Data collected by a network telescope can be used to gauge a country’s Internet security posture. For instance, research conducted by CAIDA revealed that Romania had an unusually high attack rate compared to its overall Internet traffic volume – suggesting it’s an attractive target for hackers. Furthermore, this information can be used to detect and track country-level Internet penetration rates as well as assess how government policies impact access to broadband internet services.
Network telescopes in cybersecurity can assist in recognizing and mitigating network security events. For instance, it may detect the source of an Internet worm that could do extensive damage to your organization’s systems, or it could detect a denial-of-service attack that could cause data loss and network congestion.
The network telescope also allows for the observation of large-scale, high-volume events that are typically not observed by traditional monitoring sources. This traffic, known as darknet traffic, consists of various activities like random scanning worms and DDoS backscatter packets.
These types of data have been extensively studied by many researchers and are considered one of the best sources of cybersecurity information. Unfortunately, they also carry serious privacy and security risks, such as advertising vulnerable machines and disclosing backdoors created by worms or viruses that could grant access to an infected computer.
Network telescopes not only alert you to threats, but they can also slow down attackers and make it more difficult for them to break into your networks. Segmenting your networks keeps sensitive resources, such as confidential data, separate from other network assets and thus protects them from theft or compromise.
Another advantage of employing a network telescope is that it provides insight into the security landscape surrounding industrial control systems (ICS). Due to their vast number and potential for disruption, these devices make ideal targets for malicious actors.
Due to these reasons, ICSs are frequently the target of reconnaissance campaigns that scan across broad internet blocks in search of vulnerable systems. These attacks can have devastating effects on ICS operations and result in prolonged downtime or network congestion.
These reconnaissance attacks are typically directed at a single system or group of computers but can sometimes spread infection to other systems as well. If your organization is large or government-affiliated, such an incident could prove disastrous for everyone involved – including your entire enterprise and government agencies.
Network telescopes monitor Internet traffic destined for an area of IP address space that serves no users, known as the “dark” or “unused” part of the network. These data streams could give network operators and system administrators a better insight into potential threats such as malicious scans, malware, and other dubious activity.
In February, cybersecurity researchers at the University of California, San Diego’s Cooperative Association for Internet Data Analysis (CAIDA) used a network telescope to track worm infestations in Romania – known as an epicenter for hackers. They discovered that Romanian computers were being particularly hard hit, an unexpected finding given their relatively low volume of Internet traffic.
Network telescopes can be invaluable in detecting and analyzing hacker activities, but they come with certain limitations when used for cybersecurity purposes. Most commonly, they cannot accurately detect coordinated scanning events caused by malware – particularly worms that spread rapidly and may contain numerous backdoors that allow an attacker to gain access to a system. This limitation makes them ineffective against threats like ransomware.
Network telescopes face a unique set of challenges when trying to monitor coordinated scanning activities, including the dynamic nature of internet traffic. Real-time data monitoring is essential to capture even the tiniest and most significant anomalies in this stream.
The UCSD network telescope is a globally routed, lightly utilized /9 and /10 network that captures an ongoing view of anomalous unsolicited traffic referred to as Internet Background Radiation (IBR). IBR can be caused by numerous events like random-source distributed denial-of-service attacks, automated spread of Internet worms and viruses, scanners seeking vulnerable devices or misconfigurations, as well as various types of packet spoofing.
Therefore, it can be challenging to clean darknet data for use in threat intelligence generation. This paper proposes a probabilistic darknet preprocessing model and an innovative approach for inferring large-scale orchestrated probing campaigns using network telescope data. Furthermore, it presents an effective algorithm for analyzing darknet data and detecting scans targeting open resolvers like DNS or SSDP.