Unsolicited traffic sent to advertised network space that does not host active
services provides insights about misconfigurations as well as potentially
malicious activities, including the spread of botnets, DDoS campaigns, and
exploitation of vulnerabilities. Network telescopes have been used for many
years to monitor such unsolicited traffic. Unfortunately, they are limited by
the available address space for such tasks and, thus, limited to specific
geographic and/or network regions.
In this paper, we introduce a novel concept to broadly capture unsolicited Internet traffic, which we call a "meta-telescope". A meta-telescope is based on the intuition that, with the availability of appropriate vantage points, one can (i) infer which address blocks on the Internet are unused and (ii) capture traffic towards them—both without having control of such address blocks. From this intuition, we develop and evaluate a methodology for identifying Internet address space that is unlikely to be used and build a meta-telescope that has very desirable properties, such as broad coverage of dark space both in terms of size and topological placement. Such a meta-telescope identifies and captures unsolicited traffic to more than 350k /24 blocks in more than 7k ASes. Through the analysis of background radiation towards these networks, we also highlight that unsolicited traffic differs by destination network/geographic region as well as by network type. Finally, we discuss our experience and challenges when operating a meta-telescope in the wild.