[IUCC logo] [IDC logo]

The IUCC/IDC Internet Telescope


An Internet Telescope is a tool that monitors the backscatter of spoofed IP traffic destined to what is known as "Internet dark address space". Imagine an attack on some IP address but with the attack originating from totally random, spoofed IP addresses. When the victim attempts to reply to some of these attack packets (SYN, ICMP, etc.) the response will go back to what it assumes is the originating IP address. Some of those replies will go back to "Internet dark address space". Dark IP address is space that is globally routable, but currently there are no computers in this network. In other words, there should never be any packets destined to this particular network. If this is not clear, one can watch a 90 second video from CAIDA that describes this method of using backscatter detection.

The Israel InterUniversity Computation Center (IUCC) has assigned a /16 (former Class B - with 65,536 IP addresses), which is "dark space", as a place where the InterDisciplinary Center in Herzliya Israel, has been able to install a network monitor, which receives "backscatter" packets from all over the Internet. Before the IDC, Riverhead Networks operated the telescope before being bought out by Cisco.

There are other Internet telescopes out there like the one at SWITCH. CAIDA was the first to document it and present analysis numbers and has done some more recent research in this area.

Attacks seen

The packets that are received by the telescope can be roughly categorized into 4 categories:

  1. Host/Port scanning: Host/Port scanning are usually programs that are used by hackers to learn about the computers and ports that are open in the network (and possibly available for compromise). In this case the Telescope would capture the packets of the scanners. A worm attack is a program that exploits a bug in the operating system to install a virus, that in turn, will try to spread and infect other machines on the network. The Telescope would capture the packets sent by an infected machine in their attempt to infect a new machine in the Telescope "dark space" network.
  2. Backscatter from spoofed DDOS attacks throughout the world: A Denial of Service attack, is an attack where a hacker tries to consume network resources, by sending lots of traffic to a specific victim. The Telescope can monitor which networks in the global Internet are under attack by spoofed, random packets. We can understand this better with an example. Consider the case where victim Y, somewhere in the Internet, is under a spoofed TCP SYN attack. The victim responds with SYN-ACK to the spoofed source address. Since the source was randomly spoofed, it most probably would also send a SYN-ACK response to the Riverhead-IUCC monitor network. Hence, the monitor should capture a SYN-ACK packet from the victim. Since, the monitor network is a /16 (of which there are 65,536 such /16s networks in the Internet), we end up capturing 1/65536th of the volume of the spoofed attack (assuming the spoofing was indeed random). The rate of the attack seen by the telescope is actually a lower bound on the actual attack rate. This is because the telescope receives the rate that the victim can still handle (i.e., we see SYN-ACK packets only to the part of traffic that the victim can still handle and provide an answer to the SYN received; if the computer is overloaded then SYN packets will be ignored by the victim). This method was first introduced by Inferring Internet Denial-of-Service Activity David Moore, Geoffrey Voelker, Stefan Savage, (USENIX Security, 2001).
  3. Configuration Mistakes: a flow that lives for a very short time, and that cannot be categorized to one of the above categories is basically labeled as configuation mistakes of one of the computers in the Internet.
  4. Other: a long flow that could not be categorized to any of the above groupings.

In general the distribution of packets into these four categories is as follows:

Internet telescope packet distribution
Type of packetpercentage
Host/port scanning
DDOS backscatter
Configuration mistakes

Attacks not seen

By far, not all DDOS attacks can be seen by a Network Telescope. Those that cannot be seen are:

  1. Bogon attacks: A bogon attack is an attack that comes with a source IP that should never appear in the Internet global routing tables. A list of bogons is available from Team CYMRU. IUCC filters out some but not all of the bogons so in general, the Network Telescope will not see bogon attacks.
  2. uRPF filtering: Even spoofed attacks may not reach a Network Telescope if they are stopped along the way via a method known as Reverse Path Forwarding filtering. See slide 118 for further details.
  3. Non-spoofed attacks: An attacker can always attack a victim directly, using any number of attack tools to try to overwhelm the resources of the victim. In general, these type of attacks would be easy to backtrack and to determine who the attacker was, so we assume most attacks are no longer of this type.
  4. Botnet attacks: Since attacking with an identifable IP would lead to backtracking, attackers now use what is known as a botnet or zombies attack. By infecting many PCs and using them as a proxy for launching their attack, attackers are able to hide their identity. Since a botnet attack is in general not spoofed, a Network Telescope would not see such an attack. There have been cases of botnet attacks with spoofed IP addresses but the attacker then takes the chance that some of the attack packets might be filtered by uRPF checking. It is assumed, that most attacks these days on the Internet are launched by botnets.


The dominate source port for traffic that is classified as DDOS. This is the port that the victim was attacked with

The dominate destination port of traffic that reached the telescope

1. Information on the traffic characteristic, especially ports. We output the top ten destination ports and source ports in regards to viewed spoofed attacks for every day of the last week.

2. A daily list of Machba systems that have been determined to have a worm or been infected. Infected systems are those that have been seen to be scanning consecutive IP addresses, whereas a worm is defined as probing a specific list of predefined ports on random IPs.

This page is maintained by Hank Nussbacher (hank@mail.iucc.ac.il) and Anat Bremler-Barr (bremler@idc.ac.il)