text-only page produced automatically by LIFT Text Transcoder Skip all navigation and go to page contentSkip top navigation and go to directorate navigationSkip top navigation and go to page navigation
National Science Foundation Home National Science Foundation - Computer & Information Science & Engineering (CISE)
Computer & Information Science & Engineering (CISE)
design element
CISE Home
About CISE
Funding Opportunities
Awards
News
Events
Discoveries
Publications
Advisory Committee
Career Opportunities
Advisory Committee for Cyberinfrastructure
See Additional CISE Resources
View CISE Staff
CISE Organizations
Advanced Cyberinfrastructure (ACI)
Computing and Communication Foundations (CCF)
Computer and Network Systems (CNS)
Information & Intelligent Systems (IIS)
Proposals and Awards
Proposal and Award Policies and Procedures Guide
  Introduction
Proposal Preparation and Submission
bullet Grant Proposal Guide
  bullet Grants.gov Application Guide
Award and Administration
bullet Award and Administration Guide
Award Conditions
Other Types of Proposals
Merit Review
NSF Outreach
Policy Office
Additional CISE Resources
Contact CISE OAD
Subscribe to receive special CISE announcements
Serving and Working at NSF
Assistant Director's Presentations and Congressional Testimony
CISE Dear Colleague Letters
CISE Distinguished Lecture Series
Webcasts/Webinars
Designing Disruptive Learning Technologies Webinars
WATCH Series
Workshops
CS Bits & Bytes
Big Data Research Initiative
US Ignite at NSF
CISE Strategic Plan for Broadening Participation
Science, Engineering and Education for Sustainability NSF-Wide Investment (SEES)
Other Site Features
Special Reports
Research Overviews
Multimedia Gallery
Classroom Resources
NSF-Wide Investments

Email this pagePrint this page

Discovery
Network Telescope Offers Global View of Internet's Dark Side

UCSD's network telescope looks at the dark side of the Internet--traffic destined for a part of the Internet with legal addresses but no active computers. By watching this supposedly dark Internet, researchers have shed light on malicious activities.

World map showing the spread of the Code Red worm in 2001
Video available View video

The spread of the Code Red worm in 2001 was captured by the UCSD Network Telescope.
Credit and Larger Version

October 13, 2004

Something weird is happening in Romania. That was only one of the surprises that researchers with the Cooperative Association for Internet Data Analysis (CAIDA) found when they began analyzing data from UCSD's network telescope -- one of only a handful of such instruments that provide a global view of the dark side of the Internet.

Unlike many network monitoring tools, UCSD's network telescope looks at the literal dark side of the Internet -- Internet traffic destined for an unoccupied section of the Internet, with legal addresses but no active computers. By monitoring this supposedly dark section of Internet, the CAIDA team has shed new light on denial-of-service attacks and Internet worm infestations.

"The telescope provides us with a unique window on activities that shouldn't be happening," said David Moore, senior technical manager for CAIDA, which is based at the San Diego Supercomputer Center at the University of California, San Diego (UCSD). "The telescope gives us a view of what's going on and what might be coming up, as well as clues for how to build better defense systems."

In July 2001, for example, the network telescope captured a picture of the Internet buckling under the spread of the Code Red worm, which infected nearly 360,000 computers in less than 14 hours. Then in a mere 10 minutes in January 2003, the Sapphire (or Slammer) worm infected at least 75,000 computers -- an estimated 90 percent of the computers vulnerable to that worm. Then in March 2004, the Witty worm infected 12,000 computers all running the same software, from an Internet security company no less.

"Each of these worms pushed the envelope in a different way," Moore said. "Code Red was a wake-up call, that these things could happen so fast. Slammer came along and did the same thing in 10 minutes.

"Witty infected a smaller number of hosts, but it still worked. It showed that niche products are not necessarily immune. Witty is also the first destructive worm to succeed. It shows an attack sophisticated enough to keep a machine up long enough to spread before killing it."

Among the lessons learned from CAIDA's analysis of the telescope data is "the extent to which home and small office users have on Internet health," said CAIDA researcher Colleen Shannon. "These are the biggest pool of systems that make the attacks possible."

A second lesson is that the patching model for fixing security problems just isn't working, according to Shannon. Even though vendors had released patches to eliminate the vulnerabilities exploited by each of the three worms, thousands of computers were still infected.

While the telescope has shed light on Internet worms, that wasn't the primary reason it was established. The idea came almost by accident, Moore said. As part of their ongoing Internet analysis, CAIDA had set up monitors to watch traffic on parts of the Internet. And they soon noticed a lot of what they imagined was junk data -- messages destined for vacant Internet addresses.

(Some of the traffic picked up by the telescope is, in fact, junk -- caused by broken software, errors or typos. Understanding this "background noise" is important for developers of security tools who need to distinguish true junk from malicious behavior.)

Closer analysis revealed that much of the so-called junk was actually the fall-out from denial-of-service (DoS) attacks, in which an Internet server is overloaded with phony requests for information. Because the phony requests often forge a random return address, the victim sends some responses into the unoccupied section of Internet monitored by the network telescope.

By analyzing these misguided responses, CAIDA researchers and their UCSD collaborators painted an eye-opening picture of DoS attacks on the Internet. Their results confounded the expectations of security experts.

"There's a continuous background level of attacks," Shannon said. "People didn't know the attacks were going on continuously. There are people who use them as a personal tool to get revenge, or even to slow down game performance."

While the network telescope can see high-profile attacks, such as the controversial December 2003 attack on the SCO Group, Inc. that CAIDA analysis indicates was genuine, most denial-of-service attacks are short attacks on low-profile sites.

For example, computers in Romania, according to CAIDA's analysis, had an extremely high attack rate relative to the Internet infrastructure in that country; the attack rate landed Romania in the top 10 countries in number of attacks. While Romania has a low overall volume of Internet traffic, the country is a notorious hotbed for hackers. While there's no way to know for sure, Moore suspects that Romanian hackers may use the attacks for personal vendettas.

Besides worms and DoS attacks, the telescope can also see scanning activity -- automated tools methodically testing Internet addresses to find systems with vulnerabilities or previously installed back doors.

Further analysis of telescope data—currently one terabyte per month is being collected—might reveal other clues to how the dark side works. For example, the telescope might show whether a new attack is targeting a specific system or is the result of some global activity, which would allow system administrators to respond appropriately.

The network telescope is also part of an NSF cybersecurity research center. The Center for Internet Epidemiology and Defenses at UCSD and the International Computer Science Institute in Berkeley, Calif., is dedicated to wiping out the Internet worms and viruses that infect thousands upon thousands of computers and cause billions of dollars in down time, network congestion and potentially lost data.

"You really have to know how things behave out there" to defeat these epidemics, Moore said of the telescope's role in the center. The center is working to understand how the Internet's open communications and software vulnerabilities permit worms to propagate. The research team wants to use this information to devise a global-scale early warning system to detect epidemics in their early stages, to develop forensics capabilities for analyzing wide-ranging infections and to develop ways to suppress outbreaks before they reach pandemic proportions.

-- David Hart

Investigators
David Moore
Stefan Savage
Geoffrey Voelker

Related Institutions/Organizations
University of California-San Diego

Locations
California

Related Programs
Trusted Computing

Related Awards
#0311690 Quantitative Network Security Analysis
#0221172 Routing and Peering Analysis for Enhancing Internet Performance and Security

Total Grants
$610,000

Related Agencies
Defense Advanced Research Projects Agency (DARPA)
National Institute of Standards and Technology (NIST)

Related Websites
Witty worm: http://www.caida.org/analysis/security/witty/
Spread of Code Red worm: http://www.caida.org/analysis/security/code-red/
CAIDA Network Telescope: http://www.caida.org/analysis/security/telescope/
Slammer (or Sapphire) worm: http://www.caida.org/analysis/security/sapphire/
Fall-out from denial-of-service (DoS) attacks: http://www.caida.org/outreach/papers/2001/BackScatter/

border=0/


Email this pagePrint this page
Back to Top of page