Network telescope

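A network telescope (also known as a packet telescope,[1] darknet, Internet motion sensor or black hole)[2][3][4] is an Internet system that makes it possible to observe various large-scale events taking place on the Internet. The basic idea is to observe traffic that targets the dark address space of a network. Because all traffic to these addresses is suspicious, observing it yields information about possible network attacks (random scanning worms, DDoS backscatter) as well as other misconfigurations.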

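The resolution of an Internet telescope depends on the number of IP addresses it monitors. For example, a large Internet telescope that monitors traffic to 16,777,216 addresses (an IPv4 /8 Internet telescope) has a higher probability of observing a relatively small event than a smaller telescope that monitors 65,536 addresses (a /16 Internet telescope).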
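The dependence of resolution on the number of monitored addresses can be made concrete with a small model, added here as an illustration and not taken from the cited sources. It assumes a source that sends probes to uniformly random IPv4 addresses at an assumed rate of 10 packets per second; the function names are hypothetical, and the coverage parameter extends the /8 versus /16 comparison to partially monitored blocks.

```python
import math

def monitored_fraction(prefix_len, coverage=1.0):
    """Share of the 2**32 IPv4 addresses that the telescope observes."""
    if not 0 <= prefix_len <= 32 or not 0 < coverage <= 1:
        raise ValueError("prefix_len must be 0..32, coverage in (0, 1]")
    return coverage / 2 ** prefix_len

def detection_probability(prefix_len, packets, coverage=1.0):
    """P(at least one of `packets` uniformly random probes hits the telescope)."""
    p = monitored_fraction(prefix_len, coverage)
    if packets <= 0:
        return 0.0
    if p >= 1.0:
        return 1.0
    # 1 - (1 - p)**n, computed with log1p/expm1 so tiny p does not round away
    return -math.expm1(packets * math.log1p(-p))

def seconds_to_detect(prefix_len, rate_pps, confidence, coverage=1.0):
    """Time until at least one probe is seen with probability `confidence`."""
    if not 0 < confidence < 1 or rate_pps <= 0:
        raise ValueError("confidence must be in (0, 1), rate_pps positive")
    p = monitored_fraction(prefix_len, coverage)
    if p >= 1.0:
        return 1.0 / rate_pps
    packets = math.log1p(-confidence) / math.log1p(-p)
    return packets / rate_pps

# Constructed comparison set: prefix lengths and coverage values as listed
# in the table of large telescopes on this page.
TELESCOPES = [("/8, 100%", 8, 1.00), ("/8, 74%", 8, 0.74),
              ("/8, 67%", 8, 0.67), ("/16, 100%", 16, 1.00)]
RATE_PPS = 10        # assumed scan rate, not a value stated on this page
WINDOW_S = 5 * 60    # observation window for the probability column

def compare(rate_pps=RATE_PPS, window_s=WINDOW_S, confidence=0.99999):
    rows = []
    for label, prefix_len, coverage in TELESCOPES:
        prob = detection_probability(prefix_len, rate_pps * window_s, coverage)
        wait = seconds_to_detect(prefix_len, rate_pps, confidence, coverage)
        rows.append((label, prob, wait / 60))
    return rows

if __name__ == "__main__":
    for label, prob, minutes in compare():
        print(f"{label:10s} P(seen in 5 min)={prob:.5f}  "
              f"minutes to 99.999%={minutes:.1f}")
```

At the assumed 10 packets per second, the fully monitored /8 reaches 99.999% detection probability after about 4.9 minutes, which agrees with the figure quoted in reference 5.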

The name comes from an analogy to optical telescopes, where a larger physical size allows more photons to be observed.[5]

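A variant of the network telescope is the sparse darknet, or greynet, which consists of a region of IP address space that is sparsely populated with "darknet" addresses interspersed with active (or "lit") IP addresses.[2] These include a greynet assembled from 210,000 unused IP addresses located mainly in Japan.[6]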

Large network telescope instances

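| Network | Coverage | IPs | Name | Lifetime | Capture |
|---|---|---|---|---|---|
| 1/8 | 100%[3] | ~16M | APNIC | 2010-02-23 (1 week) | 4.1 terabytes[3] |
| 44/8 | 99%[4] | ~16M | UCSD Network Telescope[note 1] | 2001-02-01‒2017-12-31 | 3.25 petabytes[7] |
| | | | | 2018-01-01‒2019-06-04 | |
| | 74% | ~12M | | 2019-06-05— | |
| 35/8 | 67%[4] | ~11M | Merit Network[note 2] | 2005-10-05— | 18.2 terabytes[9] |
| 50/8 | 100%[3] | ~16M | ARIN | 2010-03-12 (1 week) | 1.1 terabytes[3] |
| 107/8 | 100%[3] | ~16M | ARIN | 2010-03-25 (1 week) | 1.2 terabytes[3] |
| 1,300 networks | | | Akamai[10] / MIT[11] | 2009/2019— | |
| /16 | 100% | 65k | HEAnet[12] | 2019-03 (1 week) | 96 gigabytes[12] |
| /15 | 100% | ~130k | SURFnet[13] | | |
| 2a10::/12 (IPv6) | 100% | 8.3 trillion (2^116) | RIPE NCC[14] | 2020-01-13 - 2020-01-16 (3 days) | 19M packets |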
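  1. ^ Hosted at the San Diego Supercomputer Center and operated by the Center for Applied Internet Data Analysis at the University of California, San Diego, using the amateur radio AMPRNet IP addresses.
  2. ^ The Merit Network telescope consists of approximately 5.5 million (2014)[8] or approximately 11 million unused IP addresses.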

References

  1. ^ Cheswick, Bill (August 2013). "Bill Cheswick on Firewalls" (PDF). Security. ;login: The USENIX Magazine (Interview). Vol. 38, no. 4. Interviewed by Rik Farrow. p. 21. about this time (late 1980s) Mark Horton obtained a class A address for AT&T from the powers-that-be by simply asking. ... our Cray computer seemed to require a class A network ... took 12.0.0.0/8 and announced it to the Net, feeding the packets to a non-existent Ethernet address and running tcpdump on the traffic, which came to about 12 to 25 MB/day. Steve analyzed that traffic and wrote a fine paper. Basically, we were watching the death screams of attacked hosts that used IP address-based authentication. ... This is the first packet telescope I can remember, and I think I might even have coined the term "packet telescope," but my memory is fuzzy on that.
  2. ^ a b Harrop, W.; Armitage, G. (2005). "Defining and Evaluating Greynets (Sparse Darknets)". The IEEE Conference on Local Computer Networks 30th Anniversary (LCN'05). pp. 344–350. doi:10.1109/LCN.2005.46. hdl:1959.3/2449. ISBN 0-7695-2421-4. S2CID 18789864.
  3. ^ a b c d e f g Wustrow, Eric; Karir, Manish; Bailey, Michael; Jahanian, Farnam; Houston, Geoff (2010-06-09). Internet Background Radiation Revisited (PDF). Internet Measurement Conference. Systems that monitor unused address spaces have a variety of names, including darknets, network telescopes, blackhole monitors, network sinks, and network motion sensors. ... 1/8 ... 50/8 ... 107/8 ... 35/8
  4. ^ a b c Benson, Karyn; Dainotti, Alberto; Claffy, K.C.; Snoeren, Alex C.; Kallitsis, Michael (2015-09-10). Leveraging Internet Background Radiation for Opportunistic Network Analysis (PDF). Internet Measurement Conference '15. Tokyo, Japan. doi:10.1145/2815675.2815702. ISBN 978-1-4503-3848-6. S2CID 6184617. A darknet or network telescope is a collection of routed but unused IP addresses, ... UC San Diego and Merit Network operate large darknets, which we call UCSD-NT and MERIT-NT respectively. UCSD-NT observes traffic destined to more than 99% of IP addresses in a contiguous /8 block. MERIT-NT covers about 67% of a different /8 block.
  5. ^ Moore, David; Shannon, Colleen; Voelker, Geoffrey M.; Savage, Stefan (April 2004). "Network Telescopes: Technical Report" (PDF). Technical Reports. network telescopes were named as an analogy to astronomical telescopes, ... driven by the comparison of packets arriving in a portion of address space to photons arriving in the aperture of a light telescope. ... a larger aperture increases the resolution of objects by providing more positional detail; with network telescopes, having a larger address space increases the resolution of events by providing more time detail. ... to observe one or more packets from a Code-Red-like host on a /8 with 99.999% probability requires 4.9 minutes. ... Even if the attack lasted 5 minutes, there is only a 89.9% chance that a /16 telescope would see at least 1 packet. ... thank Brian Kantor, Jim Madden, and Pat Wilson of UCSD for technical support of the Network Telescope project. ... Support for this work is provided by NSF Trusted Computing Grant CCR-0311690, Cisco Systems University Research Program, DARPA FTN Contract N66001-01-1-8933, NSF Grant ANI-0221172, National Institute of Standards Grant 60NANB1D0118, and a generous gift from AT&T.
  6. ^ Le Malécot, Erwan; Inoue, Daisuke (20 Mar 2014). Danger, Jean Luc; Debbabi, Mourad; Marion, Jean-Yves; Garcia-Alfaro, Joaquin; Heywood, Nur Zincir (eds.). The Carna Botnet Through the Lens of a Network Telescope. Foundations and Practice of Security: 6th International Symposium. La Rochelle, France. p. 427. ISBN 9783319053028. network telescope that we operate presently amounts to approximately 210 thousand unused IPv4 addresses spread over the networks of a number of partner organizations (located in Japan and aboard). Those unused addresses form darknets ranging in size from a few addresses to whole /16 subnets ... the notion of a "greynet" ... composed of a mixture of used and unused IP addresses
  7. ^ Claffy, K.; Fomenkov, Marina; University of California San Diego; Center for Applied Internet Data Analysis (CAIDA) (2018-06-22). Rose, Fraces A.; Matyjas, John D. (eds.). Final technical report. Supporting Research and Development of Security Technologies Through Network and Security Data Collection (Report). Air Force Research Laboratory Information Directorate. pp. iii, 2, 3, 7. Sep 2012 – Dec 2017 ... Grant number: FA8750-12-2-0326 ... engaged in collecting packet-level data from the UCSD Network Telescope (which monitors a /8 IPv4 darknet) ... number of files and the total volume of data collected ... (from [2012-10-01] until [2017-12-31]) as well as cumulative size ... Telescope: number of files: 129552; Size: 2.85 PB; On-disk size (compressed), [at 2017-12-31]: 1.30 PB; Uncompressed size, [at 2017-12-31]: 3.25 PB
  8. ^ Durumeric, Zakir; Bailey, Michael; Halderman, J. Alex; University of Michigan (2014-08-08). An Internet-Wide View of Internet-Wide Scanning (PDF). USENIX Security Symposium. darknet operated at Merit Network for the period from [2013-01-01] to [2014-05-01]. ... 5.5 million addresses, ... 1.4 billion packets, or 55 GB of traffic, per day.
  9. ^ Merit Network. "Longitudinal Darknet 35/8". Blackhole Address Space Data, flowtuple. IMPACT Cybertrust. in the case of a TCP SYN flood attack with a spoofed source IP, the victim will reply with a TCP SYN-ACK to the spoofed IP; if the spoofed IP happened to be within the 35/8 address space, our darknet will capture the SYN-ACK replies ... Collection Starting: [2005-10-05]; ... Data collection is ongoing ... Size: 18.2TB Size is growing as more data is collected
  10. ^ Belson, David, ed. (2009-07-09). "Conficker" (PDF). Security. The State of the Internet. Vol. 2, no. 1. Akamai Technologies. p. 8. corroborated by similar drops in observed by CAIDA's UCSD Network Telescope, which serves a function similar to the set of Akamai servers that collect attack traffic data.
  11. ^ Richter, Philipp; Berger, Arthur (July 2019). Scanning the Scanners: Sensing the Internet from a Massively Distributed Network Telescope. ACM Internet Measurement Conference. Amsterdam, Netherlands.
  12. ^ a b O'Hara, Joseph (April 2019). "Cloud-based network telescope for Internet background radiation collection" (PDF). Trinity College Dublin: 16. Thank you to Eoin Kenny from HEAnet ... A traditional /16 network telescope was provided by HEAnet, Ireland's National Education and Research Network. ... /16 address space had been unused for a number of years before this research ... 256 times smaller than the CAIDA /8 ... recorded data rate was 1.25Mbps ... 95.6GB
  13. ^ Metongnon, Lionel; Sadre, Ramin (2018-08-20). Beyond Telnet: Prevalence of IoT Protocols in Telescope and Honeypot Measurements (PDF). ACM SIGCOMM-WTMC. p. 4. doi:10.1145/3229598.3229604. S2CID 51926045. Archived from the original (presentation slides) on 2019-07-30. a setup with /15 network telescope
  14. ^ "The Debogonisation of 2a10::/12".
