Network Telescopes: Observing Small or Distant Security Events

A network telescope is a portion of routed IP address space on which little or no legitimate traffic exists. Monitoring unexpected traffic arriving at a network telescope yields a view of certain remote network events. Among the visible events are various forms of flooding DoS attacks, infection of hosts by Internet worms, and network scanning. In this presentation, we'll examine questions such as: How large should my network telescope be? How well can one go backwards from a local view to an estimate of the global phenomenon? How big (in packets sent) or long (in duration) must an event be to be seen? What can I see from my own backyard telescope?