Research field: Safety
Conference: ANRW '25: Proceedings of the 2025 Applied Networking Research Workshop
Traditional darknets rely on unused address space to capture Internet Background Radiation (IBR), but this approach is becoming less viable as IPv4 space exhausts and attackers evade known darknets. This paper explores leveraging routine ICMP error traffic to recover IBR in operational networks using reflective network telescopes, without reserving address space or inspecting user traffic. We deployed two reflective network telescopes that passively record only ICMP Type 3 and Type 11 messages at a transit ISP PoP for 30 days, and captured 900 GB of data containing 14.9M probe packets. Analysis of the extracted payloads revealed 122,730 Internet scanners and 58,333 probable victims of randomly spoofed DoS attacks. Our results show that ICMP Type 3 errors could expose high-volume UDP scanning, while ICMP Type 11 errors provided balanced protocol coverage. As ICMP error traffic is much lower in volume than user traffic, this method offers a scalable and privacy-preserving approach to gathering threat intelligence.
| Publication year | 2025 |
|---|---|
| Citations | 0 |
| Publication country | Morocco, China, Canada |
| Site | ACM |
| Likes | 0 |