DDOS attacks and other network threats, such as rapid propagation worms, pose a constant threat to any organisation trying to use the Internet. The rise of huge botnets has only increased the dangers and made it harder to defend against the attacks that can occur at any time.
To have any chance of being effective in blocking these attacks, network administrators must be able to spot the danger signals early and act swiftly to minimize or prevent the damage.
One promising approach that could provide an early warning system is the network telescope, which some researchers claim, will be able to monitor and characterize malicious phenomena through specialized mathematical tools, sensors and virtual machines.
In the latest in our series of articles based on MSc theses from Royal Holloway University of London, Fotis Gagadis describes how network telescopes operate by searching the 'dark' areas of the internet where no legitimate traffic needs to go.
He explains how they work on the basis that attackers may inadvertently target non-existent areas of the Internet address range and use spoofed source addresses, which can also result in traffic being sent to non-existent addresses. Any messages reaching these unused IP addresses will by definition be illegitimate and therefore point to dangerous activity.
patch the systems, or disable any systems that might have been exposed.
Gagadis, who did his BSc in Greece, says that from an early stage he began to see the business environment in military terms, where assets need to be secured and protected. Tutors and lecturers explained security at a high level, but he wanted to get down to more detail. After completing his Greek army service, he joined Lannet Communications in Greece and began to address security challenges at first hand. "My supervisor was a CCSP and CCNP and we spent a lot of time discussing the importance of security in a network and more generally in a business environment," he says.
This led him to look for a suitable MSc course, and he says he was delighted to be received on the RHUL course, despite knowing that having majored in business administration in his first degree, he was going to have to work hard on his computer science and mathematics.
So why choose network telescopes as a thesis subject? "The subject was very interesting and also very new. The concept only arose in the research community in recent years, and I found it more challenging than other subjects that I discussed with my supervisor Dr Wolthusen.
"It is important as a concept, in my point of view, because it can help system/network administrators or researchers working on security to learn more about the behaviour of DoS, DDoS and worm attacks in a network, and how a network and the systems might behave in such incidents."
He adds that network telescopes can give security admins and researchers a better view of their network. They can make better decisions based on statistical data, and if an incident occurs in their network, they are better able to decide the best course of action. For example, disable connections, use control mechanisms to minimize exposure, Network telescopes can also complement IDS/IPS systems, he says. "In the case of CodeRed after the initial outbreak many admins or researchers knew the propagation mechanism and behaviour of this worm since the CAIDA organisation had already analyzed it with a network telescope. Therefore, admins knew that they had to patch their systems in order to protect any assets against future outbreaks of the worm if it reactivated.
Having completed his MSc last year, Gagadis now works as a system engineer at Cerner in the UK. To see his article, click HERE . This will also provide a link through to the full thesis.