
Cloud-based network telescope: design, deployment and traffic analysis via data mining

Luca Serafini


Supervisors: Marco Mellia, Andrea Sordello. Politecnico di Torino, Master's degree programme in Cybersecurity, 2025

License: Creative Commons Attribution Non-commercial No Derivatives.

Abstract:

A network telescope, also known as a darknet, is a passive monitoring system designed to collect unsolicited traffic directed to unused IPv4 address space. This tool provides valuable insights into large-scale cybersecurity threats, scanning patterns, and trends in Internet traffic. In this work, we explore the implementation of a network telescope that leverages cloud providers’ IP addresses rather than generic public IPs, as commonly done in several related works. The objective is to highlight the advantages of using cloud-owned addresses, e.g., increased visibility or unique traffic sources. To this end, we first compared the services offered by major cloud providers and selected the most suitable option. We then monitored 256 cloud-owned IP addresses over a one-month period to maximize the coverage of our analysis. Furthermore, to gain deeper insights into activities occurring in the cloud, certain subnets periodically hosted fake services with varying levels of interactivity, such as Layer 4 responders and honeypots, while the remaining subnets operated purely as telescope sensors. We replicated the same setup in a darknet hosted on our campus, leveraging campus-owned IP space. This unique testbed provided information-rich network traces, which we initially analysed through macro-level observations. We then applied data mining techniques to uncover more complex scanning patterns, characterizing both overall scanning activity and the behaviour of specific groups of hosts.

Supervisors: Marco Mellia, Andrea Sordello
Academic year: 2025/26
Publication type: Electronic
Number of pages: 98
Subjects:
Degree programme: Master's degree programme in Cybersecurity
Degree class: New organization > Master's degree > LM-32 - COMPUTER ENGINEERING
Collaborating companies: NOT SPECIFIED
URI: http://webthesis.biblio.polito.it/id/eprint/37929