Should Network Operators Hop on the Data Plane?

 


Max Resing

Hosts on the internet are continuously targeted and penetrated by so-called scanners, which try to break into a system automatically. Network operators apply different techniques to prevent an incident. Blocking traffic from (malicious) IPs has proven to be successful, but it requires a consistently updated and reliable list of the origins of scanning activity. As a consequence, an entire industry has emerged to provide the best IP blocklist. A typical approach to identifying scanners is an infrastructure of honeypots. Such a sensor infrastructure can consist of hundreds of honeypots distributed all over the world, and the rise of cloud platforms has established a convenient way to deploy honeypots globally. Research has shown, however, that some scanners target a specific IP address space. This raises the question of whether cloud-based geographic diversity is enough to identify the majority of scanners. We set up a small sensor infrastructure with honeypots not only in cloud-based environments but also in residential and campus networks. The resulting data set provides valuable insights into scanning activity aimed at different kinds of networks. A geographical and temporal analysis delivers indicators that different scanners target different protocols. Further, the results show that certain scanners target specific networks exclusively. Scanners of residential networks in particular are hard to discover with a cloud-only sensor infrastructure. Ultimately, we assess the completeness of the dataplane.org data feeds.
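The two questions the abstract raises, whether a cloud-only sensor deployment would have seen a given scanner at all, and what fraction of the scanners observed on each network type a blocklist feed actually covers, can be answered with a few set operations over honeypot hit records. The following is an added illustration of that analysis, not code or data from the talk or from dataplane.org: the hit records and the feed contents are constructed (RFC 5737 documentation addresses), and the sensor class labels "cloud", "residential" and "campus" are an assumption about how the sensors would be tagged.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, Set


@dataclass(frozen=True)
class Hit:
    """One connection attempt logged by a honeypot sensor."""
    ts: datetime
    sensor_class: str  # assumed tag: "cloud", "residential" or "campus"
    src_ip: str
    dst_port: int


# Constructed sample hits (not real measurements). RFC 5737 addresses are used
# for the scanner sources so nothing here points at a real host.
HITS = [
    # 192.0.2.10: a broad SSH scanner that hits every network type
    Hit(datetime(2021, 9, 1, 0, 5), "cloud", "192.0.2.10", 22),
    Hit(datetime(2021, 9, 1, 0, 7), "residential", "192.0.2.10", 22),
    Hit(datetime(2021, 9, 1, 0, 9), "campus", "192.0.2.10", 22),
    # 198.51.100.7: web scanner that only ever shows up on cloud sensors
    Hit(datetime(2021, 9, 1, 1, 0), "cloud", "198.51.100.7", 80),
    Hit(datetime(2021, 9, 1, 1, 1), "cloud", "198.51.100.7", 443),
    # 203.0.113.5: telnet scanner seen exclusively on the residential sensor
    Hit(datetime(2021, 9, 1, 2, 0), "residential", "203.0.113.5", 23),
    Hit(datetime(2021, 9, 1, 2, 3), "residential", "203.0.113.5", 2323),
    # 203.0.113.9: SMB scanner seen exclusively on the campus sensor
    Hit(datetime(2021, 9, 1, 3, 0), "campus", "203.0.113.9", 445),
    # 192.0.2.200: telnet scanner seen on residential and campus, never on cloud
    Hit(datetime(2021, 9, 1, 4, 0), "residential", "192.0.2.200", 23),
    Hit(datetime(2021, 9, 1, 4, 2), "campus", "192.0.2.200", 23),
]

# Constructed stand-in for a blocklist feed (not dataplane.org's actual data).
FEED = {"192.0.2.10", "198.51.100.7"}


def sensor_classes_by_source(hits: Iterable[Hit]) -> Dict[str, Set[str]]:
    """Map each scanner source IP to the set of sensor classes that saw it."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for h in hits:
        seen[h.src_ip].add(h.sensor_class)
    return dict(seen)


def exclusive_scanners(hits: Iterable[Hit], sensor_class: str) -> Set[str]:
    """Scanners observed on exactly one sensor class and nowhere else."""
    return {
        ip for ip, classes in sensor_classes_by_source(hits).items()
        if classes == {sensor_class}
    }


def missed_by_deployment(hits: Iterable[Hit], deployed: Set[str]) -> Set[str]:
    """Scanners a deployment restricted to `deployed` classes would never see."""
    return {
        ip for ip, classes in sensor_classes_by_source(hits).items()
        if not (classes & deployed)
    }


def feed_coverage(hits: Iterable[Hit], feed: Set[str]) -> Dict[str, float]:
    """Per sensor class: fraction of the scanners it observed that the feed lists."""
    scanners: Dict[str, Set[str]] = defaultdict(set)
    for h in hits:
        scanners[h.sensor_class].add(h.src_ip)
    return {cls: len(ips & feed) / len(ips) for cls, ips in scanners.items()}


def ports_by_class(hits: Iterable[Hit]) -> Dict[str, Counter]:
    """Which destination ports each network type is probed on (protocol mix)."""
    ports: Dict[str, Counter] = defaultdict(Counter)
    for h in hits:
        ports[h.sensor_class][h.dst_port] += 1
    return dict(ports)


if __name__ == "__main__":
    print("residential-only scanners:", exclusive_scanners(HITS, "residential"))
    print("missed by cloud-only deployment:", missed_by_deployment(HITS, {"cloud"}))
    print("feed coverage per class:", feed_coverage(HITS, FEED))
    print("ports per class:", ports_by_class(HITS))
```

On the constructed data a cloud-only deployment never sees three of the five scanners, and the feed, which here lists exactly the sources visible from the cloud, covers 100% of what the cloud sensor saw but only a third of what the residential and campus sensors saw. That gap is the quantity to compute against a real feed when assessing its completeness; with real hits the same functions run unchanged.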

Should Network Operators Hop on the Data Plane? (pdf)

Watch the NANOG 83 Playlist