DScope: A Cloud-Native Internet Telescope
DScope is a cloud-native interactive Internet telescope deployed to AWS. By interactively collecting traffic from scanners contacting public cloud IPs, DScope provides a vantage point on attacks against cloud infrastructure and other systems.
This website offers information on DScope, collected data, and emergent trends in Internet and cloud exploitation.
DScope is an open data project operated by the Madison Security and Privacy Research Group at the University of Wisconsin–Madison. For more information on accessing and using data collected by DScope, click here.
Background and Project Overview
Traditionally, Internet telescopes are unused portions of the IP address space that passively receive traffic sent from the broader Internet. Because no legitimate services are hosted at these addresses, everything they receive is Internet background radiation. While these telescopes are useful, the traffic they receive may not be representative of what deployed services would receive, and their inability to interact prevents them from characterizing application-layer payloads. As services continue to transition to public clouds, and protocol semantics move up the stack (for instance, HTTP has become the common denominator of many Web APIs), measurement techniques must adapt to characterize new threats.
DScope aims to complement existing telescopes by sidestepping the limitations above. Instead of being deployed to a fixed IP space, DScope continually allocates new IP addresses from Amazon Web Services. These IPs are drawn from the broader AWS pool and are indistinguishable from other cloud server IPs, so the traffic DScope receives matches what any cloud service would be expected to see. Each IP is held for 10 minutes. During this time, DScope accepts TCP connections on all ports and acknowledges incoming data at the transport layer, but never sends an application-layer response. This captures the first application-layer bytes each client sends after the handshake (the client's "banner", for example an HTTP request line), which proves useful for identifying trends and threats.
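The collection model described above (complete the TCP handshake, let the kernel acknowledge whatever the client sends, never reply at the application layer, and keep the client's first bytes) can be shown with a small listener. The following is an added illustration written for this page, not DScope's own code; DScope's real implementation is described on the Telescope Architecture page and in the paper. The names SilentListener, Observation, classify_payload and collect, the protocol-guessing heuristics, and the constructed scanner payloads are all this example's own assumptions. Steering every destination port of a host to one socket (for instance with a NAT redirect rule) is assumed and not shown; the example binds a single ephemeral port on localhost so it runs offline.

```python
import socket
import threading
import time
from dataclasses import dataclass


@dataclass
class Observation:
    peer: str        # source address of the connecting client
    port: int        # local port the client connected to
    payload: bytes   # first bytes the client sent after the handshake
    kind: str        # coarse protocol guess from classify_payload()


def classify_payload(data: bytes) -> str:
    """Guess what the client was speaking from the first bytes it sent (heuristics
    assumed for this example)."""
    if not data:
        return "no-payload"                       # handshake only, client sent nothing
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-client-hello"                 # TLS record: type handshake, version 0x03xx
    if data.startswith(b"SSH-"):
        return "ssh-client-banner"
    request_line = data.split(b"\r\n", 1)[0].split(b" ")
    if len(request_line) == 3 and request_line[2].startswith(b"HTTP/"):
        return "http-request"
    return "other"


class SilentListener:
    """Accept TCP connections, read up to max_bytes (or until the client closes or goes
    quiet for read_timeout seconds), record what arrived, and close without replying."""

    def __init__(self, host="127.0.0.1", port=0, read_timeout=1.0, max_bytes=4096):
        self.read_timeout, self.max_bytes = read_timeout, max_bytes
        self.observations, self._lock, self._stop = [], threading.Lock(), threading.Event()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))             # port=0: let the OS pick a free port
        self._sock.listen(128)
        self._sock.settimeout(0.1)                # lets the accept loop notice stop()
        self.port = self._sock.getsockname()[1]
        self._thread = threading.Thread(target=self._accept_loop, daemon=True)

    def start(self):
        self._thread.start()

    def stop(self):
        self._stop.set()
        self._thread.join(timeout=5)
        self._sock.close()

    def _accept_loop(self):
        while not self._stop.is_set():
            try:
                conn, addr = self._sock.accept()  # kernel has already completed the handshake
            except socket.timeout:
                continue
            except OSError:
                break
            threading.Thread(target=self._handle, args=(conn, addr), daemon=True).start()

    def _handle(self, conn, addr):
        conn.settimeout(self.read_timeout)
        buf = b""
        try:
            while len(buf) < self.max_bytes:
                chunk = conn.recv(self.max_bytes - len(buf))
                if not chunk:                     # client closed its side
                    break
                buf += chunk                      # data is ACKed by the kernel, we never send()
        except (socket.timeout, OSError):
            pass                                  # client went quiet or reset; keep what we have
        finally:
            conn.close()
        with self._lock:
            self.observations.append(Observation(addr[0], self.port, buf, classify_payload(buf)))

    def wait_for(self, count, timeout=5.0):
        """Block until `count` observations are recorded (or timeout) and return a copy."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.observations) >= count:
                    return list(self.observations)
            time.sleep(0.02)
        with self._lock:
            return list(self.observations)


# Constructed sample of what scanners typically send first; not captured data.
CONSTRUCTED_SCANNER_PAYLOADS = [
    b"GET /.env HTTP/1.1\r\nHost: 203.0.113.10\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    bytes.fromhex("160301") + b"\x00\x05\x01\x00\x00\x01\x00",   # TLS record header + stub ClientHello
    b"SSH-2.0-OpenSSH_8.9\r\n",
    b"",                                                          # connect scan: handshake only
    b"\x00\x00\x00\x54\xff\x53\x4d\x42",                          # some binary protocol
]


def collect(payloads, read_timeout=0.5):
    """Run a listener and replay each payload from a local client that sends then closes;
    return the observations in the order the connections were made."""
    listener = SilentListener(read_timeout=read_timeout)
    listener.start()
    try:
        for i, payload in enumerate(payloads, 1):
            with socket.create_connection(("127.0.0.1", listener.port)) as client:
                if payload:
                    client.sendall(payload)
            listener.wait_for(i)                  # keep ordering deterministic
        return listener.wait_for(len(payloads))
    finally:
        listener.stop()


if __name__ == "__main__":
    for obs in collect(CONSTRUCTED_SCANNER_PAYLOADS):
        print(f"{obs.peer} -> :{obs.port} {obs.kind:18s} {obs.payload[:32]!r}")
```

Because the listener never calls send(), a client that needs a server-first banner (SSH servers speak first, for example) will usually wait and then close, yielding a "no-payload" record; that is the price of the silent design, and the read timeout bounds how long each such connection is held.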
DScope Features
To build DScope, we had to rethink how Internet measurement apparatus is designed and deployed. As a result, DScope has a variety of advantages over existing measurement techniques. For further technical details, see the Telescope Architecture page and our paper at the 2023 USENIX Security Symposium.
Cloud IP Addresses
DScope is deployed in situ with cloud services. Adversaries targeting the cloud inherently also contact DScope, allowing measurement of these threats.
Interactive Measurement
DScope is interactive, meaning it completes TCP handshakes and receives application-layer data from clients. This allows identification of the exploits scanners attempt and discovery of new vulnerabilities from the payloads they send.
Quality over Quantity
Despite having a smaller footprint than conventional telescopes, DScope collects a broad sample of cloud-targeted traffic. This smaller dataset covers new phenomena while being easier to study.
Statistically Sound Measurement
Because DScope's footprint is a random sample of the millions of IPs in the AWS pool, its measurements generalize to that pool as a whole.
Service Lifecycle
Unlike honeynets and honeyfarms that sit on fixed IP address ranges, DScope’s agility through the IP space allows it to measure how attackers respond to newly-deployed services.
Cost-Effective and Low-impact
DScope runs on spare (spot) compute capacity on Amazon Web Services. As a result, it costs less to run than conventional telescopes and does not negatively impact cloud providers.