The UCSD Network Telescope consists of a globally routed, but lightly utilized /8 network prefix, that is, 1/256th of the whole IPv4 address space. It contains few legitimate hosts; inbound traffic to non-existent machines - so called Internet Background Radiation (IBR) - is unsolicited and results from a wide range of events, including misconfiguration (e.g. mistyping an IP address), scanning of address space by attackers or malware looking for vulnerable targets, backscatter from randomly spoofed denial-of-service attacks, and the automated spread of malware. CAIDA continously captures this anomalous traffic discarding the legitimate traffic packets destined to the few reachable IP addresses in this prefix. We archive and aggregate these data, and provide this valuable resource to network security researchers.
The CAIDA UCSD Network Telescope Two Days in November 2008 Dataset
The UCSD network telescope consists of a globally routed /8 network that carries almost no legitimate traffic. We can filter out the legitimate traffic so the resulting data provides us with a snapshot of anomalous 'background' traffic to 1/256th of all public IPv4 destination addresses on the Internet.
The packets seen by the network telescope result from a wide range of events, including misconfiguration (e.g. mistyping an IP address), scanning of address space by attackers or malware looking for vulnerable targets, backscatter from randomly spoofed source denial-of-service attacks, and the automated spread of malware.
This dataset contains two full days of trace data from the UCSD Network Telescope: 2008-11-12 and 2008-11-19. These dates precede our detection of the Conficker A Worm on 2008-11-21. The dataset consists of 48 compressed pcap files each containing one hour of traffic observed by the UCSD Network Telescope The pcap files only contain packet headers; payload has been removed. The destination network addresses have been masked by zeroing the first eight bits of the IP address.
Caveats that apply to this dataset:
- This dataset and the types of worm and denial-of-service attack traffic contained therein are representative only of some spoofed source denial-of-service attacks. Many denial-of-service attackers do not spoof source IP addresses when they attack their victim, in which case backscatter would not appear on a telescope. Attackers can also spoof in a non-random fashion, which will incur an uneven distribution of backscatter across the IPv4 address space, including any telescope lenses. The telescope does not currently send any packets in response, which also limits insight into the traffic it sees.
Referencing this Dataset
When referencing this data, please use:The CAIDA UCSD Network Telescope "Two Days in November 2008" Dataset - < dates used >,Also, please, report your publication to CAIDA.
UCSD Network Telescope Datasets
- Historical and Near-Real-Time Network Telescope Dataset
- Aggregated Traffic Data in FlowTuple format
- Daily RSDoS Attack Metadata
- Two Years of Daily RSDoS Attack Metadata (downloadable paper supplement)
- Three Days Of Conficker Dataset
- CAIDA UCSD Network Telescope Traffic Samples
- Witty Worm Dataset
- Code-Red Worms Dataset
- Patch Tuesday Dataset
- Two Days in November 2008 Dataset
- Telescope Educational Dataset
- Telescope Dataset on the Sipscan
- Telescope Darknet Scanners Dataset
For more information on the UCSD Network Telescope, see:
For more information on the CoralReef Software Suite, see:
For more information on the Corsaro Software Suite, see:
For a non-exhaustive list of Non-CAIDA publications using Network Telescope data, see: