The UCSD network telescope consists of a globally routed /8 network that monitors large segments of lightly utilized address space with permission of its holders. Because there is little legitimate traffic in this address space, the network telescope provides a monitoring point for anomalous traffic that represents almost 1/256th of all IPv4 destination addresses on the Internet.
The CAIDA UCSD Network Telescope "Three Days Of Conficker" Dataset
The UCSD network telescope consists of a globally routed /8 network that carries almost no legitimate traffic. We can filter out the legitimate traffic so the resulting data provides us with a snapshot of anomalous 'background' traffic to 1/256th of all public IPv4 destination addresses on the Internet.
The packets seen by the network telescope result from a wide range of events, including misconfiguration (e.g. mistyping an IP address), scanning of address space by attackers or malware looking for vulnerable targets, backscatter from randomly spoofed source denial-of-service attacks, and the automated spread of malware.
This dataset contains data from the UCSD Network Telescope for three days between November 2008 and January 2009, exactly one month apart. The first day (21 November 2008) covers the onset of the Conficker A infection. On the second day (21 December 2008) only Conficker A was active, and on the third and final day (21 January 2009) both Conficker A and B were active. Please note that these are "raw" traces: no attempt has been made to identify or filter any packets as specifically Conficker-related. This dataset contains 68 compressed pcap files, each containing one hour of traces. The total size of the dataset is 69 GB (16, 19 and 34 GB for each of the three days). The pcap files contain only packet headers; payload has been removed. The destination network addresses have been masked by zeroing the first eight bits of the IP address.
Note that the CAIDA UCSD Network Telescope Dataset "Two days in November 2008" (http://www.caida.org/data/passive/telescope-2days-2008_dataset.xml), with traces for 12 and 19 November 2008, contains two typical days of "background radiation" as seen by the Network Telescope just prior to the detection of Conficker A. That dataset has been processed the same way as this Conficker dataset (see below), and can be useful in differentiating Conficker-infected traffic from "clean" background radiation.
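An added example (not CAIDA's code and not part of the original page) of reading traces in the format described above: header-only pcap records whose destination addresses have a zeroed first octet. It assumes a classic little-endian pcap with Ethernet framing, which the page does not specify; the sample capture and every address and port in it are constructed.

```python
import struct
from collections import Counter

def build_sample_pcap():
    """Constructed sample: two header-only TCP SYN frames in a little-endian pcap."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # 1 = Ethernet
    rows = [(1227225600, "192.0.2.10", "0.1.2.3", 445),
            (1227225601, "198.51.100.7", "0.200.9.8", 445)]
    for ts, src, dst, dport in rows:
        eth = b"\x00" * 12 + b"\x08\x00"  # zeroed MACs, EtherType IPv4
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))),
                         bytes(map(int, dst.split("."))))
        tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
        frame = eth + ip + tcp
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def read_packets(stream):
    """Yield (timestamp, captured_bytes) for each record of a classic pcap stream."""
    magic, *_, linktype = struct.unpack("<IHHiIII", stream.read(24))
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("assumed little-endian pcap with Ethernet link type")
    while True:
        record = stream.read(16)
        if len(record) < 16:
            return
        ts, _usec, caplen, _origlen = struct.unpack("<IIII", record)
        yield ts, stream.read(caplen)

def summarize(stream):
    """Count distinct sources, masked destinations and (protocol, dst port) pairs."""
    sources, ports, masked = set(), Counter(), 0
    for _ts, data in read_packets(stream):
        if len(data) < 34 or data[12:14] != b"\x08\x00":
            continue  # not IPv4, or too short to hold a full IPv4 header
        ip = data[14:]
        ihl = (ip[0] & 0x0F) * 4          # IPv4 header length in bytes
        sources.add(".".join(map(str, ip[12:16])))
        masked += ip[16] == 0             # first destination octet zeroed by masking
        if ip[9] in (6, 17) and len(ip) >= ihl + 4:  # TCP or UDP, ports captured
            ports[(ip[9], struct.unpack("!H", ip[ihl + 2:ihl + 4])[0])] += 1
    return {"sources": len(sources), "masked_dst": masked, "ports": ports}
```

For the real files, pass an already-decompressed binary stream to `summarize`; because the first destination octet is zeroed, only the lower 24 bits of each destination are usable for per-address analysis.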
Caveats that apply to this dataset:
- This dataset and the types of worm and denial-of-service attack traffic contained therein are representative only of some spoofed-source denial-of-service attacks. Many denial-of-service attackers do not spoof source IP addresses when they attack their victim, in which case backscatter would not appear on a telescope. Attackers can also spoof in a non-random fashion, which results in an uneven distribution of backscatter across the IPv4 address space, including any telescope lenses. The telescope does not currently send any packets in response, which also limits insight into the traffic it sees.
Referencing this Dataset
When referencing this data, please use: The CAIDA UCSD Network Telescope "Three Days Of Conficker" - <dates used>. Also, please report your publication to CAIDA.
Since April 2016 access to these data is provided through the website of the Information Marketplace for Policy and Analysis of Cyber-risk and Trust (IMPACT).
- Access to these data can be requested through IMPACT