UCSD Network Telescope -- Darknet Scanners Dataset

The UCSD Network Telescope consists of a globally routed, but lightly utilized /8 network prefix, that is, 1/256th of the whole IPv4 address space. It contains few legitimate hosts; inbound traffic to non-existent machines, so-called Internet Background Radiation (IBR), is unsolicited and results from a wide range of events, including misconfiguration (e.g. mistyping an IP address), scanning of address space by attackers or malware looking for vulnerable targets, backscatter from randomly spoofed source denial-of-service attacks, and the automated spread of malware. CAIDA continuously captures this anomalous traffic, discarding the legitimate traffic packets destined to the few reachable IP addresses in this prefix. We archive and aggregate these data, and provide this valuable resource to network security researchers.


The CAIDA UCSD Network Telescope Darknet Scanners Dataset

The UCSD network telescope consists of a globally routed /8 network that carries almost no legitimate traffic. We can filter out the legitimate traffic so the resulting data provides us with a snapshot of anomalous 'background' traffic to 1/256th of all public IPv4 destination addresses on the Internet.

The packets seen by the network telescope result from a wide range of events, including misconfiguration (e.g. mistyping an IP address), scanning of address space by attackers or malware looking for vulnerable targets, backscatter from randomly spoofed source denial-of-service attacks, and the automated spread of malware.

This dataset contains IP addresses that conduct horizontal scans of UCSD's network telescope. We use Bro's default parameters: a source IP address is recorded as a scanner when it contacts 25 unique destination IP addresses on the same destination port/protocol within 5 minutes.

We include the following information:

  • IP addresses
  • Scanned port
  • Scanned protocol
  • Timestamp scan began
  • Scanning statistics that may be used as heuristics for determining scanning strategy.
All timestamps are in UTC.

This dataset is a derivative of the UCSD Network Telescope realtime flow tuple dataset (see http://www.caida.org/data/passive/telescope-near-real-time_dataset.xml).

We run a custom corsaro plugin on each day of flow tuple data, recording any IP address that sends packets on the same protocol/destination port to at least 25 darknet IP addresses within a span of 5 minutes.

For each entry in our daily list of scanners (source IP, destination port, protocol) we collect hourly statistics, including hours of the day where the scanner did not meet the 25-IPs-in-5-minutes criterion. We generate hourly statistics using a second corsaro plugin.
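
The scanner criterion described above (at least 25 unique darknet destinations on one protocol/destination port within 5 minutes), as an added Python example; it is not CAIDA's corsaro plugin or Bro's code. The sliding-window interpretation, the flow-record layout and the sample addresses are assumptions made for illustration.

```python
from collections import defaultdict, deque

THRESHOLD = 25  # unique destination IPs (value stated on the page)
WINDOW = 300    # seconds, i.e. 5 minutes (value stated on the page)

def find_scanners(flows, threshold=THRESHOLD, window=WINDOW):
    """flows: iterable of (ts, src_ip, dst_ip, dst_port, proto), sorted by ts.
    Returns {(src_ip, dst_port, proto): ts of the first packet in the window
    that first met the threshold}. Sliding window is an assumption."""
    recent = defaultdict(deque)                     # key -> (ts, dst_ip) in window
    counts = defaultdict(lambda: defaultdict(int))  # key -> dst_ip -> packet count
    scanners = {}
    for ts, src, dst, port, proto in flows:
        key = (src, port, proto)
        if key in scanners:
            continue  # already recorded; keep the first scan start only
        q, c = recent[key], counts[key]
        q.append((ts, dst))
        c[dst] += 1
        # Evict packets that are 5 minutes or more older than the current one.
        while ts - q[0][0] >= window:
            _, old = q.popleft()
            c[old] -= 1
            if c[old] == 0:
                del c[old]
        if len(c) >= threshold:  # 25 distinct destinations inside the window
            scanners[key] = q[0][0]
            del recent[key], counts[key]
    return scanners

def sample_flows():
    """Constructed sample; all addresses are placeholders, not dataset values."""
    flows = []
    for i in range(30):
        # Fast sweep: 30 distinct targets, one every 2 s -> meets the criterion.
        flows.append((1000 + 2 * i, "198.51.100.7", f"10.0.0.{i}", 23, "tcp"))
        # Slow sweep: one target every 20 s -> at most 15 per 5-minute window.
        flows.append((1000 + 20 * i, "203.0.113.9", f"10.0.1.{i}", 445, "tcp"))
        # Repeated packets to a single target: 1 unique destination.
        flows.append((1000 + i, "192.0.2.5", "10.0.2.1", 53, "udp"))
    return sorted(flows)

if __name__ == "__main__":
    for (src, port, proto), start in find_scanners(sample_flows()).items():
        print(f"{src} scanned {proto}/{port}, scan began at {start}")
```

The slow sweep touches 30 addresses in total but never 25 within any 5-minute window, which is the case the hourly statistics record as hours where a listed scanner did not meet the criterion.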

Referencing this Dataset

When referencing this data, please use:

The CAIDA UCSD Network Telescope "Darknet Scanners" Dataset - < dates used >,
http://www.caida.org/data/passive/telescope-darknet-scanners_dataset.xml
Also, please report your publication to CAIDA.


  Last Modified: Mon Nov-5-2018 13:34:36 PST
  Page URL: http://www.caida.org/data/passive/telescope-darknet-scanners_dataset.xml