The UCSD network telescope consists of a globally routed /8 network that monitors large segments of lightly utilized address space with permission of its holders. Because there is little legitimate traffic in this address space, the network telescope provides a monitoring point for anomalous traffic that represents almost 1/256th of all IPv4 destination addresses on the Internet.
The CAIDA UCSD Near-Real-Time Network Telescope Dataset
The UCSD network telescope consists of a globally routed /8 network that carries almost no legitimate traffic. We can filter out the legitimate traffic so the resulting data provides us with a snapshot of anomalous 'background' traffic to 1/256th of all public IPv4 destination addresses on the Internet.
The packets seen by the network telescope result from a wide range of events, including misconfiguration (e.g. mistyping an IP address), scanning of address space by attackers or malware looking for vulnerable targets, backscatter from randomly spoofed source denial-of-service attacks, and the automated spread of malware.
CAIDA continously captures traffic from the UCSD Network Telescope. The resulting traffic traces become available in near-real time as one-hour long compressed pcap files. A moving time window, approximately covering the most recent two months of data, are stored on spinning disk, and are available for analysis.
Once data slide out of the near-real-time window, they are converted to an aggregated form using the Corsaro software suite. These Corsaro "flow-tuples" are available for analysis from February 2008 onwards. The pcap files are then off-loaded to tape storage, and are no-longer available on disk for immediate analysis.
The CAIDA UCSD Near-Real-Time Network Telescope Dataset consists of two parts:
- Most recent 60-days of raw telescope traffic (in pcap format)
- Aggregrated flow data for all telescope traffic since February 2008 (in Corsaro flow tuple format)
- Aggregated DDoS metadata representing DDoS activity seen in the telescope data
Data Access Policy
These data must be analyized on CAIDA machines, and cannot be downloaded
Once researchers are approved for access to this dataset, they will be set up with an account on a CAIDA machine that provides direct access to the Telescope traffic traces required for their research. CAIDA enforces a "take software to the data" policy for the two-month stretch of near-real-time data in this dataset: all analysis must be performed on CAIDA computers; no download of raw data will be allowed. CAIDA will provide several basic tools to access the dataset, incl. CoralReef and Corsaro. In addition, researchers will be allowed to upload their own analysis software.
Note that access to these data is limited by available computing resources. In case more requests are received than our resources can handle, CAIDA reserves the right to prioritize access. Accounts will be valid for a nominal six months in which the research is expected to be completed. If a shorter period than six months suffices, then indicate this explicitly in the description of your research when you apply for this dataset; we will take this into account when assigning priorities to research projects.
Caveats that apply to this dataset:
This dataset and the types of worm and denial-of-service attack traffic contained therein are representative only of some spoofed source denial-of-service attacks. Many denial-of-service attackers do not spoof source IP addresses when they attack their victim, in which case backscatter would not appear on a telescope. Attackers can also spoof in a non-random fashion, which will incur an uneven distribution of backscatter across the IPv4 address space, including any telescope lenses. The telescope does not currently send any packets in response, which also limits insight into the traffic it sees.
Acceptable Use Agreement
Access to these data is subject to the terms of the IMPACT Acceptable Use Agreement
When referencing this data (as required by the AUA), please use:The CAIDA UCSD Near-Real-Time Network Telescope - < dates used > ,Also, please, report your publication to CAIDA.
Since April 2016 access to these data is provided through the website of the Information Marketplace for Policy and Analysis of Cyber-risk and Trust (IMPACT).
- Access to these data can be requested through IMPACT
UCSD Network Telescope Datasets
- Three Days Of Conficker Dataset
- Near-Real-Time Network Telescope Dataset
- CAIDA UCSD Network Telescope Traffic Samples
- Witty Worm Dataset
- Code-Red Worms Dataset
- Patch Tuesday Dataset
- Two Days in November 2008 Dataset
- Telescope Educational Dataset
- Telescope Dataset on the Sipscan
- Telescope Darknet Scanners Dataset
For more information about the use of these data in studies of internet censorship, see:
- A. Dainotti, C. Squarecella, E. Aben, K. Claffy, M. Chiesa, M. Russo, and A. Pescape, "Analysis of Country-wide Internet Outages Caused by Censorship",Internet Measurement Conference (IMC), Berlin, Germany, Nov 2011, pp. 1--18, ACM
- A. Dainotti, R. Amman, E. Aben, and K. Claffy, "Extracting benefit from harm: using malware pollution to analyze the impact of political and geophysical events on the Internet", ACM SIGCOMM Computer Communication Review (CCR), vol. 42, no. 1, pp. 31--39, Jan 2012.
For more information on Conficker and worm attacks, see:
For more information on Backscatter and Denial-of-Service attacks, see:
For more information on the UCSD Network Telescope, see:
For more information on the CoralReef Software Suite, see:
For more information on the Corsaro Software Suite, see:
For a non-exhaustive list of Non-CAIDA publications using Network Telescope data, see: