The CAIDA UCSD Network Telescope "Patch Tuesday" Dataset
The UCSD network telescope consists of a globally routed /8 network that carries almost no legitimate traffic. We can filter out the legitimate traffic so the resulting data provides us with a snapshot of anomalous 'background' traffic to 1/256th of all public IPv4 destination addresses on the Internet.
The packets seen by the network telescope result from a wide range of events, including misconfiguration (e.g. mistyping an IP address), scanning of address space by attackers or malware looking for vulnerable targets, backscatter from randomly spoofed source denial-of-service attacks, and the automated spread of malware.
This dataset contains data from darkspace observations in the first six months of 2012. The data has been preprocessed with the Corsaro Software Suite. The data is split into files that each contain one hour of data. For each hour we provide one file with flow information in the Corsaro FlowTuple format, and one file containing the source type analysis in the Corsaro Smee format. Note that the corresponding FlowType and Smee Corsaro plugins are required to read the files. The total size of this dataset is 2.1 TB.
The destination network addresses have been masked by zeroing the first eight bits of the IP address. Source addresses have been anonymized using Cryptopan anonymization with a single key.
The research described in the paper "The Day After Patch Tuesday: Effects Observable in IP Darkspace Traffic" by T. Zseby et al. was based on the data in this dataset.
Filenames are in the form:- FlowTuple data Filenames: [YYYYMMDDHHMM]_[epoch time].flowtuple - Smee source type analysis Filenames: [YYYYMMDDHHMM]_[epoch time].smee
The unprocessed, anonymized pcap traces for this dataset can in principle be made available on request, provided convincing arguments are given for needing them (the pcap files will consume about 20 TB of storage capacity!!). Pcap files can be read with any software that reads the pcap (tcpdump) format, including the CoralReef Software Suite, tcpdump, Wireshark, and many others.
Caveats that apply to this dataset:
- This dataset and the types of worm and denial-of-service attack traffic contained therein are representative only of some spoofed source denial-of-service attacks. Many denial-of-service attackers do not spoof source IP addresses when they attack their victim, in which case backscatter would not appear on a telescope. Attackers can also spoof in a non-random fashion, which will incur an uneven distribution of backscatter across the IPv4 address space, including any telescope lenses. The telescope does not currently send any packets in response, which also limits insight into the traffic it sees.
Referncing this Dataset
When referencing this data (as required by the AUA), please use:The CAIDA UCSD Network Telescope "Patch Tuesday" Dataset - < dates used > ,Also, please, report your publication to CAIDA.
Since April 2016 access to these data is provided through the website of the Information Marketplace for Policy and Analysis of Cyber-risk and Trust (IMPACT).
- Access to these data can be requested through IMPACT
For more information on the recent use of this dataset and other Telescope data by CAIDA researchers, see:
For more information on the UCSD Network Telescope, see:
For more information on the CoralReef Software Suite, see:
For more information on the Corsaro Software Suite, see:
For a non-exhaustive list of Non-CAIDA publications using Network Telescope data, see:
UCSD Network Telescope Datasets