Ongoing Research
Infrastructure
- MIT ANA Spoofer
CAIDA is collaborating with the MIT ANA Spoofer project to assess macroscopic trends in IPv4 source address filtering, e.g., whether packets with private or bogon source addresses, which should never leave an appropriately configured network, are in fact being filtered.
- UCSD Network Telescope
The UCSD network telescope is a passive data collection system: a portion of routed IP address space on which little or no legitimate traffic exists. Because nothing legitimate is addressed there, any traffic that arrives is unsolicited, and monitoring it yields a view of certain remote network events. Among the visible events are backscatter from various forms of flooding DoS attacks, infection of hosts by Internet worms, and network scanning.
- Protected Repository for the Defense of Infrastructure Against Cyber Threats (PREDICT)
PREDICT is a repository of data for cyber security research. PREDICT is a community of users who share data useful for research into cyber defense technologies, products, models and strategies.
Malicious Activity Analysis
- Conficker/Conflicker/Downadup as seen from the UCSD Network Telescope (2008-2009)
[Worm] On October 23, 2008, Microsoft released a security update that resolved a critical vulnerability in the Windows Server service (MS08-067). In that bulletin, Microsoft stated, "it is possible that this vulnerability could be used in the crafting of a wormable exploit". While various rumors spread, the first serious evidence of a worm outbreak was reported on November 22, 2008. We provide both initial results on MS08-067 activity as seen from the UCSD Network Telescope and an update on Conficker/Conflicker/Downadup as seen from the UCSD Network Telescope.
Datasets
CAIDA makes available a number of datasets for researchers who wish to study data collected at the UCSD Network Telescope.
- Denial-of-Service Attack Backscatter
- Worms
Publications
Previous Research
Malicious Activity Analysis
- The Nyxem Email Virus: Analysis and Inferences (2006)
[Virus] We estimate that between 469,507 and 946,835 computers in more than 200 countries were infected by the Nyxem/Blackworm virus between January 15, 2006 23:40:54 UTC and Wednesday, February 1, 2006 05:00:12 UTC. At least 45,401 of the infected computers were also compromised by other forms of spyware or bot software. For details, see The Nyxem Email Virus: Analysis and Inferences.
- Spread of the Witty Worm (2004)
[Worm] A joint effort of CAIDA and UC San Diego CSE to analyze the spread of the Witty Worm. At 8:45:18pm PST on March 19, 2004, the UCSD network telescope received its first Witty worm packet. In contrast to previous worms, we observed 110 hosts infected in the first ten seconds and 160 by the end of 30 seconds. Witty infected only about a tenth as many hosts as the next smallest widespread Internet worm: where SQL Slammer infected between 75,000 and 100,000 computers, the vulnerable population for Witty was only about 12,000 computers. Although researchers had long predicted that a fast-probing worm could infect a small population very quickly, Witty was the first worm to demonstrate this capability. Witty was also the first widely propagated Internet worm to carry a destructive payload, and it represents the shortest known interval between vulnerability disclosure and worm release: it began to spread the day after the ISS vulnerability was publicized.
- SCO Offline from Denial-of-Service Attack (2003)
[DoS Attack] Around 2:50 AM PST on Thursday morning, December 11, the attacker(s) began to attack SCO's ftp (file transfer protocol) servers in addition to continuing the web server attack. Together, www.sco.com and ftp.sco.com experienced a SYN flood of over 50,000 packets per second early Thursday morning. By mid-morning Thursday (9 AM PST), the attack rate had dropped considerably, to around 3,700 packets per second. Throughout Thursday morning the ftp server received the brunt of the attack, although the high-intensity attack on the ftp server lasted for a considerably shorter time than the web server attack. In spite of rumors that SCO had faked the denial-of-service attack to implicate Linux users and garner sympathy from its critics, UCSD's Network Telescope received more than 2.8 million response packets from SCO servers, indicating that SCO responded to more than 700 million attack packets over 32 hours. For details, see CAIDA's report SCO Offline from Denial-of-Service Attack.
- Analysis of the Sapphire Worm (2003)
[Worm] A joint effort of CAIDA, ICSI, Silicon Defense, UC Berkeley EECS and UC San Diego CSE to analyze the Sapphire Worm (also called Slammer). Sapphire was the fastest computer worm in history: as it began spreading throughout the Internet, it doubled in size every 8.5 seconds and infected more than 90 percent of vulnerable hosts within 10 minutes. The worm began to infect hosts slightly before 05:30 UTC on Saturday, January 25, 2003. It infected at least 75,000 hosts, perhaps considerably more, and caused network outages and such unforeseen consequences as canceled airline flights, interference with elections, and ATM failures.
- CAIDA Analysis of Code-Red (2001)
[Worm] On July 19, 2001 more than 359,000 computers were infected with the Code-Red (CRv2) worm in less than 14 hours. At the peak of the infection frenzy, more than 2,000 new hosts were infected each minute. 43% of all infected hosts were in the United States, while 11% originated in Korea followed by 5% in China and 4% in Taiwan. The .NET Top Level Domain (TLD) accounted for 19% of all compromised machines, followed by .COM with 14% and .EDU with 2%. We also observed 136 (0.04%) .MIL and 213 (0.05%) .GOV hosts infected by the worm.
CAIDA's analysis of the Code-Red worms includes a detailed analysis of the spread of the original Code-Red v1 as well as Code-Red v2 and CodeRed II, detailing their differences and how each spread.