Archived pages will be placed here as needed.
To gain a better understanding of the topological and economic structure of the Internet, we developed a method to map Autonomous Systems (AS) to organizations that operate them. Our AS-ranking interactive page provides an organization-based ranking of Internet providers based on these inferred mappings. This data can be downloaded here: AS to Organization data.
December 10-11, 2003 An analysis by David Moore and Colleen Shannon of the December 2003 Distributed Denial-of-Service (DDoS) Attack against the SCO Group. For more information contact firstname.lastname@example.org We would like to thank Brian Kantor, Jim Madden, and Pat Wilson of UCSD for technical support of the Network Telescope project; Ranjita Bhagwan, kc claffy, and Mike Gannis for feedback on this document; and Rob Lemos for discussion as events unfolded. Support for this work was provided by Cisco Systems, NSF, DARPA, DHS, and CAIDA members.
An analysis by Colleen Shannon and David Moore of the spread of the Witty Internet Worm in March 2004. The network telescope and associated security efforts are a joint project of the UCSD Computer Science and Engineering Department and the Cooperative Association for Internet Data Analysis. For more information contact email@example.com We would like to thank Brian Kantor, Jim Madden, and Pat Wilson of UCSD for technical support of the Network Telescope project; Mike Gannis, Nicholas Weaver, Wendy Garvin, Team Cymru, and Stefan Savage for feedback on this document; and the Cisco PSIRT Team, Wendy Garvin, Team Cymru, Nicholas Weaver, and Vern Paxson for discussion as events unfolded. Support for this work was provided by Cisco Systems, NSF, DARPA, DHS, and CAIDA members.
Analysis of the Sapphire Worm - A joint effort of CAIDA, ICSI, Silicon Defense, UC Berkeley EECS and UC San Diego CSE
The Sapphire Worm was the fastest spreading computer worm in history. It spread throughout the Internet and infected most of the vulnerable hosts that could be found within ten minutes. The worm (also called Slammer, SQLSlammer, W32.Slammer) began at almost exactly 5:30 AM (UTC) on Saturday January 25th and spread by infecting copies of Microsoft SQL Server and MSDE 2000 (Microsoft SQL Server Desktop Engine) that were exposed to the Internet. The analysis provided is a joint effort of CAIDA, ICSI, Silicon Defense, UC Berkeley EECS and UC San Diego CSE.
This report describes the response from CAIDA to the announcement of the vulnerability MS08-67, by activating the Network Telescope to monitor any possible activity related to the exploit of that vulnerability. Starting on October 23 and over the course of four weeks, we analyzed the traffic received by the Network Telescope. During this period some scanning activity was detected related to other exploits, but no evidence of outbreak was found based on our observations. The lack of activity could be explained by a timely response from the community to neutralize or mitigate the spread of a possible worm or a specific black-listing of the Telescope address space.
Code-Red Worms: A Global Threat We would like to thank Pat Wilson and Brian Kantor of UCSD for data and discussion; Vern Paxson (LBL and ACIRI) for providing an additional view point of data; Jeff Brown (UCSD/CSE) for producing animations of worm spread; Bill Fenner (AT&T Research) for useful comments and fli2gif; and Stefan Savage (UCSD) and kc claffy (CAIDA) for suggestions. We would also like to thank Cisco for their generous support, without which these analyses would have been impossible. Support for this work was provided by DARPA ITO NGI and NMS programs, NSF ANIR, and CAIDA members.
Mirrored from the CAIDA blog post, regarding the Carna botnet scans.
An analysis by David Moore and Colleen Shannon of the spread of the Nyxem (or Blackworm or Kama Sutra or MyWife or CME 24) Virus in January and early February 2006. For more information contact firstname.lastname@example.org. Support for this work was provided by Cisco Systems, NSF, DHS, and CAIDA members.
From 2010-2013, CAIDA performed a study of the economics of Internet interconnection, supported by the NSF grant CNS-1017064, “NetSE-Econ: The economics of transit and peering interconnections in the Internet”.
The worldwide distribution of Internet resources and address space is highly non- uniform. We present an analysis comparing five demographic measures against three measures of Internet resources, stratified by continent with substratification by country. We found that two continents and one country consume a much larger share of Internet resource allocation than predicted by their demographic measures of size.
For various topology-related projects, we need a mapping from an IP address to the Autonomous System (AS) that owns that IP address. The most common approach to map IP addresses to ASes is to use BGP table dumps from public sources like Routeviews and RIPE, and then perform a longest-prefix match on the set of prefixes. We are currently using one routing table from Routeviews (RV2) and one table from RIPE (RRC12) to map IP addresses to ASes. The goal of this analysis is to study whether the current choice of routing tables is the best, in terms of various different metrics that we are interested in. Further, we study the utility of adding more tables, in terms of the increase in address space coverage, new ASes, prefixes, AS links, and AS paths that the additional table gives. We also compare the IP-AS mapping from Routeviews and RIPE tables with that obtained from Team Cymru’s WHOIS service.
Recent Updates ARIN IPv6 Penetration Survey Results (2008-10-07) ARIN IPv6 Penetration Survey (2008-09-08) IPv4 WHOIS Map (2008-10-16) IPv4 Census Map (2007-10-12) These pages present the results of CAIDA’s work in 2005 and 2006 analyzing the rates and levels of consumption and use of Internet identifiers. Geoff Houston maintains current statistics on IPv4 consumption. Due to resource constraints and other priorities, we have shifted our efforts toward understanding the economic and security implications of IPv4 address ownership, where the Internet address policy community seems headed.
This report presents the results of a controlled “anycast switching” experiment conducted on the Chilean .CL ccTLD anycast infrastructure. Using traces from the .CL anycast cloud, we measure the time it takes for a client to get redirected from a failing node to the next available node.
This visualization shows the geographic distribution of DNS clients for anycast instances. We provide two world maps for each root, with individual anycast servers placed on the map at the “center of influence” of its observed clients. Wedges fanning out from each server indicate the direction, distance, and number of clients observed within the bounding angle of the wedge.
Internet topology maps are an important tool for those who seek to describe, analyze, or model various aspects of the Internet’s structure, behavior, and evolution. While different methods of measuring topology yield substantially different views of the Internet, many studies rely on only a single data source, sometimes outdated or incomplete, or mix fundamentally different data sources into a single topology. These compromises may undermine the fidelity of derived models and integrity of analysis results. In this report, we conduct a systematic comparison of Internet topologies derived from different data sources and characterizing the Internet at three granularities relevant to research as well as operations of network infrastructure: IP address (interface), router, and Autonomous System (AS). This document was later published as a CAIDA technical report in May 2012.
To visualize the use of IPv4 Internet address space, we create heatmaps that use intensity of color (heat) to show the use of addresses belonging to the same network. These heatmaps also make use of a fractal mapping technique that describes a space-fitting curve. This technique, most recently popularized by Randall Munroe’s xkcd #195, John Heidemann’s ping-based Censuses of IPv4 Space and Duane Wessels' maps of Routeviews BGP, open DNS resolvers, and RIR IPv4 whois data, keeps adjacent IP addresses close to one another in the map.
This webpage describes the methodology for generating dual AS and router-level Internet topologies. We also present analysis that is used to justify some of the design decisions in the generator, which is available upon request.
Data derived from the external DIMES dataset is posted here as a reference for future analysis in hyperbolic embedding of the Internet AS-level topology.
To increase our fundamental understanding of the laws of evolution of large scale networks, we build and analyze models for Internet topology evolution. We attempt to not only faithfully reproduce observed data, but also to develop sound methodologies for evaluating and validating various classes of formal network growth models.
Internet traffic classification gains continuous attentions while many applications emerge on the Internet with obfuscation techniques. Related papers tend to try to classify whatever traffic samples a researcher can find, with no systematic integration of results. To fill this gap, we have created a structured taxonomy of traffic classification papers and their data sets. Furthermore, we hope to reveal issues and challenges in traffic classification.
To visualize the use of IPv4 Internet address space, we create heatmaps that use intensity of color (heat) to show the use of addresses belonging to the same network. These heatmaps also make use of a fractal mapping technique that describes a space-fitting curve. This technique, most recently popularized by Randall Munroe’s xkcd #195, John Heidemann’s ping-based Censuses of IPv4 Space and Duane Wessels' maps of Routeviews BGP, open DNS resolvers, and RIR IPv4 whois data, keeps adjacent IP addresses close to one another in the map. By creating these maps of observable empirical data, we hope to learn about how the current IPv4 address space is used. We use traffic data samples from two OC192 core backbone links in the U.S., and meta-data (only for ARIN’s data) on what fraction and type of addresses are observably sending traffic on a busy backbone link at a busy weekday hour. We first extracted IP addresses seen in 1 hour of traffic on both directions of a tier1 ISP backbone link between Chicago and Seattle (sample taken April 2008) and of a backbone link between Los Angeles and San Jose (sample taken July 2008). The unique number of /24 networks that we see on those links is roughly 11% of the total number of /24 networks of the whole IPv4 space.
CAIDA’s Internet policy research tries to address the issues of economics, ownership, and trust which create obstacles to progress on most of the top problems of the Internet.
This page displays a snapshot of Internet Protocol version 6 (IPv6) topology at the Autonomous System (AS) level. The graph is derived from IPv6 forward paths as seen from a single observation point within Japan’s academic network on June 6, 2003.
Network topologies may be treated as a directed graph. Specific methods and definitions for analyzing network topology using graph theory.
Visualization of Autonomous Systems (AS) inter-connections between Internet eXchange points (IX) in 2002.
An annotated bibliography of papers and presentations in the wide-area networking literature. Note: This effort ended in 2013, but remains for historical purposes.