UCSD Network Telescope Educational Dataset: Analysis of Unidirectional IP Traffic to Darkspace
The UCSD network telescope consists of a globally routed /9 and /10 network that carries almost no legitimate traffic. We can filter out the legitimate traffic so the resulting data provides us with a snapshot of anomalous 'background' traffic to 1/256th of all public IPv4 destination addresses on the Internet.
The packets seen by the network telescope result from a wide range of events, including misconfiguration (e.g. mistyping an IP address), scanning of address space by attackers or malware looking for vulnerable targets, backscatter from randomly spoofed source denial-of-service attacks, and the automated spread of malware.
This educational dataset describes methods for analyzing Internet Protocol (IP) traffic data destined to this unassigned address space (also referred to as darkspace) using data samples from the UCSD Network Telescope.
We hope that this educational dataset, and accompanying instructions, will help teachers introduce Internet data analysis concepts to students. We show how to use different analysis methods to extract information from the raw data, providing step-by-step instructions for analyzing the dataset, and displaying the outcome of each of the analysis steps. We contribute this material for education in the field of network data analysis and hope to inspire students and teachers to work with darkspace and other network data.
This educational dataset uses Telescope data from April 2012. With this dataset we show how the raw data (in pcap format) can be reprocessed with the CAIDA Corsaro Software Suite to extract aggregated information. We then provide a sequence of exercises demonstrating the steps required to analyze the aggregated data for the purpose of isolating signatures of "Patch Tuesday" on April 10 in the Telescope data as in the paper "The Day After Patch Tuesday: Effects Observable in IP Darkspace Traffic".
In all data samples the destination network addresses have been masked by zeroing the first eight bits of the IP address. Source addresses have been anonymized using Cryptopan anonymization with a single key.
Caveats that apply to this dataset:
- This dataset and the types of worm and denial-of-service attack traffic contained therein are representative only of some spoofed source denial-of-service attacks. Many denial-of-service attackers do not spoof source IP addresses when they attack their victim, in which case backscatter would not appear on a telescope. Attackers can also spoof in a non-random fashion, which will incur an uneven distribution of backscatter across the IPv4 address space, including any telescope lenses. The telescope does not currently send any packets in response, which also limits insight into the traffic it sees.
Acceptable Use Agreement
Please read the terms of the CAIDA Acceptable Use Agreement (AUA) for Publicy Accessible Datasets below:
When referencing this data (as required by the AUA), please use:
The CAIDA UCSD Network Telescope Educational Dataset,
Request Data Access
Access the public CAIDA UCSD Network Telescope Educational Dataset
For more information on the recent use of these data and other Telescope data by CAIDA researchers, see:
For more information on the UCSD Network Telescope, see:
For more information on the CoralReef Software Suite, see:
For more information on the Corsaro Software Suite, see:
For a non-exhaustive list of Non-CAIDA publications using Network Telescope data, see: