UCSD Network Telescope Aggregated Flow Dataset
The UCSD Network Telescope consists of a globally routed, but lightly utilized /9 and /10 network prefix, that is, 1/256th of the whole IPv4 address space. It contains few legitimate hosts; inbound traffic to non-existent machines - so called Internet Background Radiation (IBR) - is unsolicited and results from a wide range of events, including misconfiguration (e.g. mistyping an IP address), scanning of address space by attackers or malware looking for vulnerable targets, backscatter from randomly spoofed denial-of-service attacks, and the automated spread of malware. CAIDA continously captures this anomalous traffic discarding the legitimate traffic packets destined to the few reachable IP addresses in this prefix. We archive and aggregate these data, and provide this valuable resource to network security researchers.
Raw data captured by the UCSD Network Telescope are stored in huge pcap files,
each file containing 1 hour of data. In order to enable more efficient data
storage, processing, and analysis, these hourly pcap files are post-processed
software to extract the most important packet header fields and aggregate data
into FlowTuple files.
For more information please see the FlowTuple documentation.
Caveats that apply to this dataset
This dataset and the types of worm and denial-of-service attack traffic contained therein are representative only of some spoofed source denial-of-service attacks. Many denial-of-service attackers do not spoof source IP addresses when they attack their victim, in which case backscatter would not appear on a telescope. Attackers can also spoof in a non-random fashion, which will incur an uneven distribution of backscatter across the IPv4 address space, and may cause backscatter traffic to miss any telescope lenses. Note that the telescope does not send any packets in response, which also limits insight into the traffic it sees.
Data Access Policy
In 2021 CAIDA completed an NSF-funded CI-SUSTAIN project "Sustainable Tools for Analysis and Research on Darknet Unsolicited Traffic" (STARDUST). NSF’s expectation is that this funding has enabled CAIDA to sustain Telescope data collection, curation, and sharing through users' contributions. We are now undertaking efforts to put in place the mechanisms that allow such contributions. This includes service agreements and data licensing for academic and commercial data use, as well as new data access options. If you are interested in finding more information about the access options and pricing please fill out and submit the CAIDA UCSD Network Telescope Datasets Request Form.
Acceptable Use Agreement
Access to these data is subject to the terms of the following CAIDA Acceptable Use Agreement
Referencing this Dataset
When referencing this data (as required by the AUA), please use:
The CAIDA UCSD Network Telescope Aggregated Flow Dataset - <dates used>,You are required to report your publications using this dataset to CAIDA.
UCSD Network Telescope Datasets
- Historical and Near-Real-Time Network Telescope Dataset
- Aggregated Traffic Data in FlowTuple format
- Daily RSDoS Attack Metadata
- Two Years of Daily RSDoS Attack Metadata (downloadable paper supplement)
- Annotated Anonymized Telescope Packets Sampler
- Three Days Of Conficker Dataset
- CAIDA UCSD Network Telescope Traffic Samples
- Witty Worm Dataset
- Code-Red Worms Dataset
- Patch Tuesday Dataset
- Two days in November 2008 Dataset
- Telescope Educational Dataset
- Telescope Dataset on the Sipscan
- Telescope Darknet Scanners Dataset
For more information on the UCSD Network Telescope, see:
For more information on the CoralReef Software Suite, see:
For more information on the Corsaro Software Suite, see:
For a non-exhaustive list of Non-CAIDA publications using Network Telescope data, see: