The UCSD Network Telescope

The UCSD Network Telescope is a passive traffic monitoring system built on a globally routed, but lightly utilized /9 and /10 network. Under CAIDA stewardship, this unique resource provides valuable data for network security researchers.

Introduction

The UCSD network telescope (aka a black hole, an Internet sink, darkspace, or a darknet) is a globally routed /9 and /10 network (approximately 1/256th of all IPv4 Internet addresses) that carries almost no legitimate traffic because there are few provider-allocated IP addresses in this prefix. After discarding the legitimate traffic from the incoming packets, the remaining data represent a continuous view of anomalous unsolicited traffic, or Internet Background Radiation (IBR). IBR results from a wide range of events, such as backscatter from randomly spoofed source denial-of-service attacks, the automated spread of Internet worms and viruses, scanning of address space by attackers or malware looking for vulnerable targets, and various misconfigurations (e.g. mistyping an IP address). In recent years, traffic destined to darkspace has evolved to include longer-duration, low-intensity events intended to establish and maintain botnets.

CAIDA personnel maintains and expands the telescope instrumentation, collects, curates, archives, and analyzes the data, and enables data access for vetted security researchers. As a result, 299 publications were written using datasets generated from the UCSD Network Telescope.

IBR origin

Denial-of-service Attacks

The UCSD network telescope can be used to monitor the spread of random-source distributed denial-of-service attacks. To make it difficult for the attack victim (and the victim’s ISPs) to block an incoming attack, the attacker may use a fake source IP address (similar to a fake return address in postal mail) in each packet sent to the victim (Figure 1). Because the denial-of-service attack victim can’t distinguish between incoming requests from an attacker and legitimate inbound requests, the victim tries to respond to every received request (Figure 2). When the attacker spoofs a source address in the network telescope, we observe a response destined for a computer that doesn’t exist (and therefore never sent the initial query) (Figure 3). By monitoring these unsolicited responses, researchers can identify denial-of-service attack victims and infer information about the volume of the attack, the bandwidth of the victim, the location of the victim, and the types of services the attacker targets.


Figure 1: The attacker sends packets with spoofed source addresses to the denial-of-service attack victim.	Figure 2: The denial-of-service attack victim cannot differentiate between legitimate traffic and the attack packets, so the victim responds to as many of the attack packets as possible.	Figure 3: Because the network telescope composes 1/256th of the IPv4 address space, the telescope receives approximately 1/256th of the responses to spoofed packets generated by the denial-of-service attack victim.

We know of 11 papers relating to Denial-of-Service that have been written using telescope data :

The Age of DDoScovery: An Empirical Comparison of Industry and Academic DDoS Assessments. R. Hiesgen, M. Nawrocki, M. Barcellos, D. Kopp, O. Hohlfeld, E. Chan, R. Dobbins, C. Doer, C. Rossow, D. Thomas, M. Jonker, R. Mok, X. Luo, J. Kristoff, T. Schmidt, M. Wählisch, k. claffy.
ACM Internet Measurement Conference (IMC), Nov 2024.
DarkSim: A Similarity-Based Time Series Analytic Framework for Darknet Traffic. M. Gao, R. Mok, E. Carisimo, k. claffy, E. Li, S. Kulkarni.
ACM Internet Measurement Conference (IMC), Nov 2024.
Investigating the impact of DDoS attacks on DNS infrastructure. R. Sommese, k. claffy, R. Van Rijswijk-Deij, A. Chattopadhyay, A. Dainotti, A. Sperotto, M. Jonker.
ACM Internet Measurement Conference (IMC), Oct 2022.
QUICsand: quantifying QUIC reconnaissance scans and DoS flooding events. M. Nawrocki, R. Hiesgen, T. Schmidt, M. Wahlisch.
Proceedings of the 21st ACM Internet Measurement Conference, Nov 2021.
At Home and Abroad: The Use of Denial-of-service Attacks during Elections in Nondemocratic Regimes. P. Lutscher, N. Weidmann, M. Roberts, M. Jonker, A. King, A. Dainotti.
Journal of Conflict Resolution, Jul 2019.
A machine learning model for classifying unsolicited IoT devices by observing Network Telescopes. F. Shaikh, E. Bou-Harb, J. Crichigno, N. Ghani.
Intl Wireless Comm. and Mobile Computing Conf. (IWCMC),
Inferring the deployment of source address validation filtering using silence of path-backscatter. S. Saurabh, A. Sairam.
Natl Conf. on Communications (NCC),
Millions of Targets Under Attack: a Macroscopic Characterization of the DoS Ecosystem. M. Jonker, A. King, J. Krupp, C. Rossow, A. Sperotto, A. Dainotti.
ACM Internet Measurement Conference (IMC), Nov 2017.
Darknet as a source of cyber threat intelligence: Investigating distributed and reflection Denial of Service attacks. C. Fachkha.
Nov 2015.
Detection and Mitigation of High-Rate Flooding Attacks. G. Mohay, E. Ahmed, S. Bhatia, A. Nadarajan, B. Ravindran, A. Tickle, R. Vijayasarathy.
An Investigation into the Detection and Mitigation of Denial of Service (DoS) Attacks, Sep 2011.
Inferring Internet Denial-of-Service Activity. D. Moore, C. Shannon, D. Brown, G. Voelker, S. Savage.
ACM Transactions on Computer Systems, May 2006.

Internet Worms

Many Internet worms spread by randomly generating an IP address to be the target of an infection attempt and sending the worm off to that IP address in the hope that it is in use by a vulnerable computer (Figure 4). Because the network telescope includes one out of every 256 IPv4 addresses, it receives approximately one out of every 256 probes from hosts infected with randomly scanning worms. Many worms do not scan truly randomly, and network problems (both worm-induced and independent) may prevent the network telescope from receiving probes from all infected hosts. In general, though, the telescope sees a newly infected hosts transmitting at the slow speed of 10 packets per second within 30 seconds of the infection.

Figure 4: Infected computers randomly attempt to infect other vulnerable computers. The network telescope captures approximately one out of every 256 infection attempts.

We know of 51 papers relating to Internet Worms that have been written using telescope data:

H2P: A Novel Model to Study the Propagation of Modern Hybrid Worm in Hierarchical Networks. T. Wang, C. Xia.
LNTCS, Sep 2020.
Stability analysis and control strategies for worm attack in mobile networks via a VEIQS propagation model. Q. Gao, J. Zhuang.
Applied Mathematics and Computation, Mar 2020.
Optimizing Computer Worm Detection Using Ensembles. N. Ochieng, W. Mwangi, I. Ateya.
Security and Communication Networks, Apr 2019.
A New Analysis Of Cryptolocker Ransomware And Welchia Worm Propagation Behavior. N. Kyurkchiev, A. Iliev, A. Rahnev, T. Terzieva.
Communications in Applied Analysis,, Mar 2019.
Some New Approaches for Modelling Large-scale Worm Spreading on the Internet. II. A. Iliev, N. Kyurkchiev, A. Rahnev, T. Terzieva.
Neural, Parallel and Scientific Computations,
Intelligent Simulation Of Network Worm Propagation Using The Code Red As An Example. D. Chumachenko, K. Chumachenko, S. Yakovlev.
Telecommunications and Radio Engineering, 2019.
A Hybrid Filter/Wrapper Method for Feature Selection for Computer Worm Detection using Darknet Traffic. O. Ochieng, R. Waweru, L. Ismail.
International Journal of Computer Applications, May 2018.
Detecting scanning computer worms using machine learning and darkspace network traffic. N. Ochieng, A. Ismail, M. Waweru, J. Orero.
Pan African Conf. on Science, Computing and Telecommunications (PACT), Mar 2017.
Some estimation problems in epidemic modeling. J. Dauxois, A. Nucit.
Communications in Statistics - Simulation and Computation, Mar 2017.
Novel analytical modelling-based simulation of worm propagation in unstructured peer-to-peer networks. H. Alharbi.
Jan 2017.
Adaptive IP mutation: A proactive approach for defending against worm propagation. C. Lin, C. Wu, M. Huang, Z. Wen, Q. Cheng.
IEEE Symp. onReliable Distributed Systems Workshops (SRDSW), Sep 2016.
Darknet as a source of cyber intelligence: Survey, taxonomy, and characterization. C. Fachkha, M. Debbabi.
IEEE Communications Surveys and Tutorials, May 2016.
Characterising heterogeneity in vulnerable hosts on worm propagation. Z. Chen, C. Chen.
Intl J. Security and Networks, Jan 2016.
CIPA: A collaborative intrusion prevention architecture for programmable network and SDN. X. Chen, S. Yu.
Computers and Security, Dec 2015.
Hybrid epidemics - A case study on computer worm Conficker. C. Zhang, S. Zhou, B. Chain.
Plos One, May 2015.
Toward hardware-oriented defensive network infrastructure. H. Chen.
2015.
Model-checking mean-field models: algorithms and applications. A. Kolesnichenko.
Dec 2014.
IMap: Visualizing network activity over Internet maps. J. Fowler, T. Johnson, P. Simonetto, P. Lazos, S. Kobourov, M. Schneider, C. Aceda.
Visualization for Cyber Security (VizSec), Nov 2014.
Simulation of zero-day worm epidemiology in the dynamic, heterogeneous Internet. L. Tidy, S. Woodhead, J. Wetherall.
J. Defense Modeling and Simulation: Applications, Methodology, Technology, Oct 2013.
A source analysis of the Conficker outbreak from a Network Telescope. B. Irwin.
SAIEE Africa Research J., Jun 2013.
Cardinality change-based early detection of large-scale cyber-attacks. W. Chen, Y. Liu, Y. Guan.
IEEE INFOCOM, Apr 2013.
Detection of distributed denial of service attacks using an ensemble of adaptive and hybrid neuro-fuzzy systems. P. Kumar, S. Selvakumar.
Computer Communications, Feb 2013.
A large-scale zero-day worm simulator for cyber-epidemiological analysis. L. Tidy, S. Woodhead, J. Wetherall.
Conf. on Advances in Computer Science and Electronics Engineering (CSEE), Feb 2013.
Traffic anomaly detection improvement based on spatial-temporal characteristics. L. Zheng, P. Zou, Y. Jia, W. Han.
Advanced Science Lett., Mar 2012.
Diurnal Forced Models for Worm Propagation Based on Conficker Dataset. Y. Yao, W. Xiang, H. Guo, G. Yu, F. Gao.
2011 Third International Conference on Multimedia Information Networking and Security, Nov 2011.
Darknet-Based Inference of Internet Worm Temporal Characteristics. Q. Wang, Z. Chen, C. Chen.
IEEE Transactions on Information Forensics and Security, Jul 2011.
Expansion of matching pursuit methodology for anomaly detection in computer networks. L. Saganowski, T. Andrysiak, M. Choras, R. Renk.
Advances in Intelligent and Soft Computing, 2011.
Deriving a closed-form expression for worm-scanning strategies. Z. Chen, C. Chen, Y. Li.
International Journal of Security and Networks, Jul 2009.
Behavior-Based Worm Detection and Signature Generation. Y. Yao, J. Lv, F. Gao, Y. Zhang, G. Yu.
2008 International Multi-symposiums on Computer and Computational Sciences, Jan 2009.
Modeling and analysis of a self-learning worm based on good point set scanning. F. Wang, Y. Zhang, J. Ma.
Wireless Communications and Mobile Computing, Nov 2008.
Correcting congestion-based error in network telescope's observations of worm dynamics. S. Wei, J. Mirkovic.
Proceedings of the 8th ACM SIGCOMM conference on Internet measurement (IMC'08), Oct 2008.
An Improved Method of Hybrid Worm Simulation. Q. Liu, J. Jing, Y. Wang.
2008 The Ninth International Conference on Web-Age Information Management, Aug 2008.
High level internet scale traffic visualization using Hilbert curve mapping. B. Irwin, N. Pilkington.
Mathematics and Visualization, May 2008.
Correcting congestion-based error in network telescopes observations of worm dynamics. S. Wei, J. Mirkovic.
Internet Measurement Conf. (IMC), 2008.
Worm traffic analysis and characterization. A. Dainotti, A. Pescape, G. Ventre.
IEEE Conf. on Communications (ICC), Jun 2007.
Modeling and Defending Against Internet Worm Attacks. Z. Chen.
May 2007.
Measuring network-aware worm spreading ability. Z. Chen, C. Ji.
IEEE Conf. on Computer Communications (INFOCOM), May 2007.
Optimal worm-scanning method using vulnerable-host distributions. Z. Chen, C. Ji.
J. Security and Networks, 2007.
On the impact of dynamic addressing on malware propagation. M. Rajab, F. Monrose, A. Terzis.
Proceedings of the 4th ACM workshop on Recurring malcode (WORM '06), Nov 2006.
Worm Detection Using Honeypots. D. Christoffersen, B. Mauland.
Jun 2006.
Worm evolution tracking via timing analysis. M. Rajab, F. Monrose, A. Terzis.
ACM workshop on Rapid Malcode (WORM), Nov 2005.
Importance-scanning worm using vulnerable-host distribution. Z. Chen, C. Ji.
IEEE Global Telecommunications Conf. (GLOBECOM), Nov 2005.
On the effectiveness of distributed worm monitoring. M. Rajab, F. Monrose, A. Terzis.
Usenix Security Conf. (SEC), Jul 2005.
Routing worm: A fast, selective attack worm based on ip address information. C. Zhou, D. Towsley, W. Gong, S. Cai.
Workshop on Principles of Advanced and Distributed Simulation (PADS'05), IEEE, 2005, Jun 2005.
Entropy based worm and anomaly detection in fast IP networks. A. Wagner, A. Plattner.
Proceedings of the 14th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprise, Jun 2005.
PISA: Automatic extraction of traffic signatures. P. Chhabra, A. John, H. Saran.
Lecture Notes in Computer Science (LNCS), May 2005.
Toward understanding distributed blackhole placement. E. Cooke, M. Bailey, Z. Mao, D. Watson, F. Jahanian, D. McPherson.
Proceedings of the 2004 ACM workshop on Rapid malcode (WORM '04), Oct 2004.
The Spread of the Witty Worm. C. Shannon, D. Moore.
IEEE Security and Privacy, Aug 2004.
Worm Meets Beehive. X. Jiang, D. Xu, S. Lei, P. Ruth, J. Sun.
2004.
Internet Quarantine: Requirements for Containing Self-Propagating Code. D. Moore, C. Shannon, G. Voelker, S. Savage.
IEEE Conference on Computer Communications (INFOCOM), Apr 2003.
Code-Red: a case study on the spread and victims of an Internet worm. D. Moore, C. Shannon, J. Brown.
Internet Measurement Workshop (IMW), Nov 2002.

Malicious Network Scans

Scans are automated, semi-automated, and manual attempts to locate exploitable computers on the Internet. The scan traffic often differs from other types of traffic visible on the network telescope because it is not driven by chance. Rather, the attacker’s byzantine motives in selecting scan targets appear arbitrary from the perspective of the recipient of the scan. The UCSD Network Telescope observes many types of scans continually, including ping based scans for the existence of a device at a given IP address, sequential scans of ports on a single IP address, methodical scans for a single or a small number of vulnerable ports sequentially through an IP address range, and even scans utilizing TCP resets.

Privacy and Security issues

There are serious privacy and security concerns associated with Network Telescope datasets. Because some viruses and worms involve the installation of backdoors that provide unfettered access to infected computers, telescope data may inadvertently advertise these vulnerable machines. Also, while the source of some types of telescope traffic, including denial-of-service attacks and worms, is readily apparent, a significant volume of traffic is of unknown origin. Without identifying the causes of this traffic, we cannot categorically assess the security and privacy impact of releasing these data.