Introduction

The UCSD network telescope is a sophisticated system that monitors one-way, passive Internet traffic directed toward the unused portion of a globally routed /9 and /10 IPv4 network, which is often referred to as a black hole, Internet sink, darkspace, or darknet. This network, allocated by ARDC, represents approximately 1/256th of all IPv4 addresses and carries almost no legitimate traffic due to its lack of provider-allocated IP addresses.

After filtering out legitimate traffic from the incoming packets, the remaining signal provides a continuous view of anomalous unsolicited traffic, commonly referred to as Internet Background Radiation (IBR). This traffic includes a mixture of signals resulting from various sources such as misconfigurations (e.g. mistyping an IP addressxx), malicious activities (e.g., scanning, probing, and backscatter from denial-of-service attacks), propagation of worms and viruses, and other unintended network behaviors. IBR is generally studied to gain insights into Internet-wide phenomena, including cybersecurity threats, vulnerabilities, and systemic misconfigurations. Traditionally, darkspace traffic was dominated by high-intensity scanning, backscatter from large-scale denial-of-service (DDoS) attacks, and worm propagation. However, in recent years, traffic destined for darkspace has increasingly included longer-duration, low-intensity events, some of which are associated with botnet operations.

CAIDA personnel maintains and expands the telescope instrumentation, collects, curates, archives, and analyzes the data, and enables data access for vetted security researchers. As a result, 299 publications were written using datasets generated from the UCSD Network Telescope.

Subnet Filters

The UCSD network Telescope is a passive monitoring system that captures Internet traffic sent to a segment of IP address space owned by Amateur Radio Digital Communications. The range consists predominantly of unutilized IP addresses, meaning they are not assigned to active hosts. It also encompasses a few utilized IP address blocks. We wrote a tool to filter out any legitimate traffic inadvertently captured. Our filtering process relies on an exclusion list obtained by querying a database maintained by ARDC. This list includes all address blocks allocated by ARDC for use, including some users that announce their prefix via the Border Gateway Protocol (BGP) into the global Internet. Theoretically, we should not receive traffic from these BGP-announced networks; this filtering is a preventative measure. As of November 2023, we have enhanced our operations by automatically updating subnet filters twice daily. Additionally, for historical reference, we archive all filters going forward (starting with the timestamp 1700517778) in a swift container named amprnet-legit-networks-all-subnets. This container also has files of daily filters before this time, but there is a gap where we had not updated the pipeline to use the new database querying mechanism, i.e., we were not performing this filtering accurately. Authorized users of the telescope data can access this historical information which may help analyze the data, as it indicates which prefixes we should not see traffic to because we filter it. I.e, those address blocks are not part of our darknet.

The telescope instrumentation is in need of an overhaul to keep up with traffic growth. System resource limitations sometimes cause packets to be dropped, or failure to generate flowtuples. We are in the process of upgrading the hardware and software to accommodate this growth.

IBR Origin

Denial-of-service Attacks

The UCSD network telescope can be used to monitor the spread of random-source distributed denial-of-service attacks. To make it difficult for the attack victim (and the victim’s ISPs) to block an incoming attack, the attacker may use a fake source IP address (similar to a fake return address in postal mail) in each packet sent to the victim (Figure 1). Because the denial-of-service attack victim can’t distinguish between incoming requests from an attacker and legitimate inbound requests, the victim tries to respond to every received request (Figure 2). When the attacker spoofs a source address in the network telescope, we observe a response destined for a computer that doesn’t exist (and therefore never sent the initial query) (Figure 3). By monitoring these unsolicited responses, researchers can identify denial-of-service attack victims and infer information about the volume of the attack, the bandwidth of the victim, the location of the victim, and the types of services the attacker targets.

Figure 1: The attacker sends packets with spoofed source addresses to the denial-of-service attack victim.	Figure 2: The denial-of-service attack victim cannot differentiate between legitimate traffic and the attack packets, so the victim responds to as many of the attack packets as possible.	Figure 3: Because the network telescope composes 1/256th of the IPv4 address space, the telescope receives approximately 1/256th of the responses to spoofed packets generated by the denial-of-service attack victim.

We know of 11 papers relating to Denial-of-Service that have been written using telescope data :

• The Age of DDoScovery: An Empirical Comparison of Industry and Academic DDoS Assessments. R. Hiesgen, M. Nawrocki, M. Barcellos, D. Kopp, O. Hohlfeld, E. Chan, R. Dobbins, C. Doer, C. Rossow, D. Thomas, M. Jonker, R. Mok, X. Luo, J. Kristoff, T. Schmidt, M. Wählisch, k. claffy.
  ACM Internet Measurement Conference (IMC), Nov 2024.
• DarkSim: A Similarity-Based Time Series Analytic Framework for Darknet Traffic. M. Gao, R. Mok, E. Carisimo, k. claffy, E. Li, S. Kulkarni.
  ACM Internet Measurement Conference (IMC), Nov 2024.
• Investigating the impact of DDoS attacks on DNS infrastructure. R. Sommese, k. claffy, R. Van Rijswijk-Deij, A. Chattopadhyay, A. Dainotti, A. Sperotto, M. Jonker.
  ACM Internet Measurement Conference (IMC), Oct 2022.
• QUICsand: quantifying QUIC reconnaissance scans and DoS flooding events. M. Nawrocki, R. Hiesgen, T. Schmidt, M. Wahlisch.
  Proceedings of the 21st ACM Internet Measurement Conference, Nov 2021.
• At Home and Abroad: The Use of Denial-of-service Attacks during Elections in Nondemocratic Regimes. P. Lutscher, N. Weidmann, M. Roberts, M. Jonker, A. King, A. Dainotti.
  Journal of Conflict Resolution, Jul 2019.
• A machine learning model for classifying unsolicited IoT devices by observing Network Telescopes. F. Shaikh, E. Bou-Harb, J. Crichigno, N. Ghani.
  Intl Wireless Comm. and Mobile Computing Conf. (IWCMC),
• Inferring the deployment of source address validation filtering using silence of path-backscatter. S. Saurabh, A. Sairam.
  Natl Conf. on Communications (NCC),
• Millions of Targets Under Attack: a Macroscopic Characterization of the DoS Ecosystem. M. Jonker, A. King, J. Krupp, C. Rossow, A. Sperotto, A. Dainotti.
  ACM Internet Measurement Conference (IMC), Nov 2017.
• Darknet as a source of cyber threat intelligence: Investigating distributed and reflection Denial of Service attacks. C. Fachkha.
  Nov 2015.
• Detection and Mitigation of High-Rate Flooding Attacks. G. Mohay, E. Ahmed, S. Bhatia, A. Nadarajan, B. Ravindran, A. Tickle, R. Vijayasarathy.
  An Investigation into the Detection and Mitigation of Denial of Service (DoS) Attacks, Sep 2011.
• Inferring Internet Denial-of-Service Activity. D. Moore, C. Shannon, D. Brown, G. Voelker, S. Savage.
  ACM Transactions on Computer Systems, May 2006.

Internet Worms

Many Internet worms spread by randomly generating an IP address to be the target of an infection attempt and sending the worm off to that IP address in the hope that it is in use by a vulnerable computer (Figure 4). Because the network telescope includes one out of every 256 IPv4 addresses, it receives approximately one out of every 256 probes from hosts infected with randomly scanning worms. Many worms do not scan truly randomly, and network problems (both worm-induced and independent) may prevent the network telescope from receiving probes from all infected hosts. In general, though, the telescope sees a newly infected hosts transmitting at the slow speed of 10 packets per second within 30 seconds of the infection.

Figure 4: Infected computers randomly attempt to infect other vulnerable computers. The network telescope captures approximately one out of every 256 infection attempts.

We know of 50 papers relating to Internet Worms that have been written using telescope data:

• H2P: A Novel Model to Study the Propagation of Modern Hybrid Worm in Hierarchical Networks. T. Wang, C. Xia.
  LNTCS, Sep 2020.
• Stability analysis and control strategies for worm attack in mobile networks via a VEIQS propagation model. Q. Gao, J. Zhuang.
  Applied Mathematics and Computation, Mar 2020.
• Optimizing Computer Worm Detection Using Ensembles. N. Ochieng, W. Mwangi, I. Ateya.
  Security and Communication Networks, Apr 2019.
• Some New Approaches for Modelling Large-scale Worm Spreading on the Internet. II. A. Iliev, N. Kyurkchiev, A. Rahnev, T. Terzieva.
  Neural, Parallel and Scientific Computations,
• Intelligent Simulation Of Network Worm Propagation Using The Code Red As An Example. D. Chumachenko, K. Chumachenko, S. Yakovlev.
  Telecommunications and Radio Engineering, 2019.
• A Hybrid Filter/Wrapper Method for Feature Selection for Computer Worm Detection using Darknet Traffic. O. Ochieng, R. Waweru, L. Ismail.
  International Journal of Computer Applications, May 2018.
• Detecting scanning computer worms using machine learning and darkspace network traffic. N. Ochieng, A. Ismail, M. Waweru, J. Orero.
  Pan African Conf. on Science, Computing and Telecommunications (PACT), Mar 2017.
• Some estimation problems in epidemic modeling. J. Dauxois, A. Nucit.
  Communications in Statistics - Simulation and Computation, Mar 2017.
• Novel analytical modelling-based simulation of worm propagation in unstructured peer-to-peer networks. H. Alharbi.
  Jan 2017.
• Adaptive IP mutation: A proactive approach for defending against worm propagation. C. Lin, C. Wu, M. Huang, Z. Wen, Q. Cheng.
  IEEE Symp. onReliable Distributed Systems Workshops (SRDSW), Sep 2016.
• Darknet as a source of cyber intelligence: Survey, taxonomy, and characterization. C. Fachkha, M. Debbabi.
  IEEE Communications Surveys and Tutorials, May 2016.
• Characterising heterogeneity in vulnerable hosts on worm propagation. Z. Chen, C. Chen.
  Intl J. Security and Networks, Jan 2016.
• CIPA: A collaborative intrusion prevention architecture for programmable network and SDN. X. Chen, S. Yu.
  Computers and Security, Dec 2015.
• Hybrid epidemics - A case study on computer worm Conficker. C. Zhang, S. Zhou, B. Chain.
  Plos One, May 2015.
• Toward hardware-oriented defensive network infrastructure. H. Chen.
  2015.
• Model-checking mean-field models: algorithms and applications. A. Kolesnichenko.
  Dec 2014.
• IMap: Visualizing network activity over Internet maps. J. Fowler, T. Johnson, P. Simonetto, P. Lazos, S. Kobourov, M. Schneider, C. Aceda.
  Visualization for Cyber Security (VizSec), Nov 2014.
• Simulation of zero-day worm epidemiology in the dynamic, heterogeneous Internet. L. Tidy, S. Woodhead, J. Wetherall.
  J. Defense Modeling and Simulation: Applications, Methodology, Technology, Oct 2013.
• A source analysis of the Conficker outbreak from a Network Telescope. B. Irwin.
  SAIEE Africa Research J., Jun 2013.
• Cardinality change-based early detection of large-scale cyber-attacks. W. Chen, Y. Liu, Y. Guan.
  IEEE INFOCOM, Apr 2013.
• Detection of distributed denial of service attacks using an ensemble of adaptive and hybrid neuro-fuzzy systems. P. Kumar, S. Selvakumar.
  Computer Communications, Feb 2013.
• A large-scale zero-day worm simulator for cyber-epidemiological analysis. L. Tidy, S. Woodhead, J. Wetherall.
  Conf. on Advances in Computer Science and Electronics Engineering (CSEE), Feb 2013.
• Traffic anomaly detection improvement based on spatial-temporal characteristics. L. Zheng, P. Zou, Y. Jia, W. Han.
  Advanced Science Lett., Mar 2012.
• Diurnal Forced Models for Worm Propagation Based on Conficker Dataset. Y. Yao, W. Xiang, H. Guo, G. Yu, F. Gao.
  2011 Third International Conference on Multimedia Information Networking and Security, Nov 2011.
• Darknet-Based Inference of Internet Worm Temporal Characteristics. Q. Wang, Z. Chen, C. Chen.
  IEEE Transactions on Information Forensics and Security, Jul 2011.
• Expansion of matching pursuit methodology for anomaly detection in computer networks. L. Saganowski, T. Andrysiak, M. Choras, R. Renk.
  Advances in Intelligent and Soft Computing, 2011.
• Deriving a closed-form expression for worm-scanning strategies. Z. Chen, C. Chen, Y. Li.
  International Journal of Security and Networks, Jul 2009.
• Behavior-Based Worm Detection and Signature Generation. Y. Yao, J. Lv, F. Gao, Y. Zhang, G. Yu.
  2008 International Multi-symposiums on Computer and Computational Sciences, Jan 2009.
• Modeling and analysis of a self-learning worm based on good point set scanning. F. Wang, Y. Zhang, J. Ma.
  Wireless Communications and Mobile Computing, Nov 2008.
• Correcting congestion-based error in network telescope's observations of worm dynamics. S. Wei, J. Mirkovic.
  Proceedings of the 8th ACM SIGCOMM conference on Internet measurement (IMC'08), Oct 2008.
• An Improved Method of Hybrid Worm Simulation. Q. Liu, J. Jing, Y. Wang.
  2008 The Ninth International Conference on Web-Age Information Management, Aug 2008.
• High level internet scale traffic visualization using Hilbert curve mapping. B. Irwin, N. Pilkington.
  Mathematics and Visualization, May 2008.
• Correcting congestion-based error in network telescopes observations of worm dynamics. S. Wei, J. Mirkovic.
  Internet Measurement Conf. (IMC), 2008.
• Worm traffic analysis and characterization. A. Dainotti, A. Pescape, G. Ventre.
  IEEE Conf. on Communications (ICC), Jun 2007.
• Modeling and Defending Against Internet Worm Attacks. Z. Chen.
  May 2007.
• Measuring network-aware worm spreading ability. Z. Chen, C. Ji.
  IEEE Conf. on Computer Communications (INFOCOM), May 2007.
• Optimal worm-scanning method using vulnerable-host distributions. Z. Chen, C. Ji.
  J. Security and Networks, 2007.
• On the impact of dynamic addressing on malware propagation. M. Rajab, F. Monrose, A. Terzis.
  Proceedings of the 4th ACM workshop on Recurring malcode (WORM '06), Nov 2006.
• Worm Detection Using Honeypots. D. Christoffersen, B. Mauland.
  Jun 2006.
• Worm evolution tracking via timing analysis. M. Rajab, F. Monrose, A. Terzis.
  ACM workshop on Rapid Malcode (WORM), Nov 2005.
• Importance-scanning worm using vulnerable-host distribution. Z. Chen, C. Ji.
  IEEE Global Telecommunications Conf. (GLOBECOM), Nov 2005.
• On the effectiveness of distributed worm monitoring. M. Rajab, F. Monrose, A. Terzis.
  Usenix Security Conf. (SEC), Jul 2005.
• Routing worm: A fast, selective attack worm based on ip address information. C. Zhou, D. Towsley, W. Gong, S. Cai.
  Workshop on Principles of Advanced and Distributed Simulation (PADS'05), IEEE, 2005, Jun 2005.
• Entropy based worm and anomaly detection in fast IP networks. A. Wagner, A. Plattner.
  Proceedings of the 14th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprise, Jun 2005.
• PISA: Automatic extraction of traffic signatures. P. Chhabra, A. John, H. Saran.
  Lecture Notes in Computer Science (LNCS), May 2005.
• Toward understanding distributed blackhole placement. E. Cooke, M. Bailey, Z. Mao, D. Watson, F. Jahanian, D. McPherson.
  Proceedings of the 2004 ACM workshop on Rapid malcode (WORM '04), Oct 2004.
• The Spread of the Witty Worm. C. Shannon, D. Moore.
  IEEE Security and Privacy, Aug 2004.
• Worm Meets Beehive. X. Jiang, D. Xu, S. Lei, P. Ruth, J. Sun.
  2004.
• Internet Quarantine: Requirements for Containing Self-Propagating Code. D. Moore, C. Shannon, G. Voelker, S. Savage.
  IEEE Conference on Computer Communications (INFOCOM), Apr 2003.
• Code-Red: a case study on the spread and victims of an Internet worm. D. Moore, C. Shannon, J. Brown.
  Internet Measurement Workshop (IMW), Nov 2002.

Malicious Network Scans

Scans are automated, semi-automated, and manual attempts to locate exploitable computers on the Internet. The scan traffic often differs from other types of traffic visible on the network telescope because it is not driven by chance. Rather, the attacker’s byzantine motives in selecting scan targets appear arbitrary from the perspective of the recipient of the scan. The UCSD Network Telescope observes many types of scans continually, including ping based scans for the existence of a device at a given IP address, sequential scans of ports on a single IP address, methodical scans for a single or a small number of vulnerable ports sequentially through an IP address range, and even scans utilizing TCP resets.

Accessing and Analyzing UCSD Network Telescope Data

With support from multiple funding sources, we have worked to lower the barrier to entry for researchers by making network telescope data more accessible and easier to analyze while maintaining necessary privacy and security safeguards.

Currently there are 21 Telescope datasets listed in CAIDA catalog:

• UCSD Real-time Network Telescope. Apr 2020.
• Telescope nDAG Live.
• UCSD Telescope data at NERSC. Nov 2003.
• UCSD Network Telescope Aggregated Flow Dataset. Nov 2003.
• Aggregated Daily RSDoS Attack Metadata. Jan 2008.
• Annotated Anonymized Telescope Packets Sampler. Aug 2022.
• UCSD-NT FlowTuple Sampler. May 2022.
• Anonymized Network Sensing Graph Challenge Dataset. Apr 2022.
• Aggregated Daily RSDoS Attack Metadata (Corsaro 2). Aug 2021.
• CAIDA-GreyNoise Cross Correlation Dataset. Oct 2020.
• CAIDA Randomly and Uniformly Spoofed Denial-of-Service Attack Metadata. Feb 2017.
• Telescope Darknet Scanners. Jun 2016.
• Corsaro Patch Tuesday. Jun 2012.
• Telescope Educational. Apr 2012.
• Telescope Sipscan dataset. Feb 2011.
• Three days of Conficker. Jan 2009.
• Two-Days-in-2008 Telescope Dataset. Nov 2008.
• UCSD Network Telescope Traffic Samples. Nov 2008.
• Witty Worm dataset. Mar 2004.
• Backscatter datasets for TOCS paper. Feb 2004.
• Code Red worm dataset. Aug 2001.

Several historical datasets are available for download, either publicly or upon request. However, ongoing datasets containing sensitive information can only be accessed through a VM-based analysis platform, where users can bring their code to the data but cannot download unanonymized data to ensure security and privacy.

To further support researchers, CAIDA provides free access to U.S.-based and vetted foreign academic researchers and offers telescope data licensing to vetted, paying industry partners under restricted data-use policies.

We have compiled comprehensive documentation, including a user guide and tutorials, offering step-by-step guidance on accessing, processing, and analyzing telescope data.

Published research supported by Telescope Data

The UCSD Network Telescope datasets resulted in the following 299 publications:

• Papers using UCSD Network Telescope Datasets

Acknowledgments

The UCSD Network Telescope project is funded by NSF award OAC-2319959 “Scalable Technology to Accelerate Research Network Operations Vulnerability Alerts”, . The project was originally funded by NSF award, (CNS 1059439) “CRI-Telescope: A Real-time Lens into Dark Address Space of the Internet”, and subsequently by NSF award CNS-1730661 “STARDUST: Sustainable Tools for Analysis and Research on Darknet Unsolicited Traffic”, DHS S&T cooperative agreement (FA8750-12-2-0326) Supporting Research and Development of Security Technologies through Network and Security Data Collection, Amateur Radio Digital Communications (ARDC) service agreement “Supporting AMPRNet and the UCSD Network Telescope”, and MIT Lincoln Labs service agreement.