Introduction
The UCSD network telescope (aka a black hole, an Internet sink, darkspace, or a darknet) is a globally routed /9 and /10 network (approximately 1/256th of all IPv4 Internet addresses) that carries almost no legitimate traffic because there are few provider-allocated IP addresses in this prefix. After discarding the legitimate traffic from the incoming packets, the remaining data represent a continuous view of anomalous unsolicited traffic, or Internet Background Radiation (IBR). IBR results from a wide range of events, such as backscatter from randomly spoofed source denial-of-service attacks, the automated spread of Internet worms and viruses, scanning of address space by attackers or malware looking for vulnerable targets, and various misconfigurations (e.g. mistyping an IP address). In recent years, traffic destined to darkspace has evolved to include longer-duration, low-intensity events intended to establish and maintain botnets.
CAIDA personnel maintain and expand the telescope instrumentation; collect, curate, archive, and analyze the data; and enable data access for vetted security researchers. As a result, 245 publications have been written using datasets generated from the UCSD Network Telescope.
IBR origin
Denial-of-service Attacks
The UCSD network telescope can be used to monitor the spread of random-source distributed denial-of-service attacks. To make it difficult for the attack victim (and the victim’s ISPs) to block an incoming attack, the attacker may use a fake source IP address (similar to a fake return address in postal mail) in each packet sent to the victim (Figure 1). Because the denial-of-service attack victim can’t distinguish between incoming requests from an attacker and legitimate inbound requests, the victim tries to respond to every received request (Figure 2). When the attacker spoofs a source address in the network telescope, we observe a response destined for a computer that doesn’t exist (and therefore never sent the initial query) (Figure 3). By monitoring these unsolicited responses, researchers can identify denial-of-service attack victims and infer information about the volume of the attack, the bandwidth of the victim, the location of the victim, and the types of services the attacker targets.
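The inference sketched above, written out as an added example (this is not CAIDA's code): classify packets arriving at the darknet as backscatter, group them by their source (the victim), and scale the observed rate by the telescope's ~1/256 share of the address space. The packet records, the minimum-packet thresholds and the dictionary field names are constructed for the demo.

```python
# Added example, not CAIDA's code: infer victims of randomly spoofed DoS attacks
# from the backscatter a darknet receives. All packet records are constructed.
from collections import defaultdict

TELESCOPE_FRACTION = 1 / 256  # the telescope covers ~1/256 of IPv4 (from the page)

# A darknet never sends requests, so any *reply* it receives is unsolicited.
# A victim answering spoofed requests emits TCP SYN-ACK or RST, ICMP echo
# replies, or ICMP destination-unreachable messages.
BACKSCATTER_KINDS = {("tcp", "SA"), ("tcp", "R"), ("tcp", "RA"),
                     ("icmp", "echo-reply"), ("icmp", "dest-unreach")}

def is_backscatter(pkt):
    return (pkt["proto"], pkt["kind"]) in BACKSCATTER_KINDS

def infer_victims(packets, min_pkts=5, min_dsts=3):
    """Group backscatter by its source (the attack victim), keep sources that
    reached enough distinct darknet addresses to look like a spoofed flood,
    and extrapolate the attack rate from the telescope's address coverage."""
    by_victim = defaultdict(list)
    for p in packets:
        if is_backscatter(p):
            by_victim[p["src"]].append(p)
    victims = {}
    for victim, pkts in by_victim.items():
        dsts = {p["dst"] for p in pkts}
        # A lone RST to one darknet address is more likely a misconfiguration.
        if len(pkts) < min_pkts or len(dsts) < min_dsts:
            continue
        ts = [p["ts"] for p in pkts]
        duration = max(ts) - min(ts) or 1.0  # guard a single-timestamp burst
        observed_rate = len(pkts) / duration
        victims[victim] = {
            "observed_pkts": len(pkts),
            "distinct_dsts": len(dsts),
            "services": sorted({p["sport"] for p in pkts}),  # ports under attack
            "observed_rate": observed_rate,
            "est_total_rate": observed_rate / TELESCOPE_FRACTION,
        }
    return victims

# Constructed sample: a web server answering spoofed SYNs (10 SYN-ACKs spread
# over darknet addresses), one scan probe, and one stray reset.
SAMPLE = [
    {"ts": i * 0.5, "src": "203.0.113.10", "dst": f"192.0.2.{i + 1}",
     "proto": "tcp", "sport": 80, "kind": "SA"} for i in range(10)
] + [
    {"ts": 3.0, "src": "198.51.100.7", "dst": "192.0.2.50",
     "proto": "tcp", "sport": 44321, "kind": "S"},   # a scan probe, not a reply
    {"ts": 4.0, "src": "198.51.100.9", "dst": "192.0.2.51",
     "proto": "tcp", "sport": 22, "kind": "R"},      # single stray RST
]

if __name__ == "__main__":
    for victim, info in infer_victims(SAMPLE).items():
        print(victim, info)
```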
We know of 56 papers relating to Denial-of-Service that have been written using telescope data:
- Investigating the impact of DDoS attacks on DNS infrastructure. R. Sommese, k. claffy, R. Van Rijswijk-Deij, A. Chattopadhyay, A. Dainotti, A. Sperotto, M. Jonker. ACM Internet Measurement Conference (IMC), Oct 2022.
- Digital Retaliation? Denial-of-Service Attacks after Sanction Events. P. Lutscher. Journal of Global Security Studies, Dec 2021.
- Governments and the Net: Defense, Control, and Trust in the Fifth Domain. L. Kawerau. Nov 2021.
- QUICsand: quantifying QUIC reconnaissance scans and DoS flooding events. M. Nawrocki, R. Hiesgen, T. Schmidt, M. Wählisch. Nov 2021.
- Mitigation of DoS Attacks Using Machine Learning. I. Goldschmidt. Aug 2021.
- Detection of Denial of Service Attack Using Deep Learning and Genetic Algorithm. S. Saha, N. Singh, B. Rudra. Advances in Intelligent Systems and Computing, Jul 2021.
- Analysis Of Ddos Backscatter Traffic In Network Flow Data. M. Marusiak. 2021.
- Preemptive modelling towards classifying vulnerability of DDoS attack in SDN environment. M. Narender, B. Yuvaraju. International Journal of Electrical and Computer Engineering (IJECE), Apr 2020.
- Performance evaluation of Botnet DDoS attack detection using machine learning. T. Tuan, H. Long, L. Son. Evolutionary Intelligence.
- Doble grado Ingenieria Informatica y Administracion y Direccion de Empresas. J. Rosell. Oct 2019.
- At Home and Abroad: The Use of Denial-of-service Attacks during Elections in Nondemocratic Regimes. P. Lutscher, N. Weidmann, M. Roberts, M. Jonker, A. King, A. Dainotti. Journal of Conflict Resolution, Jul 2019.
- ERM: An Accurate Approach to Detect DDoS Attacks using Entropy Rate Measurement. L. Zhou, K. Sood, Y. Xiang. IEEE Communications Letters.
- Locally weighted classifiers for detection of neighbor discovery protocol distributed denial-of-service and replayed attacks. A. Alsadhan, A. Hussain, P. Liatsis, M. Alani, H. Tawfik, P. Kendrick, H. Francis. Transactions on Emerging Telecommunications Technologies.
- DDoS detection and defense mechanism based on cognitive-inspired computing in SDN. J. Cui, M. Wang, Y. Luo, H. Zhong. Future Generation Computer Systems.
- Toward secure software-defined networks against distributed denial of service attack. K. Sahoo, S. Panda, S. Sahoo, B. Sahoo, R. Dash. The Journal of Supercomputing.
- E-Had: A distributed and collaborative detection framework for early detection of DDoS attacks. N. Patil, C. Krishna, K. Kumar, S. Behal. Journal of King Saud University - Computer and Information Sciences.
- SDN-Based Intrusion Detection System for Early Detection and Mitigation of DDoS Attacks. P. Manso, J. Moura, C. Serrao. Special Issue Insider Attacks.
- Hybrid Traceback Scheme for DDoS Attacks. V. Vipul. Recent Findings in Intelligent Computing Techniques.
- DITFEC: Drift Identification in Traffic-Flow Streams for DDoS Attack Defense Through Ensemble Classifier. K. Prasad, V. Siva, K. Kishore, M. Sreenivasulu. Computing and Network Sustainability.
- On the performance of intelligent techniques for intensive and stealthy DDos detection. X. Lianga, T. Znatia. Computer Networks.
- On the collaborative inference of DDoS: An information-theoretic distributed approach. Q. Ezzahra, B. Khaled, E. Bou-Harb, C. Fachkha, B. Zouari. Jun 2018.
- DEFAD: ensemble classifier for DDOS enabled flood attack defense in distributed network environment. K. Prasad, A. Reddy, K. Rao. Cluster Computing, May 2018.
- A machine learning model for classifying unsolicited IoT devices by observing Network Telescopes. F. Shaikh, E. Bou-Harb, J. Crichigno, N. Ghani.
- Inferring the deployment of source address validation filtering using silence of path-backscatter. S. Saurabh, A. Sairam.
- Blockchain based Confidentiality and Integrity Preserving Scheme for Enhancing E-commerce Security. G. Iliev, J. Shaikh.
- Neural Network Based DDoS Detection Regarding Hidden Layer Variation. I. Riadi, A. Muhammad. Journal of Theoretical and Applied Information Technology.
- Infrastructure for Generating New IDS Dataset. J. Uramova, P. Sege, M. Moravik, J. Papan, M. Kontsek, J. Hrabovsky.
- Managing IT Implementation Risk: A Model from High Reliability Organizations. K. Hartzel, W. Spangler.
- Detection System of HTTP DDoS Attacks in a Cloud Environment Based on Information Theoretic Entropy and Random Forest. M. Idhammad, K. Afdel, M. Belouch. Hindawi Security and Communication Networks.
- Sonification of Network Traffic for Detecting and Learning About Botnet Behavior. P. Vickers, M. Debashi. IEEE Access.
- Private Virtual Cloud Infrastructure Modelling using VCPHCF-RTT Security Agent. R. Maheshwari, A. Rajput, A. Gupta.
- D-FAC: A novel 0-Divergence based distributed DDoS defense system. S. Behal, M. Sachdeva, K. Saluja. Journal of King Saud University.
- Synflood Spoofed Source DDoS Attack Defense Based on Packet ID Anomaly Detection with Bloom Filter. T. Thang, C. Nguyen, K. Nguyen.
- Millions of Targets Under Attack: a Macroscopic Characterization of the DoS Ecosystem. M. Jonker, A. King, J. Krupp, C. Rossow, A. Sperotto, A. Dainotti. ACM Internet Measurement Conference (IMC), Nov 2017.
- Low-Rate DDoS Attack Detection Using Expectation of Packet Size. L. Zhou, M. Liao, C. Yuan, H. Zhang. Security and Communication Networks.
- Detecting a distributed denial of service attack using a pre-processed convolutional neural network. M. Ghanbari, W. Kinsner, K. Ferens.
- Cybercrime deterrence and international legislation: Evidence from Distributed Denial of Service attack. K. Hui, S. Kim, Q. Wang. Management Information Systems Quarterly, May 2016.
- Real Time Early Warning DDoS Attack Detection. K. Xylogiannopoulos, P. Karampelas, R. Alhaji. Mar 2016.
- Ranking of machine learning algorithms based on the performance in classifying DDoS attacks. R. Robinson, C. Thomas. Dec 2015.
- Darknet as a source of cyber threat intelligence: Investigating distributed and reflection Denial of Service attacks. C. Fachkha. Nov 2015.
- Feature selection for robust backscatter DDoS detection. E. Balkanli, A. Zincir-Heywood, M. Heywood. Oct 2015.
- Inferring distributed reflection denial of service attacks from darknet. C. Fachkha, E. Bou-Harb, M. Debbabi. Computer Communications, Jan 2015.
- Supervised learning to detect DDoS attacks. E. Balkanli, J. Alves, A. Zincir-Heywood. Dec 2014.
- DDOS attack detection based on an ensemble of neural classifier. M. Kale, D. Choudhari. Intl J. Computer Science and Network Security (IJCSNS), Jul 2014.
- On-line detection of persistently high packet-rate flows via a sliding window scheme with random packet sampling. T. Kudo, T. Takin. Intl J. of Network Management, Jan 2014.
- Marginal deterrence in the enforcement of law: Evidence from distributed Denial of Service attack. K. Hui, S. Kim, Q. Wang. Sep 2013.
- Detection of distributed denial of service attacks using an ensemble of adaptive and hybrid neuro-fuzzy systems. P. Kumar, S. Selvakumar. Computer Communications, Feb 2013.
- DDoS attacks detection by means of greedy algorithms. T. Andrysiak, L. Saganowski, M. Choras. Advances in Intelligent Systems and Computing, Jan 2013.
- Statistical Segregation Method to Minimize the False Detections During DDoS Attacks. J. Udhayan, T. Hamsapriya. International Journal of Network Security, Nov 2011.
- Detection and Mitigation of High-Rate Flooding Attacks. G. Mohay, E. Ahmed, S. Bhatia, A. Nadarajan, B. Ravindran, A. Tickle, R. Vijayasarathy. Sep 2011.
- Evaluating machine learning algorithms for detecting DDoS attacks. M. Suresh, R. Anitha. Communications in Computer and Information Science, Jun 2011.
- Evaluation of a distributed detecting method for SYN flood attacks using a real Internet trace. M. Narita, T. Katoh, B. Bista, T. Takata. Mar 2011.
- Joint entropy analysis model for DDoS attack detection. H. Rahmani, N. Sahli, F. Kamoun. Aug 2009.
- A traffic coherence analysis model for DDoS attack detection. H. Rahmani, N. Sahli, F. Kamoun. Jul 2009.
- Inferring Internet Denial-of-Service Activity. D. Moore, C. Shannon, D. Brown, G. Voelker, S. Savage. ACM Transactions on Computer Systems, May 2006.
- Disclosing the element distribution of Bloom filter. Y. Peng, J. Gong, W. Yang, W. Liu. Lecture Notes in Computer Science (LNCS), May 2006.
Internet Worms
Many Internet worms spread by randomly generating an IP address to be the target of an infection attempt and sending the worm off to that IP address in the hope that it is in use by a vulnerable computer (Figure 4). Because the network telescope includes one out of every 256 IPv4 addresses, it receives approximately one out of every 256 probes from hosts infected with randomly scanning worms. Many worms do not scan truly randomly, and network problems (both worm-induced and independent) may prevent the network telescope from receiving probes from all infected hosts. In general, though, the telescope sees a newly infected host transmitting at the slow speed of 10 packets per second within 30 seconds of the infection.
Figure 4: Infected computers randomly attempt to infect other vulnerable computers. The network telescope captures approximately one out of every 256 infection attempts.
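The 1/256 sampling argument above, carried through as an added example (not CAIDA's code): the probability that a host scanning at a given rate has been seen within a given time, the scan duration needed for a given confidence, and per-source extrapolation of scan rate from constructed probe records. The worm port number, the record fields and the minimum-target threshold are assumptions made for the demo.

```python
# Added example, not CAIDA's code: what the telescope's 1/256 address coverage
# implies for seeing a randomly scanning worm. Probe records are constructed.
import math
from collections import defaultdict

COVERAGE = 1 / 256  # the page: the telescope holds ~1 of every 256 IPv4 addresses

def p_observed(rate_pps, seconds, coverage=COVERAGE):
    """Probability that at least one of a host's uniformly random probes
    lands in the telescope within `seconds`, given its probe rate."""
    probes = rate_pps * seconds
    return 1.0 - (1.0 - coverage) ** probes

def seconds_to_observe(rate_pps, confidence=0.95, coverage=COVERAGE):
    """Scanning time after which the host has been seen with `confidence`."""
    probes = math.log(1.0 - confidence) / math.log(1.0 - coverage)
    return probes / rate_pps

def infected_hosts(probes, worm_port, min_targets=2):
    """Per source: first-seen time (an upper bound on its infection time) and
    its probe rate extrapolated from the telescope's share of the address
    space. A source must hit >= min_targets distinct darknet addresses so a
    single misdirected packet is not counted as an infected host."""
    by_src = defaultdict(list)
    for p in probes:
        if p["dport"] == worm_port:
            by_src[p["src"]].append(p)
    hosts = {}
    for src, pkts in by_src.items():
        if len({p["dst"] for p in pkts}) < min_targets:
            continue
        times = sorted(p["ts"] for p in pkts)
        span = times[-1] - times[0]
        # inter-arrival estimate: n packets bound n-1 intervals
        observed_rate = (len(pkts) - 1) / span if span > 0 else 0.0
        hosts[src] = {"first_seen": times[0], "observed_pkts": len(pkts),
                      "est_scan_rate": observed_rate / COVERAGE}
    return hosts

# Constructed sample. Port 4444 is a placeholder, not any real worm's port.
WORM_PORT = 4444
SAMPLE = (
    [{"ts": 100.0 + 25.6 * i, "src": "198.51.100.23", "dst": f"192.0.2.{10 + i}",
      "dport": WORM_PORT} for i in range(6)]   # one hit per 25.6 s: a 10 pps scanner
    + [{"ts": 130.0, "src": "198.51.100.77", "dst": "192.0.2.99",
        "dport": WORM_PORT}]                    # one stray packet, ignored
    + [{"ts": 140.0, "src": "198.51.100.23", "dst": "192.0.2.200",
        "dport": 80}]                           # unrelated probe, ignored
)

if __name__ == "__main__":
    # The page's figure: a 10 pps host is seen within 30 s of infection.
    print(f"P(seen within 30 s at 10 pps) = {p_observed(10, 30):.2f}")
    print(f"seconds for 95% at 10 pps     = {seconds_to_observe(10):.1f}")
    for src, info in infected_hosts(SAMPLE, WORM_PORT).items():
        print(src, info)
```

At 10 probes per second the telescope has roughly a 69% chance of having seen the host within 30 seconds and needs about 77 seconds for 95%, which is why the page describes the first sighting as happening "within 30 seconds" in general rather than always.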
We know of 50 papers relating to Internet Worms that have been written using telescope data:
- H2P: A Novel Model to Study the Propagation of Modern Hybrid Worm in Hierarchical Networks. T. Wang, C. Xia. LNTCS, Sep 2020.
- Generalization Performance Comparison of Machine Learners for the Detection of Computer Worms Using Behavioral Features. N. Ochieng, W. Mwangi, I. Ateya. Advances in Intelligent Systems and Computing, Jun 2020.
- Stability analysis and control strategies for worm attack in mobile networks via a VEIQS propagation model. Q. Gao, J. Zhuang. Applied Mathematics and Computation, Mar 2020.
- Reducing Generalization Error Using Autoencoders for The Detection of Computer Worms. N. Ochieng, W. Mwangi, I. Ateya. Computer Engineering and Applications.
- Computer Viruses. M. Reinikainen. Oct 2019.
- Optimizing Computer Worm Detection Using Ensembles. N. Ochieng, W. Mwangi, I. Ateya. Security and Communication Networks, Apr 2019.
- A New Analysis Of Cryptolocker Ransomware And Welchia Worm Propagation Behavior. N. Kyurkchiev, A. Iliev, A. Rahnev, T. Terzieva. Communications in Applied Analysis, Mar 2019.
- Some New Approaches for Modelling Large-scale Worm Spreading on the Internet. II. A. Iliev, N. Kyurkchiev, A. Rahnev, T. Terzieva. Neural, Parallel and Scientific Computations.
- Improvement of the Model of Computer Epidemics Based on Expanding the Set of Possible States of the Information Systems Objects. A. Bychkov, V. Navotna, V. Shevchenko, A. Shevchenko. Journal of Automation and Information Sciences, 2019.
- Intelligent Simulation Of Network Worm Propagation Using The Code Red As An Example. D. Chumachenko, K. Chumachenko, S. Yakovlev. Telecommunications and Radio Engineering, 2019.
- Detecting scanning computer worms using machine learning and darkspace network traffic. N. Ochieng, A. Ismail, M. Waweru, J. Orero. Mar 2017.
- Some estimation problems in epidemic modeling. J. Dauxois, A. Nucit. Communications in Statistics - Simulation and Computation, Mar 2017.
- Diagnosis of chronic kidney disease based on Support Vector Machine by Feature Selection Methods. H. Polat, H. Mehr, A. Cetin. J. of Medical Systems, Feb 2017.
- Novel analytical modelling-based simulation of worm propagation in unstructured peer-to-peer networks. H. Alharbi. Jan 2017.
- Adaptive IP mutation: A proactive approach for defending against worm propagation. C. Lin, C. Wu, M. Huang, Z. Wen, Q. Cheng. Sep 2016.
- Darknet as a source of cyber intelligence: Survey, taxonomy, and characterization. C. Fachkha, M. Debbabi. IEEE Communications Surveys and Tutorials, May 2016.
- Fitting a code-red virus spread model: An account of putting theory into practice. A. Kolesnichenko, B. Haverkort, A. Remke, P. de Boer. Mar 2016.
- Characterising heterogeneity in vulnerable hosts on worm propagation. Z. Chen, C. Chen. Intl J. Security and Networks, Jan 2016.
- Increasing the darkness of darknet traffic. Y. Haga, A. Saso, T. Mori, S. Goto. Dec 2015.
- CIPA: A collaborative intrusion prevention architecture for programmable network and SDN. X. Chen, S. Yu. Computers and Security, Dec 2015.
- Hybrid epidemics - A case study on computer worm Conficker. C. Zhang, S. Zhou, B. Chain. Plos One, May 2015.
- Optimizing hybrid spreading in metapopulations. C. Zhang, S. Zhou, J. Miller, I. Cox, B. Chain. Nature Scientific Reports, Apr 2015.
- Toward hardware-oriented defensive network infrastructure. H. Chen. 2015.
- Model-checking mean-field models: algorithms and applications. A. Kolesnichenko. Dec 2014.
- IMap: Visualizing network activity over Internet maps. J. Fowler, T. Johnson, P. Simonetto, P. Lazos, S. Kobourov, M. Schneider, C. Aceda. Nov 2014.
- Simulation of zero-day worm epidemiology in the dynamic, heterogeneous Internet. L. Tidy, S. Woodhead, J. Wetherall. J. Defense Modeling and Simulation: Applications, Methodology, Technology, Oct 2013.
- A source analysis of the Conficker outbreak from a Network Telescope. B. Irwin. SAIEE Africa Research J., Jun 2013.
- Cardinality change-based early detection of large-scale cyber-attacks. W. Chen, Y. Liu, Y. Guan. Apr 2013.
- Improved SEIR viruses propagation model and the patchs impact on the propagation of the virus. C. Ma, Y. Yang, X. Guo. J. of Computational Information Systems, Apr 2013.
- Detection of distributed denial of service attacks using an ensemble of adaptive and hybrid neuro-fuzzy systems. P. Kumar, S. Selvakumar. Computer Communications, Feb 2013.
- A large-scale zero-day worm simulator for cyber-epidemiological analysis. L. Tidy, S. Woodhead, J. Wetherall. Feb 2013.
- Combating good point set scanning-based self-learning worms by using predators. F. Wang, Y. Zhang, H. Guo, C. Wang. J. Network Security, Jan 2013.
- High level internet scale traffic visualization using Hilbert curve mapping. B. Irwin, N. Pilkington. Mathematics and Visualization, May 2008.
- Activity monitoring for large honeynets and network telescopes. J. Francois, R. State, O. Festor. J. Advances in Systems and Measurements, 2008.
- Correcting congestion-based error in network telescopes observations of worm dynamics. S. Wei, J. Mirkovic. 2008.
- Worm traffic analysis and characterization. A. Dainotti, A. Pescape, G. Ventre. Jun 2007.
- Measuring network-aware worm spreading ability. Z. Chen, C. Ji. May 2007.
- Sampling strategies for epidemic-style information dissemination. M. Vojnovic, V. Gupta, T. Karagiannis, C. Gkantsidis. Apr 2007.
- Optimal worm-scanning method using vulnerable-host distributions. Z. Chen, C. Ji. J. Security and Networks, 2007.
- Toward a framework for forensic analysis of scanning worms. I. Hamadeh, G. Kesidis. Lecture Notes in Computer Science (LNCS), Jun 2006.
- Antiworm NPU-based parallel Bloom filters for TCP/IP content processing in giga-ethernet LAN. Z. Chen, C. Lin, J. Ni, D. Ruan, B. Zheng, Y. Jiang, X. Peng, Y. Wang, A. Luo, B. Zhu, Y. Yue, F. Ren. Nov 2005.
- Worm evolution tracking via timing analysis. M. Rajab, F. Monrose, A. Terzis. Nov 2005.
- Importance-scanning worm using vulnerable-host distribution. Z. Chen, C. Ji. Nov 2005.
- On the effectiveness of distributed worm monitoring. M. Rajab, F. Monrose, A. Terzis. Jul 2005.
- Routing worm: A fast, selective attack worm based on ip address information. C. Zhou, D. Towsley, W. Gong, S. Cai. Jun 2005.
- Entropy based worm and anomaly detection in fast IP networks. A. Wagner, A. Plattner. Jun 2005.
- PISA: Automatic extraction of traffic signatures. P. Chhabra, A. John, H. Saran. Lecture Notes in Computer Science (LNCS), May 2005.
- The Spread of the Witty Worm. C. Shannon, D. Moore. IEEE Security and Privacy, Aug 2004.
- Internet Quarantine: Requirements for Containing Self-Propagating Code. D. Moore, C. Shannon, G. Voelker, S. Savage. IEEE Conference on Computer Communications (INFOCOM), Apr 2003.
- Code-Red: a case study on the spread and victims of an Internet worm. D. Moore, C. Shannon, J. Brown. Internet Measurement Workshop (IMW), Nov 2002.
Malicious Network Scans
Scans are automated, semi-automated, and manual attempts to locate exploitable computers on the Internet. Scan traffic often differs from the other types of traffic visible on the network telescope because it is not driven by chance. Rather, the attacker's byzantine motives in selecting scan targets appear arbitrary from the perspective of the recipient of the scan. The UCSD Network Telescope continually observes many types of scans, including ping-based scans for the existence of a device at a given IP address, sequential scans of the ports on a single IP address, methodical scans for a single or a small number of vulnerable ports sequentially through an IP address range, and even scans utilizing TCP resets.
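One way to label darknet sources with the scan shapes just listed, as an added example (not CAIDA's classifier): per-source packet records are grouped and matched against the ping, vertical, horizontal and TCP-reset patterns. The records, field names and the packet-count thresholds are constructed assumptions for the demo.

```python
# Added example, not CAIDA's code: label each source's darknet traffic with the
# scan shapes listed above. Records are constructed and the thresholds are
# illustrative assumptions, not CAIDA's own classification rules.
from collections import defaultdict

def ip_to_int(ip):
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def classify_scanner(pkts, min_pkts=4):
    """Classify one source's packets (sorted by time) as one of:
    ping-scan       : ICMP echo requests probing for live hosts
    vertical-scan   : many ports on a single address
    horizontal-scan : one or two ports across many addresses, sequential or not
    rst-scan        : probes sent as TCP resets rather than SYNs
    other           : too little traffic, or a shape not listed here"""
    if len(pkts) < min_pkts:
        return "other"
    protos = {p["proto"] for p in pkts}
    dsts = [p["dst"] for p in pkts]
    ports = {p["dport"] for p in pkts if p["proto"] != "icmp"}
    if protos == {"icmp"} and all(p["kind"] == "echo-request" for p in pkts):
        return "ping-scan"
    if protos == {"tcp"} and all(p["kind"] == "R" for p in pkts):
        return "rst-scan"
    if len(set(dsts)) == 1 and len(ports) >= min_pkts:
        return "vertical-scan"
    if len(ports) <= 2 and len(set(dsts)) >= min_pkts:
        # "methodical" = addresses visited in strictly increasing order
        order = [ip_to_int(d) for d in dsts]
        sequential = all(a < b for a, b in zip(order, order[1:]))
        return "horizontal-scan (sequential)" if sequential else "horizontal-scan (random)"
    return "other"

def classify_all(packets, min_pkts=4):
    by_src = defaultdict(list)
    for p in sorted(packets, key=lambda p: p["ts"]):
        by_src[p["src"]].append(p)
    return {src: classify_scanner(pkts, min_pkts) for src, pkts in by_src.items()}

# Constructed sample: one source per scan shape, plus a lone UDP packet.
SAMPLE = (
    [{"ts": i, "src": "198.51.100.1", "dst": f"192.0.2.{i}", "proto": "icmp",
      "kind": "echo-request"} for i in range(1, 6)]
    + [{"ts": 10 + i, "src": "198.51.100.2", "dst": "192.0.2.40", "proto": "tcp",
        "dport": 20 + i, "kind": "S"} for i in range(6)]
    + [{"ts": 20 + i, "src": "198.51.100.3", "dst": f"192.0.2.{100 + i}",
        "proto": "tcp", "dport": 80, "kind": "S"} for i in range(8)]
    + [{"ts": 30 + i, "src": "198.51.100.4", "dst": f"192.0.2.{150 + i}",
        "proto": "tcp", "dport": 22, "kind": "R"} for i in range(4)]
    + [{"ts": 40, "src": "198.51.100.5", "dst": "192.0.2.7", "proto": "udp",
        "dport": 53, "kind": "-"}]
)

if __name__ == "__main__":
    for src, label in classify_all(SAMPLE).items():
        print(src, label)
```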
Sharing Telescope Data
Privacy and Security issues
There are serious privacy and security concerns associated with Network Telescope datasets. Because some viruses and worms involve the installation of backdoors that provide unfettered access to infected computers, telescope data may inadvertently advertise these vulnerable machines. Also, while the source of some types of telescope traffic, including denial-of-service attacks and worms, is readily apparent, a significant volume of traffic is of unknown origin. Without identifying the causes of this traffic, we cannot categorically assess the security and privacy impact of releasing these data.
UCSD Network Telescope Datasets
CAIDA makes available a number of Telescope datasets for researchers who wish to study data collected at the UCSD Network Telescope.
- Historical and Near-Real-Time Network Telescope Dataset
- Aggregated Traffic Data in FlowTuple format
- Daily RSDoS Attack Metadata
- Two Years of Daily RSDoS Attack Metadata (downloadable paper supplement)
- Three Days Of Conficker Dataset
- CAIDA UCSD Network Telescope Traffic Samples
- Witty Worm Dataset
- Code-Red Worms Dataset
- Patch Tuesday Dataset
- Two Days in November 2008 Dataset
- Telescope Educational Dataset
- Telescope Dataset on the Sipscan
- Telescope Darknet Scanners Dataset
Published research supported by Telescope Data
The UCSD Network Telescope datasets resulted in the following publications:
Acknowledgments


The UCSD Network Telescope project was funded by DHS S&T cooperative agreement FA8750-12-2-0326, "Supporting Research and Development of Security Technologies through Network and Security Data Collection". The project was originally funded by NSF award CNS 1059439, "CRI-Telescope: A Real-time Lens into Dark Address Space of the Internet", and subsequently by NSF grant CNS-1730661, "STARDUST: Sustainable Tools for Analysis and Research on Darknet Unsolicited Traffic".