The UCSD network telescope (aka a black hole, an Internet sink, darkspace, or a darknet) is a globally routed /8 network (approximately 1/256th of all IPv4 Internet addresses) that carries almost no legitimate traffic because there are few provider-allocated IP addresses in this prefix. After discarding the legitimate traffic from the incoming packets, the remaining data represent a continuous view of anomalous unsolicited traffic, or Internet Background Radiation (IBR). IBR results from a wide range of events, such as backscatter from randomly spoofed source denial-of-service attacks, the automated spread of Internet worms and viruses, scanning of address space by attackers or malware looking for vulnerable targets, and various misconfigurations (e.g. mistyping an IP address). In recent years, traffic destined to darkspace has evolved to include longer-duration, low-intensity events intended to establish and maintain botnets.
CAIDA personnel maintains and expands the telescope instrumentation, collects, curates, archives, and analyzes the data, and enables data access for vetted security researchers.
The UCSD network telescope can be used to monitor the spread of random-source distributed denial-of-service attacks. To make it difficult for the attack victim (and the victim's ISPs) to block an incoming attack, the attacker may use a fake source IP address (similar to a fake return address in postal mail) in each packet sent to the victim (Figure 1). Because the denial-of-service attack victim can't distinguish between incoming requests from an attacker and legitimate inbound requests, the victim tries to respond to every received request (Figure 2). When the attacker spoofs a source address in the network telescope, we observe a response destined for a computer that doesn't exist (and therefore never sent the initial query) (Figure 3). By monitoring these unsolicited responses, researchers can identify denial-of-service attack victims and infer information about the volume of the attack, the bandwidth of the victim, the location of the victim, and the types of services the attacker targets.
Animated Backscatter Explanation: quicktime mpeg
Note that the network telescope can not monitor denial-of-service attacks utilizing not spoofed or non-randomly spoofed source IP addresses in attacking the victims.
Many Internet worms spread by randomly generating an IP address to be the target of an infection attempt and sending the worm off to that IP address in the hope that it is in use by a vulnerable computer (Figure 4). Because the network telescope includes one out of every 256 IPv4 addresses, it receives approximately one out of every 256 probes from hosts infected with randomly scanning worms. Many worms do not scan truly randomly, and network problems (both worm-induced and independent) may prevent the network telescope from receiving probes from all infected hosts. In general, though, the telescope sees a newly infected hosts transmitting at the slow speed of 10 packets per second within 30 seconds of the infection.
Figure 4: Infected computers randomly attempt to infect other vulnerable computers. The network telescope captures approximately one out of every 256 infection attempts.
Malicious Network Scans
Scans are automated, semi-automated, and manual attempts to locate exploitable computers on the Internet. The scan traffic often differs from other types of traffic visible on the network telescope because it is not driven by chance. Rather, the attacker's byzantine motives in selecting scan targets appear arbitrary from the perspective of the recipient of the scan. The UCSD Network Telescope observes many types of scans continually, including ping based scans for the existence of a device at a given IP address, sequential scans of ports on a single IP address, methodical scans for a single or a small number of vulnerable ports sequentially through an IP address range, and even scans utilizing TCP resets.
Sharing Telescope Data
Privacy and Security issues
There are serious privacy and security concerns associated with Network Telescope datasets. Because some viruses and worms involve the installation of backdoors that provide unfettered access to infected computers, telescope data may inadvertently advertise these vulnerable machines. Also, while the source of some types of telescope traffic, including denial-of-service attacks and worms, is readily apparent, a significant volume of traffic is of unknown origin. Without identifying the causes of this traffic, we cannot categorically assess the security and privacy impact of releasing these data.
CAIDA makes available a number of Telescope datasets for researchers who wish to study data collected at the UCSD Network Telescope.
UCSD Network Telescope Datasets
- Historical and Near-Real-Time Network Telescope Dataset
- Aggregated Traffic Data in FlowTuple format
- Daily RSDoS Attack Metadata
- Two Years of Daily RSDoS Attack Metadata (downloadable paper supplement)
- Three Days Of Conficker Dataset
- CAIDA UCSD Network Telescope Traffic Samples
- Witty Worm Dataset
- Code-Red Worms Dataset
- Patch Tuesday Dataset
- Two Days in November 2008 Dataset
- Telescope Educational Dataset
- Telescope Dataset on the Sipscan
- Telescope Darknet Scanners Dataset
Research supported by Telescope Data
The UCSD Network Telescope datasets resulted in the following publications:
The UCSD Network Telescope project is currently funded by DHS S&T cooperative agreement (FA8750-12-2-0326) Supporting Research and Development of Security Technologies through Network and Security Data Collection. The project was originally funded by NSF award, (CNS 1059439) "CRI-Telescope: A Real-time Lens into Dark Address Space of the Internet". The project is currently funded by NSF Grant CNS-1730661 "STARDUST: Sustainable Tools for Analysis and Research on Darknet Unsolicited Traffic".