Skip to Content
[CAIDA - Center for Applied Internet Data Analysis logo]
Center for Applied Internet Data Analysis > research : security
Research - Security
Security research at CAIDA makes use of darknet traffic data collected by the UCSD network telescope. Our infrastructure projects deal with collecting, hosting, and sharing security-relevant data with the research community. Past activities focused on measurement and statistical analysies of various Internet worms and viruses.
|   Ongoing Research    Infrastructure Projects    Datasets    Publications    Previous Research   |

Ongoing Research

Using multiple sources of large-scale data: BGP interdomain routing control plane data; unsolicited data plane traffic to unassigned address space; active macroscopic traceroute measurements; RIR delegation files; and MaxMind geolocation database, we analyzed disruptions of Internet communications in Egypt and Libya in response to civilian protests and threats of civil war.

We study the Internet Background Radiation (IBR) traffic observed by the UCSD network telescope to evaluate effects of natural disasters (such as earthquakes) on the availability of Internet communications.

Malicious Scanning Activities

Using the UCSD network telescope, we captured a horizontal scan of the entire IPv4 address space conducted by the Sality botnet in February 2011. Our "Analysis of a "/0" Stealth Scan from a Botnet" paper revealed heavily coordinated and unusually covert scanning strategy aimed to discover and compromise VoIP-related (SIP server) infrastructure.

On March 17, 2013, the authors of an anonymous email to the "Full Disclosure" mailing list announced that last year they conducted a full probing of the entire IPv4 Internet. They claimed they used a botnet (named "Carna") created by infecting machines vulnerable due to use of default login/password pairs. Since we could not find any third-party validation of this event, we looked for evidence in the traffic captured at the UCSD Network Telescope (a large darknet), and performed a preliminary analysis of the Carna botnet scans.

Infrastructure Projects


CAIDA offers a number of datasets for researchers who wish to study data collected at the UCSD Network Telescope.


Malicious Activity Analysis

  • [Worm] On October 23, 2008, Microsoft announced a security update that resolved a critical vulnerability in the Windows Server service (MS08-067). In this bulletin, Microsoft stated, "it is possible that this vulnerability could be used in the crafting of a wormable exploit". While various rumors spread, the first serious evidence of a worm outbreak was reported on November 22 2008. We provide both an initial results of MS08-067 as seen from the UCSD Network Telescope as well as an update of Conficker/Conflicker/Downadup as seen from the UCSD Network Telescope.

    [Virus] We estimate that between 469,507 and 946,835 computers in more than 200 countries were infected by the Nyxem/Blackworm virus between January 15 23:40:54 UTC 2006 and Wednesday February 1 05:00:12 UTC. At least 45,401 of the infected computers were also compromised by other forms of spyware or bot software. For details, read on in The Nyxem Email Virus: Analysis and Inferences

  • [Worm] A joint effort of CAIDA and UC San Diego CSE to analyze the spread of the Witty Worm. At 8:45:18pm PST on March 19, 2004, the UCSD network telescope received its first Witty worm packet. In contrast to previous worms, we observed 110 hosts infected in the first ten seconds, and 160 at the end of 30 seconds. Witty infected only about a tenth as many hosts than the next smallest widespread Internet worm. Where SQL Slammer infected between 75,000 and 100,000 computers, the vulnerable population of the Witty worm was only about 12,000 computers. Although researchers have long predicted that a fast-probing worm could infect a small population very quickly, Witty is the first worm to demonstrate this capability. Witty was also the first widely propagated Internet worm to carry a destructive payload, represents the shortest known interval between vulnerability disclosure and worm release -- it began to spread the day after the ISS vulnerability was publicized.

  • [DoS Attack] Around 2:50 AM PST Thursday morning, December 11, the attacker(s) began to attack SCO's ftp (file transfer protocol) servers in addition to continuing the web server attack. Together and experienced a SYN flood of over 50,000 packet-per-second early Thursday morning. By mid-morning Thursday (9 AM PST), the attack rate had reduced considerably to around 3,700 packets per second. Throughout Thursday morning, the ftp server received the brunt of the attack, although the high-intensity attack on the ftp server lasted for a considerably shorter duration than the web server attack. In spite of rumors that SCO has faked the denial-of-service attack to implicate Linux users and garner sympathy from its critics, UCSD's Network Telescope received more than 2.8 million response packets from SCO servers, indicating that SCO responded to more than 700 million attack packets over 32 hours. For details, read on CAIDA's report SCO Offline from Denial-of-Service Attack.

  • [Worm] A joint effort of CAIDA, ICSI, Silicon Defense, UC Berkeley EECS and UC San Diego CSE to provide an analysis of the Sapphire Worm. The Sapphire Worm was the fastest computer worm in history. As it began spreading throughout the Internet, it doubled in size every 8.5 seconds. It infected more than 90 percent of vulnerable hosts within 10 minutes. The worm (also called Slammer) began to infect hosts slightly before 05:30 UTC on Saturday, January 25. The worm infected at least 75,000 hosts, perhaps considerably more, and caused network outages and such unforeseen consequences as canceled airline flights, interference with elections, and ATM failures.

  • [Worm] On July 19, 2001 more than 359,000 computers were infected with the Code-Red (CRv2) worm in less than 14 hours. At the peak of the infection frenzy, more than 2,000 new hosts were infected each minute. 43% of all infected hosts were in the United States, while 11% originated in Korea followed by 5% in China and 4% in Taiwan. The .NET Top Level Domain (TLD) accounted for 19% of all compromised machines, followed by .COM with 14% and .EDU with 2%. We also observed 136 (0.04%) .MIL and 213 (0.05%) .GOV hosts infected by the worm.

    CAIDA's analysis of the Code-Red worms includes a detailed analysis of the spread of original Code-Red v1 as well as Code-Red v2 and CodeRed II, detailing their differences and spread.

  Last Modified: Tue Oct-13-2020 22:21:54 UTC
  Page URL: