



Ongoing Research
Country-wide Censorship Episodes
Using multiple sources of large-scale data (BGP interdomain routing control plane data, unsolicited data plane traffic to unassigned address space, active macroscopic traceroute measurements, RIR delegation files, and the MaxMind geolocation database), we analyzed disruptions of Internet communications in Egypt and Libya in response to civilian protests and threats of civil war.
Large-scale Outages
We study the Internet Background Radiation (IBR) traffic observed by the UCSD network telescope to evaluate effects of natural disasters (such as earthquakes) on the availability of Internet communications.

Malicious Scanning Activities
Using the UCSD network telescope, we captured a horizontal scan of the entire IPv4 address space conducted by the Sality botnet in February 2011. Our paper, "Analysis of a "/0" Stealth Scan from a Botnet", revealed a heavily coordinated and unusually covert scanning strategy aimed at discovering and compromising VoIP-related (SIP server) infrastructure.
On March 17, 2013, the authors of an anonymous email to the "Full Disclosure" mailing list announced that they had conducted a full probing of the entire IPv4 Internet the previous year. They claimed to have used a botnet (named "Carna") created by infecting machines that were vulnerable because they used default login/password pairs. Since we could not find any third-party validation of this event, we looked for evidence in the traffic captured at the UCSD Network Telescope (a large darknet), and performed a preliminary analysis of the Carna botnet scans.
Infrastructure Projects
Internet Topology Mapping
We have developed and implemented new measurement and data collection technologies on the Ark measurement infrastructure to improve DHS' situational awareness and understanding of the structure, dynamics and vulnerabilities of the physical and logical topologies of the global Internet.
Information Marketplace for Policy and Analysis of Cyber-risk & Trust (IMPACT)
IMPACT is a repository of data for cyber security research. CAIDA participates in IMPACT as a Data Provider and Data Host.
Spoofer
Originally developed at MIT ANA, the Spoofer project seeks to assess macroscopic trends in IPv4 source address filtering, e.g., of private or bogon addresses, which should not be exiting appropriately configured networks.
Datasets
CAIDA offers a number of datasets for researchers who wish to study data collected at the UCSD Network Telescope.
- Denial-of-Service Attack Backscatter
- Worms
Publications
Previous Research
Malicious Activity Analysis
Conficker/Conflicker/Downadup as seen from the UCSD Network Telescope (2008-2009)
[Worm] On October 23, 2008, Microsoft announced a security update that resolved a critical vulnerability in the Windows Server service (MS08-067). In this bulletin, Microsoft stated, "it is possible that this vulnerability could be used in the crafting of a wormable exploit". While various rumors spread, the first serious evidence of a worm outbreak was reported on November 22, 2008. We provide both initial results on MS08-067 as seen from the UCSD Network Telescope and an update on Conficker/Conflicker/Downadup as seen from the UCSD Network Telescope.
The Nyxem Email Virus: Analysis and Inferences (2006)
[Virus] We estimate that between 469,507 and 946,835 computers in more than 200 countries were infected by the Nyxem/Blackworm virus between January 15 23:40:54 UTC 2006 and Wednesday February 1 05:00:12 UTC. At least 45,401 of the infected computers were also compromised by other forms of spyware or bot software. For details, read The Nyxem Email Virus: Analysis and Inferences.
Spread of the Witty Worm (2004)
[Worm] A joint effort of CAIDA and UC San Diego CSE to analyze the spread of the Witty Worm. At 8:45:18pm PST on March 19, 2004, the UCSD network telescope received its first Witty worm packet. In contrast to previous worms, we observed 110 hosts infected in the first ten seconds, and 160 at the end of 30 seconds. Witty infected only about a tenth as many hosts as the next smallest widespread Internet worm. Where SQL Slammer infected between 75,000 and 100,000 computers, the vulnerable population of the Witty worm was only about 12,000 computers. Although researchers have long predicted that a fast-probing worm could infect a small population very quickly, Witty is the first worm to demonstrate this capability. Witty was also the first widely propagated Internet worm to carry a destructive payload, and it represents the shortest known interval between vulnerability disclosure and worm release: it began to spread the day after the ISS vulnerability was publicized.
SCO Offline from Denial-of-Service Attack (2003)
[DoS Attack] Around 2:50 AM PST Thursday morning, December 11, the attacker(s) began to attack SCO's ftp (file transfer protocol) servers in addition to continuing the web server attack. Together www.sco.com and ftp.sco.com experienced a SYN flood of over 50,000 packets per second early Thursday morning. By mid-morning Thursday (9 AM PST), the attack rate had reduced considerably to around 3,700 packets per second. Throughout Thursday morning, the ftp server received the brunt of the attack, although the high-intensity attack on the ftp server lasted for a considerably shorter duration than the web server attack. In spite of rumors that SCO had faked the denial-of-service attack to implicate Linux users and garner sympathy from its critics, UCSD's Network Telescope received more than 2.8 million response packets from SCO servers, indicating that SCO responded to more than 700 million attack packets over 32 hours. For details, read CAIDA's report SCO Offline from Denial-of-Service Attack.
Analysis of the Sapphire Worm (2003)
[Worm] A joint effort of CAIDA, ICSI, Silicon Defense, UC Berkeley EECS and UC San Diego CSE to provide an analysis of the Sapphire Worm. The Sapphire Worm was the fastest computer worm in history. As it began spreading throughout the Internet, it doubled in size every 8.5 seconds. It infected more than 90 percent of vulnerable hosts within 10 minutes. The worm (also called Slammer) began to infect hosts slightly before 05:30 UTC on Saturday, January 25. The worm infected at least 75,000 hosts, perhaps considerably more, and caused network outages and such unforeseen consequences as canceled airline flights, interference with elections, and ATM failures.
CAIDA Analysis of Code-Red (2001)
[Worm] On July 19, 2001, more than 359,000 computers were infected with the Code-Red (CRv2) worm in less than 14 hours. At the peak of the infection frenzy, more than 2,000 new hosts were infected each minute. 43% of all infected hosts were in the United States, while 11% originated in Korea followed by 5% in China and 4% in Taiwan. The .NET Top Level Domain (TLD) accounted for 19% of all compromised machines, followed by .COM with 14% and .EDU with 2%. We also observed 136 (0.04%) .MIL and 213 (0.05%) .GOV hosts infected by the worm.
CAIDA's analysis of the Code-Red worms includes a detailed analysis of the spread of the original Code-Red v1 as well as Code-Red v2 and CodeRed II, detailing their differences and spread.