
Network telescopes are like super powerful binoculars for the internet, allowing us to scan a massive portion of the internet's surface for potential cybersecurity threats. They can monitor millions of IP addresses at once.
This is made possible by a network telescope's ability to collect and analyze vast amounts of internet traffic data. By doing so, they can identify malicious activity, such as malware and phishing attempts, before they reach their intended targets.
Network telescopes can detect threats that traditional security systems might miss, such as unknown malware or zero-day attacks. This is because they are constantly monitoring the internet for unusual patterns and behaviors.
As a result, network telescopes have become an essential tool for cybersecurity professionals, helping them stay one step ahead of cyber threats and protect their organizations' sensitive data.
Additional reading: Joint Data Network
Network Telescope Basics
A network telescope is a passive monitoring system that observes network traffic without interfering with it. It's like a pair of binoculars that lets you observe the world without touching it.
A network telescope typically consists of a collection of sensors that are strategically placed across the network to gather data. These sensors can be routers, switches, or even dedicated monitoring devices.
The data collected by the sensors is then analyzed to identify patterns and anomalies in the network traffic. This helps network administrators to understand how their network is being used and identify potential security threats.
Network telescopes are often used to detect and analyze malware, as they can observe the communication patterns of malicious software. They can also help to identify unknown vulnerabilities in network devices.
By analyzing network traffic, network telescopes can provide valuable insights into network behavior and performance.
Discover more: French Data Network
Threats and Attacks
Network telescopes like the one at UCSD observe a wide range of malicious network scans. These scans are automated, semi-automated, and manual attempts to locate exploitable computers on the internet.
Scans often differ from regular network traffic because they're not driven by chance, but rather by an attacker's specific motives. The UCSD Network Telescope sees many types of scans, including ping-based scans that check for the existence of a device at a given IP address.
Malicious scans can also involve sequential scans of ports on a single IP address, methodical scans for vulnerable ports through an IP address range, and even scans using TCP resets.
Here's an interesting read: Network Address
DoS Attacks
A DoS attack is a type of cyberattack that aims to make a computer or network resource unavailable by overwhelming it with traffic.
This type of attack can be launched from a single IP address or a network of compromised devices.
A notable example of a DoS attack is the "Mirai botnet" which caused widespread disruptions in 2016 by flooding DNS servers with traffic.
The Mirai botnet was powered by over 100,000 compromised IoT devices.
A DoS attack can be launched using various tools and techniques, including amplification attacks and application-layer attacks.
Amplification attacks involve using a third-party service to amplify the traffic, making it harder to identify the source of the attack.
Application-layer attacks target specific vulnerabilities in web applications, often using tools like Slowloris.
Discover more: Ppc Competitor Keyword Research Tools
Malicious Scans
Malicious Scans are automated, semi-automated, and manual attempts to locate exploitable computers on the Internet.
Scans are driven by the attacker's motives, which can appear arbitrary to the recipient of the scan.
A different take: Automated Keyword Research
Malicious scans often differ from other network traffic because they're not random.
The UCSD Network Telescope observes many types of scans continually, including ping based scans for the existence of a device at a given IP address.
Sequential scans of ports on a single IP address are also commonly observed.
Methodical scans for a single or a small number of vulnerable ports sequentially through an IP address range are another type of scan seen by the UCSD Network Telescope.
Even scans utilizing TCP resets are observed, highlighting the variety of malicious scan techniques used.
Data Access and Research
Network telescope data is now more accessible than ever, thanks to the efforts of researchers who have made it easier to analyze while maintaining necessary privacy and security safeguards.
There are currently 22 Telescope datasets listed in the CAIDA catalog, including the UCSD Network Telescope Aggregated Flow Dataset from Nov 2003.
Researchers can access these datasets through a VM-based analysis platform, where they can bring their code to the data but cannot download unanonymized data to ensure security and privacy.
Recommended read: Social Data Analysis
Historical datasets are available for download, either publicly or upon request, while ongoing datasets containing sensitive information can only be accessed through the VM-based platform.
CAIDA provides free access to U.S.-based and vetted foreign academic researchers, as well as telescope data licensing to vetted, paying industry partners under restricted data-use policies.
To support researchers, CAIDA has compiled comprehensive documentation, including a user guide and tutorials, offering step-by-step guidance on accessing, processing, and analyzing telescope data.
Researchers have already published 304 papers using UCSD Network Telescope Datasets, demonstrating the value of this data for advancing our understanding of network security and behavior.
Here are some examples of the datasets available for download:
- UCSD Network Telescope Aggregated Flow Dataset (Nov 2003)
- Aggregated Daily RSDoS Attack Metadata (Jan 2008)
- UCSD Real-time Network Telescope (Apr 2020)
- Telescope nDAG Live
- UCSD Telescope data at NERSC (Nov 2003)
- Annotated Anonymized Telescope Packets Sampler (Aug 2022)
- UCSD-NT FlowTuple Sampler (May 2022)
- Anonymized Network Sensing Graph Challenge Dataset (Apr 2022)
- Aggregated Daily RSDoS Attack Metadata (Corsaro 2) (Aug 2021)
- CAIDA-GreyNoise Cross Correlation Dataset (Oct 2020)
- UCSD-NT Telescope One-Hour Traffic Sample (May 2018)
- CAIDA Randomly and Uniformly Spoofed Denial-of-Service Attack Metadata (Feb 2017)
- Telescope Darknet Scanners (Jun 2016)
- Corsaro Patch Tuesday (Jun 2012)
- Telescope Educational (Apr 2012)
- Telescope Sipscan dataset (Feb 2011)
- Three days of Conficker (Jan 2009)
- Two-Days-in-2008 Telescope Dataset (Nov 2008)
- UCSD Network Telescope Traffic Samples (Nov 2008)
- Witty Worm dataset (Mar 2004)
- Backscatter datasets for TOCS paper (Feb 2004)
- Code Red worm dataset (Aug 2001)
Implementation and Configuration
A network telescope is a powerful tool for monitoring and analyzing network traffic.
To implement a network telescope, you'll need to set up a network with a large number of IP addresses that are not assigned to any devices.
This can be done by using a /8 or /16 IP address block, which provides a huge number of IP addresses to scan.
See what others are reading: Private Ip Networks
You'll also need to configure your network telescope to log and analyze the traffic it captures. This can be done using specialized software, such as a packet sniffer or a network intrusion detection system.
These tools can help you identify malicious activity, detect security threats, and gain insights into network behavior.
Namespaces
A network telescope can be configured to monitor a specific range of IP addresses, with the number of addresses monitored affecting its resolution. This means that the more IP addresses a telescope monitors, the higher the probability of observing a small event.
The basic idea is to observe traffic targeting unused address-space, which is considered suspicious and can indicate network attacks or misconfigurations.
A large Internet telescope that monitors 16,777,216 addresses, also known as a /8 Internet telescope in IPv4, has a higher resolution than a smaller telescope that monitors 65,536 addresses, a /16 Internet telescope.
The naming of network telescopes comes from an analogy to optical telescopes, where a larger physical size allows more photons to be observed. This concept is applied to network telescopes to describe their ability to monitor a larger range of IP addresses.
If this caught your attention, see: Internet Shopping Network
Large Instances

Large instances can be a challenge to set up and configure, but understanding what's involved can make the process smoother.
Network telescopes can capture massive amounts of data, such as the 4.1 terabyte captured by the APNIC instance in 2010.
To give you an idea of the scale, here are some key statistics for large network telescope instances:
The size of the captured data can be substantial, with the ARIN instance capturing 1.2 terabytes of data in just one week in 2010.
Project Overview
Network telescopes provide powerful tools for acquiring visibility into various forms of probing such as scan by attackers and worms. They work by monitoring traffic sent to communication dead-ends like unallocated portions of the IP address space.
These dead-ends are essentially unused addresses, so any traffic sent to them is strong evidence of malicious activity. This can include DDoS backscatter, port scanning, and probe activity from active worms.
Network telescopes can potentially provide early warning of a scanning-worm outbreak and yield excellent forensic information, enabling detailed understanding of a worm's spread.
Featured Images: pexels.com


