Search for: All records

Since the exhaustion of unallocated IP addresses at the Internet Assigned Numbers Authority (IANA), a market for IPv4 addresses has emerged. In complement to purchasing address space, leasing IP addresses is becoming increasingly popular. Leasing provides a cost-effective alternative for organizations that seek to scale up without a high upfront investment. However, malicious actors also benefit from leasing as it enables them to rapidly cycle through different addresses, circumventing security measures such as IP blocklisting. We explore the emerging IP leasing market and its implications for Internet security. We examine leasing market data, leveraging blocklists as an indirect measure of involvement in various forms of network abuse. In February 2025, leased prefixes were 2.89× more likely to be flagged by blocklists compared to non-leased prefixes. This result raises questions about whether the IP leasing market should be subject to closer scrutiny. 

This dataset contains anonymized layer 1-4 packet headers of two-way passive traces captured on a 100 GB link between Los Angeles and Dallas. These data are useful for research on the characteristics of Internet traffic, including application breakdown, security events, geographic and topological distribution, flow volume and duration. 

This dataset contains anonymized layer 1-4 packet headers of two-way passive traces captured on a 100 GB link between Los Angeles and San Jose. These data are useful for research on the characteristics of Internet traffic, including application breakdown, security events, geographic and topological distribution, flow volume and duration. Passive 100G sampler is offered to researchers at commercial organizations when they request Anonymized Internet Traces. These data are part of the 2024 Anonymized Traces 100G dataset. The files consist of 5 second snapshots of a bidirectional capture taken in November 2024. 

This publicly available dataset contains metadata for all 100g passive monthly traces. 

Network Telescopes, often referred to as darknets, capture unsolicited traffic directed toward advertised but unused IP spaces, enabling researchers and operators to monitor malicious, Internet-wide network phenomena such as vulnerability scanning, botnet propagation, and DoS backscatter. Detecting these events, however,has become increasingly challenging due to the growing traffic volumes that telescopes receive. To address this, we introduce DarkSim,a novel analytic framework that utilizes Dynamic Time Warping to measure similarities within the high-dimensional time series of network traffic. DarkSim combines traditional raw packet processing with statistical approaches, identifying traffic anomalies and enabling rapid time-to-insight. We evaluate our framework against DarkGLASSO, an existing method based on the GraphicalLASSO algorithm, using data from the UCSD Network Telescope.Based on our manually classified detections, DarkSim showcased perfect precision and an overlap of up to 91% of DarkGLASSO’s detections in contrast to DarkGLASSO’s maximum of 73.3% precision and detection overlap of 37.5% with the former. We further demonstrate DarkSim’s capability to detect two real-world events in our case studies: (1) an increase in scanning activities surrounding CVE public disclosures, and (2) shifts in country and network-level scanning patterns that indicate aggressive scanning. DarkSim provides a detailed and interpretable analysis framework for time-series anomalies, representing a new contribution to network security analytics.