Characterizing Internet Background Traffic from a Spain-Based Network Telescope

IF 5.4 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security Pub Date : 2025-10-09 DOI:10.1016/j.cose.2025.104693

Rodolfo García-Peñas, Rafael A. Rodríguez-Gómez , Gabriel Maciá-Fernández

{"title":"Characterizing Internet Background Traffic from a Spain-Based Network Telescope","authors":"Rodolfo García-Peñas, Rafael A. Rodríguez-Gómez , Gabriel Maciá-Fernández","doi":"10.1016/j.cose.2025.104693","DOIUrl":null,"url":null,"abstract":"<div><div>Internet background traffic (or Internet Background Radiation, IBR) consists of unsolicited packets. It is traffic usually generated in the preliminary phases of attacks by computers making enumerations of targets and available services, sent as responses to denial of service attacks, or sent by mistake due to incorrect configurations and commands. Capturing and analysing this traffic enables the observation of Internet activity and serves as an important tool for identifying new types of attacks and attackers. This traffic is captured by “network telescopes”, nodes that advertise blocks of unused IP addresses and store the traffic sent to them.</div><div>This article studies the traffic received by a network telescope located in Spain during 2023, with more than 4.7 billion packets and 362.39 GB of information. A statistical breakdown of the packets by protocol shows that TCP accounts for 95.96%, UDP for 3.74%, and ICMP for 0.51%. In addition, the behaviour of the traffic generators targeting the telescope’s addresses is examined, and the main attacks – such as NTP and DNS reflection – are analysed. The characteristics of the traffic are compared with those of previous studies, highlighting changes in behaviour and the most common attacks.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"159 ","pages":"Article 104693"},"PeriodicalIF":5.4000,"publicationDate":"2025-10-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Security","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0167404825003827","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

Internet background traffic (or Internet Background Radiation, IBR) consists of unsolicited packets. It is traffic usually generated in the preliminary phases of attacks by computers making enumerations of targets and available services, sent as responses to denial of service attacks, or sent by mistake due to incorrect configurations and commands. Capturing and analysing this traffic enables the observation of Internet activity and serves as an important tool for identifying new types of attacks and attackers. This traffic is captured by “network telescopes”, nodes that advertise blocks of unused IP addresses and store the traffic sent to them.

This article studies the traffic received by a network telescope located in Spain during 2023, with more than 4.7 billion packets and 362.39 GB of information. A statistical breakdown of the packets by protocol shows that TCP accounts for 95.96%, UDP for 3.74%, and ICMP for 0.51%. In addition, the behaviour of the traffic generators targeting the telescope’s addresses is examined, and the main attacks – such as NTP and DNS reflection – are analysed. The characteristics of the traffic are compared with those of previous studies, highlighting changes in behaviour and the most common attacks.

查看原文本刊更多论文

基于西班牙网络望远镜的互联网背景流量特征分析

Internet背景流量（或Internet背景辐射，IBR）由未经请求的数据包组成。它通常是在攻击的初始阶段由列举目标和可用服务的计算机产生的流量，作为拒绝服务攻击的响应发送，或者由于不正确的配置和命令而错误发送。捕获和分析这些流量可以观察互联网活动，并作为识别新类型攻击和攻击者的重要工具。这些流量被“网络望远镜”捕获，这些节点发布未使用的IP地址块并存储发送给它们的流量。本文研究的是位于西班牙的网络望远镜在2023年接收的流量，超过47亿个数据包，362.39 GB的信息。根据协议进行统计，TCP占95.96%，UDP占3.74%，ICMP占0.51%。此外，还检查了针对望远镜地址的流量生成器的行为，并分析了主要攻击-例如NTP和DNS反射。将流量的特征与先前的研究进行比较，突出显示行为的变化和最常见的攻击。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Computers & Security 工程技术-计算机：信息系统

CiteScore

12.40

自引率

7.10%

发文量

365

审稿时长

10.7 months

期刊介绍： Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.