DatCat℠Internet Measurement Data Catalog

Log in | Create an Account

Note: for a better experience, enable javascript and stylesheets in your browser.

Search for in
Enter one or more word stems or quoted phrases. Wildcards “*” and “?” are allowed.
Contact us


Collection: CAIDA Code-Red Worm Dataset

non-sensitive summaries on worm spread

Jump to: Description | Download Data | Annotations | Record Details

Collection Details

SummaryInformation useful for studying the spread of the Code-Red worms, as observed by the UCSD Network Telescope in 2001, including infection start and end times, infection durations, latitude, longitude, Autonomous System (AS) and country locations for infected computers. The dataset consists of 2 parts: a July dataset, which covers July 19-20 and an August dataset, which covers July 30 to August 19. Possible uses include modeling and visualization of worm propagation. Statistics: 359,104 infected IP addresses in the July dataset and 4,478,473 infected IP addresses in the August dataset.
MotivationTo provide a set of data useful for studying the Code-Red worms. The data does not contain sensitive information and therefore can be made publicly available.
Start Time2001-07-19 00:01:12.242 UTC (+0000)
End Time2001-08-19 06:00:01.354 UTC (+0000)
Duration31 days 05:58:49.112 (2699929.112 s)
Data formatstabular text
Logistic locationThe UCSD Network Telescope
CreatorsCAIDA Network Telescope Project - Code-Red
Keywordsactive, AS, AS links, background radiation, BGP, blackhole address space, CAIDA, Code-Red, Code-Redv2, CodeRed, CodeRedII, CodeRedv2, darknet, Internet worm, IPv4, network telescope, passive, RouteViews, security, skitter, summary, topology, traceroute, worm
Creation process
(Sample creation process from codered-july.table.txt):
The UCSD Network Telescope consists of a large region of globally announced IPv4 address space. This region contains almost no legitimate hosts, so inbound traffic to nonexistent hosts is always anomalous in some way. Because the network telescope contains approximately 1/256th of all IPv4 addresses, we receive roughly one out of every 256 packets sent by an Internet worm with an unbiased random number generator. Because the Network Telescope is uniquely situated to receive traffic from every worm-infected host, it provides a global view of the spread of Internet worms.

The data source for this dataset includes packet headers collected from the UCSD Network Telescope, timestamp/IP address pairs for TCP SYN packets received by two /16 networks at Lawrence Berkeley Laboratory (LBL), and sampled netflow from a router upstream of the /8 network at UCSD. These three data sources are used to maximize coverage of the expansion of the worm. Between midnight and 16:30 UTC, a passive network monitor recorded headers of all packets destined for the /8 research network. After 16:30 UTC, a filter installed on a campus router to reduce congestion caused by the worm blocked all external traffic to this network. Because this filter was put into place upstream of the monitor, we were unable to capture IP packet headers after 16:30 UTC. However, a second UCSD data set consisting of sampled netflow output from the filtering router was available at the UCSD site throughout the 24 hour period. Vern Paxson provided probe information collected by Bro on the LBL networks between 10:00 UTC on July 19, 2001 and 7:00 on July 20, 2001. We have merged these three sources into to produce the Code-Red July dataset.

Perl scripts were used to do aggregation of this information from Network Telescope traces.

Member of(none)
14 data files (793 MiB)

Download Data


Record Details

ContributorCAIDA Automated Data Contributor
Contributed2006-05-31 20:35:36.915 UTC (+0000)
Last Modified2006-05-31 20:36:24.272 UTC (+0000)