Results 1 - 2 of 2
Techniques for flow inversion on sampled data
Abstract—The distribution of flow sizes is a quantity of interest fundamental to traffic engineering and network modelling and only likely to become more important in the future. The recovery of the flow-length distribution from (sampled) packet data is referred to as flow-inversion. Traditional packet sampling methods cause distortions in a recovered distribution of flow-length. We propose an improved method for inverting data sampled using the technique known as sample-and-hold. We show that the technique improves upon existing inversion techniques illustrated using both real and artificial data sets. The technique described may have applications to other inversion problems.
Observing Internet Worm and Virus Attacks with a Small Network Telescope (PASM 2005, Preliminary Version)
A network telescope is a portion of IP address space dedicated to observing inbound internet traffic. The purpose of a network telescope is to detect and log malicious traffic which originates from internet worms and viruses. In this paper, we investigate the statistical properties of observed traffic from a passive Class C telescope over a total of three months. We observe that only a few IP sources and destination ports are responsible for the majority of the traffic. We also demonstrate various ways to visualise the traffic profile from a telescope. We show that specific profiles can identify and distinguish portscans, hostscans and distributed denial-of-service (DDoS) attacks. Looking at the inter-arrival time of packets, the power spectrum and the detrended fluctuation analysis of the observed traffic, we show that there is very little sign of long-range dependence. This is in stark contrast to other network traffic and presents exciting possibilities for identifying malicious traffic purely from its traffic profile. Key words: Internet worm attack, malware monitoring, network telescope

