BSidesLuxembourg 2026

Finding meaning in /dev/null
2026-05-07, Main Stage

A network telescope, also called a black-hole or network sinkhole, is a passive monitoring system that observes traffic sent to large blocks of unused IP address space. Because these IP ranges are never assigned to active hosts and do not generate legitimate responses, any traffic received is by definition unsolicited. This makes network telescopes powerful tools for studying global Internet behavior. They capture background noise, scanning activity, botnet noise, malicious probes, and even misconfigurations that would otherwise remain invisible. At CIRCL we have been operating a /18 network telescope for a long time, and in this presentation we will explain the potential of such a dead network and our use case.


In this talk, we will first present the conceptual and operational fundamentals of what a network telescope is, explaining its technical characteristics and its role in capturing unsolicited traffic at Internet scale. I will then describe the ingestion, normalization, and structuring pipeline used to transform the raw PCAP data into a durable and queryable data lake, relying on Suricata and ClickHouse for large-scale processing. Finally, I will showcase the types of analyses and meaningful insights that can be extracted from this dataset, including the identification of emerging behaviors, the characterization of malicious activities, and the observation of broader, systemic trends in global Internet traffic.

In our presentation we will detail the valuable analyses that can come out of the void:

Detection of scanner bots:
By combining PTR records and observed activity, it is possible to build profiles of commercial scanners and also to detect some less known ones. We were able to discover more than 25 different scanner brands, from well-known ones like Onyphe or Shodan to less known ones like Stretchoid or some public Russian ones such as F6 or Skipa. This permits the identification of around 6000 IPs monthly, which are available as MISP warning lists.
Observation of the Mirai botnet:
For decades now this malware has been trying to replicate; the TCP window size of the initial SYN packet is enough to qualify this malware family. The dataset collected shows an average of 45K Mirai bots. The distribution of Mirai per country is quite interesting.

Detection of CVE Trends:
By discriminating sources of activity by destination port, protocol and known scanner type, it is often possible to distinguish early scanning campaigns and anticipate upcoming threats. This capability is particularly valuable for a CERT, as it supports early warning and timely notification of its constituency.

This is an example of scan activity around TCP port 8530, corresponding to the remote code execution (RCE) CVE-2025-59287, an unsafe deserialization bug in Microsoft Windows Server Update Services (WSUS). The CVE was released on 14/10/25.
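To make the per-port trend check concrete, here is an added example (not code from the talk or from CIRCL) that flags a destination port when its daily count of distinct probing sources jumps well above the median of the preceding days. The daily counts are constructed sample data built around port 8530; the window, ratio and floor parameters are assumptions, not the values used in the real pipeline.

```python
from collections import defaultdict
from statistics import median

# Constructed sample: (day, dst_port, distinct source IPs seen on the telescope).
# The values are illustrative and are not real telescope measurements.
DAILY_UNIQUE_SOURCES = [
    ("2025-10-08", 8530, 3), ("2025-10-09", 8530, 2), ("2025-10-10", 8530, 4),
    ("2025-10-11", 8530, 3), ("2025-10-12", 8530, 2), ("2025-10-13", 8530, 3),
    ("2025-10-14", 8530, 5), ("2025-10-15", 8530, 41), ("2025-10-16", 8530, 97),
    ("2025-10-08", 22, 1200), ("2025-10-09", 22, 1180), ("2025-10-10", 22, 1230),
    ("2025-10-11", 22, 1210), ("2025-10-12", 22, 1195), ("2025-10-13", 22, 1220),
    ("2025-10-14", 22, 1205), ("2025-10-15", 22, 1215), ("2025-10-16", 22, 1190),
]


def port_spikes(rows, window=7, ratio=5.0, min_sources=20):
    """Return [(day, port, observed, baseline)] for every day on which the number
    of distinct sources hitting a port is at least `ratio` times the median of
    the previous `window` days. `min_sources` is an absolute floor so that a
    port that goes from 1 to 5 sources is not reported as a campaign.
    Days must be ISO strings so that lexical order is chronological order."""
    series = defaultdict(dict)           # port -> {day: distinct sources}
    for day, port, n in rows:
        series[port][day] = n

    spikes = []
    for port, per_day in series.items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            past = [per_day[d] for d in days[max(0, i - window):i]]
            if len(past) < 3:            # not enough history for a baseline yet
                continue
            baseline = median(past)
            observed = per_day[day]
            if observed >= min_sources and observed >= ratio * max(baseline, 1):
                spikes.append((day, port, observed, baseline))
    return spikes


if __name__ == "__main__":
    for day, port, observed, baseline in port_spikes(DAILY_UNIQUE_SOURCES):
        print(f"{day} tcp/{port}: {observed} sources (baseline {baseline})")
```

A port that is permanently noisy, like 22 in the sample, never trips the ratio test because its own history is its baseline.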

Deep analysis of SNMP queries:
Analysis of SNMP traffic at this scale allows us to monitor CVE-based injections and the associated campaigns.

It also permits finding interesting relations between devices and the SNMP community used. Some examples of our previous SNMP protocol analysis can be found here:
https://d4-project.org/2025/11/27/Learning-from-Large-Scale-IPv4-blackhole-behavioral-analysis-of-SNMP-traffic.html

Many other trends can also be extracted. During this presentation, we will additionally cover:

IoT botnet injections: The lowest possible level of interaction still allows us to identify old RCE injections like CVE-2019-12297, CVE-2021-35394 and CVE-2023-28771.
Detection of DDoS attacks: Since combined DDoS attacks often use spoofed random IPs, it is possible to see some of the backscatter traffic (TCP SYN/ACK, ICMP unreachable) and therefore determine victimology.
Antivirus usage trends: By observing unsolicited traffic generated by security products, it is possible to identify antivirus deployment patterns, update behaviors, and their evolution over time, providing indirect visibility into defensive technologies used across the Internet.
Port 0 scanning: Although port 0 is reserved and unused by legitimate services, it is sometimes leveraged by scanners for operating system fingerprinting. Monitoring this activity helps identify OS detection techniques and early-stage reconnaissance behaviors.
Many funny syslog misconfigurations: Since our range is not too far from an RFC1918 one, it often receives syslog traffic from misconfigured devices sending logs to invalid destinations. These cases highlight operational mistakes, legacy configurations, and occasionally the unintended exposure of internal or sensitive information.
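The backscatter victimology idea from the DDoS item above, as an added example that is not part of the talk or of CIRCL's pipeline: because every packet reaching the telescope is unsolicited, a SYN/ACK or RST arriving there is a reply to a SYN that spoofed one of our addresses, and the sender of that reply is the victim; an ICMP destination-unreachable quotes the original packet, so its inner destination is the victim. The telescope prefix (a documentation range) and the packet summaries are constructed, and the `min_targets` threshold is an assumed heuristic.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical telescope prefix (RFC 5737 documentation range, not the real /18).
TELESCOPE = ip_network("203.0.113.0/24")

# Constructed packet summaries, as a normalization pipeline might emit them.
# TCP records carry the flag letters; ICMP records carry the type and the
# destination quoted in the embedded original packet.
PACKETS = [
    {"src": "198.51.100.7", "dst": "203.0.113.10", "proto": "tcp", "flags": "SA"},
    {"src": "198.51.100.7", "dst": "203.0.113.99", "proto": "tcp", "flags": "SA"},
    {"src": "198.51.100.7", "dst": "203.0.113.143", "proto": "tcp", "flags": "RA"},
    {"src": "192.0.2.1", "dst": "203.0.113.55", "proto": "icmp", "icmp_type": 3,
     "inner_dst": "198.51.100.7"},
    # A plain SYN scan hitting the telescope is not backscatter.
    {"src": "192.0.2.200", "dst": "203.0.113.20", "proto": "tcp", "flags": "S"},
    # One lone SYN/ACK: could be a misrouted reply, stays below the threshold.
    {"src": "192.0.2.201", "dst": "203.0.113.21", "proto": "tcp", "flags": "SA"},
]


def backscatter_victims(packets, telescope=TELESCOPE, min_targets=2):
    """Map suspected DDoS victims to the number of distinct telescope addresses
    that received backscatter attributed to them.

    Randomly spoofed attack sources spread the replies across many telescope
    addresses, so a victim is only reported once backscatter for it has been
    seen on at least `min_targets` distinct addresses (assumed heuristic)."""
    hits = defaultdict(set)              # victim -> set of telescope addresses hit
    for p in packets:
        dst = ip_address(p["dst"])
        if dst not in telescope:
            continue
        if p["proto"] == "tcp":
            flags = set(p.get("flags", ""))
            if {"S", "A"} <= flags or "R" in flags:   # SYN/ACK or RST reply
                hits[p["src"]].add(dst)
        elif p["proto"] == "icmp" and p.get("icmp_type") == 3 and "inner_dst" in p:
            hits[p["inner_dst"]].add(dst)             # quoted packet names the victim
    return {v: len(t) for v, t in hits.items() if len(t) >= min_targets}


if __name__ == "__main__":
    for victim, n in backscatter_victims(PACKETS).items():
        print(f"suspected victim {victim}: backscatter on {n} telescope addresses")
```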


Paul Jung (paul.jung@circl.lu) is a long-time security professional with over two decades of experience in the cybersecurity field in Luxembourg. He has built extensive consulting expertise across multiple industries, covering activities from offensive security assessments to incident response and digital forensics. Prior to joining the Computer Incident Response Center Luxembourg (CIRCL), he served as Senior Security Architect in the Managed Network Security department of the European Commission, where he led the technical direction of major security projects. He later joined Excellium Services (acquired by Thales Group in 2022), where he founded and led TCS-CERT, a multi-country CSIRT dedicated to intrusion response. Paul regularly speaks at international conferences such as FIRST, Virus Bulletin, Botconf, and Hack.lu, and has published articles on DDoS, botnets, and incident response. He is a native French speaker and fluent in English.