Academic publications, operational findings, and field notes from years of passive observation. Our data doesn't just sit in feeds - it drives research that advances the field.
In-depth analyses written by the Dataplane.org team based directly on observed feed data - covering threats, countermeasures, and Internet measurement findings.
An examination of how operating systems and network stacks select ephemeral source ports for outbound connections - and what the distribution of those choices reveals about host fingerprinting, NAT traversal, and privacy implications for Internet-wide scanning data.
A comprehensive analysis of SSH password authentication threats observed across Dataplane.org sensors. Covers credential distributions, attack patterns, botnet behavior, and practical defensive countermeasures for operators protecting SSH infrastructure.
Analysis of VNC (Virtual Network Computing) scanning and authentication attack patterns observed in Dataplane.org RFB signal data. Examines attack sources, authentication bypass attempts, and defensive strategies for protecting VNC deployments.
Investigation into a pattern of source-spoofed DNS queries where packets appear to originate from IPs topologically adjacent to the intended target - what the traffic looks like and what it indicates about reflector-abuse techniques.
Examination of RPKI relying party client software versions observed fetching validation data. Analysis of which implementations are current vs. falling behind, and implications for BGP route origin validation reliability.
A comprehensive empirical comparison of how industry practitioners and academic researchers assess DDoS attacks - finding substantial discrepancies in methodology, scope, and conclusions. Dataplane.org sensor data contributed ground-truth observations for this cross-sector analysis of how DDoS is measured and understood across different communities.
Papers, RFCs, and standards work authored or co-authored by the Dataplane.org team. Research that directly uses Dataplane.org signal data is marked with a sensor icon.
Complete publication list at dataplane.org/jtk/publications/
Operational findings and signal analyses published in our newsletter - shorter-form research notes grounded in current feed data.
2025 review covering newly added NTP signal feeds, an analysis of evolving SSH credential patterns, and observations of unsolicited DNS traffic reaching sensors from unexpected source ranges.
Investigation into a pattern of source-spoofed DNS queries observed across sensors - where packets appeared to originate from IP addresses topologically adjacent to the intended target, suggesting a novel probing or reflector abuse technique.
A dual-topic note: new findings from ongoing RPKI relying-party measurement, plus an unexpected anomaly in SSH authentication traffic that defied easy explanation - and what further investigation revealed.
An analysis of observed activity following the Apache Struts exploit (NETINT) and a year-end retrospective of SSH credential data: password lengths ranged from 1 to 358 characters, with a median of 8. Top attempts included "guest," "changeme," and "raspberry."
Announcing two new signal feeds: dnstypename (daily DNS IN-class query types from globally diverse sensors) and sshpwauthpairs (daily SSH credential pairs observed in the wild), plus early findings from each.
A retrospective of 2022 activity across Dataplane.org feeds, covering sensor network growth, notable traffic patterns observed across DNS, SSH, and NTP, and organizational updates including the BCP 235 RFC publication.
Dataplane.org signal feeds are freely available for academic research, operational analysis, and threat intelligence. If you've used our data in published work, we'd love to know - it helps justify continued operation and guides what we build next.
When citing Dataplane.org data in academic work, please reference the organization and the specific feed(s) used, including the date range of the data.
Dataplane.org NFP. "[Feed name] signal feed."
https://dataplane.org/[feedname].txt
Accessed [date range].
# Example:
Dataplane.org NFP. "SSH password authentication (sshpwauth) signal feed."
https://dataplane.org/sshpwauth.txt
Accessed Jan–Dec 2024.
All of this work - the sensor network, the free feeds, the analysis - runs on donations and custom feed revenue. Every contribution keeps it free and independent.