Paul Jung

Paul is a long-time security professional with over two decades of experience in the cybersecurity field in Luxembourg. He has built extensive consulting expertise across multiple industries, covering activities from offensive security assessments to incident response and digital forensics. Prior to joining the Computer Incident Response Center Luxembourg (CIRCL), he served as Senior Security Architect in the Managed Network Security department of the European Commission, where he led the technical direction of major security projects. He later joined Excellium Services (acquired by Thales Group in 2022), where he founded and led TCS-CERT, a multi-country CSIRT dedicated to intrusion response. Paul regularly speaks at international conferences such as FIRST, Virus Bulletin, Botconf, and Hack.lu, and has published articles on DDoS, botnets, and incident response. He is a native French speaker and fluent in English.


Session

04-17
09:30
30min
Finding Meaning in /dev/null
Paul Jung

The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven initiative dedicated to collecting, analyzing, and responding to computer security threats and incidents. As part of its mission, CIRCL operates an IPv4 /18 network telescope (black-hole address space) observing unsolicited Internet traffic.

This presentation introduces the foundations of network telescopes and their value for observing Internet background noise, scanning activity, botnet behavior, malicious probing, and misconfigurations. Since no legitimate services are hosted, all captured traffic provides an unbiased view of Internet-wide malicious activity.

The talk then presents the data processing pipeline deployed at CIRCL, from ingestion and normalization to long-term storage in a queryable data lake, enabling large-scale and longitudinal analysis.

Several concrete use cases are discussed, including scanner and bot detection through activity correlation and PTR analysis, identification of SNMP scanning campaigns, detection of emerging CVE trends by port and scanner type, Mirai botnet fingerprinting using TCP SYN window sizes, and DDoS victim identification via backscatter traffic.
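As an added illustration of the backscatter use case above (example code, not CIRCL's own pipeline), the following Python classifies constructed telescope records: since nothing in unused space ever initiates a connection, any SYN-ACK, RST or ICMP error arriving there is a reply to a packet whose spoofed source fell in the dark range, and a single source answering into many dark addresses is a likely DDoS victim. The dark range (192.0.2.0/24), the sample addresses and the threshold are assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str          # sender as seen on the wire
    dst: str          # address inside the dark range that received it
    proto: str        # "tcp" or "icmp"
    flags: str = ""   # TCP flags as letters: "S", "SA", "R", "RA"
    icmp_type: int = -1


def is_backscatter(pkt: Packet) -> bool:
    """A dark network never sends SYNs, so replies arriving here can only
    answer packets that carried a spoofed source from our address space."""
    if pkt.proto == "tcp":
        return pkt.flags in ("SA", "R", "RA")
    if pkt.proto == "icmp":
        return pkt.icmp_type in (3, 11)   # destination unreachable, time exceeded
    return False


def ddos_victims(packets, min_dark_targets: int = 3) -> dict:
    """Group backscatter by its source (the victim). Randomly spoofed attack
    traffic makes the victim reply to many dark addresses; a stray RST from a
    misconfigured host hits only one, so it stays below the threshold."""
    targets = defaultdict(set)
    counts = Counter()
    for p in packets:
        if is_backscatter(p):
            targets[p.src].add(p.dst)
            counts[p.src] += 1
    return {src: counts[src] for src, dsts in targets.items()
            if len(dsts) >= min_dark_targets}


# Constructed sample: one plain scanner, one victim, one stray reset.
SAMPLE = [
    Packet("198.51.100.7", "192.0.2.1", "tcp", "S"),        # scanner SYN, not backscatter
    Packet("198.51.100.7", "192.0.2.2", "tcp", "S"),
    Packet("203.0.113.10", "192.0.2.5", "tcp", "SA"),       # victim replying to spoofed SYNs
    Packet("203.0.113.10", "192.0.2.9", "tcp", "SA"),
    Packet("203.0.113.10", "192.0.2.77", "tcp", "SA"),
    Packet("203.0.113.10", "192.0.2.77", "tcp", "SA"),
    Packet("203.0.113.10", "192.0.2.130", "icmp", icmp_type=3),
    Packet("203.0.113.11", "192.0.2.40", "tcp", "R"),       # single RST, below threshold
]

if __name__ == "__main__":
    for victim, n in ddos_victims(SAMPLE).items():
        print(f"probable DDoS victim {victim}: {n} backscatter packets")
```

On a real feed the same grouping would run per time window, since a victim under attack produces backscatter continuously rather than as a handful of packets.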

Operationally, these observations are used to generate warning lists and early alerts for CIRCL constituents. Relevant events and indicators are shared through MISP or warning lists, enabling collaborative detection and response.

Overall, the talk shows how actionable security intelligence can be extracted from unused address space, turning “the void” into a powerful Internet-scale security observatory.

Main conference
Amphitheater