UCSD Network Telescope -- The Backscatter-2008 Dataset
The CAIDA Backscatter-2008 Dataset
This dataset contains information useful for studying denial-of-service
attacks. The dataset consists of quarterly week-long collections
of responses to spoofed traffic sent by denial-of-service attack
victims and received by the
UCSD Network Telescope.
Data collection is planned for February, May, August and November.
In addition to these quarterly collections, data will also be collected for
Day in The Life of the Internet (DITL) project.
Data will become available shortly after collection takes place.
When a denial-of-service-attack victim receives attack traffic with spoofed
source IP addresses, the attack victim cannot differentiate between this
spoofed traffic and legitimate requests, so the victim replies to the
spoofed source IP addresses. These spoofed IP addresses were not the
actual sources of the attack traffic, so they receive responses to traffic
they never sent. By measuring this response traffic to a large portion of
IP addresses (roughly a /8 network), it is possible to estimate a lower
bound for the overall volume of spoofed source denial-of-service attacks
occurring on the Internet.
Caveats that apply to this dataset:
-
This dataset does not contain any traffic between the attacker
and the attack victim. It contains only responses from the
attack victim that went back to other IP addresses.
-
Not everything in this dataset is a denial-of-service attack.
The trace is limited to unidirectional, unsolicited response
traffic, but some (rarely used) forms of scanning and a
variety of misconfigured or broken equipment can cause
response traffic to be misrouted to other IP address space.
-
This dataset and the types of denial-of-service attack
traffic contained therein are representative only of some
spoofed source denial-of-service attacks. Many
denial-of-service attackers do not spoof source IP addresses
when they attack their victim. Under highly disruptive
attacks, victims may be limited or prevented from responding
at all to requests. Also, Attackers can spoof in a non-random
fashion, causing responses from spoofed source address attack
traffic to go to some, but not all IP address space. If our
/8 Network Telescope block was not a part of the spoofed
address space, these traces will not see responses from the
victims.
Data Use Restrictions
Acceptable Use Policy for the files of the Backscatter-2008 Dataset
-
Backscatter data will not be distributed beyond authorized users.
-
I will notify CAIDA of the names and email addresses of any persons (and their respective affiliations) assisting me in research using the backscatter data. This includes graduate students and interns.
-
I will not attempt to connect to, probe, or in any other way initiate
contact with a machine or machine administrator identified via the backscatter data.
-
In so far as possible, privacy of end users (hosts) and networks monitored by the network telescope will be respected by the researchers. Any publications will anonymize, aggregate or summarize IP addresses, network names, and domain names, as appropriate when the disclosure of such information may present a security risk to those organizations or the general Internet. In particular, any activity presumed to be legitimate traffic crossing the network telescope should not be used [1] or published. While the datasets have been filtered to remove as much legitimate traffic as possible, it is possible that a few packets remain.
-
At the end of the research, or semi-annually (which ever is less), a summary of the research and any findings/conclusions will be reported to CAIDA. If any research is described on the WWW, a URL will be provided. This information is primarily used in reports to our funding agencies.
-
All users who publish a document (including web pages, and papers) using data
from this dataset must provide CAIDA with a copy of the publication and must cite:
The CAIDA Backscatter-2008 Dataset - <dates used>,
Colleen Shannon, David Moore, and Emile Aben,
http://www.caida.org/data/passive/backscatter_2008_dataset.xml.
-
Users are encouraged, but not required, to include the following
attribution in the acknowledgments section of their document:
Support for the Backscatter-2008 Dataset and the UCSD Network
Telescope are provided by Cisco Systems, Limelight Networks, the
US Department of Homeland Security, the National Science
Foundation, DARPA, Digital Envoy, and CAIDA Members.
-
All users who create a publicly available presentation using data
from this dataset must provide CAIDA with a copy of the presentation
and must use the full name of the dataset ("The CAIDA Backscatter-2008
Dataset") in the presentation. Users are further encouraged, but
not required, to include the URL for the dataset
(http://www.caida.org/data/passive/backscatter_2008_dataset.xml)
in their presentation.
[1] Legitimate traffic is by definition not backscatter.
Backscatter-2008 Access
Request Access to Backscatter Datasets
Other backscatter datasets:
References
For more information on Backscatter and Denial-of-Service attacks, see:
For more information on the UCSD Network Telescope, see:
For more information on the CoralReef Software Suite, see:
For a non-exhaustive list of Non-CAIDA publications using Backscatter data, see:
Acknowledgments
Special thanks to Brian Kantor, Jim Madden, and Pat Wilson at UCSD for
support of the UCSD Network Telescope Project.
Backscatter Dataset Sponsors:
UCSD Network Telescope Sponsors:
|
|
Cooperative Association for Internet Data Analysis (CAIDA)