The CAIDA Backscatter Dataset
This dataset contains information useful for studying denial-of-service attacks. The dataset consists of collections of responses to spoofed traffic sent by denial-of-service attack victims and received by the UCSD Network Telescope. Data was collected between 2001 and 2008.
In these traffic traces destinations on the UCSD Network Telescope are anonymized by zeroing the first octet of the IP address. The source addresses (representing denial-of-service attack victims) were not modified.
When a denial-of-service-attack victim receives attack traffic with spoofed source IP addresses, the attack victim cannot differentiate between this spoofed traffic and legitimate requests, so the victim replies to the spoofed source IP addresses. These spoofed IP addresses were not the actual sources of the attack traffic, so they receive responses to traffic they never sent. By measuring this response traffic to a large portion of IP addresses (roughly a /8 network), it is possible to estimate a lower bound for the overall volume of spoofed source denial-of-service attacks occurring on the Internet.
The collections were made on:
- 2001: February 2 to August 15
- 2002: May 9 to June 15, December 11 to 19
- 2003: November 6 to November 11
- 2004: February 25 to March 6, May 26 to June 3, August 26 to September 3, November 24 to December 2
- 2005: February 23 to March 3, May 25 to June 2, August 24 to September 1, November 23 to December 1
- 2006: February 22 to March 2, May 24 to June 1, August 23 to 31, November 22 to 30
- 2007: January 8 to 11, February 21 to March 1, May 23 to 31, August 23 to 30, November 20 to 29
- 2008: February 20 to 28, March 18 to 19, May 21 to 29, August 20 to 28, November 12 to 19
This data for 2001 through 2003, and February/March 2004, were used in the paper:
Inferring Internet Denial-of-Service Activity,
D. Moore, C. Shannon, D. Brown, G. Voelker, and S. Savage,
ACM Transactions on Computer Systems, May 2006 http://www.caida.org/publications/papers/2006/backscatter_dos/
Caveats that apply to this dataset:
- This dataset does not contain any traffic between the attacker and the attack victim. It contains only responses from the attack victim that went back to other IP addresses.
- Not everything in this dataset is a denial-of-service attack. The trace is limited to unidirectional, unsolicited response traffic, but some (rarely used) forms of scanning and a variety of misconfigured or broken equipment can cause response traffic to be misrouted to other IP address space.
- This dataset and the types of denial-of-service attack traffic contained therein are representative only of some spoofed source denial-of-service attacks. Many denial-of-service attackers do not spoof source IP addresses when they attack their victim. Under highly disruptive attacks, victims may be limited or prevented from responding at all to requests. Also, Attackers can spoof in a non-random fashion, causing responses from spoofed source address attack traffic to go to some, but not all IP address space. If our /8 Network Telescope block was not a part of the spoofed address space, these traces will not see responses from the victims.
Referencing the Dataset
When referencing this data (as required by the AUA), please use:The UCSD CAIDA Backscatter Dataset - <dates used>,Also, please, report your publication to CAIDA.
Since April 2016 access to these data is provided through the website of the Information Marketplace for Policy and Analysis of Cyber-risk and Trust (IMPACT).
- Access to these data can be requested through IMPACT
For more information on Backscatter and Denial-of-Service attacks, see:
For more information on the UCSD Network Telescope, see:
For more information on the CoralReef Software Suite, see:
For more information on the Corsaro Software Suite, see:
For a non-exhaustive list of Non-CAIDA publications using Network Telescope data, see:
UCSD Network Telescope Datasets