When a denial-of-service-attack victim receives attack traffic with spoofed source IP addresses, the attack victim cannot differentiate between this spoofed traffic and legitimate requests, so the victim replies to the spoofed source IP addresses. These spoofed IP addresses were not the actual sources of the attack traffic, so they receive responses to traffic they never sent. By measuring this response traffic to a large portion of IP addresses (roughly a /8 network), it is possible to estimate a lower bound for the overall volume of spoofed source denial-of-service attacks occurring on the Internet.
The dataset consists of collections of responses to spoofed traffic sent by denial-of-service attack victims and received by the UCSD Network Telescope. Data was collected between 2001 and 2008. Destinations on the UCSD Network Telescope are anonymized by zeroing the first octet of the IP address. The source addresses (representing denial-of-service attack victims) were not modified.
The collections were made on:
- 2001: February 2 to August 15
- 2002: May 9 to June 15, December 11 to 19
- 2003: November 6 to November 11
- 2004: February 25 to March 6, May 26 to June 3, August 26 to September 3, November 24 to December 2
- 2005: February 23 to March 3, May 25 to June 2, August 24 to September 1, November 23 to December 1
- 2006: February 22 to March 2, May 24 to June 1, August 23 to 31, November 22 to 30
- 2007: January 8 to 11, February 21 to March 1, May 23 to 31, August 23 to 30, November 20 to 29
- 2008: February 20 to 28, March 18 to 19, May 21 to 29, August 20 to 28, November 12 to 19
This data for 2001 through 2003, and February/March 2004, were used in the paper:
Inferring Internet Denial-of-Service Activity,
D. Moore, C. Shannon, D. Brown, G. Voelker, and S. Savage,
ACM Transactions on Computer Systems, May 2006 http://www.caida.org/publications/papers/2006/backscatter_dos/
Caveats that apply to this dataset:
- This dataset does not contain any traffic between the attacker and the attack victim. It contains only responses from the attack victim that went back to other IP addresses.
- Not everything in this dataset is a denial-of-service attack. The trace is limited to unidirectional, unsolicited response traffic, but some (rarely used) forms of scanning and a variety of misconfigured or broken equipment can cause response traffic to be misrouted to other IP address space.
- This dataset and the types of denial-of-service attack traffic contained therein are representative only of some spoofed source denial-of-service attacks. Many denial-of-service attackers do not spoof source IP addresses when they attack their victim. Under highly disruptive attacks, victims may be limited or prevented from responding at all to requests. Also, Attackers can spoof in a non-random fashion, causing responses from spoofed source address attack traffic to go to some, but not all IP address space. If our /8 Network Telescope block was not a part of the spoofed address space, these traces will not see responses from the victims.
After locating this dataset in the IMPACT data catalog,
- if you don't have an IMPACT account yet, apply for one
- if you have an account, follow the IMPACT instructions for requesting the dataset
As specified in TOU, if you use this dataset in any publication (including but not limited to: papers, web pages, presentations, and papers published by a third party), you must include the following reference:'CAIDA UCSD Network Telescope Traffic Samples', [dates used], www.impactcybertrust.org, DOI 10.23721/107/1421850Also, please report your publication using this dataset to CAIDA.
UCSD Network Telescope Datasets
- Historical and Near-Real-Time Network Telescope Dataset
- Aggregated Traffic Data in FlowTuple format
- Daily RSDoS Attack Metadata
- Two Years of Daily RSDoS Attack Metadata (downloadable paper supplement)
- Three Days Of Conficker Dataset
- CAIDA UCSD Network Telescope Traffic Samples
- Witty Worm Dataset
- Code-Red Worms Dataset
- Patch Tuesday Dataset
- Two Days in November 2008 Dataset
- Telescope Educational Dataset
- Telescope Dataset on the Sipscan
- Telescope Darknet Scanners Dataset
For more information on Backscatter and Denial-of-Service attacks, see:
For more information on the UCSD Network Telescope, see:
For more information on the CoralReef Software Suite, see:
For more information on the Corsaro Software Suite, see:
For a non-exhaustive list of Non-CAIDA publications using Network Telescope data, see: