![[CAIDA - Cooperative Association for Internet Data Analysis logo]](/images/caida_globe_faded.png)
![[CAIDA]](/images/caida_whitewords.png "Go to CAIDA home page"){kind=small}
This dataset contains approximately one hour of anonymized traffic traces from a DDoS attack on August 4, 2007 (20:50:08 UTC to 21:56:16 UTC). This type of denial-of-service attack attempts to block access to the targeted server by consuming computing resources on the server and by consuming all of the bandwidth of the network connecting the server to the Internet.
The one-hour trace is split up in 5-minute pcap files. The total size of the dataset is 5.3 GB (compressed; 21 GB uncompressed). Only attack traffic to the victim and responses to the attack from the victim are included in the traces. Non-attack traffic has as much as possible been removed. Traces in this dataset are anonymized using CryptoPAn prefix-preserving anonymization using a single key. The payload has been removed from all packets.
These traces can be read with any software that reads the pcap (tcpdump) format, including the CoralReef Software Suite, tcpdump, Wireshark, and many others.
Data Use Restrictions
- The anonymized traffic traces will not be distributed beyond authorized users.
- CAIDA will be notified of the names and email addresses of any persons (and their respective affiliations) assisting in research using the anonymized traffic traces. This includes graduate students and interns.
- The IP addresses in these traces are all anonymized to preserve the privacy of end users (hosts) and networks monitored in the collection of the data. The anonymization is prefix-preserving; if the original IP addresses had N bits in common, the anonymized addresses will have those same N bits in common. The traces in a dataset are all anonymized with the same key, so one original IP address that appears in multiple traces in a dataset will appear as the same anonymized IP address across those traces. In so far as possible, privacy of end users (hosts) and networks monitored in the creation of these traces will be respected by the researchers. Researchers will make no attempts to reverse engineer, decrypt, or otherwise identify the original IP addresses collected in the trace. Researchers will also not attempt to extract unanonymized IP addresses from encapsulated headers. Researchers will make no attempts to connect to, probe, or in any other way initiate contact with a machine or machine administrator identified via the anonymized traffic traces.
- Anyone who publishes a document (including web pages and papers) that uses data from this dataset must provide CAIDA with a copy of the publication and must cite:
The CAIDA "DDoS Attack 2007" Dataset
Paul Hick, Emile Aben, kc claffy, Josh Polterock,
http://www.caida.org/data/passive/ddos-20070804_dataset.xml- All users are encouraged, but not required, to include the following attribution in their acknowledgments section:
Support for CAIDA's Internet Traces is provided by the National Science Foundation, the US Department of Homeland Security, and CAIDA Members.- All users who create a publicly available presentation using data from this dataset must provide CAIDA with a copy of the publication and must use the full name of the dataset ("The CAIDA "DDoS Attack 2007" Dataset") in the presentation. Users are encouraged, but not required, to include the url for the dataset (http://www.caida.org/data/passive/ddos-20070804_dataset.xml).
- At the end of the research, or semi-annually (whichever is less), a summary of the research and any findings/conclusions will be reported to CAIDA. If any research is described on the WWW, a URL will be provided. This information is primarily used in reports to our funding agencies.
Data Access
Request Access to the CAIDA "DDoS Attack 2007" Dataset
DDoS-Related Information at CAIDA
Acknowledgements
Special thanks to the Collaborative Center for Internet Epidemiology and Defenses (CCIED, "SeaSide") for their assistance with this dataset.