Skip to Content
[CAIDA - Center for Applied Internet Data Analysis logo]
Center for Applied Internet Data Analysis
www.caida.org > data : passive : telescope-daily-rsdos.xml
UCSD Network Telescope Daily Randomly and Uniformly Spoofed Denial-of-Service (RSDoS) Attack Metadata
This dataset contains meta-data of the randomly spoofed denial-of-service attacks inferred from the backscatter packets collected by the UCSD Network Telescope. It is aggregated from the raw Telescope data using the criteria described in the paper Inferring Internet Denial-of-Service Activity (2006) by Moore et al. This ongoing dataset is updated every day, and contains data starting October 1st 2008.

|   Data Sources:    Passive    Active    Other    External   |

Data Description

The UCSD Network Telescope consists of a globally routed, but lightly utilized /8 network prefix, that is, 1/256th of the whole IPv4 address space. It contains few legitimate hosts; inbound traffic to non-existent machines - so called Internet Background Radiation (IBR) - is unsolicited and results from a wide range of events, including misconfiguration (e.g. mistyping an IP address), scanning of address space by attackers or malware looking for vulnerable targets, backscatter from randomly spoofed denial-of-service attacks, and the automated spread of malware. CAIDA continously captures this anomalous traffic discarding the legitimate traffic packets destined to the few reachable IP addresses in this prefix. We archive and aggregate these data, and provide this valuable resource to network security researchers.

To generate this RSDoS Attack Metadata dataset, we process 5-minute intervals of the raw telescope data extracting the response packets sent by victims of randomly and uniformly spoofed Denial-of-Service attacks (backscatter packets). Activity that related to the same victim is summarized in an 'attack vector', following the definitions and methodology described by Moore et al. (2006). We continue to update the attack vectors as long as related activity is still observed.

Once an attack completed, we record the accumulated statistics. We also geolocate the targeted IP address using NetAcuity Edge Premium Edition data and determine its origin AS using Routeviews Prefix-to-AS mappings (pfx2as) data.

For each day, the RSDoS dataset has a single compressed CSV file of attack vectors. Each attack vector is uniquely identified by the target IP address and the attack start timestamp. Each record contains the following fields:

  • The IP address of the attack victim (target_ip)
  • The number of distinct attacker IPs in the attack
  • The number of distinct attacker ports
  • The number of distinct target ports
  • The cumulative total number of packets observed in the attack
  • The cumulative total number of bytes seen for the attack
  • The maximum packet rate (of backscatter packets) seen in the attack, as a moving average per minute
  • The timestamp of the first observed packet of the attack
  • The timestamp of the last observed packet of the attack
  • The autonomous system number of target_ip at the time of the attack
  • Country geolocation of target_ip, at the time of the attack
  • Continent geolocation of target_ip, at the time of the attack
  • The IP protocol value of target-destined packets
  • The first observed attacker port
  • The first observed target port
  • The first-observed ICMP type for the attack vector
  • The first-observed ICMP code for the attack vector
  • A bit flag indicating if an attack is definitely multi IP protocol

Caveats that apply to this dataset

This dataset and the types of worm and denial-of-service attack traffic contained therein are representative only of some spoofed source denial-of-service attacks. Many denial-of-service attackers do not spoof source IP addresses when they attack their victim, in which case backscatter would not appear on a telescope. Attackers can also spoof in a non-random fashion, which will incur an uneven distribution of backscatter across the IPv4 address space, and may cause backscatter traffic to miss any telescope lenses. Note that the telescope does not send any packets in response, which also limits insight into the traffic it sees.

Data Access Policy

These data must be analyized on CAIDA machines, and cannot be downloaded!

Academic researchers, government agencies and corporate entries in the DHS-Approved Locations (Australia, Canada, Israel, Japan, Netherlands, Singapore, United Kingdom) should request access through the website of the Information Marketplace for Policy and Analysis of Cyber-risk and Trust (IMPACT) portal. After locating this dataset in the IMPACT data catalog, please follow the IMPACT instructions for requesting the dataset. In order for the application to be considered, the researchers must obtain an IMPACT account as well as complete and agree to IMPACT Memorandum of Agreement (MOA).

Academic researchers from other foreign countries can request access through CAIDA by filling out and submitting the online form. It usually takes about five to ten business days to process your request. We carefully review each application and the decision to grant the data access is based on the merits of your proposed data use.

Finally, these data also may be available for government and corporate entities not from DHS-Approved Locations who participate in CAIDA's membership program. Information on membership levels, services, and rates can be found on the CAIDA Sponsorship Information page, or by emailing sponsorship@caida.org.

Once users are approved for access to this dataset, they will receive an account on the CAIDA machine that provides direct access to the Telescope data they requested. Accounts are valid for a nominal twelve months in which the research is expected to be completed. CAIDA strictly enforces a "take software to the data" policy for this dataset: all analysis must be performed on CAIDA computers; download of raw data is not allowed. CAIDA provides several basic tools to work with the dataset, including CoralReef and Corsaro. Researchers can also upload their own analysis software.

Acceptable Use Agreement

Access to these data is subject to the terms of the following CAIDA Acceptable Use Agreement (printable version in PDF format)
and the supplemental AUA below:


Referencing this Dataset

When referencing this data (as required by the AUA), please use:

UCSD Network Telescope Daily Randomly and Uniformly Spoofed Denial-of-Service (RSDoS) Attack Metadata - < dates used >,
http://www.caida.org/data/passive/telescope-daily-rsdos.xml
Also, please, report your publication to CAIDA.

UCSD Network Telescope Datasets

For more information on the UCSD Network Telescope, see:

For more information on the CoralReef Software Suite, see:

For more information on the Corsaro Software Suite, see:

For a non-exhaustive list of Non-CAIDA publications using Network Telescope data, see:

  Last Modified: Tue Oct-8-2019 11:20:53 PDT
  Page URL: http://www.caida.org/data/passive/telescope-daily-rsdos.xml