UCSD Network Telescope Daily Randomly and Uniformly Spoofed Denial-of-Service (RSDoS) Attack Metadata

This dataset contains meta-data of the randomly spoofed denial-of-service attacks inferred from the backscatter packets collected by the UCSD Network Telescope. It is aggregated from the raw Telescope data using the criteria described in the paper Inferring Internet Denial-of-Service Activity (2006) by Moore et al. This dataset is updated every day, and contains data starting October 1st 2008.

Data Description

The UCSD Network Telescope consists of a globally routed, but lightly utilized /9 and /10 network prefix, that is, 1/256th of the whole IPv4 address space. It contains few legitimate hosts; inbound traffic to non-existent machines - so called Internet Background Radiation (IBR) - is unsolicited and results from a wide range of events, including misconfiguration (e.g. mistyping an IP address), scanning of address space by attackers or malware looking for vulnerable targets, backscatter from randomly spoofed denial-of-service attacks, and the automated spread of malware. CAIDA continously captures this anomalous traffic discarding the legitimate traffic packets destined to the few reachable IP addresses in this prefix. We archive and aggregate these data, and provide this valuable resource to network security researchers.

To generate this RSDoS Attack Metadata dataset, we process 5-minute intervals of the raw telescope data extracting the response packets sent by victims of randomly and uniformly spoofed Denial-of-Service attacks (backscatter packets). Activity that related to the same victim is summarized in an 'attack vector', following the definitions and methodology described by Moore et al. (2006). We continue to update the attack vectors as long as related activity is still observed.
Once an attack completed, we record the accumulated statistics. We also geolocate the targeted IP address using NetAcuity Edge Premium Edition data and determine its origin AS using Routeviews Prefix-to-AS mappings (pfx2as) data.
For more information please see the RSDoS documentation.

Caveats that apply to this dataset

This dataset and the types of worm and denial-of-service attack traffic contained therein are representative only of some spoofed source denial-of-service attacks. Many denial-of-service attackers do not spoof source IP addresses when they attack their victim, in which case backscatter would not appear on a telescope. Attackers can also spoof in a non-random fashion, which will incur an uneven distribution of backscatter across the IPv4 address space, and may cause backscatter traffic to miss any telescope lenses. Note that the telescope does not send any packets in response, which also limits insight into the traffic it sees.

Data Access Policy

In 2021 CAIDA completed an NSF-funded CI-SUSTAIN project "Sustainable Tools for Analysis and Research on Darknet Unsolicited Traffic" (STARDUST). NSF’s expectation is that this funding has enabled CAIDA to sustain Telescope data collection, curation, and sharing through users' contributions. We are now undertaking efforts to put in place the mechanisms that allow such contributions. This includes service agreements and data licensing for academic and commercial data use, as well as new data access options. If you are interested in finding more information about the access options and pricing please fill out and submit the CAIDA UCSD Network Telescope Datasets Request Form.

Acceptable Use Agreement

Access to these data is subject to the terms of the following CAIDA Acceptable Use Agreement

It is also governed by the terms of the CAIDA Telescope Supplement Acceptable Use Agreement

Referencing this Dataset

When referencing this data (as required by the AUA), please use:

UCSD Network Telescope Daily Randomly and Uniformly Spoofed Denial-of-Service (RSDoS) Attack Metadata - <dates used>,
https://www.caida.org/catalog/datasets/telescope-daily-rsdos/,
doi:10.21986/CAIDA.DATA.TELESCOPE-DAILY-RSDOS

Also, please, report your publication to CAIDA.

UCSD Network Telescope Datasets

The UCSD Network Telescope datasets resulted in the following 21 Telescope datasets listed in CAIDA catalog:

UCSD Real-time Network Telescope. Apr 2020.
Telescope nDAG Live.
UCSD Telescope data at NERSC. Nov 2003.
UCSD Network Telescope Aggregated Flow Dataset. Nov 2003.
Aggregated Daily RSDoS Attack Metadata. Jan 2008.
Annotated Anonymized Telescope Packets Sampler. Aug 2022.
UCSD-NT FlowTuple Sampler. May 2022.
Anonymized Network Sensing Graph Challenge Dataset. Apr 2022.
Aggregated Daily RSDoS Attack Metadata (Corsaro 2). Aug 2021.
CAIDA-GreyNoise Cross Correlation Dataset. Oct 2020.
CAIDA Randomly and Uniformly Spoofed Denial-of-Service Attack Metadata. Feb 2017.
Telescope Darknet Scanners. Jun 2016.
Corsaro Patch Tuesday. Jun 2012.
Telescope Educational. Apr 2012.
Telescope Sipscan dataset. Feb 2011.
Three days of Conficker. Jan 2009.
Two-Days-in-2008 Telescope Dataset. Nov 2008.
UCSD Network Telescope Traffic Samples. Nov 2008.
Witty Worm dataset. Mar 2004.
Backscatter datasets for TOCS paper. Feb 2004.
Code Red worm dataset. Aug 2001.

For more information on the UCSD Network Telescope, see:

https://www.caida.org/projects/network_telescope/

For more information on the CoralReef Software Suite, see:

https://www.caida.org/catalog/software/coralreef/

For more information on the Corsaro Software Suite, see:

https://catalog.caida.org/software/corsaro

For a non-exhaustive list of Non-CAIDA publications using Network Telescope data, see:

Related Objects

See https://catalog.caida.org/dataset/telescope_daily_rsdos/ to explore related objects to this document in the CAIDA Resource Catalog.