Skip to Content
[CAIDA - Center for Applied Internet Data Analysis logo]
Center for Applied Internet Data Analysis > data : passive : telescope-ddos.xml
UCSD Network Telescope Aggregrated DDoS Metadata
This dataset represents DDoS activity observed by the UCSD Network Telescope. It is aggregated from the raw Telescope data using the criteria described in the paper Inferring Internet Denial-of-Service Activity (2006) by Moore et al.

Data Description

The UCSD Network Telescope consists of a globally routed, but lightly utilized /8 network prefix, that is, 1/256th of the whole IPv4 address space. It contains few legitimate hosts; inbound traffic to non-existent machines - so called Internet Background Radiation (IBR) - is unsolicited and results from a wide range of events, including misconfiguration (e.g. mistyping an IP address), scanning of address space by attackers or malware looking for vulnerable targets, backscatter from randomly spoofed denial-of-service attacks, and the automated spread of malware. CAIDA continously captures this anomalous traffic discarding the legitimate traffic packets destined to the few reachable IP addresses in this prefix. We archive and aggregate these data, and provide this valuable resource to network security researchers.

From traffic observed at the UCSD network telescope we extract the "backscatter" (response) packets sent by victims of Denial-of-Service attacks to infer properties of these attacks. To generate this DDoS Metadata dataset, we process 5-minute intervals of the raw telescope data creating a summary of all potential DDoS-related events encoded as attack vectors. The description of each attack vector contains the following information:

  • Start time of the 5-min interval
  • Number of attack vectors in this interval
  • Statistical characteristics of this attack: IP address of the attack victim, cumulative total number of different attacker IPs, the number of different attacker IPs in the attack in this interval, the number of different attacker port numbers used, the number of different target port numbers used, cumulative total number of packets in the attack, total number of packets in the attack in this interval, cumulative total number of bytes in the attack, total number of bytes in the attack in this interval, maximum packets per minute rate seen in the attack, timestamp of the first packet in attack in this interval, timestamp of the last packet in attack in this interval
  • Description of the first packet of the attack
The thresholds used to determine the attack vectors are defined in the Moore et al., 2006 paper.

If at the end of a given 5-minute interval an attack is still ongoing, then its corresponding attack vector is written to a file containing the state of the attack up to that time. The attack statistics continue to be accumulated in subsequent 5-minute intervals until the attack ends. At that time the attack vector for the whole attack (that is, including the numbers from the beginning of the attack) is recorded.

Each hour of Telescope data produces a single file of observed attack vectors. 24 hourly files for each day are stored in a separate subdirectory. The whole ongoing dataset covering the period from February 2008 till now is stored locally at CAIDA.

Caveats that apply to this dataset

This dataset and the types of worm and denial-of-service attack traffic contained therein are representative only of some spoofed source denial-of-service attacks. Many denial-of-service attackers do not spoof source IP addresses when they attack their victim, in which case backscatter would not appear on a telescope. Attackers can also spoof in a non-random fashion, which will incur an uneven distribution of backscatter across the IPv4 address space, and may cause backscatter traffic to miss any telescope lenses. Note that the telescope does not send any packets in response, which also limits insight into the traffic it sees.

Data Access Policy

These data must be analyzed on CAIDA machines, and cannot be downloaded!

Academic researchers and US government agencies can request access through CAIDA by filling out and submitting the online form. It usually takes about five to ten business days to process your request. We carefully review each application and the decision to grant the data access is based on the merits of your proposed data use.

These data also may be available for corporate entities who participate in CAIDA's membership program. Information on membership levels, services, and rates can be requested by emailing

Once users are approved for access to this dataset, they will receive an account on the CAIDA machine that provides direct access to the Telescope data they requested. Accounts are valid for a nominal twelve months in which the research is expected to be completed. CAIDA strictly enforces a "take software to the data" policy for this dataset: all analysis must be performed on CAIDA computers; download of raw data is not allowed. CAIDA provides several basic tools to work with the dataset, including CoralReef and Corsaro. Researchers can also upload their own analysis software.

Acceptable Use Agreement

Access to these data is subject to the terms of the following CAIDA Acceptable Use Agreement (printable version in PDF format)
and the supplemental AUA below:

When referencing this data (as required by the AUA), please use:

The CAIDA UCSD Network Telescope Aggregrated DDoS Metadata - < dates used >,
Also, please, report your publication to CAIDA.

UCSD Network Telescope Datasets


For more information about the use of these data in studies of internet censorship, see:

For more information on Conficker and worm attacks, see:

For more information on Backscatter and Denial-of-Service attacks, see:

For more information on the UCSD Network Telescope, see:

For more information on the CoralReef Software Suite, see:

For more information on the Corsaro Software Suite, see:

For a non-exhaustive list of Non-CAIDA publications using Network Telescope data, see:

  Last Modified: Tue Jul-28-2020 14:30:28 UTC
  Page URL: