• HOME
  • About
  • Program Plan
  • Annual Report
  • Joining CAIDA
  • Staff
  • Jobs
  • Legal Agreements
  • How-To
  • Blog
  • Contact Us
• CATALOG
  • Datasets
  • Media
  • Papers
  • Recipes
  • Software
• RESEARCH
  • Topology
  • Security
  • Traffic Analysis
  • Economics and Policy
  • Visualization
• DATA
  • Overview
  • Data Sharing
  • Distribution Statistics
  • How-to
  • Data Usage FAQ
  • Papers using CAIDA Data
  • Acceptable Use Agreement
• TOOLS
  • Overview
• SERVICES
  • AS Rank
  • AS Rank API
  • BGPStream
  • BGPStream API
  • HI-CUBE (login required)
  • IODA
  • MANIC
  • MANIC API
  • Vela
  • Vela web API
  • Vela MIDAR API
  • Vela aliasq API
• PUBLICATIONS
  • Papers
  • Presentations
  • Blog
  • Visualizations
  • - Animations
  • - Posters
  • Networking Bibliography
• WORKSHOPS
  • Overview
  • AIMS
  • DUST
  • IMAPS
  • KISMET
  • WIE
  • WOMBIR
  • Collaborative
  • Archive
• PROJECTS
  • Ark
  • KISMET
  • MANIC
  • Macroscopic Topology
  • Spoofer
  • Network Telescope
  • IMPACT (PREDICT)
• FUNDING
  • PANDA
  • FANTAIL
  • PENMAN
  • SLAM
  • Censorship Outages
  • MapKIT
  • STARDUST
  • MADDVIPR
  • Program Plan

Data Description

The UCSD Network Telescope consists of a globally routed, but lightly utilized /8 network prefix, that is, 1/256th of the whole IPv4 address space. It contains few legitimate hosts; inbound traffic to non-existent machines - so called Internet Background Radiation (IBR) - is unsolicited and results from a wide range of events, including misconfiguration (e.g. mistyping an IP address), scanning of address space by attackers or malware looking for vulnerable targets, backscatter from randomly spoofed denial-of-service attacks, and the automated spread of malware. CAIDA continously captures this anomalous traffic discarding the legitimate traffic packets destined to the few reachable IP addresses in this prefix. We archive and aggregate these data, and provide this valuable resource to network security researchers.

To generate this RSDoS Metadata dataset, we processed 5-minute intervals of the raw telescope data extracting the response packets sent by victims of randomly and uniformly spoofed Denial-of-Service attacks ("backscatter" packets). Activity that related to the same victim was summarized in an 'attack vector', following the definitions and methodology described by Moore et al. (2006). We continued to update the attack vectors as long as related activity was still observed.

Once an attack 'completed', we recorded the accumulated statistics. We also geolocated the targeted IP address using NetAcuity Edge Premium Edition data and determined its origin AS using Routeviews Prefix-to-AS mappings ( pfx2as) data.

For each day within the two-year period from March 1, 2015 to February 28, 2017, the RSDoS dataset has a single compressed CSV file of attack vectors. Each attack vector is uniquely identified by the target IP address and the attack start timestamp. Each record contains the following fields:

• The IP address of the attack victim (target_ip)
• The number of distinct attacker IPs in the attack
• The number of distinct attacker ports
• The number of distinct target ports
• The cumulative total number of packets observed in the attack
• The cumulative total number of bytes seen for the attack
• The maximum packet rate (of backscatter packets) seen in the attack, as a moving average per minute
• The timestamp of the first observed packet of the attack
• The timestamp of the last observed packet of the attack
• The autonomous system number of target_ip at the time of the attack
• Country geolocation of target_ip, at the time of the attack
• Continent geolocation of target_ip, at the time of the attack

Data Access

Academic researchers and US government agencies can request access through CAIDA by filling out and submitting the online form. It usually takes about two to five business days to process your request. We carefully review each application and the decision to grant the data access is based on the merits of your proposed data use.

These data also may be available for corporate entities who participate in CAIDA's membership program. Information on membership levels, services, and rates can be requested by emailing sponsorship@caida.org.

Referencing this Dataset

As specified in TOU, if you use this dataset in any publication (including but not limited to: papers, web pages, presentations, and papers published by a third party), you must include the following reference:

The CAIDA Randomly and Uniformly Spoofed Denial-of-Service (RSDos) Attack Metadata - < dates used > ,
https://www.caida.org/data/passive/rsdos-targets/

Please consider referencing the associated papers:

Jonker, M., King, A., Krupp, J., Rossow, C., Sperotto, A. and Dainotti, A., 2017. Millions of targets under attack: a macroscopic characterization of the DoS ecosystem. In Proceedings of the ACM 2017 Internet Measurement Conference (pp. 100-113), doi:10.1145/3131365.3131383

Moore, D., Shannon, C., Brown, D.J., Voelker, G.M. and Savage, S., 2006. Inferring internet denial-of-service activity. ACM Transactions on Computer Systems (TOCS), 24(2), pp.115-139.

Also, please report your publication using this dataset to CAIDA.

UCSD Network Telescope Datasets

• Historical and Near-Real-Time Network Telescope Dataset
• Aggregated Traffic Data in FlowTuple format
• Daily RSDoS Attack Metadata
• Two Years of Daily RSDoS Attack Metadata (downloadable paper supplement)
• Three Days Of Conficker Dataset
• CAIDA UCSD Network Telescope Traffic Samples
• Witty Worm Dataset
• Code-Red Worms Dataset
• Patch Tuesday Dataset
• Two Days in November 2008 Dataset
• Telescope Educational Dataset
• Telescope Dataset on the Sipscan
• Telescope Darknet Scanners Dataset