LANDER:ddos hackathon-20200511

From Predict

README version: 14451, last modified: 2024-03-12.

This file describes the trace dataset "ddos_hackathon-20200511" provided by the LANDER project.

Contents

  • 1 LANDER Metadata
  • 2 Dataset Contents
  • 3 Dataset Generation
  • 4 Citation
  • 5 Results Using This Dataset
  • 6 User Annotations

LANDER Metadata

┌───────────────────────────┬────────────────────────────────────────────────────────────────────────────────────┐
│ dataSetName               │ ddos_hackathon-20200511                                                            │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ status                    │ usc-web-and-predict                                                                │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ shortDesc                 │ NetFlow data for benign and DDoS flows at FRGP for three months in 2020            │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ longDesc                  │ This is anonymized NetFlow data, collected at FrontRange GigaPOP for select days   │
│                           │ during May, Aug and Sep of 2020. The data contains sampled benign flows (sampling  │
│                           │ rate is per packet and it is 1 in 100 or 1 in 4096) and sampled DDoS flows, as     │
│                           │ well as Arbor Peakflow (Netscout) detections of DDoS attacks.                      │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ datasetClass              │ Unclassified                                                                       │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ commercialAllowed         │ true                                                                               │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ requestReviewRequired     │ true                                                                               │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ productReviewRequired     │ false                                                                              │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ ongoingMeasurement        │ false                                                                              │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ submissionMethod          │ Upload                                                                             │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ collectionStartDate       │ 2020-05-11                                                                         │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ collectionStartTime       │ 00:00:00                                                                           │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ collectionEndDate         │ 2020-09-22                                                                         │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ collectionEndTime         │ 00:00:00                                                                           │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ availabilityStartDate     │                                                                                    │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ availabilityStartTime     │ 00:00:00                                                                           │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ availabilityEndDate       │ 2030-01-01                                                                         │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ availabilityEndTime       │ 00:00:00                                                                           │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ anonymization             │ cryptopan/full                                                                     │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ archivingAllowed          │ false                                                                              │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│                           │ category:traffic-flow-data,                                                        │
│ keywords                  │ subcategory:long-lived-flow-summarization-full-ip-anon, netflow, benign, ddos,     │
│                           │ peakflow, frgp                                                                     │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ format                    │ netflow, text                                                                      │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ access                    │ https                                                                              │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ hostName                  │ USC-LANDER                                                                         │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ providerName              │ USC                                                                                │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ groupingId                │                                                                                    │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ groupingSummaryFlag       │ false                                                                              │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ retrievalInstructions     │ download                                                                           │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ byteSize                  │ 119182196736                                                                       │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ expirationDays            │ 14                                                                                 │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ uncompressedSize          │                                                                                    │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ impactDoi                 │                                                                                    │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ useAgreement              │ frgp-download                                                                      │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ irbRequired               │ false                                                                              │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ privateAccessInstructions │ See https://ant.isi.edu/datasets/#getting-datasets for information on obtaining    │
│                           │ this dataset.                                                                      │
│                           │ See                                                                                │
└───────────────────────────┴────────────────────────────────────────────────────────────────────────────────────┘

Dataset Contents

This dataset contains NetFlow records from FrontRange GigaPOP, including benign flows and DDoS attack flows for three select periods during May, August and September 2020. NetFlow records are saved in 5-minute chunks and compressed using the xz utility. The timestamps are in Mountain Standard Time, which is UTC-6 for the collection time period. The dataset also contains Peakflow (Netscout) alerts for the DDoS attacks, and our inferred ground truth.

The file ".sha1sum" contains SHA1 checksums of the individual compressed files. The integrity of the distribution can thus be checked by independently calculating the SHA1 sums of the files and comparing them with those listed in the file. If you have the sha1sum utility installed on your system, you can do that by executing:

    sha1sum --check .sha1sum

This has to be done before the files are uncompressed.

Dataset Generation

This dataset was generated by sampling packets at several border routers of FrontRange GigaPOP with a 1:100 or 1:4096 sampling rate (the rate is fixed per router interface).
The sampled packets were then used to generate NetFlow records, and IP addresses were anonymized using CryptoPAN. This is prefix-preserving anonymization: the entire IP address is anonymized, but IP addresses belonging to the same prefix share a prefix of the same length after anonymization.

The flows' packet counts are upsampled after the flows are created. This means that if one packet was sampled from a flow at a 1:4096 sampling rate, the resulting flow will have a packet count of 4096. This upsampling is performed automatically by the NetFlow reader (nfdump).

To read the NetFlow data, you will need the nfdump utility. You can then read the data as follows:

    unxz -c | nfdump -r - -nn

You can access attack labels for the data at: https://github.com/STEELISI/COMUNDA/tree/main/ddos_hackathon-20200511

Peakflow alerts were all collected for the affected dates, and pre-filtered to keep only those alerts that relate to reflection attacks. We show the epoch start and stop time of the attack, the anonymized target and the attack types (as reported in the Peakflow alert).

We also align the start and stop time of attacks based on the NetFlow traffic. This process is explained at https://github.com/STEELISI/COMUNDA/tree/main/ddos_hackathon-20200511/uscisi and it results in an alternative set of attack labels.

We welcome your feedback on our labeling process or reports of any attacks we may have missed or inferred wrongly. You can submit these corrections by following the process outlined here: https://steelisi.github.io/CLASSNET-DOCS/labels/.

Citation

If you use this trace to conduct additional research, please cite it as:

    FRGP DDoS Dataset 2020. Provided by the USC/CLASSNET project https://ant.isi.edu/classnet/.

Results Using This Dataset

Rajat Tandon, Pithayuth Charnsethikul, Michalis Kallitsis and Jelena Mirkovic, "AMON-SENSS: Scalable and Accurate Detection of Volumetric DDoS Attacks at ISPs," Proceedings of Globecom, 2022.

User Annotations

Currently no annotations.
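
Added example (not part of the LANDER README or of the project's code): a demonstration of the prefix-preserving property described under Dataset Generation, showing why per-prefix analysis still works on the anonymized addresses. It substitutes HMAC-SHA256 for the AES-based function used by CryptoPAN, and the key and addresses are constructed, so its output does not correspond to any address in the dataset.

```python
import hashlib
import hmac
import ipaddress

# Constructed demo key; it has no relation to the key used for this dataset.
DEMO_KEY = b"constructed-demo-key"


def _flip_bit(key: bytes, leading_bits: str) -> int:
    """Pseudorandom bit derived only from the bits that precede a position."""
    digest = hmac.new(key, leading_bits.encode(), hashlib.sha256).digest()
    return digest[0] >> 7


def anonymize(addr: str, key: bytes = DEMO_KEY) -> str:
    """Prefix-preserving mapping: output bit i = input bit i XOR f(bits 0..i-1)."""
    bits = format(int(ipaddress.IPv4Address(addr)), "032b")
    out = "".join(
        str(int(bit) ^ _flip_bit(key, bits[:i])) for i, bit in enumerate(bits)
    )
    return str(ipaddress.IPv4Address(int(out, 2)))


def common_prefix_len(a: str, b: str) -> int:
    """Number of leading bits two IPv4 addresses have in common."""
    diff = int(ipaddress.IPv4Address(a)) ^ int(ipaddress.IPv4Address(b))
    return 32 - diff.bit_length()


def prefix_preserved(a: str, b: str, key: bytes = DEMO_KEY) -> bool:
    """True if the shared prefix length survives anonymization unchanged."""
    return common_prefix_len(a, b) == common_prefix_len(
        anonymize(a, key), anonymize(b, key)
    )


if __name__ == "__main__":
    # Constructed sample addresses taken from documentation ranges.
    samples = ["192.0.2.10", "192.0.2.200", "198.51.100.7"]
    for i, a in enumerate(samples):
        for b in samples[i + 1:]:
            print(a, b, common_prefix_len(a, b), prefix_preserved(a, b))
```

Two addresses in the same /24 before anonymization are in the same /24 afterwards, so aggregating targets or sources by prefix gives the same grouping on the anonymized data.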