DNS Backscatter

This web page documents our datasets related to DNS backscatter. DNS Backscatter is all reverse-DNS queries that are sent in reaction to some network-wide event, like scanning or spamming.

The paper “Detecting Malicious Activity with DNS Backscatter”

Our first publication about backscatter is: [1]

This paper describes methods and analysis we developed for DNS backscatter.

Our second publication about backscatter is: [1]

This paper extends our understanding about methods and usability we developed for DNS backscatter.

We list all datatasets used in the paper below (and in Table 1 of the paper). Some of those datasets are not publicly available, but some datasets are available upon request.


If you have specific research needs that require datasets marked “not currently available”, please contact the paper authors.

Datatset Format

DITL data is network packet captures in pcap format. Data has been host anonymized, where the low-order 8 bits are scrabled with prefix-preserving anonymization.

Getting this data

For ANT-project or PREDICT data see requests.html for details about how to get these datasets.

DITL datasets are also available throuhg DNS-OARC.