DNS Backscatter

This web page documents our datasets related to DNS backscatter. DNS Backscatter is all reverse-DNS queries that are sent in reaction to some network-wide event, like scanning or spamming.

The paper “Detecting Malicious Activity with DNS Backscatter”

In this paper we describes methods and analysis we developed for DNS backscatter: [1]

And we later extended extends our understanding about methods and usability we developed for DNS backscatter: [2]

We list all datatasets used in the paper below (and in Table 1 of the paper). Some of those datasets are not publicly available, but some datasets are available upon request.


If you have specific research needs that require datasets marked “not currently available”, please contact the paper authors.

The paper “Detecting Malicious Activity with DNS Backscatter”

We adapted the DNS backscatter technique for IPv6 in: [1]

Please contact the authors for availability of the datasets for this paper.

Datatset Format

DITL data is network packet captures in pcap format. Data has been host anonymized, where the low-order 8 bits are scrabled with prefix-preserving anonymization.

Getting this data

For ANT-project or PREDICT data see requests.html for details about how to get these datasets.

DITL datasets are also available throuhg DNS-OARC.