LANDER:DoS 80-20110715
From Predict

README version: 2299, last modified: 2011-10-20.

This file describes the trace dataset "DoS_80-20110715" provided by the LANDER project.

Contents
• 1 LANDER Metadata
• 2 Dataset Contents
• 3 Attack/Backscatter description
• 4 False Positives
• 5 Citation
• 6 Results Using This Dataset
• 7 User Annotations

LANDER Metadata

┌───────────────────────────┬────────────────────────────────────────────────────────────┐
│ dataSetName               │ DoS_80-20110715                                            │
├───────────────────────────┼────────────────────────────────────────────────────────────┤
│ status                    │ usc-web-and-predict                                        │
├───────────────────────────┼────────────────────────────────────────────────────────────┤
│ shortDesc                 │ DoS TCP SYN/ACK trace                                      │
├───────────────────────────┼────────────────────────────────────────────────────────────┤
│ longDesc                  │ This dataset contains one attack, or possibly backscatter  │
│                           │ from a DoS attack. All packets of the attack are TCP       │
│                           │ SYN/ACKs, many identical. The attack lasts about 17        │
│                           │ minutes. The attack includes background traffic with about │
│                           │ an hour and a half prior and following the attack,         │
│                           │ including 8 known false positives.                         │
├───────────────────────────┼────────────────────────────────────────────────────────────┤
│ datasetClass              │ Restricted                                                 │
├───────────────────────────┼────────────────────────────────────────────────────────────┤
│ commercialAllowed         │ true                                                       │
├───────────────────────────┼────────────────────────────────────────────────────────────┤
│ requestReviewRequired     │ true                                                       │
├───────────────────────────┼────────────────────────────────────────────────────────────┤
│ productReviewRequired     │ false                                                      │
├───────────────────────────┼────────────────────────────────────────────────────────────┤
│ ongoingMeasurement        │ false                                                      │
├───────────────────────────┼────────────────────────────────────────────────────────────┤
│ submissionMethod          │ Upload                                                     │
├───────────────────────────┼────────────────────────────────────────────────────────────┤
│ collectionStartDate       │ 2011-07-15                                                 │
├───────────────────────────┼────────────────────────────────────────────────────────────┤
│ collectionStartTime       │ 19:13:53                                                   │
├───────────────────────────┼────────────────────────────────────────────────────────────┤
│ collectionEndDate         │ 2011-07-15                                                 │
├───────────────────────────┼────────────────────────────────────────────────────────────┤
│ collectionEndTime         │ 22:35:29                                                   │
├───────────────────────────┼────────────────────────────────────────────────────────────┤
│ availabilityStartDate     │ 2012-01-27                                                 │
├───────────────────────────┼────────────────────────────────────────────────────────────┤
│ availabilityStartTime     │ 17:04:40                                                   │
├───────────────────────────┼────────────────────────────────────────────────────────────┤
│ availabilityEndDate       │ 2030-01-01                                                 │
├───────────────────────────┼────────────────────────────────────────────────────────────┤
│ availabilityEndTime       │ 00:00:00                                                   │
├───────────────────────────┼────────────────────────────────────────────────────────────┤
│ anonymization             │ cryptopan/full                                             │
├───────────────────────────┼────────────────────────────────────────────────────────────┤
│ archivingAllowed          │ false                                                      │
├───────────────────────────┼────────────────────────────────────────────────────────────┤
│ keywords                  │ category:ip-packet-headers, subcategory:ip-packet-headers, │
│                           │ packet-header, dos, one-time                               │
├───────────────────────────┼────────────────────────────────────────────────────────────┤
│ format                    │ gzip'ed ERF                                                │
├───────────────────────────┼────────────────────────────────────────────────────────────┤
│ access                    │ https                                                      │
├───────────────────────────┼────────────────────────────────────────────────────────────┤
│ hostName                  │ USC-LANDER                                                 │
├───────────────────────────┼────────────────────────────────────────────────────────────┤
│ providerName              │ USC                                                        │
├───────────────────────────┼────────────────────────────────────────────────────────────┤
│ groupingId                │                                                            │
├───────────────────────────┼────────────────────────────────────────────────────────────┤
│ groupingSummaryFlag       │ false                                                      │
├───────────────────────────┼────────────────────────────────────────────────────────────┤
│ retrievalInstructions     │ download                                                   │
├───────────────────────────┼────────────────────────────────────────────────────────────┤
│ byteSize                  │ 34696331264                                                │
├───────────────────────────┼────────────────────────────────────────────────────────────┤
│ expirationDays            │ 14                                                         │
├───────────────────────────┼────────────────────────────────────────────────────────────┤
│ uncompressedSize          │ 100053113661                                               │
├───────────────────────────┼────────────────────────────────────────────────────────────┤
│ impactDoi                 │ 10.23721/109/1353711                                       │
├───────────────────────────┼────────────────────────────────────────────────────────────┤
│ useAgreement              │ dua-ni-160816                                              │
├───────────────────────────┼────────────────────────────────────────────────────────────┤
│ irbRequired               │ false                                                      │
├───────────────────────────┼────────────────────────────────────────────────────────────┤
│ privateAccessInstructions │ See https://ant.isi.edu/datasets/#getting-datasets for     │
│                           │ information on obtaining this dataset.                     │
│                           │ See                                                        │
└───────────────────────────┴────────────────────────────────────────────────────────────┘

Dataset Contents

DoS_80-20110715.README.txt      copy of this README
data/
    20110715-191315-01523603-h4393-f132dd7b.gz    ERF packet trace file
    ...
    20110715-223343-01523806-h4393-f132dd7b.gz    ERF packet trace file
    .sha1sum                                      SHA-1 checksum

Subdirectory "data" contains packet trace data collected at USC. User data has been deleted and only network headers (IP, TCP, UDP, ICMP) remain; all IP addresses have been anonymized using prefix-preserving anonymization. Port numbers have not been anonymized.

Each trace file is named with five dash-separated fields followed by .gz:
• the date and the time stamp of the first packet in the trace,
• the sequence number of the file (consecutive files have consecutive numbers), and
• two keys used to anonymize the data; these keys are not published.

The file ".sha1sum" contains SHA-1 checksums of the individual compressed files. The integrity of the distribution can thus be checked by independently calculating SHA-1 sums of the files and comparing them with those listed in that file.
If you have the sha1sum utility installed on your system, you can do that by executing:

    sha1sum --check .sha1sum

This needs to be done before the files are uncompressed.

Attack/Backscatter description

This attack/backscatter was detected automatically by applying the following thresholds to the trace data:

 1. The packet/bit rate directed to a particular IP is more than 3 standard deviations higher than the mean packet/bit rate for this IP.
 2. The total packet rate must be greater than 5000 packets/s.
 3. The conditions above must be met for at least 10 seconds to trigger a red flag.

This algorithm discovered a DoS attack/backscatter directed at IP address 134.58.245.188. The attack starts on July 15, 2011 at 20:44:25.144109 (file 20110715-204356-01523696-h4393-f132dd7b.gz) and looks as follows in tcpdump text output:

    20:44:25.144109 IP 184.154.27.187.80 > 134.58.245.188.1683: S 2733780888:2733780888(0) ack 16548 win 5840
    20:44:25.144110 IP 184.154.27.187.80 > 134.58.245.188.1683: S 2733780888:2733780888(0) ack 16548 win 5840
    20:44:25.144111 IP 184.154.27.187.80 > 134.58.245.188.1683: S 2733780888:2733780888(0) ack 16548 win 5840
    20:44:25.144437 IP 184.154.27.187.80 > 134.58.245.188.1683: S 2733780888:2733780888(0) ack 16548 win 5840
    ...

That is, TCP SYN/ACKs with all identical sequence numbers. In subsequent trace files the sequence numbers vary; e.g. in 20110715-204457-01523697-h4393-f132dd7b.gz we see:

    20:45:11.189441 IP 184.154.27.187.80 > 134.58.245.188.1683: S 2779067777:2779067777(0) ack 16548 win 5840
    20:45:11.189569 IP 184.154.27.187.80 > 134.58.245.188.1683: S 2779067777:2779067777(0) ack 16548 win 5840
    20:45:11.189594 IP 184.154.27.187.80 > 134.58.245.188.1683: S 2779067777:2779067777(0) ack 16548 win 5840
    ...

This is most likely backscatter rather than a direct attack: a web server is running at the source address, and the destination is nothing of interest (it is in fact a dorm computer on the USC main campus).
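The three thresholds above, re-created in Python as an added example (this is not LANDER's detection code): per_second_rates() bins a header-only packet list by destination and second, flag_candidates() applies rules 1 to 3 against a per-destination baseline, and synthetic_packets() plus BASELINE are constructed inputs, including a 9-second burst that rule 3 rejects and a busy server that rule 1 ignores. The epoch start, the 192.0.2.x hosts and the baseline values are assumptions, not values from the trace.

```python
from collections import defaultdict

MIN_PPS = 5000      # rule 2: total packet rate to the destination must exceed 5000 pkt/s
SIGMA = 3           # rule 1: rate more than 3 standard deviations above this IP's mean
MIN_SECONDS = 10    # rule 3: rules 1 and 2 must hold for at least 10 consecutive seconds
# Assumed per-destination (mean pkt/s, stdev pkt/s) from a quiet period; constructed values.
BASELINE = {"134.58.245.188": (85.5, 400.0), "192.0.2.10": (85.5, 400.0),
            "192.0.2.20": (5900.0, 100.0)}

def per_second_rates(packets):
    """packets: iterable of (timestamp, dst_ip, ip_length), as a header-only trace
    yields. Returns {dst_ip: {second: [packet_count, byte_count]}}."""
    rates = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for ts, dst, length in packets:
        cell = rates[dst][int(ts)]
        cell[0] += 1
        cell[1] += length
    return rates

def flag_candidates(rates, baseline):
    """baseline: {dst_ip: (mean_pps, stdev_pps)} from a quiet period. Returns one
    (dst_ip, start_second, duration) per run of >= MIN_SECONDS contiguous hot seconds."""
    flagged = []
    for dst, series in rates.items():
        mu, sigma = baseline.get(dst, (0.0, 0.0))
        run_start, run_len = None, 0
        for sec in sorted(series):
            pps = series[sec][0]
            hot = pps > MIN_PPS and pps > mu + SIGMA * sigma
            if hot and run_start is not None and sec == run_start + run_len:
                run_len += 1          # run continues without a gap
                continue
            if run_len >= MIN_SECONDS:
                flagged.append((dst, run_start, run_len))
            run_start, run_len = (sec, 1) if hot else (None, 0)
        if run_len >= MIN_SECONDS:    # run still open at the end of the series
            flagged.append((dst, run_start, run_len))
    return flagged

def synthetic_packets():
    """Constructed input (not trace data): a 17 s 40-byte SYN/ACK flood at the README's
    victim from an assumed epoch for 2011-07-15 20:44:25 PDT, a 9 s burst that rule 3
    should reject, and a busy server within its own baseline that rule 1 should ignore."""
    flood = [(1310787865 + s + i / 6000.0, "134.58.245.188", 40)
             for s in range(17) for i in range(6000)]
    short = [(1310787900 + s + i / 5500.0, "192.0.2.10", 40)
             for s in range(9) for i in range(5500)]
    busy = [(1310787865 + s + i / 6000.0, "192.0.2.20", 40)
            for s in range(17) for i in range(6000)]
    return flood + short + busy
```

Dropping the baseline (an empty dict) reduces the detector to rule 2 alone, which is what turns a steadily busy server into the kind of false positive listed in the next section.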
The attack lasts until 21:02:51.427617 in 20110715-210218-01523715-h4393-f132dd7b.gz and ends with:

    21:02:51.427595 IP 184.154.27.187.80 > 134.58.245.188.1683: S 3886875447:3886875447(0) ack 16548 win 5840
    21:02:51.427617 IP 184.154.27.187.80 > 134.58.245.188.1683: S 3886875447:3886875447(0) ack 16548 win 5840
    21:02:51.427617 IP 184.154.27.187.80 > 134.58.245.188.1683: S 3886875447:3886875447(0) ack 16548 win 5840

In this dataset we have included about 1 hour and 30 minutes of background traffic prior to the attack and about 1 hour and 30 minutes of background traffic following the attack. We are not aware of any DoS attacks in this data set other than the one documented above.

False Positives

After the thresholds above were applied, several other destinations were flagged as suspects of a potential DoS attack. A manual examination showed that they were not actual attacks but normal traffic patterns. These false positives are included in the hope that they might be used for evaluation or training of other DoS detection algorithms.
┌────────────────┬───────────────────┬──────────────┬───────────────────────────┬────────────────────────────────┐
│                │ Time Start (s     │              │ Packet Stats (pkt/s)      │ Byte Stats (B/s)               │
│ Destination IP │ since epoch)      │ Duration (s) ├─────────┬────────┬────────┼────────────┬─────────┬─────────┤
│                │                   │              │ Rate    │ Mean   │ Stdev  │ Rate       │ Mean    │ Stdev   │
├────────────────┼───────────────────┼──────────────┼─────────┼────────┼────────┼────────────┼─────────┼─────────┤
│ 134.58.85.56   │ 1310784653        │ 20           │ 15535.3 │ 85.5   │ 1088.3 │ 22182630.0 │ 118941  │ 1553990 │
├────────────────┼───────────────────┼──────────────┼─────────┼────────┼────────┼────────────┼─────────┼─────────┤
│ 134.58.121.122 │ 1310790121        │ 10           │ 7073.3  │ 909.6  │ 721.3  │ 10235089.4 │ 1087980 │ 1049450 │
├────────────────┼───────────────────┼──────────────┼─────────┼────────┼────────┼────────────┼─────────┼─────────┤
│ 134.58.124.158 │ 1310784847        │ 9            │ 5947.8  │ 93.7   │ 453    │ 8643295.1  │ 127075  │ 654055  │
├────────────────┼───────────────────┼──────────────┼─────────┼────────┼────────┼────────────┼─────────┼─────────┤
│ 134.58.200.25  │ 1310785453        │ 19           │ 7408.3  │ 837.6  │ 1328.9 │ 10517188.3 │ 941764  │ 1936650 │
├────────────────┼───────────────────┼──────────────┼─────────┼────────┼────────┼────────────┼─────────┼─────────┤
│ 134.58.196.196 │ 1310790626        │ 13           │ 6735.4  │ 409.2  │ 1367.8 │ 10220356.7 │ 618898  │ 2076020 │
├────────────────┼───────────────────┼──────────────┼─────────┼────────┼────────┼────────────┼─────────┼─────────┤
│ 62.161.242.32  │ 1310782788        │ 18           │ 14855.5 │ 2628.9 │ 2063.6 │ 1066606    │ 184072  │ 147077  │
├────────────────┼───────────────────┼──────────────┼─────────┼────────┼────────┼────────────┼─────────┼─────────┤
│ 62.161.249.121 │ 1310785226        │ 10           │ 20530.7 │ 679.0  │ 1384.5 │ 1464106.8  │ 48424.5 │ 98595.2 │
├────────────────┼───────────────────┼──────────────┼─────────┼────────┼────────┼────────────┼─────────┼─────────┤
│ 62.161.202.68  │ 1310788543        │ 10           │ 27892.2 │ 47.1   │ 995.1  │ 42338309.4 │ 44105.4 │ 1510460 │
└────────────────┴───────────────────┴──────────────┴─────────┴────────┴────────┴────────────┴─────────┴─────────┘

Citation

If you use this trace to conduct additional research, please cite it as:

Scrambled Internet Trace Measurement dataset, PREDICT ID: USC-LANDER/DoS_80-20110715/rev2299. Traces taken from 2011-07-15 19:13:53 to 2011-07-15 22:35:29. Provided by the USC/LANDER project (http://www.isi.edu/ant/lander).

Results Using This Dataset

Traces similar to this one have been used in the following previously published work:

• Alefiya Hussain, John Heidemann, and Christos Papadopoulos. A Framework for Classifying Denial of Service Attacks. In Proceedings of the ACM SIGCOMM Conference, pp. 99-110. Karlsruhe, Germany, ACM. August, 2003. http://www.isi.edu/~johnh/PAPERS/Hussain03b.html
• Alefiya Hussain, John Heidemann, and Christos Papadopoulos. Identification of Repeated DoS Attacks using Network Traffic Forensics. Technical Report ISI-TR-2003-577b, USC/Information Sciences Institute, August, 2003. Originally released August 2003, updated June 2004. http://www.isi.edu/~johnh/PAPERS/Hussain03c.html

User Annotations

This dataset reads successfully with libtrace-3.0.17, but not with wireshark-1.8.6. Sample command to read it:

    zcat /nfs/lander/traces/DoS_80-20110715/data/20110715-192338-01523615-h4393-f132dd7b.gz | \
        tracesplit -Z none erf:- pcapfile:- | \
        tcpdump -r- -nn

Johnh (talk) 15:30, 17 June 2013 (PDT)