LANDER:DoS DDiDD Experiments-20230111

From Predict

README version: 13525, last modified: 2022-12-12.

This file describes the trace dataset "DoS_DDiDD_Experiments-20230111" provided by the LANDER project.

Contents

• 1 LANDER Metadata
• 2 Dataset Contents
• 3 Dataset explanation
  • 3.1 Trained (learned) data
  • 3.2 Additional data needed
  • 3.3 Additional software needed
  • 3.4 Instructions to reproduce paper results
• 4 Citation
• 5 User Annotations

LANDER Metadata

┌───────────────────────────┬────────────────────────────────────────────────────────────────────────────────────┐
│ dataSetName               │ DoS_DDiDD_Experiments-20230111                                                     │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ status                    │ usc-web-and-predict                                                                │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ shortDesc                 │ DDiDD experiment data and scripts                                                  │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ longDesc                  │ Experiments measuring DDiDD performance on a series of B_Root_Anomaly events       │
│                           │ representing flash-crowd DDoS attacks                                              │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ datasetClass              │ Quasi-Restricted                                                                   │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ commercialAllowed         │ true                                                                               │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ requestReviewRequired     │ true                                                                               │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ productReviewRequired     │ false                                                                              │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ ongoingMeasurement        │ false                                                                              │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ submissionMethod          │ Upload                                                                             │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ collectionStartDate       │ 2015-11-30                                                                         │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ collectionStartTime       │ 00:00:00                                                                           │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ collectionEndDate         │ 2021-05-28                                                                         │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ collectionEndTime         │ 00:00:00                                                                           │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ availabilityStartDate     │ 2022-12-03                                                                         │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ availabilityStartTime     │ 15:36:00                                                                           │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ availabilityEndDate       │ 2030-01-01                                                                         │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ availabilityEndTime       │ 00:00:00                                                                           │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ anonymization             │ cryptopan/host                                                                     │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ archivingAllowed          │ false                                                                              │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ keywords                  │ category:synthetically-generated-data, subcategory:experimental-data,              │
│                           │ domain-names, DNS requests                                                         │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ format                    │ text                                                                               │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ access                    │ https                                                                              │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ hostName                  │ USC-LANDER                                                                         │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ providerName              │ USC                                                                                │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ groupingId                │                                                                                    │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ groupingSummaryFlag       │ false                                                                              │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ retrievalInstructions     │ download                                                                           │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ byteSize                  │ 1895825408                                                                         │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ expirationDays            │ 14                                                                                 │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ uncompressedSize          │ 11279224                                                                           │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ impactDoi                 │                                                                                    │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ useAgreement              │ dua-ni-160816                                                                      │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ irbRequired               │ false                                                                              │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ privateAccessInstructions │ See http://www.isi.edu/ant/traces/index.html#getting_datasets for information on   │
│                           │ obtaining this dataset.                                                            │
│                           │                                                                                    │
│                           │ See                                                                                │
└───────────────────────────┴────────────────────────────────────────────────────────────────────────────────────┘

Dataset Contents

This dataset contains the DDiDD experiments for the paper "Defending Root DNS Servers Against DDoS Using Layered Defenses" (methodologies are explained in detail in the "Dataset explanation" section).

All data and scripts are in the top directory.

These datasets are all created from anonymized B_Root_Anomaly-xxx datasets. They contain no real IP addresses and so their contents have no privacy concerns.

Dataset explanation

Trained (learned) data

Trained (learned) data for various filters is in the following files:

* ur.trained.xxx - for UR filter
* hcf.trained.xxx - for HCF filter
* wr.trained.xxx - for WR filter
* fq.trained - for FQ filter (data is pretty stable so we learn it once and use for all datasets)
* at.xxx - ground truth for attacker IPs
* 20151130.correct - ground truth for two specific seconds of attack in 20151130 dataset

Additional data needed

Reproducing all paper results also requires the direct captures of B-root events. The events used in the DDiDD paper are listed below. They can be requested through http://www.isi.edu/ant/traces/index.html#getting_datasets.

* B_Root_Anomaly-20151130
* B_Root_Anomaly-20160625
* B_Root_Anomaly-20170221
* B_Root_Anomaly-20170306
* B_Root_Anomaly-20170425
* B_Root_Anomaly-20190907
* B_Root_Anomaly-20200213
* B_Root_Anomaly-20201024
* B_Root_Anomaly-20210528

Additional software needed

To reproduce the paper results you will need to download the ddidd software from https://ant.isi.edu/software/ddidd/index.html.

Instructions to reproduce paper results

Please set your DATADIR environment variable to the location where you store all your datasets, e.g., for bash you would do "export DATADIR=/path/to/datasets"

Set your PATH to point to the folder where the ddidd and loadpcap binaries reside, e.g., for bash you would do "export PATH=/path/to/ddidd-binary:$PATH"

You should run gunzip on all .gz files first.

Trained (learned) data for various filters is in the following files:

- ur.trained.xxx - for UR filter
- hcf.trained.xxx - for HCF filter
- wr.trained.xxx - for WR filter
- fq.trained - for FQ filter (data is pretty stable so we learn it once and use for all datasets)
- at.xxx - ground truth for attacker IPs
- 20151130.correct - ground truth for two specific seconds of attack in 20151130 dataset

You can reproduce Table II in our paper by running:

* fq.sh for FQ column
* ur.sh for UR column
* hcf.sh for HC column
* wr.sh for WR column
* ddidd-full.sh for DDiDD_F column
* ddidd-part.sh for DDiDD_P column

After you have the results, please run the corresponding onemean and dperf scripts to obtain the cd and con column values, respectively. cd is the "Good filtered" output of onemean and con is the "controlled" output of dperf.

* fq-onemean.sh and fq-dperf.sh
* ur-onemean.sh and ur-dperf.sh
* hcf-onemean.sh and hcf-dperf.sh
* wr-onemean.sh and wr-dperf.sh
* ddidd-full-onemean.sh and ddidd-full-dperf.sh
* ddidd-part-onemean.sh and ddidd-part-dperf.sh

Collateral damage (con) for 20151130 will not immediately match, because this attack event had a few seconds of spoofed traffic that used existing resolver addresses. This means that the ground-truth attacker set was dynamic during this event. To address this dynamism and recalculate collateral damage while taking dynamic attacks into account, please set the CORRECT flag to 1 in hcf.cc (DDiDD software), recompile and rerun.

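The steps above as one driver script, added here as an example; it is not part of the dataset or of the ddidd software, and its function names are hypothetical. It assumes each B_Root_Anomaly-* dataset is an entry directly under $DATADIR, and that the README's scripts take no arguments and are run from the dataset's top directory.

```bash
#!/usr/bin/env bash
# Added example, not shipped with the dataset. Function names are hypothetical.
# Assumptions: each B_Root_Anomaly-* dataset is an entry directly under $DATADIR;
# the README's scripts take no arguments and sit in the current (top) directory.

EVENTS="20151130 20160625 20170221 20170306 20170425 20190907 20200213 20201024 20210528"
FILTERS="fq ur hcf wr ddidd-full ddidd-part"

# Print one line per missing prerequisite; non-zero status if anything is missing.
ddidd_preflight() {
    local missing=0 bin ev
    if [ -z "${DATADIR:-}" ] || [ ! -d "$DATADIR" ]; then
        echo "DATADIR is unset or not a directory"
        return 1
    fi
    for bin in ddidd loadpcap; do
        command -v "$bin" >/dev/null 2>&1 || { echo "missing binary on PATH: $bin"; missing=1; }
    done
    for ev in $EVENTS; do
        [ -e "$DATADIR/B_Root_Anomaly-$ev" ] || { echo "missing dataset: B_Root_Anomaly-$ev"; missing=1; }
    done
    return "$missing"
}

# Scripts in README order: filter run, then onemean (cd), then dperf (con).
ddidd_plan() {
    local f
    for f in $FILTERS; do
        printf '%s.sh\n%s-onemean.sh\n%s-dperf.sh\n' "$f" "$f" "$f"
    done
}

# Decompress the shipped .gz files, then run the plan, stopping at the first failure.
ddidd_run() {
    local z s
    ddidd_preflight || return 1
    for z in ./*.gz; do
        if [ -e "$z" ]; then gunzip "$z" || return 1; fi
    done
    for s in $(ddidd_plan); do
        echo "== $s"
        bash "./$s" || { echo "failed: $s" >&2; return 1; }
    done
}

# Usage: ./repro.sh run   (nothing executes without the "run" argument)
if [ "${1:-}" = "run" ]; then ddidd_run; fi
```

The 20151130 con value still needs the CORRECT=1 rebuild of hcf.cc described above before it will match.
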
Citation

If you use this trace to conduct additional research, please cite it as:

A S M Rizvi, Jelena Mirkovic, John Heidemann, Wes Hardaker and Robert Story. 2023. Defending Root DNS Servers Against DDoS Using Layered Defenses. Proceedings of the IEEE International Conference on Communications Systems and Networks (COMSNETS).

User Annotations

Currently no annotations.