LANDER:ddos hackathon-20200511

README version: 14291, last modified: 2023-08-29.

This file describes the trace dataset "ddos_hackathon-20200511" provided by the LANDER project. The most recent version of this file can be found on-line at https://wiki.isi.edu/predict/index.php?title=LANDER:ddos_hackathon-20200511.

LANDER Metadata
(https://wiki.isi.edu/predict/index.php?title=LANDER:ddos_hackathon-20200511/landermeta)

dataSetName                ddos_hackathon-20200511
status                     usc-web-and-predict
shortDesc                  NetFlow data for benign and DDoS flows at FRGP for three months in 2020
longDesc                   This is anonymized NetFlow data, collected at FrontRange GigaPOP for select days
                           during May, Aug and Sep of 2020. The data contains sampled benign flows (sampling
                           rate is per packet and it is 1 in 100 or 1 in 4096) and sampled DDoS flows, as
                           well as Arbor Peakflow (Netscout) detections of DDoS attacks.
datasetClass               Unclassified
commercialAllowed          true
requestReviewRequired      true
productReviewRequired      false
ongoingMeasurement         false
submissionMethod           Upload
collectionStartDate        2020-05-11
collectionStartTime        00:00:00
collectionEndDate          2020-09-22
collectionEndTime          00:00:00
availabilityStartDate
availabilityStartTime      00:00:00
availabilityEndDate        2030-01-01
availabilityEndTime        00:00:00
anonymization              cryptopan/full
archivingAllowed           false
keywords                   netflow, benign, ddos, peakflow, frgp
format                     netflow, text
access                     https
hostName                   USC-LANDER
providerName               USC
groupingId
groupingSummaryFlag        false
retrievalInstructions      download
byteSize                   119182196736
expirationDays             14
uncompressedSize
impactDoi
useAgreement               dua-ni-160816
irbRequired                false
privateAccessInstructions  See http://www.isi.edu/ant/traces/index.html#getting_datasets for information on
                           obtaining this dataset.
                           See https://wiki.isi.edu/predict/index.php?title=LANDER:ddos_hackathon-20200511
                           for details on this dataset.

Dataset Contents

This dataset contains NetFlow records from FrontRange GigaPOP, including benign flows and DDoS attack flows for three select periods during May, August and September 2020. NetFlow records are saved in 5-minute chunks and compressed using the xz utility. The timestamps are in Mountain Standard Time, which is UTC-6 for the collection time period. The dataset also contains PeakFlow (NetScout) alerts for the DDoS attacks, and our inferred ground truth.

The file ".sha1sum" contains SHA1 checksums of individual compressed files. The integrity of the distribution can thus be checked by independently calculating SHA1 sums of files and comparing them with those listed in the file. If you have the sha1sum utility installed on your system, you can do that by executing:

    sha1sum --check .sha1sum

This has to be done before files are uncompressed.

Dataset Generation

This dataset was generated by sampling packets at several border routers of FrontRange GigaPOP with 1:100 or 1:4096 sampling rate (the rate is fixed per router interface).
The sampled packets were then used to generate NetFlow records, and IP addresses were anonymized using CryptoPAN. This is prefix-preserving anonymization: the entire IP address is anonymized, but IP addresses belonging to the same prefix share the same-length prefix after the anonymization.

The flows' packet counts are upsampled after flows are created. This means that if one packet was sampled from a flow with 1:4096 sampling rate, the resulting flow will have a packet count of 4096. This upsampling is done automatically by the NetFlow reader (nfdump).

To read NetFlow data, you will need the nfdump utility. You can then read the data as follows (FILE.xz stands for one of the compressed 5-minute chunk files):

    unxz -c FILE.xz | nfdump -r - -nn

Peakflow alerts were all collected for the affected dates, and pre-filtered to keep only those alerts that relate to reflection attacks. We show the epoch start and stop time of the attack, the anonymized target and the attack types (as reported in the Peakflow alert).

We also infer and report ground-truth attack data. Ground truth was established by monitoring all traffic of a given type to the alleged attack target. We monitor traffic per attack type; e.g., to detect DNSAmplification attacks we would monitor all traffic to the alleged target from source port 53. We monitor the number of flows, the number of bytes and the number of unique sources per second. We detect ground-truth attack start when all three of these quantities show a sudden increase, as measured by CUSUM being >5. We detect attack stop when CUSUM values all fall below 5. We also require that reverse flows (from the alleged target to the sources of traffic flows) do not appear anomalous. This rules out self-inflicted attacks, e.g., when the alleged target scans a lot of DNS servers, which then reply back to the target.

Ground-truth data is represented as epoch start and stop time of the attack and the attack types. Peakflow and ground-truth data are all in the ground-truth directory, in plain text, one file per alert.
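
The start/stop rule described above, as an added example that is not the LANDER project's code. The README does not give the CUSUM formula, so the standardized one-sided form, SLACK, CAP, the baseline window, the epoch T0 and the sample series are all assumptions, and the reverse-flow check is left out.

```python
from statistics import mean, pstdev

THRESHOLD = 5.0  # from the README: start when CUSUM > 5, stop when below 5
SLACK = 0.5      # assumption: allowance per second, in standard deviations
CAP = 10.0       # assumption: ceiling so the statistic can decay after an attack
BASELINE = 20    # assumption: leading seconds taken as attack-free

def cusum(series):
    """One-sided CUSUM of a per-second series, standardized on its baseline."""
    mu = mean(series[:BASELINE])
    sigma = pstdev(series[:BASELINE]) or 1.0  # avoid dividing by zero
    s, out = 0.0, []
    for x in series:
        s = min(CAP, max(0.0, s + (x - mu) / sigma - SLACK))
        out.append(s)
    return out

def attack_intervals(flows, nbytes, sources, t0=0):
    """(start, stop) epochs: start when all three CUSUMs exceed THRESHOLD,
    stop when all three are back below it."""
    intervals, start = [], None
    for i, triple in enumerate(zip(cusum(flows), cusum(nbytes), cusum(sources))):
        if start is None and all(v > THRESHOLD for v in triple):
            start = t0 + i
        elif start is not None and all(v < THRESHOLD for v in triple):
            intervals.append((start, t0 + i))
            start = None
    if start is not None:  # still above threshold when the data ends
        intervals.append((start, t0 + len(flows) - 1))
    return intervals

def series(low, high, burst=None):
    """Constructed 60 s series: alternating low/high, optional burst at 20..34 s."""
    base = [low if i % 2 == 0 else high for i in range(60)]
    return [burst if burst is not None and 20 <= i < 35 else v
            for i, v in enumerate(base)]

T0 = 1589200000  # constructed epoch, not taken from the dataset
# Constructed case 1: flows, bytes and unique sources from port 53 all jump.
ATTACK = attack_intervals(series(8, 12, 200), series(8000, 12000, 900000),
                          series(3, 5, 150), T0)
# Constructed case 2: only bytes jump (few sources, large replies): no alarm.
BULK = attack_intervals(series(8, 12), series(8000, 12000, 900000),
                        series(3, 5), T0)

if __name__ == "__main__":
    print(ATTACK, BULK)
```

With these assumed parameters the reported stop trails the end of the burst by several seconds, because the statistic has to drain back below 5 after traffic returns to baseline.
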

We welcome your feedback on our ground-truth inference, as well as reports of any attacks we may have missed or inferred wrongly. You can submit these corrections by following the process outlined here: https://steelisi.github.io/CLASSNET-DOCS/labels/

Citation

If you use this trace to conduct additional research, please cite it as:

    FRGP DDoS Dataset 2020. Provided by the USC/CLASSNET project https://ant.isi.edu/classnet/.

Results Using This Dataset

Rajat Tandon, Pithayuth Charnsethikul, Michalis Kallitsis and Jelena Mirkovic, "AMON-SENSS: Scalable and Accurate Detection of Volumetric DDoS Attacks at ISPs," Proceedings of Globecom, 2022.

User Annotations

Currently no annotations.

This page was last edited on 29 August 2023, at 22:14. Content is available under Attribution-Share Alike 3.0 Unported unless otherwise noted.