DNS Backscatter

This web page documents our datasets related to DNS backscatter. DNS Backscatter is all reverse-DNS queries that are sent in reaction to some network-wide event, like scanning or spamming.
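As an added illustration (not code from the ANT project or the papers), the script below shows what DNS backscatter looks like in query data: it maps each reverse-DNS (PTR) query back to the address being asked about (the "originator") and flags originators that many distinct resolvers query, which is the trace a scanner or spammer leaves behind. The query records are constructed sample data, and the threshold of three queriers is an assumption chosen for the example.

```python
"""Added example: spot DNS backscatter candidates from PTR queries.
Input records are (querying resolver, queried name); the output is the
set of originators queried by at least `min_queriers` distinct resolvers.
Not the ANT project's code; sample data and threshold are constructed."""
import ipaddress
from collections import defaultdict


def ptr_to_ip(qname):
    """Map an in-addr.arpa or ip6.arpa PTR name to the originator address.
    Returns None for names that are not well-formed reverse lookups."""
    labels = qname.rstrip(".").lower().split(".")
    try:
        if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
            # 7.113.0.203.in-addr.arpa -> 203.0.113.7
            return str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))
        if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
            # 32 reversed nibbles -> 8 groups of 4 hex digits
            nibbles = "".join(reversed(labels[:32]))
            groups = [nibbles[i:i + 4] for i in range(0, 32, 4)]
            return str(ipaddress.IPv6Address(":".join(groups)))
    except ValueError:
        return None
    return None


def backscatter_originators(records, min_queriers=3):
    """Count distinct queriers per originator; keep those at or above
    the threshold. Many unrelated resolvers asking about one address
    is the backscatter signal of a network-wide activity."""
    queriers = defaultdict(set)
    for querier, qname in records:
        originator = ptr_to_ip(qname)
        if originator is not None:
            queriers[originator].add(querier)
    return {ip: len(q) for ip, q in queriers.items() if len(q) >= min_queriers}


# Constructed sample records using documentation address ranges.
SAMPLE_RECORDS = [
    ("198.51.100.1", "7.113.0.203.in-addr.arpa."),
    ("198.51.100.2", "7.113.0.203.in-addr.arpa."),
    ("198.51.100.3", "7.113.0.203.in-addr.arpa."),
    ("198.51.100.4", "7.113.0.203.in-addr.arpa."),
    ("198.51.100.1", "9.113.0.203.in-addr.arpa."),   # only one querier
    ("198.51.100.5", "www.example.com."),             # not a PTR name
    ("198.51.100.6", "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa."),
    ("198.51.100.7", "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa."),
    ("198.51.100.8", "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa."),
]

if __name__ == "__main__":
    print(backscatter_originators(SAMPLE_RECORDS))
```

On the pcap datasets listed on this page the same logic applies once the PTR query names and querier addresses have been extracted from the captures.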

The paper “Detecting Malicious Activity with DNS Backscatter”

In this paper we describe the methods and analysis we developed for DNS backscatter: [1]

We later extended our understanding of these methods and of their usability for DNS backscatter: [2]

  • Kensuke Fukuda, John Heidemann and Abdul Qadeer 2017. Detecting Malicious Activity with DNS Backscatter Over Time. ACM/IEEE Transactions on Networking. 25, 5 (Aug. 2017), 3203–3218. [DOI] [PDF] [Dataset] Details
  • Kensuke Fukuda and John Heidemann 2015. Detecting Malicious Activity with DNS Backscatter. Proceedings of the ACM Internet Measurement Conference (Tokyo, Japan, Oct. 2015), 197–210. [DOI] [PDF] [Dataset] Details

We list all datasets used in the paper below (and in Table 1 of the paper). Some of these datasets are not publicly available; others are available upon request.

Datasets:

  • JP-ditl: not currently available.
  • B-post-ditl: Full name: USC-LANDER/DITL_B_Root-20140428. Available through the ANT project, PREDICT, or from DNS-OARC.
  • B-long: not currently available.
  • M-ditl: Available through DNS-OARC.
  • M-ditl-2015: Available through DNS-OARC.
  • M-sampled: not currently available.

If you have specific research needs that require datasets marked “not currently available”, please contact the paper authors.

The paper “Who Knocks at the IPv6 Door? Detecting IPv6 Scanning”

We adapted the DNS backscatter technique for IPv6 in: [1]

  • Kensuke Fukuda and John Heidemann 2018. Who Knocks at the IPv6 Door? Detecting IPv6 Scanning. Proceedings of the ACM Internet Measurement Conference (Oct. 2018). [DOI] [PDF] Details

Please contact the authors for availability of the datasets for this paper.

Dataset Format

DITL data consists of network packet captures in pcap format. The data is host-anonymized: the low-order 8 bits of each address are scrambled with prefix-preserving anonymization, so network prefixes remain comparable while individual hosts are not identifiable.

Getting this data

For ANT-project or PREDICT data see requests.html for details about how to get these datasets.

DITL datasets are also available through DNS-OARC.