Boğaziçi University Distributed Denial of Service (BOUN DDoS) Dataset

Published: 6 June 2020| Version 1 | DOI: 10.17632/mfnn9bh42m.1
Contributor:
Derya Erhan

Description

We carried out the TCP SYN flood and UDP flood attacks towards a server connected to the campus backbone. Over 4000 active internet user traffic was flowing over the campus router simultaneously to the attack traffic. We used the hping3 software installed on 3 computers for attacks. Attack packets contain spoofed source IP addresses. Since the source IP addresses of the attack packets are generated randomly and uniquely, it appears as attacks come from many different sources when viewed from the routers port. In other words, the attack packets in the dataset come from multiple sources. The design concept of Network-based intrusion detection systems is detecting attacks from networks end, on the router, or on the backbone switch. This dataset is produced for the evaluation of network-based intrusion detection methods. In the network topology shown in Figure 1, the traffic is taken from campus routers port by mirroring method. The mirroring operation on routers interfaces provides our traffic recording server the exact copies of incoming and outgoing packets flowing through the mirrored interface. Traffic is recorded and converted to .csv file format using Wireshark software.

Files

Steps to reproduce

We used the hping3 software installed on 3 computers for attacks. Attack packets contain spoofed source IP addresses. Since the source IP addresses of the attack packets are generated randomly and uniquely, it appears as attacks come from many different sources when viewed from the routers port. In other words, the attack packets in the dataset come from multiple sources. The design concept of Network-based intrusion detection systems is detecting attacks from networks end, on the router, or on the backbone switch. This dataset is produced for the evaluation of network-based intrusion detection methods. In the network topology shown in Figure 1, the traffic is taken from campus routers port by mirroring method. The mirroring operation on routers interfaces provides our traffic recording server the exact copies of incoming and outgoing packets flowing through the mirrored interface.