This web page documents our datasets related to DNS backscatter. DNS backscatter is the set of reverse-DNS queries that are sent in reaction to some network-wide event, such as scanning or spamming.
The paper “Detecting Malicious Activity with DNS Backscatter”
Our first publication about backscatter is: 
- Kensuke Fukuda and John Heidemann 2015. Detecting Malicious Activity with DNS Backscatter. Proceedings of the ACM Internet Measurement Conference (Tokyo, Japan, Oct. 2015), 197–210. [DOI] [PDF] [Dataset] ["Details"]
This paper describes methods and analysis we developed for DNS backscatter.
We list all datasets used in the paper below (and in Table 1 of the paper). Some of those datasets are not publicly available, but some are available upon request.
- JP-ditl: not currently available.
- B-post-ditl: Full name: USC-LANDER/DITL_B_Root-20140428. Available through the ANT project, PREDICT, or from DNS-OARC.
- B-long: not currently available.
- M-ditl: Available through DNS-OARC.
- M-ditl-2015: Available through DNS-OARC.
- M-sampled: not currently available.
If you have specific research needs that require datasets marked “not currently available”, please contact the paper authors.
DITL data consists of network packet captures in pcap format. The data has been host-anonymized: the low-order 8 bits are scrambled with prefix-preserving anonymization.
Getting this data
For ANT-project or PREDICT data, see requests.html for details about how to get these datasets.
DITL datasets are also available through DNS-OARC.