2017-SUEE-data-set

Data sets can be downloaded here:

| data set | start date | duration | hosts | external hosts | internal hosts | internal hosts wifi (eduroam/welcome) |
|---|---|---|---|---|---|---|
| SUEE1 | 2017-11-02 | 24 h | 1634 | 1192 | 442 | 243 (97/146) |
| SUEE8 | 2017-11-05 | 8 d | 8286 | 6755 | 1531 | 705 (328/377) |

SUEE8 was updated on 2019-04-05 in release v1.1 because attack traffic was missing in v1.0.

The data sets contain traffic in and out of the web server of the Student Union for Electrical Engineering (Fachbereichsvertretung Elektrotechnik) at Ulm University.

Internal hosts are hosts from within the university network. Some of them are cable bound; others connect through one of two wifi services on campus (eduroam and welcome).

The data was mixed with attack traffic. The attacks contained in these data sets are:

Caution: because of an off-by-one error, the IP addresses 10.128.0.50 and 10.128.0.100 are used twice. In our own evaluation, we therefore choose to omit any packets sent or received by these clients completely.

The IP and MAC addresses of the benign clients were anonymized with anon.py. All IP addresses in the anonymized data sets are in the 192.168/16 block. The original IP addresses were in part from the Ulm University network and mostly from diverse networks in Ulm and surrounding areas. Keep in mind that the same IP address in SUEE1 and in SUEE8 is not affiliated. However, every packet sent (or received) by an IP within one data set was originally sent (or received) from the same IP address.

Port Distribution

| data set | number of packets | TCP source port 80 | TCP source port 443 | TCP destination port 80 | TCP destination port 443 |
|---|---|---|---|---|---|
| SUEE1 | 2,089,436 | 747,912 | 173,978 | 967,623 | 199,923 |
| SUEE8 | 19,301,217 | 7,175,627 | 1,229,516 | 9,312,537 | 1,583,543 |

Only TCP packets to or from ports 80 and 443 were captured.

Attacker Configuration

The attacking tools were adapted to allow IP spoofing to simulate distributed attacks and were otherwise left in their standard configuration. The parameters for slowhttptest were 30-second intervals, 8192 bytes for the Content-Length header, 10 bytes POST-body length per packet and one socket per client. Slowloris is also configured to use only one socket per client. The default configuration was left in place in all other settings, resulting in a packet interval of 15 seconds.

Slowloris-ng includes several changes to the original slowloris. The additional features implement randomized behavior, which is configured to send in intervals of 15 seconds with a randomization interval of 5 seconds, and to send the header lines as bursts of single messages per character.
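For evaluation on these data sets, the following added example (not part of the data set's own tooling) drops the two duplicated attack clients named in the caution above and derives per-flow timing features that expose the slow-rate behaviour described in this section, collapsing per-character bursts into single send events. The record layout, the server and client addresses in the sample, and all thresholds are assumptions made for illustration.

```python
from collections import defaultdict
from statistics import median

# Clients the page says to omit: their addresses were assigned twice.
EXCLUDED = {"10.128.0.50", "10.128.0.100"}
WEB_PORTS = {80, 443}  # the only ports present in the captures

def flow_features(packets, burst_gap=1.0):
    """packets: (ts, src, sport, dst, dport, payload_len) tuples (assumed layout)."""
    flows = defaultdict(list)
    for ts, src, sport, dst, dport, plen in packets:
        if src in EXCLUDED or dst in EXCLUDED:
            continue  # drop both directions of the ambiguous clients
        if dport in WEB_PORTS and plen > 0:
            flows[(src, sport, dst, dport)].append((ts, plen))
    feats = {}
    for key, pkts in flows.items():
        events = []  # [start_ts, last_ts, bytes]; a per-character burst is one event
        for ts, plen in sorted(pkts):
            if events and ts - events[-1][1] <= burst_gap:
                events[-1][1] = ts
                events[-1][2] += plen
            else:
                events.append([ts, ts, plen])
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        follow = [e[2] for e in events[1:]]  # sizes after the initial request part
        feats[key] = {"events": len(events),
                      "median_gap": median(gaps) if gaps else 0.0,
                      "median_follow_bytes": median(follow) if follow else 0}
    return feats

def is_slow_rate(f, min_events=3, min_gap=5.0, max_bytes=64):
    # Thresholds are illustrative assumptions, not tuned on SUEE1/SUEE8.
    return (f["events"] >= min_events and f["median_gap"] >= min_gap
            and f["median_follow_bytes"] <= max_bytes)

# Constructed sample records (not taken from the data sets).
SRV = "203.0.113.10"
SAMPLE = (
    [(0.0, "10.128.0.7", 40001, SRV, 80, 250)]                           # slow POST headers
    + [(30.0 * i, "10.128.0.7", 40001, SRV, 80, 10) for i in (1, 2, 3)]  # 10 bytes per 30 s
    + [(0.0, "10.128.0.8", 40002, SRV, 80, 200)]                         # slow headers
    + [(t + 0.01 * c, "10.128.0.8", 40002, SRV, 80, 1) for t in (14.0, 31.0) for c in range(8)]
    + [(t, "192.168.4.20", 50100, SRV, 443, 400) for t in (0.0, 8.0, 20.0)]  # benign keep-alive
    + [(30.0 * i, "10.128.0.50", 40003, SRV, 80, 10) for i in range(4)]      # must be ignored
)

def flagged_sources(packets):
    return sorted(k[0] for k, f in flow_features(packets).items() if is_slow_rate(f))
```

Without the burst collapsing, the single-character packets would pull the median gap of the second flow down to about 0.01 seconds and hide its slow pacing.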

Contact

For questions, please contact Thomas Lukaseder.

Acknowledgment

We would like to thank the Student Union for Electrical Engineering (Fachbereichsvertretung Elektrotechnik) at Ulm University and Philipp Hinz in particular for providing the necessary data.

This work was supported in the bwNET100G+ project by the Ministry of Science, Research and the Arts Baden-Württemberg (MWK).