School of Computing Science aand Engineering, VIT Chennai - Cloud Security Experiments

DDoS Attack datasets are generated using virtual instances running in a private cloud security testbed. OpenStack private cloud is deployed in the cloud security testbed along with virtual instances running on them. The virtual instances are acting as zombies from different public and private networks of Open Stack private cloud. The attack generation is done using virtual instances as zombies and the data collection is performed at the victim with network monitoring software. The DDoS flood attacks that are considered in the experiment are ICMP flood, TCPSYN flood, TCPSYN-ACK flood, UDP flood and Land Flood

The cloud security dataset is built using Free/Open Source Software based Open Stack cloud security experimental testbed and freely distributed under GNU/GPL licence

Data collection is performed using two methods during attack.

• *.pcap files with complete packet information
• values of SNMP MIB variables
• CSV files

1. Collection of *.pap files

The files in the repository contain the dump file captured during the DDoS attack in *.pcap format. The size of captured files are ranging from 25MB, 50MB, 100MB, 500MB to 1GB files.

The types of the DDoS variants that are contained in the files are as follows.

• ICMP Flood Attack.pcap – captured file while the ICMP attack is in progress.
• LAND Flood Attack.pcap - captured file while the LAND attack is in progress.
• TCP-SYN Flood Attack.pcap - captured file while the TCPSYN attack is in progress.
• TCP-SYN-ACK Flood Attack.pcap - captured file while the TCPSYNACK attack is in progress.
• UDP Flood Attack.pcap - captured file while the UDP attack is in progress.

2.Collection of the values of the SNMP MIB variables

The major parameters extracted from the dump file are time, source address, source port, protocol. length, information, destination port, destination address, hardware source address and hardware destination address.

• ICMP Flood Attack .xls – exported excel file from ICMP_Flood.pcap – 6,80,000 records.
• LAND Flood Attack.xls - exported excel file from LAND_Flood.pcap – 59,000 records.
• TCP-SYN Flood Attack.xls - exported excel file from TCPSYN_Flood.pcap – 6,00,000 records.
• TCP-SYN-ACK Flood Attack.xls - exported excel file from TCPSYNACK_Flood.pcap – 68,000 records.
• UDP Flood Attack.xls- exported excel file from UDP_Flood.pcap – 6,80,000 records.

3.Collection of the CSV Files

The major parameters extracted from the dump file 25MB files are time, source address, source port, protocol. length, information, destination port, destination address, hardware source address , hardware destination address and so on.

• ICMP.csv – exported csv file from ICMP_Flood.pcap – 3,87,000 records.
• LAND.csv - exported csv file from LAND_Flood.pcap – 72,000 records.
• TCPSYN.csv - exported csv file from TCPSYN_Flood.pcap – 3,27,000 records.
• TCPSYNACK.csv-exported csv file from TCPSYNACK_Flood.pcap – 69,000 records.
• UDP.csv- exported csv file from UDP_Flood.pcap – 3,75,000 records.

All the datasets could be downloaded from the following section. Those who are using the dataset are requested to acknowledge the creators in their work.