Global Site Navigation (use tab and down arrow)

Canadian Institute for Cybersecurity

CIC DoS dataset

A recent escalation of application layer Denial of Service (DoS) attacks on the Internet has quickly shifted the interest of the research community traditionally focused on network-based DoS attacks. Application layer DoS attacks are generally seen in high-volume or low-volume variations.

High-volume attacks are often referred to as flooding, these attacks are similar in nature to traditional DoS attacks. They are characterized by a high volume of application-layer requests (e.g. HTTP GETs, DNS queries, SIP INVITEs) transmitted to a victim.

Low-volume DoS attacks are characterized by small amounts of attack traffic transmitted strategically to a victim. There are three variations of low-volume DoS attacks: low-rate attacks, that send traffic in periodic short-time pulses, slow-rate attacks, that exploit timing parameters on a server's side by sending/receiving traffic slower than expected, and one-shot attacks that inflict damage to a victim with a single connection/request aiming to consume excess amounts of the victim’s resources (e.g., Apache Range Header attack).

Since one-shot attacks generally exploit a specific weakness or vulnerability in application level protocol/service, in this study we focus our attention on more universal type of application DoS slow-rate attacks that are often seen in two variations: slow send and slow read.

The lack of data with application layer DoS attacks prompted us to create an evaluation dataset. We have set up a testbed environment with a victim webserver running Apache Linux v.2.2.22, PHP5 and Drupal v.7 as a content management system. The attacks were selected to represent the most common types of application layer DoS. We assume that an attacker is non-oblivious, i.e., he understands the attack, knows exactly when and how much traffic to send to maximize the attack damage.

Since the main premise of low-volume DoS attacks is their ability to impact a service without significant resources on an attacker side, the attacks were generated with just enough traffic to impact the targeted service, i.e, the attacks were stopped once a server became unresponsive. As a result we noticed that to be successful it was sufficient for these attacks to produce small amounts of traffic during short periods of time.

Generated application layer DoS attacks were intermixed with the attack-free traces from the ISCX-IDS dataset. We produced 4 types of attacks with different tools, obtaining 8 different application layer DoS attack traces. These attacks were directed towards 10 web servers in ISCX data set that have the top highest number of connections. The resulting set contains 24 h of network traffic with total size of 4.6 GB.

The full research paper outlining the details of the dataset and its underlying principles:

For more information, contact