In cooperation with the Student Union Electrical Engineering (SUEE) at Ulm University, we collected and published two data set for the analysis of slow DDoS attacks. One data set containing 24 hours (2nd to 3th November 2017 with 1,634 clients, SUEE1) and another data set containing eight days (5th to 13th November 2017 with 8,286 clients, SUEE8) of traffic data. The web server of the student union offers information about the union on its main site, provides public real-time transport information for bus stops in the city which is used primarily on mobile devices via mobile networks, as well as several external and internal services such as a printing service for the lecture notes of the electrical engineering courses and exams.
Both pcap files contain only header data since the data sets were anonymized and do not contain application layer payload due to privacy concerns. There have been no attacks reported during the times of recording of the benign data sets. The data sets serve the following purposes: SUEE1 is used as training data set to determine the best thresholds for each detection scheme. SUEE8 then can be used to determine whether the trained mitigation system is capable to mitigate attacks adequately. To facilitate this, we have combined the SUEE data sets with attack recordings. We have published the data sets with a more detailed description on github. The MAC and IP addresses are anonymized, i. e. new addresses are set. Benign clients IP addresses in the anonymized data sets are moved to the 192.168.0.0/16 block, while attacking clients are in the 18.104.22.168/16 block. The IP addresses count up chronologically after their first occurrence within the data set. The original IP addresses were in part from the Ulm University network and mostly from diverse networks in Ulm and surrounding areas.