In the second quarter of 2025, around ******* DDoS attacks were registered worldwide. The figure has been increasing continuously over the observed period.
Between 2022 and 2023, organizations in the APAC region saw a *** percent growth in the number of distributed denial of service (DDoS) attacks. The average global growth of these attacks was ** percent. Furthermore, the Americas saw *** percent growth, while the EMEA region ranked third, with only ** percent growth in the measured period.
Attribution 4.0 (CC BY 4.0) https://creativecommons.org/licenses/by/4.0/
License information was derived automatically
Distributed Denial of Service (DDoS) attack is a menace to network security that aims at exhausting the target networks with malicious traffic. Although many statistical methods have been designed for DDoS attack detection, designing a real-time detector with low computational overhead is still one of the main concerns. On the other hand, the evaluation of new detection algorithms and techniques heavily relies on the existence of well-designed datasets. In this paper, first, we review the existing datasets comprehensively and propose a new taxonomy for DDoS attacks. Secondly, we generate a new dataset, namely CICDDoS2019, which remedies all current shortcomings. Thirdly, using the generated dataset, we propose a new detection and family classification approach based on a set of network flow features. Finally, we provide the most important feature sets to detect different types of DDoS attacks with their corresponding weights.
The dataset offers an extended set of Distributed Denial of Service attacks, most of which employ some form of amplification through reflection. The dataset shares its feature set with the other CIC NIDS datasets, IDS2017, IDS2018 and DoS2017.
Original paper link: https://ieeexplore.ieee.org/abstract/document/8888419
Kaggle dataset link: https://www.kaggle.com/datasets/dhoogla/cicddos2019
MIT License https://opensource.org/licenses/MIT
License information was derived automatically
The Real-Time DDoS Traffic Dataset for ML is designed to support the development, testing, and validation of machine learning models focused on detecting Distributed Denial of Service (DDoS) attacks in real-time. As cybersecurity threats evolve, particularly in the realm of network traffic anomalies like DDoS, having access to labeled data that mirrors real-world attack scenarios is essential. This dataset aims to bridge this gap by providing comprehensive, structured network traffic data that includes both normal and DDoS attack instances, facilitating machine learning research and experimentation in DDoS detection and prevention.
The dataset is compiled from network traffic that either replicates real-time conditions or is simulated under carefully controlled network configurations to generate authentic DDoS attack traffic. This data encompasses variations in packet transmission and byte flow, which are key indicators in distinguishing between typical network behavior and DDoS attack patterns. The primary motivation behind this dataset is to aid machine learning practitioners and cybersecurity experts in training models that can effectively differentiate between benign and malicious traffic, even under high-stress network conditions.
Data Source and Collection: Include information on how the data was collected, whether it was simulated or recorded from real systems, and any specific tools or configurations used.
Dataset Structure: List and explain the features or columns in the dataset. For instance, you might describe columns such as:
This dataset is ideal for a range of applications in cybersecurity and machine learning:
1. Training DDoS Detection Models: The dataset is specifically structured for use in supervised learning models that aim to identify DDoS attacks in real time. Researchers and developers can train and test models using the labeled data provided.
2. Real-Time Anomaly Detection: Beyond DDoS detection, the dataset can serve as a foundation for models focused on broader anomaly detection tasks in network traffic monitoring.
3. Benchmarking and Comparative Studies: By providing data for both normal and attack traffic, this dataset is suitable for benchmarking various algorithms, allowing comparisons across different detection methods and approaches.
4. Cybersecurity Education: The dataset can also be used in educational contexts, allowing students and professionals to gain hands-on experience with real-world data, fostering deeper understanding of network anomalies and cybersecurity threats.
Limitations and Considerations
While the dataset provides realistic DDoS patterns, it is essential to note a few limitations:
Data Origin: The dataset may contain simulated attack patterns, which could differ from real-world DDoS attack traffic in more complex network environments.
Sampling Bias: Certain features or types of attacks may be overrepresented due to the specific network setup used during data collection. Users should consider this when generalizing their models to other environments.
Ethical Considerations: This dataset is intended for educational and research purposes only and should be used responsibly to enhance network security.
Acknowledgments
This dataset is an open-source contribution to the cybersecurity and machine learning communities, and it is designed to empower researchers, educators, and industry professionals in developing stronger defenses against DDoS attacks.
MIT License https://opensource.org/licenses/MIT
License information was derived automatically
The AdDDoSDN dataset is a comprehensive network traffic corpus built for defensive SDN research, capturing coordinated DDoS attacks and benign enterprise activity through controlled Mininet experiments driven by a remote Ryu L3 controller to deliver high-quality labeled data for real-time detection development. The environment emulates a segmented four-subnet enterprise: h1 (192.168.10.10/24) acts as the external attacker, h2–h5 (192.168.20.10–13/24) form the corporate client subnet with h2 handling ICMP exchanges and h3/h5 generating rich TCP and UDP application sessions, h6 (192.168.30.10/24) resides in the server/DMZ subnet as the primary victim, and controller services operate on 192.168.0.0/24, providing realistic inter-subnet attack paths while preserving centralized SDN visibility.
The dataset follows a structured, configurable timeline sourced from config.json, with the default cycle spanning roughly 35 minutes per run: a 5-second initialization period, 1,600 seconds of benign traffic mixing ICMP, Telnet, SSH, FTP, HTTP/S, and DNS exchanges, enhanced traditional attacks from h1 including an 88-second SYN flood and 176-second UDP flood against h6, plus an 88-second ICMP flood toward h4, and adversarial attacks from h1 to h6 comprising a 72-second TCP state-exhaustion phase with human-like timing patterns, a 24-second application-layer mimicry burst combining heavy HTTP range/post requests with legitimate queries, and a 72-second slow-read phase sustaining long-lived connections. Traditional phases operate around 20–30 packets per second with protocol-compliant options, while adversarial scripts emphasize mimicry and timing jitter.
The dataset provides three synchronized data products derived from each capture cycle:
1. Packet-level data (adddosdn_packet_dataset.csv): 30 header fields + 2 labels extracted directly from PCAP phases.
2. SDN flow-level data (adddosdn_flow_dataset.csv): Controller statistics with derived rates and labels collected via the Ryu REST API.
3. CICFlow aggregated data (adddosdn_cicflow_dataset.csv): 85 bidirectional behavioral features generated with CICFlowMeter.
The dataset demonstrates exceptional quality containing 3.5 million total records across dataset instances, each representing different temporal scenarios. Labels span normal, syn_flood, udp_flood, icmp_flood, ad_syn, ad_udp, and ad_slow, with Label_binary collapsing them into benign (0) versus malicious (1) classes to maintain consistency across packet, controller-flow, and behavioral representations.
Attribution 4.0 (CC BY 4.0) https://creativecommons.org/licenses/by/4.0/
License information was derived automatically
Distributed Denial of Service (DDoS) attacks aim to disrupt networked services by overwhelming server resources, thereby preventing legitimate users from accessing critical applications. Among various attack vectors, TCP-based flooding attacks remain particularly impactful due to the widespread use of the Transmission Control Protocol in reliable Internet services such as web applications, cloud back-end systems, databases, and enterprise platforms.
This dataset presents a time-series representation of TCP flooding attack traffic, derived from the widely used benchmark dataset CICDDoS2019. Unlike the original CICDDoS2019 flow-based CSV files, which describe traffic characteristics at the individual TCP flow level, the proposed dataset aggregates network traffic over fixed 5-second time windows, enabling temporal analysis of server load and attack progression.
The dataset was generated by replaying selected CICDDoS2019 packet capture (pcap) files using tcpreplay at varying network speeds of up to 20 Gbps. Network traffic was captured using Wireshark, segmented into consecutive 5-second intervals, and processed to extract time-dependent TCP packet statistics for each interval. This processing strategy enables direct observation of how TCP flooding attacks evolve over time and how they affect server-side traffic intensity.
The resulting dataset focuses on TCP-based flooding behaviors, including TCP-SYN, TCP-SYN-ACK, TCP-ACK, and TCP-RST packet activity. Each time window is represented by a compact set of aggregated features that quantify TCP control packet counts and overall TCP traffic volume. The structured, labeled, and time-indexed nature of the data makes the dataset particularly suitable for the development and evaluation of machine learning–based intrusion detection systems (IDS), including both attack detection and severity assessment models.
The dataset consists of six CSV files. Two primary files represent time-series traffic captured on 12 January and 11 March, corresponding to the training and testing days defined in CICDDoS2019. These files include the following attributes: pcap file identifier, time window index, counts of SYN, SYN-ACK, ACK, and RST packets, and the total number of TCP packets per interval. Additional CSV files are derived from these base datasets and provide labeled samples for TCP-SYN flooding attack detection and attack severity classification.
By providing time-window–based TCP traffic characteristics, this dataset supports research on machine learning–driven intrusion detection, server health monitoring, and adaptive resource management in cloud and virtualized environments, where scaling and mitigation decisions depend on the temporal behavior of incoming traffic rather than individual flow statistics.
Apache License, v2.0 https://www.apache.org/licenses/LICENSE-2.0
License information was derived automatically
Description
This dataset is based on the paper "DoS/DDoS Attack Dataset of 5G Network Slicing" [1] and has been generated for the detection of attacks in 5G network slices. This dataset was developed by Khan et al. and it is publicly available from IEEE: https://ieee-dataport.org/documents/dosddos-attack-dataset-5g-network-slicing#files.
Data Origin
- These data have been collected from a simulated 5G network testbed with slicing, including benign traffic and DoS/DDoS attacks.
- Structure:
  - Benign Traffic and Malicious Traffic
  - Subdivided into Slice1 and Slice2
  - Each slice contains data from Day1 and Day2
- The data initially contain 84 variables.
Selected Features
The following columns were selected from the dataset based on the authors' recommendation on page 641:
- 'Flow Duration'
- 'Src IP'
- 'Dst Port'
- 'Fwd Packet Length Std'
- 'Src Port'
- 'ACK Flag Count'
- 'Protocol'
- 'Total Fwd Packet'
- 'Fwd Seg Size Min'
Data Loading and Merging
- Data from different slices and days, including attack and benign traffic, were loaded.
- Attack and benign data were concatenated into a single DataFrame.
Data Cleaning and Transformation
- The '.pcap' extension was removed from the 'Attack' column.
- Specific attack names were corrected (e.g., 'upf1_tcp' to 'tcp_fin').
- IP addresses were converted to numeric format.
- Label encoding (LabelEncoder) was applied to the 'Attack' and 'Slice' columns.
Handling Missing Values
- Rows with NaN values were removed.
Normalization
- StandardScaler was applied to all numerical features for normalization.
Final Preparation
- A binary version of the label was created (0 for benign traffic, 1 for any type of attack).
The final dataset used for the experiments contains 6,171,315 rows and 13 columns.
[1] Md Sajid Khan, Behnam Farzaneh, Nashid Shahriar, and Md Mahibul Hasan (2023). The dataset is available on IEEE Dataport: https://dx.doi.org/10.21227/32k1-dr12.
This is a dataset of DDoS Botnet attacks from IOT devices.
Contains all features about packets from bots.
For making DDoS attack preventable.
Between 2021 and 2024, the magnitude of the largest DDoS attacks has increased steadily. The attack with the largest breadth was recorded in 2024, reaching two Terabits per second.
Attribution 4.0 (CC BY 4.0) https://creativecommons.org/licenses/by/4.0/
License information was derived automatically
The dataset is made up of 12 features of normal and malicious UDP, ICMP, and TCP traffic from an SDN-emulated network. The features were extracted and computed from the switch statistics. The dataset can be used for traffic classification and DDoS attack detection in SDN using various machine learning, neural network, and statistical-based approaches.
Attribution 4.0 (CC BY 4.0) https://creativecommons.org/licenses/by/4.0/
License information was derived automatically
NCSRD-DS-5GDDos v2.0 Dataset
===
NCSRD-DS-5GDDos is a comprehensive dataset recorded in a real-world 5G testbed that aligns with the 3GPP specifications. The dataset captures Distributed Denial of Service (DDoS) attacks initiated by malicious connected users (UEs).
The setup comprises 3 cells with a total of 9 UEs connected to the same core network. The 5G network is implemented by the Amarisoft Callbox Mini solution (cell 2), and we further employ a second cell using the Amarisoft Classic (cell 1 & 3), that also hosts the 5G core.
The setup utilizes a broad set of UE devices comprising a set of smart phones (Huawei P40), microcomputers (Raspberry Pi 4 - Waveshare 5G Hat M2), industrial 5G routers (Industrial Waveshare 5G Router), a WiFi-6 mobile hotspot (DWR-2101 5G Wi-Fi 6 Mobile Hotspot) and a CPE box (Waveshare 5G CPE Box). All UEs are being operated by subsidiary hosts which are responsible for the traffic generation, occurring from scheduled communications times.
All identifiers are artificially generated and do not represent and are not based on personal data. We identify each UE through its ‘imeisv’ ID, which corresponds to the device in use, because the vendor implementation uses the same IMSI for all UEs.
This dataset captures attack data from a total of 5 malicious User Equipment (UE) devices that initiated various flooding attacks on a 5G network. Each record includes key identifiers such as the IMEISV (International Mobile Equipment Identity Software Version number) and IP address of the attacking UE, along with the device type. The file "summary_report.csv" summarizes this information. The traffic types used in the attacks include syn flooding, UDP flooding, ICMP flooding, DNS flooding, and GTP-U flooding. The benign users stream YouTube and Skype traffic.
The dataset is recorded through the use of a data collector that interfaces with the 5G network and gathers data regarding UEs, gNBs and the Core Network. The data are recorded in an InfluxDB and pre-processed into three separate tabular .csv files for more efficient processing: “amari_ue_data.csv”, “enb_counters.csv” and “mme_counters.csv”. In this version, we use an Amarisoft Classic (cells 1 & 3, Core Network) and an Amarisoft Mini (cell 2) (more information on the products can be found at https://www.amarisoft.com/).
The “amari_ue_data.csv” provides information on the UEs regarding identification (“imeisv”, “5g_tmsi”, “rnti”), IP addressing, bearer information, cell information (“tac”, “ran_plmn”), and cell information (“ul_bitrate”, “dl_bitrate”, “cell_id”, retransmissions per user per cell “ul_retx” as well as aggregated bit rates for each cell).
The “enb_counters.csv” focuses on cell-level information, providing downlink and uplink bitrates, usage ratio per user, and CPU load of the gNB.
We provide separate files of “amari_ue_data.csv” and “enb_counters.csv” generated from each gNB (Amarisoft Classic and Mini).
The “mme_counters.csv” provides information on the Non-Access Stratum (NAS) of the 5G Network and focuses on session status reports (e.g., number of PDU session establishments, paging, context setup). This part gives an overview of the connection management throughout the recording session, and provides information on features suggested by 3GPP for abnormal user behavior.
We also provide a separate pre-processed dataset that merges the two "amari_ue_data_*.csv" files, including labeling of the malicious/benign samples, and may be more flexible for interested data scientists.
Please refer to README.txt for the features included in each file.
This dataset was created by Paritosh Bisht
Attribution-ShareAlike 4.0 (CC BY-SA 4.0) https://creativecommons.org/licenses/by-sa/4.0/
License information was derived automatically
This dataset is not my own dataset; it is publicly available at Mendeley Data.
Data consist of DDoS attacks in SDN which include the ICMP, TCP, and UDP flood. The attack was generated in Mininet Emulator using the Scapy and TCPReplay. The topology used was: sudo mn --topo tree,depth=3,fanout=2 --mac --controller remote,ip=0.0.0.0:6633 performed by H1 to H4
To cite the dataset please reference it as Y. Kim, S. Hakak, and A. Ghorbani. "DDoS Attack Dataset (CICEV2023) against EV Authentication in Charging Infrastructure," in 2023 20th Annual International Conference on Privacy, Security and Trust (PST), IEEE Computer Society, pp. 1-9, August 2023.
Explore a comprehensive dataset capturing DDoS attack scenarios within electric vehicle (EV) charging infrastructure. This dataset features diverse machine learning attributes, including packet access counts, system status details, and authentication profiles across multiple charging stations and grid services. Simulated attack scenarios, authentication protocols, and extensive profiling results offer invaluable insights for training and testing detection models in safeguarding EV charging systems against cyber threats.
Figure 1: Proposed simulator structure, source: Y. Kim, S. Hakak, and A. Ghorbani.
Acknowledgment:
The authors sincerely appreciate the support provided by the Canadian Institute for Cybersecurity (CIC), as well as the funding received from the Canada Research Chair and the Atlantic Canada Opportunities Agency (ACOA).
Reference:
Y. Kim, S. Hakak, and A. Ghorbani. "DDoS Attack Dataset (CICEV2023) against EV Authentication in Charging Infrastructure," in 2023 20th Annual International Conference on Privacy, Security and Trust (PST), IEEE Computer Society, pp. 1-9, August 2023.
Attribution 4.0 (CC BY 4.0) https://creativecommons.org/licenses/by/4.0/
License information was derived automatically
Scoreboard dataset contains statistical data for each second during the testing period. Scoreboard represents srcip:srcport-dstip:dstport pair with statistics count for the number of packets, protocol identification, flag (if it is TCP), and a number of SYN packets (if it is TCP). Each ip:port pair represents one communication channel.
The DoS/DDoS-MQTT-IoT dataset is composed of both normal MQTT data as well as normal MQTT data mixed with abnormally attacked data. As for the abnormal data, it came in ten categories of DDoS and DoS attacks.
In 2023, organizations in the finance industry worldwide saw the highest share of DDoS attacks, ** percent. The finance industry ranked second, with over ** percent, while healthcare followed, with **** percent.
In the third and fourth quarters of 2024, gaming was the industry most impacted by Distributed Denial-of-Service (DDoS) attacks. The industry saw around 34 percent of the registered DDoS attacks. Financial services ranked second, with roughly a quarter of attacks, followed by the technology industry, with 19 percent.
Apache License, v2.0 https://www.apache.org/licenses/LICENSE-2.0
License information was derived automatically
DATASET [Taken from official website]
CICDDoS2019 is a dataset that contains benign and most up-to-date common DDoS attacks that resemble true real-world data (PCAPs). However, this version, in CSV file format, includes the results of network traffic analysis using CICFlowMeter-V3 with flows labeled based on timestamp, source and destination IPs, source and destination ports, protocols, and attack.
In this dataset, we have different modern reflective DDoS attacks such as PortMap, NetBIOS, LDAP, MSSQL, UDP, UDP-Lag, SYN, NTP, DNS and SNMP. Attacks were subsequently executed during this period. As Table III shows, we executed 12 DDoS attacks including NTP, DNS, LDAP, MSSQL, NetBIOS, SNMP, SSDP, UDP, UDP-Lag, WebDDoS, SYN and TFTP on the training day and 7 attacks including PortScan, NetBIOS, LDAP, MSSQL, UDP, UDP-Lag and SYN in the testing day. The traffic volume for WebDDoS was so low and PortScan just has been executed in the testing day and will be unknown for evaluating the proposed model.
The finance industry was the major target of DDoS attacks in Russia in 2023. Furthermore, the share of attacks on e-commerce companies was almost ** percent. DDoS, or distributed denial-of-service attacks, involve sending a high number of requests to a target network or website, more than it is capable of handling, leading to the disruption in the resource's functioning.