ACM SIGCOMM 2021, virtually (online)


Hackathon Program

The hackathon has an associated Slack channel for discussions. Click on the link below to visit it. If you're asked to sign in, use the workspace name "" to sign up or sign in.

Go to ISP-DDoS Hackathon Slack channel
  • Friday, August 27th 13:00-17:00 (UTC-4, New York), 19:00-23:00 (UTC+2, Paris)

  • 1:00 pm - 3:00 pm Session I

  • 1:00 pm - 3:00 pm

    Introduction and goals of hackathon

    What is a good criteria for DDoS detection

    Evaluation on test dataset

  • 3:00 pm - 3:30 pm Coffee/tea Break

  • 3:30 pm - 5:00 pm Session II

  • 3:30 pm - 5:00 pm

    Discussion of new detections and joint labeling

    Teams debrief everyone on their strategy, challenges and successes

Call For Participation

Distributed denial-of-service (DDoS) attacks remain an ongoing threat to networks. DDoS attacks evolve over time, tending to be smaller and shorter and more similar to legitimate traffic. This makes their detection and filtering difficult. Trying to detect and filter DDoS attacks at an ISP level is especially hard, given the large scale of both the amount of traffic and the number of potential victims at an ISP.

We have recently gained access to Front Range GigaPOP's anonymized and sampled traffic header traces, as well as to their commercial defense’s alerts. This allows us the opportunity to label the traces with an approximate ground truth and share them with the research community. In this hackathon we will work as the community to develop methods for accurate DDoS detection from sampled Netflow traces, and to label any potential attacks in the dataset that are not detected by the commercial defense. We hope to release the labeled dataset to resaerch community in the three months following the hackathon.


DDoS resaerch is hampered by lack of realistic, accurately labeled datasets. In this hackathon we can collectively work to improve this situation, by identifying and labeling new attack events in a real, partially labeled dataset. Participants will also contribute to the field of DDoS detection by developing and publicly releasing their attack detection code.

A rough outline follows:

  • Session I In this session we will release the test dataset and allow teams to evauate their approaches with this dataset. We will produce initial scores and report statistics on any new detections (in addition to our labeled data).

  • Session II In this session we will discuss each additional detection that got flagged by several different teams and will proclaim it true or false positive. We will recalculate scores and update the scoreboard. Teams will debrief everyone about their challenges and successes. All code should be released as open source.

Audience Expectations and Prerequisites

We expect that the audience is familiar with network flow features and TCP/IP headers. We also expect that participants will prepare their attack detection approach ahead of the hackathon.

To successfully participate in this hackathon please start early and follow the directions below:

  1. Sign our Memorandum of Understanding outlining acceptable use of the data. E-mail the completed form to
  2. You will receive a download link for the training/validation dataset. Download the data onto a secure machine and carefully study dataset description.
  3. Work on training/validation of your approach. You can use any hardware and software you have access to. Bear mind that real data is noisy. There may very well be more attacks in the data than we could label.
  4. You cannot share this data with anyone else.
  5. You must delete the dataset upon completion of the hackathon. If you want to use this dataset for your research or teaching, please contact us. We are developing mechanisms to share the dataset with a broad research community.
  6. Comment your code and release it at shared Google drive prior to the hackathon. You can keep updating it until the end of the hackathon.
  7. Release your validation accuracy by filling out this document prior to the hackathon. You can keep updating it until the end of the hackathon.


  • Jelena Mirkovic

    USC Information Sciences Institute

    • Bio:

      Jelena Mirkovic is a Research Associate Professor at University of Southern California. She is a pioneer in DDoS research field and has worked on DDoS defenses from the application layer, to host, to edge and core network. Her other resaerch interests are user authentication, privacy, security experimentation and security education.

  • Christos Papadopoulos

    University of Memphis

    • Bio:

      Christos Papadopoulos is currently a Professor and Sparks Family Chair of Excellence in Global Research Leadership at the University of Memphis. Prior to that he was a program manager at DHS S\&T, where he worked on cyber-physical systems security. His current interests include network architecture, network security, global Internet measurements and automotive cybersecurity.

  • Jun Li

    University of Oregon

    • Bio:

      Jun Li is a Professor in Computer and Information Science and a Ripple fellow at the University of Oregon and studies computer networking, distributed systems, and network security. More information of him can be found at his home page.

  • Peter Reiher

    University of California Los Angeles

    • Bio:

      Dr. Peter Reiher is an Adjunct Professor in the Computer Science Department at UCLA. His research interests include cybersecurity (particularly Internet security issues, such as distributed denial of service attacks), computer networks, ubiquitous computing, security of autonomous vehicles and vehicular networks, security of wireless medical devices, and file systems.


[1] Dataset description

[2] Memorandum of understanding