Border Gateway Protocol routing records from Reseaux IP Europeens (RIPE) and BCNET

Primary tabs

Citation Author(s):
Simon Fraser University
Ana Laura
Gonzalez Rios
Simon Fraser University
Simon Fraser University
Submitted by:
Ljiljana Trajkovic
Last updated:
Fri, 07/31/2020 - 22:28
Data Format:
0 ratings - Please login to submit your rating.


Three well-known Border Gateway Anomalies (BGP) anomalies Slammer, Nimda, and Code Red I occurred in January 2003, September 2001, and July 2001, respectively. The Reseaux IP Europeens (RIPE) BGP update messages are publicly available from the Network Coordination Centre (NCC)and contain Slammer, Nimda, Code Red I, and regular data: Regular data are also collected from BCNET: infected Microsoft SQL servers through a small piece of code that generated IP addresses at random. The number of infected machines doubled approximately every 9 seconds. Nimda exploited vulnerabilities in the Microsoft Internet Information Services (IIS) web servers for Internet Explorer 5. The worm propagated by sending an infected attachment that was automatically downloaded once the email was viewed. The Code Red I worm attacked Microsoft IIS web servers by replicating itself through IIS server weaknesses Unlike the Slammer worm, Code Red I searched for vulnerable servers to infect. The rate of infection was doubling every 37 minutes. 37 features are extracted from BGP update messages that originated from AS 513 (route collector rrc 04). The data collected during periods of Internet anomalies include: five-day period for Slammer and Code Red I (the day of the attack as well as two days prior and two days after the attack); seven-day period for Nimda (two and a half days of the attack as well as two and a half days prior and two days after the attack). Note that there are 31 missing data points in the Nimda dataset.


Raw data from the "route collector rrc 04" are organized in folders labeled by the year and month of the collection date. Complete datasets for Slammer, Nimda, and Code Red I are available from the RIPE route collector rrc 04 site:       RIPE NCC:       Analyze:       Internet Measurements:       Routing Information Service (RIS):       RIS Raw Data: The date of last modification and the size of the datasets are also included.

BGP update messages are originally collected in multi-threaded routing toolkit (MRT) format. "Zebra-dump-parser" written in Perl is used to extract to ASCII the BGP updated messages. The 37 BGP features were extracted using a C# tool to generate uploaded datasets (csv files). Labels have been added based on the periods when data were collected.