LANDER:B Root Anomaly-20200214

From Predict

README version: 11225, last modified: 2020-06-16.

This file describes the trace dataset "B_Root_Anomaly-20200214" provided by the LANDER project.

Contents

 • 1 LANDER Metadata
 • 2 Context of The Event
 • 3 Dataset Contents
 • 4 B-Root Address
 • 5 Citation
 • 6 Results Using This Dataset
 • 7 User Annotations
 • 8 Categories

LANDER Metadata

  dataSetName                B_Root_Anomaly-20200214
  status                     usc-web-and-predict
  shortDesc                  B root traffic for DITL 2020
  longDesc                   This is the collection of full payload packets data with host-only anonymized IP
                             collected at B root. For a dataset containing parsed DNS data, please see the
                             companion dataset LANDER:B_Root_Anomaly_message_question-20200214.
  datasetClass               Quasi-Restricted
  commercialAllowed          false
  requestReviewRequired      true
  productReviewRequired      false
  ongoingMeasurement         false
  submissionMethod           Upload
  collectionStartDate        2020-02-14
  collectionStartTime        00:00:00
  collectionEndDate          2020-02-14
  collectionEndTime          23:59:59
  availabilityStartDate      2020-05-25
  availabilityStartTime      00:30:00
  availabilityEndDate        2030-01-01
  availabilityEndTime        00:00:00
  anonymization              cryptopan/host
  archivingAllowed           false
  keywords                   category:dns-data, subcategory:anonymized-dns-data, dns, anomaly
  format                     pcap
  access                     https
  hostName                   USC-LANDER
  providerName               USC
  groupingId                 B-Root Anomaly
  groupingSummaryFlag        false
  retrievalInstructions      download
  byteSize                   511121031168
  expirationDays             14
  uncompressedSize           5202224537166
  impactDoi
  useAgreement               dua-ni-160816
  irbRequired                false
  privateAccessInstructions  See https://ant.isi.edu/datasets/#getting-datasets for information on obtaining
                             this dataset.

Context of The Event

 • Duration of the event: 23:17:47 UTC to 23:19:00 UTC
 • Common query name: peacecorps.gov. with other attack queries.
 • Attack characteristic: The attack mostly hits the LAX site. It looks like a reflection attack directed at B-Root: many fragmented packets, many sources, CLDAP packets, and DNS response packets (with DNSSEC signatures).
 • Captured query rate from message-format data: 0.12 Mqps (LAX site), where Mqps is mega queries per second.

Dataset Contents

This data was captured at the B-Root DNS server. It should represent all traffic to B-Root over this time period.

  B_Root_Anomaly-20200214.README.txt        copy of this README
  [directory]                               day of the month of collection
    YYYYMMDD-HHMMSS-NNNNNNNN.SITE.pcap.xz   data files
    ...
  .sha1sum                                  SHA-1 checksums of the compressed files

Data files are named by the timestamp of the first packet in the trace (all times are in UTC):

  YYYYMMDD-HHMMSS-NNNNNNNN.SITE.pcap.xz (or .bz2)

where SITE is the anycast site of B-Root:

  lax or unspecified: Los Angeles, California
  mia: Miami, Florida
  ari: Arica, Chile
  sin: Singapore
  iad: Dulles, Virginia
  ams: Amsterdam, Netherlands

and the timestamp fields are:

  YYYY is the year (2020)
  MM is the month (01-12)
  DD is the day of the month (01-31, depending on the month)
  HH is the hour (00-23)
  MM is the minutes (00-59)
  SS is the seconds (00-59)
  NNNNNNNN is a sequence number

All data files are in PCAP format, compressed with XZ (earlier datasets may have BZIP compression).

IP addresses are host-only anonymized: for IPv4, the most significant 24 bits are unchanged and the least significant 8 bits are prefix-preserving anonymized using Cryptopan; for IPv6, the least significant 32 bits are anonymized.

The file ".sha1sum" contains SHA-1 checksums of the individual compressed files. The integrity of the distribution can therefore be checked by independently calculating the SHA-1 sums of the files and comparing them with those listed in that file. If the sha1sum utility is installed on your system, you can do that by executing:

  sha1sum --check .sha1sum

This has to be done before the files are uncompressed.

B-Root Address

Since the lowest 8 bits of all IPv4 addresses are anonymized, the IP address of B-Root in the traces is likely to differ from the actual B-Root address (192.228.79.201; now 199.9.14.201). For this dataset the B-Root address was anonymized to 199.9.14.133 (new prefix) and 192.228.79.11 (old prefix).

All IPv6 addresses have the lowest 32 bits anonymized. The actual IPv6 address of B-Root (2001:500:84::b; now 2001:500:200::b) has been anonymized to 2001:500:200::168d:a865 (new IPv6) and 2001:500:84::db69:691d (old IPv6).
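The file naming convention, the .sha1sum integrity check and the host-only anonymization described above can be exercised together in a short script. The following is an added example written for this README, not LANDER's own tooling. It assumes only what the README states: a .sha1sum manifest in sha1sum(1) text-mode format (40 hex digits, two spaces, file name) and data files named YYYYMMDD-HHMMSS-NNNNNNNN.SITE.pcap.xz or .bz2, with an absent SITE meaning LAX. The directory it checks is constructed by demo() for the run; no real trace data is needed.

```python
"""Integrity and coverage check for a downloaded B-Root trace distribution.

Added example for this README, not LANDER tooling. Assumes only what the README
states: a ".sha1sum" manifest in sha1sum(1) format ("<40 hex>  <file name>")
and data files named YYYYMMDD-HHMMSS-NNNNNNNN.SITE.pcap.xz (or .bz2), where an
absent SITE means LAX. demo() builds a constructed directory for the run.
"""
import hashlib
import ipaddress
import os
import re
import tempfile
from datetime import datetime, timezone

SITES = {"lax": "Los Angeles, California", "mia": "Miami, Florida",
         "ari": "Arica, Chile", "sin": "Singapore",
         "iad": "Dulles, Virginia", "ams": "Amsterdam, Netherlands"}

NAME_RE = re.compile(
    r"^(?P<ts>\d{8}-\d{6})-(?P<seq>\d{8})"  # first-packet time, sequence number
    r"(?:\.(?P<site>[a-z]+))?"              # optional anycast site code
    r"\.pcap\.(?P<comp>xz|bz2)$")           # XZ, or BZIP in earlier datasets


def parse_data_filename(name):
    """Return first-packet time (UTC), sequence number, site and compression."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError("not a B-Root trace file name: %r" % name)
    site = m.group("site") or "lax"  # unspecified site means Los Angeles
    if site not in SITES:
        raise ValueError("unknown anycast site %r in %r" % (site, name))
    when = datetime.strptime(m.group("ts"), "%Y%m%d-%H%M%S")
    return {"time": when.replace(tzinfo=timezone.utc), "seq": int(m.group("seq")),
            "site": site, "compression": m.group("comp")}


def parse_sha1sum_manifest(text):
    """Parse sha1sum(1) text-mode output into {file name: lowercase hex digest}."""
    entries = {}
    for line in filter(str.strip, text.splitlines()):
        digest, sep, name = line.partition("  ")  # two spaces separate the fields
        if not sep or not re.fullmatch(r"[0-9a-fA-F]{40}", digest):
            raise ValueError("malformed manifest line: %r" % line)
        entries[name] = digest.lower()
    return entries


def sha1_of_file(path, chunk=1 << 20):
    """Stream the file through SHA-1; the traces are far too large to read whole."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_distribution(directory):
    """Check each file listed in .sha1sum before decompressing: OK, FAILED or MISSING."""
    with open(os.path.join(directory, ".sha1sum"), encoding="utf-8") as f:
        manifest = parse_sha1sum_manifest(f.read())
    results = {}
    for name, expected in manifest.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"  # listed in the manifest, never downloaded
        else:
            results[name] = "OK" if sha1_of_file(path) == expected else "FAILED"
    return results


def shares_unanonymized_prefix(real, anonymized):
    """Host-only anonymization keeps all but the low 8 (IPv4) or 32 (IPv6) bits."""
    a, b = ipaddress.ip_address(real), ipaddress.ip_address(anonymized)
    host_bits = 8 if a.version == 4 else 32
    return a.version == b.version and (int(a) >> host_bits) == (int(b) >> host_bits)


def demo():
    """Constructed distribution: one intact file, one corrupted, one absent."""
    d = tempfile.mkdtemp()
    good = "20200214-231700-00000001.pcap.xz"
    bad = "20200214-231800-00000002.mia.pcap.xz"
    absent = "20200214-231900-00000003.ams.pcap.xz"
    payload = {good: b"constructed payload A", bad: b"constructed payload B"}
    lines = ["%s  %s" % (hashlib.sha1(v).hexdigest(), k) for k, v in payload.items()]
    lines.append("%s  %s" % ("0" * 40, absent))
    for k, v in payload.items():
        with open(os.path.join(d, k), "wb") as f:
            f.write(v + (b"\x00" if k == bad else b""))  # corrupt the second file
    with open(os.path.join(d, ".sha1sum"), "w", encoding="utf-8") as f:
        f.write("\n".join(lines) + "\n")
    return verify_distribution(d)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(status, name, SITES[parse_data_filename(name)["site"]])
```

verify_distribution checks the compressed files before anything is decompressed, as the README requires, and reports missing files separately from corrupted ones so a partial download is not mistaken for tampering. shares_unanonymized_prefix confirms that the published anonymized B-Root addresses (199.9.14.133, 192.228.79.11 and the two IPv6 addresses) agree with the real ones on every bit outside the anonymized host part, a quick way to verify that a downloaded trace is indeed the host-only anonymized variant.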
Citation

If you use this trace to conduct additional research, please cite it as:

  xxx dataset, PREDICT ID IMPACT ID: USC-LANDER/B_Root_Anomaly-20200214/rev11225. Provided by USC/B-Root Operations with USC/LANDER project http://www.isi.edu/ant/lander.

Results Using This Dataset

 •

User Annotations

Currently no annotations.

Categories

 • LANDER
 • LANDER:Datasets
 • LANDER:Datasets:BrootAnomaly
 • Datasets