LANDER:B Root Anomaly-20210528

README version: 12012, last modified: 2021-09-28.

This file describes the trace dataset "B_Root_Anomaly-20210528" provided by the LANDER project.

LANDER Metadata

┌───────────────────────────┬────────────────────────────────────────────────────────────────────────────────────┐
│ dataSetName               │ B_Root_Anomaly-20210528                                                            │
│ status                    │ usc-web-and-predict                                                                │
│ shortDesc                 │ Anomaly in B-Root traffic 2021                                                     │
│ longDesc                  │ This is a collection of DNS requests host-only anonymized IP collected at B root.  │
│                           │ DNS payload is parsed and saved in a text form. For a dataset containing raw PCAP  │
│                           │ data, please see a companion dataset LANDER:B_Root_Anomaly-20210528.               │
│ datasetClass              │ Quasi-Restricted                                                                   │
│ commercialAllowed         │ false                                                                              │
│ requestReviewRequired     │ true                                                                               │
│ productReviewRequired     │ false                                                                              │
│ ongoingMeasurement        │ false                                                                              │
│ submissionMethod          │ Upload                                                                             │
│ collectionStartDate       │ 2021-05-28                                                                         │
│ collectionStartTime       │ 00:00:00                                                                           │
│ collectionEndDate         │ 2021-05-28                                                                         │
│ collectionEndTime         │ 23:59:59                                                                           │
│ availabilityStartDate     │ 2021-07-22                                                                         │
│ availabilityStartTime     │ 00:00:00                                                                           │
│ availabilityEndDate       │ 2030-01-01                                                                         │
│ availabilityEndTime       │ 00:00:00                                                                           │
│ anonymization             │ cryptopan/host                                                                     │
│ archivingAllowed          │ false                                                                              │
│ keywords                  │ category:dns-data, subcategory:anonymized-dns-data, dns, anomaly                   │
│ format                    │ pcap                                                                               │
│ access                    │ https                                                                              │
│ hostName                  │ USC-LANDER                                                                         │
│ providerName              │ USC                                                                                │
│ groupingId                │                                                                                    │
│ groupingSummaryFlag       │ false                                                                              │
│ retrievalInstructions     │ download                                                                           │
│ byteSize                  │ 500932018176                                                                       │
│ expirationDays            │ 14                                                                                 │
│ uncompressedSize          │                                                                                    │
│ impactDoi                 │                                                                                    │
│ useAgreement              │ dua-ni-160816                                                                      │
│ irbRequired               │ false                                                                              │
│ privateAccessInstructions │ See http://www.isi.edu/ant/traces/index.html#getting_datasets for information on   │
│                           │ obtaining this dataset.                                                            │
└───────────────────────────┴────────────────────────────────────────────────────────────────────────────────────┘

Context of The Event

• Duration of the event: 02:35 UTC (for 3-5 minutes)
• Common query name: pizzaseo.com. (most common)
• Attack characteristic: All sites - sources were randomized, queries were IP fragmented (large packet size), the server made fixed 60-byte replies.
• Captured query rate from message-format data: 60Gb/s [across all sites] Mqps (mega queries per second)

Dataset Contents

This data was captured at the B-Root DNS server. It should represent all traffic to B-Root over this time period.

    B_Root_Anomaly-20210528.README.txt       copy of this README
                                             day of the month of collection
    YYYYMMDD-HHMMSS-NNNNNNNN.SITE.pcap.xz    data files
    ...
    .sha1sum                                 SHA-1 checksum

Data files are named by the timestamp of the first packet in the trace (all times are in UTC):

    YYYYMMDD-HHMMSS-NNNNNNNN.SITE.pcap.xz (or .bz2)

where SITE is the anycast site of B-Root:

    lax or unspecified: Los Angeles, California
    mia: Miami, Florida
    ari: Arica, Chile
    sin: Singapore
    iad: Dulles, Virginia
    ams: Amsterdam, Netherlands

and

    YYYY is the year (2021)
    MM is the month (01-12)
    DD is the day of the month (01-31 depending on the month)
    HH is the hour (00-23)
    MM is the minutes (00-59)
    SS is the seconds (00-59)
    NNNNNNNN is a sequence number

All data files are in PCAP format, compressed with XZ (earlier datasets may have BZIP compression).

IP addresses are host-only anonymized, so that for IPv4 the most significant 24 bits are unchanged and the least significant 8 bits are prefix-preserving anonymized using Cryptopan (for IPv6 it is the least significant 32 bits).

The file ".sha1sum" contains SHA-1 checksums of the individual compressed files. The integrity of the distribution can thus be checked by independently calculating the SHA-1 sums of the files and comparing them with those listed in the file. If you have the sha1sum utility installed on your system, you can do that by executing:

    sha1sum --check .sha1sum

This has to be done before the files are uncompressed.

B-Root Address

Since all IPv4 addresses have their lowest 8 bits anonymized, the IP address of B-Root in the traces is likely to be different from the actual B-Root address (192.228.79.201; now it is 199.9.14.201). For this dataset the B-Root address was anonymized to: 199.9.14.182 (new address), 192.228.79.143 (old address).

All IPv6 addresses have their lowest 32 bits anonymized. The actual IPv6 address of B-Root (2001:500:84::b; now it is 2001:500:200::b) has been anonymized to 2001:500:200::5f46:3981 (new IPv6 address), 2001:500:84::57c2:6023 (old IPv6 address).
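As an added illustration (not part of this README or of the LANDER tooling), the following Python reproduces two of the steps described above: it parses the data-file naming convention, including the optional SITE code (absent means lax) and the .xz/.bz2 suffix, and re-implements the `sha1sum --check .sha1sum` integrity check over still-compressed file contents. The file names and contents are constructed for the example, and the sha1sum listing line format ("<hex>  <name>" or "<hex> *<name>") is an assumption about the utility's output.

```python
import hashlib
import re
from datetime import datetime, timezone

# Trace file-name convention from this README; SITE is optional and means lax when absent.
SITES = {"lax": "Los Angeles, California", "mia": "Miami, Florida", "ari": "Arica, Chile",
         "sin": "Singapore", "iad": "Dulles, Virginia", "ams": "Amsterdam, Netherlands"}
NAME_RE = re.compile(r"^(\d{8})-(\d{6})-(\d{8})(?:\.([a-z]{3}))?\.pcap\.(xz|bz2)$")
SUM_RE = re.compile(r"^([0-9a-fA-F]{40}) [ *](.+)$")  # "<hex>  <name>" or "<hex> *<name>" (assumed)

def parse_trace_name(fname):
    """Split a data-file name into its UTC start time, sequence number and site."""
    m = NAME_RE.match(fname)
    if not m:
        raise ValueError(f"not a B-Root trace file name: {fname}")
    date, time, seq, site, comp = m.groups()
    site = site or "lax"
    if site not in SITES:
        raise ValueError(f"unknown site code: {site}")
    start = datetime.strptime(date + time, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return {"start": start, "seq": int(seq), "site": site, "location": SITES[site], "compression": comp}

def verify_sha1sums(listing, files):
    """Re-implement 'sha1sum --check .sha1sum' over in-memory, still-compressed file
    contents. `files` maps name -> bytes; returns name -> "OK" / "FAILED" / "MISSING"."""
    results = {}
    for line in filter(str.strip, listing.splitlines()):
        m = SUM_RE.match(line)
        if not m:
            raise ValueError(f"malformed .sha1sum line: {line!r}")
        digest, fname = m.groups()
        if fname not in files:
            results[fname] = "MISSING"
        elif hashlib.sha1(files[fname]).hexdigest() == digest.lower():
            results[fname] = "OK"
        else:
            results[fname] = "FAILED"
    return results

# Constructed sample distribution (not real dataset contents): two tiny stand-in
# "compressed" files, the second of which was altered after the listing was written.
GOOD = "20210528-023500-00000001.pcap.xz"
BAD = "20210528-023500-00000002.ams.pcap.xz"
MISSING = "20210528-024000-00000003.iad.pcap.xz"
FILES = {GOOD: b"constructed xz payload A", BAD: b"constructed xz payload B (tampered)"}
SHA1SUM_LISTING = (
    f"{hashlib.sha1(FILES[GOOD]).hexdigest()}  {GOOD}\n"
    f"{hashlib.sha1(b'constructed xz payload B').hexdigest()}  {BAD}\n"
    f"{'0' * 40} *{MISSING}\n"
)
```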
Citation

If you use this trace to conduct additional research, please cite it as:

    xxx dataset, PREDICT ID / IMPACT ID: USC-LANDER/B_Root_Anomaly-20210528/rev12012. Provided by USC/B-Root Operations with USC/LANDER project http://www.isi.edu/ant/lander.

Results Using This Dataset

• Not yet

User Annotations

Details

Some details about this attack (analysis by johnh on 2023-02-21):

It looks like B-Root was the target of a DNS amplification attack. Someone spoofed B-Root as the source address for DNS queries to many nameservers with the string "pizzaseo.com.". B-Root got these DNS replies as a volumetric attack to exhaust B-Root network capacity.

The attack traffic can be identified as

    _name =~ /pizzaseo.com./ && _qr == 1

in message_question format, or via:

    tshark -r - -n -T fields -e dns.qry.name -Y 'dns.qry.name matches "pizzaseo.com"'

in pcap.
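The filter in the annotation above, restated as an added Python example (not code from this README or from B-Root operations): a minimal DNS message builder and parser that applies the same test, QR bit set and question name containing pizzaseo.com., to constructed sample payloads so the reflected replies can be counted separately from the spoofed queries. Only the DNS payload is modelled; the IP/UDP headers and fragmentation of the real traces are outside its scope.

```python
import struct

# Constructed sample DNS messages (not taken from the dataset); only the DNS payload is
# modelled, the IP/UDP headers and fragmentation of the real traffic are not.
ATTACK_NAME = "pizzaseo.com."

def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_dns(txid, qname, is_response):
    """One-question message; responses also carry a single A record answer."""
    flags = 0x8180 if is_response else 0x0100           # QR|RD|RA  vs.  RD only
    msg = struct.pack("!HHHHHH", txid, flags, 1, int(is_response), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    if is_response:  # pointer to the question name, A/IN, TTL 60, 4-byte RDATA
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([203, 0, 113, 10])
    return msg

def decode_name(msg, offset):
    labels = []
    while True:
        ln = msg[offset]
        if ln == 0:
            return ".".join(labels) + "."
        if ln & 0xC0:   # compression pointer: never valid in the first question name
            raise ValueError("compressed question name")
        labels.append(msg[offset + 1:offset + 1 + ln].decode("ascii"))
        offset += 1 + ln

def parse_dns(msg):
    """Return the header fields and question name the README's filter relies on."""
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    name = decode_name(msg, 12) if qdcount else ""
    return {"id": txid, "qr": flags >> 15, "rcode": flags & 0xF, "name": name}

def is_attack_reply(msg):
    """Python equivalent of '_name =~ /pizzaseo.com./ && _qr == 1'."""
    p = parse_dns(msg)
    return p["qr"] == 1 and ATTACK_NAME in p["name"]

def count_attack_replies(msgs):
    return sum(1 for m in msgs if is_attack_reply(m))

SAMPLE = [build_dns(1, "pizzaseo.com.", True),   # reflected reply: matches
          build_dns(2, "pizzaseo.com.", False),  # the spoofed query itself: QR=0
          build_dns(3, "example.com.", True)]    # unrelated reply: no match
```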