LANDER:B Root Anomaly message question-20200213

README version: 11231, last modified: 2020-06-17.

This file describes the trace dataset "B_Root_Anomaly_message_question-20200213" provided by the LANDER project.

Contents
• 1 LANDER Metadata
• 2 Context of The Event
• 3 Dataset Contents
• 4 File Format
• 5 B-Root Address
• 6 Citation
• 7 Results Using This Dataset
• 8 User Annotations

LANDER Metadata

    dataSetName                B_Root_Anomaly_message_question-20200213
    status                     usc-web-and-predict
    shortDesc                  Anomaly in B-Root traffic 2020
    longDesc                   This is a collection of DNS requests, with host-only anonymized IP
                               addresses, collected at B-Root. The DNS payload is parsed and saved
                               in text form. For a dataset containing the raw PCAP data, see the
                               companion dataset LANDER:B_Root_Anomaly-20200213.
    datasetClass               Quasi-Restricted
    commercialAllowed          false
    requestReviewRequired      true
    productReviewRequired      false
    ongoingMeasurement         false
    submissionMethod           Upload
    collectionStartDate        2020-02-13
    collectionStartTime        00:00:00
    collectionEndDate          2020-02-13
    collectionEndTime          23:59:59
    availabilityStartDate      2020-05-10
    availabilityStartTime      00:30:00
    availabilityEndDate        2030-01-01
    availabilityEndTime        00:00:00
    anonymization              cryptopan/host
    archivingAllowed           false
    keywords                   category:dns-data, subcategory:anonymized-dns-data, dns, anomaly
    format                     csv
    access                     https
    hostName                   USC-LANDER
    providerName               USC
    groupingId                 B-Root Anomaly Message Question
    groupingSummaryFlag        false
    retrievalInstructions      download
    byteSize                   210756435968
    expirationDays             14
    impactDoi
    useAgreement               dua-ni-160816
    irbRequired                false
    privateAccessInstructions  See https://ant.isi.edu/datasets/#getting-datasets for information
                               on obtaining this dataset.

Context of The Event

• Duration of the event: 08:05 UTC to 08:09 UTC on 2020-02-13.
• Common query name: RANDOM.8.8.8.8 (a random label in front of 8.8.8.8), answered mostly with NXDomain.
• Attack characteristic: the attack came from the 61.220/16 network, with 61.220.3/24, 61.220.7/24 and 61.220.11/24 the most commonly used source prefixes. It was DNS over UDP, with some TCP SYN packets as well. Because addresses in this dataset are host-only anonymized (see Dataset Contents), these /16 and /24 prefixes are the real ones; only the host octet is scrambled.
• Captured query rate from message-format data: 0.37 Mqps (million queries per second) at the SIN site.

Dataset Contents

This data was captured at the B-Root DNS server. It should represent all traffic to B-Root over this time period.

    B_Root_Anomaly_message_question-20200213.README.txt            copy of this README
    DD/                                                            directory for the day of the month of collection
        YYYYMMDD-HHMMSS-NNNNNNNN.{lax,mia}.message_question.fsdb.xz    data files
        ...
    .sha1sum                                                       SHA-1 checksums of the compressed data files

Data files are named by the timestamp of the first packet in the trace (all times are in UTC):

    YYYYMMDD-HHMMSS-NNNNNNNN.SITE.message_question.fsdb.xz   (or .bz2)

where

    SITE       lax: the file was captured at the LAX B-Root anycast site
               mia: the file was captured at the MIA B-Root anycast site
               (if SITE is absent, the data was captured at LAX)
    YYYY       year (2020)
    MM         month (01-12)
    DD         day of the month (01-31)
    HH         hour (00-23)
    MM         minutes (00-59)
    SS         seconds (00-59)
    NNNNNNNN   sequence number

All data files are in text (FSDB) format, compressed with XZ (earlier datasets may use BZIP2 compression).

IP addresses are host-only anonymized: the top 24 bits of each IPv4 address are unchanged and the bottom 8 bits are prefix-preserving anonymized with Cryptopan (for IPv6 the lowest 32 bits are anonymized; see B-Root Address below). Aggregating sources by /24 is therefore exact, while counts for individual hosts inside a /24 refer to anonymized host addresses.

The file ".sha1sum" contains SHA-1 checksums of the individual compressed files. The integrity of the distribution can be checked by independently computing the SHA-1 sums of the files and comparing them with those listed in the file. If the sha1sum utility is installed on your system, run:

    sha1sum --check .sha1sum

This has to be done before the files are uncompressed.

File Format

Data files are the output of the dnsanon utility. All data files are compressed text (FSDB).
Columns are tab-separated and are as follows:

    msgid                Incrementing integer counter within the FSDB file
    time                 Timestamp of the packet
    srcip                Source IP address
    srcport              Source port
    dstip                Destination IP address
    dstport              Destination port
    protocol             Protocol used (udp or tcp)
    id                   The ID field from the DNS header
    qr                   0 if the message is a query, 1 if it is a response
    opcode               The DNS operation code value
    aa                   The Authoritative Answer flag
    tc                   The Truncated flag
    rd                   The Recursion Desired flag
    ra                   The Recursion Available flag
    z                    The (should be unused) Z flag
    ad                   The Authentic Data flag (set by DNSSEC-validating resolvers)
    cd                   The Checking Disabled flag
    rcode                The response code (3 = NXDomain)
    qdcount              Number of records in the question section (should always be 1)
    ancount              Number of records in the answer section
    nscount              Number of records in the authority section
    arcount              Number of records in the additional section
    edns_present         1 if an EDNS0 OPT record was present in the additional section, else 0
    edns_udp_size        The maximum accepted message size field from the EDNS0 record
    edns_extended_rcode  The extended rcode field from the EDNS0 record
    edns_version         The EDNS0 version number from the EDNS0 record
    edns_z               The Z field from the EDNS0 record
    msglen               The length of the DNS message
    ipttl                The IP TTL value of the packet
    name                 The QNAME from the question section
    type                 DNS query type (e.g. A, AAAA, PTR, NS)
    class                DNS query class (e.g. IN, CH, ANY)

B-Root Address

Since the lowest 8 bits of every IPv4 address are anonymized, the IP address of B-Root in the data differs from the actual B-Root address (formerly 192.228.79.201, now 199.9.14.201). In this dataset the B-Root address appears as 199.9.14.93 (new prefix) and 192.228.79.119 (old prefix). All IPv6 addresses have their lowest 32 bits anonymized; the actual IPv6 address of B-Root (formerly 2001:500:84::b, now 2001:500:200::b) appears as 2001:500:200::1888:a303 (new prefix) and 2001:500:84::382f:9543 (old prefix).
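As an added example (it is not part of the LANDER README or of the dnsanon tool), the following Python reads message_question rows in the column order documented above, parses data file names to find the files whose first packet falls in a time window, aggregates sources at the prefix length the anonymization leaves intact (/24 for IPv4, /96 for IPv6), and summarizes the pattern described under Context of The Event (random-label queries under 8.8.8.8 with NXDomain replies) for the 08:05-08:09 UTC window. Assumptions not stated on this page: the FSDB header is the usual '#fsdb -F t <columns>' line and trailing '#' lines are tool-chain comments; the time column is epoch seconds; the sample rows are constructed for illustration, not taken from the dataset.

```python
"""Read dnsanon message_question FSDB rows and summarize the 2020-02-13 B-Root event pattern."""
import re
from collections import Counter
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Column order documented in the File Format section of the README.
COLUMNS = ("msgid time srcip srcport dstip dstport protocol id qr opcode aa tc rd ra z ad cd "
           "rcode qdcount ancount nscount arcount edns_present edns_udp_size edns_extended_rcode "
           "edns_version edns_z msglen ipttl name type class").split()

B_ROOT = "199.9.14.93"  # anonymized B-Root address given in the README
T0 = datetime(2020, 2, 13, 8, 5, tzinfo=timezone.utc).timestamp()  # event start, 08:05 UTC

# Data file names: YYYYMMDD-HHMMSS-NNNNNNNN[.SITE].message_question.fsdb.{xz,bz2}; SITE defaults to lax.
FNAME_RE = re.compile(r"^(\d{8})-(\d{6})-\d+(?:\.(lax|mia))?\.message_question\.fsdb\.(?:xz|bz2)$")
# Event query names: one random label in front of 8.8.8.8 (trailing dot tolerated).
QNAME_RE = re.compile(r"^[^.]+\.8\.8\.8\.8\.?$")

def file_start_time(filename):
    """Return (epoch seconds of the file's first packet, site) parsed from a data file name."""
    m = FNAME_RE.match(filename)
    if not m:
        raise ValueError(f"not a message_question data file name: {filename}")
    start = datetime.strptime(m.group(1) + m.group(2), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return start.timestamp(), (m.group(3) or "lax")

def source_prefix(ip):
    """Prefix left intact by the anonymization: /24 for IPv4 (low 8 bits), /96 for IPv6 (low 32 bits)."""
    addr = ip_address(ip)
    return str(ip_network(f"{addr}/{24 if addr.version == 4 else 96}", strict=False))

def parse_fsdb(text):
    """Yield one dict per data row. Assumes the FSDB convention (not stated in the README) of a
    leading '#fsdb -F t <columns>' header and '#' trailer comments; falls back to COLUMNS."""
    cols = COLUMNS
    for line in text.splitlines():
        if line.startswith("#fsdb"):
            tokens = line.split()[1:]
            while tokens and tokens[0].startswith("-"):  # drop option pairs such as '-F t'
                tokens = tokens[2:]
            cols = tokens
        elif line and not line.startswith("#"):          # skip blank lines and trailer comments
            fields = line.split("\t")
            if len(fields) != len(cols):
                raise ValueError(f"expected {len(cols)} fields, got {len(fields)}: {line[:60]}")
            yield dict(zip(cols, fields))

def summarize(rows, window_start, window_end):
    """Peak query rate, source prefixes, event-pattern share and NXDOMAIN share in [start, end)."""
    qps, prefixes = Counter(), Counter()
    queries = responses = nxdomain = pattern_hits = 0
    for r in rows:
        t = float(r["time"])                  # time column read as epoch seconds (assumption)
        if not window_start <= t < window_end:
            continue
        if r["qr"] == "0":                    # query
            queries += 1
            qps[int(t)] += 1
            prefixes[source_prefix(r["srcip"])] += 1
            pattern_hits += bool(QNAME_RE.match(r["name"]))
        else:                                 # response
            responses += 1
            nxdomain += r["rcode"] == "3"     # rcode 3 = NXDOMAIN
    return {"queries": queries, "responses": responses, "peak_qps": max(qps.values(), default=0),
            "pattern_share": pattern_hits / queries if queries else 0.0,
            "nxdomain_share": nxdomain / responses if responses else 0.0,
            "top_prefixes": prefixes.most_common(3)}

def _row(msgid, t, srcip, dstip, qr, rcode, name):
    """Build one tab-separated row, with plausible fixed values for columns not under study."""
    v = dict.fromkeys(COLUMNS, "0")
    v.update({"msgid": str(msgid), "time": f"{t:.6f}", "srcip": srcip, "dstip": dstip,
              "srcport": "53" if qr else "41532", "dstport": "41532" if qr else "53", "protocol": "udp",
              "id": "4101", "qr": str(qr), "rd": "1", "rcode": str(rcode), "qdcount": "1", "edns_present": "1",
              "edns_udp_size": "4096", "msglen": "43", "ipttl": "57", "name": name, "type": "A", "class": "IN"})
    return "\t".join(v[c] for c in COLUMNS)

# Constructed sample (not taken from the dataset): event-style queries from anonymized 61.220.x
# sources answered NXDOMAIN, one ordinary query with a NOERROR answer, and one query after the window.
SAMPLE_FSDB = "\n".join([
    "#fsdb -F t " + " ".join(COLUMNS),
    _row(1, T0 + 0.10, "61.220.3.17", B_ROOT, 0, 0, "kq72ab.8.8.8.8"),
    _row(2, T0 + 0.11, B_ROOT, "61.220.3.17", 1, 3, "kq72ab.8.8.8.8"),
    _row(3, T0 + 0.50, "61.220.7.200", B_ROOT, 0, 0, "zz91m.8.8.8.8"),
    _row(4, T0 + 0.51, B_ROOT, "61.220.7.200", 1, 3, "zz91m.8.8.8.8"),
    _row(5, T0 + 1.20, "61.220.3.9", B_ROOT, 0, 0, "p0q.8.8.8.8."),
    _row(6, T0 + 1.30, "203.0.113.44", B_ROOT, 0, 0, "example.com"),
    _row(7, T0 + 1.31, B_ROOT, "203.0.113.44", 1, 0, "example.com"),
    _row(8, T0 + 300.0, "61.220.11.5", B_ROOT, 0, 0, "abc.8.8.8.8"),
    "#  | dnsanon (constructed trailer comment)"])

if __name__ == "__main__":
    # Summarize the constructed sample over the README's 08:05-08:09 UTC event window.
    print(summarize(parse_fsdb(SAMPLE_FSDB), T0, T0 + 240))
```

On the real files, decompress with xz -dc and feed the text to parse_fsdb; use file_start_time to pick only the files whose timestamp falls near the event window rather than reading the whole day. The /24 aggregation is what makes the per-prefix counts trustworthy despite anonymization; per-host counts inside a prefix refer to Cryptopan-scrambled host addresses.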
Citation

If you use this trace to conduct additional research, please cite it as:

    B-Root Anomaly (message question) 2020-02-13 dataset, IMPACT ID: USC-LANDER/B_Root_Anomaly_message_question-20200213/rev11231. Provided by USC/B-Root Operations with the USC/LANDER project, http://www.isi.edu/ant/lander.

Results Using This Dataset

None listed.

User Annotations

Currently no annotations.