LANDER:orion telescope-20200801 From Predict README version: 14303, last modified: 2023-09-13. This file describes the trace dataset "orion_telescope-20200801" provided by MERIT. Contents • 1 LANDER Metadata • 2 Dataset Contents • 3 Dataset Generation • 4 Labels • 5 Citation • 6 Results Using This Dataset • 7 User Annotations LANDER Metadata ┌───────────────────────────┬────────────────────────────────────────────────────────────────────────────────────┐ │ dataSetName │ orion_telescope-20200801 │ ├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤ │ status │ usc-web-and-predict │ ├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤ │ shortDesc │ Darknet data offered by Merit's ORION Network Telescope │ ├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤ │ longDesc │ Darknet data offered by Merit's ORION Network Telescope. Byte size quoted as of │ │ │ 2022-02-14. For further details, please visit: │ │ │ https://www.merit.edu/initiatives/orion-network-telescope/ │ ├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤ │ datasetClass │ Classified │ ├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤ │ commercialAllowed │ false │ ├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤ │ requestReviewRequired │ true │ ├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤ │ productReviewRequired │ false │ ├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤ │ ongoingMeasurement │ true │ ├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤ │ submissionMethod │ Upload │ ├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤ │ collectionStartDate │ 2020-08-01 │ ├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤ │ collectionStartTime │ 00:00:00 │ ├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤ │ collectionEndDate │ 2030-01-01 │ ├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤ │ collectionEndTime │ 00:00:00 │ ├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤ │ availabilityStartDate │ 2022-03-15 │ ├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤ │ availabilityStartTime │ 00:00:00 │ ├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤ │ availabilityEndDate │ 2030-01-01 │ ├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤ │ availabilityEndTime │ 00:00:00 │ ├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤ │ anonymization │ none │ ├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤ │ archivingAllowed │ false │ ├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤ │ keywords │ category:darknet-data, subcategory:unidirectional-traffic-traces, darknet, network │ │ │ telescope, scanning, malware, ongoing │ ├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤ │ format │ Google BigQuery │ ├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤ │ access │ Google BigQuery │ ├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤ │ hostName │ USC-LANDER │ ├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤ │ providerName │ MERIT │ ├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤ │ groupingId │ │ ├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤ │ groupingSummaryFlag │ false │ ├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤ │ retrievalInstructions │ cloud │ ├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤ │ byteSize │ NA │ ├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤ │ expirationDays │ NA │ ├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤ │ uncompressedSize │ NA │ ├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤ │ impactDoi │ │ ├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤ │ useAgreement │ merit-dua-v1 │ ├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤ │ irbRequired │ false │ ├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤ │ privateAccessInstructions │ See https://ant.isi.edu/datasets/#getting-datasets for information on obtaining │ │ │ this dataset. │ │ │ See │ └───────────────────────────┴────────────────────────────────────────────────────────────────────────────────────┘ Dataset Contents This ongoing, longitudinal dataset includes data collected at Merit's Darknet. Network telescopes collect and record unsolicited Internet-wide traffic destined to a routed but unused address space usually referred to as “Darknet” or “blackhole” address space. Darknets can provide global perspective on Internet behavior and are one of the key data sources used by the networking and security communities to understand malware propagation, Distributed Denial of Service (DDoS) attacks, network scanning, routing misconfigurations, and Internet outages. Merit Network has been operating one of a small number of researcher-accessible network telescopes for more than 15 years, that has facilitated an array of empirical studies. The data collection is ongoing and as of Feb 2022 full dataset size is over 11.5T of data. Dataset Generation The dataset is available via Google's BigQuery service. Data is uploaded to BigQuery on an hourly basis. The ORION Network Telescope data pipeline is explained in more detail here: https://www.merit.edu/initiatives/orion-network-telescope/ The software that generates these Darknet events is open-sourced and available here: https://github.com/Merit-Research/darknet-events Labels There are multiple labels already available in ORION's BigQuery table. E.g., one can perform a query to retrieve IPs appearing in the ORION network telescope that are 1) associated with the Mirai malware (see Manos Antonakakis et al. (USENIX Security 2017) paper for more information on the Mirai botnet), 2) associated with ZMap/Masscan scanning, 3) associated with scanning in general (i.e., all IPs engaged in TCP-SYN requests), 4) associated with DoS/backscatter activities, etc. For instance, to retrieve IPs and important metadata (such as packets sent) associated with the Mirai label appearing in the ORION network telescope within the last 24 hours, one can perform the following query: # BQ query for Mirai IPs SELECT sourceip, SUM(packets) AS packets FROM `orion_network_telescope.events` WHERE Mirai = TRUE AND FIRST > TIMESTAMP_SUB(CURRENT_TIMESTAMP(), INTERVAL 24 HOUR) AND FIRST <= CURRENT_TIMESTAMP() GROUP BY sourceip ORDER BY packets DESC For BigQuery's API access to retrieve these data using Python or another language, visit the ORION Wiki and references therein: https://github.com/Merit-Research/darknet-events/wiki/ORION-Network-Telescope Citation If you use this trace to conduct additional research, please cite it as: ORION Network Telescope. Provided by Merit Network, Inc. https://www.merit.edu/initiatives/orion-network-telescope/ Results Using This Dataset • Manos Antonakakis, Tim April, Michael Bailey, Matt Bernhard, Elie Bursztein, Jaime Cochran, Zakir Durumeric, J. Alex Halderman, Luca Invernizzi, Michalis Kallitsis, Deepak Kumar, Chaz Lever, Zane Ma, Joshua Mason, Damian Menscher, Chad Seaman, Nick Sullivan, Kurt Thomas, and Yi Zhou. Understanding the mirai botnet. In 26th USENIX Security Symposium (USENIX Security 17), pages 1093–1110, Vancouver, BC, 2017. USENIX Association. • Zakir Durumeric, Michael Bailey, and J. Alex Halderman. An internet-wide view of internet-wide scanning. In Proceedings of the 23rd USENIX Conference on Security Symposium, SEC’14, pages 65–78, Berkeley, CA, USA, 2014. USENIX Association. • Karyn Benson, Alberto Dainotti, kc claffy, Alex C. Snoeren, and Michael Kallitsis. Leveraging internet background radiation for opportunistic network analysis. In Proceedings of the 2015 ACM Conference on Internet Measurement Conference, IMC ’15, pages 423–436, New York, NY, USA, 2015. ACM. • Jakub Czyz, Michael Kallitsis, Manaf Gharaibeh, Christos Papadopoulos, Michael Bailey, and Manish Karir. Taming the 800 pound gorilla: The rise and decline of ntp ddos attacks. In Proceedings of the 2014 Conference on Internet Measurement Conference, IMC ’14, pages 435–448, New York, NY, USA, 2014. ACM. • Alberto Dainotti, Karyn Benson, Alistair King, kc claffy, Michael Kallitsis, Eduard Glatz, and Xenofontas Dimitropoulos. Estimating internet address space usage through passive measurements. SIGCOMM Comput. Commun. Rev., 44(1):42–49, December 2013. • A. Mirian, Z. Ma, D. Adrian, M. Tischer, T. Chuenchujit, T. Yardley, R. Berthier, J. Mason, Z. Durumeric, J. A. Halderman, and M. Bailey. An internet-wide view of ics devices. In 2016 14th Annual Conference on Privacy, Security and Trust (PST), pages 96–103, Dec 2016. • Eric Wustrow, Manish Karir, Michael Bailey, Farnam Jahanian, and Geoff Huston. Internet background radiation revisited. In Proceedings of the 10th ACM SIGCOMM Conference on Internet Measurement, IMC ’10, pages 62–74, New York, NY, USA, 2010. ACM. User Annotations Currently no annotations. Categories: • Datasets • LANDER • LANDER:Datasets • LANDER:Datasets:AddressSpace:Adaptive Probing • LANDER:Datasets:AddressSpace • LANDER:Datasets:MERIT