This dataset is no longer available and has a current status of 'Withdrawn'.
Please see the catalog for a listing of currently available datasets.

Summary

DS-0717
Mirai scanning 2016
Dataset
Merit Network, Inc.
Merit Network, Inc.
06/01/2016
12/31/2016
48 (lowest rank is 56)

Category & Restrictions

Blackhole Address Space Data
Restricted
true

ICC/Researcher MOA including the following additional terms:

1. Researcher shall not transfer, extract, or duplicate the provided data (or a subset thereof) outside the servers of the Data Host that house the data, without written authorization from Merit Network IMPACT PI team. Researcher agrees that derivative information from the provided data can be transferred and used, in accordance with the Researcher obligations and other terms of this Agreement, only if sensitive information (including IP addresses) has been anonymized and removed.

2. Researcher agrees that the computing resources (such as a virtual machine's processing power, memory and network bandwidth) provided by the Data Host to the Researcher for downloading or processing the data are shared resources. Researcher thus agrees that the service for access to the requested data would be on a best effort basis. Should a virtual machine get allocated by the Data Host to the Researcher for processing the requested data, the Researcher's account on that machine should remain active for a period not exceeding 6 months, unless otherwise agreed with the Data Provider and Data Host.

3. The Researcher agrees that s/he will not attempt to probe or communicate in any way with a machine (or a human subject operating the machine) identified in the shared data. For example, the Researcher must not attempt to connect or send messages to any IP address present in the disclosed data.

4. The Data Provider reserves the right to audit any derived results from the provided dataset to ascertain that these results are in accordance with the Researcher's obligations regarding the terms of the ICC/Researcher MOA agreement including the following additional term: Researcher agrees that the computing resources (such as a virtual machine's processing power, memory and network bandwidth) provided by the Data Host to the Researcher for downloading or processing the data are shared resources. Researcher thus agrees that the service for access to the requested data would be on a best effort basis. Should a virtual machine get allocated by the Data Host to the Researcher for processing the requested data, the Researcher's account on that machine should remain active for a period not exceeding 6 months, unless otherwise agreed with the Data Provider and Data Host.

Description


Network scanning attributed to the Mirai worm. The worm infects IoT devices and tries to propagate by scanning for insecure Telnet channels.

In 2016, a worm called Mirai, which targets Internet-of-Things (IoT) devices, appeared on the Internet. The worm self-propagates by looking for open Telnet listeners on insecure IoT devices and launching password "dictionary attacks" to gain login access to these devices. This dataset captures those scanning efforts, as collected by Merit's 35/8 network telescope (aka "darknet"). The Mirai worm source code, released online by its author in September 2016, has a unique scanning fingerprint that lets us identify these scanning efforts. In particular, Mirai 1) sends TCP SYN packets, 2) towards Telnet ports 23 and 2323, and 3) sets the TCP initial sequence number equal to the destination IP of the targeted host. We mined our darknet data for this fingerprint to create this Mirai dataset. This dataset provides a lens into the thousands of infected IoT devices presumably responsible for the volumetric, record-breaking DDoS (Distributed Denial of Service) attacks that occurred in September and October 2016 against Akamai (i.e., the attacks against a popular security-oriented blog site hosted by Akamai), the attacks targeting the OVH cloud provider and the attacks directed at Dyn.

Note: the first Mirai probe to TCP 23 with the Mirai fingerprint appeared on August 1st, 2016. The first probe to TCP 2323 with the Mirai fingerprint appeared on September 6th, 2016. For completeness, we provide the output of BPF-filtering (using the above Mirai fingerprint) of our PCAP-based darknet data for a few days prior to the Mirai outbreak; this output is just empty PCAP data.
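The three-part fingerprint described above can be checked directly on raw IPv4 packets. The following is an added example, not code from Merit or from the dataset; the function names, the pcap-filter expression in the comment, and the sample packets (built from documentation address ranges) are assumptions made for illustration.

```python
import socket
import struct

# Roughly equivalent pcap-filter expression (an assumption; the page does not
# give the exact filter Merit used):
#   tcp[tcpflags] & (tcp-syn|tcp-ack) = tcp-syn
#     and (dst port 23 or dst port 2323) and tcp[4:4] = ip[16:4]
TELNET_PORTS = {23, 2323}
SYN, ACK = 0x02, 0x10

def is_mirai_probe(pkt: bytes) -> bool:
    """Return True if a raw IPv4 packet matches the three-part fingerprint."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return False                      # too short or not IPv4
    ihl = (pkt[0] & 0x0F) * 4             # IP options shift the TCP header
    if ihl < 20 or pkt[9] != 6 or len(pkt) < ihl + 20:
        return False                      # malformed, not TCP, or truncated
    if struct.unpack("!H", pkt[6:8])[0] & 0x1FFF:
        return False                      # later fragment: no TCP header here
    dst_ip = struct.unpack("!I", pkt[16:20])[0]
    _sport, dport, seq = struct.unpack("!HHI", pkt[ihl:ihl + 8])
    flags = pkt[ihl + 13]
    return (flags & (SYN | ACK) == SYN    # 1) SYN without ACK
            and dport in TELNET_PORTS     # 2) Telnet ports 23 / 2323
            and seq == dst_ip)            # 3) ISN equals destination address

def build_syn(src, dst, dport, seq, flags=SYN, ip_options=b""):
    """Construct a minimal IPv4+TCP test packet (checksums left at zero)."""
    ihl = 5 + len(ip_options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + 20, 0, 0,
                     64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, seq, 0, 5 << 4, flags,
                      1024, 0, 0)
    return ip + ip_options + tcp

def ip_int(addr: str) -> int:
    return struct.unpack("!I", socket.inet_aton(addr))[0]

if __name__ == "__main__":
    # Constructed samples; addresses are documentation ranges, not dataset data.
    dst = "192.0.2.10"
    for label, pkt in [
        ("fingerprint, port 23", build_syn("198.51.100.7", dst, 23, ip_int(dst))),
        ("random ISN, port 23", build_syn("198.51.100.7", dst, 23, 0x12345678)),
        ("fingerprint ISN, port 22", build_syn("198.51.100.7", dst, 22, ip_int(dst))),
    ]:
        print(f"{label}: {is_mirai_probe(pkt)}")
```

A non-Mirai scanner that picks a random initial sequence number hits the destination address by chance with probability 2^-32 per probe, which is why the sequence-number condition makes the fingerprint selective.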

Data format: PCAP. Access to the dataset is via Merit's secure enclaves.

Additional Details

2.7TB
false
false
Mirai, IoT, scanning, scan, network telescope, darknet, ddos, telnet, malware, worm, Internet of Things, attacks