To request access this dataset you will need to login with an IMPACT account. Accounts are free. If you don't have one please register.
This dataset is no longer available and has a current status of 'Withdrawn'.
Please see the catalog for a listing of currently available datasets.

Summary

DS-0717
Mirai scanning 2016
Dataset
Merit Network, Inc.
Merit Network, Inc.
06/01/2016
12/31/2016
43 (lowest rank is 50)

Category & Restrictions

Blackhole Address Space Data
Restricted
true

ICC/Researcher MOA including the following additional terms:




1. Researcher shall not transfer, extract, or duplicate the provided data (or a subset thereof) outside the servers of the Data Host that house the data, without written authorization from Merit Network IMPACT PI team. Researcher agrees that derivative information from the provided data can be transferred and used, in accordance with the Researcher obligations and other terms of this Agreement, only if sensitive information (including IP addresses) has been anonymized and removed.




2. Researcher agrees that the computing resources (such as a virtual machine's processing power, memory and network bandwidth) provided by the Data Host to the Researcher for downloading or processing the data are shared resources. Researcher thus agrees that the service for access to the requested data would be on a best effort basis. Should a virtual machine gets allocated by the Data Host to the Researcher for processing the requested data, the Researcher's account on that machine should remain active for a period not exceeding 6 months, unless otherwise agreed with the Data Provider and Data Host.




3. The Researcher agrees that s/he will not attempt to probe or communicate in any way with a machine (or a human subject operating the machine) identified in the shared data. For example, the Researcher must not attempt to connect or send messages to any IP address present in the disclosed data.




4. The Data Provider reserves the right to audit any derived results from the provided dataset to ascertain that these results are in accordance with the Researcher's obligations regarding the terms of the ICC/Researcher MOA agreement including the following additional term: Researcher agrees that the computing resources (such as a virtual machine's processing power, memory and network bandwidth) provided by the Data Host to the Researcher for downloading or processing the data are shared resources. Researcher thus agrees that the service for access to the requested data would be on a best effort basis. Should a virtual machine gets allocated by the Data Host to the Researcher for processing the requested data, the Researcher's account on that machine should remain active for a period not exceeding 6 months, unless otherwise agreed with the Data Provider and Data Host.

Description


Network scanning attributed to the Mirai worm. The worm infects IoT devices and tries to propagate by scanning for insecure Telnet channels.

In 2016, a worm called Mirai targeting Internet-of-Things (IoT) devices appeared in the Internet scene. The worm self-propagates by looking for open Telnet-listening channels running at    insecure IoT devices, and launching password "dictionary attacks" to gain login access to these devices. This dataset captures said scanning efforts, as collected by Merit's 35/8 network telescope (aka "darknet").    The Mirai worm source code,    released online by its author in September 2016, has a unique scanning fingerprint that lets us    identify these scanning efforts. In particular, Mirai sends 1) TCP SYN packets, 2) towards Telnet ports 23 and 2323, and 3) sets the TCP initial sequence number equal to the destination IP of the targeted host. We mined our Darknet data for this fingerprint to create this Mirai dataset. This dataset provides a lens into the thousands of infected IoT devices, presumably responsible for the volumetric, record-breaking DDoS (Distributed Denial of Service) attacks that occurred in September and October 2016 against Akamai (i.e., the attacks against a popular security-oriented blog site hosted by Akamai), the attacks targeting the OVH cloud provider and the attacks directed at Dyn.

Note: the first Mirai probe to TCP 23 with the Mirai fingerprint appeared on August 1st, 2016. The first probe to TCP 2323 with the Mirai fingerprint appeared on September 6th, 2016. For completeness, we provide the output of BPF-filtering (using the above Mirai fingerprint) of our PCAP-based darknet data for a few days prior to the Mirai outbreak; this output is just empty PCAP data.

Data format: PCAP. Access to the dataset is via Merit's secure enclaves.

Additional Details

2.7TB
false
false
dark web, transport layer protocols, tcp ip stack fingerprinting, darknet, clear text protocols, completeness, blog, packets, iot, history of the internet, attacks, telnet, content delivery network, internet protocol, akamai technologies, text, vmware thinapp, 717, network packet, file sharing, online services, august home, uniform resource identifier, dictionary attack, computer worm, worm, vmware, source code, transmission control protocol, cyberwarfare, home automation, history of computing, dynamic dns, smart device, cryptanalysis, merit network, inc., cybercrime, network analyzers, mirai scanning 2016, scanning, iot malware, scan, authentication and key agreement, cryptographic protocol, dos, world wide web, ddos, application layer protocols, market research, login, mirai, database application, pcap, cloud infrastructure attacks failures, cloud computing, malware, virtualization software, remote administration software, denial of service attack, centralized computing, network telescope, network architecture, geotargeting, darknet market, internet of things, virtual private network, dyn, botnet, internet relay chat, exploit
Mirai, IoT, scanning, scan, network telescope, darknet, ddos, telnet, malware, worm, Internet of Things, attacks,