Introduction

This report records traffic observed reaching darknet networks. Darknets (also known as network telescopes) are unused sets of IP addresses, which in theory should observe no traffic. In practice, however, a lot of traffic reaches such networks due to activities such as Internet scanning, malware propagation or backscatter from spoofed DDoS events, which means these packets can often be immediately classified as suspicious or malicious. Additional packet fingerprinting measures can be employed to attribute the tools or malware sending out such packets.

Acknowledgement

This report type was created as part of the EU Horizon 2020 SISSDEN Project.

Fields

Field          Description
timestamp      Time that a packet was registered in UTC+0
ip             The source IP registered (IP of sender)
port           Source port
asn            ASN announcing the source IP
geo            Country where the source IP resides
region         State / Province / Administrative region where the source IP resides
city           City where the source IP resides
hostname       PTR record of the source IP
type           Additional information on activity type
dst_ip         Destination IP of the packet (i.e. in the darknet)
dst_port       Destination port
dst_asn        ASN announcing the destination IP
dst_geo        Country where the destination IP resides
count          Packet count, if recorded
naics          North American Industry Classification System Code of the source IP
sic            Standard Industrial Classification System Code of the source IP
dst_naics      North American Industry Classification System Code of the destination IP
dst_sic        Standard Industrial Classification System Code of the destination IP
sector         Sector the source IP belongs to
dst_sector     Sector the destination IP belongs to
family         Additional family classification of activity
tag            Classification of activity, e.g. mirai-like
public_source  Source of the data, for cases where the source accepts being credited

Sample

"timestamp","ip","port","asn","geo","region","city","hostname","type","dst_ip","dst_port","dst_asn","dst_geo","count","naics","sic","dst_naics","dst_sic","sector","dst_sector","family","tag","public_source"
"2018-10-29 00:00:22","192.0.2.7",,4134,"CN",,"GUANGZHOU","7.0.2.192.broad.gz.jx.dynamic.163data.com.cn",,,23,,,102,0,0,,,"Communications",,,"mirai-like","sissden"
"2018-10-29 05:01:31","192.0.2.145",,7922,"US","ILLINOIS","OAK LAWN","c-192.0.2.145.hsd1.il.comcast.net",,,80,,,5,518111,737401,,,"Commercial Facilities",,,"mirai-like","sissden"
"2018-10-29 10:29:42","198.51.100.176",,16135,"TR","ANKARA","CAGLAYAN MAH.",,,,5555,,,1,0,0,,,,,,"mirai-like","sissden"
"2018-10-29 13:02:13","198.51.100.203",,9121,"TR","OSMANIYE","AKKOPRU KOYU","198.51.100.203.static.ttnet.com.tr",,,23,,,1,0,0,,,,,,"mirai-like","sissden"
"2018-10-29 19:02:28","203.0.113.244",,18881,"BR","BAHIA","SALVADOR","203.0.113.244.dynamic.adsl.gvt.net.br",,,2323,,,3,0,0,,,,,,"mirai-like","sissden"

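For a recipient triaging this report, the rows usually need to be grouped by source IP, since one host can appear many times. The following is an added example, not part of the original report documentation or any official tooling: it parses the CSV layout shown above and summarises each source. The function names, the third (constructed) row and the choice to count a blank "count" as one packet are assumptions.

```python
import csv
import io
from datetime import datetime

HEADER = ('"timestamp","ip","port","asn","geo","region","city","hostname","type",'
          '"dst_ip","dst_port","dst_asn","dst_geo","count","naics","sic","dst_naics",'
          '"dst_sic","sector","dst_sector","family","tag","public_source"')
# The first two rows are copied from the Sample section. The third is constructed:
# same source IP as the first, blank "count", to exercise aggregation.
ROWS = [
    '"2018-10-29 00:00:22","192.0.2.7",,4134,"CN",,"GUANGZHOU","7.0.2.192.broad.gz.jx.dynamic.163data.com.cn",,,23,,,102,0,0,,,"Communications",,,"mirai-like","sissden"',
    '"2018-10-29 10:29:42","198.51.100.176",,16135,"TR","ANKARA","CAGLAYAN MAH.",,,,5555,,,1,0,0,,,,,,"mirai-like","sissden"',
    '"2018-10-29 00:05:00","192.0.2.7",,4134,"CN",,"GUANGZHOU",,,,2323,,,,0,0,,,"Communications",,,"mirai-like","sissden"',
]
SAMPLE = "\n".join([HEADER] + ROWS) + "\n"


def summarise(report_text):
    """Group report rows by source IP: packets, destination ports, tags, time span."""
    hosts = {}
    for row in csv.DictReader(io.StringIO(report_text)):
        seen = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")  # UTC+0 per the field table
        h = hosts.setdefault(row["ip"], {"packets": 0, "dst_ports": set(),
                                         "tags": set(), "first": seen, "last": seen})
        # "count" is only filled in "if recorded"; a blank is counted as 1 (assumption).
        h["packets"] += int(row["count"]) if row["count"] else 1
        if row["dst_port"]:
            h["dst_ports"].add(int(row["dst_port"]))
        if row["tag"]:
            h["tags"].add(row["tag"])
        h["first"] = min(h["first"], seen)
        h["last"] = max(h["last"], seen)
    return hosts


def sources_with_tag(hosts, tag):
    """Source IPs carrying the given tag, busiest first."""
    matching = [ip for ip, h in hosts.items() if tag in h["tags"]]
    return sorted(matching, key=lambda ip: -hosts[ip]["packets"])


if __name__ == "__main__":
    hosts = summarise(SAMPLE)
    for ip in sources_with_tag(hosts, "mirai-like"):
        h = hosts[ip]
        print(ip, h["packets"], sorted(h["dst_ports"]), h["first"], h["last"])
```
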