LANDER:DoS DNS amplification-20130617
From Predict

README version: 3636, last modified: 2013-08-25.

This file describes the trace dataset "DoS_DNS_amplification-20130617"
provided by the LANDER project. The most recent version of this file can be
found on-line at
http://wiki.isi.edu/predict/index.php/LANDER:DoS_DNS_amplification-20130617.

LANDER Metadata
(http://wiki.isi.edu/predict/index.php/LANDER:DoS_DNS_amplification-20130617/landermeta)

+---------------------------------------------------------------------------------------------------------+
|dataSetName               |DoS_DNS_amplification-20130617                                                |
|--------------------------+------------------------------------------------------------------------------|
|status                    |usc-web-and-predict                                                           |
|--------------------------+------------------------------------------------------------------------------|
|shortDesc                 |DoS DNS Amplification Attack                                                  |
|--------------------------+------------------------------------------------------------------------------|
|longDesc                  |This dataset contains one DNS amplification/reflection attack, staged by      |
|                          |researchers between two sites (USC/ISI, Marina del Rey, California to CSU,    |
|                          |Fort Collins, Colorado). It lasts for about 10 minutes. Packet headers are    |
|                          |fully anonymized.                                                             |
|--------------------------+------------------------------------------------------------------------------|
|datasetCategory           |IP Packet Headers                                                             |
|--------------------------+------------------------------------------------------------------------------|
|datasetSubCategory        |USC Phase I IP Packet Header Data                                             |
|--------------------------+------------------------------------------------------------------------------|
|requestReviewRequired     |true                                                                          |
|--------------------------+------------------------------------------------------------------------------|
|productReviewRequired     |false                                                                         |
|--------------------------+------------------------------------------------------------------------------|
|ongoingMeasurement        |false                                                                         |
|--------------------------+------------------------------------------------------------------------------|
|collectionStartDate       |2013-06-17                                                                    |
|--------------------------+------------------------------------------------------------------------------|
|collectionStartTime       |21:52:45                                                                      |
|--------------------------+------------------------------------------------------------------------------|
|collectionEndDate         |2013-06-17                                                                    |
|--------------------------+------------------------------------------------------------------------------|
|collectionEndTime         |22:25:32                                                                      |
|--------------------------+------------------------------------------------------------------------------|
|availabilityStartDate     |                                                                              |
|--------------------------+------------------------------------------------------------------------------|
|availabilityStartTime     |                                                                              |
|--------------------------+------------------------------------------------------------------------------|
|availabilityEndDate       |                                                                              |
|--------------------------+------------------------------------------------------------------------------|
|availabilityEndTime       |                                                                              |
|--------------------------+------------------------------------------------------------------------------|
|anonymization             |true                                                                          |
|--------------------------+------------------------------------------------------------------------------|
|archivingAllowed          |                                                                              |
|--------------------------+------------------------------------------------------------------------------|
|keywords                  |packet-header, dos, one-time, full-IP-anonymization                           |
|--------------------------+------------------------------------------------------------------------------|
|format                    |dag                                                                           |
|--------------------------+------------------------------------------------------------------------------|
|access                    |https                                                                         |
|--------------------------+------------------------------------------------------------------------------|
|hostName                  |USC-LANDER                                                                    |
|--------------------------+------------------------------------------------------------------------------|
|privateAccessInstructions |See http://www.isi.edu/ant/traces/index.html#getting_datasets for information |
|                          |on obtaining this dataset.                                                    |
|                          |See                                                                           |
|                          |http://wiki.isi.edu/predict/index.php/LANDER:DoS_DNS_amplification-20130617   |
|                          |for details on this dataset.                                                  |
+---------------------------------------------------------------------------------------------------------+

Background

DNS amplification reflection attacks (described, for example, in the US-CERT
alert on this attack type) involve an attacker sending a flood of DNS ANY
requests to one or several DNS servers, while spoofing the source address to
that of the intended target. A poorly configured recursive DNS server will send
a much larger reply to the target, thus amplifying the attack.

We've staged such an attack between two sites we controlled: ISI/USC in Marina
Del Rey hosted 6 recursive DNS servers, and a single system at Colorado State
in Fort Collins was the intended target. Another system at ISI acted as the
attacker. In this staged attack, we anonymize and scrub all non-attack traffic.
Since the attack traffic was generated only as part of this experiment
(completely under the control of the experimenter), it is known not to have any
privacy concerns, and we preserve the payloads of traffic specific to the
attack.

Dataset Contents

  DoS_DNS_amplification-20130617.README.txt   copy of this README
  data/
      20130617-*.full.erf.bz2                 bzip2 compressed ERF network trace
      .sha1sum                                SHA-1 checksum
  named/
      named.conf                              configuration file for named
  snort/
      snort_rules                             snort rules file used to detect inbound attack
      snort_alerts.txt                        snort alerts (file name + CSV snort output)

Subdirectory "data" contains four bzipped ERF network traces collected by LANDER
running at the CSU (target) site. All IP addresses were fully anonymized using
prefix-preserving anonymization. The following anonymized IP addresses are of
interest:

  DNS Servers   145.233.157.224
                145.233.157.228
                145.233.157.232
                145.233.157.233
                145.233.157.234
                145.233.157.235
  Target        144.154.222.228
  Attacker      145.233.157.236   # probably not present in the traces, listed here for completeness

The file ".sha1sum" contains SHA1 checksums of the individual compressed files.
The integrity of the distribution can thus be checked by independently
calculating SHA1 sums of the files and comparing them with those listed in the
file. If you have the sha1sum utility installed on your system, you can do that
by executing:

  sha1sum --check .sha1sum

This has to be done before the files are uncompressed.

Subdirectory "snort" contains the snort rules used for attack detection and the
snort output for each file (CSV) in a simple text file.

Subdirectory "named" contains the BIND named config file used on the servers.

Data Format

All data files are in ERF format, compressed with GZIP. IP addresses were fully
anonymized.

Collection Method

All traffic entering the CSU site was captured by a system running LANDER. Raw
captured packets were run through SNORT running a custom rule detecting the
attack.
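The actual Snort rule ships in the snort/ subdirectory; the following Python is an added illustration (not the project's rule or code) of the traffic asymmetry such detection keys on: a host receiving many large DNS responses from port 53 that it never queried. The packet records are constructed, using the anonymized resolver and target addresses listed above plus a constructed second host 144.154.222.10; the 3200-byte response size, port numbers and thresholds are assumptions.

```python
from collections import defaultdict

# Anonymized addresses listed in this README: six recursive servers and the target.
RESOLVERS = ["145.233.157.224", "145.233.157.228", "145.233.157.232",
             "145.233.157.233", "145.233.157.234", "145.233.157.235"]
TARGET = "144.154.222.228"
LEGIT = "144.154.222.10"   # constructed host that makes a normal DNS lookup

# Constructed packet records (src, dst, sport, dport, ip_length), not trace data:
# 18 reflected responses hitting the target, which never sent a query, plus one
# ordinary 64-byte query from LEGIT and its modest answer.
PACKETS = [(r, TARGET, 53, 4444, 3200) for r in RESOLVERS] * 3 + [
    (LEGIT, RESOLVERS[0], 5353, 53, 64),
    (RESOLVERS[0], LEGIT, 53, 5353, 180),
]

def reflection_stats(packets):
    """Per host: bytes/packets of DNS responses received versus DNS queries sent,
    and the set of servers the responses came from."""
    stats = defaultdict(lambda: {"resp_pkts": 0, "resp_bytes": 0,
                                 "query_bytes": 0, "reflectors": set()})
    for src, dst, sport, dport, length in packets:
        if sport == 53:                  # response arriving at dst
            s = stats[dst]
            s["resp_pkts"] += 1
            s["resp_bytes"] += length
            s["reflectors"].add(src)
        elif dport == 53:                # query leaving src
            stats[src]["query_bytes"] += length
    return stats

def flag_reflection_victims(packets, min_resp_pkts=10, min_ratio=5.0):
    """Hosts whose inbound DNS response bytes exceed their own outbound query
    bytes by at least min_ratio (no queries at all counts as an infinite ratio).
    Returns {host: (ratio, number_of_distinct_reflectors)}."""
    victims = {}
    for host, s in reflection_stats(packets).items():
        if s["resp_pkts"] < min_resp_pkts:
            continue
        ratio = s["resp_bytes"] / s["query_bytes"] if s["query_bytes"] else float("inf")
        if ratio >= min_ratio:
            victims[host] = (ratio, len(s["reflectors"]))
    return victims

def attack_rate_bps(pkt_len_bytes, pps):
    """Bit rate of the flood before amplification; for the README's 64-byte
    packets at 400 pps this is 64*400*8 = 204800 bit/s (about 205 Kbps)."""
    return pkt_len_bytes * pps * 8
```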
The traces flagged in this way were scrubbed (user payloads removed, except for
our own generated attack traffic) and IP addresses were fully anonymized using
prefix-preserving anonymization.

Recursive Server Setup

We've included the named configuration file, named.conf, used in this setup.
Very few changes were made: aside from restricting the server, we just
increased the UDP and EDNS sizes.

Query Generation

To generate a query of type ANY, the following command was used:

  dig ANY isc.org @servername +notcp +bufsize=8192

where servername is the name or IP address of the recursive DNS name server.
We've captured the raw query using tcpdump, then replicated it multiple times
for each server.

Spoofing Source Addresses

We've used tcprewrite to modify (spoof) the source address of the query.

Executing Attack

The following tcpreplay command was executed:

  tcpreplay -i em1 --loop XXX --pps 400 --preload-pcap /path/to/pcap/file/with/queries.pcap

Thus, we replay queries at 400 packets per second, each packet containing a UDP
DNS query, directed to one of the 6 servers in round-robin fashion. Each IP
packet is 64 bytes long, thus the bit rate of the attack before
amplification/reflection is 64*400*8 = 204800 bps, i.e. about 205 Kbps.

Beginning/Ending Date and Time Zone

The attack starts at 22:00:12 and ends at 22:15:34. Dates/times specified in
the metadata and here are in UTC.

Citation

If you use this trace to conduct additional research, please cite it as:

  Scrambled Internet Trace Measurement dataset, PREDICT ID:
  USC-LANDER/DoS_DNS_amplification-20130617/rev3636. Traces taken 2013-06-17
  to 2013-06-17. Provided by the USC/LANDER project
  (http://www.isi.edu/ant/lander).

Results Using This Dataset

Traces similar to this one containing collections of "live" IP addresses have
been used in the following previously published work:

* Alefiya Hussain, Yuri Pradkin, and John Heidemann. Replay of Malicious
  Traffic in Network Testbeds.
  submitted to HST xxx

User Annotations

Suggestion: Edit the annotations at
http://wiki.isi.edu/predict/index.php?title=LANDERNOTES:DoS_DNS_amplification-20130617&action=edit

Currently no annotations.