LEGACY: Darknet Report

LAST UPDATED: 2021-06-07

LEGACY REPORT

Report discontinued. Replaced by: Darknet Events Report.

This report records observed traffic to darknet networks.

Darknets (also known as network telescopes) are unused sets of IP addresses that in theory should observe no traffic. In practice, however, a lot of traffic reaches such networks through activities such as Internet scanning, malware propagation, or backscatter from spoofed DDoS events, so these packets can often be classified immediately as suspicious or malicious. Packet fingerprinting can additionally be used to attribute such packets to the tools or malware sending them.

This report type was created as part of the EU Horizon 2020 SISSDEN Project.

Fields

  • timestamp
    Time that a packet was registered in UTC+0
  • ip
    The source IP registered (IP of sender)
  • port
    Source port
  • asn
    ASN announcing the source IP
  • geo
    Country where the source IP resides
  • region
    State / Province / Administrative region where the source IP resides
  • city
    City where the source IP resides
  • hostname
    PTR record of the source IP
  • type
    Additional information on activity type
  • dst_ip
    Destination IP of the packet (i.e., in the darknet)
  • dst_port
    Destination port
  • dst_asn
    ASN announcing the destination IP
  • dst_geo
    Country where the destination IP resides
  • count
    Packet count, if recorded
  • naics
    North American Industry Classification System Code of the source IP
  • sic
    Standard Industrial Classification System Code of the source IP
  • dst_naics
    North American Industry Classification System Code of the destination IP
  • dst_sic
    Standard Industrial Classification System Code of the destination IP
  • sector
    Sector the source IP belongs to
  • dst_sector
    Sector the destination IP belongs to
  • family
    Additional family classification of activity
  • tag
    Classification of activity; e.g., mirai-like
  • public_source
    Source of the data, for cases where the source accepts being credited

Sample

"timestamp","ip","port","asn","geo","region","city","hostname","type","dst_ip","dst_port","dst_asn","dst_geo","count","naics","sic","dst_naics","dst_sic","sector","dst_sector","family","tag","public_source"
"2018-10-29 00:00:22","192.0.2.7",,4134,"CN",,"GUANGZHOU","7.0.2.192.broad.gz.jx.dynamic.163data.com.cn",,,23,,,102,0,0,,,"Communications",,,"mirai-like","sissden"
"2018-10-29 05:01:31","192.0.2.145",,7922,"US","ILLINOIS","OAK LAWN","c-192.0.2.145.hsd1.il.comcast.net",,,80,,,5,518111,737401,,,"Commercial Facilities",,,"mirai-like","sissden"
"2018-10-29 10:29:42","198.51.100.176",,16135,"TR","ANKARA","CAGLAYAN MAH.",,,,5555,,,1,0,0,,,,,,"mirai-like","sissden"
"2018-10-29 13:02:13","198.51.100.203",,9121,"TR","OSMANIYE","AKKOPRU KOYU","198.51.100.203.static.ttnet.com.tr",,,23,,,1,0,0,,,,,,"mirai-like","sissden"
"2018-10-29 19:02:28","203.0.113.244",,18881,"BR","BAHIA","SALVADOR","203.0.113.244.dynamic.adsl.gvt.net.br",,,2323,,,3,0,0,,,,,,"mirai-like","sissden"

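A report in this format can be summarised by activity tag, destination port and announcing ASN. The following parser is an added example, not part of the original report documentation; the function names are hypothetical, and treating a missing count as one packet is an assumption.

```python
import csv
import io
from collections import defaultdict

# Header and rows copied from the Sample section above.
SAMPLE = '''\
"timestamp","ip","port","asn","geo","region","city","hostname","type","dst_ip","dst_port","dst_asn","dst_geo","count","naics","sic","dst_naics","dst_sic","sector","dst_sector","family","tag","public_source"
"2018-10-29 00:00:22","192.0.2.7",,4134,"CN",,"GUANGZHOU","7.0.2.192.broad.gz.jx.dynamic.163data.com.cn",,,23,,,102,0,0,,,"Communications",,,"mirai-like","sissden"
"2018-10-29 05:01:31","192.0.2.145",,7922,"US","ILLINOIS","OAK LAWN","c-192.0.2.145.hsd1.il.comcast.net",,,80,,,5,518111,737401,,,"Commercial Facilities",,,"mirai-like","sissden"
"2018-10-29 10:29:42","198.51.100.176",,16135,"TR","ANKARA","CAGLAYAN MAH.",,,,5555,,,1,0,0,,,,,,"mirai-like","sissden"
"2018-10-29 13:02:13","198.51.100.203",,9121,"TR","OSMANIYE","AKKOPRU KOYU","198.51.100.203.static.ttnet.com.tr",,,23,,,1,0,0,,,,,,"mirai-like","sissden"
"2018-10-29 19:02:28","203.0.113.244",,18881,"BR","BAHIA","SALVADOR","203.0.113.244.dynamic.adsl.gvt.net.br",,,2323,,,3,0,0,,,,,,"mirai-like","sissden"
'''

INT_FIELDS = ("port", "asn", "dst_port", "dst_asn")

def parse_report(text):
    """Yield one dict per report row, with numeric fields converted."""
    for row in csv.DictReader(io.StringIO(text)):
        # Empty CSV fields mean "not recorded"; represent them as None.
        rec = {k: (v if v != "" else None) for k, v in row.items()}
        for field in INT_FIELDS:
            if rec[field] is not None:
                rec[field] = int(rec[field])
        # Assumption: a row without a recorded count stands for one packet.
        rec["count"] = int(rec["count"]) if rec["count"] is not None else 1
        yield rec

def packets_by_tag_and_port(records):
    """Sum packet counts per (tag, dst_port) pair."""
    totals = defaultdict(int)
    for rec in records:
        totals[(rec["tag"], rec["dst_port"])] += rec["count"]
    return dict(totals)

def sources_by_asn(records):
    """Group source IPs by announcing ASN, e.g. to notify network owners."""
    groups = defaultdict(set)
    for rec in records:
        groups[rec["asn"]].add(rec["ip"])
    return {asn: sorted(ips) for asn, ips in groups.items()}

if __name__ == "__main__":
    records = list(parse_report(SAMPLE))
    for (tag, port), n in sorted(packets_by_tag_and_port(records).items()):
        print(f"{tag} dst_port={port} packets={n}")
    for asn, ips in sorted(sources_by_asn(records).items()):
        print(f"AS{asn}: {', '.join(ips)}")
```
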