diff --git a/README.md b/README.md index 5baf941..bd6564e 100644 --- a/README.md +++ b/README.md @@ -17,11 +17,6 @@ As an example, labels created by the provider for the B/B_Root_Anomaly-20190907/provider-uscisiant -When citing labels, please use the label name (omit "provider" if present) -and dataset name. For example provider-uscisiant labels from the above -example could be cited as "uscisiant labels for B_Root_Anomaly-20190907 -dataset". - In each subdirectory containing labels, please refer to the specific README file that describes the associated labels or tools to create the labels and how to use them. @@ -46,3 +41,10 @@ tools from the "tools/usc-isi-antlab/ddos" directory and are referenced in the B/B_Root_Anomaly-20190907/provider/README.md file. These are generic tools that are used for many of the datasets prefixed with /B_Root_Anomaly-/. + +## Citing labels + +When citing labels, please use the label name (omit "provider" if present) +and dataset name. For example provider-uscisiant labels from the above +example could be cited as "uscisiant labels for B_Root_Anomaly-20190907 +dataset". diff --git a/ddos_hackathon-20200511/provider-peakflow/README.md b/ddos_hackathon-20200511/provider-peakflow/README.md new file mode 100644 index 0000000..1504071 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/README.md 
@@ -0,0 +1,29 @@ +# Provenance information + +Peakflow (now NetScout) appliance was running at FRGP network during +dataset collection and it was generating alerts, which we collected +as well. We pre-filtered these alerts to keep only reflection DDoS +attacks and we have anonymized the alerts to match the dataset +anonymization. Each alert shows the epoch start and stop time of +the attack, and the attack type(s) as reported by Peakflow. The +start time is the actual attack detection time and the stop time +is when the mitigation was stopped. + +# Tools required for generating labels + +The provider (usc-isi) has produced the tool to use the provided +event labels in this folder and Netflow data from the dataset to +produce per-flow labels (B for benign, A for attack). The tool prints +output of nfdump -o pipe and attaches the label at the end of the line. +The tool can be found in /tools/usc-isi/netflow-ddos/ directory +in the COMUNDA git repository. Please refer to the +README.md file in that directory for how to run the tool. The +instructions below describe how to use the tool to generate the +provider given labels for this dataset. + + +# How to run the labeling code + +``` +perl tag_flows.pl path-to-folder-w-netflow path-to-this-folder +``` \ No newline at end of file diff --git a/ddos_hackathon-20200511/provider-peakflow/README.md~ b/ddos_hackathon-20200511/provider-peakflow/README.md~ new file mode 100644 index 0000000..370ae19 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/README.md~ 
@@ -0,0 +1,29 @@ +# Provenance information + +Peakflow (now NetScout) appliance was running at FRGP network during +dataset collection and it was generating alerts, which we collected +as well. We pre-filtered these alerts to keep only reflection DDoS +attacks and we have anonymized the alerts to match the dataset +anonymization. Each alert shows the epoch start and stop time of +the attack, and the attack type(s) as reported by Peakflow. The +start time is the actual attack detection time and the stop time +is when the mitigation was stopped. + +# Tools required for generating labels + +The provider (usc-isi) has produced the tool to use the provided +event labels in this folder and Netflow data from the dataset to +produce per-flow labels (B for benign, A for attack). The tool prints +output of nfdump -o pipe and attaches the label at the end of the line. +The tool can be found in /tools/usc-isi/netflow-ddos/ directory +in the COMUNDA git repository. Please refer to the +README.md file in that directory for how to run the tool. The +instructions below describe how to use the tool to generate the +provider given labels for this dataset. + + +# How to run the labeling code + +``` +perl tag_flows.pl tag -s 1581581100 -e 1581581360 -r -E sin -q 8.8.8.8 +``` \ No newline at end of file diff --git a/ddos_hackathon-20200511/provider-peakflow/aug/peak.1 b/ddos_hackathon-20200511/provider-peakflow/aug/peak.1 new file mode 100644 index 0000000..788be71 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/aug/peak.1 @@ -0,0 +1,4 @@ +Target 17.20.107.182 +start 1598219145 +end 1598219391 +type mDNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/aug/peak.10 b/ddos_hackathon-20200511/provider-peakflow/aug/peak.10 new file mode 100644 index 0000000..f1ff497 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/aug/peak.10 @@ -0,0 +1,4 @@ +Target 17.20.122.67 +start 1597986765 +end 1597987014 +type NTPAmplification 
diff --git a/ddos_hackathon-20200511/provider-peakflow/aug/peak.11 b/ddos_hackathon-20200511/provider-peakflow/aug/peak.11 new file mode 100644 index 0000000..9980c11 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/aug/peak.11 @@ -0,0 +1,4 @@ +Target 17.77.201.1 +start 1598572185 +end 1598572671 +type UDP IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/aug/peak.12 b/ddos_hackathon-20200511/provider-peakflow/aug/peak.12 new file mode 100644 index 0000000..6646d36 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/aug/peak.12 @@ -0,0 +1,4 @@ +Target 17.77.52.118 +start 1598572097 +end 1598572397 +type UDP IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/aug/peak.2 b/ddos_hackathon-20200511/provider-peakflow/aug/peak.2 new file mode 100644 index 0000000..dabf0e6 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/aug/peak.2 @@ -0,0 +1,4 @@ +Target 26.27.154.249 +start 1598542091 +end 1598542371 +type DNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/aug/peak.3 b/ddos_hackathon-20200511/provider-peakflow/aug/peak.3 new file mode 100644 index 0000000..540767c --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/aug/peak.3 @@ -0,0 +1,4 @@ +Target 17.20.127.110 +start 1598543745 +end 1598544291 +type mDNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/aug/peak.4 b/ddos_hackathon-20200511/provider-peakflow/aug/peak.4 new file mode 100644 index 0000000..98e6a9f --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/aug/peak.4 @@ -0,0 +1,4 @@ +Target 116.231.92.155 +start 1597777605 +end 1597778095 +type CLDAPAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/aug/peak.5 b/ddos_hackathon-20200511/provider-peakflow/aug/peak.5 new file mode 100644 index 0000000..f2b0278 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/aug/peak.5 
@@ -0,0 +1,4 @@ +Target 16.73.76.89 +start 1597888485 +end 1597888792 +type CLDAPAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/aug/peak.6 b/ddos_hackathon-20200511/provider-peakflow/aug/peak.6 new file mode 100644 index 0000000..f27b853 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/aug/peak.6 @@ -0,0 +1,4 @@ +Target 17.20.123.89 +start 1598045205 +end 1598045693 +type CLDAPAmplification IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/aug/peak.7 b/ddos_hackathon-20200511/provider-peakflow/aug/peak.7 new file mode 100644 index 0000000..7bc49f5 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/aug/peak.7 @@ -0,0 +1,4 @@ +Target 17.20.120.126 +start 1598597925 +end 1598598292 +type UDP CLDAPAmplification IPFragmentation TotalTraffic DNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/aug/peak.8 b/ddos_hackathon-20200511/provider-peakflow/aug/peak.8 new file mode 100644 index 0000000..17424b1 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/aug/peak.8 @@ -0,0 +1,4 @@ +Target 17.20.120.126 +start 1598661332 +end 1598662133 +type IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/aug/peak.9 b/ddos_hackathon-20200511/provider-peakflow/aug/peak.9 new file mode 100644 index 0000000..d5d8dcf --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/aug/peak.9 @@ -0,0 +1,4 @@ +Target 26.14.91.190 +start 1597811745 +end 1597812113 +type chargenAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/may/peak.1 b/ddos_hackathon-20200511/provider-peakflow/may/peak.1 new file mode 100644 index 0000000..b144ff3 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/may/peak.1 @@ -0,0 +1,4 @@ +Target 46.148.120.155 +start 1589247121 +end 1589247471 +type IPFragmentation DNSAmplification 
diff --git a/ddos_hackathon-20200511/provider-peakflow/may/peak.10 b/ddos_hackathon-20200511/provider-peakflow/may/peak.10 new file mode 100644 index 0000000..124571e --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/may/peak.10 @@ -0,0 +1,4 @@ +Target 46.148.123.147 +start 1589603325 +end 1589603739 +type IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/may/peak.11 b/ddos_hackathon-20200511/provider-peakflow/may/peak.11 new file mode 100644 index 0000000..7689030 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/may/peak.11 @@ -0,0 +1,4 @@ +Target 46.148.120.155 +start 1589328634 +end 1589329180 +type IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/may/peak.12 b/ddos_hackathon-20200511/provider-peakflow/may/peak.12 new file mode 100644 index 0000000..18892ce --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/may/peak.12 @@ -0,0 +1,4 @@ +Target 113.41.244.95 +start 1589271345 +end 1589271645 +type ICMP diff --git a/ddos_hackathon-20200511/provider-peakflow/may/peak.13 b/ddos_hackathon-20200511/provider-peakflow/may/peak.13 new file mode 100644 index 0000000..ee9acb5 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/may/peak.13 @@ -0,0 +1,4 @@ +Target 113.41.244.95 +start 1589289558 +end 1589297143 +type TCPSYN/ACKAmplification ICMP diff --git a/ddos_hackathon-20200511/provider-peakflow/may/peak.14 b/ddos_hackathon-20200511/provider-peakflow/may/peak.14 new file mode 100644 index 0000000..91da004 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/may/peak.14 @@ -0,0 +1,4 @@ +Target 113.41.244.95 +start 1589297180 +end 1589297564 +type TCPSYN/ACKAmplification TotalTraffic ICMP diff --git a/ddos_hackathon-20200511/provider-peakflow/may/peak.15 b/ddos_hackathon-20200511/provider-peakflow/may/peak.15 new file mode 100644 index 0000000..c7cdaf5 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/may/peak.15 
@@ -0,0 +1,4 @@ +Target 113.41.244.95 +start 1589297610 +end 1589298043 +type TCPSYN/ACKAmplification TotalTraffic ICMP diff --git a/ddos_hackathon-20200511/provider-peakflow/may/peak.16 b/ddos_hackathon-20200511/provider-peakflow/may/peak.16 new file mode 100644 index 0000000..717616a --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/may/peak.16 @@ -0,0 +1,4 @@ +Target 113.41.244.95 +start 1589298091 +end 1589298463 +type ICMP diff --git a/ddos_hackathon-20200511/provider-peakflow/may/peak.17 b/ddos_hackathon-20200511/provider-peakflow/may/peak.17 new file mode 100644 index 0000000..f3dec34 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/may/peak.17 @@ -0,0 +1,4 @@ +Target 113.41.244.95 +start 1589298501 +end 1589298883 +type ICMP diff --git a/ddos_hackathon-20200511/provider-peakflow/may/peak.18 b/ddos_hackathon-20200511/provider-peakflow/may/peak.18 new file mode 100644 index 0000000..a0c9fb7 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/may/peak.18 @@ -0,0 +1,4 @@ +Target 113.41.244.95 +start 1589298912 +end 1589299303 +type ICMP diff --git a/ddos_hackathon-20200511/provider-peakflow/may/peak.19 b/ddos_hackathon-20200511/provider-peakflow/may/peak.19 new file mode 100644 index 0000000..0264634 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/may/peak.19 @@ -0,0 +1,4 @@ +Target 113.41.244.95 +start 1589299344 +end 1589299723 +type ICMP diff --git a/ddos_hackathon-20200511/provider-peakflow/may/peak.2 b/ddos_hackathon-20200511/provider-peakflow/may/peak.2 new file mode 100644 index 0000000..8934f71 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/may/peak.2 @@ -0,0 +1,4 @@ +Target 113.41.244.95 +start 1589246985 +end 1589247285 +type ICMP diff --git a/ddos_hackathon-20200511/provider-peakflow/may/peak.20 b/ddos_hackathon-20200511/provider-peakflow/may/peak.20 new file mode 100644 index 0000000..0cce803 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/may/peak.20 
@@ -0,0 +1,4 @@ +Target 113.41.244.95 +start 1589299760 +end 1589300143 +type ICMP diff --git a/ddos_hackathon-20200511/provider-peakflow/may/peak.21 b/ddos_hackathon-20200511/provider-peakflow/may/peak.21 new file mode 100644 index 0000000..4d87e20 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/may/peak.21 @@ -0,0 +1,4 @@ +Target 113.41.244.95 +start 1589300174 +end 1589302901 +type ICMP diff --git a/ddos_hackathon-20200511/provider-peakflow/may/peak.22 b/ddos_hackathon-20200511/provider-peakflow/may/peak.22 new file mode 100644 index 0000000..11a0e90 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/may/peak.22 @@ -0,0 +1,4 @@ +Target 113.41.244.95 +start 1589302937 +end 1589303320 +type TCPSYN/ACKAmplification ICMP diff --git a/ddos_hackathon-20200511/provider-peakflow/may/peak.23 b/ddos_hackathon-20200511/provider-peakflow/may/peak.23 new file mode 100644 index 0000000..4476bf8 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/may/peak.23 @@ -0,0 +1,4 @@ +Target 40.40.133.46 +start 1589509363 +end 1589509660 +type CLDAPAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/may/peak.3 b/ddos_hackathon-20200511/provider-peakflow/may/peak.3 new file mode 100644 index 0000000..47ed524 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/may/peak.3 @@ -0,0 +1,4 @@ +Target 16.52.125.25 +start 1589281845 +end 1589282145 +type CLDAPAmplification IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/may/peak.4 b/ddos_hackathon-20200511/provider-peakflow/may/peak.4 new file mode 100644 index 0000000..1ff3bc8 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/may/peak.4 @@ -0,0 +1,4 @@ +Target 113.41.244.95 +start 1589268498 +end 1589268798 +type ICMP diff --git a/ddos_hackathon-20200511/provider-peakflow/may/peak.5 b/ddos_hackathon-20200511/provider-peakflow/may/peak.5 new file mode 100644 index 0000000..455c995 --- /dev/null 
+++ b/ddos_hackathon-20200511/provider-peakflow/may/peak.5 @@ -0,0 +1,4 @@ +Target 16.52.125.25 +start 1589358449 +end 1589358820 +type IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/may/peak.6 b/ddos_hackathon-20200511/provider-peakflow/may/peak.6 new file mode 100644 index 0000000..1b6bcf6 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/may/peak.6 @@ -0,0 +1,4 @@ +Target 40.40.133.46 +start 1589509005 +end 1589509300 +type CLDAPAmplification DNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/may/peak.7 b/ddos_hackathon-20200511/provider-peakflow/may/peak.7 new file mode 100644 index 0000000..74236a9 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/may/peak.7 @@ -0,0 +1,4 @@ +Target 113.41.244.95 +start 1589673765 +end 1589674059 +type TCPRST diff --git a/ddos_hackathon-20200511/provider-peakflow/may/peak.8 b/ddos_hackathon-20200511/provider-peakflow/may/peak.8 new file mode 100644 index 0000000..90b013a --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/may/peak.8 @@ -0,0 +1,4 @@ +Target 26.27.120.177 +start 1589658703 +end 1589659180 +type CLDAPAmplification IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/may/peak.9 b/ddos_hackathon-20200511/provider-peakflow/may/peak.9 new file mode 100644 index 0000000..1b6bcf6 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/may/peak.9 @@ -0,0 +1,4 @@ +Target 40.40.133.46 +start 1589509005 +end 1589509300 +type CLDAPAmplification DNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.1 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.1 new file mode 100644 index 0000000..9f054f5 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.1 @@ -0,0 +1,4 @@ +Target 116.254.8.57 +start 1599762285 +end 1599762790 +type IPFragmentation DNSAmplification 
diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.10 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.10 new file mode 100644 index 0000000..868618c --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.10 @@ -0,0 +1,4 @@ +Target 17.20.116.236 +start 1599976545 +end 1599977032 +type CLDAPAmplification IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.11 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.11 new file mode 100644 index 0000000..8398b71 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.11 @@ -0,0 +1,4 @@ +Target 17.20.116.236 +start 1600023226 +end 1600023620 +type NTPAmplification UDP TotalTraffic diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.12 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.12 new file mode 100644 index 0000000..6a3f83f --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.12 @@ -0,0 +1,4 @@ +Target 17.20.116.236 +start 1600036425 +end 1600036940 +type NTPAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.13 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.13 new file mode 100644 index 0000000..6a3f83f --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.13 @@ -0,0 +1,4 @@ +Target 17.20.116.236 +start 1600036425 +end 1600036940 +type NTPAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.14 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.14 new file mode 100644 index 0000000..7f25f42 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.14 @@ -0,0 +1,4 @@ +Target 17.20.116.236 +start 1600037445 +end 1600038080 +type NTPAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.15 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.15 new file mode 100644 index 0000000..7f25f42 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.15 
@@ -0,0 +1,4 @@ +Target 17.20.116.236 +start 1600037445 +end 1600038080 +type NTPAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.16 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.16 new file mode 100644 index 0000000..d7973be --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.16 @@ -0,0 +1,4 @@ +Target 17.20.116.236 +start 1600121725 +end 1600122430 +type IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.17 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.17 new file mode 100644 index 0000000..9b56488 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.17 @@ -0,0 +1,4 @@ +Target 17.94.222.59 +start 1600146151 +end 1600147690 +type UDP IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.18 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.18 new file mode 100644 index 0000000..9b56488 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.18 @@ -0,0 +1,4 @@ +Target 17.94.222.59 +start 1600146151 +end 1600147690 +type UDP IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.19 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.19 new file mode 100644 index 0000000..b1c0dcb --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.19 @@ -0,0 +1,4 @@ +Target 17.20.127.115 +start 1600155705 +end 1600156210 +type CLDAPAmplification IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.2 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.2 new file mode 100644 index 0000000..af8fe25 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.2 @@ -0,0 +1,4 @@ +Target 116.254.8.57 +start 1599764968 +end 1599765268 +type CLDAPAmplification IPFragmentation 
diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.20 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.20 new file mode 100644 index 0000000..84e4e23 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.20 @@ -0,0 +1,4 @@ +Target 17.20.127.115 +start 1600200765 +end 1600201039 +type CLDAPAmplification DNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.21 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.21 new file mode 100644 index 0000000..4b605b8 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.21 @@ -0,0 +1,4 @@ +Target 17.20.127.115 +start 1600203105 +end 1600203620 +type DNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.22 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.22 new file mode 100644 index 0000000..dda08e5 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.22 @@ -0,0 +1,4 @@ +Target 17.20.123.4 +start 1599944504 +end 1599944812 +type IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.23 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.23 new file mode 100644 index 0000000..d7973be --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.23 @@ -0,0 +1,4 @@ +Target 17.20.116.236 +start 1600121725 +end 1600122430 +type IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.24 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.24 new file mode 100644 index 0000000..904b411 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.24 @@ -0,0 +1,4 @@ +Target 17.20.127.115 +start 1600330524 +end 1600330939 +type IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.25 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.25 new file mode 100644 index 0000000..9f0139f --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.25 
@@ -0,0 +1,4 @@ +Target 17.20.107.182 +start 1600355767 +end 1600356079 +type DNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.26 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.26 new file mode 100644 index 0000000..ef5f000 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.26 @@ -0,0 +1,4 @@ +Target 17.20.123.4 +start 1600376554 +end 1600377500 +type IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.27 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.27 new file mode 100644 index 0000000..8cb13b9 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.27 @@ -0,0 +1,4 @@ +Target 17.20.127.115 +start 1600402425 +end 1600402939 +type CLDAPAmplification IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.28 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.28 new file mode 100644 index 0000000..3fc24aa --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.28 @@ -0,0 +1,4 @@ +Target 17.20.127.115 +start 1600406080 +end 1600406720 +type IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.29 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.29 new file mode 100644 index 0000000..3fc24aa --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.29 @@ -0,0 +1,4 @@ +Target 17.20.127.115 +start 1600406080 +end 1600406720 +type IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.3 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.3 new file mode 100644 index 0000000..f63d01e --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.3 @@ -0,0 +1,4 @@ +Target 17.20.116.236 +start 1599779257 +end 1599779550 +type IPFragmentation DNSAmplification 
diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.30 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.30 new file mode 100644 index 0000000..b58adf0 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.30 @@ -0,0 +1,4 @@ +Target 17.20.127.115 +start 1600406948 +end 1600407440 +type UDP IPFragmentation TotalTraffic DNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.31 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.31 new file mode 100644 index 0000000..3a38888 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.31 @@ -0,0 +1,4 @@ +Target 17.20.127.115 +start 1600424325 +end 1600425079 +type CLDAPAmplification IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.32 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.32 new file mode 100644 index 0000000..3a38888 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.32 @@ -0,0 +1,4 @@ +Target 17.20.127.115 +start 1600424325 +end 1600425079 +type CLDAPAmplification IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.33 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.33 new file mode 100644 index 0000000..5454579 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.33 @@ -0,0 +1,4 @@ +Target 17.20.107.182 +start 1600445485 +end 1600445780 +type DNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.34 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.34 new file mode 100644 index 0000000..95db3f2 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.34 @@ -0,0 +1,4 @@ +Target 17.20.107.182 +start 1600446920 +end 1600447221 +type mDNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.35 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.35 new file mode 100644 index 0000000..ee16db2 --- /dev/null 
+++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.35 @@ -0,0 +1,4 @@ +Target 17.20.127.115 +start 1600465665 +end 1600465965 +type IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.36 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.36 new file mode 100644 index 0000000..35e1716 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.36 @@ -0,0 +1,4 @@ +Target 17.20.127.115 +start 1600466325 +end 1600466600 +type DNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.37 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.37 new file mode 100644 index 0000000..891cb2e --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.37 @@ -0,0 +1,4 @@ +Target 17.94.217.113 +start 1600495965 +end 1600496419 +type CLDAPAmplification IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.38 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.38 new file mode 100644 index 0000000..fd035f4 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.38 @@ -0,0 +1,4 @@ +Target 17.20.127.115 +start 1600507178 +end 1600507700 +type IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.39 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.39 new file mode 100644 index 0000000..3509873 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.39 @@ -0,0 +1,4 @@ +Target 16.52.239.211 +start 1600545045 +end 1600545439 +type CLDAPAmplification IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.4 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.4 new file mode 100644 index 0000000..a9d5d66 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.4 @@ -0,0 +1,4 @@ +Target 17.20.116.236 +start 1599780704 +end 1599781230 +type CLDAPAmplification IPFragmentation DNSAmplification 
diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.40 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.40 new file mode 100644 index 0000000..43bc9b8 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.40 @@ -0,0 +1,4 @@ +Target 16.73.75.144 +start 1600554285 +end 1600554619 +type CLDAPAmplification IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.41 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.41 new file mode 100644 index 0000000..5e9e2e7 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.41 @@ -0,0 +1,4 @@ +Target 17.20.127.115 +start 1600583985 +end 1600584499 +type CLDAPAmplification IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.42 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.42 new file mode 100644 index 0000000..262b1a7 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.42 @@ -0,0 +1,4 @@ +Target 16.52.238.235 +start 1600586745 +end 1600587259 +type CLDAPAmplification DNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.43 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.43 new file mode 100644 index 0000000..203e88d --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.43 @@ -0,0 +1,4 @@ +Target 113.92.254.108 +start 1600592385 +end 1600592839 +type UDP CLDAPAmplification IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.44 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.44 new file mode 100644 index 0000000..3c0385f --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.44 @@ -0,0 +1,4 @@ +Target 17.20.127.115 +start 1600598925 +end 1600599379 +type CLDAPAmplification IPFragmentation DNSAmplification 
diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.45 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.45 new file mode 100644 index 0000000..83aacad --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.45 @@ -0,0 +1,4 @@ +Target 16.52.236.140 +start 1600639960 +end 1600640540 +type UDP CLDAPAmplification IPFragmentation TotalTraffic DNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.46 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.46 new file mode 100644 index 0000000..ef5f000 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.46 @@ -0,0 +1,4 @@ +Target 17.20.123.4 +start 1600376554 +end 1600377500 +type IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.47 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.47 new file mode 100644 index 0000000..bd058b2 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.47 @@ -0,0 +1,4 @@ +Target 18.214.227.240 +start 1600642651 +end 1600642940 +type CLDAPAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.48 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.48 new file mode 100644 index 0000000..3be2ed2 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.48 @@ -0,0 +1,4 @@ +Target 17.20.127.115 +start 1600675305 +end 1600675819 +type CLDAPAmplification IPFragmentation diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.49 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.49 new file mode 100644 index 0000000..b24021a --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.49 @@ -0,0 +1,4 @@ +Target 17.20.127.115 +start 1600679685 +end 1600680200 +type CLDAPAmplification IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.5 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.5 new file mode 100644 index 0000000..04c869c --- /dev/null 
+++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.5 @@ -0,0 +1,4 @@ +Target 17.20.116.236 +start 1599791691 +end 1599792389 +type UDP CLDAPAmplification IPFragmentation TotalTraffic diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.50 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.50 new file mode 100644 index 0000000..05bf11a --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.50 @@ -0,0 +1,4 @@ +Target 17.20.123.4 +start 1600661374 +end 1600661660 +type DNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.51 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.51 new file mode 100644 index 0000000..41cb7f1 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.51 @@ -0,0 +1,4 @@ +Target 17.20.123.4 +start 1600712025 +end 1600712540 +type CLDAPAmplification IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.52 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.52 new file mode 100644 index 0000000..add59a0 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.52 @@ -0,0 +1,4 @@ +Target 18.214.227.252 +start 1600713029 +end 1600713380 +type IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.53 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.53 new file mode 100644 index 0000000..75bed15 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.53 @@ -0,0 +1,4 @@ +Target 17.20.123.4 +start 1600752885 +end 1600754060 +type CLDAPAmplification IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.54 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.54 new file mode 100644 index 0000000..75bed15 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.54 @@ -0,0 +1,4 @@ +Target 17.20.123.4 +start 1600752885 +end 1600754060 +type CLDAPAmplification IPFragmentation DNSAmplification 
diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.55 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.55 new file mode 100644 index 0000000..d3b80ed --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.55 @@ -0,0 +1,4 @@ +Target 17.20.127.115 +start 1600756065 +end 1600756580 +type CLDAPAmplification IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.56 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.56 new file mode 100644 index 0000000..d9c15e5 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.56 @@ -0,0 +1,4 @@ +Target 16.52.149.150 +start 1600799745 +end 1600800019 +type L2TPAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.57 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.57 new file mode 100644 index 0000000..f47d839 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.57 @@ -0,0 +1,4 @@ +Target 123.126.19.109 +start 1600816037 +end 1600816700 +type UDP IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.58 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.58 new file mode 100644 index 0000000..d7ee13a --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.58 @@ -0,0 +1,4 @@ +Target 26.27.172.145 +start 1600719345 +end 1600719860 +type CLDAPAmplification IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.59 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.59 new file mode 100644 index 0000000..760eeb0 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.59 @@ -0,0 +1,4 @@ +Target 16.52.233.72 +start 1600745157 +end 1600746500 +type NTPAmplification UDP diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.6 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.6 new file mode 100644 index 0000000..04c869c --- /dev/null 
+++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.6 @@ -0,0 +1,4 @@ +Target 17.20.116.236 +start 1599791691 +end 1599792389 +type UDP CLDAPAmplification IPFragmentation TotalTraffic diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.60 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.60 new file mode 100644 index 0000000..80622bd --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.60 @@ -0,0 +1,4 @@ +Target 16.52.239.247 +start 1600063785 +end 1600064064 +type DNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.61 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.61 new file mode 100644 index 0000000..ff21c65 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.61 @@ -0,0 +1,4 @@ +Target 16.52.236.140 +start 1600663245 +end 1600663579 +type UDP IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.62 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.62 new file mode 100644 index 0000000..b42914e --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.62 @@ -0,0 +1,4 @@ +Target 17.20.123.89 +start 1600641635 +end 1600641980 +type IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.63 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.63 new file mode 100644 index 0000000..75bed15 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.63 @@ -0,0 +1,4 @@ +Target 17.20.123.4 +start 1600752885 +end 1600754060 +type CLDAPAmplification IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.64 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.64 new file mode 100644 index 0000000..0a20f1c --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.64 @@ -0,0 +1,4 @@ +Target 17.94.205.139 +start 1599758745 +end 1599759129 +type CLDAPAmplification IPFragmentation DNSAmplification 
diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.65 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.65 new file mode 100644 index 0000000..f47d839 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.65 @@ -0,0 +1,4 @@ +Target 123.126.19.109 +start 1600816037 +end 1600816700 +type UDP IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.7 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.7 new file mode 100644 index 0000000..a942a74 --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.7 @@ -0,0 +1,4 @@ +Target 17.20.116.236 +start 1599863543 +end 1599863992 +type CLDAPAmplification IPFragmentation diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.8 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.8 new file mode 100644 index 0000000..5cfb1fb --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.8 @@ -0,0 +1,4 @@ +Target 17.20.127.104 +start 1599971899 +end 1599972199 +type NTPAmplification CLDAPAmplification IPFragmentation diff --git a/ddos_hackathon-20200511/provider-peakflow/sep/peak.9 b/ddos_hackathon-20200511/provider-peakflow/sep/peak.9 new file mode 100644 index 0000000..be20bac --- /dev/null +++ b/ddos_hackathon-20200511/provider-peakflow/sep/peak.9 @@ -0,0 +1,4 @@ +Target 17.20.116.236 +start 1599974193 +end 1599974692 +type IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/README.md b/ddos_hackathon-20200511/uscisi/README.md new file mode 100644 index 0000000..526f205 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/README.md 
@@ -0,0 +1,35 @@ +# Provenance information + +We (USC/ISI) infer and report the actual start and stop of alleged attack +flows that match Peakflow alerts from ddos_hackathon-20200511/peakflow +directory. These times were established by monitoring all traffic of a +given type to the alleged attack target. We monitor traffic per alleged +attack type, e.g., to detect DNSAmplification attacks we would monitor +all traffic to the alleged target from source port 53. We monitor number of flows, +number of bytes and number of unique sources per second. We signal attack start +when all three of these quantities show a sudden increase, as measured by CUSUM being >5. +We signal end of attack when CUSUM values all fall below 5. We also require that +reverse flows (from alleged target to the sources of traffic flows) do not appear +anomalous (CUSUM values in reverse direction are below 5). This rules out +self-inflicted attacks, e.g., when the alleged target scans a lot of DNS servers, which +then reply back to the target. Attack data is represented as epoch start and stop +time of the attack and the attack type(s). This format matches the format +of Peakflow labels in ddos_hackathon-20200511/peakflow directory + +# Tools required for generating labels + +The provider (usc-isi) has produced the tool to use the provided +event labels in this folder and Netflow data from the dataset to +produce per-flow labels (B for benign, A for attack). The tool prints +output of nfdump -o pipe and attaches the label at the end of the line. +The tool can be found in /tools/usc-isi/netflow-ddos/ directory +in the COMUNDA git repository. Please refer to the +README.md file in that directory for how to run the tool. The +instructions below describe how to use the tool to generate the +provider given labels for this dataset. + +# How to run the labeling code + +``` +perl tag_flows.pl path-to-folder-w-netflow path-to-this-folder +``` \ No newline at end of file 
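Review bot: the provenance paragraph of uscisi/README.md refers twice to the "ddos_hackathon-20200511/peakflow" directory, but the Peakflow labels in this patch are added under ddos_hackathon-20200511/provider-peakflow, so the reference does not resolve; use the actual path. The detection rule ("as measured by CUSUM being >5", "CUSUM values all fall below 5") should also state how CUSUM is computed (baseline, allowance term, and whether flows, bytes and unique sources are normalized before the same threshold of 5 is applied), because the labels cannot be reproduced from the text as written. Minor: the last sentence of that paragraph has no closing period, and the file ends without a trailing newline.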
diff --git a/ddos_hackathon-20200511/uscisi/README.md~ b/ddos_hackathon-20200511/uscisi/README.md~ new file mode 100644 index 0000000..1504071 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/README.md~ @@ -0,0 +1,29 @@ +# Provenance information + +Peakflow (now NetScout) appliance was running at FRGP network during +dataset collection and it was generating alerts, which we collected +as well. We pre-filtered these alerts to keep only reflection DDoS +attacks and we have anonymized the alerts to match the dataset +anonymization. Each alert shows the epoch start and stop time of +the attack, and the attack type(s) as reported by Peakflow. The +start time is the actual attack detection time and the stop time +is when the mitigation was stopped. + +# Tools required for generating labels + +The provider (usc-isi) has produced the tool to use the provided +event labels in this folder and Netflow data from the dataset to +produce per-flow labels (B for benign, A for attack). The tool prints +output of nfdump -o pipe and attaches the label at the end of the line. +The tool can be found in /tools/usc-isi/netflow-ddos/ directory +in the COMUNDA git repository. Please refer to the +README.md file in that directory for how to run the tool. The +instructions below describe how to use the tool to generate the +provider given labels for this dataset. + + +# How to run the labeling code + +``` +perl tag_flows.pl path-to-folder-w-netflow path-to-this-folder +``` \ No newline at end of file diff --git a/ddos_hackathon-20200511/uscisi/aug/uscisi.1 b/ddos_hackathon-20200511/uscisi/aug/uscisi.1 new file mode 100644 index 0000000..f5349d8 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/aug/uscisi.1 @@ -0,0 +1,4 @@ +Target 17.20.107.182 +start 1598218831 +end 1598220581 +type mDNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/aug/uscisi.10 b/ddos_hackathon-20200511/uscisi/aug/uscisi.10 new file mode 100644 index 0000000..f993137 --- /dev/null 
+++ b/ddos_hackathon-20200511/uscisi/aug/uscisi.10 @@ -0,0 +1,4 @@ +Target 17.20.122.67 +start 1597986684 +end 1597986750 +type NTPAmplification diff --git a/ddos_hackathon-20200511/uscisi/aug/uscisi.11 b/ddos_hackathon-20200511/uscisi/aug/uscisi.11 new file mode 100644 index 0000000..68f768a --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/aug/uscisi.11 @@ -0,0 +1,4 @@ +Target 17.77.201.1 +start 1598572107 +end 1598572324 +type IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/aug/uscisi.12 b/ddos_hackathon-20200511/uscisi/aug/uscisi.12 new file mode 100644 index 0000000..4eefd0d --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/aug/uscisi.12 @@ -0,0 +1,4 @@ +Target 17.77.52.118 +start 1598572029 +end 1598572117 +type IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/aug/uscisi.2 b/ddos_hackathon-20200511/uscisi/aug/uscisi.2 new file mode 100644 index 0000000..1faa7f3 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/aug/uscisi.2 @@ -0,0 +1,4 @@ +Target 26.27.154.249 +start 1598542028 +end 1598542111 +type DNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/aug/uscisi.3 b/ddos_hackathon-20200511/uscisi/aug/uscisi.3 new file mode 100644 index 0000000..1aa8c85 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/aug/uscisi.3 @@ -0,0 +1,4 @@ +Target 17.20.127.110 +start 1598543327 +end 1598544041 +type mDNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/aug/uscisi.4 b/ddos_hackathon-20200511/uscisi/aug/uscisi.4 new file mode 100644 index 0000000..6e95cb8 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/aug/uscisi.4 @@ -0,0 +1,4 @@ +Target 116.231.92.155 +start 1597777509 +end 1597777818 +type CLDAPAmplification IPFragmentation diff --git a/ddos_hackathon-20200511/uscisi/aug/uscisi.5 b/ddos_hackathon-20200511/uscisi/aug/uscisi.5 new file mode 100644 index 0000000..88cde5f --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/aug/uscisi.5 
@@ -0,0 +1,4 @@ +Target 16.73.76.89 +start 1597888385 +end 1597888464 +type CLDAPAmplification IPFragmentation diff --git a/ddos_hackathon-20200511/uscisi/aug/uscisi.6 b/ddos_hackathon-20200511/uscisi/aug/uscisi.6 new file mode 100644 index 0000000..62ef5aa --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/aug/uscisi.6 @@ -0,0 +1,4 @@ +Target 17.20.123.89 +start 1598045110 +end 1598045411 +type CLDAPAmplification IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/aug/uscisi.7 b/ddos_hackathon-20200511/uscisi/aug/uscisi.7 new file mode 100644 index 0000000..fc40907 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/aug/uscisi.7 @@ -0,0 +1,4 @@ +Target 17.20.120.126 +start 1598597849 +end 1598598052 +type CLDAPAmplification IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/aug/uscisi.8 b/ddos_hackathon-20200511/uscisi/aug/uscisi.8 new file mode 100644 index 0000000..7cd86ec --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/aug/uscisi.8 @@ -0,0 +1,4 @@ +Target 17.20.120.126 +start 1598661211 +end 1598661820 +type IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/aug/uscisi.9 b/ddos_hackathon-20200511/uscisi/aug/uscisi.9 new file mode 100644 index 0000000..97e779b --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/aug/uscisi.9 @@ -0,0 +1,4 @@ +Target 26.14.91.190 +start 1597811627 +end 1597811782 +type chargenAmplification IPFragmentation ICMP diff --git a/ddos_hackathon-20200511/uscisi/may/uscisi.1 b/ddos_hackathon-20200511/uscisi/may/uscisi.1 new file mode 100644 index 0000000..4cf9517 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/may/uscisi.1 @@ -0,0 +1,4 @@ +Target 46.148.120.155 +start 1589247028 +end 1589247169 +type IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/may/uscisi.10 b/ddos_hackathon-20200511/uscisi/may/uscisi.10 new file mode 100644 index 0000000..85b06b9 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/may/uscisi.10 
@@ -0,0 +1,4 @@ +Target 46.148.123.147 +start 1589603213 +end 1589603401 +type IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/may/uscisi.11 b/ddos_hackathon-20200511/uscisi/may/uscisi.11 new file mode 100644 index 0000000..c2fd54f --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/may/uscisi.11 @@ -0,0 +1,4 @@ +Target 46.148.120.155 +start 1589328535 +end 1589328857 +type IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/may/uscisi.12 b/ddos_hackathon-20200511/uscisi/may/uscisi.12 new file mode 100644 index 0000000..da0ff27 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/may/uscisi.12 @@ -0,0 +1,4 @@ +Target 113.41.244.95 +start 1589263168 +end 1589302918 +type TCPSYN/ACKAmplification ICMP diff --git a/ddos_hackathon-20200511/uscisi/may/uscisi.13 b/ddos_hackathon-20200511/uscisi/may/uscisi.13 new file mode 100644 index 0000000..da0ff27 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/may/uscisi.13 @@ -0,0 +1,4 @@ +Target 113.41.244.95 +start 1589263168 +end 1589302918 +type TCPSYN/ACKAmplification ICMP diff --git a/ddos_hackathon-20200511/uscisi/may/uscisi.14 b/ddos_hackathon-20200511/uscisi/may/uscisi.14 new file mode 100644 index 0000000..da0ff27 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/may/uscisi.14 @@ -0,0 +1,4 @@ +Target 113.41.244.95 +start 1589263168 +end 1589302918 +type TCPSYN/ACKAmplification ICMP diff --git a/ddos_hackathon-20200511/uscisi/may/uscisi.15 b/ddos_hackathon-20200511/uscisi/may/uscisi.15 new file mode 100644 index 0000000..da0ff27 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/may/uscisi.15 @@ -0,0 +1,4 @@ +Target 113.41.244.95 +start 1589263168 +end 1589302918 +type TCPSYN/ACKAmplification ICMP diff --git a/ddos_hackathon-20200511/uscisi/may/uscisi.16 b/ddos_hackathon-20200511/uscisi/may/uscisi.16 new file mode 100644 index 0000000..da0ff27 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/may/uscisi.16 
@@ -0,0 +1,4 @@ +Target 113.41.244.95 +start 1589263168 +end 1589302918 +type TCPSYN/ACKAmplification ICMP diff --git a/ddos_hackathon-20200511/uscisi/may/uscisi.17 b/ddos_hackathon-20200511/uscisi/may/uscisi.17 new file mode 100644 index 0000000..da0ff27 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/may/uscisi.17 @@ -0,0 +1,4 @@ +Target 113.41.244.95 +start 1589263168 +end 1589302918 +type TCPSYN/ACKAmplification ICMP diff --git a/ddos_hackathon-20200511/uscisi/may/uscisi.18 b/ddos_hackathon-20200511/uscisi/may/uscisi.18 new file mode 100644 index 0000000..da0ff27 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/may/uscisi.18 @@ -0,0 +1,4 @@ +Target 113.41.244.95 +start 1589263168 +end 1589302918 +type TCPSYN/ACKAmplification ICMP diff --git a/ddos_hackathon-20200511/uscisi/may/uscisi.19 b/ddos_hackathon-20200511/uscisi/may/uscisi.19 new file mode 100644 index 0000000..da0ff27 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/may/uscisi.19 @@ -0,0 +1,4 @@ +Target 113.41.244.95 +start 1589263168 +end 1589302918 +type TCPSYN/ACKAmplification ICMP diff --git a/ddos_hackathon-20200511/uscisi/may/uscisi.2 b/ddos_hackathon-20200511/uscisi/may/uscisi.2 new file mode 100644 index 0000000..05ab1b7 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/may/uscisi.2 @@ -0,0 +1,4 @@ +Target 113.41.244.95 +start 1589246894 +end 1589262420 +type TCPSYN/ACKAmplification ICMP diff --git a/ddos_hackathon-20200511/uscisi/may/uscisi.20 b/ddos_hackathon-20200511/uscisi/may/uscisi.20 new file mode 100644 index 0000000..da0ff27 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/may/uscisi.20 @@ -0,0 +1,4 @@ +Target 113.41.244.95 +start 1589263168 +end 1589302918 +type TCPSYN/ACKAmplification ICMP diff --git a/ddos_hackathon-20200511/uscisi/may/uscisi.21 b/ddos_hackathon-20200511/uscisi/may/uscisi.21 new file mode 100644 index 0000000..da0ff27 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/may/uscisi.21 
@@ -0,0 +1,4 @@ +Target 113.41.244.95 +start 1589263168 +end 1589302918 +type TCPSYN/ACKAmplification ICMP diff --git a/ddos_hackathon-20200511/uscisi/may/uscisi.22 b/ddos_hackathon-20200511/uscisi/may/uscisi.22 new file mode 100644 index 0000000..da0ff27 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/may/uscisi.22 @@ -0,0 +1,4 @@ +Target 113.41.244.95 +start 1589263168 +end 1589302918 +type TCPSYN/ACKAmplification ICMP diff --git a/ddos_hackathon-20200511/uscisi/may/uscisi.23 b/ddos_hackathon-20200511/uscisi/may/uscisi.23 new file mode 100644 index 0000000..9ea6db4 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/may/uscisi.23 @@ -0,0 +1,4 @@ +Target 40.40.133.46 +start 1589509245 +end 1589509339 +type CLDAPAmplification IPFragmentation diff --git a/ddos_hackathon-20200511/uscisi/may/uscisi.3 b/ddos_hackathon-20200511/uscisi/may/uscisi.3 new file mode 100644 index 0000000..a1ef8dc --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/may/uscisi.3 @@ -0,0 +1,4 @@ +Target 16.52.125.25 +start 1589281708 +end 1589282973 +type CLDAPAmplification IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/may/uscisi.4 b/ddos_hackathon-20200511/uscisi/may/uscisi.4 new file mode 100644 index 0000000..da0ff27 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/may/uscisi.4 @@ -0,0 +1,4 @@ +Target 113.41.244.95 +start 1589263168 +end 1589302918 +type TCPSYN/ACKAmplification ICMP diff --git a/ddos_hackathon-20200511/uscisi/may/uscisi.5 b/ddos_hackathon-20200511/uscisi/may/uscisi.5 new file mode 100644 index 0000000..c6deec6 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/may/uscisi.5 @@ -0,0 +1,4 @@ +Target 16.52.125.25 +start 1589358327 +end 1589358470 +type IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/may/uscisi.6 b/ddos_hackathon-20200511/uscisi/may/uscisi.6 new file mode 100644 index 0000000..ad89bff --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/may/uscisi.6 
@@ -0,0 +1,4 @@ +Target 40.40.133.46 +start 1589508880 +end 1589508929 +type CLDAPAmplification IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/may/uscisi.7 b/ddos_hackathon-20200511/uscisi/may/uscisi.7 new file mode 100644 index 0000000..c2238cf --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/may/uscisi.7 @@ -0,0 +1,4 @@ +Target 113.41.244.95 +start 1589672852 +end 1589673861 +type TCPRST ICMP diff --git a/ddos_hackathon-20200511/uscisi/may/uscisi.8 b/ddos_hackathon-20200511/uscisi/may/uscisi.8 new file mode 100644 index 0000000..310c6fa --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/may/uscisi.8 @@ -0,0 +1,4 @@ +Target 26.27.120.177 +start 1589658568 +end 1589658871 +type CLDAPAmplification IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/may/uscisi.9 b/ddos_hackathon-20200511/uscisi/may/uscisi.9 new file mode 100644 index 0000000..9ea6db4 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/may/uscisi.9 @@ -0,0 +1,4 @@ +Target 40.40.133.46 +start 1589509245 +end 1589509339 +type CLDAPAmplification IPFragmentation diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.1 b/ddos_hackathon-20200511/uscisi/sep/uscisi.1 new file mode 100644 index 0000000..4bf6f56 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.1 @@ -0,0 +1,4 @@ +Target 116.254.8.57 +start 1599762201 +end 1599762529 +type IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.10 b/ddos_hackathon-20200511/uscisi/sep/uscisi.10 new file mode 100644 index 0000000..df35567 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.10 @@ -0,0 +1,4 @@ +Target 17.20.116.236 +start 1599976442 +end 1599976776 +type CLDAPAmplification IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.11 b/ddos_hackathon-20200511/uscisi/sep/uscisi.11 new file mode 100644 index 0000000..b8811b1 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.11 
@@ -0,0 +1,4 @@ +Target 17.20.116.236 +start 1600023164 +end 1600023282 +type NTPAmplification diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.12 b/ddos_hackathon-20200511/uscisi/sep/uscisi.12 new file mode 100644 index 0000000..f81b90f --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.12 @@ -0,0 +1,4 @@ +Target 17.20.116.236 +start 1600036304 +end 1600036435 +type NTPAmplification diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.13 b/ddos_hackathon-20200511/uscisi/sep/uscisi.13 new file mode 100644 index 0000000..55e59a6 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.13 @@ -0,0 +1,4 @@ +Target 17.20.116.236 +start 1600036520 +end 1600036836 +type NTPAmplification diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.14 b/ddos_hackathon-20200511/uscisi/sep/uscisi.14 new file mode 100644 index 0000000..0b5b8de --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.14 @@ -0,0 +1,4 @@ +Target 17.20.116.236 +start 1600037324 +end 1600037476 +type NTPAmplification diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.15 b/ddos_hackathon-20200511/uscisi/sep/uscisi.15 new file mode 100644 index 0000000..a6f2d91 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.15 @@ -0,0 +1,4 @@ +Target 17.20.116.236 +start 1600037642 +end 1600037784 +type NTPAmplification diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.16 b/ddos_hackathon-20200511/uscisi/sep/uscisi.16 new file mode 100644 index 0000000..588dfb5 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.16 @@ -0,0 +1,4 @@ +Target 17.20.116.236 +start 1600121616 +end 1600121917 +type IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.17 b/ddos_hackathon-20200511/uscisi/sep/uscisi.17 new file mode 100644 index 0000000..c498642 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.17 @@ -0,0 +1,4 @@ +Target 17.94.222.59 +start 1600146060 +end 1600146673 +type IPFragmentation DNSAmplification 
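Review bot: ddos_hackathon-20200511/uscisi/README.md~ is an editor backup file and should not be part of this commit; its content (blob 1504071, "Peakflow (now NetScout) appliance was running at FRGP network ...") describes the Peakflow alerts, not the USC/ISI inferred labels that the uscisi directory holds, so a reader who opens it gets the wrong provenance. Remove the file from the change and add a "*~" pattern to .gitignore so backups are not picked up again.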
diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.18 b/ddos_hackathon-20200511/uscisi/sep/uscisi.18 new file mode 100644 index 0000000..634f673 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.18 @@ -0,0 +1,4 @@ +Target 17.94.222.59 +start 1600146760 +end 1600147362 +type IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.19 b/ddos_hackathon-20200511/uscisi/sep/uscisi.19 new file mode 100644 index 0000000..90fef3b --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.19 @@ -0,0 +1,4 @@ +Target 17.20.127.115 +start 1600155580 +end 1600155885 +type CLDAPAmplification IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.2 b/ddos_hackathon-20200511/uscisi/sep/uscisi.2 new file mode 100644 index 0000000..cadfb0a --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.2 @@ -0,0 +1,4 @@ +Target 116.254.8.57 +start 1599764840 +end 1599765161 +type CLDAPAmplification IPFragmentation diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.20 b/ddos_hackathon-20200511/uscisi/sep/uscisi.20 new file mode 100644 index 0000000..b6faf16 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.20 @@ -0,0 +1,4 @@ +Target 17.20.127.115 +start 1600200615 +end 1600200704 +type CLDAPAmplification IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.21 b/ddos_hackathon-20200511/uscisi/sep/uscisi.21 new file mode 100644 index 0000000..2e6d348 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.21 @@ -0,0 +1,4 @@ +Target 17.20.127.115 +start 1600202970 +end 1600203271 +type IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.22 b/ddos_hackathon-20200511/uscisi/sep/uscisi.22 new file mode 100644 index 0000000..c1ad323 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.22 @@ -0,0 +1,4 @@ +Target 17.20.123.4 +start 1599944399 +end 1599944502 +type IPFragmentation DNSAmplification 
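Review bot: in uscisi/may, the files uscisi.4 and uscisi.12 through uscisi.22 are all the same blob da0ff27 (Target 113.41.244.95, start 1589263168, end 1589302918, type TCPSYN/ACKAmplification ICMP), and uscisi.9 and uscisi.23 share blob 9ea6db4. Twelve copies of one interval add no label information, and a consumer that treats each file as a separate attack will count this event twelve times. If the file number is meant to pair uscisi.N with the Peakflow alert of the same number, state that rule in uscisi/README.md; otherwise deduplicate before merging.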
diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.23 b/ddos_hackathon-20200511/uscisi/sep/uscisi.23 new file mode 100644 index 0000000..f7d1a79 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.23 @@ -0,0 +1,4 @@ +Target 17.20.116.236 +start 1600122085 +end 1600122123 +type IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.24 b/ddos_hackathon-20200511/uscisi/sep/uscisi.24 new file mode 100644 index 0000000..d19f633 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.24 @@ -0,0 +1,4 @@ +Target 17.20.127.115 +start 1600330418 +end 1600330619 +type IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.25 b/ddos_hackathon-20200511/uscisi/sep/uscisi.25 new file mode 100644 index 0000000..6fafe18 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.25 @@ -0,0 +1,4 @@ +Target 17.20.107.182 +start 1600355644 +end 1600355764 +type DNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.26 b/ddos_hackathon-20200511/uscisi/sep/uscisi.26 new file mode 100644 index 0000000..ed28599 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.26 @@ -0,0 +1,4 @@ +Target 17.20.123.4 +start 1600376450 +end 1600376751 +type IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.27 b/ddos_hackathon-20200511/uscisi/sep/uscisi.27 new file mode 100644 index 0000000..aa9d621 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.27 @@ -0,0 +1,4 @@ +Target 17.20.127.115 +start 1600402295 +end 1600402596 +type CLDAPAmplification IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.28 b/ddos_hackathon-20200511/uscisi/sep/uscisi.28 new file mode 100644 index 0000000..2769f0a --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.28 @@ -0,0 +1,4 @@ +Target 17.20.127.115 +start 1600405980 +end 1600406048 +type IPFragmentation DNSAmplification 
diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.29 b/ddos_hackathon-20200511/uscisi/sep/uscisi.29 new file mode 100644 index 0000000..9b124e8 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.29 @@ -0,0 +1,4 @@ +Target 17.20.127.115 +start 1600406132 +end 1600406446 +type IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.3 b/ddos_hackathon-20200511/uscisi/sep/uscisi.3 new file mode 100644 index 0000000..64de5fc --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.3 @@ -0,0 +1,4 @@ +Target 17.20.116.236 +start 1599779133 +end 1599779208 +type IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.30 b/ddos_hackathon-20200511/uscisi/sep/uscisi.30 new file mode 100644 index 0000000..169d3d3 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.30 @@ -0,0 +1,4 @@ +Target 17.20.127.115 +start 1600406931 +end 1600407097 +type IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.31 b/ddos_hackathon-20200511/uscisi/sep/uscisi.31 new file mode 100644 index 0000000..9fc6647 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.31 @@ -0,0 +1,4 @@ +Target 17.20.127.115 +start 1600424211 +end 1600424250 +type IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.32 b/ddos_hackathon-20200511/uscisi/sep/uscisi.32 new file mode 100644 index 0000000..ee79776 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.32 @@ -0,0 +1,4 @@ +Target 17.20.127.115 +start 1600424458 +end 1600424762 +type CLDAPAmplification IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.33 b/ddos_hackathon-20200511/uscisi/sep/uscisi.33 new file mode 100644 index 0000000..3337e6d --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.33 @@ -0,0 +1,4 @@ +Target 17.20.107.182 +start 1600445407 +end 1600445490 +type mDNSAmplification DNSAmplification 
diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.34 b/ddos_hackathon-20200511/uscisi/sep/uscisi.34 new file mode 100644 index 0000000..480147f --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.34 @@ -0,0 +1,4 @@ +Target 17.20.107.182 +start 1600446764 +end 1600446870 +type mDNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.35 b/ddos_hackathon-20200511/uscisi/sep/uscisi.35 new file mode 100644 index 0000000..360b596 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.35 @@ -0,0 +1,4 @@ +Target 17.20.127.115 +start 1600465580 +end 1600465896 +type IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.36 b/ddos_hackathon-20200511/uscisi/sep/uscisi.36 new file mode 100644 index 0000000..7b87621 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.36 @@ -0,0 +1,4 @@ +Target 17.20.127.115 +start 1600466201 +end 1600466311 +type CLDAPAmplification IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.37 b/ddos_hackathon-20200511/uscisi/sep/uscisi.37 new file mode 100644 index 0000000..a0845ef --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.37 @@ -0,0 +1,4 @@ +Target 17.94.217.113 +start 1600495862 +end 1600496107 +type CLDAPAmplification IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.38 b/ddos_hackathon-20200511/uscisi/sep/uscisi.38 new file mode 100644 index 0000000..014849c --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.38 @@ -0,0 +1,4 @@ +Target 17.20.127.115 +start 1600507068 +end 1600507368 +type IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.39 b/ddos_hackathon-20200511/uscisi/sep/uscisi.39 new file mode 100644 index 0000000..3eecc11 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.39 @@ -0,0 +1,4 @@ +Target 16.52.239.211 +start 1600544921 +end 1600545087 +type CLDAPAmplification IPFragmentation DNSAmplification 
diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.4 b/ddos_hackathon-20200511/uscisi/sep/uscisi.4 new file mode 100644 index 0000000..190a00a --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.4 @@ -0,0 +1,4 @@ +Target 17.20.116.236 +start 1599780578 +end 1599780879 +type CLDAPAmplification IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.40 b/ddos_hackathon-20200511/uscisi/sep/uscisi.40 new file mode 100644 index 0000000..d04fae6 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.40 @@ -0,0 +1,4 @@ +Target 16.73.75.144 +start 1600554148 +end 1600554302 +type CLDAPAmplification IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.41 b/ddos_hackathon-20200511/uscisi/sep/uscisi.41 new file mode 100644 index 0000000..01568e6 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.41 @@ -0,0 +1,4 @@ +Target 17.20.127.115 +start 1600583852 +end 1600584195 +type CLDAPAmplification IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.42 b/ddos_hackathon-20200511/uscisi/sep/uscisi.42 new file mode 100644 index 0000000..2b0611d --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.42 @@ -0,0 +1,4 @@ +Target 16.52.238.235 +start 1600586633 +end 1600586954 +type CLDAPAmplification IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.43 b/ddos_hackathon-20200511/uscisi/sep/uscisi.43 new file mode 100644 index 0000000..4b824bb --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.43 @@ -0,0 +1,4 @@ +Target 113.92.254.108 +start 1600592324 +end 1600592510 +type CLDAPAmplification IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.44 b/ddos_hackathon-20200511/uscisi/sep/uscisi.44 new file mode 100644 index 0000000..4d110db --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.44 
@@ -0,0 +1,4 @@ +Target 17.20.127.115 +start 1600598823 +end 1600599025 +type CLDAPAmplification IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.45 b/ddos_hackathon-20200511/uscisi/sep/uscisi.45 new file mode 100644 index 0000000..c083eda --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.45 @@ -0,0 +1,4 @@ +Target 16.52.236.140 +start 1600639909 +end 1600640267 +type CLDAPAmplification IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.46 b/ddos_hackathon-20200511/uscisi/sep/uscisi.46 new file mode 100644 index 0000000..f3f2a86 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.46 @@ -0,0 +1,4 @@ +Target 17.20.123.4 +start 1600376897 +end 1600377198 +type IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.47 b/ddos_hackathon-20200511/uscisi/sep/uscisi.47 new file mode 100644 index 0000000..d939e55 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.47 @@ -0,0 +1,4 @@ +Target 18.214.227.240 +start 1600642561 +end 1600642648 +type CLDAPAmplification IPFragmentation diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.48 b/ddos_hackathon-20200511/uscisi/sep/uscisi.48 new file mode 100644 index 0000000..f2313cd --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.48 @@ -0,0 +1,4 @@ +Target 17.20.127.115 +start 1600675203 +end 1600675503 +type CLDAPAmplification IPFragmentation diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.49 b/ddos_hackathon-20200511/uscisi/sep/uscisi.49 new file mode 100644 index 0000000..fe69e86 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.49 @@ -0,0 +1,4 @@ +Target 17.20.127.115 +start 1600679593 +end 1600679893 +type CLDAPAmplification IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.5 b/ddos_hackathon-20200511/uscisi/sep/uscisi.5 new file mode 100644 index 0000000..ac614e5 --- /dev/null 
+++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.5 @@ -0,0 +1,4 @@ +Target 17.20.116.236 +start 1599791671 +end 1599791816 +type CLDAPAmplification IPFragmentation diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.50 b/ddos_hackathon-20200511/uscisi/sep/uscisi.50 new file mode 100644 index 0000000..f8bb6c3 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.50 @@ -0,0 +1,4 @@ +Target 17.20.123.4 +start 1600661270 +end 1600661316 +type IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.51 b/ddos_hackathon-20200511/uscisi/sep/uscisi.51 new file mode 100644 index 0000000..4b0fbd1 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.51 @@ -0,0 +1,4 @@ +Target 17.20.123.4 +start 1600711905 +end 1600712208 +type CLDAPAmplification IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.52 b/ddos_hackathon-20200511/uscisi/sep/uscisi.52 new file mode 100644 index 0000000..e7d825e --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.52 @@ -0,0 +1,4 @@ +Target 18.214.227.252 +start 1600712934 +end 1600713077 +type IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.53 b/ddos_hackathon-20200511/uscisi/sep/uscisi.53 new file mode 100644 index 0000000..e6a78df --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.53 @@ -0,0 +1,4 @@ +Target 17.20.123.4 +start 1600752770 +end 1600753205 +type IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.54 b/ddos_hackathon-20200511/uscisi/sep/uscisi.54 new file mode 100644 index 0000000..d9453bf --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.54 @@ -0,0 +1,4 @@ +Target 17.20.123.4 +start 1600753441 +end 1600753547 +type IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.55 b/ddos_hackathon-20200511/uscisi/sep/uscisi.55 new file mode 100644 index 0000000..9ddf7ff --- /dev/null 
+++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.55 @@ -0,0 +1,4 @@ +Target 17.20.127.115 +start 1600755930 +end 1600756231 +type CLDAPAmplification IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.56 b/ddos_hackathon-20200511/uscisi/sep/uscisi.56 new file mode 100644 index 0000000..729f933 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.56 @@ -0,0 +1,4 @@ +Target 16.52.149.150 +start 1600799486 +end 1600799740 +type L2TPAmplification diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.57 b/ddos_hackathon-20200511/uscisi/sep/uscisi.57 new file mode 100644 index 0000000..bf38aff --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.57 @@ -0,0 +1,4 @@ +Target 123.126.19.109 +start 1600815965 +end 1600816088 +type IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.58 b/ddos_hackathon-20200511/uscisi/sep/uscisi.58 new file mode 100644 index 0000000..c0f837b --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.58 @@ -0,0 +1,4 @@ +Target 26.27.172.145 +start 1600719209 +end 1600719511 +type CLDAPAmplification IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.59 b/ddos_hackathon-20200511/uscisi/sep/uscisi.59 new file mode 100644 index 0000000..33ac575 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.59 @@ -0,0 +1,4 @@ +Target 16.52.233.72 +start 1600745095 +end 1600746159 +type NTPAmplification diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.6 b/ddos_hackathon-20200511/uscisi/sep/uscisi.6 new file mode 100644 index 0000000..bd3f485 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.6 @@ -0,0 +1,4 @@ +Target 17.20.116.236 +start 1599791857 +end 1599792067 +type CLDAPAmplification IPFragmentation diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.60 b/ddos_hackathon-20200511/uscisi/sep/uscisi.60 new file mode 100644 index 0000000..e73294a --- /dev/null 
+++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.60 @@ -0,0 +1,4 @@ +Target 16.52.239.247 +start 1600063663 +end 1600063694 +type IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.61 b/ddos_hackathon-20200511/uscisi/sep/uscisi.61 new file mode 100644 index 0000000..5b29485 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.61 @@ -0,0 +1,4 @@ +Target 16.52.236.140 +start 1600663179 +end 1600663227 +type IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.62 b/ddos_hackathon-20200511/uscisi/sep/uscisi.62 new file mode 100644 index 0000000..69ce7e9 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.62 @@ -0,0 +1,4 @@ +Target 17.20.123.89 +start 1600641525 +end 1600641678 +type IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.63 b/ddos_hackathon-20200511/uscisi/sep/uscisi.63 new file mode 100644 index 0000000..72756f6 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.63 @@ -0,0 +1,4 @@ +Target 17.20.123.4 +start 1600753655 +end 1600753767 +type CLDAPAmplification IPFragmentation diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.64 b/ddos_hackathon-20200511/uscisi/sep/uscisi.64 new file mode 100644 index 0000000..b3b4ed9 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.64 @@ -0,0 +1,4 @@ +Target 17.94.205.139 +start 1599758648 +end 1599758836 +type CLDAPAmplification IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.65 b/ddos_hackathon-20200511/uscisi/sep/uscisi.65 new file mode 100644 index 0000000..7f89850 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.65 @@ -0,0 +1,4 @@ +Target 123.126.19.109 +start 1600816286 +end 1600816404 +type IPFragmentation DNSAmplification diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.7 b/ddos_hackathon-20200511/uscisi/sep/uscisi.7 new file mode 100644 index 0000000..816e21b --- /dev/null 
+++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.7 @@ -0,0 +1,4 @@ +Target 17.20.116.236 +start 1599863427 +end 1599863761 +type CLDAPAmplification IPFragmentation diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.8 b/ddos_hackathon-20200511/uscisi/sep/uscisi.8 new file mode 100644 index 0000000..8939e3d --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.8 @@ -0,0 +1,4 @@ +Target 17.20.127.104 +start 1599971804 +end 1599971928 +type NTPAmplification CLDAPAmplification IPFragmentation diff --git a/ddos_hackathon-20200511/uscisi/sep/uscisi.9 b/ddos_hackathon-20200511/uscisi/sep/uscisi.9 new file mode 100644 index 0000000..985c104 --- /dev/null +++ b/ddos_hackathon-20200511/uscisi/sep/uscisi.9 @@ -0,0 +1,4 @@ +Target 17.20.116.236 +start 1599974088 +end 1599974389 +type IPFragmentation DNSAmplification
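Review bot: The first key in every added uscisi.N file is capitalized (`Target`) while the other three are lowercase (`start`, `end`, `type`), so a case-sensitive consumer has to special-case one key. Either lowercase it to `target` or state the exact key spelling in a README next to these files. The same README should say that `type` is a space-separated list with one to three values in these files (for example `NTPAmplification CLDAPAmplification IPFragmentation` in uscisi.8), since a reader that takes only the first token after the key will drop the remaining types.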
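Review bot: Several labels for the same target sit very close together in time, and nothing in these files says whether they are separate events or one event split up. uscisi.5 ends at 1599791816 and uscisi.6 starts at 1599791857 for 17.20.116.236 (a 41 s gap); uscisi.53, uscisi.54 and uscisi.63 cover 17.20.123.4 from 1600752770 to 1600753767 with gaps of 236 s and 108 s; uscisi.57 and uscisi.65 cover 123.126.19.109 with a 198 s gap. Please document whether each file corresponds to one alert and whether consumers are expected to merge adjacent windows, because any labeling that uses these windows as given will treat traffic to the target inside the gaps as unlabeled.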
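Review bot: The numeric suffix of the file names does not follow the start times, so the files cannot be read in name order as a timeline: uscisi.46 starts at 1600376897, before uscisi.45 at 1600639909, and uscisi.64 at 1599758648 is the earliest label in this part of the patch. The start values here all fall in September 2020 (1599758648 to 1600816404), which matches the `sep` subdirectory but not the 20200511 date in the dataset directory name. A short README in `uscisi/sep/` that explains the numbering, the time range covered and its relation to the dataset name would remove the ambiguity; renumbering the files by start time would also help.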