This report records observed traffic to darknet networks.
Description
Darknets (also known as network telescopes) are unused sets of IP addresses, which in theory should observe no traffic. In practice, however, a lot of traffic reaches such networks through activities such as Internet scanning, malware propagation, or backscatter from spoofed DDoS events — meaning that these network packets can often be immediately classified as suspicious or malicious. Additional packet fingerprinting measures can be employed to attribute such packets to the tools or malware that sent them.
Fields
Field | Description |
timestamp | Time that a packet was registered in UTC+0 |
ip | The source IP registered (IP of sender) |
port | Source port |
asn | ASN announcing the source IP |
geo | Country where the source IP resides |
region | State / Province / Administrative region where the source IP resides |
city | City where the source IP resides |
hostname | PTR record of the source IP |
type | Additional information on activity type |
dst_ip | Destination IP of the packet (i.e. in the darknet) |
dst_port | Destination port |
dst_asn | ASN announcing the destination IP |
dst_geo | Country where the destination IP resides |
count | Packet count, if recorded |
naics | North American Industry Classification System Code of the source IP |
sic | Standard Industrial Classification System Code of the source IP |
dst_naics | North American Industry Classification System Code of the destination IP |
dst_sic | Standard Industrial Classification System Code of the destination IP |
sector | Sector the source IP belongs to |
dst_sector | Sector the destination IP belongs to |
family | Additional family classification of activity |
tag | Classification of activity, e.g. mirai-like |
public_source | Source of the data, for cases where the source accepts being credited |
Delivery Mechanism
The report is sent out daily via The Shadowserver Foundation’s free victim remediation reporting service. Every event that comes from SISSDEN is clearly marked as “SISSDEN”.
Sample Report
"timestamp","ip","port","asn","geo","region","city","hostname","type","dst_ip","dst_port","dst_asn","dst_geo","count","naics","sic","dst_naics","dst_sic","sector","dst_sector","family","tag","public_source" "2018-10-29 00:00:22","192.0.2.7",,4134,"CN",,"GUANGZHOU","7.0.2.192.broad.gz.jx.dynamic.163data.com.cn",,,23,,,102,0,0,,,"Communications",,,"mirai-like","sissden" "2018-10-29 05:01:31","192.0.2.145",,7922,"US","ILLINOIS","OAK LAWN","c-192.0.2.145.hsd1.il.comcast.net",,,80,,,5,518111,737401,,,"Commercial Facilities",,,"mirai-like","sissden" "2018-10-29 10:29:42","198.51.100.176",,16135,"TR","ANKARA","CAGLAYAN MAH.",,,,5555,,,1,0,0,,,,,,"mirai-like","sissden" "2018-10-29 13:02:13","198.51.100.203",,9121,"TR","OSMANIYE","AKKOPRU KOYU","198.51.100.203.static.ttnet.com.tr",,,23,,,1,0,0,,,,,,"mirai-like","sissden" "2018-10-29 19:02:28","203.0.113.244",,18881,"BR","BAHIA","SALVADOR","203.0.113.244.dynamic.adsl.gvt.net.br",,,2323,,,3,0,0,,,,,,"mirai-like","sissden"