An IXIA BreakingPoint box was used to simulate both normal and attack (DNS tunnelling) DNS traffic. The resulting pcaps were obtained and fields relevant to Apache Spot (incubating) were ingested and stored in parquet format. The attacks can be differentiated from the normal activity due to codes that were inserted into the Transaction ID field (upon ingestion: ‘dns_id’) which identifies either the fact that the traffic was normal or identifies the specific DNS tunneling activity being used. We provide the data schema as well as the location and specifications of the data within Amazon-S3. Information is also provided for how to interpret the dns_id field.
The schema for this data includes one field (called ‘dns_id’) in addition to what is usually used for DNS data in Apache Spot (incubating). The schema is as follows (see: http://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6 for more information):
| Name | Type | Description |
|---|---|---|
| frame_time | string | Time of packet capture (UTC) |
| unix_tstamp | bigint | Time of packet capture (UNIX time) |
| frame_len | int | Entire packet length |
| ip_dst | string | IP address making the DNS query |
| ip_src | string | IP address of the DNS server |
| dns_qry_name | string | Resource record being queried, ex: ‘google.com’ |
| dns_qry_class | string | Class of DNS record, ex: ‘0x00000001’ (for Internet) |
| dns_qry_type | int | Type of resource record, ex: 1 (for a host address) |
| dns_qry_rcode | int | Error code for the results of the query, ex: 0 (for No Error) |
| dns_a | string | Answer to the query |
| dns_id | string | Hexidecimal code inserting as the transaction ID used to differentiate normal queries from tunnelling (more details below) |
The value of dns_id indicates that either the data row was taken from a packet capture of simulated normal DNS traffic, or from a packet capture of a particular type of simulated DNS tunnelling.
Within BreakingPoint, Transaction IDs are represented as a decimal number. However, tshark dissects the transaction ID in its hexadecimal representation (the format contained within parenthesis in the table below).
Within Apache Spot (incubating), only responses from DNS servers are ingested since the response packet contains the query made by the client and the response from the server in the same packet.
| Super Flow Name | Transaction ID | Description |
|---|---|---|
| Brandon_DNS_domain_Test | 1008 (0x000003f0) | [Normal] This super flow simulates normal DNS queries. |
| DNS_Tunnel_BE_1 | 1002 (0x000003ea) | [Attack] This super flow simulates a message being tunneled over DNS via the query name field (url's are random strings), with a ip address response (drawn from a file of randomly generated IPs) being sent via the DNS answer field. |
| DNS_Tunnel_BE_2 | 1003 (0x000003eb}) | [Attack] This super flow simulates a message being tunneled over DNS via the query name field (url's random strings), with a response being given as no such url found. |
| TCP_DNS_Tunnel_BE_1 | 1001 (0x000003e9) | [Attack] This super Flow simulates tunneling random noise using TCP over DNS. The payload is generated by a Markov Dictionary and encoded in the DNS requests (responses) by using hex0x20Hack encoding. |
| TCP_DNS_Tunnel_BE_2 | 1005 (0x000003ed) | [Attack] This super Flow simulates tunneling random noise using TCP over DNS. The payload is generated by a Markov Dictionary and encoded in the DNS requests (responses) by using Base16Alpha encoding. |
| TCP_DNS_Tunnel_BE_3 | 1007 (0x000003ef) | [Attack] This super Flow simulates tunneling random noise using TCP over DNS. The payload is generated by a Markov Dictionary and encoded in the DNS requests (responses) by using Base63 encoding. |
| File | Description | Location | Size |
|---|---|---|---|
| 20170509_parquet.tar.gz | Tarball of directory (parquet files) simulated May 9, 2017 | https://s3-us-west-2.amazonaws.com/apachespot/public_data_sets/dns_labeled_data/20170509_parquet.tar.gz | 5.3G |
| 20170509_DATA_SPEC.md | Mark down document (the one you are reading now) | https://s3-us-west-2.amazonaws.com/apachespot/public_data_sets/dns_labeled_data/20170509_DATA_SPEC.md | 4K |
| Simulation Date | Total Records | dns_id=1008 | dns_id=1002 | dns_id=1003 | dns_id=1001 | dns_id=1005 | dns_id=1007 |
|---|---|---|---|---|---|---|---|
| 5/9/2017 | 391,364,387 | 391,314,477 | 16,317 | 21,666 | 4,156 | 2,743 | 5,028 |