
Mirai scanning 2016 (06/01/2016 to 12/31/2016)

DataCite Commons. Updated 2020-09-18. Indexed 2025-04-09.
Download link:
https://www.impactcybertrust.org/dataset_view?idDataset=717
Description:
In 2016, a worm called Mirai targeting Internet-of-Things (IoT) devices appeared on the Internet. The worm self-propagates by looking for open Telnet-listening channels on insecure IoT devices and launching password "dictionary attacks" to gain login access to these devices. This dataset captures these scanning efforts, as collected by Merit's 35/8 network telescope (aka "darknet").

The Mirai worm source code, released online by its author in September 2016, has a unique scanning fingerprint that lets us identify these scanning efforts. In particular, Mirai 1) sends TCP SYN packets, 2) towards Telnet ports 23 and 2323, and 3) sets the TCP initial sequence number equal to the destination IP of the targeted host. We mined our darknet data for this fingerprint to create this Mirai dataset. This dataset provides a lens into the thousands of infected IoT devices, presumably responsible for the volumetric, record-breaking DDoS (Distributed Denial of Service) attacks that occurred in September and October 2016 against Akamai (i.e., the attacks against a popular security-oriented blog site hosted by Akamai), the attacks targeting the OVH cloud provider and the attacks directed at Dyn.

Note: the first Mirai probe to TCP 23 with the Mirai fingerprint appeared on August 1st, 2016. The first probe to TCP 2323 with the Mirai fingerprint appeared on September 6th, 2016. For completeness, we provide the output of BPF-filtering (using the above Mirai fingerprint) of our PCAP-based darknet data for a few days prior to the Mirai outbreak; this output is just empty PCAP data. Data format: PCAP. Access to the dataset is via Merit's secure enclaves.
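
The three-part fingerprint described above, written as a check over raw IPv4 packets. This is an added example, not part of the dataset or of Merit's tooling; the function names, addresses and sample packets are constructed for illustration, and the filter string in the comment is an assumed libpcap equivalent, not the filter Merit used.

```python
import socket
import struct

TELNET_PORTS = {23, 2323}          # ports named in the dataset description
SYN, ACK = 0x02, 0x10
# Assumed libpcap filter for the same test (not taken from the page):
#   tcp[tcpflags] & (tcp-syn|tcp-ack) = tcp-syn
#   and (dst port 23 or dst port 2323) and tcp[4:4] = ip[16:4]

def is_mirai_probe(pkt: bytes) -> bool:
    """True if a raw IPv4 packet matches all three fingerprint conditions."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return False                               # truncated or not IPv4
    ihl = (pkt[0] & 0x0F) * 4                      # IP header length in bytes
    if ihl < 20 or pkt[9] != socket.IPPROTO_TCP or len(pkt) < ihl + 14:
        return False
    if struct.unpack("!H", pkt[6:8])[0] & 0x1FFF:
        return False                               # later fragment: no TCP header
    dst_ip = struct.unpack("!I", pkt[16:20])[0]
    _sport, dport, seq = struct.unpack("!HHI", pkt[ihl:ihl + 8])
    flags = pkt[ihl + 13]
    return ((flags & (SYN | ACK)) == SYN           # 1) bare SYN
            and dport in TELNET_PORTS              # 2) Telnet port 23 or 2323
            and seq == dst_ip)                     # 3) sequence number == destination IP

def ip_to_int(addr: str) -> int:
    return struct.unpack("!I", socket.inet_aton(addr))[0]

def build_tcp(src, dst, dport, seq, flags=SYN) -> bytes:
    """Constructed test packet: minimal IPv4 + TCP headers, checksums left zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64,
                     socket.IPPROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, seq, 0, 5 << 4, flags, 1024, 0, 0)
    return ip + tcp

SRC, DST = "192.0.2.10", "198.51.100.7"            # constructed documentation addresses
SAMPLE = [
    build_tcp(SRC, DST, 23, ip_to_int(DST)),       # matches
    build_tcp(SRC, DST, 2323, ip_to_int(DST)),     # matches
    build_tcp(SRC, DST, 23, 0x12345678),           # ordinary Telnet SYN, other sequence number
    build_tcp(SRC, DST, 22, ip_to_int(DST)),       # sequence number matches, wrong port
    build_tcp(SRC, DST, 23, ip_to_int(DST), SYN | ACK),  # not a bare SYN
]

def count_probes(packets) -> int:
    return sum(is_mirai_probe(p) for p in packets)

if __name__ == "__main__":
    print(count_probes(SAMPLE), "of", len(SAMPLE), "sample packets match")
```
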
Provider:
IMPACT
Created:
2017-05-02