LEGACY: Amplification DDoS Victim Report

LAST UPDATED:  2021-06-07

LEGACY REPORT

Report discontinued. Replaced by: Honeypot Amplification DDoS Events Report

This report contains observed reflected amplification DDoS events.

This category of DDoS attacks utilizes UDP-based, open, amplifiable services to reflect packets to a victim, by spoofing the source IP address of the packets sent by the amplifier to the victim’s IP address.

Depending on the protocol and type of open services abused, the size of the original packet content sent by the attacker can be amplified in the service response multiple times (even by a factor of hundreds), flooding the victim with packets and enabling DDoS.

Honeypots that emulate open and amplifiable services can be used to detect this kind of abuse. However, as the source of these attacks is spoofed to the victim address, it is possible only to report on victims being abused, not on the source of the DDoS.

The chart below illustrates the scale of these types of amplificable DDoS attacks in Europe, based on SISSDEN data. Looking back from 29th October over the prior 30 days, over 53 000 attacks have been observed against over 36 000 victims with IP space in Europe, with open NTP (port 123/udp), DNS (port 53/udp) and chargen (port 19/udp).

You can read more about our DDoS attack observations in the SISSDEN blog entry on observations on DDoS attacks in 2018. For more insight into how amplifiable DDoS attacks work, check out this writeup and paper by Christian Rossow, as well as the US-CERT Alert (TA14-017A).

The Amplification DDoS Victim report we send to subscribers includes the IP that is being targeted (i.e., the victim), information about the type of service being abused for the DDoS, DDoS start times, end times if available, and request used if available.

This report type was enabled as part of the EU Horizon 2020 SISSDEN Project.

Fields

  • timestamp
    Time that the amplification DDoS was registered in UTC+0
  • ip
    The IP address being DDoSed
  • protocol
    Protocol used for the DDoS reflection attack
  • dst_port
    Port being used for the DDoS reflection attack (ie. associated with the service/protocol used for amplification)
  • tag
    Additional attack information for example, service name used for attack
  • src_port
    Source port of the spoofed packets being sent
  • hostname
    PTR record of the target IP
  • asn
    ASN announcing the target IP
  • geo
    Country where the target IP resides
  • region
    State / Province / Administrative region where the target IP resides
  • city
    ASN of where the target IP resides
  • naics
    North American Industry Classification System Code of the target IP
  • sic
    Standard Industrial Classification System Code of the target IP
  • request
    Request being used to generate the amplification attack, if recorded
  • count
    Count of packets sent as part of the attack
  • bytes
    Bytes sent as part of the attack
  • sensor_geo
    Geolocation of sensor that detected the reflected amplification attack
  • sector
    Sector the target IP belongs to
  • end_time
    The time when the attack ended (if recorded by the source)
  • public_source
    Source of the data, for cases where the source accepts being credited

Sample

"timestamp",ip,protocol,dst_port,tag,src_port,hostname,asn,geo,region,city,naics,sic,request,count,bytes,sensor_geo,sector,"end_time",public_source
"2018-10-09 06:00:06",192.0.2.10,udp,13,daytime,53,,44395,AM,YEREVAN,YEREVAN,0,0,"DAYTIME Request",15,2220,RU,
"2018-10-09 08:14:37",192.0.2.50,udp,123,ntp,53,dhcp-50-2-0-192.net1.bg,43561,BG,SOFIA-GRAD,SOFIA,0,0,"Standard query response 0xe98a  NS auth111.ns.uu.net NS auth120.ns.uu.net",15,2700,RU,
"2018-10-09 13:15:36",198.51.100.20,udp,1900,,45486,,199155,PT,COLMBRA,"OLIVEIRA DO HOSPITAL",0,0,"M-SEARCH * HTTP/1.1",37,3626,RU,
"2018-10-09 14:48:50",198.51.100.70,udp,1900,,18693,,39891,SA,"AR RIYAD",RIYADH,0,0,"M-SEARCH * HTTP/1.1",75,7350,RU,
"2018-10-20 00:00:17",198.51.100.155,,11211,,,,134764,CN,,GUANGZHOU,0,0,,,,,Communications,,SISSDEN
"2018-10-20 00:02:48",203.0.113.10,,19,,,c-10-113-0-203.hsd1.fl.comcast.net,7922,US,FLORIDA,"PORT SAINT LUCIE",518111,737401,,,,,,"2018-10-20 00:09:55",SISSDEN
"2018-10-20 23:56:22",203.0.113.205,,123,,,,39891,SA,MAKKAH,JIDDAH,0,0,,,,,,,SISSDEN

Our 124 Report Types