HIGH: DDoS Participant Report

DESCRIPTION LAST UPDATED: 2024-01-02

DEFAULT SEVERITY LEVEL: HIGH

This report contains information about IPs involved in DDoS attacks. It is sourced from networking devices observing attacks to a victim or from the target itself. Note the attacking IPs may be the actual IPs used for attacks, or it might be IPs with exposed services used in reflection attacks. Finally, traffic might also be spoofed.

Action to be taken

For UDP-based protocols, compare IPs listed in the report to exposed services that are included in your scan reports for that particular IP. As an example, if the protocol is DNS, and you have recently received an event for the same IP/host in the DNS Open Resolvers Report, it is highly likely that you have an Open Resolver that was just used in the particular attack reported.

Mitigation

Mitigation will depend on what sort of traffic is reported.

If the traffic is HTTP/HTTPS for example, it is possible that the IP might be:
– infected with malware
– operated by a bad actor that is intentially running DDoS software
– running an open proxy
– running a VPN exit node

Either way, attack traffic has been observed from this particular host, and the host has been observed attacking others.

If traffic is sourced from an UDP amplifier, that particular service would need to either be:
– limited from the internet – either by shutting down the service, configuring ACLs or firewall rules
– or in the case of e.g. DNS – configured not to respond to all queries from untrusted networks recursively.

Refer to the scan report of the corresponding protocol to ensure remediation is complete.

Since data in this report is based on current, ongoing attacks, no data in the report does not mean the particular host is no longer sending attack traffic – just that it has not been reported.

Severity levels are described here.

You can learn more on our reports in general in our Overview of Free Public Benefit Shadowserver Reports presentation, which also explains example Use Cases.

File name: event4_ddos_participant

Fields

  • timestamp
    Timestamp when the source IP was seen in UTC+0
  • protocol
    Packet type of the connection traffic (UDP/TCP)
  • src_ip
    The source IP (attacking IP). Note may be spoofed or that of a reflector IP abused for amplification attacks.
  • src_port
    Source port of the IP connection
  • src_asn
    ASN of the source IP
  • src_geo
    Country of the source IP
  • src_region
    Region of the source IP
  • src_city
    City of the source IP
  • src_hostname
    Reverse DNS of the source IP
  • src_naics
    North American Industry Classification System Code
  • src_sector
    Sector to which the IP in question belongs; e.g. Communications, Commercial
  • device_vendor
    Source device vendor
  • device_type
    Source device type
  • device_model
    Source device model
  • severity
    Severity level
  • dst_ip
    Destination IP (IP being attacked)
  • dst_port
    Destination port of the IP being attacked
  • dst_asn
    ASN of the destination IP
  • dst_geo
    Country of the destination IP
  • dst_region
    Region of the destination IP
  • dst_city
    City of the destination IP
  • dst_hostname
    Reverse DNS of the destination IP
  • dst_naics
    North American Industry Classification System Code
  • dst_sector
    Sector to which the IP in question belongs; e.g. Communications, Commercial
  • public_source
    Source of the event data
  • infection
    Description of the malware/infection
  • family
    Malware family or campaign associated with the event
  • tag
    Event attributes (example: ddos-participant)
  • application
    Application name associated with the event
  • version
    Software version associated with the event
  • event_id
    Unique identifier assigned to the source IP or event
  • dst_network
    Network CIDR being attacked
  • dst_netmask
    Mask of the destination network under attack
  • attack
    Attack type (command issued)
  • duration
    Attack duration
  • attack_src_ip
    Spoofed attack source IP (if set)
  • attack_src_port
    Spoofed attack source port (if set)
  • domain
    Domain to attack (in attack command)
  • domain_transaction_id
    Domain transaction id, default is random (internal bot nomenclature)
  • gcip
    May be used to set internal IP to destination ip, default is 0 (no)
  • http_method
    HTTP method name used for the attack, default is GET
  • http_path
    HTTP path used for the observed attack, default is /
  • http_postdata
    POST data if any being used in the attack, default is empty/none
  • http_usessl
    Is SSL used in HTTP floods
  • ip_header_ack
    Set the ACK bit in IP header, default is 0 (no) except for ACK flood
  • ip_header_acknum
    Ack number value in TCP header, default is random
  • ip_header_dont_fragment
    Set the Dont-Fragment bit in IP header, default is 0 (no)
  • ip_header_fin
    Set the FIN bit in IP header, default is 0 (no)
  • ip_header_identity
    ID field value in IP header, default is random
  • ip_header_psh
    Set the PSH bit in IP header, default is 0 (no)
  • ip_header_rst
    Set the RST bit in IP header, default is 0 (no)
  • ip_header_seqnum
    Sequence number value in TCP header, default is random
  • ip_header_syn
    Set the ACK bit in IP header, default is 0 (no) except for SYN flood
  • ip_header_tos
    TOS field value in IP header, default is 0
  • ip_header_ttl
    TTL field in IP header, default is 255
  • ip_header_urg
    Set the URG bit in IP header, default is 0 (no)
  • number_of_connections
    Number of connections
  • packet_length
    Size of packet data, default is 512 bytes
  • packet_randomized
    Randomize packet data content, default is 1 (yes)

Sample

timestamp,protocol,src_ip,src_port,src_asn,src_geo,src_region,src_city,src_hostname,src_naics,src_sector,device_vendor,device_type,device_model,severity,dst_ip,dst_port,dst_asn,dst_geo,dst_region,dst_city,dst_hostname,dst_naics,dst_sector,domain_source,public_source,infection,family,tag,application,version,event_id,dst_network,dst_netmask,attack,duration,attack_src_ip,attack_src_port,domain,domain_transaction_id,gcip,http_method,http_path,http_postdata,http_usessl,ip_header_ack,ip_header_acknum,ip_header_dont_fragment,ip_header_fin,ip_header_identity,ip_header_psh,ip_header_rst,ip_header_seqnum,ip_header_syn,ip_header_tos,ip_header_ttl,ip_header_urg,number_of_connections,packet_length,packet_randomized,http_agent
2023-01-28 11:33:23,tcp,151.36.86.189,38055,1267,IT,MILANO,MILAN,,517311,,,,,high,91.186.66.10,443,56828,NO,OSLO,OSLO,,,Health Care and Social Assistance,,,ddos-participant,,,https,,,,,,,,,www.ahus.no,,,GET,/??=GovpfOoaWYlk,,,,,,,,,,,,,,,,,,
2023-01-28 16:31:33,udp,92.247.29.201,53,8717,BG,SOFIA-GRAD,SOFIA,,,,,,,high,91.186.66.10,53,56828,NO,OSLO,OSLO,,,Health Care and Social Assistance,,,ddos-participant,,,dns,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
2023-01-28 16:31:33,udp,89.19.199.152,53,41465,RU,SAMARSKAYA OBLAST,SAMARA,,,,Microsoft,email,Exchange,high,91.186.66.10,53,56828,NO,OSLO,OSLO,,,Health Care and Social Assistance,,,ddos-participant,,,dns,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

Our 124 Report Types