DESCRIPTION LAST UPDATED: 2024-01-02
DEFAULT SEVERITY LEVEL: HIGH
This report contains information about IPs involved in DDoS attacks. It is sourced from networking devices observing attacks to a victim or from the target itself. Note the attacking IPs may be the actual IPs used for attacks, or it might be IPs with exposed services used in reflection attacks. Finally, traffic might also be spoofed.
Action to be taken
For UDP-based protocols, compare IPs listed in the report to exposed services that are included in your scan reports for that particular IP. As an example, if the protocol is DNS, and you have recently received an event for the same IP/host in the DNS Open Resolvers Report, it is highly likely that you have an Open Resolver that was just used in the particular attack reported.
Mitigation will depend on what sort of traffic is reported.
If the traffic is HTTP/HTTPS for example, it is possible that the IP might be:
– infected with malware
– operated by a bad actor that is intentially running DDoS software
– running an open proxy
– running a VPN exit node
Either way, attack traffic has been observed from this particular host, and the host has been observed attacking others.
If traffic is sourced from an UDP amplifier, that particular service would need to either be:
– limited from the internet – either by shutting down the service, configuring ACLs or firewall rules
– or in the case of e.g. DNS – configured not to respond to all queries from untrusted networks recursively.
Refer to the scan report of the corresponding protocol to ensure remediation is complete.
Since data in this report is based on current, ongoing attacks, no data in the report does not mean the particular host is no longer sending attack traffic – just that it has not been reported.
Severity levels are described here.
You can learn more on our reports in general in our Overview of Free Public Benefit Shadowserver Reports presentation, which also explains example Use Cases.
File name: event4_ddos_participant