This report contains information about honeypot observed amplification DDoS events. If you are seeing this report, it means that your IP was DDoSed using other hosts/services as reflectors.
This category of DDoS attacks utilizes UDP-based, open, amplifiable services to reflect packets to a victim, by spoofing the source IP address of the packets sent by the amplifier to the victim’s IP address.
Depending on the protocol and type of open services abused, the size of the original packet content sent by the attacker can be amplified in the service response multiple times (even by a factor of hundreds), flooding the victim with packets and enabling DDoS.
Honeypots that emulate open and amplifiable services can be used to detect this kind of abuse. However, as the source of these attacks is spoofed to the victim address, it is possible only to report on victims being abused, not on the true source of the DDoS.
You can read more about our DDoS attack observations in the SISSDEN blog entry on observations on DDoS attacks in 2018. For more insight into how amplifiable DDoS attacks work, check out this writeup and paper by Christian Rossow, as well as the US-CERT Alert (TA14-017A).
This report contains information about the IP that was attacked (set to src_ip) and the port that was abused on the honeypot to try to make it attack your IP (set to dst_port).
You can learn more on the report in our Honeypot Amplification DDoS Events Report tutorial.
You can learn more on our reports in general in our Overview of Free Public Benefit Shadowserver Reports presentation, which also explains example Use Cases.
File name: event4_honeypot_ddos_amp