CRITICAL: Honeypot DDoS Events Report

DESCRIPTION LAST UPDATED: 2023-12-06

DEFAULT SEVERITY LEVEL: CRITICAL

This report contains information about DDoS attack commands observed by honeypot drones. These drones emulate machines infected with malware bots and listen for the commands given to those bots. Each event records the C2 issuing the command, target information, the malware family, the protocol used for C2 and the attack destination, as well as various attack parameters.

The src_ip below is the IP of the C2 issuing the commands; the dst_ip is the IP of the attack victim. If you are receiving this report, it means that a C2 (src_ip) issuing the attack command was located on your network or constituency.

The activity reported is typically related to Mirai-like bots. The naming convention and descriptions are consistent with the published Mirai source code.

This report has a sister version that contains the same information but is filtered by dst_ip (address of attack victims): Honeypot DDoS Target Events Report.

You can learn more about this report in our Honeypot DDoS Events Report tutorial.

You can learn more about our reports in general in our Overview of Free Public Benefit Shadowserver Reports presentation, which also explains example Use Cases.

Severity levels are described here.

This report was enabled as part of the European Union HaDEA CEF VARIoT project.

File name: event4_honeypot_ddos

 

Fields

  • timestamp
    Timestamp when the source IP was seen in UTC+0
  • protocol
    Packet type of the connection traffic (UDP/TCP)
  • src_ip
    The source IP of the C2 issuing DDoS attack commands
  • src_port
    Source port of the IP connection
  • src_asn
    ASN of the source IP
  • src_geo
    Country of the source IP
  • src_region
    Region of the source IP
  • src_city
    City of the source IP
  • src_hostname
    Reverse DNS of the source IP
  • src_naics
    North American Industry Classification System Code
  • src_sector
    Sector to which the IP in question belongs; e.g. Communications, Commercial
  • device_vendor
    Source device vendor
  • device_type
    Source device type
  • device_model
    Source device model
  • severity
    Severity level
  • dst_ip
    Destination IP (IP being attacked)
  • dst_port
    Destination port of the IP being attacked
  • dst_asn
    ASN of the destination IP
  • dst_geo
    Country of the destination IP
  • dst_region
    Region of the destination IP
  • dst_city
    City of the destination IP
  • dst_hostname
    Reverse DNS of the destination IP
  • dst_naics
    North American Industry Classification System Code
  • dst_sector
    Sector to which the IP in question belongs; e.g. Communications, Commercial
  • public_source
    Source of the event data
  • infection
    Description of the malware/infection
  • family
    Malware family or campaign associated with the event
  • tag
    Event attributes
  • application
    Application name associated with the event
  • version
    Software version associated with the event
  • event_id
    Unique identifier assigned to the source IP or event
  • dst_network
    Network CIDR being attacked
  • dst_netmask
    Mask of the destination network under attack
  • attack
    Attack type (command issued)
  • duration
    Attack duration
  • attack_src_ip
    Spoofed attack source IP (if set)
  • attack_src_port
    Spoofed attack source port (if set)
  • domain
    Domain to attack (in attack command)
  • domain_transaction_id
    Domain transaction id, default is random (internal bot nomenclature)
  • gcip
    May be used to set internal IP to destination ip, default is 0 (no)
  • http_method
    HTTP method name used for the attack, default is GET
  • http_path
    HTTP path used for the observed attack, default is /
  • http_postdata
    POST data if any being used in the attack, default is empty/none
  • http_usessl
    Is SSL used in HTTP floods
  • ip_header_ack
    Set the ACK bit in IP header, default is 0 (no) except for ACK flood
  • ip_header_acknum
    Ack number value in TCP header, default is random
  • ip_header_dont_fragment
    Set the Dont-Fragment bit in IP header, default is 0 (no)
  • ip_header_fin
    Set the FIN bit in IP header, default is 0 (no)
  • ip_header_identity
    ID field value in IP header, default is random
  • ip_header_psh
    Set the PSH bit in IP header, default is 0 (no)
  • ip_header_rst
    Set the RST bit in IP header, default is 0 (no)
  • ip_header_seqnum
    Sequence number value in TCP header, default is random
  • ip_header_syn
    Set the SYN bit in IP header, default is 0 (no) except for SYN flood
  • ip_header_tos
    TOS field value in IP header, default is 0
  • ip_header_ttl
    TTL field in IP header, default is 255
  • ip_header_urg
    Set the URG bit in IP header, default is 0 (no)
  • number_of_connections
    Number of connections
  • packet_length
    Size of packet data, default is 512 bytes
  • packet_randomized
    Randomize packet data content, default is 1 (yes)
  • http_agent
    HTTP agent

Sample

"timestamp","protocol","src_ip","src_port","src_asn","src_geo","src_region","src_city","src_hostname","src_naics","src_sector","device_vendor","device_type","device_model","severity","dst_ip","dst_port","dst_asn","dst_geo","dst_region","dst_city","dst_hostname","dst_naics","dst_sector","domain_source","public_source","infection","family","tag","application","version","event_id","dst_network","dst_netmask","attack","duration","attack_src_ip","attack_src_port","domain","domain_transaction_id","gcip","http_method","http_path","http_postdata","http_usessl","ip_header_ack","ip_header_acknum","ip_header_dont_fragment","ip_header_fin","ip_header_identity","ip_header_psh","ip_header_rst","ip_header_seqnum","ip_header_syn","ip_header_tos","ip_header_ttl","ip_header_urg","number_of_connections","packet_length","packet_randomized","http_agent"
"2010-02-10 00:00:00",,192.168.0.1,38241,64512,ZZ,Region,City,node01.example.com,0,,,,,critical,172.16.0.1,,65534,ZZ,Region,City,node01.example.net,0,"Communications, Service Provider, and Hosting Service",,,ddos,mirai,mirai,mirai,,,172.16.0.0/16,28,atk9,60,,,node01.example.com,,,,,,,,,,,,,,,,,,,,1399,,
"2010-02-10 00:00:01",,192.168.0.2,38241,64512,ZZ,Region,City,node02.example.com,0,,,,,critical,172.16.0.2,,65534,ZZ,Region,City,node02.example.net,0,"Communications, Service Provider, and Hosting Service",,,ddos,mirai,mirai,mirai,,,172.16.0.0/16,28,atk9,60,,,node02.example.com,,,,,,,,,,,,,,,,,,,,1399,,
"2010-02-10 00:00:02",,192.168.0.3,38241,64512,ZZ,Region,City,node03.example.com,0,,,,,critical,172.16.0.3,,65534,ZZ,Region,City,node03.example.net,0,"Communications, Service Provider, and Hosting Service",,,ddos,mirai,mirai,mirai,,,172.16.0.0/16,28,atk9,60,,,node03.example.com,,,,,,,,,,,,,,,,,,,,1399,,
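
A triage sketch for recipients of this report (an added example, not Shadowserver code): it groups attack commands by C2 src_ip so each reported host can be reviewed together with its targets, attack types and observation window. The sample rows are constructed and carry only a subset of the report's columns; the function name summarize_c2 and its asns parameter are assumptions of this example.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample using a subset of the report's columns (real files carry all of them).
SAMPLE = '''\
"timestamp","src_ip","src_asn","dst_ip","dst_network","family","attack","duration"
"2010-02-10 00:00:00",192.168.0.1,64512,172.16.0.1,172.16.0.0/16,mirai,atk9,60
"2010-02-10 00:00:05",192.168.0.1,64512,172.16.0.2,172.16.0.0/16,mirai,atk9,60
"2010-02-10 00:00:02",192.168.0.2,64513,172.16.0.3,172.16.0.0/16,mirai,atk0,
"2010-02-10 00:00:03",not-an-ip,64512,172.16.0.4,172.16.0.0/16,mirai,atk0,30
'''


def summarize_c2(csv_text, asns=None):
    """Group attack commands by C2 (src_ip); asns optionally limits to your own ASNs."""
    acc = defaultdict(lambda: {"commands": 0, "victims": set(), "attacks": set(),
                               "first_seen": None, "last_seen": None,
                               "total_duration": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            src = str(ipaddress.ip_address((row.get("src_ip") or "").strip()))
        except ValueError:
            continue  # skip rows without a usable C2 address
        if asns is not None and (row.get("src_asn") or "") not in asns:
            continue
        c2 = acc[src]
        c2["commands"] += 1
        for key, col in (("victims", "dst_ip"), ("attacks", "attack")):
            if row.get(col):
                c2[key].add(row[col])
        ts = row.get("timestamp") or None
        if ts:
            # "YYYY-MM-DD HH:MM:SS" in UTC+0 orders correctly as a plain string.
            c2["first_seen"] = min(filter(None, (c2["first_seen"], ts)))
            c2["last_seen"] = max(filter(None, (c2["last_seen"], ts)))
        if (row.get("duration") or "").isdigit():
            # Sum of commanded durations, in the unit the report uses.
            c2["total_duration"] += int(row["duration"])
    return {ip: {**v, "victims": sorted(v["victims"]), "attacks": sorted(v["attacks"])}
            for ip, v in acc.items()}


if __name__ == "__main__":
    for ip, info in summarize_c2(SAMPLE, asns={"64512"}).items():
        print(ip, info)
```

Passing your own ASNs as strings keeps only the C2s you are responsible for; rows with an unparsable src_ip are skipped rather than counted.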
