Introduction

This report contains observed reflected DDoS Amplification events. Note that as these types of attacks involve source address spoofing (to the IP of the target), only information about the target IP is included in the reports. For more information about DDoS Amplification attacks please read US-CERT Alert (TA14-017A).

Acknowledgement

This report type was enabled as part of the EU Horizon 2020 SISSDEN Project.

Fields

| Field | Description |
|---|---|
| timestamp | Time that the amplification DDoS was registered, in UTC+0 |
| ip | The IP address being DDoSed |
| protocol | Protocol used for the DDoS reflection attack |
| dst_port | Port being used for the DDoS reflection attack (i.e. associated with the service/protocol used for amplification) |
| tag | Additional attack information, for example the service name used for the attack |
| src_port | Source port of the spoofed packets being sent |
| hostname | PTR record of the target IP |
| asn | ASN announcing the target IP |
| geo | Country where the target IP resides |
| region | State / Province / Administrative region where the target IP resides |
| city | City where the target IP resides |
| naics | North American Industry Classification System Code of the target IP |
| sic | Standard Industrial Classification System Code of the target IP |
| request | Request being used to generate the amplification attack, if recorded |
| count | Count of requests sent as part of the amplification attack, if recorded |
| bytes | Bytes sent as part of the attack |
| sensor_geo | Geolocation of sensor that detected the reflected amplification attack |
| sector | Sector the target IP belongs to |
| end_time | The time when the attack ended (if recorded by the source) |
| public_source | Source of the data, for cases where the source accepts being credited |

Sample

"timestamp",ip,protocol,dst_port,tag,src_port,hostname,asn,geo,region,city,naics,sic,request,count,bytes,sensor_geo,sector,"end_time",public_source
"2018-10-09 06:00:06",192.0.2.10,udp,13,daytime,53,,44395,AM,YEREVAN,YEREVAN,0,0,"DAYTIME Request",15,2220,RU,
"2018-10-09 08:14:37",192.0.2.50,udp,123,ntp,53,dhcp-50-2-0-192.net1.bg,43561,BG,SOFIA-GRAD,SOFIA,0,0,"Standard query response 0xe98a  NS auth111.ns.uu.net NS auth120.ns.uu.net",15,2700,RU,
"2018-10-09 13:15:36",198.51.100.20,udp,1900,,45486,,199155,PT,COLMBRA,"OLIVEIRA DO HOSPITAL",0,0,"M-SEARCH * HTTP/1.1",37,3626,RU,
"2018-10-09 14:48:50",198.51.100.70,udp,1900,,18693,,39891,SA,"AR RIYAD",RIYADH,0,0,"M-SEARCH * HTTP/1.1",75,7350,RU,
"2018-10-20 00:00:17",198.51.100.155,,11211,,,,134764,CN,,GUANGZHOU,0,0,,,,,Communications,,SISSDEN
"2018-10-20 00:02:48",203.0.113.10,,19,,,c-10-113-0-203.hsd1.fl.comcast.net,7922,US,FLORIDA,"PORT SAINT LUCIE",518111,737401,,,,,,"2018-10-20 00:09:55",SISSDEN
"2018-10-20 23:56:22",203.0.113.205,,123,,,,39891,SA,MAKKAH,JIDDAH,0,0,,,,,,,SISSDEN
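The following parser is an added example, not code from the report's publisher. It reads rows in the format shown above, pads the rows that stop after the sector column (as the first four sample rows do), treats empty "if recorded" fields as missing, and groups targets by announcing ASN. The function names are assumptions made for this example; the embedded rows are copied from the sample.

```python
import csv
import io
from collections import defaultdict

# Column order from the report's header line.
FIELDS = ("timestamp,ip,protocol,dst_port,tag,src_port,hostname,asn,geo,region,"
          "city,naics,sic,request,count,bytes,sensor_geo,sector,end_time,"
          "public_source").split(",")

# Rows copied from the Sample section above (header line omitted).
SAMPLE = '''\
"2018-10-09 13:15:36",198.51.100.20,udp,1900,,45486,,199155,PT,COLMBRA,"OLIVEIRA DO HOSPITAL",0,0,"M-SEARCH * HTTP/1.1",37,3626,RU,
"2018-10-09 14:48:50",198.51.100.70,udp,1900,,18693,,39891,SA,"AR RIYAD",RIYADH,0,0,"M-SEARCH * HTTP/1.1",75,7350,RU,
"2018-10-20 00:02:48",203.0.113.10,,19,,,c-10-113-0-203.hsd1.fl.comcast.net,7922,US,FLORIDA,"PORT SAINT LUCIE",518111,737401,,,,,,"2018-10-20 00:09:55",SISSDEN
"2018-10-20 23:56:22",203.0.113.205,,123,,,,39891,SA,MAKKAH,JIDDAH,0,0,,,,,,,SISSDEN
'''

def to_int(value):
    """Return an int, or None when the field is empty (not recorded)."""
    return int(value) if value.strip() else None

def parse_events(text):
    """Yield one dict per row, padding rows that lack the trailing columns."""
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0] == "timestamp":
            continue  # skip blank lines and the header line
        row = row + [""] * (len(FIELDS) - len(row))
        event = dict(zip(FIELDS, row))
        for key in ("dst_port", "src_port", "asn", "count", "bytes"):
            event[key] = to_int(event[key])
        yield event

def summarize_by_asn(events):
    """Group target IPs, abused ports and byte totals per announcing ASN."""
    summary = defaultdict(lambda: {"targets": set(), "ports": set(), "bytes": 0})
    for e in events:
        entry = summary[e["asn"]]
        entry["targets"].add(e["ip"])
        entry["ports"].add(e["dst_port"])
        entry["bytes"] += e["bytes"] or 0  # bytes may be unrecorded
    return dict(summary)

if __name__ == "__main__":
    for asn, info in sorted(summarize_by_asn(parse_events(SAMPLE)).items()):
        print(asn, sorted(info["targets"]), sorted(info["ports"]), info["bytes"])
```
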
