This report contains observed reflected amplification DDoS events.
Description
This category of DDoS attacks abuses UDP-based, open, amplifiable services to reflect packets at a victim: the attacker sends requests to the amplifier with the source IP address spoofed to the victim’s IP address, so the amplifier’s responses are delivered to the victim instead of the attacker.
Depending on the protocol and type of open services abused, the size of the original packet content sent by the attacker can be amplified in the service response multiple times (even by a factor of hundreds), flooding the victim with packets and enabling DDoS.
Honeypots that emulate open and amplifiable services can be used to detect this kind of abuse. However, because the source address of these requests is spoofed to the victim’s address, only the victim being abused can be reported, not the true source of the DDoS.
Fields
Field | Description |
--- | --- |
timestamp | Time that the amplification DDoS was registered, in UTC+0 |
ip | The IP address being DDoSed |
protocol | Protocol used for the DDoS reflection attack |
dst_port | Port being used for the DDoS reflection attack (i.e. the port associated with the service/protocol used for amplification) |
tag | Additional attack information, for example the service name used for the attack |
src_port | Source port of the spoofed packets being sent |
hostname | PTR record of the target IP |
asn | ASN announcing the target IP |
geo | Country where the target IP resides |
region | State / Province / Administrative region where the target IP resides |
city | City where the target IP resides |
naics | North American Industry Classification System code of the target IP |
sic | Standard Industrial Classification code of the target IP |
request | Request being used to generate the amplification attack, if recorded |
count | Count of requests sent as part of the amplification attack, if recorded |
bytes | Bytes sent as part of the attack |
sensor_geo | Geolocation of the sensor that detected the reflected amplification attack |
sector | Sector the target IP belongs to |
end_time | The time when the attack ended (if recorded by the source) |
public_source | Source of the data, for cases where the source accepts being credited |
Delivery Mechanism
The report is sent out daily via The Shadowserver Foundation’s free victim remediation reporting service. All events coming from SISSDEN are clearly marked as “SISSDEN”.
Sample Report
"timestamp",ip,protocol,dst_port,tag,src_port,hostname,asn,geo,region,city,naics,sic,request,count,bytes,sensor_geo,sector,"end_time",public_source
"2018-10-09 06:00:06",192.0.2.10,udp,13,daytime,53,,44395,AM,YEREVAN,YEREVAN,0,0,"DAYTIME Request",15,2220,RU,
"2018-10-09 08:14:37",192.0.2.50,udp,123,ntp,53,dhcp-50-2-0-192.net1.bg,43561,BG,SOFIA-GRAD,SOFIA,0,0,"Standard query response 0xe98a NS auth111.ns.uu.net NS auth120.ns.uu.net",15,2700,RU,
"2018-10-09 13:15:36",198.51.100.20,udp,1900,,45486,,199155,PT,COLMBRA,"OLIVEIRA DO HOSPITAL",0,0,"M-SEARCH * HTTP/1.1",37,3626,RU,
"2018-10-09 14:48:50",198.51.100.70,udp,1900,,18693,,39891,SA,"AR RIYAD",RIYADH,0,0,"M-SEARCH * HTTP/1.1",75,7350,RU,
"2018-10-20 00:00:17",198.51.100.155,,11211,,,,134764,CN,,GUANGZHOU,0,0,,,,,Communications,,SISSDEN
"2018-10-20 00:02:48",203.0.113.10,,19,,,c-10-113-0-203.hsd1.fl.comcast.net,7922,US,FLORIDA,"PORT SAINT LUCIE",518111,737401,,,,,,"2018-10-20 00:09:55",SISSDEN
"2018-10-20 23:56:22",203.0.113.205,,123,,,,39891,SA,MAKKAH,JIDDAH,0,0,,,,,,,SISSDEN
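The following is an added example of how a report recipient could ingest this feed; it is not Shadowserver's or SISSDEN's own tooling. It assumes the 20-column layout from the Fields table above and uses the rows from the Sample Report as its input. Two practical details it handles: records that stop short of the full column set (the first four sample rows end after sensor_geo/sector), and records where count/bytes/tag were not recorded. The `service` label, the per-network filter and the per-service summary are this example's own additions, not fields of the report.

```python
"""Parse a Shadowserver-style amplification DDoS victim report (added example)."""
import csv
import io
import ipaddress
from collections import defaultdict

# Rows copied from the Sample Report section of the page. The first four
# records have fewer than 20 fields, which a naive split-on-comma parser
# would mishandle; csv.DictReader pads them via restval.
SAMPLE_REPORT = """\
"timestamp",ip,protocol,dst_port,tag,src_port,hostname,asn,geo,region,city,naics,sic,request,count,bytes,sensor_geo,sector,"end_time",public_source
"2018-10-09 06:00:06",192.0.2.10,udp,13,daytime,53,,44395,AM,YEREVAN,YEREVAN,0,0,"DAYTIME Request",15,2220,RU,
"2018-10-09 08:14:37",192.0.2.50,udp,123,ntp,53,dhcp-50-2-0-192.net1.bg,43561,BG,SOFIA-GRAD,SOFIA,0,0,"Standard query response 0xe98a NS auth111.ns.uu.net NS auth120.ns.uu.net",15,2700,RU,
"2018-10-09 13:15:36",198.51.100.20,udp,1900,,45486,,199155,PT,COLMBRA,"OLIVEIRA DO HOSPITAL",0,0,"M-SEARCH * HTTP/1.1",37,3626,RU,
"2018-10-09 14:48:50",198.51.100.70,udp,1900,,18693,,39891,SA,"AR RIYAD",RIYADH,0,0,"M-SEARCH * HTTP/1.1",75,7350,RU,
"2018-10-20 00:00:17",198.51.100.155,,11211,,,,134764,CN,,GUANGZHOU,0,0,,,,,Communications,,SISSDEN
"2018-10-20 00:02:48",203.0.113.10,,19,,,c-10-113-0-203.hsd1.fl.comcast.net,7922,US,FLORIDA,"PORT SAINT LUCIE",518111,737401,,,,,,"2018-10-20 00:09:55",SISSDEN
"2018-10-20 23:56:22",203.0.113.205,,123,,,,39891,SA,MAKKAH,JIDDAH,0,0,,,,,,,SISSDEN
"""


def _int_or_none(value):
    """Numeric report columns are blank when the source did not record them."""
    return int(value) if value not in ("", None) else None


def parse_report(text):
    """Return one dict per record with every column present.

    Short rows are padded with '' (restval) so downstream code never hits a
    KeyError on end_time or public_source. Adds two derived keys that are
    this example's own: 'service' (tag, or 'udp/<dst_port>' when the tag is
    blank) and 'avg_bytes_per_request' (bytes / count when both are recorded).
    """
    reader = csv.DictReader(io.StringIO(text), restval="")
    records = []
    for row in reader:
        rec = dict(row)
        rec["dst_port"] = _int_or_none(rec["dst_port"])
        rec["count"] = _int_or_none(rec["count"])
        rec["bytes"] = _int_or_none(rec["bytes"])
        rec["service"] = rec["tag"] or f"udp/{rec['dst_port']}"
        if rec["count"] and rec["bytes"]:
            rec["avg_bytes_per_request"] = rec["bytes"] / rec["count"]
        else:
            rec["avg_bytes_per_request"] = None
        records.append(rec)
    return records


def events_for_networks(records, networks):
    """Keep only events whose victim IP falls inside one of the given CIDR
    prefixes, e.g. the address space a recipient is responsible for."""
    nets = [ipaddress.ip_network(n) for n in networks]
    return [r for r in records
            if any(ipaddress.ip_address(r["ip"]) in n for n in nets)]


def summarize_by_service(records):
    """Per abused service: number of events, distinct victims, and total
    reflected bytes where the source recorded them."""
    acc = defaultdict(lambda: {"events": 0, "bytes": 0, "victims": set()})
    for r in records:
        s = acc[r["service"]]
        s["events"] += 1
        s["bytes"] += r["bytes"] or 0
        s["victims"].add(r["ip"])
    return {k: {"events": v["events"], "bytes": v["bytes"],
                "victims": len(v["victims"])} for k, v in acc.items()}


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    # Hypothetical "our prefix" filter; 198.51.100.0/24 is documentation space.
    for r in events_for_networks(recs, ["198.51.100.0/24"]):
        print(r["timestamp"], r["ip"], r["service"], r["bytes"], r["public_source"])
    for service, s in sorted(summarize_by_service(recs).items()):
        print(f"{service:10s} events={s['events']} victims={s['victims']} bytes={s['bytes']}")
```

Note that rows without a tag fall back to a port-based label, so an NTP event with a tag ("ntp") and one without (port 123, tag blank) are counted separately; normalise on dst_port instead if you want them merged.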