INFO: Honeypot Amplification DDoS Events Report

DESCRIPTION LAST UPDATED: 2024-08-16

DEFAULT SEVERITY LEVEL: INFO

This report contains information about honeypot observed amplification DDoS events. If you are seeing this report, it means that your IP was DDoSed using other hosts/services as reflectors.

This category of DDoS attacks utilizes UDP-based, open, amplifiable services to reflect packets to a victim, by spoofing the source IP address of the packets sent by the amplifier to the victim’s IP address.

Depending on the protocol and type of open services abused, the size of the original packet content sent by the attacker can be amplified in the service response multiple times (even by a factor of hundreds), flooding the victim with packets and enabling DDoS.

Honeypots that emulate open and amplifiable services can be used to detect this kind of abuse. However, as the source of these attacks is spoofed to the victim address, it is possible only to report on victims being abused, not on the true source of the DDoS.

For more insight into how amplifiable DDoS attacks work, check out this writeup and paper by Christian Rossow, as well as the US-CERT Alert (TA14-017A).

This report contains information about the IP that was attacked (set to src_ip) and the port that was abused on the honeypot to try to make it attack your IP (set to dst_port).

You can learn more on the report in our Honeypot Amplification DDoS Events Report tutorial.

Follow Amplification DDoS attacks on our Dashboard.

You can learn more on our reports in general in our Overview of Free Public Benefit Shadowserver Reports presentation, which also explains example Use Cases.

Severity levels are described here.

File name: event4_honeypot_ddos_amp

Fields

  • timestamp
    Timestamp when the IP was seen in UTC+0
  • protocol
    Packet type of the connection traffic (UDP/TCP)
  • src_ip
    The IP of the device in question
  • src_port
    Source port of the IP connection
  • src_asn
    ASN of the source IP
  • src_geo
    Country of the source IP
  • src_region
    Region of the source IP
  • src_city
    City of the source IP
  • src_hostname
    Reverse DNS of the source IP
  • src_naics
    North American Industry Classification System Code
  • src_sector
    Sector to which the IP in question belongs; e.g. Communications, Commercial
  • device_vendor
    Source device vendor
  • device_type
    Source device type
  • device_model
    Source device model
  • severity
    Severity level
  • dst_ip
    Destination IP
  • dst_port
    Destination port of the IP connection
  • dst_asn
    ASN of the destination IP
  • dst_geo
    Country of the destination IP
  • dst_region
    Region of the destination IP
  • dst_city
    City of the destination IP
  • dst_hostname
    Reverse DNS of the destination IP
  • dst_naics
    North American Industry Classification System Code
  • dst_sector
    Sector to which the IP in question belongs; e.g. Communications, Commercial
  • public_source
    Source of the event data
  • infection
    Description of the malware/infection
  • family
    Malware family or campaign associated with the event
  • tag
    Event attributes
  • application
    Application name associated with the event
  • version
    Software version associated with the event
  • event_id
    Unique identifier assigned to the source IP or event
  • request
    Request being used to generate the amplification attack, if recorded
  • count
    Count of packets sent as part of the attack
  • bytes
    Bytes sent as part of the attack
  • end_time
    The time when the attack ended (if recorded by the source)
  • duration
    Attack duration (in seconds)
  • avg_pps
    Average packet per second rate observed
  • max_pps
    Maximum packet per second rate observed

Sample

"timestamp","protocol","src_ip","src_port","src_asn","src_geo","src_region","src_city","src_hostname","src_naics","src_sector","device_vendor","device_type","device_model","severity","dst_ip","dst_port","dst_asn","dst_geo","dst_region","dst_city","dst_hostname","dst_naics","dst_sector","public_source","infection","family","tag","application","version","event_id","request","count","bytes","end_time","duration","avg_pps","max_pps"
"2010-02-10 00:00:00",,192.168.0.1,,64512,ZZ,Region,City,node01.example.com,0,,,,,info,172.16.0.1,123,65534,ZZ,Region,City,node01.example.net,0,,,ddos-amplification,,ntp,,,,,,,"2010-02-10 00:00:00",4317,,
"2010-02-10 00:00:01",udp,192.168.0.2,,64512,ZZ,Region,City,node02.example.com,0,"Communications, Service Provider, and Hosting Service",,,,info,172.16.0.2,3702,65534,ZZ,Region,City,node02.example.net,0,,,ddos-amplification,,ws-discovery,,,67f847a8-647e-5405-8978-c672a7f2f4ba,,384,,"2010-02-10 00:00:01",,,6.4
"2010-02-10 00:00:02",udp,192.168.0.3,,64512,ZZ,Region,City,node03.example.com,0,,,,,info,172.16.0.3,123,65534,ZZ,Region,City,node03.example.net,0,,,ddos-amplification,,ntp,,,1db7e55b-01db-528d-a4ff-4c81c4f45ab2,,154,,"2010-02-10 00:00:02",,,2.57

Our 131 Report Types

« Back to Network Reporting