INFO: Honeypot DDoS Target Events Report

DESCRIPTION LAST UPDATED: 2023-12-06

DEFAULT SEVERITY LEVEL: INFO

This report contains information about DDoS attack targets observed by honeypot drones. These drones emulate malware bot infected machines and can listen to commands given to those bots. These commands include the C2 issuing the command and target information, malware family, protocol being used for C2 and attack destination as well as various attack parameters.

The dst_ip is the IP of the attack victim, the src_ip below is the C2 IP issuing the commands. If you are getting this report, it means an IP (dst_ip) that was targeted  was located on your network or constituency (attack destination).

The activity reported is typically related to Mirai like bots. The naming convention and description is consistent with the Mirai source code published.

This report has its sister version that contains the same information but filtered by src_ip (address of the C2 issuing commands): the Honeypot DDoS Event Report.

You can learn more on the report in our Honeypot DDoS Target Events Report tutorial.

You can learn more on our reports in general in our Overview of Free Public Benefit Shadowserver Reports presentation, which also explains example Use Cases.

You can view HTTP DDoS Target events on our Dashboard.

This report was enabled as part of the European Union HaDEA CEF VARIoT project.

Severity levels are described here.

File name: event4_honeypot_ddos_target

 

Fields

  • timestamp
    Timestamp when the destination IP was seen in UTC+0
  • protocol
    Packet type of the connection traffic (UDP/TCP)
  • dst_ip
    Destination IP (being attacked by a DDoS)
  • dst_port
    Destination port (being attacked by a DDoS)
  • dst_asn
    ASN of the destination IP
  • dst_geo
    Country of the destination IP
  • dst_region
    Region of the destination IP
  • dst_city
    City of the destination IP
  • dst_hostname
    Reverse DNS of the destination IP
  • dst_naics
    North American Industry Classification System Code
  • dst_sector
    Sector to which the destination IP in question belongs; e.g. Communications, Commercial
  • device_vendor
    Destination device vendor
  • device_type
    Destination device type
  • device_model
    Destination device model
  • severity
    Severity level
  • src_ip
    Source IP (IP acting as C2, ie. issuing commands)
  • src_port
    Source port of attack commands
  • src_asn
    ASN of the source IP
  • src_geo
    Country of the source IP
  • src_region
    Region of the source IP
  • src_city
    City of the source IP
  • src_hostname
    Reverse DNS of the source IP
  • src_naics
    North American Industry Classification System Code
  • src_sector
    Sector to which the destination IP in question belongs; e.g. Communications, Commercial
  • public_source
    Source of the event data
  • infection
    Description of the malware/infection
  • family
    Malware family or campaign associated with the event
  • tag
    Event attributes
  • application
    Application name associated with the event
  • version
    Software version associated with the event
  • event_id
    Unique identifier assigned to the source IP or event
  • dst_network
    Network CIDR being attacked
  • dst_netmask
    Mask of the destination network under attack
  • attack
    Attack type (command issued)
  • duration
    Attack duration
  • attack_src_ip
    Spoofed attack source IP (if set)
  • attack_src_port
    Spoofed attack source port (if set)
  • domain
    Domain to attack (in attack command)
  • domain_transaction_id
    Domain transaction id, default is random (internal bot nomenclature)
  • gcip
    May be used to set internal IP to destination ip, default is 0 (no)
  • http_method
    HTTP method name used for the attack, default is GET
  • http_path
    HTTP path used for the observed attack, default is /
  • http_postdata
    POST data if any being used in the attack, default is empty/none
  • http_usessl
    Is SSL used in HTTP floods
  • ip_header_ack
    Set the ACK bit in IP header, default is 0 (no) except for ACK flood"
  • ip_header_acknum
    Ack number value in TCP header, default is random
  • ip_header_dont_fragment
    Set the Dont-Fragment bit in IP header, default is 0 (no)
  • ip_header_fin
    Set the FIN bit in IP header, default is 0 (no)
  • ip_header_identity
    ID field value in IP header, default is random
  • ip_header_psh
    Set the PSH bit in IP header, default is 0 (no)
  • ip_header_rst
    Set the RST bit in IP header, default is 0 (no)
  • ip_header_seqnum
    Sequence number value in TCP header, default is random
  • ip_header_syn
    Set the ACK bit in IP header, default is 0 (no) except for SYN flood
  • ip_header_tos
    TOS field value in IP header, default is 0
  • ip_header_ttl
    TTL field in IP header, default is 255
  • ip_header_urg
    Set the URG bit in IP header, default is 0 (no)
  • number_of_connections
    Number of connections
  • packet_length
    Size of packet data, default is 512 bytes
  • packet_randomized
    Randomize packet data content, default is 1 (yes)

Sample

"timestamp","protocol","dst_ip","dst_port","dst_asn","dst_geo","dst_region","dst_city","dst_hostname","dst_naics","dst_sector","device_vendor","device_type","device_model","severity","src_ip","src_port","src_asn","src_geo","src_region","src_city","src_hostname","src_naics","src_sector","domain_source","public_source","infection","family","tag","application","version","event_id","dst_network","dst_netmask","attack","duration","attack_src_ip","attack_src_port","domain","domain_transaction_id","gcip","http_method","http_path","http_postdata","http_usessl","ip_header_ack","ip_header_acknum","ip_header_dont_fragment","ip_header_fin","ip_header_identity","ip_header_psh","ip_header_rst","ip_header_seqnum","ip_header_syn","ip_header_tos","ip_header_ttl","ip_header_urg","number_of_connections","packet_length","packet_randomized"
"2010-02-10 00:00:00",,172.16.0.1,,65534,ZZ,Region,City,node01.example.net,0,"Communications, Service Provider, and Hosting Service",,,,critical,192.168.0.1,38241,64512,ZZ,Region,City,node01.example.com,0,,,,ddos-target,mirai,mirai,mirai,,,172.16.0.0/16,28,atk9,60,,,node01.example.com,,,,,,,,,,,,,,,,,,,,1399,
"2010-02-10 00:00:01",,172.16.0.2,,65534,ZZ,Region,City,node02.example.net,0,"Communications, Service Provider, and Hosting Service",,,,critical,192.168.0.2,38241,64512,ZZ,Region,City,node02.example.com,0,,,,ddos-target,mirai,mirai,mirai,,,172.16.0.0/16,28,atk9,60,,,node02.example.com,,,,,,,,,,,,,,,,,,,,1399,
"2010-02-10 00:00:02",,172.16.0.3,,65534,ZZ,Region,City,node03.example.net,0,"Communications, Service Provider, and Hosting Service",,,,critical,192.168.0.3,38241,64512,ZZ,Region,City,node03.example.com,0,,,,ddos-target,mirai,mirai,mirai,,,172.16.0.0/16,28,atk9,60,,,node03.example.com,,,,,,,,,,,,,,,,,,,,1399,

Our 131 Report Types

« Back to Network Reporting