DDoS Research data open-sourced on scans.io

For the last 3 years we have been working on a research project on UDP services who could be and are being abused in relation to DDoS Attacks.

The original idea was to attempt to identify why a large part of DDoS attacks were originating from Russia and China, could this be due to the amount of services in the different countries or ?

The answer to this was not conclusive as the services abused had a high amount in the two countries there were no direct evidence onto why.

A guess could be that take-downs of vulnerable services in these countries, were not seen as much but again nothing conclusive.

Around 12.000.000+ services is public on the internet and could potentially be abused in DDoS attacks.

The research covered 20 different UDP services, with 21 different attacks scenarios.

During this research as often happens when you go down the rabbit hole you end up in another place and the research turned from defensive to offensive.

By using the large dataset collected in this case only on UDP the attack scenario of “MaxPain” came to life. The thought behind this is that the closer to the target and attacker can come.

Looking at a “standard” anti-DDoS solution it could look like the below illustration

When applying the attack analysis of MaxPain you start searching as close to the victim for and work you way out. This can have the effect that instead of having to reach the DDoS size of 1-2 Tbit/s you just need to reach line speed on the internet connection.

It was also during this research that I found another UDP protocol that can be abused in DDoS attacks, in this case an IoT protocal named CoAP

“The Constrained Application Protocol (CoAP) is a specialized web transfer protocol for use with constrained nodes and constrained networks in the Internet of Things.

The protocol is designed for machine-to-machine (M2M) applications such as smart energy and building automation.”

What was especially “interesting” was that this protocol was designed around 2014 and still not found a way to avoid from being abused.

The service was not really being used when the research project started, however around between november 2017 and december 2018 it jumped from 6500 instances to 26.000 and last month it was close to 600.000 just in China and still raising.
This can be due to implementation in a service in China providing “The worlds first decentralized mobile network” (http://qlink.mobi)

Presenting the research

I has been an honor to present this research at RVASec 2018 (US), Hack.lu(LU), IDA Driving IT(DK) and Erhvervsakademi Aarhus(DK)

RVASec 2018, Richmond VA

Raw data set from 2016-2018

Now this research project has come to an end and we are happy to announce that Censys has allowed eCrimeLabs to share the raw scanning dataset on the scans.io project page - https://scans.io/study/ecrimelabs-amplifiers.

The dataset consist of 3 large *.tar files, that again contains a lot of bz2 compressed json files.

If you like to work with PCAP’s instead a JSON file, the json2pcap conversion tool is located on Github. This can be used as “simulated” attacks, in your security products.

The structure of the JSON