DDoS Research data open-sourced on

For the last 3 years we have been working on a research project on UDP services who could be and are being abused in relation to DDoS Attacks.

The original idea was to attempt to identify why a large part of DDoS attacks were originating from Russia and China, could this be due to the amount of services in the different countries or ?

The answer to this was not conclusive as the services abused had a high amount in the two countries there were no direct evidence onto why.

A guess could be that take-downs of vulnerable services in these countries, were not seen as much but again nothing conclusive.

Around 12.000.000+ services is public on the internet and could potentially be abused in DDoS attacks.

The research covered 20 different UDP services, with 21 different attacks scenarios.

During this research as often happens when you go down the rabbit hole you end up in another place and the research turned from defensive to offensive.

By using the large dataset collected in this case only on UDP the attack scenario of “MaxPain” came to life. The thought behind this is that the closer to the target and attacker can come.

Looking at a “standard” anti-DDoS solution it could look like the below illustration

When applying the attack analysis of MaxPain you start searching as close to the victim for and work you way out. This can have the effect that instead of having to reach the DDoS size of 1-2 Tbit/s you just need to reach line speed on the internet connection.

It was also during this research that I found another UDP protocol that can be abused in DDoS attacks, in this case an IoT protocal named CoAP

“The Constrained Application Protocol (CoAP) is a specialized web transfer protocol for use with constrained nodes and constrained networks in the Internet of Things.

The protocol is designed for machine-to-machine (M2M) applications such as smart energy and building automation.”

What was especially “interesting” was that this protocol was designed around 2014 and still not found a way to avoid from being abused.

The service was not really being used when the research project started, however around between november 2017 and december 2018 it jumped from 6500 instances to 26.000 and last month it was close to 600.000 just in China and still raising.
This can be due to implementation in a service in China providing “The worlds first decentralized mobile network” (

Presenting the research

I has been an honor to present this research at RVASec 2018 (US),, IDA Driving IT(DK) and Erhvervsakademi Aarhus(DK)

RVASec 2018, Richmond VA

Raw data set from 2016-2018

Now this research project has come to an end and we are happy to announce that Censys has allowed eCrimeLabs to share the raw scanning dataset on the project page -

The dataset consist of 3 large *.tar files, that again contains a lot of bz2 compressed json files.

If you like to work with PCAP’s instead a JSON file, the json2pcap conversion tool is located on Github. This can be used as “simulated” attacks, in your security products.

The structure of the JSON

Attending MISP Threat Intelligence Summit 0x04 and presenting at

Dennis Rand will be attending the MISP Threat Intelligence Summit 0x04 at 2018 the upcoming week, and will at be presenting the latest updates around the DDoS research project, where research around an MaxPain attack will be presented.

The MaxPain attack is where an attacker is using amongst other data mining in order to prepare for the best possible attack scenario. By using this it can be possible to bypassing ISP based and enterprise anti-DDoS solutions.

If you are in Luxembourg the upcomming week and want to meet up, please feel free to reach out.

Update from the conference:

Video’s from the conference as well as the slides

Release of VT2MISP a tool for enriching MISP with VirusTotal data

As a strong believer and supporter of the MISP Threat Sharing Platform as well as a long time user I've often while working  and adding event based on external reports and in relations to incidents we have worked on. This usually also include searching for additional attributes or IOC data to build up knowledge on the event.

This also includes going to VirusTotal to see if there are any information about e.g. hashes. Often in external reports there are only mentioned MD5, SHA1 or SHA256 however the work of doing this manually searching for every hash

and copy-paste this into MISP can be somewhat tedious and will take a long time to add file objects and virustotal-report objects and last but not least make a relation between these two.

For this reason I've created the tool VT2MISP thereby making the data more actionable as I have more data and content around the original hash.

The MISP event of the following case "QUASAR,SOBAKEN AND VERMIN: A deeper look into an ongoing espionage campaign" from ESET.

The VT2MISP is a small python script that can be downloaded HERE.

What is MISP for those who do not know. This is in short a Open Source Threat Sharing platform that allows users to share Threat data between each others, while also using it as an internal tool to collect all the threat data you received whether something you collect yourself or from external sources. The sharing part can be seen as a form of crowdsourcing, so if your network has seen a threat this platform can be used to easily share this with only trusted partners or everyone based on the sensitivity of the data. 

  • Knowledge data for threat data and threat intelligence.
  • Correlation between all the data in your instance.
  • Support for a large collection of OSINT threat feeds.
  • Make easy use of the data into your security solutions.

So don't store your valuable information in your inbox but get it into an ever evolving platform designed and developed by security professionals, Threat hunters and Incident response team.

If you are interested in MISP in general or our MISP SaaS solution a fully managed and detected MISP instance, where you can take advantage of the MISP platform without having to think of the operational part. While also eCrimeLabs has build a custom broker service that allows you to use the data in MISP to add into your security products in a simple way. You can read more on our services Threat Intelligence Software-as-a-Service or contact us directly

RVASec 2018 -So you think IoT DDoS botnets are dangerous - Bypassing ISP and Enterprise Anti-DDoS with 90’s technology

On the 7. of June 2018 Dennis Rand presented on the RVASec conference in Richmond, Virginia on the topic of how we in the future will see attacks that are not easily or even possible to mitigate. 

The need to do digital hygiene if we want to protect our networks.

The videos from the conference has now been released.

Presenting DDoS research at RVASEC 2018

eCrimeLabs is proud to announce Dennis Rand will be attending as speaker at RVAsec 2018 in Richmond Virginia.

"RVAsec is the first Richmond, Virginia, security convention to bring top speakers to the mid-atlantic region.  The conference will be held on Thursday, June 7th and Friday June 8th 2018 at the Commonwealth Ballroom at VCU’s University Commons."

The research presented started originally back in 2016 with analysis of DDoS attacks.

As the research and analysis of data evolved, I discovered that there is a large gap in the Anti-DDoS defenses that are existing today allowing attackers with a minimal of effort and some data mining to bypass the enterprise and ISP based DDoS solutions out there.

Also during the research I was looking through alternate UDP service that could in the future pose a problem and here came upon an IoT protocol, introducing the same possibilities as services designed over 20 years ago.

The problem exists in the still large and growing amount of vulnerable services exposed to the internet. The numbers from April 2018 was close to 19.000.000 IP's that has a potential of being abused.