vDOS log analysis

Thu, 17 Nov 2016 20:41:08 +0000

Below is an analysis of the vDOS database log leek. It was done using an ELK stack which can be found here:

http://www.toms-blog.com/post/vdos-analysis-elk-stack-vagrant/

Types of attacks

The below pie chart shows the different types of attacks. It shows that more than 50% of the attacks were DNS based attacks followed by NTP. This doesn’t come as a big shock as these protocols can easily be amplified due to the amount of misconfigured servers publicly available

Attacks by Country by Week

The graph below shows the 2 biggest targets of vDOS customers was China and the US with most other countries roughly hovering around the same amount. China seems to be attacked most with some weeks it being hit twice as much as the US.

Graphic below shows a visual representation of overall attacks globally.

Attack Durations

The table below shows the average, min and max of attack durations. These are put in to Seconds, Minutes and Hours, although in the logs themselves they are only given in seconds.

	Average	Max	Min
Seconds	1,624	25,200	30
Minutes	27	420	0.5
Hours	0.5	7	-

Conclusions

There’s a lot more data in the logs, the above is just a small amount, though you can draw some simple conclusions.

DNS being the most used attack method was not a surprise due the prevalence of Open DNS resolvers and them being easily used in amplification attacks. The same can be said for NTP although I would have thought NTP would be used the most or at least the same amount as DNS due to recent publications of misconfigured NTP servers. It also shows how the more traditional attacks such as TCP-SYN and TCP-ACK are being dropped in favour of the new amplification attacks.

The most surprising bit of the above was the amount of attacks on China especially compared to America. You would always expect these 2 countries to be in the top spots but not by as much as they were, especially with China being attacked twice as much as the US.

Another surprise was the average duration was only 30 minutes and the maximum only being 7 hours. These aren’t massive durations and shows more that this service was probably used for small attacks.

vDOS analysis with ELK stack and Vagrant

Sun, 13 Nov 2016 15:48:19 +0000

vDOS was a booter service ran out of Israel allowing anyone to DDOS victims. In July 2016 Brian Krebs obtained a database dump from the booter service giving insight into the techniques used and victims of the service.

You can see Brian’s posts here:

https://krebsonsecurity.com/2016/09/alleged-vdos-proprietors-arrested-in-israel/

https://krebsonsecurity.com/2016/09/israeli-online-attack-service-vdos-earned-600000-in-two-years/

To analyse the database I’ve written a Vagrantfile which installs the ELK stack and uses logstash to put the vDOS log file into Elasticsearch, Kibana can then be used to analyse the data.

The Vagrantfile and provision script can be found here:

https://github.com/thomasweaver/vdos-elasticsearch-vagrant

NOTE: The database is not provided here. You must obtain it yourself and copy it the vagrant folder with name attacks.txt The memory is set to 4GB in the Vagrantfile, make sure you have enough memory before doing a vagrant up

git clone https://github.com/thomasweaver/vdos-elasticsearch-vagrant.git
cd vdos-elasticsearch-vagrant
cp location-of-attack-database attacks.txt
vagrant up

Kibana can then be access on

http://127.0.0.1:5601

You can then search for your IP, ASN, Company Name or URL.