vDOS analysis with ELK stack and Vagrant

Sun, 13 Nov 2016 15:48:19 +0000

vDOS was a booter service ran out of Israel allowing anyone to DDOS victims. In July 2016 Brian Krebs obtained a database dump from the booter service giving insight into the techniques used and victims of the service.

You can see Brian’s posts here:

https://krebsonsecurity.com/2016/09/alleged-vdos-proprietors-arrested-in-israel/

https://krebsonsecurity.com/2016/09/israeli-online-attack-service-vdos-earned-600000-in-two-years/

To analyse the database I’ve written a Vagrantfile which installs the ELK stack and uses logstash to put the vDOS log file into Elasticsearch, Kibana can then be used to analyse the data.

The Vagrantfile and provision script can be found here:

https://github.com/thomasweaver/vdos-elasticsearch-vagrant

NOTE: The database is not provided here. You must obtain it yourself and copy it the vagrant folder with name attacks.txt The memory is set to 4GB in the Vagrantfile, make sure you have enough memory before doing a vagrant up

git clone https://github.com/thomasweaver/vdos-elasticsearch-vagrant.git
cd vdos-elasticsearch-vagrant
cp location-of-attack-database attacks.txt
vagrant up

Kibana can then be access on

http://127.0.0.1:5601

You can then search for your IP, ASN, Company Name or URL.

The above shows a search for “Google Inc” and then an individual log entry

TomsBlog

vDOS analysis with ELK stack and Vagrant