Below is an analysis of the vDOS database log leek. It was done using an ELK stack which can be found here:
http://www.toms-blog.com/post/vdos-analysis-elk-stack-vagrant/
Types of attacks
The below pie chart shows the different types of attacks. It shows that more than 50% of the attacks were DNS based attacks followed by NTP. This doesn’t come as a big shock as these protocols can easily be amplified due to the amount of misconfigured servers publicly available
Attacks by Country by Week
The graph below shows the 2 biggest targets of vDOS customers was China and the US with most other countries roughly hovering around the same amount. China seems to be attacked most with some weeks it being hit twice as much as the US.
Graphic below shows a visual representation of overall attacks globally.
Attack Durations
The table below shows the average, min and max of attack durations. These are put in to Seconds, Minutes and Hours, although in the logs themselves they are only given in seconds.
| Average | Max | Min | |
|---|---|---|---|
| Seconds | 1,624 | 25,200 | 30 |
| Minutes | 27 | 420 | 0.5 |
| Hours | 0.5 | 7 | - |
Conclusions
There’s a lot more data in the logs, the above is just a small amount, though you can draw some simple conclusions.
DNS being the most used attack method was not a surprise due the prevalence of Open DNS resolvers and them being easily used in amplification attacks. The same can be said for NTP although I would have thought NTP would be used the most or at least the same amount as DNS due to recent publications of misconfigured NTP servers. It also shows how the more traditional attacks such as TCP-SYN and TCP-ACK are being dropped in favour of the new amplification attacks.
The most surprising bit of the above was the amount of attacks on China especially compared to America. You would always expect these 2 countries to be in the top spots but not by as much as they were, especially with China being attacked twice as much as the US.
Another surprise was the average duration was only 30 minutes and the maximum only being 7 hours. These aren’t massive durations and shows more that this service was probably used for small attacks.