
Description

This report contains observed reflected amplification DDoS events. This category of DDoS attack abuses open, amplifiable UDP-based services to reflect packets to a victim: the attacker spoofs the source IP address of the packets sent to the amplifier, setting it to the victim’s IP address, so that the amplifier's responses go to the victim. Depending on the protocol and type of open service abused, the service response can be many times larger than the original packet sent by the attacker (even by a factor of hundreds), flooding the victim with packets and enabling DDoS. Honeypots that emulate open and amplifiable services can be used to detect this kind of abuse. However, because the source address of these attacks is spoofed to the victim's address, it is only possible to report on the victims being targeted, not on the source of the DDoS. This report type was enabled as part of the EU Horizon 2020 SISSDEN Project.
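The honeypot-side detection described above can be sketched as follows. This is an added example, not code from the report provider: the log format, port list and thresholds (`min_requests`, `max_gap`) are assumptions, and the sample addresses are constructed from documentation ranges.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed set of emulated amplifiable UDP services on the honeypot.
SERVICES = {53: "dns", 123: "ntp", 1900: "ssdp", 11211: "memcached"}

def _burst(start, n, src, port):
    """Build n constructed log rows, one per second, from a claimed source."""
    t0 = datetime.fromisoformat(start)
    return [((t0 + timedelta(seconds=i)).isoformat(), src, port) for i in range(n)]

# Constructed sample: rows are (timestamp, claimed source IP, UDP dst port).
SAMPLE_LOG = (
    _burst("2024-01-01T10:00:00", 8, "192.0.2.10", 123)      # sustained: victim
    + _burst("2024-01-01T10:00:03", 6, "203.0.113.5", 53)    # first attack
    + _burst("2024-01-01T10:10:00", 5, "203.0.113.5", 53)    # repeated later
    + _burst("2024-01-01T10:01:00", 1, "198.51.100.7", 53)   # single probe
    + _burst("2024-01-01T10:01:01", 1, "198.51.100.7", 1900) # single probe
)

def find_victims(log, min_requests=5, max_gap=timedelta(seconds=60)):
    """Group requests per (claimed source, port) into bursts.

    A burst of many requests to an amplifiable service is treated as a
    reflected attack; the claimed (spoofed) source is the victim. Isolated
    requests look like scanning and are not reported.
    """
    by_key = defaultdict(list)
    for ts, src, port in log:
        if port in SERVICES:
            by_key[(src, port)].append(datetime.fromisoformat(ts))
    events = []
    for (src, port), times in sorted(by_key.items()):
        times.sort()
        burst = [times[0]]
        for t in times[1:] + [None]:  # trailing None flushes the last burst
            if t is not None and t - burst[-1] <= max_gap:
                burst.append(t)
                continue
            if len(burst) >= min_requests:
                events.append({"victim": src, "service": SERVICES[port],
                               "start": burst[0], "end": burst[-1],
                               "requests": len(burst)})
            if t is not None:
                burst = [t]
    return events

if __name__ == "__main__":
    for event in find_victims(SAMPLE_LOG):
        print(event)
```

The only address the honeypot sees is the spoofed one, so every reported event names a victim and carries no information about the attacker.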

Assessment

The entries in this report are hosts that have been targeted by a DDoS attack. They are in no way malicious, and there is nothing identifiable on their end (service, malware, user) that would indicate that this would happen or could happen again in the future. The likelihood of recurrence is considered medium, as a DDoS is often repeated against the same target. The impact is set to high, as a DDoS attack can bring down a server or host that is not behind DDoS-protection services. The overall risk is set to high because of the potential damage to others.

Recommendations

/

References

Shadowserver – Amplification DDoS Victim Report

EU SISSDEN