Amppot: Honeypot for Monitoring Amplification DDoS Attacks
Thank you for visiting us. We provide the observation results of Amppot, a honeypot for monitoring amplification DDoS Attacks [1].
About Amppot project

News

2021/06/08
Amppot page is open!
We are happy to announce that our new Amppot page is open!
Read more

Amplification DDoS Observatory

These results are obtained by both high-interaction and agnostic Amppot in the last 7 days.

# Attacks by Protocols (World)

# Attacks by Protocols (Japan)

These results are obtained by both high-interaction and agnostic Amppot.

List of abused protocols observed by high-interaction Amppot (Only NTP, Memcached, Chargen, DNS, SNMP, SSDP, QotD are observed)

Service Port #Attack
List of abused protocols observed by agnostic Amppot (Agnostic Amppot listens on all UDP ports and returns random strings)

List of abused protocols observed by agnostic Amppot (Agnostic Amppot listens on all UDP ports and returns random strings)

Service Port #Attack
The table shows the number of attacks observed by agnostic Amppot over the last 7 days.

Reference

  • [1] Lukas Kramer, Johannes Krupp, Daisuke Makita, Tomomi Nishizoe, Takashi Koide, Katsunari Yoshioka, Christian Rossow, "AmpPot: Monitoring and Defending Amplification DDoS Attacks," Proceedings of the 18th International Symposium on Research in Attacks, Intrusions and Defenses (RAID'15).
  • [2] Takashi Koide, Daisuke Makita, Katsunari Yoshioka, Tsutomu Matsumoto, "Observation and Analysis of TCP-based Reflection DDoS Attacks Using Honeypot,” Posters of the 18th International Symposium on Research in Attacks, Intrusions and Defenses (RAID'15).
  • [3] Arman Noroozian, Maciej Korczynski, Carlos Hernandez Ganan, Daisuke Makita, Katsunari Yoshioka, Michel van Eeten, "Who Gets the Boot? Analyzing Victimization by DDoS-as-a-Service," Proc. Research in Attacks, Intrusions, and Defenses (RAID16).
  • [4] Mizuki Kondo, Rui Tanabe, Natsuo Shintani, Daisuke Makita, Katsunari Yoshioka, and Tsutomu Matsumoto, "Amplification Chamber: Dissecting the Attack Infrastructure of Memcached DRDoS Attacks," Proceedings of the 19th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA2022).

Please note that we count attack events based on the target IP addresses. Recent carpet bombing attacks that target wide range of target IP addresses are therefore counted as separate events and creating peaks in the above graph. We are working on aggregating the events.

These results have been obtained through a series of research projects: the commissioned researches (19001(WarpDrive) and 05201) by the National Institute of Information and Communications Technology (NICT), Japan and PRACTICE and MITIGATE supported by the Ministry of Internal Affairs and Communications, Japan.

Copyright (c) Yoshioka Lab, Yokohama National University, All rights reserved.