Security Information Exchange (SIE) DDoS Events Technical Overview
Channel 115 DDoS Events provides fact-based information about DDoS (Distributed Denial of Service) and DRDoS (Distributed Reflection Denial of Service) attacks, based on analysis of data from Channel 14 (Darknet). The objective of a DDoS or DRDoS attack is to temporarily or indefinitely disrupt the services of a system connected to the Internet by depleting its system or network resources.
A DDoS attack of this kind typically begins with a scan of a network of interest to locate and identify vulnerable systems. After the vulnerable systems have been identified, a bad actor sends attack traffic, appearing to originate from many different sources, to those vulnerable systems. This causes the vulnerable systems to send their response packets to the DDoS victim, depleting its system or network resources.
Darknets (also known as “dark space telescopes”) are blocks of unused IP address space connected to the Internet. The IP addresses in a darknet are inactive and there is no legitimate reason for any system on the Internet to attempt connections to a service within a darknet. Because of this, traffic observed in a darknet is typically the result of a network scan, probes looking for vulnerable systems, or other suspicious behaviors.
About Security Information Exchange (SIE)
The Security Information Exchange (SIE), from Farsight Security® Inc., is a scalable and adaptable real-time data streaming and information sharing platform. SIE collects and provides access to more than 200,000 observations per second of raw data from its global sensor network. Farsight also applies unique and proprietary methods for improving the usability of the data, directly sharing the refined intelligence with SIE customers and with DNSDB®, one of the world’s largest passive DNS (pDNS) databases.
SIE offers a diverse set of data that is relevant and useful for practitioners in various technology roles, including:
- Raw and processed passive DNS data
- Darknet/darkspace telescope data
- SPAM sources and URLs
- Phishing URLs and associated targeted brands
- Connection attempts from malware-infected systems (as seen by a sinkhole)
- Network traffic blocked by Intrusion Detection Systems (IDS) and firewall devices
Each unique set of data in SIE is known as a channel. The data acquired from a specific channel can be customized to meet the needs of each customer, so you can subscribe to and access only the channels needed to solve your problem. A channel in SIE may also be the result of analyzing the data, or a subset of the data, from other channels.
Data Format for SIE DDoS Events
Channel Name   | DDoS Events
Description    | Evidence of DDoS and DRDoS (Distributed Reflection Denial of Service) attacks based on analysis of data from Channel 14 (Darknet)
Channel Number | 115
To see current channel traffic volumes and service options for accessing it, please see the Security Information Exchange (SIE) Channel Guide.
Using DDoS Events Data
A sample DDoS Events record looks like this:
{
  "time": "2021-07-12 20:39:44.840338945",
  "vname": "base",
  "mname": "encode",
  "source": "8931c92d",
  "message": {
    "type": "JSON",
    "payload": "eyJWaWN0aW0gSVAiOiI2Mi4xOTIuMTUzLjE1OSIsIk51bWJlciBPZiBQYWNrZXRzIjo3NSwiUGFja2V0IFJhdGUiOjAuNTE4MjU4MTk4ODc2LCJOdW1iZXIgb2YgVW5pcXVlIFNvdXJjZXMiOjc1LCJEdXJhdGlvbiBvZiBBdHRhY2sgKGluIHNlY29uZHMpIjoxNDQsIkF0dGFjayBTdGFydCBUaW1lIjoxNjI2MTIxODA0LCJBdHRhY2sgRW5kIFRpbWUiOjE2MjYxMjE5NDksIlR5cGUgb2YgQXR0YWNrIjoiVENQIiwiVmljdGltIENpdHkiOiJBcG8iLCJWaWN0aW0gQ291bnRyeSI6IlVuaXRlZCBTdGF0ZXMiLCJWaWN0aW0gSVNQIjoiS0IgSW1wdWxzIFNlcnZpY2UgR21iSCIsIlZpY3RpbSBPcmdhbml6YXRpb24iOiJLQiBJbXB1bHMgU2VydmljZSBHbWJIIiwiV2hvaXMgSW5mb3JtYXRpb24iOnsiYXNuX3JlZ2lzdHJ5IjogInJpcGVuY2MiLCAiYXNuX2RhdGUiOiAiMjAyMC0wOC0yNiIsICJhc25fY291bnRyeV9jb2RlIjogIkRFIiwgInJhdyI6IG51bGwsICJhc25fY2lkciI6ICI2Mi4xOTIuMTUzLjAvMjQiLCAicmF3X3JlZmVycmFsIjogbnVsbCwgInF1ZXJ5IjogIjYyLjE5Mi4xNTMuMTU5IiwgInJlZmVycmFsIjogbnVsbCwgIm5ldHMiOiBbeyJ1cGRhdGVkIjogIjIwMjAtMDgtMjZUMTM6MTQ6NDUiLCAiaGFuZGxlIjogIk1HMjUwMDEtUklQRSIsICJkZXNjcmlwdGlvbiI6IG51bGwsICJ0ZWNoX2VtYWlscyI6IG51bGwsICJhYnVzZV9lbWFpbHMiOiBudWxsLCAicG9zdGFsX2NvZGUiOiBudWxsLCAiYWRkcmVzcyI6ICJIb2ZoZWltZXIgU3RyYXNzZSA5XG42NTc3OVxuS2Vsa2hlaW1cbkdFUk1BTlkiLCAiY2lkciI6ICI2Mi4xOTIuMTUzLjAvMjQiLCAiY2l0eSI6IG51bGwsICJuYW1lIjogIkRFLUFBLTIwMjAwODI2IiwgImNyZWF0ZWQiOiAiMjAyMC0wOC0yNlQxMzoxNDo0NSIsICJjb3VudHJ5IjogIkRFIiwgInN0YXRlIjogbnVsbCwgInJhbmdlIjogIjYyLjE5Mi4xNTMuMCAtIDYyLjE5Mi4xNTMuMjU1IiwgIm1pc2NfZW1haWxzIjogbnVsbH0sIHsiY2l0eSI6IG51bGwsICJ1cGRhdGVkIjogIjIwMjEtMDMtMjJUMDk6NTQ6MDgiLCAiaGFuZGxlIjogbnVsbCwgImRlc2NyaXB0aW9uIjogbnVsbCwgInRlY2hfZW1haWxzIjogbnVsbCwgImNvdW50cnkiOiBudWxsLCAiYWJ1c2VfZW1haWxzIjogbnVsbCwgImNyZWF0ZWQiOiAiMjAyMS0wMy0yMlQwOTo1NDowOCIsICJyYW5nZSI6ICI2Mi4xOTIuMTUzLjAvMjQiLCAic3RhdGUiOiBudWxsLCAicG9zdGFsX2NvZGUiOiBudWxsLCAiYWRkcmVzcyI6IG51bGwsICJjaWRyIjogIjYyLjE5Mi4xNTMuMC8yNCIsICJtaXNjX2VtYWlscyI6IG51bGwsICJuYW1lIjogbnVsbH0sIHsiY2l0eSI6IG51bGwsICJ1cGRhdGVkIjogIjIwMjAtMDktMDlUMDk6MDI6MTUiLCAiaGFuZGxlIjogbnVsbCwgImRlc2NyaXB0aW9uIjogbnVsbCwgInRlY2hfZW1haWxzIjogbnVsbCwgImNvdW50cnkiOiBudWxsLCAiYWJ1c2VfZW1haWxzIjogbnVsbCwgImNyZWF0ZWQiOiAiMjAyMC0wOS0wOVQwOTowMjoxNSIsICJyYW5nZSI6ICI2Mi4xOTIuMTUzLjAvMjQiLCAic3RhdGUiOiBudWxsLCAicG9zdGFsX2NvZGUiOiBudWxsLCAiYWRkcmVzcyI6IG51bGwsICJjaWRyIjogIjYyLjE5Mi4xNTMuMC8yNCIsICJtaXNjX2VtYWlscyI6IG51bGwsICJuYW1lIjogbnVsbH1dLCAiYXNuIjogNjA1NDh9fQ=="
  }
}
When you base64-decode the payload, you get a JSON object that looks like this:
{
  "Victim IP": "62.192.153.159",
  "Number Of Packets": 75,
  "Packet Rate": 0.518258198876,
  "Number of Unique Sources": 75,
  "Duration of Attack (in seconds)": 144,
  "Attack Start Time": 1626121804,
  "Attack End Time": 1626121949,
  "Type of Attack": "TCP",
  "Victim City": "Apo",
  "Victim Country": "United States",
  "Victim ISP": "KB Impuls Service GmbH",
  "Victim Organization": "KB Impuls Service GmbH",
  "Whois Information": {
    "asn_registry": "ripencc",
    "asn_date": "2020-08-26",
    "asn_country_code": "DE",
    "raw": null,
    "asn_cidr": "62.192.153.0/24",
    "raw_referral": null,
    "query": "62.192.153.159",
    "referral": null,
    "nets": [
      {
        "updated": "2020-08-26T13:14:45",
        "handle": "MG25001-RIPE",
        "description": null,
        "tech_emails": null,
        "abuse_emails": null,
        "postal_code": null,
        "address": "Hofheimer Strasse 9\n65779\nKelkheim\nGERMANY",
        "cidr": "62.192.153.0/24",
        "city": null,
        "name": "DE-AA-20200826",
        "created": "2020-08-26T13:14:45",
        "country": "DE",
        "state": null,
        "range": "62.192.153.0 - 62.192.153.255",
        "misc_emails": null
      },
      {
        "city": null,
        "updated": "2021-03-22T09:54:08",
        "handle": null,
        "description": null,
        "tech_emails": null,
        "country": null,
        "abuse_emails": null,
        "created": "2021-03-22T09:54:08",
        "range": "62.192.153.0/24",
        "state": null,
        "postal_code": null,
        "address": null,
        "cidr": "62.192.153.0/24",
        "misc_emails": null,
        "name": null
      },
      {
        "city": null,
        "updated": "2020-09-09T09:02:15",
        "handle": null,
        "description": null,
        "tech_emails": null,
        "country": null,
        "abuse_emails": null,
        "created": "2020-09-09T09:02:15",
        "range": "62.192.153.0/24",
        "state": null,
        "postal_code": null,
        "address": null,
        "cidr": "62.192.153.0/24",
        "misc_emails": null,
        "name": null
      }
    ],
    "asn": 60548
  }
}
This record gives you data about the site being attacked and the scale of the attack, which you can use for further analysis.
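To show how a consumer of this channel would handle a record of the shape above, here is an added Python example. It is not Farsight's code and not part of the axamd_client toolkit: it parses one JSON Lines record, base64-decodes the embedded payload, converts the epoch timestamps to UTC, and checks whether the victim falls inside address space you are responsible for, which is the check that turns this feed into an alert. The sample record is constructed inline from a subset of the decoded fields shown above so the block runs offline; the prefix list passed to affects_my_networks is a hypothetical one.

```python
import base64
import ipaddress
import json
from datetime import datetime, timezone

# Constructed sample record in the nmsg "base:encode" JSON shape shown above.
# The payload is built here from a subset of the page's decoded example so
# that the block runs offline; a real feed delivers one such record per line.
_DECODED_PAYLOAD = {
    "Victim IP": "62.192.153.159",
    "Number Of Packets": 75,
    "Packet Rate": 0.518258198876,
    "Number of Unique Sources": 75,
    "Duration of Attack (in seconds)": 144,
    "Attack Start Time": 1626121804,
    "Attack End Time": 1626121949,
    "Type of Attack": "TCP",
    "Victim ISP": "KB Impuls Service GmbH",
    "Whois Information": {"asn_cidr": "62.192.153.0/24", "asn": 60548},
}
SAMPLE_RECORD = json.dumps({
    "time": "2021-07-12 20:39:44.840338945",
    "vname": "base",
    "mname": "encode",
    "source": "8931c92d",
    "message": {
        "type": "JSON",
        "payload": base64.b64encode(json.dumps(_DECODED_PAYLOAD).encode()).decode(),
    },
})


def decode_ddos_event(line):
    """Parse one JSON Lines record and return a flat, typed event dict.

    The inner payload is base64; decoding it yields the JSON object whose
    fields are listed above. Unexpected message types are rejected rather
    than silently skipped so that a change in the feed gets noticed.
    """
    record = json.loads(line)
    msg = record["message"]
    if msg.get("type") != "JSON":
        raise ValueError(f"unexpected message type {msg.get('type')!r}")
    payload = json.loads(base64.b64decode(msg["payload"]))
    whois = payload.get("Whois Information") or {}
    return {
        "observed": record["time"],
        "victim_ip": payload["Victim IP"],
        "attack_type": payload["Type of Attack"],
        "packets": payload["Number Of Packets"],
        "unique_sources": payload["Number of Unique Sources"],
        "duration_s": payload["Duration of Attack (in seconds)"],
        "start": datetime.fromtimestamp(payload["Attack Start Time"], tz=timezone.utc),
        "end": datetime.fromtimestamp(payload["Attack End Time"], tz=timezone.utc),
        "asn": whois.get("asn"),
        "asn_cidr": whois.get("asn_cidr"),
    }


def affects_my_networks(event, my_prefixes):
    """True if the victim IP lies inside any of the given CIDR prefixes.

    This is the check a defender runs over the stream: events whose victim is
    in your own (or a customer's) address space are the ones worth alerting on.
    """
    ip = ipaddress.ip_address(event["victim_ip"])
    return any(ip in ipaddress.ip_network(p, strict=False) for p in my_prefixes)


def summarize(event):
    """One-line summary suitable for a ticket or chat alert."""
    return (
        f"{event['attack_type']} DDoS against {event['victim_ip']} "
        f"(AS{event['asn']}, {event['asn_cidr']}): {event['packets']} packets "
        f"from {event['unique_sources']} sources over {event['duration_s']}s, "
        f"{event['start']:%Y-%m-%d %H:%M:%S}Z to {event['end']:%H:%M:%S}Z"
    )


if __name__ == "__main__":
    ev = decode_ddos_event(SAMPLE_RECORD)
    # Hypothetical list of prefixes you operate; only matching events are printed.
    if affects_my_networks(ev, ["62.192.153.0/24"]):
        print(summarize(ev))
```

In a real pipeline you would feed each line of the channel output (for example from SIE Batch or an SRA session) to decode_ddos_event, keep the prefix list in configuration, and route matching events to your alerting system; the whois block in the payload already carries the ASN and CIDR, so no external lookup is needed to decide whether an event concerns you.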
SIE Access Methods
Data from SIE can be accessed and acquired using the following methods:
- Direct Connect: Connect a system to the SIE network. This requires (1) a server installed in a data center where Farsight has a point of presence and (2) a network cross connect ordered between that server and the SIE network. Customers can optionally, and typically prefer to, lease a blade server from Farsight
- SIE Remote Access (SRA): Remotely connect to the SIE network using an encrypted tunnel from your workstation or a server in your local data center
- SIE Batch: Provides on-demand access for downloading data from SIE channels using a RESTful API or web-based interface. You select the channel and duration of time you are interested in, and then download the data for analysis. The duration of available data is dependent on the channel, but is typically the most recent 12-18 hours
For additional information about SIE access methods, please see the SIE Technical Overview document.
Direct Connect
SIE Direct Connect allows a customer to physically connect a server to the Farsight SIE network for maximum data throughput. This can be done in one of two ways:
- Blade Server: Pre-configured blade servers co-located in one of Farsight’s data centers that can be leased by customers for direct access to SIE channels
- Customer Server: Customer (owned, managed, and operated) servers that can be installed in one of Farsight’s data centers and physically connected to the SIE network with a network cross-connect
If a blade server is leased from Farsight, it will be pre-installed with the essential software components needed to acquire, process, compress, buffer, and transfer data from SIE channels to the customer’s data center for additional analysis, enrichment, and storage.
If a customer uses their own server, an order can be submitted for a cross-connect to the SIE switches hosted at select Equinix data centers (Ashburn DC3 and Palo Alto SV8). An FSI account manager can help guide cross-connect provisioning details, hosting, or colocation options.
For additional information about SIE connection methods, please see the SIE Technical Overview document. A Farsight sales representative will be happy to share a copy of this document with you; it will help you understand which connection method will work best for you.
SIE Remote Access (SRA)
SIE Remote Access (SRA) enables a customer to remotely connect to the Security Information Exchange (SIE) from anywhere on the Internet. SRA delivers SIE channel data to the customer’s local servers, allowing their analysis and processing systems to be located in their own data centers rather than physically co-located at a Farsight data center.
Due to the technical limitations of transporting high bitrate SIE channels across the Internet, the SRA access method is not available for all SIE channels. Please reference the SIE Channel Guide for channels that can be accessed using SRA.
SRA uses the Advanced Exchange Access (AXA) transport protocol which enables SRA sessions to perform the following:
- Select which SIE channel or channels to monitor and acquire data from
- Define user-specified search or filtering criteria to match IP or DNS traffic
- Control rate-limits and other AXA parameters
The streaming search and filtering capabilities of AXA enable SRA to acquire meaningful and relevant data from SIE while avoiding the cost of transporting enormous volumes of data across the Internet.
Note: For high-volume channels accessed using SRA, customers are expected to specify a search or filter for the IP addresses and DNS domain names or hostnames of interest. The SRA service will then collect and send only data matching the specified criteria across the Internet to the customer.
SIE Batch
SIE Batch provides on-demand access for downloading data from SIE channels using a RESTful API or web-based interface. You select the channel and duration of time you are interested in, and then download the data for analysis. The duration of available data is dependent on the channel, but is typically the most recent 12-18 hours. SIE Batch allows you to acquire data from an SIE channel using two methods:
- API: Allows you to write tools to programmatically download data from SIE channels for analysis
- Interactively: Web-based interface to the API that enables you to select and download SIE channel data on-demand
Advanced Exchange Access Middleware Daemon (AXAMD)
Farsight also provides a RESTful middleware layer in front of its AXA service. This service, called the AXA Middleware Daemon (AXAMD), adds a streaming HTTP interface on top of the AXA toolkit, which enables web-application developers to interface with SIE using SRA. Farsight has also published a command-line tool and Python extension library called axamd_client. This toolkit is licensed under the Apache 2.0 license.
The Advanced Exchange Access (AXA) toolkit contains tools and a C library to bring Farsight’s real-time data and services directly from the Farsight Security Information Exchange (SIE) to the customer’s network.
Advanced Exchange Access Middleware Daemon (AXAMD) is a suite of tools and library code to bring Farsight’s real-time data and services directly from the Farsight Security Information Exchange (SIE) to the customer’s network.
Due to the technical limitations of transporting high bitrate SIE channels across the Internet, the AXAMD access method is not available for all SIE channels.
Additional Information
- SIE User Guide
- SIE Channel Guide
- jq – JSON Processor
- JSON Lines (aka ND-JSON) description
- For more information on RRsets, see RRset and Rdata Demystified