2017-03-05 13:01:02 +01:00
{
"attributes" : {
2022-03-09 10:48:47 +01:00
"backscatter-threshold" : {
"description" : "The minimum amount of backscatter received in 5 minutes / day. This field is only used when the capture origin is indirect network capture such as backscatter." ,
"disable_correlation" : true ,
"misp-attribute" : "counter" ,
"ui-priority" : 0
} ,
2022-02-17 07:38:35 +01:00
"capture-origin" : {
"description" : "Origin of the (D)DoS evidences" ,
"disable_correlation" : true ,
"misp-attribute" : "text" ,
"sane_default" : [
"Direct network capture" ,
"Logs" ,
"Indirect network capture (e.g. backscatter)" ,
"Unknown"
] ,
"ui-priority" : 0
} ,
2017-11-23 14:43:04 +01:00
"domain-dst" : {
"categories" : [
"Network activity" ,
"External analysis"
2020-04-26 02:10:02 +02:00
] ,
"description" : "Destination domain (victim)" ,
"misp-attribute" : "domain" ,
"ui-priority" : 1
2017-03-05 13:01:02 +01:00
} ,
2020-04-26 02:10:02 +02:00
"dst-port" : {
2017-03-05 13:01:02 +01:00
"categories" : [
"Network activity" ,
"External analysis"
2020-04-26 02:10:02 +02:00
] ,
2017-08-29 18:36:46 +02:00
"description" : "Destination port of the attack" ,
2017-07-03 06:33:53 +02:00
"misp-attribute" : "port" ,
2021-05-27 16:25:52 +02:00
"multiple" : true ,
"ui-priority" : 0
2020-04-26 02:10:02 +02:00
} ,
"first-seen" : {
"description" : "Beginning of the attack" ,
"disable_correlation" : true ,
"misp-attribute" : "datetime" ,
"ui-priority" : 0
} ,
"ip-dst" : {
2017-03-05 13:01:02 +01:00
"categories" : [
"Network activity" ,
"External analysis"
2020-04-26 02:10:02 +02:00
] ,
"description" : "Destination IP (victim)" ,
"misp-attribute" : "ip-dst" ,
"ui-priority" : 1
2017-03-05 13:01:02 +01:00
} ,
2020-04-26 02:10:02 +02:00
"ip-src" : {
2017-03-05 13:01:02 +01:00
"categories" : [
"Network activity" ,
"External analysis"
2020-04-26 02:10:02 +02:00
] ,
"description" : "IP address originating the attack" ,
"misp-attribute" : "ip-src" ,
2021-05-27 16:25:52 +02:00
"multiple" : true ,
"ui-priority" : 1
2017-03-05 13:01:02 +01:00
} ,
2020-04-26 02:10:02 +02:00
"last-seen" : {
"description" : "End of the attack" ,
2017-12-05 11:05:56 +01:00
"disable_correlation" : true ,
2017-03-13 08:19:27 +01:00
"misp-attribute" : "datetime" ,
2017-07-03 16:41:16 +02:00
"ui-priority" : 0
2017-03-13 08:19:27 +01:00
} ,
2017-03-05 13:01:02 +01:00
"protocol" : {
2017-08-29 18:36:46 +02:00
"description" : "Protocol used for the attack" ,
2022-02-17 07:38:35 +01:00
"disable_correlation" : true ,
2017-03-05 13:01:02 +01:00
"misp-attribute" : "text" ,
2017-07-03 16:41:16 +02:00
"ui-priority" : 0 ,
2017-09-17 12:46:51 +02:00
"values_list" : [
2017-03-05 16:51:02 +01:00
"TCP" ,
"UDP" ,
"ICMP" ,
"IP"
]
2017-03-05 13:01:02 +01:00
} ,
2020-04-26 02:10:02 +02:00
"src-port" : {
"categories" : [
"Network activity" ,
"External analysis"
] ,
"description" : "Port originating the attack" ,
"misp-attribute" : "port" ,
2021-05-27 16:25:52 +02:00
"multiple" : true ,
"ui-priority" : 0
2017-03-13 08:19:27 +01:00
} ,
2020-04-26 02:10:02 +02:00
"text" : {
"description" : "Description of the DDoS" ,
2017-12-05 11:05:56 +01:00
"disable_correlation" : true ,
2020-04-26 02:10:02 +02:00
"misp-attribute" : "text" ,
"ui-priority" : 0
} ,
"total-bps" : {
2022-02-17 07:38:35 +01:00
"description" : "Bits per second (maximum rate of bits per second measured)" ,
"disable_correlation" : true ,
"misp-attribute" : "counter" ,
"ui-priority" : 0
} ,
"total-bytes-sent" : {
"description" : "Total number of bytes sent by the sources mentioned" ,
"disable_correlation" : true ,
"misp-attribute" : "counter" ,
"ui-priority" : 0
} ,
"total-packets-sent" : {
"description" : "Total number of packets sent by the source mentioned" ,
"disable_correlation" : true ,
2020-04-26 02:10:02 +02:00
"misp-attribute" : "counter" ,
"ui-priority" : 0
} ,
"total-pps" : {
2022-02-17 07:38:35 +01:00
"description" : "Packets per second (maximum rate of packets per second measured)" ,
"disable_correlation" : true ,
2020-04-26 02:10:02 +02:00
"misp-attribute" : "counter" ,
2017-07-03 16:41:16 +02:00
"ui-priority" : 0
2022-02-17 07:38:35 +01:00
} ,
"type" : {
"description" : "Type(s) or Technique(s) of Denial of Service" ,
"disable_correlation" : true ,
"misp-attribute" : "text" ,
"multiple" : true ,
"sane_default" : [
"amplification-attack" ,
"reflected-spoofed-attack" ,
"slow-read-attack" ,
"flooding-attack" ,
"post-attack" ,
"chargen-amplification" ,
"dns" ,
"dns-amplification" ,
"ip-fragmentation" ,
"ip-private" ,
"icmp" ,
"memcached-amplification" ,
"ms-sql-rs-amplification" ,
"ntp-amplification" ,
"snmp-amplification" ,
"ssdp-amplification" ,
"tcp-null" ,
"tcp-rst" ,
"tcp-syn" ,
"udp"
] ,
"ui-priority" : 0
2017-03-05 13:01:02 +01:00
}
} ,
2022-02-17 07:38:35 +01:00
"description" : "DDoS object describes a current DDoS activity from a specific or/and to a specific target. Type of DDoS can be attached to the object as a taxonomy or using the type field." ,
2020-04-26 02:10:02 +02:00
"meta-category" : "network" ,
"name" : "ddos" ,
2017-03-05 13:01:02 +01:00
"requiredOneOf" : [
"ip-dst" ,
2017-11-23 14:43:04 +01:00
"ip-src" ,
"domain-dst"
2020-04-26 02:10:02 +02:00
] ,
"uuid" : "e2f124d6-f57c-4f93-99e6-8450545fa05d" ,
2022-03-09 10:48:47 +01:00
"version" : 9
2022-03-09 11:06:19 +01:00
}