DDoSia
DDoSia is a distributed denial-of-service (DDoS) attack tool reportedly employed by pro-Russian hacktivist groups. The tool coordinates large networks of compromised devices to flood targeted websites or services with excessive traffic, overwhelming their capacity and rendering them inaccessible to legitimate users. It has been used to disrupt government, financial, and media platforms, aiming to create instability and hinder critical infrastructure.
The DDoSia configuration, basically the instructions for the attack tool, have been shared via the MISP platform as MISP objects (ddos-config object).
Extract hostnames and domains
I created a small tool to
- Search for the events with the DDoSia config file;
- Extract the unique hostnames and domains;
- Print the summary, and optionally send it to Mattermost.
The script requires the pymisp and tldextract Python libraries.
Sample output
1 | Parsed 9 events and found 65 unique hostnames for 49 domains - (2024-10-08) |
4 | authentication.antwerpen.be |
12 | komfinbank.rada.gov.ua |
Script
You can find the script on GitHub at https://github.com/cudeso/tools/blob/master/ddosia-extract/parse_ddosia.py. Make sure you
- Set the misp_url and misp_key. Point it to your MISP server;
- Set the date_filter to limit the results;
- Choose if you want to send results to Mattermost with send_mattermost (and set mattermost_hook)
6 | from datetime import datetime |
22 | ddosia_file_output = "/var/www/MISP/app/webroot/misp-export/ddosia.txt" |
29 | send_mattermost = False |
35 | write_to_ddosia_file_output = False |
38 | query_org = "ae763844-03bf-4588-af75-932d5ed2df8c" |
47 | misp = PyMISP(misp_url, misp_key, misp_verifycert) |
48 | print(f"Extract hostnames from {misp_url}") |
51 | events = misp.search("events", pythonify=True, org=query_org, published=published, date=date_filter) |
55 | print("Parsing {} events".format(len(events))) |
57 | print(" Event {} ({})".format(event.info, event.uuid)) |
58 | for object in event.objects: |
59 | if object.name == "ddos-config": |
60 | for attribute in object.Attribute: |
61 | if attribute.type == "hostname": |
62 | check_value = attribute.value.lower().strip() |
63 | if check_value not in target_hostnames: |
64 | target_hostnames.append(check_value) |
65 | print(f" Found {check_value}") |
67 | extracted = tldextract.extract(check_value) |
68 | domain = '.'.join([extracted.domain, extracted.suffix]) |
69 | if domain not in target_domains: |
70 | target_domains.append(domain) |
72 | if len(target_hostnames) > 0: |
73 | target_hostnames.sort() |
76 | title = "DDoSia config: Parsed {} MISP events and found {} unique hostnames for {} domains - ({}, last {})".format(len(events), len(target_hostnames), len(target_domains), datetime.now().date(), date_filter) |
77 | summary = "Hostnames\n------------\n" |
78 | summary_md = "# Hostnames\n" |
80 | for t in target_hostnames: |
81 | summary += "\n{}".format(t) |
82 | summary_md += "\n- {}".format(t) |
84 | summary += "\n\nDomains\n----------\n" |
85 | summary_md += "\n\n# Domains\n" |
86 | for t in target_domains: |
87 | summary += "\n{}".format(t) |
88 | summary_md += "\n- {}".format(t) |
92 | summary_md = title + summary_md + "\n" |
93 | message = {"username": "witha.name-reporters", "text": summary_md} |
94 | r = requests.post(mattermost_hook, data=json.dumps(message)) |
95 | print(r, r.status_code, r.text) |
102 | "contentType": "application/vnd.microsoft.teams.card.o365connector", |
105 | "type": "MessageCard", |
118 | r = requests.post(teams_hook, json=message) |
120 | if write_to_ddosia_file_output: |
121 | summary = title + "\n\n" + summary + "\n" |
122 | with open(ddosia_file_output, 'w') as file: |
126 | print("No events found.") |
I need to configure some cron to execute this script?
Or what is the configuration after set the MISP url and key?