DDoS Visual Forensic Analysis Report
Target: FiveM Gameserver | Incident Date: August 17, 2022
1. Executive Summary
A sophisticated and high-intensity Distributed Denial of Service (DDoS) attack was observed targeting a FiveM game server. This report provides a detailed forensic breakdown of the incident, identifying key attack vectors, origins, and patterns.
Total Packets Analyzed: 18,301,452
Peak Traffic Intensity: 152,376 PPS
Primary Attack Vector: UDP flood targeting Destination Port 1222.
Top Attacker Origin (Country): United States (49 packets)
Top Attacker Origin (ISP): Unknown (14 packets)
2. Key Findings
- A total of 18,301,452 packets were captured and analyzed over the incident period.
- The attack reached a peak intensity of 152,376 PPS.
- The primary attack method was identified as a UDP flood, specifically targeting port 1222, which is consistent with common FiveM server attack vectors.
- 162 unique source IP addresses were involved in the attack, suggesting a distributed botnet.
- The top 5 attacking IP addresses by packet count are:
  - 35.200.213.57 (7,822,113 packets)
  - 34.100.137.247 (5,236,039 packets)
  - 65.20.74.174 (2,300,915 packets)
  - 34.126.187.132 (1,110,872 packets)
  - 45.116.228.118 (387,879 packets)
- Geographic analysis points to the United States (49 packets) as the most significant origin country for the attack traffic; the largest ISP/ASN bucket is Unknown (14 packets), i.e. source addresses for which no ASN could be resolved.
- Packet behavior analysis indicates widespread IP spoofing, a common tactic to obscure attacker identity.
3. Analysis Methodology
Our forensic investigation employed a multi-stage data engineering and visualization pipeline:
- Packet Extraction: Raw binary PCAP data was stream-parsed using the `dpkt` library, extracting critical header information including IP addresses, protocols and ports, TCP flags, and Time-To-Live (TTL) values.
- Data Normalization: Timestamps were converted to a uniform format, and traffic metrics such as Packets Per Second (PPS) and Megabits Per Second (Mbps) were computed for temporal analysis.
- Geo-Enrichment: Unique source IP addresses were cross-referenced against the MaxMind `GeoLite2` database for geographical mapping (Country, City, Latitude, Longitude) and `IPWhois` for Autonomous System Number (ASN)/ISP identification.
- Visual Synthesis: Interactive visualizations were generated using `Plotly` and `Folium` to identify attack patterns, traffic anomalies, and the geographical distribution of attack sources.
4. Traffic Timeline & Attack Pulse
This section illustrates the temporal characteristics of the attack, highlighting its start, peak intensity, and duration.
Analysis Highlights:
- Observe the sudden and significant increase in PPS and Mbps, indicating the precise commencement of the DDoS event.
- The comparison of PPS and Mbps reveals the volumetric nature of the attack, showcasing both packet frequency and bandwidth consumption.
- Protocol stacking over time (e.g., UDP dominance) confirms the primary attack vector throughout the incident.
Analysis Highlights:
- The stacked area chart clearly shows the evolution of attack protocols.
- Dominance of UDP confirms it as the primary weapon used in this attack.
Analysis Highlights:
- The heatmap visualizes packet distribution across seconds and minutes, revealing whether the attack was continuous or bursty.
- Dense red areas indicate high packet rates, pinpointing intense attack periods.
5. Protocol & Port Target Analysis
Understanding which protocols and ports were targeted is crucial for identifying the nature of the attack and vulnerable services.
Analysis Highlights:
- The sunburst chart provides a hierarchical view of protocol and destination port distribution.
- It distinctly shows the heavy concentration of traffic on port 1222 under the UDP protocol.
Analysis Highlights:
- The bar chart confirms port 1222 as the most targeted, indicating a direct assault on the FiveM server service.
- Presence of other ports could suggest secondary reconnaissance or collateral damage.
Analysis Highlights:
- A scattered distribution of source ports with a consistent destination port indicates IP spoofing.
- A tight cluster of both source and destination ports might suggest legitimate, but overwhelmed, connections.
Analysis Highlights:
- The animated bar race illustrates the minute-by-minute shift in dominant protocols, revealing potential attacker strategy changes.
6. Global Botnet Distribution (Geo-Location & Origins)
Mapping the physical origin of the attack traffic helps in understanding the scope and source of the botnet infrastructure.
Analysis Highlights:
- The global heatmap visually identifies geographical clusters of attacking IP addresses.
- Dense areas indicate significant contributions from specific regions, with United States (49 packets) being a prominent origin.
Analysis Highlights:
- The treemap details the distribution of attack traffic by country and Internet Service Provider (ISP) / Autonomous System Number (ASN).
- Large blocks represent the major contributing ISPs/ASNs, which typically exposes the hosting or proxy services attackers rely on; in this incident the largest block is Unknown (14 packets), i.e. addresses for which no ASN could be resolved.
7. Packet Behavior (TTL, Flags, Payload)
Examining individual packet characteristics can reveal further insights into the attack methods, including spoofing and tool identification.
Analysis Highlights:
- The Time-To-Live (TTL) distribution is critical for detecting IP spoofing. An observed TTL is the sender's initial value minus the hop count, so values clustering just below standard OS defaults (e.g., 64, 128) are expected; inconsistent or unusual TTL values, scattered far from those defaults or varying for the same source address, strongly suggest spoofed source IPs.
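The extraction and normalization steps of section 3 (per-second PPS/Mbps, UDP destination-port counts) and the TTL spoofing check above, as one added example that is not part of the original report: it is a stdlib-only parser rather than the `dpkt` pipeline the report used, the check it implements is per-source TTL consistency (a companion to the default-TTL comparison described above), and the capture, addresses and timestamps are constructed.

```python
import struct
from collections import Counter, defaultdict

ETH_IPV4, PROTO_UDP = 0x0800, 17

def udp_frame(src, dst, ttl, sport, dport, payload):
    """Constructed Ethernet/IPv4/UDP frame; checksums left zero, never transmitted."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, ttl, PROTO_UDP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + struct.pack("!H", ETH_IPV4) + ip + udp

def build_pcap(frames):
    """Wrap (timestamp, frame) pairs in a classic little-endian libpcap file, linktype 1."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, f in frames:
        sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(f), len(f)) + f)
    return b"".join(out)

def analyse(pcap):
    """Single pass over the capture: per-second PPS/Mbps, UDP dst ports, TTL spread per source."""
    pps, octets, dports, ttl_by_src = Counter(), Counter(), Counter(), defaultdict(set)
    off = 24                                   # skip the 24-byte pcap global header
    while off + 16 <= len(pcap):
        sec, incl, orig = struct.unpack_from("<I4xII", pcap, off)   # ts_sec, incl_len, orig_len
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        pps[sec] += 1
        octets[sec] += orig
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
            continue                           # not IPv4 (or truncated): counted, not dissected
        ip = frame[14:]
        ihl, ttl, proto = (ip[0] & 0x0F) * 4, ip[8], ip[9]
        ttl_by_src[".".join(map(str, ip[12:16]))].add(ttl)
        if proto == PROTO_UDP:
            dports[struct.unpack_from("!H", ip, ihl + 2)[0]] += 1
    return {
        "pps": dict(pps),
        "mbps": {s: o * 8 / 1e6 for s, o in octets.items()},
        "top_udp_dport": dports.most_common(1)[0][0] if dports else None,
        # one source address arriving with several different TTLs is a spoofing indicator
        "ttl_inconsistent_srcs": sorted(s for s, t in ttl_by_src.items() if len(t) > 1),
    }

def sample_pcap():  # constructed incident slice: timestamps on 2022-08-17 UTC, RFC 5737 addresses
    frames = [(1660694400.0 + i / 300, udp_frame("203.0.113.7", "198.51.100.9", 40 + i % 5,
                                                 1024 + i, 1222, b"\x00" * 60)) for i in range(600)]
    frames.append((1660694400.5, udp_frame("192.0.2.10", "198.51.100.9", 64, 50000, 1222, b"hello")))
    return build_pcap(frames)
```

On the constructed slice, `analyse(sample_pcap())` reports 301 and 300 packets in the two seconds, port 1222 as the dominant UDP target, and flags only the flood source, whose TTL varies between packets, while the single legitimate client with a steady TTL of 64 is not flagged.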
Analysis Highlights:
- For TCP-based attacks, the radar chart visualizes the frequency of different TCP flags (SYN, ACK, RST, FIN).
- A disproportionate number of SYN flags, for instance, is a hallmark of a SYN flood attack.
Analysis Highlights:
- The violin plot shows the distribution of packet payload sizes across different protocols.
- Anomalously large UDP payloads, especially exceeding typical DNS response sizes (e.g., 512 bytes), can indicate amplification attacks.