Hello everybody,

I'm trying to write an nfsen backend script to detect (automatically) denial-of-service attacks.

From my experience, the types of DOS attacks that I have registered against my network are these:

   * flooding from one source to one destination (seen as a large
     number of pps from the same flow)
       + these are easy to catch - I've set up a top 200 pps
         and I compare the duration and number of pps of each
         top result and see if they exceed a limit.
       + -n 200 -s record/pps
       + 'duration > 1000' as a filter (to get rid of false
         positives - flows that have a low number of packets (30)
         and low duration (0.001s) have 30.000pps!)
   * flooding from one source to one destination with low pps
       + these have a great flow count
       + they are quite rare, in my case.
       + they are caught the same way as the first type of flooding
       + -n 200 -s record/flows
       + 'duration > 1000' as a filter (to get rid of false
         positives - flows that have a low number of packets (30)
         and low duration (0.001s) have 30.000pps!)
   * flooding from one source to one destination using different port
     numbers.
       + these floods are harder to catch because they appear
         as different flows.
       + I can see these flows clearly when searching for a
         specific IP address - which means it's hard to automate.
       + I don't know how to create a filter to generate a top
         x pps with the flows aggregated by srcip and dstip.
       + I've tried something like: nfdump -r
         /data/nfsen/profiles/live/source/nfcapd.200701222305
         -n 10 -s record/pps -A srcip,dstip -o extended
       + however, I haven't been able to detect these types of
         floods - will it work?
   * distributed DOS: flows from numerous sources to the same
     destination, on different ports.
       + I guess it could be implemented like the previous one,
         but it would be tricky to set the threshold - to
         separate floods from legitimate traffic


My questions to you are:
1. How do you detect the last 2 types of flooding?
2. Have you encountered other types of attack? Can you suggest a better way to detect them?

Thank you kindly,
Adrian Popa
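The aggregation the third and fourth bullets ask about, as an added example that is not part of the original post or of nfsen/nfdump: flows are aggregated by srcip,dstip (the effect of nfdump -A srcip,dstip) so a multi-port flood collapses into one record that the post's 'duration > 1000' filter and a pps threshold can catch, and then by dstip alone with a distinct-source count for the distributed case, where no single source crosses the pps limit. The record layout, sample flows and thresholds are constructed assumptions, not nfdump output.

```python
from collections import defaultdict

# Constructed sample flows in an assumed, simplified record layout:
# (srcip, dstip, dstport, packets, first_seen_ms, last_seen_ms)
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.0.2.10", 80, 50000, 0, 2000),   # type 1: one high-pps flow
    ("10.0.0.6", "192.0.2.10", 443, 30, 0, 1),        # 30 pkts in 1 ms: the false positive
    ("10.0.0.7", "192.0.2.10", 80, 2000, 0, 10000),   # legitimate steady traffic
    # type 3: one host flooding one destination across five ports (five flows)
    *[("10.0.0.8", "192.0.2.20", 1000 + i, 4000, 0, 1500) for i in range(5)],
    # type 4: 20 sources to one destination, only 200 pps each
    *[(f"203.0.113.{i}", "192.0.2.30", 20000 + i, 600, 0, 3000) for i in range(1, 21)],
]

PPS_LIMIT = 1000          # assumed threshold; tune per network
MIN_DURATION_MS = 1000    # the post's 'duration > 1000' filter
MIN_SOURCES = 10          # assumed: distinct sources needed to call a flood distributed


def _aggregate(flows, key):
    """Aggregate like nfdump -A: sum packets, span first..last, collect ports/sources."""
    agg = defaultdict(lambda: {"packets": 0, "first": None, "last": None,
                               "ports": set(), "srcs": set()})
    for src, dst, port, pkts, first, last in flows:
        a = agg[key(src, dst)]
        a["packets"] += pkts
        a["first"] = first if a["first"] is None else min(a["first"], first)
        a["last"] = last if a["last"] is None else max(a["last"], last)
        a["ports"].add(port)
        a["srcs"].add(src)
    return agg


def _pps(a):
    duration = a["last"] - a["first"]
    return a["packets"] * 1000 / duration if duration > 0 else float("inf")


def detect_pair_floods(flows, pps_limit=PPS_LIMIT, min_duration_ms=MIN_DURATION_MS):
    """Types 1 and 3: per (srcip, dstip) record, duration filter then pps threshold.
    Returns [(src, dst, pps, distinct_dst_ports)] sorted by pps descending."""
    hits = [(src, dst, round(_pps(a)), len(a["ports"]))
            for (src, dst), a in _aggregate(flows, lambda s, d: (s, d)).items()
            if a["last"] - a["first"] > min_duration_ms and _pps(a) > pps_limit]
    return sorted(hits, key=lambda h: -h[2])


def detect_distributed(flows, min_sources=MIN_SOURCES, pps_limit=PPS_LIMIT,
                       min_duration_ms=MIN_DURATION_MS):
    """Type 4: per dstip record; flag when many sources together exceed the pps limit.
    Returns [(dst, pps, distinct_sources)]."""
    return [(dst, round(_pps(a)), len(a["srcs"]))
            for dst, a in _aggregate(flows, lambda s, d: d).items()
            if len(a["srcs"]) >= min_sources
            and a["last"] - a["first"] > min_duration_ms and _pps(a) > pps_limit]
```

Per-pair detection flags the single-flow and multi-port floods but not the 200 pps sources of the distributed one; only the dstip aggregation with the source count catches that, which is why the threshold for the last type has to be set on the aggregate rather than per flow.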


_______________________________________________
Nfsen-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss