Hi Adrian,

Adrian Popa wrote:
> Hello everybody,
>
> I'm trying to write a nfsen backend script to detect (automatically)
> denial-of-service attacks.
>
> From my experience, the types of DOS attacks that I have registered
> against my network are these:
>
> * flooding from one source to one destination (seen like a large
>   number of pps from the same flow)
>   + these are easy to catch - I've set up a top 200 pps
>     and I compare the duration and number of pps of each
>     top result and see if they exceed a limit.
>   + -n 200 -s record/pps
>   + 'duration > 1000' as a filter (to get rid of false
>     positives - flows that have low number of packets
>     (30) and low duration (0.001s) have 30.000pps!)
> * flooding from one source to one destination with low pps
>   + these have a great flows count
>   + are quite rare, in my case.
>   + they are caught the same way as the first type of
>     flooding
>   + -n 200 -s record/flows
>   + 'duration > 1000' as a filter (to get rid of false
>     positives - flows that have low number of packets
>     (30) and low duration (0.001s) have 30.000pps!
>

not sure if you can call it "flooding" in this case, since if the data rate transfer is high and sustained, the destination is very willing to accept this traffic. Looks more like a big transfer. Most likely originating from a p2p application. Have you checked if the flows in this case have a typical size (most p2p applications segment the transfers in chunks of fixed size..). So, these may be not really "attacks..."...
> * flooding from one source to one destination using different port
>   numbers.
>

it's a port scan. Yes, I've seen these types of attacks...

>   + these floods are harder to catch because they appear
>     as different flows.
>   + I can see these flows clearly when searching for a
>     specific IP address - which means it's hard to automate.
>   + I don't know how to create a filter to generate a
>     top x pps with the flows aggregated by srcip and dstip.
>

I would start with a filter to evidence the top destinations receiving the highest number of FLOWS (not packets!). Then, for each of them, see what are the top sources sending to it. If there is one, you have a port scan coming from a specific host; if you have several of them, the attack is distributed.

Question: do you use sampled or unsampled Netflow?

Regards,
Maurizio

>   + I've tried something like: nfdump -r
>     /data/nfsen/profiles/live/source/nfcapd.200701222305
>     -n 10 -s record/pps -A srcip,dstip -o extended
>   + however, I haven't been able to detect these types
>     of floods - will it work?
> * distributed DOS: flows from numerous sources to the same
>   destination, on different ports.
>   + I guess it could be implemented like the previous
>     one, but it would be tricky to set the threshold -
>     to separate floods from legitimate traffic
>
>
> My questions to you are:
> 1. How do you detect the last 2 types of flooding
> 2. Have you encountered other types of attack? Can you suggest a
>    better way to detect them?
>
> Thank you kindly,
> Adrian Popa
--
Maurizio Molina
Network Engineer
DANTE - www.dante.net
Tel: +44 (0)1223 371 300
Fax: +44 (0)1223 371 371
Email: [EMAIL PROTECTED]
PGP Key ID: 3FF58D51
City House, 126-130 Hills Road
Cambridge CB2 1PQ UK

_______________________________________________
Nfsen-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
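The two checks discussed in this thread, Adrian's duration-filtered pps ranking and Maurizio's two-stage "top destinations by flow count, then distinct sources per destination" classification, as an added Python example that is not part of the thread. The flow records are constructed tuples in my own layout (not nfdump's output format), and the thresholds are assumptions chosen for this sample data.

```python
from collections import Counter

# Constructed flow records: (srcip, dstip, dstport, packets, duration_ms).
# This layout is my own; real records would be parsed from nfdump output.
FLOWS = [
    # one source probing many ports on 10.0.0.5: a port scan
    *[("192.0.2.10", "10.0.0.5", p, 1, 0) for p in range(1, 301)],
    # many sources, different ports, same target 10.0.0.9: distributed
    *[(f"198.51.100.{i}", "10.0.0.9", 1000 + i, 2, 1) for i in range(1, 121)],
    # one long, sustained high-rate transfer (the p2p-like case)
    ("203.0.113.7", "10.0.0.3", 443, 900000, 60000),
    # background noise
    ("203.0.113.8", "10.0.0.3", 22, 20, 300),
    ("203.0.113.9", "10.0.0.4", 80, 15, 200),
]

def top_destinations(flows, n):
    """Rank destinations by number of flows (not packets), as suggested."""
    counts = Counter(dst for _, dst, _, _, _ in flows)
    return counts.most_common(n)

def classify(flows, n=5, min_flows=100, single_src_share=0.9):
    """For each top destination, count distinct sources.
    One dominant source -> port scan from a specific host;
    many sources -> distributed. Thresholds are assumptions."""
    result = {}
    for dst, nflows in top_destinations(flows, n):
        if nflows < min_flows:
            continue
        srcs = Counter(src for src, d, _, _, _ in flows if d == dst)
        top_src, top_cnt = srcs.most_common(1)[0]
        ports = {port for _, d, port, _, _ in flows if d == dst}
        if top_cnt / nflows >= single_src_share:
            result[dst] = ("port scan", top_src, len(ports))
        else:
            result[dst] = ("distributed", len(srcs), len(ports))
    return result

def high_pps_flows(flows, min_duration_ms=1000, min_pps=1000):
    """Adrian's first check: pps only over flows longer than the
    duration filter, so tiny short flows do not yield absurd pps values."""
    hits = []
    for src, dst, port, pkts, dur in flows:
        if dur > min_duration_ms and pkts / (dur / 1000) > min_pps:
            hits.append((src, dst, port, pkts / (dur / 1000)))
    return hits
```

The high-pps hit on 10.0.0.3 is exactly the sustained single-flow transfer Maurizio suggests is probably a legitimate big transfer rather than an attack, so it is worth reporting separately from the flow-count classification.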
