Thank you for your input. I'll look into panoptis... Currently I've managed to catch distributed DOS attacks by using destination ip aggregation in my tops.

So, I'm running (for example) a top by flows aggregated by dst ip and I get all flows that go to a destination ip. Of these flows I consider ddos attack those that have a pps value greater than 100.000 flows (our dns server has 50.000 flows). So far we've caught a lot of floods this way.

This is how I run nfdump:

nfdump -r /data/nfsen/profiles/live/$router/nfcapd.$timeslot -n 200 -s record/flows -A dstip -o "fmt:%ts %td %pr %sap -> %dap %pkt %byt %pps %in %out %sas %das %fl"

and this is a typical output:

Date flow start          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes      pps  Input Output Src AS Dst AS Flows
2007-02-01 04:19:21.032   331.795 0          0.0.0.0:0             ->   xx.yyy.zz.ttt:0      1.4 M   40.4 M     4398      6      4      0      0 209152

I have a question for Peter: By using this kind of aggregation, are the input and output interface values correct? What if flows come to the same destination via different input interfaces? Or are these values the last indices of the last flow? I use these indices to separate incoming traffic from outgoing traffic, so it's important to me that they are correct.

Thank you.

Jason Chambers wrote:
>
> On Jan 23, 2007, at 12:21 AM, Adrian Popa wrote:
>
>> Hello everybody,
>>
>> I'm trying to write a nfsen backend script to detect (automatically)
>> denial-of-service attacks.
>>
>> distributed DOS: flows from numerous sources to the same destination,
>> on different ports.
>> I guess it could be implemented like the previous one, but it would
>> be tricky to set the threshold - to separate floods from legitimate
>> traffic
>>
>> My questions to you are:
>> 1. How do you detect the last 2 types of flooding
>> 2. Have you encountered other types of attack? Can you suggest a
>> better way to detect them?
>>
>
> I think you need to look at the rate of increase in flows \ packets
> between 5 minute time slots.
>
> From what I understand of the code, Panoptis [1] detects DoS attacks
> by looking at the rate of increase for interfaces (either packets or
> flows) and then gets the top talker(s) for that interface. And from
> the looks of the man page for nfdump, it would seem that you could
> implement that same approach.
>
> [1] http://sourceforge.net/projects/panoptis
>
>
> Regards,
>
> --Jason
>

--
Adrian Popa
Junior Network Engineer
Romtelecom S.A.
Divizia Centrul National de Operare Retea
Departament Transport IP & Metro
Compartiment IP Core

_______________________________________________
Nfsen-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
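The detection described in the post (aggregate by destination IP, flag destinations whose packet rate crosses a threshold) can also be done outside nfdump, over per-flow records, which sidesteps the interface question raised above: if the aggregation is done in a script, every flow's own input and output interface is still visible, so the script can tell whether a destination is being reached through one interface or several. The following is an added example, not code from the original post or from the nfsen/nfdump projects. It assumes nfdump is run with the fmt string quoted in the post but without `-A dstip`, so that one line per raw flow is produced, and it assumes the K/M/G suffixes nfdump prints on packet and byte counts are decimal (1000-based); the sample records below are constructed, not real captures, and the addresses are documentation ranges.

```python
"""Aggregate per-flow nfdump records by destination IP and flag floods.

Added example (not part of the original mailing-list thread). Input is
nfdump output in the post's format, one raw flow per line:
  %ts %td %pr %sap -> %dap %pkt %byt %pps %in %out %sas %das %fl
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Assumption: nfdump scales large counters with decimal suffixes ("1.4 M").
SCALE = {"K": 1e3, "M": 1e6, "G": 1e9}

# Constructed sample output (same column layout as the post). Three UDP
# flows hit 198.51.100.5:53 from three sources via input interfaces 6 and 7;
# two small TCP flows reach 198.51.100.20:80 over interface 6 only.
SAMPLE = """\
Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes pps Input Output Src AS Dst AS Flows
2007-02-01 04:19:21.032 300.000 UDP 192.0.2.10:4321 -> 198.51.100.5:53 15.0 M 900.0 M 50000 6 4 0 0 1
2007-02-01 04:19:21.032 300.000 UDP 192.0.2.11:4321 -> 198.51.100.5:53 15.0 M 900.0 M 50000 6 4 0 0 1
2007-02-01 04:19:21.032 300.000 UDP 203.0.113.7:4321 -> 198.51.100.5:53 6.0 M 360.0 M 20000 7 4 0 0 1
2007-02-01 04:20:00.000 10.000 TCP 192.0.2.50:40000 -> 198.51.100.20:80 1200 96000 120 6 4 0 0 1
2007-02-01 04:21:00.000 5.000 TCP 192.0.2.51:40001 -> 198.51.100.20:80 600 48000 120 6 4 0 0 1
"""


@dataclass
class Flow:
    start: datetime
    duration: float
    proto: str
    src: str       # address without port
    dst: str       # address without port
    packets: float
    nbytes: float
    in_if: int
    out_if: int


@dataclass
class DstStats:
    packets: float = 0.0
    nbytes: float = 0.0
    flows: int = 0
    sources: Set[str] = field(default_factory=set)
    in_ifs: Set[int] = field(default_factory=set)
    out_ifs: Set[int] = field(default_factory=set)
    first: Optional[datetime] = None
    last: Optional[datetime] = None

    @property
    def pps(self) -> float:
        """Packet rate over the time span covered by all flows to this dst."""
        span = (self.last - self.first).total_seconds()
        return self.packets / span if span > 0 else self.packets


def _take_number(tokens: List[str], i: int):
    """Read one counter that nfdump may have printed as two tokens ('1.4', 'M')."""
    value = float(tokens[i])
    i += 1
    if i < len(tokens) and tokens[i] in SCALE:
        value *= SCALE[tokens[i]]
        i += 1
    return value, i


def parse_line(line: str) -> Flow:
    t = line.split()
    start = datetime.strptime(f"{t[0]} {t[1]}", "%Y-%m-%d %H:%M:%S.%f")
    if t[5] != "->":
        raise ValueError(f"unexpected record layout: {line!r}")
    packets, i = _take_number(t, 7)
    nbytes, i = _take_number(t, i)
    i += 1  # skip nfdump's per-flow %pps; the aggregate rate is recomputed below
    # Assumption: IPv4 "addr:port" as in the post, so the port follows the last colon.
    return Flow(start, float(t[2]), t[3], t[4].rsplit(":", 1)[0],
                t[6].rsplit(":", 1)[0], packets, nbytes, int(t[i]), int(t[i + 1]))


def parse_lines(text: str) -> List[Flow]:
    """Parse every record line, skipping the header and any summary text."""
    return [parse_line(ln) for ln in text.splitlines()
            if ln.strip() and ln[0].isdigit()]


def aggregate_by_dst(flows: List[Flow]) -> Dict[str, DstStats]:
    stats: Dict[str, DstStats] = defaultdict(DstStats)
    for f in flows:
        s = stats[f.dst]
        s.packets += f.packets
        s.nbytes += f.nbytes
        s.flows += 1
        s.sources.add(f.src)
        s.in_ifs.add(f.in_if)       # kept per destination, so mixed paths are visible
        s.out_ifs.add(f.out_if)
        end = f.start + timedelta(seconds=f.duration)
        s.first = f.start if s.first is None or f.start < s.first else s.first
        s.last = end if s.last is None or end > s.last else s.last
    return dict(stats)


def find_floods(stats: Dict[str, DstStats], pps_threshold: float = 100_000) -> Dict[str, DstStats]:
    """Destinations whose aggregate packet rate exceeds the threshold."""
    return {dst: s for dst, s in stats.items() if s.pps > pps_threshold}


if __name__ == "__main__":
    stats = aggregate_by_dst(parse_lines(SAMPLE))
    for dst, s in find_floods(stats).items():
        path = "mixed input interfaces" if len(s.in_ifs) > 1 else "single input interface"
        print(f"{dst}: {s.pps:.0f} pps, {len(s.sources)} sources, {s.flows} flows, "
              f"in={sorted(s.in_ifs)} out={sorted(s.out_ifs)} ({path})")
```

The rate is computed over the union of the flows' time spans rather than over a fixed 5-minute slot, so a burst that only lasts part of a slot is not diluted; the per-destination interface sets are what make it possible to separate inbound from outbound traffic even when one destination is reached over several paths.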
