Dear Teams,

 

Our team, CERT-GOV-GE, has implemented a free plugin for NFSEN (GABRIEL v0.1.0).

This is a testing release and we need your comments and remarks.

 

Here is a short description of the plugin:

This plugin detects DDoS attacks and displays the result for each timeslot.
Several indices are computed for each timeslot's data and saved in the
database, such as: total bytes sent and received during the timeslot, total
packets, the number of similar packets (two packets are assumed similar if
they are of the same size) and the percentage of the most often repeated
packet.

DDoS is detected if the following two conditions are met:

1. The total bytes in this flow are greater than the average number of total
   bytes during the last $interval period **times** some coefficient.

2. The percentage of similar packets in this flow is greater than the average
   such percentage during the last $interval period **PLUS** some coefficient.

If either of the above two conditions is not met, no DDoS is detected.

This is mostly a testing release, so these coefficients may be changed
according to your needs; see $INTERVAL, $PERCENTAGE_COEFFICIENT and
$BYTE_COEFFICIENT in gabriel.pm.

Increase $INTERVAL if you want to consider older flows when detecting DDoS.
Increase $PERCENTAGE_COEFFICIENT and $BYTE_COEFFICIENT if a normal flow is
detected as an attack, or decrease them if some attacks are not detected.

 

We also have an idea for a second version of the plugin, which you can read
below:

For each timeslot, detect how many previously unseen IPs were visiting, and
save them to the database.

If the number of previously unseen IPs in each timeslot is increasing
significantly (not slightly), detect that an anomaly is happening.

This anomaly may be a DDoS attack or may be a flash event.

 

In the case of an anomaly, we assess the behavior of these IPs and decide
whether it's an attack or not.

In each timeslot, we sort the IPs according to the date of their first
visit.

Older IPs have more trust, and previously unseen IPs have less trust from
us.

So we compare the behavior of older and newer IPs, and if the new IPs are
consuming significantly more resources than the older (trusted) IPs, then
it's probably a DDoS; otherwise it's just a flash event.

 

You can download the plugin from GitHub or see the attached file:

https://github.com/CERT-GOV-GE/gabriel

 

If you have any questions, please do not hesitate to contact us:

dkvata...@dea.gov.ge CERT-GOV-GE Manager

ndarja...@dea.gov.ge CERT-GOV-GE Senior Programmer

 

Thank you in advance!

 

With best regards,

David Kvatadze

CERT-GOV-GE Manager

LEPL DATA EXCHANGE AGENCY

Ministry of Justice of Georgia

Tbilisi, Georgia 0102 

2,St. Nikoloz/N. Chkheidze Str.

Tel: (+995 32) 2 915-140

Mobile: (+995) 599-252-113

E-mail: dkvata...@dea.gov.ge

 

Attachment: gabriel-0.1.0.tar.gz
Description: GNU Zip compressed data

_______________________________________________
Nfsen-discuss mailing list
Nfsen-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
