DDoS attack detector
ddosdetector is a flexible tool for analysing network traffic and automating protection against DDoS attacks. The system is built on Luigi Rizzo's netmap framework and is designed to handle large volumes of traffic (10GB/sec and more) without loss of performance.
The system is written in C++ (C++11 standard) using the STL and Boost (1.55). It was written and built on Ubuntu 12.04.5 LTS with the g++ 4.8 compiler. cppcheck version 1.73 was used for static analysis and for catching style blunders.
InfluxDB can be used for monitoring and for collecting statistics.
The definition of the Grafana dashboard for these statistics is in the ./docs/INFLUXDB.md file.
Principle of operation
The daemon runs on a SPAN interface (an interface to which all traffic of the protected network is mirrored) and "listens" to all of that traffic. The captured traffic is passed through a set of rules. Each rule consists of a set of criteria against which a packet is tested, and a trigger that fires when the criteria are met. A trigger is associated with a task that performs one action (logging, calling a script, etc.). All rules added to the system are divided into groups corresponding to the L4 protocols (TCP, UDP, ICMP, etc.). Each rule belongs to exactly one group and, depending on the protocol of that group, may have different traffic-processing parameters (the available commands can be listed from the management console by typing "help"). Every rule, in any group, has a number of mandatory parameters without which it cannot be added:
- source / destination IP address / network
- the trigger threshold (the critical value which, once reached, causes the trigger's action to run)
An example of a rule that searches traffic:
ddoscontrold> show rules
TCP rules (num, rule, counter):
-d 92.53.96.141/32 --pps-th 100p --hlen <20 --pps-th-period 60 --action log:/tmp/test.log --next : 814.00p/s (735.03Kb/s), 157106 packets, 22975832 bytes
More functionality is described in the "Control" section.
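As an added illustration of the rule and trigger model described above (our own Python sketch, not the project's C++ code), the following parses the rule shown on this page, applies its destination and header-length filters to constructed packets, and reports the 60-second windows whose average packet rate exceeds the 100p threshold. Reading `--hlen <20` as "TCP header length below 20 bytes" and the threshold as a per-period average are assumptions, as are all field and function names.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    """Constructed model of one TCP rule (field names are ours, not the project's)."""
    dst: ipaddress.IPv4Network   # -d: destination host/network
    pps_th: int                  # --pps-th: trigger threshold in packets per second
    period: int                  # --pps-th-period: averaging window in seconds
    hlen_op: str                 # --hlen comparison: "<", ">" or "="
    hlen_val: int
    action: str                  # --action, e.g. "log:/tmp/test.log"

def parse_rule(text: str) -> Rule:
    """Parse a rule in the syntax shown on the page (only the options used there)."""
    toks = [t for t in text.split() if t != "--next"]   # --next takes no value
    opts = dict(zip(toks[0::2], toks[1::2]))            # "-d" -> "92.53.96.141/32", ...
    hlen = opts.get("--hlen", "=0")
    return Rule(
        dst=ipaddress.ip_network(opts["-d"], strict=False),
        pps_th=int(opts["--pps-th"].rstrip("p")),        # "100p" -> 100
        period=int(opts.get("--pps-th-period", "1")),
        hlen_op=hlen[0] if hlen[0] in "<>=" else "=",
        hlen_val=int(hlen.lstrip("<>=")),
        action=opts["--action"],
    )

def matches(rule: Rule, dst: str, hlen: int) -> bool:
    """True if a packet with this destination and header length passes the rule's filters."""
    if ipaddress.ip_address(dst) not in rule.dst:
        return False
    return {"<": hlen < rule.hlen_val, ">": hlen > rule.hlen_val, "=": hlen == rule.hlen_val}[rule.hlen_op]

def evaluate(rule: Rule, packets):
    """Count matching packets per --pps-th-period window and return (window_start, pps)
    for each window whose average rate exceeds --pps-th, i.e. where the action would fire."""
    counts = {}
    for ts, dst, hlen in packets:
        if matches(rule, dst, hlen):
            start = int(ts // rule.period) * rule.period
            counts[start] = counts.get(start, 0) + 1
    return [(s, c / rule.period) for s, c in sorted(counts.items()) if c / rule.period > rule.pps_th]

# Constructed traffic as (timestamp_s, dst, tcp_header_len): window 0-60 s carries 9000
# short-header packets to the protected host (150 p/s), window 60-120 s only 60 (1 p/s).
SAMPLE = [(i * 60 / 9000, "92.53.96.141", 16) for i in range(9000)]
SAMPLE += [(60 + i, "92.53.96.141", 16) for i in range(60)]
SAMPLE += [(i, "92.53.96.141", 20) for i in range(60)]   # regular headers: filtered out
SAMPLE += [(i, "10.0.0.7", 16) for i in range(60)]       # other destination: filtered out
RULE = ("-d 92.53.96.141/32 --pps-th 100p --hlen <20 --pps-th-period 60 "
        "--action log:/tmp/test.log --next")
FIRED = evaluate(parse_rule(RULE), SAMPLE)   # [(0, 150.0)]: only the first window trips the trigger
```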
The daemon is controlled through a console (reachable over a TCP port or a UNIX socket) with standard Linux utilities (telnet/netcat/socat). The management console lets the user set the parameters for selecting, detecting and counting traffic, as well as the reaction to one kind of traffic or another.
System statistics can be sent to an InfluxDB database for reporting and charting.
Installation
Since the system relies on the netmap driver, that driver must be installed.
Installing netmap driver on Ubuntu
For the driver to work correctly, you must build the netmap kernel module and build the network card driver with netmap support. This requires downloading the sources of the kernel installed on your system (version 3.10.90 in this example) and building netmap while pointing it at those sources (netmap patches the network card drivers from the kernel source and builds them).
Download the kernel sources and unpack them:
cd /usr/src
wget -S https://cdn.kernel.org/pub/linux/kernel/v3.x/linux-3.10.90.tar.xz
tar xpvf ./linux-3.10.90.tar.xz -C /usr/src/
Download netmap:
git clone https://github.com/luigirizzo/netmap
Configure the build, pointing it at the kernel sources and the drivers we need:
cd ./netmap/LINUX/
./configure --kernel-sources=/usr/src/linux-3.10.90 --drivers=igb,ixgbe,e1000e
Build:
make
Load the kernel modules into the system:
insmod /usr/src/netmap/LINUX/netmap.ko
# for 10Gb/sec Intel ethernet adapter
rmmod ixgbe && insmod /usr/src/netmap/LINUX/ixgbe/ixgbe.ko
# for 1Gb/sec Intel ethernet adapters (your card may use a different driver)
rmmod igb && insmod /usr/src/netmap/LINUX/igb/igb.ko
rmmod e1000e && insmod /usr/src/netmap/LINUX/e1000e/e1000e.ko
The netmap device should then appear in the system:
# ls /dev/netmap
/dev/netmap
Installing ddosdetector
Build ddosdetector from source:
git clone https://velizarx@bitbucket.org/velizarx/ddosdetector.git
cd ./ddosdetector
make
Run
To run the daemon, the current user must have read and write permission on the netmap device (/dev/netmap). The network interface must be up, and a network card driver with netmap support must be loaded:
# lsmod | grep netmap
netmap 143360 27 ixgbe
# modinfo ixgbe | grep depends
depends: mdio,netmap,dca