TCPDump
Nov 25, 2008
I would open up a topic here in case someone has done this before and might have some good tips and/or links. Anyway what I plan to do is examine the packets of this DDoS and see if they have a common header and block it.
Feb 10, 2007
This is the command I'm running and its options:
tcpdump > output.file
Problem is that the only way to stop this command is pressing Ctrl+C, and I just need some option to specify how long tcpdump will be running; I need it to run for 1 minute, for example, and then it should stop automatically.
Nov 12, 2008
I'm developing a self-made solution to mitigate DDoS attacks, using tcpdump. We received a DDoS last Sunday and it worked perfectly; we could rapidly identify the attack sources and ask our carrier to block them.
My idea is to monitor common connections from one IP to another, and order them by the number of connections. When there are 50+ connections (same ip, same port TO another ip, another port) this means we are probably under attack.
I was wondering if my algorithm is good enough?
Command used: tcpdump -n -c 200 | grep 2 | awk '{printf ("%s -> %s\n"),$3,$5}' | sort | uniq -c | sort -n -r
BUT... My doubt is that DEST port is always 80, 22, 21, 25, etc... But SOURCE port is variable!
I see connections like this every time:
208.X.X.X:24578 -> 70.Y.Y.Y:80
And also, sometimes the same IP places various connections like:
208.X.X.X:24578 -> 70.Y.Y.Y:80
208.X.X.X:38731 -> 70.Y.Y.Y:80
208.X.X.X:14598 -> 70.Y.Y.Y:80
208.X.X.X:64578 -> 70.Y.Y.Y:80
... and my script doesn't count them as 4 connections, just one for each line like that...
Is there any DDoS tool I can use to test this mitigation algorithm?
Is there any security group that can help me out, simulating a DDoS or even helping me with my script? (I can pay for it)
Example of my report, generated by my script:
No. connections | Source IP | Dest IP
8 201.9.126.9.27005 -> 200.169.XXX.160.27015:
6 200.169.XXX.130.http -> 189.55.119.177.astromed-main:
6 189.55.119.177.iwlistener -> 200.169.XXX.130.http:
5 200.169.XXX.175.pop3 -> 201.67.151.51.14137:
4 201.95.49.29.58559 -> 200.169.XXX.140.27015:
4 201.52.122.217.27005 -> 200.169.XXX.140.27060:
4 201.51.100.118.essp -> 200.169.XXX.135.63392:
4 201.47.13.35.50311 -> 200.169.XXX.140.27015:
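One way to do the per-source-IP aggregation the poster is asking about, as an added example (this is not the poster's script): the ephemeral source port is dropped before counting, so four SYNs from the same host on different source ports count as 4 connections to the same destination socket. The tcpdump -n lines, addresses and the threshold of 3 are all constructed for the example.

```shell
#!/bin/sh
# Aggregate "tcpdump -n" output by (source IP, destination IP.port), ignoring
# the source port, and flag pairs whose connection count reaches a threshold.

# Constructed sample of tcpdump -n lines; timestamps and addresses are made up.
SAMPLE='10:00:00.000001 IP 208.0.0.1.24578 > 70.0.0.1.80: Flags [S], seq 1, win 512, length 0
10:00:00.000002 IP 208.0.0.1.38731 > 70.0.0.1.80: Flags [S], seq 2, win 512, length 0
10:00:00.000003 IP 208.0.0.1.14598 > 70.0.0.1.80: Flags [S], seq 3, win 512, length 0
10:00:00.000004 IP 208.0.0.1.64578 > 70.0.0.1.80: Flags [S], seq 4, win 512, length 0
10:00:00.000005 IP 10.0.0.5.51000 > 70.0.0.1.80: Flags [S], seq 5, win 512, length 0
10:00:00.000006 IP 70.0.0.1.80 > 10.0.0.5.51000: Flags [S.], seq 9, ack 6, win 512, length 0
10:00:00.000007 ARP, Request who-has 70.0.0.2 tell 70.0.0.1, length 28'

# flows: read tcpdump -n IPv4 lines on stdin and print one line per
# (source IP, destination IP.port) pair as "count src_ip dst_ip.port",
# highest count first. Non-IP lines (ARP etc.) are skipped.
flows() {
  awk '$2 == "IP" && $4 == ">" {
      n = split($3, s, ".")             # source is a.b.c.d.port: drop the port
      if (n != 5) next
      src = s[1] "." s[2] "." s[3] "." s[4]
      dst = $5; sub(/:$/, "", dst)      # strip the trailing colon tcpdump adds
      print src " " dst
  }' | sort | uniq -c | sort -rn | awk '{print $1, $2, $3}'
}

# suspects: only the pairs with at least $1 connections (the alerting step).
suspects() {
  flows | awk -v min="$1" '$1 >= min'
}

# top_flow: the single busiest (source IP, destination socket) pair.
top_flow() {
  flows | head -n 1
}

# Example run over the constructed sample with a threshold of 3.
printf '%s\n' "$SAMPLE" | suspects 3
```

On a live box the same functions read from `tcpdump -n -c 200 2>/dev/null | flows`; the threshold is whatever baseline the poster's traffic justifies.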