DDoS logging made easy
If your server is making you money then DDoS attacks can really hurt revenue. Unfortunately there isn’t a lot that you can do about a DDoS attack outside of getting mitigation through your host. Even with mitigation there can still be breakthrough attacks which are attacks that bypass mitigation completely. When an attack is able to bypass mitigation your host will likely ask for a packet capture, which is unfortunately difficult to get if your server is under attack. Fortunately there is a solution, automatically monitor and log DDoS attacks with DoSMon.
DoSMon is a daemon that I wrote for the very task of monitoring for, and logging, [distributed] denial of service attacks automatically. The tool isn’t totally foolproof though, it may detect instances of high traffic that are not attacks. Let’s take a look at the config file…
DEVICE="enp2s0"; # Device to monitor traffic on, typically eth0 (Your WAN connection) SEND_THRESHOLD="25"; # Send rate to start logging in Mbps RECV_THRESHOLD="25"; # Recieve rate to start logging in Mbps PPS_THRESHOLD="10000"; # Packets per second to start logging. LOG_PATH="/var/log/dosmon"; # Folder to store tcpdumps (make sure the directory exists!!) SAMPLE_SIZE="100000"; # Number of packets to log in tcpdump. COOL_DOWN="120"; # Number of seconds to wait, after a tcpdump, before taking another tcpdump
DoSMon looks for abnormal traffic spikes on the specified device. The values that you set in the config file depend on what normal traffic looks like. If you are getting a lot of pcap dumps that are not actually attacks, then you should change some of these values. The device is usually something like eth0 or similar. You will need to check the output of
to find out the name of your network device. The command output should look something like this…
# ifconfig ens32: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 172.16.0.1 netmask 255.255.255.0 broadcast 172.16.0.255 inet6 fe80::20c:29ff:fe6b:f816 prefixlen 64 scopeid 0x20<link> ether 00:0c:29:6b:f8:16 txqueuelen 1000 (Ethernet) RX packets 468898417 bytes 501283507007 (466.8 GiB) RX errors 0 dropped 21 overruns 0 frame 0 TX packets 204740528 bytes 51779684137 (48.2 GiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536 inet 127.0.0.1 netmask 255.0.0.0 inet6 ::1 prefixlen 128 scopeid 0x10<host> loop txqueuelen 0 (Local Loopback) RX packets 13 bytes 1083 (1.0 KiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 13 bytes 1083 (1.0 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
You are looking for the device with your server’s WAN (or NAT) IP address. In my case the device name is
Your send and receive thresholds should be something reasonable. The point of a DDoS attack is to send junk traffic to your server which uses up the full bandwidth of your server. If your server has a 100Mbit connection an attack will use the full 100Mbit so that your server can’t handle any legitimate traffic. In most cases legitimate traffic will not be anywhere near the full port speed of your server. For example my server has a 10Gbit connection, but traffic doesn’t typically exceed 150Mbit combined up and down. My packets per second [
] doesn’t typically exceed 50,000. In this scenario it’s not recommended to set the thresholds to these numbers, it should be higher. My
is set to 100000.
is 250[MBit/s] and
is also 250[MBit/s]. If any of these limitations are reached DoSMon will log the attack to the logging directory, which by default is
Installing DoSMon is typically straight forward, make sure you have
installed and make sure that you have the Perl module
sudo apt-get install tcpdump sudo cpan Net::Server::Daemonize
sudo emerge -av net-analyzer/tcpdump sudo cpan Net::Server::Daemonize
sudo yum install tcpdump sudo cpan Net::Server::Daemonize
Once you have the dependencies installed, it’s time to download and install DoSMon.
git https://github.com/xnite/dosmon cd dosmon chmod +x INSTALL.sh sudo ./INSTALL.sh
If you prefer to install the files manually the script runs the following commands
mkdir /etc/dosmon mv /etc/dosmon.conf /etc/dosmon/ cp ./sample_conf /etc/dosmon/ cp dosmon.pl /usr/sbin/dosmon.pl chmod +x /usr/sbin/dosmon.pl mkdir /var/log/dosmon
Now it’s time to edit your configuration found at
. Once you are comfortable with your configuration save it with the .conf extension (eg- eth0.conf). Once configured you can run DoSMon by issuing the following command:
as root. If you need to stop DoSMon for any reason, issue the command
I hope you found this post helpful! Please leave any questions/comments/concerns in the comments below. If you run into any issues while running this code, or would like to suggest new features, please post to the issues section on Github.