DDoS logging made easy

  • Author:xnite
  • Date:2016/07/29

If your server is making you money then DDoS attacks can really hurt revenue. Unfortunately there isn’t a lot that you can do about a DDoS attack outside of getting mitigation through your host. Even with mitigation there can still be breakthrough attacks which are attacks that bypass mitigation completely. When an attack is able to bypass mitigation your host will likely ask for a packet capture, which is unfortunately difficult to get if your server is under attack. Fortunately there is a solution, automatically monitor and log DDoS attacks with DoSMon.

DoSMon is a daemon that I wrote for the very task of monitoring for, and logging, [distributed] denial of service attacks automatically. The tool isn’t totally foolproof though, it may detect instances of high traffic that are not attacks. Let’s take a look at the config file…

DEVICE="enp2s0";			# Device to monitor traffic on, typically eth0 (Your WAN connection)
SEND_THRESHOLD="25";		# Send rate to start logging in Mbps
RECV_THRESHOLD="25";		# Recieve rate to start logging in Mbps
PPS_THRESHOLD="10000";		# Packets per second to start logging.
LOG_PATH="/var/log/dosmon";	# Folder to store tcpdumps (make sure the directory exists!!)
SAMPLE_SIZE="100000";		# Number of packets to log in tcpdump.
COOL_DOWN="120";			# Number of seconds to wait, after a tcpdump, before taking another tcpdump

DoSMon looks for abnormal traffic spikes on the specified device. The values that you set in the config file depend on what normal traffic looks like. If you are getting a lot of pcap dumps that are not actually attacks, then you should change some of these values. The device is usually something like eth0 or similar. You will need to check the output of

1
ifconfig
 to find out the name of your network device. The command output should look something like this…

# ifconfig
ens32: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.16.0.1  netmask 255.255.255.0  broadcast 172.16.0.255
        inet6 fe80::20c:29ff:fe6b:f816  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:6b:f8:16  txqueuelen 1000  (Ethernet)
        RX packets 468898417  bytes 501283507007 (466.8 GiB)
        RX errors 0  dropped 21  overruns 0  frame 0
        TX packets 204740528  bytes 51779684137 (48.2 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 13  bytes 1083 (1.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 13  bytes 1083 (1.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

You are looking for the device with your server’s WAN (or NAT) IP address. In my case the device name is

1
ens32
.

Your send and receive thresholds should be something reasonable. The point of a DDoS attack is to send junk traffic to your server which uses up the full bandwidth of your server. If your server has a 100Mbit connection an attack will use the full 100Mbit so that your server can’t handle any legitimate traffic. In most cases legitimate traffic will not be anywhere near the full port speed of your server. For example my server has a 10Gbit connection, but traffic doesn’t typically exceed 150Mbit combined up and down. My packets per second [

1
PPS_THRESHOLD
] doesn’t typically exceed 50,000. In this scenario it’s not recommended to set the thresholds to these numbers, it should be higher. My
1
PPS_THRESHOLD
is set to 100000.
1
SEND_THRESHOLD
is 250[MBit/s] and
1
RECV_THRESHOLD
is also 250[MBit/s]. If any of these limitations are reached DoSMon will log the attack to the logging directory, which by default is
1
/var/log/dosmon/
.

Installing DoSMon

Installing DoSMon is typically straight forward, make sure you have

1
tcpdump
installed and make sure that you have the Perl module 
1
Net::Server::Damonize
.

sudo apt-get install tcpdump
sudo cpan Net::Server::Daemonize
sudo emerge -av net-analyzer/tcpdump
sudo cpan Net::Server::Daemonize
sudo yum install tcpdump
sudo cpan Net::Server::Daemonize

Once you have the dependencies installed, it’s time to download and install DoSMon.

git https://github.com/xnite/dosmon
cd dosmon
chmod +x INSTALL.sh
sudo ./INSTALL.sh

If you prefer to install the files manually the script runs the following commands

mkdir /etc/dosmon
mv /etc/dosmon.conf /etc/dosmon/
cp ./sample_conf /etc/dosmon/
cp dosmon.pl /usr/sbin/dosmon.pl
chmod +x /usr/sbin/dosmon.pl
mkdir /var/log/dosmon

Now it’s time to edit your configuration found at

1
/etc/dosmon/sample_config
. Once you are comfortable with your configuration save it with the .conf extension (eg- eth0.conf). Once configured you can run DoSMon by issuing the following command:
1
/usr/sbin/dosmon.pl start
 as root. If you need to stop DoSMon for any reason, issue the command
1
/usr/sbin/dosmon.pl stop
.

 

I hope you found this post helpful! Please leave any questions/comments/concerns in the comments below. If you run into any issues while running this code, or would like to suggest new features, please post to the issues section on Github.

Robert Whitney
I'm a geek, gamer and breaker of things. I'm a programmer by day and an apache attack helicopter by night. Some would call me their spirit animal.
Opinions expressed here, even 💩 ones, are my own and do not represent those of my employer or associates.
Referral Links

Using my referral links is the best way to help me pay for my projects and development servers and get something out of it for yourself.

Copyright©2011 - 2018, Robert Whitney; All rights reserved.