Tuesday, October 6, 2015

Detect Sudden Increase In Your Network Traffic: The First Step Towards Preventing An Attack On Your System



Be it a Ping Flood, a SYN Flood or any other DoS attack, the first step towards detecting it is spotting an anomaly in your system's network traffic. That is the earliest sign that your system may be under a DoS attack.

If you can monitor the network traffic in your system and get informed about an anomaly early enough, you can take action and probably still prevent the attack.






In this article, I will show you how to make your own tool for monitoring network traffic in your system, one that can alert you when there is a sudden increase in abnormal traffic.

Again, my system is an Ubuntu one, and here I will use a simple utility called tcpstat along with a shell script. Please note that my intention is to show you a basic tool on which you can build your own IDS or IPS.



Firstly, you need to install tcpstat in your system.

# sudo apt-get install tcpstat



Now, run this simple command in your terminal:

# sudo tcpstat -i eth1

You may have to select the appropriate network interface for your system.


You will see that every 5 seconds tcpstat gives you some information, such as the number of network packets, bits per second, etc.

tcpstat has an option '-o' through which you can specify the output format.

Here, I will use the format “%n”, which gives me the number of packets in each 5-second interval.


Next, I will redirect the output to a file, and in a while loop I will read the last line of the file, which gives the number of packets in the last 5 seconds. Then I will compare that number with a threshold.



I have experimented with a few attacks and determined the threshold to be 20,000 in my system.


Next, the job is simple. If the traffic goes beyond the threshold, set a flag. If the increased traffic continues for some time, say 15 seconds, I know it is time for action to be taken. The action may be setting temporary new iptables rules or analyzing the traffic further.


So, what does the script look like? Please find it below.



#!/bin/bash
# Packets per 5-second interval above which traffic is considered excessive
THRESHOLD=20000
# Number of consecutive 5-second intervals with excess traffic
INTERVAL=0
# Start tcpstat in the background; "%n" prints the packet count per interval
sudo tcpstat -i eth1 -o "%n\n" > ofile &
TCPSTAT_PID=$!
# Stop the background tcpstat when this script exits
trap 'sudo kill "$TCPSTAT_PID" 2>/dev/null' EXIT
while :
do
    sleep 5
    # Packets seen in the last 5 seconds (0 until tcpstat has written its first line)
    COUNT=$(tail -n 1 ofile)
    COUNT=${COUNT:-0}
    #echo "COUNT is: $COUNT"
    if [ "$COUNT" -gt "$THRESHOLD" ]
    then
        flag=1
        ((INTERVAL=INTERVAL+1))
        # More than three excess intervals in a row: time to act
        if [ $INTERVAL -gt 3 ]
        then
            echo -e "Take Action!\n"
        else
            echo "Excess traffic"
        fi
    else
        flag=0
        INTERVAL=0
    fi
done


This was a very simple script, but you can use it as a base for further improvement.
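As an added example (not the post's own script), here is the same detection logic rewritten to read tcpstat's output as a stream on stdin instead of tailing a file, so every 5-second sample is counted exactly once and a single quiet interval resets the streak; the interface name eth1 and the file name detect.sh are assumptions, and the sample counts are constructed.

```shell
#!/bin/sh
# Added example: streaming version of the detector. It reads one packet count per line
# from stdin, which is what `tcpstat -i eth1 -o "%n\n"` prints every 5 seconds, so each
# sample is handled exactly once instead of re-reading the last line of a file.

THRESHOLD=${THRESHOLD:-20000}   # packets per 5-second interval, the value measured in the post
CONSECUTIVE=${CONSECUTIVE:-3}   # excess samples in a row before acting (3 x 5 s = 15 s)

# classify THRESHOLD NEED: read counts from stdin and print one state per sample:
# "normal", "excess" (above threshold, streak still short) or "action".
classify() {
    threshold=$1 need=$2 streak=0
    while IFS= read -r count; do
        case "$count" in
            ''|*[!0-9]*) continue ;;   # ignore blank or non-numeric lines
        esac
        if [ "$count" -gt "$threshold" ]; then
            streak=$((streak + 1))
            if [ "$streak" -ge "$need" ]; then echo action; else echo excess; fi
        else
            streak=0                    # a quiet interval resets the streak
            echo normal
        fi
    done
}

# on_action: the response hook. It only logs here; a temporary firewall rule or a
# packet capture for further analysis would be started from this function.
on_action() {
    echo "$(date '+%F %T') sustained excess traffic, take action" >&2
}

# Constructed sample of seven 5-second intervals: two quiet, four above threshold, one quiet.
SAMPLE='120
95
25000
31000
40000
38000
200'

# Live use (interface name assumed):  sudo tcpstat -i eth1 -o "%n\n" | sh detect.sh live
if [ "${1:-}" = live ]; then
    classify "$THRESHOLD" "$CONSECUTIVE" | while IFS= read -r state; do
        [ "$state" = action ] && on_action
    done
else
    printf '%s\n' "$SAMPLE" | classify "$THRESHOLD" "$CONSECUTIVE"   # dry run on the sample
fi
```

Without the `live` argument the script runs over the constructed sample and prints normal, normal, excess, excess, action, action, normal, one state per interval.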
Hope you found it useful!
