Hobbit DDOS Attack Detection (submission)
Charles Jones
jonescr at cisco.com
Fri Jan 25 21:59:08 CET 2008
I had a hobbit-monitored site become the victim of a DDOS syn-flood
attack. To help detect this in the future and also aid
information-gathering, I did the following, which I am sharing:
1. Made the following additions to hobbit-clients.cfg
# Detect more than 100 half-open connections (possible syn-flood attack)
PORT STATE=SYN_RECV MIN=0 MAX=100 COLOR=red TRACK="SYN"
# Detect more than 2000 established connections (possible simple DDOS http get attack)
PORT STATE=ESTABLISHED MIN=0 MAX=2000 COLOR=red
2. Made a small modification to hobbit-linux.sh, specifically to the
[ports] section. I crammed it all into a single line.
echo "[ports]"
# Table of half-open (SYN_RECV) connections: count, remote address, local port.
# netstat fields split on ':' give "localport  remoteaddr" in the second piece.
echo "SYN_REC Quick Stats:"
SYNs=`netstat -pant 2>/dev/null | grep SYN_RECV | awk -F: '{print $2;}' | awk '{print $2"\t"$1}' | sort | uniq -c | sort -n`
if [ -n "$SYNs" ]; then
    echo " # Address Port"
    printf '%s\n' "$SYNs"    # never use the data itself as the printf format string
    echo =============================
else
    echo "No SYNs Found"
    echo =============================
fi
# Bug in RedHat's netstat spews annoying error messages.
netstat -ant 2>/dev/null
#1 allows Hobbit to detect and alert for 2 common DDOS attack signatures
(syn floods and plain old http overloading), as well as creating graphs
via the "track" feature.
#2 prefixes the netstat output you see in the "ports" column with a
table of IPs that have half-open connections. It shows the address, IP,
and what port they are "attacking". Here is an example (IPs and ports
masked of course):
SYN_REC Quick Stats:
# Address Port
1 289.122.3.20 80
1 213.102.135.60 80
1 200.120.152.6 8080
1 201.192.9.130 443
1 174.231.84.4 443
2 191.136.92.135 80
2 216.122.32.240 8080
=============================
The prefixing of this data in the client message has no effect on the
Hobbit server, as it is only looking for the netstat output in the ports
section, and so ignores that extra data (but still displays it). So if
the site gets a syn flood, you can check the ports column of your web
host(s) and easily see the offending IP(s) that are performing the
attack. Note that most "floodbots" are coded such that they spoof their
IP addresses, so the information you gather may not actually help you
determine who is attacking, but is still useful for temporarily
firewalling or whatever other steps you need to take to block it.
Note: this works on RHEL, so should work on RedHat/CentOS/Fedora. I
haven't checked to see if debian/ubuntu has the same netstat parameters I
used, so YMMV :)
-Charles
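As an added example (not part of Charles's post or of the Xymon/Hobbit sources), this sh script replays both pieces of the setup over a constructed `netstat -ant` sample: the per-state count that the PORT rules threshold on, and the per-remote-address SYN_RECV table. The function names, thresholds passed in and sample addresses are all made up for the demonstration.

```shell
#!/bin/sh
# Constructed sample of `netstat -ant` output (documentation addresses, not real traffic).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             198.51.100.7:40121      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:40122      SYN_RECV
tcp        0      0 10.0.0.5:443            203.0.113.9:51000       SYN_RECV
tcp        0      0 10.0.0.5:80             192.0.2.44:33001        ESTABLISHED
tcp        0      0 10.0.0.5:80             192.0.2.44:33002        ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.10:55555        ESTABLISHED'

# Count the connections on stdin that sit in the given state (e.g. SYN_RECV).
# Only "tcp" rows are counted; "tcp6" rows (with ":::" addresses) are skipped.
count_state() {
    awk -v st="$1" '$1 == "tcp" && $6 == st { n++ } END { print n+0 }'
}

# Replay a hobbit-clients.cfg PORT rule: print COLOR when the count exceeds MAX,
# otherwise green.   usage: port_rule STATE MAX COLOR < netstat-output
port_rule() {
    n=$(count_state "$1")
    if [ "$n" -gt "$2" ]; then echo "$3"; else echo green; fi
}

# Per-remote-address table of half-open connections: count, address, local port,
# the same shape as the "SYN_REC Quick Stats" block in the client message.
syn_table() {
    awk '$1 == "tcp" && $6 == "SYN_RECV" {
            split($4, l, ":"); split($5, r, ":")
            print r[1] "\t" l[2]
         }' | sort | uniq -c | sort -n
}
```

Run it with `printf '%s\n' "$SAMPLE_NETSTAT" | port_rule SYN_RECV 100 red` to see the rule stay green on the sample, or pipe live `netstat -ant 2>/dev/null` output into the same functions.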