aiengine / DDoSAttacksPython

Detect DDoS attacks

By combining the add_timer method with get_counters we can easily detect DDoS attacks. Let's see how it works:

import pyaiengine

# The stack is created in __main__ and shared with the timer handlers below
st = None

We create a handler function for the DDoS detection; in this example we use the relationship between SYN and SYN/ACK packets to make the detection.

def tcp_dos_handler():
    # Counters of the TCP protocol as seen by the stack
    c = st.get_counters("tcp")
    syns = int(c["syn"])
    synacks = int(c["synack"])

    # Check the relationship between the flags: many more SYNs than SYN/ACKs
    # means connections are being opened that the servers never complete
    if (syns > (synacks * 10)):
        print("TCP Syn DoS attack detected")
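The handler above compares the totals the stack has accumulated since it started, so a short burst can be hidden by hours of normal traffic. The following added example (not code from the aiengine wiki or project) keeps the previous snapshot and applies the same 10:1 SYN to SYN/ACK rule to the growth between two timer ticks, with a minimum volume so a quiet link does not trigger on a handful of packets. It assumes get_counters returns cumulative totals under the "syn" and "synack" keys, as the wiki uses them; inside tcp_dos_handler you would call det.update(st.get_counters("tcp")).

```python
# Added example, not part of the aiengine wiki: per-interval SYN flood check.
# Assumption: the counter dict holds cumulative totals for "syn" and "synack".

class SynFloodDetector:
    """Compare SYN vs SYN/ACK growth between consecutive counter snapshots."""

    def __init__(self, ratio=10, min_syns=1000):
        self.ratio = ratio        # SYNs per SYN/ACK that counts as suspicious
        self.min_syns = min_syns  # ignore tiny samples (quiet link, noisy ratio)
        self.prev = None          # previous (syn, synack) snapshot

    def update(self, counters):
        """Feed one snapshot; return True if this interval looks like a flood."""
        syns = int(counters["syn"])
        synacks = int(counters["synack"])
        if self.prev is None:          # first tick: only establish the baseline
            self.prev = (syns, synacks)
            return False
        d_syn = syns - self.prev[0]
        d_synack = synacks - self.prev[1]
        self.prev = (syns, synacks)
        if d_syn < self.min_syns:      # not enough traffic to judge the ratio
            return False
        return d_syn > d_synack * self.ratio


# Constructed snapshots (not real captures): three quiet 5 s intervals, then a burst
SNAPSHOTS = [
    {"syn": "100", "synack": "95"},
    {"syn": "210", "synack": "200"},
    {"syn": "320", "synack": "305"},
    {"syn": "52000", "synack": "330"},  # 51680 new SYNs vs 25 new SYN/ACKs
]


def run_snapshots(snapshots, detector=None):
    """Return the indexes of the intervals flagged as a SYN flood."""
    det = detector or SynFloodDetector()
    return [i for i, c in enumerate(snapshots) if det.update(c)]


if __name__ == "__main__":
    print(run_snapshots(SNAPSHOTS))  # [3]
```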

We can also create another handler to detect distributed NTP attacks very easily:

def ntp_ddos_handler():

    # Counters of the NTP protocol, available for extra checks
    c = st.get_counters("NTPProtocol")

    total = 0
    iph = dict()
    # Walk the active UDP flows, counting NTP flows and their distinct source IPs
    for f in st.udp_flow_manager:
        if (f.l7_protocol_name == "NTPProtocol"):
            iph[f.srcip] = 1
            total = total + 1

    # Condition for checking that we are under attack: every NTP flow comes from
    # a different source IP (note that this also holds when there are no NTP flows)
    # Use any condition you think is interesting, also the c object contains useful information
    if (total == len(iph)):
        print("NTP DDoS attack detected")

Create a new IPv6 stack object.

if __name__ == '__main__':

    st = pyaiengine.StackLanIPv6()

Allocate the maximum number of flows on the stack; since we are interested in TCP attacks, let's create a big TCP cache.

    st.udp_flows = 163840
    st.tcp_flows = 1500000

Open the network device with a PacketDispatcher instance and register the handler with the add_timer method of the PacketDispatcher class, so that the callback is called every 5 seconds. Finally, set the IPv6 stack and let the engine work:

    with pyaiengine.PacketDispatcher("eth0") as pd:
        # Call the TCP handler every 5 seconds; ntp_ddos_handler is registered the same way
        pd.add_timer(tcp_dos_handler,5)
        pd.stack = st
        pd.run()
