Detect DDoS attacks
By using the add_timer and get_counters methods we can detect DDoS attacks easily. Let's see how it works:

```python
import pyaiengine

# The stack is created later in __main__; the handlers below read it
# as a module-level global.
st = None
```
We create a handler function for the DDoS detection method. In this example we use the relationship between SYN and SYN/ACK packets to make the detection: a host under a SYN flood sees far more SYNs than it can answer with SYN/ACKs. Keep in mind that the values returned by get_counters are totals accumulated since the stack started, so a long-running process should compare the difference between consecutive timer calls rather than the raw totals.

```python
def tcp_dos_handler():
    c = st.get_counters("tcp")
    syns = int(c["syn"])
    synacks = int(c["synack"])
    # Check the relationship between the flags: more than ten SYNs
    # per SYN/ACK is treated as a SYN flood
    if (syns > (synacks * 10)):
        print("TCP Syn DoS attack detected")
```
On the other hand, we can create another handler to detect NTP distributed attacks very easily. Here the signal is the spread of source addresses: in a reflection/amplification attack almost every NTP flow comes from a different source.

```python
def ntp_ddos_handler():
    c = st.get_counters("NTPProtocol")
    total = 0
    iph = dict()
    # Walk the active UDP flows and record the distinct NTP source addresses
    for f in st.udp_flow_manager:
        if (f.l7_protocol_name == "NTPProtocol"):
            iph[f.srcip] = 1
            total = total + 1
    # Condition for checking that we are under attack: every NTP flow
    # comes from a different source address. Use any condition you think
    # is interesting; the c object also contains useful information
    if (total > 0 and total == len(iph)):
        print("NTP DDoS attack detected")
```
Create a new IPv6 stack object.

```python
if __name__ == '__main__':
    st = pyaiengine.StackLanIPv6()
```
Allocate the maximum number of flows for the stack. Since we are interested in TCP attacks, create a big TCP cache so that a flood does not exhaust it.

```python
    st.udp_flows = 163840
    st.tcp_flows = 1500000
```
Open the network device with a PacketDispatcher instance and register the handlers with the add_timer method of the PacketDispatcher class, so that every 5 seconds each callback is called. Finally set the IPv6 stack and let the engine work.

```python
    with pyaiengine.PacketDispatcher("eth0") as pd:
        pd.add_timer(tcp_dos_handler, 5)
        pd.add_timer(ntp_ddos_handler, 5)
        pd.stack = st
        pd.run()
```
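The two rules above only fire inside a running pyaiengine timer, which makes them hard to test. The following is an added example, not code from the aiengine wiki or from the pyaiengine API: it reimplements both rules over plain Python data so they can be exercised offline. The `Flow` tuple is a hypothetical stand-in for a pyaiengine flow object, and the counter snapshots and flow lists are constructed sample data. It also goes one step beyond the page: the SYN detector works on the difference between consecutive counter snapshots instead of the cumulative totals, and the NTP rule uses a fraction of distinct sources with a minimum sample size rather than strict equality, so a flood that has already stopped, or an idle link, no longer trips the alarm.

```python
"""Added example (not part of the aiengine wiki or pyaiengine): the page's
two DDoS rules over plain Python data, with constructed sample input."""
from collections import namedtuple

# Hypothetical stand-in for a pyaiengine flow object (assumed shape).
Flow = namedtuple("Flow", ["srcip", "dstip", "l7_protocol_name"])

SYN_RATIO = 10  # same SYN : SYN/ACK threshold the wiki handler uses


class TcpSynDetector:
    """SYN-flood rule evaluated on per-interval deltas.

    Cumulative counters keep a raw-total rule in the 'attack' state long
    after a flood ends; subtracting the previous snapshot makes each timer
    interval independent. Intervals with fewer than min_syns new SYNs are
    ignored so an idle link cannot trigger on a handful of packets.
    """

    def __init__(self, ratio=SYN_RATIO, min_syns=100):
        self.ratio = ratio
        self.min_syns = min_syns
        self.last_syn = 0
        self.last_synack = 0

    def update(self, counters):
        """Feed one counter snapshot; return True if this interval is a flood."""
        syn_total = int(counters["syn"])
        synack_total = int(counters["synack"])
        syns = syn_total - self.last_syn
        synacks = synack_total - self.last_synack
        self.last_syn, self.last_synack = syn_total, synack_total
        if syns < self.min_syns:
            return False
        return syns > synacks * self.ratio


def ntp_source_spread(flows):
    """Return (number of NTP flows, number of distinct NTP source IPs)."""
    total = 0
    sources = set()
    for f in flows:
        if f.l7_protocol_name == "NTPProtocol":
            total += 1
            sources.add(f.srcip)
    return total, len(sources)


def ntp_ddos_detected(flows, min_flows=50, spread=0.9):
    """Flag when at least `spread` of NTP flows come from distinct sources.

    The wiki's strict `total == distinct` condition is relaxed to a fraction
    and guarded by a minimum number of flows.
    """
    total, distinct = ntp_source_spread(flows)
    if total < min_flows:
        return False
    return distinct / total >= spread


# Constructed cumulative counter snapshots, as a 5 s timer would see them.
SYN_SNAPSHOTS = [
    {"syn": 500, "synack": 480},     # normal: 500 SYNs, 480 SYN/ACKs
    {"syn": 20500, "synack": 600},   # +20000 SYNs vs +120 SYN/ACKs: flood
    {"syn": 21000, "synack": 1100},  # +500 vs +500: flood has stopped
]

# Constructed flow tables (documentation addresses, not real hosts).
ATTACK_FLOWS = [Flow("2001:db8::%x" % i, "2001:db8::1", "NTPProtocol")
                for i in range(1, 61)]           # 60 flows, 60 sources
NORMAL_FLOWS = [Flow("2001:db8::%x" % (i % 3 + 1), "2001:db8::1", "NTPProtocol")
                for i in range(60)]              # 60 flows, 3 sources
NORMAL_FLOWS += [Flow("2001:db8::5", "2001:db8::53", "DNSProtocol")]


def run_syn_snapshots(snapshots):
    """Evaluate every snapshot in order; returns one verdict per interval."""
    det = TcpSynDetector()
    return [det.update(s) for s in snapshots]


if __name__ == "__main__":
    print("SYN verdicts per interval:", run_syn_snapshots(SYN_SNAPSHOTS))
    print("NTP attack set flagged:", ntp_ddos_detected(ATTACK_FLOWS))
    print("NTP normal set flagged:", ntp_ddos_detected(NORMAL_FLOWS))
```

With the raw-total rule from the wiki the third snapshot (21000 SYNs against 1100 SYN/ACKs) would still report an attack; the delta-based detector reports only the second interval.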