mirror of
https://github.com/pavel-odintsov/fastnetmon
synced 2024-11-27 08:25:47 +01:00
Introduce stable attack protocol detection; Closes #59
This commit is contained in:
parent
feed0d8c38
commit
89f81f7afe
@ -238,14 +238,14 @@ public:
|
|||||||
class attack_details : public map_element {
|
class attack_details : public map_element {
|
||||||
public:
|
public:
|
||||||
attack_details() :
|
attack_details() :
|
||||||
attack_power(0), max_attack_power(0), average_in_bytes(0), average_out_bytes(0), average_in_packets(0), average_out_packets(0), average_in_flows(0), average_out_flows(0) {
|
attack_protocol(0), attack_power(0), max_attack_power(0), average_in_bytes(0), average_out_bytes(0), average_in_packets(0), average_out_packets(0), average_in_flows(0), average_out_flows(0) {
|
||||||
}
|
}
|
||||||
direction attack_direction;
|
direction attack_direction;
|
||||||
// first attackpower detected
|
// first attackpower detected
|
||||||
unsigned int attack_power;
|
unsigned int attack_power;
|
||||||
// max attack power
|
// max attack power
|
||||||
unsigned int max_attack_power;
|
unsigned int max_attack_power;
|
||||||
|
unsigned int attack_protocol;
|
||||||
/*
|
/*
|
||||||
unsigned int in_bytes;
|
unsigned int in_bytes;
|
||||||
unsigned int out_bytes;
|
unsigned int out_bytes;
|
||||||
@ -389,6 +389,7 @@ bool we_do_real_ban = true;
|
|||||||
void block_all_traffic_with_82599_hardware_filtering(string client_ip_as_string);
|
void block_all_traffic_with_82599_hardware_filtering(string client_ip_as_string);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
unsigned int get_max_used_protocol(unsigned int tcp, unsigned int udp, unsigned int icmp);
|
||||||
string get_printable_protocol_name(unsigned int protocol);
|
string get_printable_protocol_name(unsigned int protocol);
|
||||||
void print_attack_details_to_file(string details, string client_ip_as_string, attack_details current_attack);
|
void print_attack_details_to_file(string details, string client_ip_as_string, attack_details current_attack);
|
||||||
bool folder_exists(string path);
|
bool folder_exists(string path);
|
||||||
@ -2294,6 +2295,29 @@ direction get_packet_direction(uint32_t src_ip, uint32_t dst_ip, unsigned long&
|
|||||||
return packet_direction;
|
return packet_direction;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
unsigned int detect_attack_protocol(map_element& speed_element, direction attack_direction) {
|
||||||
|
if (attack_direction == INCOMING) {
|
||||||
|
return get_max_used_protocol(speed_element.tcp_in_packets, speed_element.udp_in_packets, speed_element.icmp_in_packets);
|
||||||
|
} else {
|
||||||
|
// OUTGOING
|
||||||
|
return get_max_used_protocol(speed_element.tcp_out_packets, speed_element.udp_out_packets, speed_element.icmp_out_packets);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
unsigned int get_max_used_protocol(unsigned int tcp, unsigned int udp, unsigned int icmp) {
|
||||||
|
unsigned int max = max(max(udp, tcp), icmp);
|
||||||
|
|
||||||
|
if (max == tcp) {
|
||||||
|
return IPPROTO_TCP;
|
||||||
|
} else if (max == udp) {
|
||||||
|
return IPPROTO_UDP;
|
||||||
|
} else if (max == icmp) {
|
||||||
|
return IPPROTO_ICMP;
|
||||||
|
}
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
void execute_ip_ban(uint32_t client_ip, map_element speed_element, unsigned int in_pps, unsigned int out_pps, unsigned int in_bps, unsigned int out_bps, unsigned int in_flows, unsigned int out_flows, string flow_attack_details) {
|
void execute_ip_ban(uint32_t client_ip, map_element speed_element, unsigned int in_pps, unsigned int out_pps, unsigned int in_bps, unsigned int out_bps, unsigned int in_flows, unsigned int out_flows, string flow_attack_details) {
|
||||||
struct attack_details current_attack;
|
struct attack_details current_attack;
|
||||||
unsigned int pps = 0;
|
unsigned int pps = 0;
|
||||||
@ -2305,15 +2329,7 @@ void execute_ip_ban(uint32_t client_ip, map_element speed_element, unsigned int
|
|||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
// TODO: add protocol detection here
|
|
||||||
unsigned int attack_protocol = 0;
|
|
||||||
|
|
||||||
// IPPROTO_TCP
|
|
||||||
// IPPROTO_UDP
|
|
||||||
// IPPROTO_ICMP
|
|
||||||
|
|
||||||
// Detect attack direction with simple heuristic
|
// Detect attack direction with simple heuristic
|
||||||
|
|
||||||
if (abs(in_pps - out_pps) < 1000) {
|
if (abs(in_pps - out_pps) < 1000) {
|
||||||
// If difference between pps speed is so small we should do additional investigation using bandwidth speed
|
// If difference between pps speed is so small we should do additional investigation using bandwidth speed
|
||||||
if (in_bps > out_bps) {
|
if (in_bps > out_bps) {
|
||||||
@ -2333,6 +2349,8 @@ void execute_ip_ban(uint32_t client_ip, map_element speed_element, unsigned int
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
current_attack.attack_protocol = detect_attack_protocol(speed_element, data_direction);
|
||||||
|
|
||||||
if (ban_list.count(client_ip) > 0) {
|
if (ban_list.count(client_ip) > 0) {
|
||||||
if ( ban_list[client_ip].attack_direction != data_direction ) {
|
if ( ban_list[client_ip].attack_direction != data_direction ) {
|
||||||
logger<<log4cpp::Priority::INFO<<"We expected very strange situation: attack direction for "
|
logger<<log4cpp::Priority::INFO<<"We expected very strange situation: attack direction for "
|
||||||
@ -2590,6 +2608,8 @@ string get_attack_description(uint32_t client_ip, attack_details& current_attack
|
|||||||
<<"Initial attack power: " <<current_attack.attack_power<<" packets per second\n"
|
<<"Initial attack power: " <<current_attack.attack_power<<" packets per second\n"
|
||||||
<<"Peak attack power: " <<current_attack.max_attack_power<< " packets per second\n"
|
<<"Peak attack power: " <<current_attack.max_attack_power<< " packets per second\n"
|
||||||
<<"Attack direction: " <<get_direction_name(current_attack.attack_direction)<<"\n"
|
<<"Attack direction: " <<get_direction_name(current_attack.attack_direction)<<"\n"
|
||||||
|
<<"Attack protocol: " <<get_printable_protocol_name(current_attack.attack_protocol)<<"\n"
|
||||||
|
|
||||||
<<"Total incoming traffic: " <<convert_speed_to_mbps(current_attack.in_bytes)<<" mbps\n"
|
<<"Total incoming traffic: " <<convert_speed_to_mbps(current_attack.in_bytes)<<" mbps\n"
|
||||||
<<"Total outgoing traffic: " <<convert_speed_to_mbps(current_attack.out_bytes)<<" mbps\n"
|
<<"Total outgoing traffic: " <<convert_speed_to_mbps(current_attack.out_bytes)<<" mbps\n"
|
||||||
<<"Total incoming pps: " <<current_attack.in_packets<<" packets per second\n"
|
<<"Total incoming pps: " <<current_attack.in_packets<<" packets per second\n"
|
||||||
|
Loading…
Reference in New Issue
Block a user