Detecting Attacks
alvin nanog
nanogml at Mail.DDoS-Mitigator.net
Sat Jun 11 18:40:26 UTC 2016
hi su..
On 06/10/16 at 10:39pm, subashini hariharan wrote:
> I am Subashini, a graduate student. I am interested in doing my project in
> Network Security. I have a doubt related to it.
duh... too broad of a subject ... you'd need to be more specific about which
of the hundreds of subcategories ...
> The aim is to detect DoS/DDoS attacks using the application.
good ... sorta specific but not ...
> I am going to
> use ELK (ElasticSearch, Logstash, Kibanna) for processing the logs (Log
> Analytics).
hummm, why that app and not the couple dozen other ways people are using
to detect incoming and/or outgoing DDoS attacks
if the "professor" says "use ELK" ... you have no other choice ...
if not, there are much better options to detect DDoS attacks ...
( tcpdump -nnvv ) ... if you cannot explain each line, you've got a DDoS problem
> My doubt is regarding how do we generate logs for detecting this attack? As
> I am new to this process, I am not sure about it.
what's the doubt ?? if there is a doubt ... conduct an experiment and
see if it confirms your expected result or explain why it's different
and do more experiments until "it's all explained" and no more doubts
> Also, if it is possible to do any other attacks similar to this, you can
> please give a hint about it.
several dozen other types of attacks similar to DDoS, which take
a server or network offline, including no-technical-skill-required attacks
> Could anyone please help with this, it would be a great help!!
google/yahoo/bing is your assistant ready to give you ALL the
answers you need and ant
-----------
side notes ...
a) if you log all incoming packets ( attacks ), you have increased the
effectiveness of ddos attacks since you have now given them the power
to fill up your disk, use your cpu, use your memory, use your time
to review the logs, etc, etc
all of that is bad bad stuff to have the DDoS attackers do to you
b) for logs, etc, there are dozens of other apps that try to detect
attacks ( splunk, snort, hundred other apps, including eyeballs )
why are some methodologies better than others ?
c) detecting DDoS attacks is nice but, what's the point ??
you're still under attack ... and haven't resolved the issue
kinda like cooking dinner but not eating it ... you're still starving
d) every computer connected to the internet is under constant 24x7x365
attacks ... a good "ddos detector" will tell you how much traffic
is legitimate and how much bandwidth is wasted by the attacks
and which server and which ports they are attacking, etc etc
script kiddies are already attacking your network
( the one you're using now ) .. it's a free and harmless DDoS attack
and you should be able to see what they are doing to you "now"
if you cannot "see what" they are attacking, you've got a major problem
e) if you want to generate some specific DDoS attacks ..
use ping, nping, hping, nmap, etc to start .... that should
keep you busy for the next year or few years
do NOT ever send packets outside to computers you do not own,
or some ominous-looking folks might come looking for you
f) if you want to detect DDoS attacks .... post process tcpdump's output
magic pixie dust
alvin
#
# DDoS-Simulator.net
# DDoS-Mitigator.net
#
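The post-processing alvin describes in side notes d) and f) (turn tcpdump output into "which server, which port, how much is attack traffic, from how many sources") can be shown with a short script. The following is an added example for this archive page, not code from alvin, from the original poster, or from the DDoS-Mitigator.net site. It assumes the one-line-per-packet text that `tcpdump -nn` prints for TCP over IPv4 ("IP src.port > dst.port: Flags [..], ..., length N"); IPv6, UDP and ARP lines are skipped. The sample capture is constructed inline (RFC 5737 documentation addresses, a 40-source SYN flood plus one normal HTTPS session), and the flood thresholds in `flag_syn_floods` are hypothetical values picked for that sample, not tuned numbers.

```python
"""Post-process `tcpdump -nn` text output to spot a SYN flood (added example).

Parses the per-packet lines tcpdump prints for TCP/IPv4 and aggregates them
per destination host:port so you can see who is being hit, on which port,
how hard, and from how many sources.  Thresholds are assumptions.
"""
import re
from collections import defaultdict

# Matches lines such as:
# 18:40:26.000100 IP 203.0.113.7.40001 > 198.51.100.10.80: Flags [S], seq 1, win 512, length 0
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*length (?P<len>\d+)"
)


def to_seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_line(line):
    """Return a dict for a TCP/IPv4 line, or None for anything else (ARP, IP6, UDP...)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {"t": to_seconds(d["ts"]), "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]), "flags": d["flags"], "len": int(d["len"])}


def summarize(lines):
    """Per destination host:port -> packets, payload bytes, distinct sources, bare-SYN share, pps."""
    acc = defaultdict(lambda: {"pkts": 0, "bytes": 0, "syn": 0, "srcs": set(), "t0": None, "t1": None})
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        s = acc[f"{p['dst']}:{p['dport']}"]
        s["pkts"] += 1
        s["bytes"] += p["len"]
        s["srcs"].add(p["src"])
        if p["flags"] == "S":          # bare SYN: no ACK, i.e. a new connection attempt
            s["syn"] += 1
        s["t0"] = p["t"] if s["t0"] is None else min(s["t0"], p["t"])
        s["t1"] = p["t"] if s["t1"] is None else max(s["t1"], p["t"])
    out = {}
    for key, s in acc.items():
        span = max(s["t1"] - s["t0"], 1e-3)   # avoid division by zero for a single packet
        out[key] = {"pkts": s["pkts"], "bytes": s["bytes"], "sources": len(s["srcs"]),
                    "syn_ratio": s["syn"] / s["pkts"], "pps": s["pkts"] / span}
    return out


def flag_syn_floods(summary, min_pkts=20, min_syn_ratio=0.9, min_sources=10):
    """Hypothetical rule: many bare SYNs, from many sources, at one host:port."""
    return sorted(k for k, v in summary.items()
                  if v["pkts"] >= min_pkts and v["syn_ratio"] >= min_syn_ratio
                  and v["sources"] >= min_sources)


def build_sample():
    """Constructed tcpdump -nn lines (not a real capture): a SYN flood against
    198.51.100.10:80 from 40 spoofed sources, plus one normal HTTPS session."""
    lines = [f"18:40:26.{i * 10000:06d} IP 203.0.113.{i + 1}.{40000 + i} > 198.51.100.10.80: "
             f"Flags [S], seq {i}, win 512, length 0" for i in range(40)]
    lines += [
        "18:40:26.100500 IP 192.0.2.5.51000 > 198.51.100.10.443: Flags [S], seq 10, win 64240, options [mss 1460], length 0",
        "18:40:26.100900 IP 198.51.100.10.443 > 192.0.2.5.51000: Flags [S.], seq 20, ack 11, win 65160, length 0",
        "18:40:26.101200 IP 192.0.2.5.51000 > 198.51.100.10.443: Flags [.], ack 21, win 502, length 0",
        "18:40:26.101800 IP 192.0.2.5.51000 > 198.51.100.10.443: Flags [P.], seq 11:528, ack 21, win 502, length 517",
        "18:40:26.120000 IP 192.0.2.5.51000 > 198.51.100.10.443: Flags [F.], seq 528, ack 900, win 502, length 0",
        "18:40:26.500000 ARP, Request who-has 198.51.100.1 tell 198.51.100.10, length 28",  # skipped: not TCP/IP
    ]
    return lines


if __name__ == "__main__":
    summary = summarize(build_sample())
    for key, v in sorted(summary.items()):
        print(f"{key:22} pkts={v['pkts']:4} bytes={v['bytes']:6} srcs={v['sources']:3} "
              f"syn={v['syn_ratio']:.2f} pps={v['pps']:.0f}")
    print("suspected SYN flood targets:", flag_syn_floods(summary))
```

On a live box this would be fed with `tcpdump -nn -i eth0 tcp | python3 script.py` (piping stdin through `summarize(sys.stdin)` instead of `build_sample()`), which is exactly the disk-free, post-processing approach alvin prefers over logging every packet: nothing is written, only counters per host:port are kept. The SYN-only share is what separates a flood from a busy-but-healthy port; the normal HTTPS session above sits at 0.25 while the flood sits at 1.0.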