Shane Alcock edited this page Jul 5, 2021 · 2 revisions

This plugin attempts to identify remote IP addresses that appear to be targets of DOS attacks, based on backscatter observed in the packet capture.

This plugin is primarily intended for use with network telescopes or other similar passive monitors that cover a decent-sized, mostly-dark address space.

Definition of an Attack

The simplest, but vaguest, definition that we use to identify a DoS attack in this plugin is the observation of multiple packets sourced from the same IP address, where the packet rate exceeds some pre-defined minimum rate at least once and the period over which packets are seen from that source IP exceeds a pre-defined minimum duration. The observed packets may be destined for any number of destination IPs within the monitored network (which is assumed to consist primarily of unused address space) -- the more destination addresses that are observed as part of the attack, the more "distributed" the attack.

A more practical, but still over-simplified, example: assume we have a "dark" IPv4 /24 (i.e. 256 addresses). If 100 of those addresses all observe a TCP SYN ACK packet from the source IP 5.6.7.8 at approximately the same time (give or take a few seconds), then we can reasonably assume that 5.6.7.8 is likely being targeted with a DoS attack. Our dark addresses have been used as spoofed source addresses in the TCP SYN packets that were sent to 5.6.7.8 by the attacker, so the replies get sent to our monitored network. The spoofing means that the victim cannot easily identify the source(s) of the attack. It also means that the networks where the attack is coming from do not have to deal with any of the response traffic from the victim, so they can continue their attack at full speed.

Packet Rate Window

We use a simple sliding-window method to calculate the approximate packet rate for an observed possible DoS attack. Packets identified as part of the attack are assigned to the nearest 10-second bin, based on the time that the packet was observed. The "current" packet rate is determined by summing the number of packets that are in the last 6 complete bins (i.e. effectively the last complete 60 second period). Once another 10 seconds have passed, the oldest bin is discarded and the bin for the newly-completed 10 second period is added, then the packet rate is recalculated by summing again.

With this method, we sacrifice some small amount of precision in exchange for an algorithm that is simple to implement and requires relatively little processing power to run.

Configuration

The choice of minimum packet rate and attack duration for identifying attacks is configurable; the defaults used by corsaro are a duration of 60 seconds with a minimum packet rate of 30 packets per minute.

The sliding-window parameters can also be tweaked, if desired.

As with all corsaro3 plugins, the configuration is expressed as a YAML map underneath the plugin name in the configuration file, e.g.:

plugins:
  - dos:
      <DoS plugin config>

The configuration options that are supported by the DoS plugin are:

min_attack_packets          The minimum number of packets that must be
                            seen from a source IP before it is considered
                            to be the target of an attack. Defaults to 25.

min_attack_duration         The minimum duration in seconds for an attack
                            to be included in the plugin output. Defaults
                            to 60.

min_attack_packet_rate      The minimum number of packets that must be
                            observed within a single window for an attack
                            to be included in the plugin output. Defaults
                            to 30.

rate_window_size            The size of the window to use when determining
                            the packet rate for an attack (in seconds). This
                            must be a multiple of the rate_window_slide option.
                            Defaults to 60.

rate_window_slide           The frequency that the window should be moved
                            forward and the packet rate re-calculated
                            (in seconds). Defaults to 10.

Output

By default, the DoS plugin writes details about each observed attack to files on disk using the Avro format. Writing occurs on each interval boundary, and all attacks that were active during the interval have their cumulative statistics written for that interval (i.e. if an attack spans 2 intervals, the packet count that is written for the second interval is the sum of the packet count for both intervals).

Attack Output

The following fields are used when describing an observed DoS attack (in the order that they appear):

bin_timestamp:                 The timestamp for the interval that this attack was observed in.
initial_packet_len:            The size of the first packet observed as part of this attack.
target_ip:                     The IP address that was the target of the DoS attack (i.e. the source address of the
                               observed packets). Encoded as a 32 bit integer.
target_protocol:               The transport protocol used for the attack (1 = ICMP, 6 = TCP, 17 = UDP).
attacker_slash16_cnt:          The number of distinct /16 subnets in our monitored network that received packets from the victim.
attack_port_cnt:               The number of unique source ports used by the attacker (i.e. the number of unique destination ports
                               seen on received packets attributed to this attack).
target_port_cnt:               The number of unique ports that were targeted on the victim (i.e. the number of unique source ports
                               seen on received packets attributed to this attack).
packet_cnt:                    The number of packets that were attributed to this attack.
icmp_mismatches:               The number of ICMP packets attributed to this attack where the source IP address in the body of
                               the ICMP packet (e.g. the original datagram reflected in a Destination Unreachable message) does
                               not match the IP address that the ICMP packet was sent to.
byte_cnt:                      The number of bytes that have been sent to our network due to this attack (based on IP length).
max_ppm_interval:              The peak packet rate observed for this attack.
start_time_sec:                The seconds portion of the Unix timestamp of the first packet attributed to this attack.
start_time_usec:               The microseconds portion of the Unix timestamp of the first packet attributed to this attack.
latest_time_sec:               The seconds portion of the Unix timestamp of the last packet attributed to this attack.
latest_time_usec:              The microseconds portion of the Unix timestamp of the last packet attributed to this attack.
first_attack_port:             The source port that was used by the first packet that was attributed to this attack.
first_target_port:             The destination port that was used by the first packet that was attributed to this attack.
maxmind_continent:             The continent where the target IP address is located, according to Maxmind geo-location data.
maxmind_country:               The country where the target IP address is located, according to Maxmind geo-location data.
initial_packet:                A binary blob containing the entire contents of the first packet attributed to this attack,
                               including link layer headers.

Attack Flows (Deprecated)

An older version of the DoS plugin also recorded the entire set of flowtuples that were observed for each attack. We have disabled this feature because the storage requirements outweighed the value of this information, but I'll leave these notes here in case anyone has reason to look over the handful of files that we did collect previously.


The attack flowtuples reported here are described using a custom 7-tuple of (interval, source IP, source port, dest IP, dest port, protocol, packet size). For each attack reported, we write the corresponding flowtuples to the dosflows output file for potential further analysis.

These are the fields that will be reported for an attack flowtuple, in the order in which they appear:

bin_timestamp:                 The timestamp for the interval that this attack was observed in.
target_ip:                     The IP address that was the target of the DoS attack (i.e. the source address of the
                               observed packets). Encoded as a 32 bit integer.
attacker_ip:                   The IP address that the attack packet appeared to come from (i.e. the destination address of the
                               observed packets). Encoded as a 32 bit integer.
attacker_port:                 The port used by the attacker as a source port on the attack traffic (i.e. the destination port
                               on the packets that we observed).
target_port:                   The port on the victim that the attack traffic was sent to (i.e. the source port on the packets
                               that we observed).
protocol:                      The transport protocol used for the attack (1 = ICMP, 6 = TCP, 17 = UDP).
packet_size:                   The size of the packets sent in response to the original attack traffic -- each different size
                               observed will result in a separate flowtuple.
total_packets:                 The number of packets that matched this flowtuple description.
start_time_sec:                The seconds portion of the Unix timestamp of the first packet attributed to this flowtuple.
start_time_usec:               The microseconds portion of the Unix timestamp of the first packet attributed to this flowtuple.