DDoS attacks have been in the limelight (and in the media) since the Wikileaks affair.
Such an attack is quite difficult to detect because, unlike most “traditional” attacks, it is based on flooding the target machine with requests from a large number of zombie machines (i.e. machines infected with a program that launches the attack).
In this post we will see how to use Nagios to send alerts when it detects a DDoS SYN Flood attack.
For that I developed a Nagios plugin (licensed under GPL v3), available at the following address:
Installing the script
It requires a properly configured Nagios server. Then run the following commands:
sudo rm -f check_ddos.pl
chmod a+rx check_ddos.pl
sudo chown nagios:nagios check_ddos.pl
./check_ddos.pl -w 50 -c 60
No DDOS attack detected (5/50)
To add a DDoS SYN Flood detection service on the local machine (i.e. to check for DDoS attacks against the server hosting Nagios itself), you must first edit the commands.cfg file (by default in /usr/local/nagios/etc/objects) to add the new DDoS SYN Flood detection command:
define command{
    command_name check_ddos   ; command name assumed here; $ARG1$/$ARG2$ carry the warning/critical thresholds
    command_line $USER1$/check_ddos.pl -w $ARG1$ -c $ARG2$
}
Then you have to edit the localhost.cfg file (also found in /usr/local/nagios/etc/objects) to add the service:
define service{
    use                 local-service   ; template assumed from the default localhost.cfg
    host_name           localhost
    service_description DDOS SYN Flood detect
    check_command       check_ddos!50!70   ; Warning: >50 SYN_RECV, Critical: >70 SYN_RECV
}
So we have just defined a service that sends a Warning alert when the server has more than 50 open connections in the SYN_RECV state (more than 70 for a Critical alert). These thresholds must of course be tailored to each server…
As a bonus, if an alert is generated, the plugin displays the top 10 IP addresses of the zombie machines (useful for blocking them with iptables firewall rules).
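To make the plugin's logic concrete, here is an added example (not the author's check_ddos.pl) that implements the same check in Python: it counts SYN_RECV connections in netstat-style output, applies the -w/-c thresholds with Nagios exit codes, and lists the top source IPs when an alert fires. The netstat sample is constructed for the example.

```python
# Added example: a minimal Nagios-style SYN flood check in the spirit of check_ddos.pl
# (not the author's code). Exit codes follow the Nagios convention: 0 OK, 1 WARNING, 2 CRITICAL.
import sys
from collections import Counter

OK, WARNING, CRITICAL = 0, 1, 2

# Constructed sample in the layout of `netstat -ant`: proto, recv-q, send-q, local, remote, state.
SAMPLE_NETSTAT = """\
tcp 0 0 10.0.0.5:80 198.51.100.7:51234 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.7:51235 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.7:51236 SYN_RECV
tcp 0 0 10.0.0.5:80 203.0.113.9:40001 SYN_RECV
tcp 0 0 10.0.0.5:22 192.0.2.44:55000 ESTABLISHED
tcp 0 0 10.0.0.5:80 203.0.113.9:40002 SYN_RECV
"""

def syn_recv_sources(netstat_output):
    """Count half-open (SYN_RECV) connections per remote IP address."""
    sources = Counter()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("tcp") and fields[5] == "SYN_RECV":
            remote_ip = fields[4].rsplit(":", 1)[0]  # drop the port; rsplit keeps IPv6 colons intact
            sources[remote_ip] += 1
    return sources

def check_syn_flood(netstat_output, warn, crit, top=10):
    """Return (exit_code, status_line): more than `warn` SYN_RECV is WARNING,
    more than `crit` is CRITICAL (the plugin's -w/-c semantics); perfdata after '|'."""
    sources = syn_recv_sources(netstat_output)
    count = sum(sources.values())
    perfdata = "syn_recv=%d;%d;%d" % (count, warn, crit)
    if count > crit:
        code, label, threshold = CRITICAL, "CRITICAL", crit
    elif count > warn:
        code, label, threshold = WARNING, "WARNING", warn
    else:
        return OK, "No DDOS attack detected (%d/%d)|%s" % (count, warn, perfdata)
    # On alert, name the busiest sources so the operator can decide what to filter.
    worst = ", ".join("%s (%d)" % (ip, n) for ip, n in sources.most_common(top))
    return code, "%s: %d SYN_RECV (>%d), top sources: %s|%s" % (label, count, threshold, worst, perfdata)

if __name__ == "__main__":
    # Same thresholds as the article's test run; prints "No DDOS attack detected (5/50)|syn_recv=5;50;60"
    exit_code, message = check_syn_flood(SAMPLE_NETSTAT, warn=50, crit=60)
    print(message)
    sys.exit(exit_code)
```

In a real deployment the sample string would be replaced by the live output of netstat or ss, and the script installed in the Nagios plugins directory like check_ddos.pl above.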
If you want to monitor DDoS SYN Flood attacks on another machine, you must use the NRPE plugin, which acts as the interface between the Nagios server and the server to be monitored.