호스팅 TIP > 시스템보안 > DDOS Monitor 관제

호스팅 TIP

보안

시스템

프로그래밍

시스템보안

월간 인기 게시물

	게시물 111건

DDOS Monitor 관제

글쓴이 : 최고관리자 날짜 : 2015-02-14 (토) 18:45 조회 : 8315

글주소 :

2년전에 공유된 자료이며… 올려놓으신분께서는 DDOS Monitor 라고 설명을 달아두었지만 그러기에는 거시기하고 동일한 아이피에서 접속자 추출하는 용도로 사용하면 딱일듯 싶습니다.

Ubuntu 환경에서 테스트되었으며 CentOS/RHEL 계열에서는 테스트 안되었습니다.

출처 https://github.com/edubart/ddosmon

아래와 같은 공격을 분류할수 있다고 명시되어있습니다.

- SYN Flood

- UDP Flood

- ICMP Flood

~~INSTALL~~

~~# wget https://github.com/edubart/ddosmon/archive/master.zip~~

~~# unzip master.zip~~

~~# cd ddosmon-master/~~

~~# mkdir build~~

~~# cd build~~

~~# yum install cmake~~

~~# cmake ..~~

~~# make~~

~~Scanning dependencies of target ddosmon~~

~~[ 7%] Building CXX object CMakeFiles/ddosmon.dir/src/configmanager.cpp.o~~

~~In file included from <command-line>:0:~~

~~/usr/local/src/ddosmon-master/src/headers.h:74:17: error: lua.h: 그런 파일이나 디렉터리가 없습니다~~

~~/usr/local/src/ddosmon-master/src/headers.h:75:21: error: lauxlib.h: 그런 파일이나 디렉터리가 없습니? ?~~

~~/usr/local/src/ddosmon-master/src/headers.h:76:20: error: lualib.h: 그런 파일이나 디렉터리가 없습니다~~

~~/usr/local/src/ddosmon-master/src/headers.h:85:21: error: ncurses.h: 그런 파일이나 디렉터리가 없습니? ?~~

~~In file included from /usr/local/src/ddosmon-master/src/configmanager.cpp:2:~~

~~/usr/local/src/ddosmon-master/src/configmanager.h:45: error: 'lua_State' has not been declared~~

~~/usr/local/src/ddosmon-master/src/configmanager.h:46: error: 'lua_State' has not been declared~~

~~/usr/local/src/ddosmon-master/src/configmanager.h:47: error: 'lua_State' has not been declared~~

~~/usr/local/src/ddosmon-master/src/configmanager.cpp: In member function 'void ConfigManager::loadFile ()':~~

~~/usr/local/src/ddosmon-master/src/configmanager.cpp:15: error: 'lua_State' was not declared in this s cope~~

~~/usr/local/src/ddosmon-master/src/configmanager.cpp:15: error: 'luaHandle' was not declared in this s cope~~

~~/usr/local/src/ddosmon-master/src/configmanager.cpp:15: error: 'lua_open' was not declared in this sc ope~~

~~/usr/local/src/ddosmon-master/src/configmanager.cpp:21: error: 'luaL_dofile' was not declared in this scope~~

~~/usr/local/src/ddosmon-master/src/configmanager.cpp:22: error: 'lua_close' was not declared in this s cope~~

~~/usr/local/src/ddosmon-master/src/configmanager.cpp:45: error: 'lua_close' was not declared in this s cope~~

~~/usr/local/src/ddosmon-master/src/configmanager.cpp: At global scope:~~

~~/usr/local/src/ddosmon-master/src/configmanager.cpp:91: error: 'std::string ConfigManager::getGlobalS tring' is not a static member of 'class ConfigManager'~~

~~/usr/local/src/ddosmon-master/src/configmanager.cpp:91: error: 'lua_State' was not declared in this s cope~~

~~/usr/local/src/ddosmon-master/src/configmanager.cpp:91: error: '_luaHandle' was not declared in this scope~~

~~/usr/local/src/ddosmon-master/src/configmanager.cpp:91: error: expected primary-expression before 'co nst'~~

~~/usr/local/src/ddosmon-master/src/configmanager.cpp:92: error: expected ',' or ';' before '{' token~~

~~make[2]: *** [CMakeFiles/ddosmon.dir/src/configmanager.cpp.o] 오류 1~~

~~make[1]: *** [CMakeFiles/ddosmon.dir/all] 오류 2~~

~~make: *** [all] 오류 2~~

~~==>>~~

Ubuntu 14.04

# git clone https://github.com/edubart/ddosmon.git ddosmon

# cd ddosmon

# mkdir build

# apt-get install cmake libboost-all-dev

~~# apt-get install liblua5.2 libncurses5-dev~~

# apt-get install liblua5.1-0-dev libncurses5-dev

# cmake ..

# make

# mkdir ../logs

# cd ..

# ./build/ddosmon configs/example.lua

설정파일을 시스템에 맞게...수정

# cat configs/example.lua

interface = "eth0"

global_traffic_threshold = 900000

global_packets_threshold = 30

ip_traffic_threshold = 500000

ip_packets_threshold = 125000

notification_traffic_threshold = 20000

notification_packets_threshold = 30

ipblock_retry_ticks = 5*3600*1000

notification_command = "./scripts/notificate \"%1%\" \"%2%\" &"

onblockip_command = "./scripts/ipblock block %1% &"

onunblockip_command = "./scripts/ipblock unblock %1% &"

network_uncompromise_ticks = 30

onnetwork_compromise_command = "./scripts/networkcompromise compromised &"

onnetwork_uncompromise_command = "./scripts/networkcompromise uncompromised &"

log="logs/example.log"

watchedips="configs/example_watchedips.xml"

notificationsubject="DDOS Monitor on server1 notification"

Building

git clone git@github.com:edubart/ddosmon ddosmon
cd ddosmon
mkdir build && cd build
cmake ..
make

Running

# optional, I usually run this inside a screen session
screen 

sudo ./build/ddosmon configs/example.lua

NOTE: Root is needed for sniffing the network adapter packets.

scripts

script called when a known DDOS attack starts or stops: ./scripts/networkcompromise <compromised/uncomprimised>

script called to notificate admins (usually via email): ./scripts/notificate <subject> <message>

script called when one of your servers ip address might be unreachable and you may want to block/unblock it from your main server: ./scripts/ipblock <block/unblock> <ip>

Configurations

You can find and edit these configuration for you needs inside configs/home.lua

interface = "eth0"
global_traffic_threshold = 900000
global_packets_threshold = 225000
ip_traffic_threshold = 500000
ip_packets_threshold = 125000
notification_traffic_threshold = 20000
notification_packets_threshold = 20000
ipblock_retry_ticks = 536001000
notification_command = "./scripts/notificate \"%1%\" \"%2%\" &"
onblockip_command = "./scripts/ipblock block %1% &"
onunblockip_command = "./scripts/ipblock unblock %1% &"
network_uncompromise_ticks = 30
onnetwork_compromise_command = "./scripts/networkcompromise compromised &"
onnetwork_uncompromise_command = "./scripts/networkcompromise uncompromised &"
log="logs/home.log"
watchedips="configs/example_watchedips.xml"
notificationsubject="DDOS Monitor on server1 notification"

Watched IPs

NOTE: Don't foger to configure the ips you want to monitor in the example_watchedips.xml file.

This program was intended to monitor multiple ip addresses, so you can configure as many you like.

여행스케치

웹소식

자유게시판

인기검색어

	and
	for
	ceph
	mon
	volume	2
	sq	1
	zero	2
	http	2
	all	1
	--