# Using (Abusing?) AWK For Rudimentary DoS Detection

Published 2013-04-11 (last modified 2021-05-11). Category: networking-tools. Tags: awk, ddos, sflow.
Source: https://adamkuj.net/blog/2013/04/11/using-abusing-awk-for-rudimentary-dos-detection/

InMon's [sflowtool](http://www.inmon.com/technology/sflowTools.php) comes with a sample script, [ipTopTalkers](http://www.inmon.com/bin/sflowutils.tar.gz), that uses awk to produce a list of top talkers from sFlow sampled packets. All I've done here is build on their ipTopTalkers sample code to find which addresses are receiving >10,000 pps or >80 Mb/s, and send that information to a log file and a reporting script (not shown).

Converting the binary sFlow feed to text, then piping it through awk to do basic math and sorting, is not exactly the most elegant solution. But hey, it works!

DoSTargets:

```awk
#!/usr/bin/mawk-cur -f

# ALK 2013-01-10
#
# for performance reasons, mawk is preferred to gawk
# newer versions of mawk include things like strftime that traditionally had been
# gawk-only features. code and builds of mawk-cur (cutting edge) can be found at:
#    http://invisible-island.net/mawk/
# (the features of mawk-cur aren't available in official debian packages of mawk)
#
# based on ipTopTalkers from InMon:
#
# Copyright (c) 2001 InMon Corp. Licensed under the terms of the InMon sFlow licence:
# http://www.inmon.com/technology/sflowlicense.txt

# usage: sflowtool | DoSTargets

BEGIN {
    lastInt = 0;
    # every alert line is appended to the log and piped to the reporting script
    report = "tee -a /var/log/ddos-report.log | dos-report.sh";
    interval = 60;           # 1 minute window
    BPSthreshold = 83886080; # alert threshold in bits per second, i.e. 80 Mb/s
    PPSthreshold = 10000;    # alert threshold in packets per second, i.e. 10 kpps
}

# sflowtool prints one "unixSecondsUTC <ts>" line per sFlow datagram; use it as the clock
/unixSecondsUTC/ {
    currentInt = $2 - ($2 % interval);
    if (currentInt != lastInt) {
        # a new window has started: report the previous window's biggest receivers
        for (i = 1; i <= 1000; i++) { # consider up to 1000 simultaneous targets
            # pick the destination with the most (estimated) bits in the window
            BPSmaxCount = 0;
            BPSmaxKey = "";
            for (BPSkey in BPScount) {
                if (BPScount[BPSkey] > BPSmaxCount) {
                    BPSmaxCount = BPScount[BPSkey];
                    BPSmaxKey = BPSkey;
                }
            }
            # totals are per window, so compare against threshold * interval
            if (BPSmaxCount > (BPSthreshold * interval))
                printf("%d %s %d %s", strftime("%s", lastInt), BPSmaxKey, sprintf("%d", (BPSmaxCount / 1024 / 1024 / interval)), "mbps\n") | report;
            delete BPScount[BPSmaxKey];

            # same again for the destination with the most (estimated) packets
            PPSmaxCount = 0;
            PPSmaxKey = "";
            for (PPSkey in PPScount) {
                if (PPScount[PPSkey] > PPSmaxCount) {
                    PPSmaxCount = PPScount[PPSkey];
                    PPSmaxKey = PPSkey;
                }
            }
            if (PPSmaxCount > (PPSthreshold * interval))
                printf("%d %s %d %s", strftime("%s", lastInt), PPSmaxKey, sprintf("%d", (PPSmaxCount / interval)), "pps\n") | report;
            delete PPScount[PPSmaxKey];
        }
        fflush();      # write out stdout buffer (fflush(stdout) used an unset variable; no-arg form is POSIX awk)
        close(report); # closing the pipe runs the reporting script, which sends the alert email
        lastInt = currentInt;
        delete BPScount;
        delete PPScount;
    }
}

# sflowtool emits the sampling rate and the sampled packet size before each sample's dstIP
/meanSkipCount/    { samplingInterval = $2; }
/sampledPacketSize/ { sampledPacketSize = $2; }

# scale each sample up by the sampling rate to estimate real bits and packets per destination
/dstIP/ {
    BPScount[$2] = BPScount[$2] + (samplingInterval * sampledPacketSize * 8);
    PPScount[$2] = PPScount[$2] + samplingInterval;
}

END {}
```