DDoS 탐지 도구 만들기
DDoS detection tool
Overview
monitor network traffic (as you did for your assignment 1)
measure network statistics of each flow
what is the flow?
5 tuples - SRC IP, SRC PORT, DST IP, DST PORT, Protocol pair
e.g., 143.248.111.14:12345 -> 192.168.11.11:80 (TCP)
Requirement
show statistical information of each flow
you SHOULD NOT miss any flow
statistical information
BPS: bytes per second (1 minute accumulation)
PPS: packets per second (1 minute accumulation)
if TCP, # of successful TCP sessions, # of failed TCP sessions
e.g., (3-minutes trace)
10.0.0.1:12345 -> 11.11.11.2:80
BPS: 12345-80992-21112, PPS: 50-80-55,
# of successful TCP: 12, # of failed TCP: 5
Detection
3 cases
PPS
BPS
# of failed TCP / # of successful TCP
==================================================================================
1. OVERVIEW
We will evaluate your assignment as below,
1) Test if your program is capable of accepting PPS, BPS and TCP connection ratio as inputs.
2) Check if your DDoS detector captures all of flow arrived at an Ethernet interface.
3) Check if your DDoS detector highlights the flows that exceed pre-defined constraints (PPS, BPS, and TCP connection ratio.)
2. Input Interface
Your DDoS detector MUST provide the input interface described in below.
./p2 [-pps byte_per_second] [-bps packets_per_second] [-tcp #_of_failed_TCP_/_#_of_sucessful_TCP]
For example,
./p2 -pps 100 ./p2 ./p2 -bps 400 ./p2 -tcp 0.7 -bps 20
3. Requirement
1) Provide input interface to set detection rules, such as PPS, BPS, and TCP connection ratio.
2) Display all of flow
Output window could be refreshed every 1 second.
Each flow information has previous logs (1 min) and a real time statistics information (This value MUST be changed depending on current network status every 1 second). You can simply imagine sliding window concept.
e.g.,) The running time of you DDos detector : 86s. Then your output window MUST include previous log (1s - 60s) and real time statistics information ( 26s-86s)
3) Display flow information including PPS, BPS, and TCP connection. (See more details at section 4)
4) TCP
You MUST distinguish TCP success and TCP failure.
Except perfect 3-way handshaking between end hosts, other TCP trials are considered as FAILURE.
4. Output format
Refresh output window every 1 second.
-----------------------------DDoS detector--------------------------------------
[Source_IP : Source_Port] -> [Destination_IP : Destination_Port]
History
[From_Time : To_Time] : [BPS : byte_per_second], [PPS : packets_per_second], [TCP_S : #_of_successful_TCP]. [TCP_F : #_of failed_TCP], [TCP_R : #_of_failed_TCP/#_of_successful_TCP ] [Alert : Reason]
Real time
[BPS : byte_per_second], [PPS : packets_per_second], [TCP_S : #_of_successful_TCP]. [TCP_F : #_of failed_TCP], [TCP_R : #_of_failed_TCP/#_of_successful_TCP]
------------------------------------------------------------------------------
Example
-----------------------------DDoS detector--------------------------------------
./p2 -bps 4000 -tcp 10
[10.0.0.2:4432] -> [10.0.0.10:80]
History
[01s : 60s] : [BPS : 5332], [PPS : 30], [TCP_S : 2]. [TCP_F : 10], [TCP_R : 5] [Alert : BPS]
[61s : 120s] : [BPS : 5332], [PPS : 30], [TCP_S : 2]. [TCP_F : 30], [TCP_R : 15] [Alert : BPS, TCP]
Real Time
[BPS : 5332], [PPS : 30], [TCP_S : 2]. [TCP_F : 30], [TCP_R : 15] [Alert : BPS, TCP]
[10.0.0.4:4611] -> [10.0.0.10:80]
History
[01s : 60s] : [BPS : 5543], [PPS : 30], [TCP_S : 2]. [TCP_F : 10], [TCP_R : 5]
[61s : 120s] : [BPS : 522], [PPS : 10], [TCP_S : 2]. [TCP_F : 1], [TCP_R : 0.5]
Real Time
[BPS : 53325], [PPS : 20], [TCP_S : 2]. [TCP_F : 10], [TCP_R : 5] [Alert : BPS]
------------------------------------------------------------------------------
5. Document
documentation must be included as below,
how to install your program
how to run your program
Simple description of your program
and some more (any note, comment, …) ??
#_of_failed_TCP
============================================================================
1. How to install your program
파일을 압축해제하고 아래 2.(2)와 같이 실행.
2. How to run your program
(1) 압축에 포함된 파일은 아래와 같음
➀ p2/src/handtest.java: 프로그램 소스코드
➁ p2/bin/p2.jar: 프로그램 실행을 위한 jar 파일
➂ p2/lib: 프로그램 실행에 필요한 jnetpcap 라이브러리(libjnetpcap.so)
(2) 프로그램 실행 방법
Terminal 창에서 root 권한(sudo)으로 p2/bin/내에 있는 p2.jar를 실행
➀ p2/bin/ 경로로 이동한 뒤 -> sudo java –Djava.library.path=(p2/lib폴더의 경로) –jar p2.jar
➁ example : sudo java –Djava.library.path=/home/p2/lib –jar p2.jar
(3) 프로그램 테스트 방법
➀ Capture Start를 누르고 NIC 선택 & PPS BPS TCP 제한사항을 입력한다.
➁ print start버튼을 누르고 카운트가 시작되면 테스트 한다.
3. Description of the program
프로그램은 다음과 같이 총 3가지 영역으로 나뉘어져 있음.
[그림 1] 프로그램 실행 후 첫 화면
(1) capture start 영역:
NIC를 선택하고 pps, bps, tcp Input 인터페이스를 입력한다.
[그림 2] NIC 선택과 pps bps tcp 입력
(2) print start영역:
➀ 1초 단위로 flow별 정보를 출력한다.
[그림 3] flow 정보 출력
➁ 1분이 지나면 0초~60초까지의 history와 Realtime 정보가 출력됨.
[그림 4] history와 realtime 출력
➂ sliding window 법칙에 따라 기간이 지나가면 출력이 되지 않음.
(3) stop 영역:
스캔과 출력을 멈추고 NIC를 선택하는 곳으로 돌아감. (프로그램 종료는 x버튼을 클릭)
[그림 5] stop이 선택 되었을 경우