How to detect a DDOS attack ?
Hello guys have you ever done a ddos attack before, well this your lucky article and this is going to show you how to do just that so get ready to hack. This is a very serious attack and difficult to detect, where it is nearly impossible to guess whether the traffic is coming from a fake host or a real host. If in a DoS attack, traffic is coming from only one source then we can block that particular host. Based on certain assumptions, we can make rules to detect DDoS attacks. If the web server is running only traffic containing port 80, it should be allowed. Now, let’s go through a very simple code to detect a DDoS attack.
The program’s name is DDOS_detect1.py:
import socket
import struct
from datetime import datetime
s = socket.socket(socket.PF_PACKET, socket.SOCK_RAW, 8)
dict = {}
file_txt = open(“dos.txt”,’a’)
file_txt.writelines(“**********”)
t1= str(datetime.now())
file_txt.writelines(t1)
file_txt.writelines(“**********”)
file_txt.writelines(“\n”)
print “Detection Start …….”
D_val =10
D_val1 = D_val+10
while True:
pkt = s.recvfrom(2048)
ipheader = pkt[0][14:34]
ip_hdr = struct.unpack(“!8sB3s4s4s”,ipheader)
IP = socket.inet_ntoa(ip_hdr[3])
print “Source IP”, IP
if dict.has_key(IP):
dict[IP]=dict[IP]+1
print dict[IP]
if(dict[IP]>D_val) and (dict[IP]<D_val1) :
line = “DDOS Detected “
file_txt.writelines(line)
file_txt.writelines(IP)
file_txt.writelines(“\n”)
else:
dict[IP]=1
If you want to learn more about DDOS attacks and preventive measures then below tutorials are must read:
In the previous code, we used a sniffer to get the packet’s source IP address. The file_txt = open(“dos.txt”,’a’) statement opens a file in append mode, and this dos. txt file is used as a logfile to detect the DDoS attack. Whenever the program runs, the file_txt.writelines(t1) statement writes the current time. The D_val =10 variable is an assumption just for the demonstration of the program. The assumption is made by viewing the statistics of hits from a particular IP. Consider a case of a tutorial website. The hits from the college and school’s IP would be more. If a huge number of requests come in from a new IP, then it might be a case of DoS. If the count of the incoming packets from one IP exceeds the D_val variable, then the IP is considered to be responsible for a DDoS attack. The D_val1 variable will be used later in the code to avoid redundancy. I hope you are familiar with the code before the if dict.has_key(IP): statement. This statement will check whether the key (IP address) exists in the dictionary or not. If the key exists in dict, then the dict[IP]=dict[IP]+1 statement increases the dict[IP] value by 1, which means that dict[IP] contains a count of packets that come from a particular IP.
The if(dict[IP]>D_val) and (dict[IP]<D_val1) : statements are the criteria to detect and write results in the dos.txt file; if(dict[IP]>D_val) detects whether the incoming packet’s count exceeds the D_val value or not. If it exceeds it, the subsequent statements will write the IP in dos.txt after getting new packets. To avoid redundancy, the (dict[IP]<D_val1) statement has been used. The upcoming statements will write the results in the dos.txt file. Run the program on a server and run mimp.py on the attacker’s machine.so there you have it guys and trust me by looking at this it is very simple to implement.
