  1. #1
    Just Joined!
    Join Date
    Jul 2009
    Posts
    7

    System/script to detect outgoing DOS flood?


    Hi, I run a CentOS server that quite a few people have access to. I trust every user on the system, but I've had problems before, like one user's account gets hacked and someone starts using my box to DDOS. Each user has their own IP. And I would like to write a script or use an existing solution (if one exists) to monitor the number of TCP/UDP connections each minute and see if it's unusually high. I don't want it to stop the flooding or anything, I just want to be notified by email or something. Does anyone know of anything?

  2. #2
    Kloschüssel, Linux Engineer
    Join Date
    Oct 2005
    Location
    Italy
    Posts
    773
    This kind of thing is hard to find out. There are several kinds of DOS attacks and each is different. I know of no software/tool that could detect that easily because there (probably) is no deterministic way to determine if the computer is being used for a (d)dos attack. All detection modes that I can think of would produce a high level of false alarms. To list some:

    - monitor used outgoing bandwidth
    - monitor actual packet count
    - monitor packet rate for specific protocols that often are used for DOS attacks (i.e. http, https, icmp, dns, ..)
    - monitor logged in users, their connected timespan and the source ip for their login

    With these you can determine what is normal and identify some threshold later that identifies an alarm or detects if a user on your system was hijacked. But I really don't think that this system would really work. If this system raises a false alarm each day it is just as useful as no alarm, because you would probably not investigate a real alarm. Who really wants to investigate every day whether a false alarm was a real alarm?

    I would regard the hijack-prevention as a more realistic approach to this problem. Good countermeasures are:

    - force all your users to use a very safe password that is hard to brute-force
    - force all your users to use SSH keys over passwords [and when one user logs in with a password, raise an alarm because you know it is none of your trusted users]
    - use fail2ban to prevent brute-force attacks from being successful; in combination with a good password I consider a system safe (unless there is some bogus/bug that can work around the login)
    Last edited by Kloschüssel; 10-18-2010 at 09:09 AM.
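The per-minute socket count the question asks for, written as an added example (this is not code from the thread or from either poster): a POSIX shell script that counts open TCP/UDP sockets per local IP with `ss` from iproute2, and mails an alert when any IP exceeds a threshold. Since the question says each user has a dedicated IP, the local IP stands in for the user. The threshold, the recipient address and the `mail` command are assumptions; the `ss` sample embedded below is constructed so the counting logic can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the thread. Count outgoing sockets per local IP and
# alert by e-mail when one IP exceeds THRESHOLD. Assumes `ss` (iproute2) and a
# working `mail` command; THRESHOLD and ALERT_EMAIL are placeholders.
THRESHOLD="${THRESHOLD:-500}"                        # sockets per local IP that count as unusual
ALERT_EMAIL="${ALERT_EMAIL:-admin@example.invalid}"  # placeholder recipient

# Constructed sample in the column layout of `ss -tun` with the header stripped,
# so the functions below can be tested without a live system.
SAMPLE_SS='tcp   ESTAB    0 0 192.0.2.10:44123 198.51.100.5:80
tcp   ESTAB    0 0 192.0.2.10:44124 198.51.100.5:80
tcp   SYN-SENT 0 0 192.0.2.11:50001 203.0.113.9:443
udp   ESTAB    0 0 192.0.2.11:53012 203.0.113.20:53
tcp   ESTAB    0 0 192.0.2.11:50002 203.0.113.9:443'

# conns_per_local_ip: read ss lines on stdin, print "<local-ip> <socket-count>" per IP.
# Column 5 is Local Address:Port; only the trailing :port is stripped, so an IPv6
# address such as [::1]:22 is kept intact.
conns_per_local_ip() {
    awk '{ a = $5; sub(/:[^:]*$/, "", a); n[a]++ } END { for (k in n) print k, n[k] }' | sort
}

# over_threshold THRESHOLD: keep only "<ip> <count>" lines whose count exceeds THRESHOLD.
over_threshold() {
    awk -v t="$1" '($2 + 0) > (t + 0) { print }'
}

# live_snapshot: current TCP and UDP sockets, numeric, header removed.
live_snapshot() {
    ss -tun | tail -n +2
}

# check_once: one sampling run; returns 0 when nothing exceeded the threshold,
# otherwise mails the offending IPs and returns 1.
check_once() {
    hits=$(live_snapshot | conns_per_local_ip | over_threshold "$THRESHOLD")
    [ -z "$hits" ] && return 0
    printf 'Socket count over %s on %s:\n%s\n' "$THRESHOLD" "$(hostname)" "$hits" \
        | mail -s "outgoing socket flood?" "$ALERT_EMAIL"
    return 1
}

# Run from cron once a minute:  * * * * * /usr/local/bin/conn-watch.sh check
if [ "${1:-}" = "check" ]; then
    check_once
fi
```

Pick the threshold from a few days of normal samples (e.g. log the `conns_per_local_ip` output to a file before enabling the mail), because, as the answer notes, a threshold that fires daily on legitimate traffic is worse than no alarm. Counting sockets also misses spoofed-source raw-socket floods, which never appear in `ss`; for those, the bandwidth and packet-rate counters from the list above are the better signal.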

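The hijack-prevention side of the answer, the "keys only, and raise an alarm on any password login" rule, as an added example that is not part of the thread: a shell script that checks whether `sshd_config` actually disables password authentication and reports every successful password login found in the sshd log, which CentOS writes to `/var/log/secure`. The config and log excerpts embedded below are constructed; the file paths are the usual CentOS ones and are an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Verify sshd_config disables password
# logins and list any "Accepted password" logins from the sshd log.
# Paths assume CentOS (/etc/ssh/sshd_config, /var/log/secure).

# Constructed sshd log excerpt in the syslog format found in /var/log/secure.
SAMPLE_SECURE='Oct 18 08:55:01 host sshd[2231]: Accepted publickey for alice from 192.0.2.50 port 51022 ssh2
Oct 18 08:57:13 host sshd[2290]: Accepted password for bob from 203.0.113.77 port 40211 ssh2
Oct 18 08:58:40 host sshd[2301]: Failed password for root from 203.0.113.77 port 40300 ssh2
Oct 18 09:01:05 host sshd[2350]: Accepted password for carol from 198.51.100.8 port 33001 ssh2'

# sshd_password_auth_disabled: read an sshd_config on stdin; succeed only if an
# active (uncommented) "PasswordAuthentication no" line is present.
sshd_password_auth_disabled() {
    grep -Eiq '^[[:space:]]*PasswordAuthentication[[:space:]]+no([[:space:]]|$)'
}

# password_logins: read sshd log lines on stdin and print "<user> <source-ip>"
# for every successful password login. With keys enforced for all trusted
# users, any line printed here is the alarm the answer describes.
password_logins() {
    awk '/sshd\[[0-9]+\]: Accepted password for/ { print $9, $11 }'
}

# audit: run both checks against the live system.
audit() {
    if sshd_password_auth_disabled < /etc/ssh/sshd_config; then
        echo "sshd_config: password authentication disabled"
    else
        echo "sshd_config: password authentication still ENABLED"
    fi
    password_logins < /var/log/secure
}

# Usage:  ./ssh-audit.sh audit   (run daily from cron, or after every config change)
if [ "${1:-}" = "audit" ]; then
    audit
fi
```

Two caveats on the config check: a later `Match` block can re-enable passwords for some users or addresses, and `ChallengeResponseAuthentication yes` lets PAM accept a password through keyboard-interactive authentication even with `PasswordAuthentication no`, so review those settings as well. The log check is the stronger control, since it reports what sshd actually accepted.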