DDoS DISSECTOR - Overview

DDos_Dissector is responsible for summarizing DDoS attack traffic from stored traffic (pcap/flows). The key point is to build a heuristic/algorithm that can find similarities in the analyzed network traffic.

In order to improve software efficiency, we are working on software components that can parse specific DDoS attacks, such as amplification and TCP Syn flood attacks.

How to start?

1. Install the dissector

git clone https://github.com/ddos-clearing-house/ddos_dissector
pip install -r requirements.txt

2. Provide a pcap to be analized

We do provide some pcap samples. Check the directory pcap_samples. Note, you can provide any type of cap and the size of pcap will influence the processing time. We encourage the use of a medium-size file (25Mbytes to 50Mbytes). You can find other pcap samples online, such as in the this repository.

3. Run the software

./ddos_dissector.py -f pcap_samples/sample1.pcap --summary

4. Check the generated fingerprint (json file).

<snip>
  "ip_proto": [
    17
  ],
  "highest_protocol": [
    "DNS"
  ],
  "dns_qry_name": [
    "anonsc.com"
  ],
  "eth_type": [
    "0x00000800"
  ],
  "frame_len": [
    397
  ],
  "srcport": [
    53
  ],
  "fragmentation": [
    true
  ],
  "amplifiers": [
    "109.93.47.83",
  ],
  "start_time": "2020-08-08 21:36:23"
}
</snip>

Usage

 _____  _____        _____ _____  ____
|  __ \|  __ \      / ____|  __ \|  _ \
| |  | | |  | | ___| (___ | |  | | |_) |
| |  | | |  | |/ _ \\___ \| |  | |  _ <
| |__| | |__| | (_) |___) | |__| | |_) |
|_____/|_____/ \___/_____/|_____/|____/

Upload using configuration file [ddosdb.conf]
usage: ddos_dissector.py [options]

optional arguments:
  -h, --help            show this help message and exit
  --version             print version and exit
  -v, --verbose         print info msg
  -d, --debug           print debug info
  -q, --quiet           ignore animation
  --status              check available repositories
  -s, --summary         present fingerprint evaluation summary
  -u, --upload          upload to the selected repository
  --log [LOG]           Log filename. Default =./log.txt"
  --config [CONFIG]     Configuration File. Default =./ddosdb.conf"
  --host [HOST]         Upload host.
  --user [USER]         repository user.
  --passwd [PASSWD]     repository password.
  -g, --graph           build dot file (graphviz). It can be used to plot a visual representation
                         of the attack using the tool graphviz. When this option is set, youn will
                         received information how to convert the generate file (.dot) to image (.png).
  -f [FILENAME], --filename [FILENAME]

Example: ./ddos_dissector.py -f ./pcap_samples/sample1.pcap --summary --upload

Input file not provided. Use '-f' for that.

Examples

./ddos_dissector.py -f pcap_samples/sample1.pcap --summary [process file and show evaluation function]
./ddos_dissector.py -f pcap_samples/sample1.pcap --verbose [provide details about the pcap processing]
./ddos_dissector.py -f pcap_samples/sample1.pcap -g        [generate a .dot file used to represent a graphical visualization]

• Green: benign traffic
• Red: malicious traffic