ddos_detector.py to monitor DDOS attacks #2140
Conversation
jugurthab
requested review from
4ast,
brendangregg,
drzaeus77,
goldshtn and
yonghong-song
as code owners
|
[buildbot, test this please] |
examples/tracing/ddos_detector.py
Outdated
| // use perf buffer (avoid using /sys/kernel/debug/tracing/trace_pipe) | ||
| BPF_PERF_OUTPUT(events); | ||
|
|
||
| int detect_ddos(struct pt_regs *ctx, struct sk_buff *skb, struct net_device *dev, struct packet_type *pt, struct net_device *orig_dev){ |
There was a problem hiding this comment.
For unused parameters like "pt", you can just do "void *pt" to avoid compilation warning.
|
also could you change ddos_detector.py to be an executable? |
|
I have made the changes, thank's a lot for your help. |
examples/tracing/ddos_detector.py
Outdated
| @@ -0,0 +1,87 @@ | |||
| #!/usr/bin/env python | |||
| # | |||
| # ddos_detector.py DDOS dectection system. | |||
There was a problem hiding this comment.
pls chmod +x ddos_detector.py.
There was a problem hiding this comment.
I have changed permissions and uploaded the file using "upload file option" but seems like this does not keep the permissions.
There was a problem hiding this comment.
Okay, we can have a followup patch for this as there are a couple of scripts which need change as well.
examples/tracing/ddos_detector.py
Outdated
|
|
||
| /* If We receive more than 100 succesive packets with a difference of */ | ||
| /* timestamp between each one of them is less than 1000000ns */ | ||
| /* Trigger ALERT */ |
There was a problem hiding this comment.
Could you give more explanation when this could be a real case or a false positive? I am assuming detecting a real ddos is more complex than this.
examples/tracing/ddos_detector.py
Outdated
| struct detectionTimestamp detectionTs = {}; | ||
| // Counts number of received packets | ||
| u64 rcv_packets_nb = 0, rcv_packets_nb_inter=1, *rcv_packets_nb_ptr; | ||
| // Measures elapsed time between 2 successive received packets |
There was a problem hiding this comment.
could you give more description of algorithms here?
There was a problem hiding this comment.
Comments were added!
| 3 - ddos_detector.py triggers alerts and reports a DDOS attack: | ||
| DDOS detector started ... Hit Ctrl-C to end! | ||
| TIME(s) MESSAGE | ||
| 6714099756390 Attack detected |
There was a problem hiding this comment.
I think if you can somehow convert this TIME to a human understandable time, it would be great!
examples/tracing/ddos_detector.py
Outdated
| u64 ts; | ||
| }; | ||
|
|
||
| // use perf buffer (avoid using /sys/kernel/debug/tracing/trace_pipe) |
There was a problem hiding this comment.
this comment is not needed.
|
Thank's a lot for your review |
examples/tracing/ddos_detector.py
Outdated
| @@ -0,0 +1,97 @@ | |||
| #!/usr/bin/env python | |||
There was a problem hiding this comment.
could you change this to #!/usr/bin/python? Sorry if this is what I suggested. We just formalized that all python script shebang should be #!/usr/bin/python instead of #!/usr/bin/env python.
examples/tracing/ddos_detector.py
Outdated
| @@ -0,0 +1,87 @@ | |||
| #!/usr/bin/env python | |||
| # | |||
| # ddos_detector.py DDOS dectection system. | |||
There was a problem hiding this comment.
Okay, we can have a followup patch for this as there are a couple of scripts which need change as well.
examples/tracing/ddos_detector.py
Outdated
|
|
||
| BPF_HASH(rcv_packets); | ||
|
|
||
| // define C structure |
There was a problem hiding this comment.
This comment is not needed.
There was a problem hiding this comment.
thank's, I have removed the comment!
examples/tracing/ddos_detector.py
Outdated
| import datetime | ||
| prog = """ | ||
| #include <linux/skbuff.h> | ||
| #include <uapi/linux/ip.h> |
There was a problem hiding this comment.
add an empty line here for readability?
examples/tracing/ddos_detector.py
Outdated
| BPF_PERF_OUTPUT(events); | ||
|
|
||
| int detect_ddos(struct pt_regs *ctx, void *skb){ | ||
| struct detectionPackets detectionPacket = {}; |
There was a problem hiding this comment.
An empty line here?
There was a problem hiding this comment.
Empty line added!
examples/tracing/ddos_detector.py
Outdated
| /* (which is not like regular applications behaviour). */ | ||
| /* This script looks for this difference in time and if it sees */ | ||
| /* more than 1000 succesive packets with a difference */ | ||
| /* of timestamp between each one of them less than 1000000ns, */ |
There was a problem hiding this comment.
Please the above 1000 and 1000000 with macro names?
examples/tracing/ddos_detector.py
Outdated
| rcv_packets_ts_inter = bpf_ktime_get_ns(); | ||
| rcv_packets.update(&rcv_packets_nb, &rcv_packets_nb_inter); | ||
| rcv_packets.update(&rcv_packets_ts_index, &rcv_packets_ts_inter); | ||
| return 0; // always return 0 |
There was a problem hiding this comment.
Comment // always return 0 is not needed.
examples/tracing/ddos_detector.py
Outdated
|
|
||
| def trigger_alert_event(cpu, data, size): | ||
| event = ct.cast(data, ct.POINTER(DetectionTimestamp)).contents | ||
| print("%-26s %s %ld" % (datetime.datetime.now(), \ |
There was a problem hiding this comment.
Most other python scripts in bcc does not use /?
There was a problem hiding this comment.
I have just noticed that, thank you. "" removed!
There was a problem hiding this comment.
I mean backslash removed!
| @@ -0,0 +1,44 @@ | |||
| Demonstrations of ddos_detector.py, the Linux eBPF/bcc version. | |||
|
|
|||
| This tracks ip_rcv function (using kprobe) and elapsed time between received packets to detect potential DDOS attacks. | |||
There was a problem hiding this comment.
Break this into two lines?
| TIME(s) MESSAGE | ||
|
|
||
|
|
||
|
|
There was a problem hiding this comment.
One extra line is enough. The same for below.
There was a problem hiding this comment.
Extra lines removed!
|
Minor comment: if one day someone ever considers moving this from examples/tracing to /tools, then I'd ask to shorten the name to fit with the other /tools. Could call it dddos: short for detect ddos. |
|
Thank's for your code review. I have made the changes as you have recommended. |
|
[buildbot, test this please] |
|
Looks good. Thanks! |
* master: (609 commits) docs: references_guide.md: add/fix search examples/tools links (iovisor#2186) Fix misc file permissions (iovisor#2185) sync with latest bpf (iovisor#2184) sync with latest libbpf repo (iovisor#2183) docs: fix broken link of bpf_log2l(iovisor#2176) examples/tracing: some minor fixes Fix tools/syscount -l (iovisor#2180) examples/tracing/bitehist.py: add example of linear histogram (iovisor#2177) cachestat: bring back HITRATIO column Fix debuginfo search on Ubuntu Add installation instructions for Amazon Linux 1 AMI Sign-Off-By Travis Davies <trdavies@amazon.com> [iovisor/bcc] trace: Incorrect symbol offsets when using build_id (iovisor#2161) (iovisor#2162) profile: exclude CPU idle stacks by default (iovisor#2166) fix cpuunclaimed.py with cfs_rq structure change (iovisor#2164) tools: rename "deadlock_detector" to "deadlock" (iovisor#2152) (iovisor#2160) use libbpf api in bpf_attach_xdp (iovisor#2158) support symbol resolution of short-lived process. (iovisor#2144) profile.py: return kernel annotations for folded stacks use libbpf APIs from libbpf.c (iovisor#2156) ddos_detector.py to monitor DDOS attacks (iovisor#2140) ...
ddos_detector.py to monitor DDOS attacks
ddos_detector.py to monitor DDOS attacks
Written as a basic networking example of using ePBF to detect a potential DDOS attack against a system