So I've figured out one solution using iptables:
# create new chain for every local ip we wanna monitor
iptables -N ip10
# forward traffic from monitored IP to its chain "ip10"
iptables -A FORWARD -i myLan -s 192.168.2.10 -o myWan -j ip10
# traffic from other IPs we trust we just accept
iptables -A FORWARD -i myLan -o myWan -j ACCEPT
# here we have an even better thing than I asked for
# we can ban the DoS attack before it gets out
# in the following line we set a maximum of 100 packets per second
iptables -A ip10 -m limit --limit 100/s --limit-burst 300 -j ACCEPT
# here we can directly log if the above limit is breached
# log will be in /var/log/messages and it will contain IP src+dst, src mac and other info
# note: the limit of 3 msg per minute is important to not have too big a log file
iptables -A ip10 -m limit --limit 3/m --limit-burst 10 -j LOG --log-prefix 'mylog:' --log-level 4
# finally, packets over the limit will be discarded
iptables -A ip10 -j DROP
The sent packets and their size from one IP can then be obtained by calling:
iptables -L ip10 -vxn
You would need to do it in some script and recount it to packets per second if interested.
Note: to monitor the server itself you would need to take a similar approach for the chain
iptables -A OUTPUT
Tested on Fedora 18. I tried to attack my other computer and packets were really stopped :)
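
The answer leaves the "recount it to packets per second" script to the reader. One way to do it is sketched below as an added example, not part of the original answer: it parses `iptables -L <chain> -vxn` output and turns two counter samples into rates. The function names (`chain_counters`, `rates`, `watch_chain`) and the sample output are constructed here, and the ACCEPT/LOG/DROP chain layout from the answer is assumed.

```shell
# Added example: turn `iptables -L <chain> -vxn` counters into per-second rates.

# Read `iptables -L <chain> -vxn` output on stdin and print
# "<accepted_pkts> <accepted_bytes> <dropped_pkts>" for that chain.
chain_counters() {
    LC_ALL=C awk '
        $1 ~ /^[0-9]+$/ && $3 == "ACCEPT" { ap += $1; ab += $2 }
        $1 ~ /^[0-9]+$/ && $3 == "DROP"   { dp += $1 }
        END { printf "%.0f %.0f %.0f\n", ap, ab, dp }
    '
}

# rates "<old counters>" "<new counters>" <seconds>
# Prints accepted packets/s, accepted bytes/s and dropped packets/s.
# A counter that went backwards (iptables -Z, rules reloaded) yields "reset".
rates() {
    echo "$1 $2 $3" | LC_ALL=C awk '{
        if ($7 <= 0) { print "bad-interval"; exit }
        if ($4 < $1 || $5 < $2 || $6 < $3) { print "reset"; exit }
        printf "%.1f %.1f %.1f\n", ($4-$1)/$7, ($5-$2)/$7, ($6-$3)/$7
    }'
}

# Poll a chain until interrupted (needs root); defined here but not called.
watch_chain() {
    chain=$1; interval=${2:-5}
    old=$(iptables -L "$chain" -vxn | chain_counters)
    while sleep "$interval"; do
        new=$(iptables -L "$chain" -vxn | chain_counters)
        echo "$(date +%T) $chain $(rates "$old" "$new" "$interval")"
        old=$new
    done
}

# Constructed sample output, taken 5 seconds apart, for trying the parser offline.
SAMPLE_T0='Chain ip10 (1 references)
    pkts      bytes target     prot opt in     out     source               destination
    1200   960000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 100/sec burst 300
       3      180 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "mylog:"
      50     3000 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0'
SAMPLE_T1='Chain ip10 (1 references)
    pkts      bytes target     prot opt in     out     source               destination
    1700  1360000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 100/sec burst 300
      13      780 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "mylog:"
    2050   123000 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0'
```

A dropped-packet rate that stays above zero while the accepted rate sits at the configured 100/s means the host is pinned at the limit, which is the condition the LOG rule records.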