Grace - XY plotting tool

I recently captured the packets of a DDoS attack against one machine. It was a pure SYN flood to destination port 80, with over 5000 packets from different source IPs in 1 second. I tried to graph these packets with Grace, a WYSIWYG 2D plotting tool for the X Window System and M*tif. Grace runs on practically any Unix-like OS, and it has also been ported to VMS, OS/2, and Win9*/NT/2000/XP.

First, I used the Argus client ra to print unidirectional RMON statistics with only the source and destination ports selected, piped the output through awk to produce data Grace can read, and then relabelled the destination-port entries with sed. Each record becomes two points, for example X=0, Y=2224 (source port), then X=1, Y=80 (destination port):

[guti@nsm /]# ra -nr syn.argus -M rmon -s sport | awk '{ print 0,$1 }' | sed -e 's/0 80/1 80/g' > syn.dat

The output of syn.dat looks like this:

[guti@nsm /]# head -n 6 syn.dat
0 2224
1 80
0 2236
1 80
0 2242
1 80

Then use Grace to plot it:

[guti@nsm /]# xmgrace6 syn.dat &

This is the graph of 23 seconds of the DDoS, from source port to destination port.
[Figure: DDOS Ports Grace Graph]

If I use afterglow to show the connections from source port to destination port, the graph looks like this.
[Figure: DDOS Ports Afterglow Graph]

This is the graph after I converted the source and destination IPs to decimal, for example from 192.168.1.123 to 3232235899.
[Figure: DDOS IP Grace Graph]

Source port to destination port graph for 1 second, approximately 5000 SYNs per second:
[Figure: DDOS Ports Grace 1 Second Graph]
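The ra | awk | sed pipeline above and the IP-to-decimal conversion used for the IP graph can be reproduced without Argus. The script below is an added example, not code from the original post: it assumes the SYN records have already been extracted as plain "epoch_second src_ip sport dst_ip dport" lines (a constructed format, not ra output), writes the same "0 sport / 1 dport" point pairs Grace expects, converts dotted IPv4 addresses to their 32-bit decimal form, and summarises SYN count and distinct-source count per second, which is the number a defender wants beside the picture when judging whether the sources are spoofed.

```python
"""Added example (not from the original post): build Grace-style XY
datasets from constructed SYN records and summarise the flood per second.

Assumption (not in the original post): records are already available as
text lines "epoch_second src_ip sport dst_ip dport"; the ra/awk/sed
pipeline from the post is replaced by a plain Python transform.
"""
from collections import Counter, defaultdict

# Constructed sample records (not real captured data): one second of a
# SYN flood towards port 80 from four distinct sources, plus one unrelated flow.
SAMPLE_RECORDS = """\
1200000000 10.1.2.3 2224 192.168.1.123 80
1200000000 10.9.8.7 2236 192.168.1.123 80
1200000000 172.16.5.6 2242 192.168.1.123 80
1200000000 10.44.3.2 2248 192.168.1.123 80
1200000001 203.0.113.9 51123 192.168.1.123 443
"""


def ip_to_decimal(dotted):
    """Dotted-quad IPv4 to 32-bit integer, the conversion the post applies
    before plotting addresses (192.168.1.123 -> 3232235899)."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % dotted)
    value = 0
    for o in octets:
        value = (value << 8) | o
    return value


def parse_records(text):
    """Parse the constructed record format into (ts, sip, sport, dip, dport) tuples."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, sip, sport, dip, dport = line.split()
        rows.append((int(ts), sip, int(sport), dip, int(dport)))
    return rows


def grace_port_pairs(rows):
    """Emit the two-line shape the post builds with awk+sed: 'X=0 Y=sport'
    then 'X=1 Y=dport' per record, so Grace draws a line between them.
    Setting X explicitly avoids the text substitution in the post, which
    rewrites any '0 80' and so would also relabel a source port 80."""
    out = []
    for _, _, sport, _, dport in rows:
        out.append("0 %d" % sport)
        out.append("1 %d" % dport)
    return "\n".join(out) + "\n"


def grace_ip_pairs(rows):
    """Same shape as grace_port_pairs, but with source/destination IPs as decimals."""
    out = []
    for _, sip, _, dip, _ in rows:
        out.append("0 %d" % ip_to_decimal(sip))
        out.append("1 %d" % ip_to_decimal(dip))
    return "\n".join(out) + "\n"


def per_second_summary(rows, dport=80):
    """Per-second (SYN count, distinct source count) towards dport.
    Thousands of SYNs per second, each from a different source, is the
    pattern the post's one-second graph shows."""
    syns = Counter()
    sources = defaultdict(set)
    for ts, sip, _, _, dp in rows:
        if dp == dport:
            syns[ts] += 1
            sources[ts].add(sip)
    return {ts: (syns[ts], len(sources[ts])) for ts in syns}


if __name__ == "__main__":
    rows = parse_records(SAMPLE_RECORDS)
    print(grace_port_pairs(rows), end="")      # same layout as syn.dat in the post
    for ts, (n, distinct) in sorted(per_second_summary(rows).items()):
        print("%d: %d SYN to port %d from %d distinct sources" % (ts, n, 80, distinct))
```

Redirecting the first printed block to a file gives a syn.dat that xmgrace can read directly; grace_ip_pairs produces the dataset for the decimal-IP graph in the same way.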

From the port graph, I guess the DDoS was launched from 1 host with spoofed source IPs and a large bandwidth pipe. What do you think?


2 Responses to “Grace - XY plotting tool”

  1. nawuza Says:

    How does it work with tcpdump? You mean that it reads from packets captured by tcpdump which are saved into a file, right? From the file saved by tcpdump, what is the next step?

  2. GuTi Says:

    Hi nawuza,

    If you have the tcpdump file, first you have to convert it to argus format. You could refer here: http://www.gutizz.com/argus-to-check-traffic-spike/
    Then you could use the ra client to convert it.

    Or you could directly save your network traffic in argus format by running the command below:
    # argus -i eth0 -w argus.file
    The command above will read packets from eth0 and save them in argus format.
