Posts Tagged ‘ddos’

Grace - XY plotting tool

Saturday, April 5th, 2008

I have collected packets of a DDOS attack on one machine recently. It is just pure SYN attack to destination port 80, with over 5000 packets from different IP in 1 second. I try to create a graph with this packet by using Grace, a WYSIWYG 2D plotting tool for the X Window System and M*tif. Grace runs on practically any version of Unix-like OS. As well, it has been successfully ported to VMS, OS/2, and Win9*/NT/2000/XP.

First, I used Argus client - ra to show unidirectional RMON stat, with only source port and destination port selected, piped it to awk to make it readable data by Grace, and then convert the number for destination port. For example, X=0, Y=2224 (source port), then X=1, Y=80 (destination port):

[[email protected] /]# ra -nr syn.argus -M rmon -s sport | awk '{ print 0,$1 }' | sed -e 's/0 80/1 80/g' > syn.dat

The output of syn.dat looks like this:

[[email protected] /]# head -n 6 syn.dat
0 2224
1 80
0 2236
1 80
0 2242
1 80

Then use grace to plot it.

[[email protected] /]# xmgrace6 syn.dat &

This is the graph of 23 seconds DDOS from source port to destination port.
DDOS Ports Grace Graph

If I use afterglow to show the connection from source to destination port, the graph looks like this.
DDOS Ports Afterglow Graph

This is the graph after I converted the source and destination IP to decimal, for example, from to 3232235899.
DDOS IP Grace Graph

1 second source port to destination port graph, approximate 5000 SYN per second:
DDOS Ports Grace 1 Second Graph

From the port graph, I guess the DDOS was launched from 1 host with spoofed source IP and large bandwidth pipe, what do you think?