Acasă Explorează Ajutor
Înregistrare Autentificare
root
/
phbpf
1
0
Bifurcare 0
Fisiere Probleme 0 Trageți solicitările 0 Wiki
Arbore: 347bca545b
Ramuri Etichete
phbpf
/
examples
/
tracing
/
dddos.php

dddos.php 3.1 KB
Istoric Crud

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687 
  1. <?php
    2. 

  2. $prog = <<<EOT
    3. 

  3. #include <linux/skbuff.h>
    4. 

  4. #include <uapi/linux/ip.h>
    5. 

  5. 

  6. #define MAX_NB_PACKETS 1000
    7. 

  7. #define LEGAL_DIFF_TIMESTAMP_PACKETS 1000000
    8. 

  8. 

  9. BPF_HASH(rcv_packets);
    10. 

  10. 

  11. struct detectionPackets {
    12. 

  12.     u64 nb_ddos_packets;
    13. 

  13. };
    14. 

  14. 

  15. BPF_PERF_OUTPUT(events);
    16. 

  16. 

  17. int detect_ddos(struct pt_regs *ctx, void *skb){
    18. 

  18.     struct detectionPackets detectionPacket = {};
    19. 

  19. 

  20.     // Used to count number of received packets
    21. 

  21.     u64 rcv_packets_nb_index = 0, rcv_packets_nb_inter=1, *rcv_packets_nb_ptr;
    22. 

  22. 

  23.     // Used to measure elapsed time between 2 successive received packets
    24. 

  24.     u64 rcv_packets_ts_index = 1, rcv_packets_ts_inter=0, *rcv_packets_ts_ptr;
    25. 

  25. 

  26.     /* The algorithm analyses packets received by ip_rcv function
    27. 

  27.     * and measures the difference in reception time between each packet.
    28. 

  28.     * DDOS flooders send millions of packets such that difference of
    29. 

  29.     * timestamp between 2 successive packets is so small
    30. 

  30.     * (which is not like regular applications behaviour).
    31. 

  31.     * This script looks for this difference in time and if it sees
    32. 

  32.     * more than MAX_NB_PACKETS successive packets with a difference
    33. 

  33.     * of timestamp between each one of them less than
    34. 

  34.     * LEGAL_DIFF_TIMESTAMP_PACKETS ns,
    35. 

  35.     * ------------------ It Triggers an ALERT -----------------
    36. 

  36.     * Those settings must be adapted depending on regular network traffic
    37. 

  37.     * -------------------------------------------------------------------
    38. 

  38.     * Important: this is a rudimentary intrusion detection system, one can
    39. 

  39.     * test a real case attack using hping3. However; if regular network
    40. 

  40.     * traffic increases above predefined detection settings, a false
    41. 

  41.     * positive alert will be triggered (an example would be the
    42. 

  42.     * case of large file downloads).
    43. 

  43.     */
    44. 

  44.     rcv_packets_nb_ptr = rcv_packets.lookup(&rcv_packets_nb_index);
    45. 

  45.     rcv_packets_ts_ptr = rcv_packets.lookup(&rcv_packets_ts_index);
    46. 

  46.     if(rcv_packets_nb_ptr != 0 && rcv_packets_ts_ptr != 0){
    47. 

  47.         rcv_packets_nb_inter = *rcv_packets_nb_ptr;
    48. 

  48.         rcv_packets_ts_inter = bpf_ktime_get_ns() - *rcv_packets_ts_ptr;
    49. 

  49.         if(rcv_packets_ts_inter < LEGAL_DIFF_TIMESTAMP_PACKETS){
    50. 

  50.             rcv_packets_nb_inter++;
    51. 

  51.         } else {
    52. 

  52.             rcv_packets_nb_inter = 0;
    53. 

  53.         }
    54. 

  54.         if(rcv_packets_nb_inter > MAX_NB_PACKETS){
    55. 

  55.             detectionPacket.nb_ddos_packets = rcv_packets_nb_inter;
    56. 

  56.             events.perf_submit(ctx, &detectionPacket, sizeof(detectionPacket));
    57. 

  57.         }
    58. 

  58.     }
    59. 

  59.     rcv_packets_ts_inter = bpf_ktime_get_ns();
    60. 

  60.     rcv_packets.update(&rcv_packets_nb_index, &rcv_packets_nb_inter);
    61. 

  61.     rcv_packets.update(&rcv_packets_ts_index, &rcv_packets_ts_inter);
    62. 

  62.     return 0;
    63. 

  63. }
    64. 

  64. EOT;
    65. 

  65. $b    = new Bpf(["text" => $prog]);
    66. 

  66. 

  67. $b->attach_kprobe("ip_rcv", "detect_ddos");
    68. 

  68. 

  69. echo "DDOS detector started ... Hit Ctrl-C to end!\n";
    70. 

  70. 

  71. echo sprintf("%-26s %-10s\n", "TIME(s)", "MESSAGE");
    72. 

  72. 

  73. function trigger_alert_event($ctx, $data, $size)
    74. 

  74. {
    75. 

  75.     $event = unpack("Qnb_ddos_packets", $data);
    76. 

  76.     echo sprintf("%-26s %s %ld\n", date("Y-m-d H:i:s"), "DDOS Attack => nb of packets up to now: ", $event['nb_ddos_packets']);
    77. 

  77. }
    78. 

  78. 

  79. $b->events->open_perf_buffer("trigger_alert_event");
    80. 

  80. 

  81. while (true) {
    82. 

  82.     try {
    83. 

  83.         $b->perf_buffer_poll();
    84. 

  84.     } catch (Exception $e) {
    85. 

  85.         exit;
    86. 

  86.     }
    87. 

  87. }
    88.