Changeset 144 for trunk

Timestamp:

12/21/10 16:01:36 (12 years ago)

Author:

andreu

Message:

DoS detection - detection in core (todo: email notification with renetcolSEC module)

Location:

trunk

Files:

• src/dataFlowSet.c (modified) (8 diffs)
• src/dataFlowSet.h (modified) (1 diff)
• src/renetcolParam.h (modified) (1 diff)
• src/renetcolSender.c (modified) (2 diffs)
• web/inf/thks.php (modified) (1 diff)

trunk/src/dataFlowSet.c

@@ -58 +58 @@
   int j = 0;
   int pos = 0;
+        int jdos = 0;
+        int posdos = 0;
   unsigned char buffer1;  
   unsigned char buffer2[2];
@@ -75 +77 @@
 #endif
   struct AggCache agCache;
+        struct DoSCache dosCache;
   int bool = 0; /* in IPV4 Agg mode enabled, we need to now if it's an IPv4 */
   int isIPv6 = 0;
@@ -330 +333 @@
                 agCache.bytes = *((unsigned long*)&buffer4);
                 if (
-                    ((unsigned long)((((RuleDefPtr)(*(myPtrs->rulesAddressPtr+pos)))->value->stor.lvalue) + ( (((RuleDefPtr)(*(myPtrs->rulesAddressPtr+pos)))->value->stor.lvalue)*10/100))
+                    ((unsigned long)((((RuleDefPtr)(*(myPtrs->rulesAddressPtr+pos)))->value->stor.lvalue) + ( (((RuleDefPtr)(*(myPtrs->rulesAddressPtr+pos)))->value->stor.lvalue)/5))
                      >= (*((unsigned long*)&buffer4)))
                     &&
-                    ( (unsigned long)((((RuleDefPtr)(*(myPtrs->rulesAddressPtr+pos)))->value->stor.lvalue) - ( (((RuleDefPtr)(*(myPtrs->rulesAddressPtr+pos)))->value->stor.lvalue)*10/100))
+                    ( (unsigned long)((((RuleDefPtr)(*(myPtrs->rulesAddressPtr+pos)))->value->stor.lvalue) - ( (((RuleDefPtr)(*(myPtrs->rulesAddressPtr+pos)))->value->stor.lvalue)/5))
                       <= (*((unsigned long*)&buffer4)) )
                     )
@@ -339 +342 @@
                     ((RuleDefPtr)(*(myPtrs->rulesAddressPtr+pos)))->check = 1;
                   }
-              }
+                                }
 #if defined(IPV4AGGIDR) || defined(IPV4AGGIDSNMP)
               if (pftmp->fieldType==10){
@@ -369 +372 @@
               }
 #endif
+              if (pftmp->fieldType==1){
+                      dosCache.bytes = *((unsigned long*)&buffer4);
+                                        dosCache.sampling = *myPtrs->currentRouterPtr->sampled;
+              }
+              if (pftmp->fieldType==2){
+                      dosCache.pkts = *((unsigned long*)&buffer4);
+                                }
               break;
             case 16:
@@ -633 +643 @@
           }
 #endif
+                if (pftmp->fieldType==1){
+            dosCache.bytes = *((unsigned long*)&buffer4);
+                        dosCache.sampling = *myPtrs->currentRouterPtr->sampled;
+          } 
+                if (pftmp->fieldType==2){
+            dosCache.pkts = *((unsigned long*)&buffer4);
+          }
           break;
         case 16:
@@ -1426 +1443 @@
         }
         isMplsFlow = 0;
+
+        /* DoS DETECTION */
+        if ( ( dosCache.packets*dosCache.sampling > MAX_PKTS_DOS )  
+                  && ((dosCache.packets)/(dosCache.bytes) < RATIO_DOS ) ) {
+                                jdos = 0;
+        posdos = 69*MAX_RULES_PER_FIELD+jdos;
+        while ( ((RuleDefPtr)(*(myPtrs->rulesAddressPtr+jdos))) != NULL ) {
+                                        ((RuleDefPtr)(*(myPtrs->rulesAddressPtr+posdos)))->check = 1;
+                                        jdos++;
+                                }
+        }
+
         /* 
          *
@@ -1465 +1494 @@
                                                    &tmp->sourceId, 
                                                    sizeof(unsigned long) 
-                                                   ), 
-                                           &tmp->templateFlowSetId, 
-                                           sizeof(tmp->templateFlowSetId) 
-                                           ), 
-                                   myPtrs->ptr_buffer+secondOffset, 
+                                                   ),
+                                           &tmp->templateFlowSetId,
+                                           sizeof(tmp->templateFlowSetId)
+                                           ),
+                                   myPtrs->ptr_buffer+secondOffset,
                                    flow_size
                                    ); 

trunk/src/dataFlowSet.h

@@ -95 +95 @@
 };
 
+struct DoSCache {
+  unsigned long bytes;
+        unsigned long pkts;
+        unsigned long sampling;
+}
 
 short 

trunk/src/renetcolParam.h

@@ -73 +73 @@
 #define MAX_IPV6_PREFIX 500
 #define MAX_IPV6_SUBNET 100
+
+#define MAX_PKTS_DOS 30000      /* dos threshold */
+#define RATIO_DOS 200   /* packets average size */
+#define RATIO_FIELD 69  /* field 69 is a "reserved" field who is not used actualy. */
 
 /* 

trunk/src/renetcolSender.c

@@ -252 +252 @@
       close (listenSock);
       todo(clientSock, remoteHost);
-      if (!(pidFile = fopen("/tmp/pidrenetcol.tmp", "r"))) {
-        syslog (LOG_ERR, "error during /tmp/pidrenetcol.tmp opening : %s\n",
+      if (!(pidFile = fopen("/var/run/renetcol.pid", "r"))) {
+        syslog (LOG_ERR, "error during /var/run/renetcol.pid opening : %s\n",
                 strerror(errno));
         exit(1);
@@ -404 +404 @@
       buffer4[3]= *(myText+i); i++;
       renetcolPID = *((pid_t *)&buffer4);
-      if (!(pidFile = fopen("/tmp/pidrenetcol.tmp", "w"))) {
-        syslog (LOG_ERR, "error during /tmp/pidrenetcol.tmp opening : %s\n",
+      if (!(pidFile = fopen("/var/run/renetcol.pid", "w"))) {
+        syslog (LOG_ERR, "error during /var/run/renetcol.pid opening : %s\n",
                 strerror(errno));
         exit(1);

trunk/web/inf/thks.php

@@ -3 +3 @@
 print " <div id=\"contenu\"> <p> Thanks to : \n";
 print "<ul>";
+print "<li> Dany Vandromme (director of RENATER) and Franck SIMON (RENATER CTO 2007-2009). </li>";
 print "<li> CERT RENATER (for his daily usage of renetcolGUI)</li>";
 print "<li> Anthony Fisson (for the syslog section and many discussions about parallel computing options)</li>";