Detecting DDoS attacks with Nagios

DDOS attacks have been in the limelight (and in the media) since the Wikileaks affair.
This type of attack is quite difficult to detect because, unlike most "traditional" attacks, it relies on flooding the target machine with requests from a large number of zombie machines (i.e. machines infected with a program that launches the attack on command).
In this post we will see how to use Nagios to send alerts when it detects a DDOS SYN Flood type attack.
For that I developed a Nagios plugin (licensed under GPL v3), available at the following address:

https://raw.github.com/nicolargo/nagiosautoinstall/master/check_ddos.pl

Installing the script

It requires a properly configured Nagios server. Then run the following commands:

cd /usr/local/nagios/libexec

sudo rm -f check_ddos.pl

wget https://raw.github.com/nicolargo/nagiosautoinstall/master/check_ddos.pl

chmod a+rx check_ddos.pl

sudo chown nagios:nagios check_ddos.pl

Test script:

./check_ddos.pl -w 50 -c 60

No DDOS attack detected (5/50)

Nagios configuration
To add a DDOS SYN Flood detection service on the local machine (i.e. to check for DDOS attacks against the server hosting Nagios itself), first edit the commands.cfg file (by default in /usr/local/nagios/etc/objects) to add the new DDOS SYN Flood detection command:

# check_ddos
define command{
command_name check_ddos
command_line $USER1$/check_ddos.pl -w $ARG1$ -c $ARG2$
}

Then edit the localhost.cfg file (also found in /usr/local/nagios/etc/objects) to add the service:

# Warning: >50 SYN_RECV
# Critical: >70 SYN_RECV
define service{
use local-service
host_name bilbo
service_description DDOS SYN Flood detect
check_command check_ddos!50!70
}

We have just defined a service that sends a Warning alert when the server has more than 50 open connections in the SYN_RECV state (more than 70 for a Critical alert). These figures must of course be tailored to each server.
As a bonus, when an alert is raised, the plugin displays the top 10 IP addresses of the zombie machines (useful for writing iptables blocking rules).
If you want to monitor DDOS SYN Flood attacks on another machine, use the NRPE plugin, which acts as the interface between the Nagios server and the server being monitored.
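To make the plugin contract concrete, here is an added example (written for this post, not the code of check_ddos.pl itself) of the same check logic in Python: count sockets in the SYN_RECV state, compare the count against the -w and -c thresholds with the same "strictly greater than" semantics as the service definition above, return the standard Nagios exit code, and list the top source addresses when an alert fires. The netstat output embedded in the block is constructed so the example runs offline; the read_socket_lines() helper and the syn_recv perfdata label are assumptions, not part of the original plugin.

```python
"""Added example: a minimal Nagios-style SYN flood check.

Not the check_ddos.pl plugin from the post; it mimics its contract:
count sockets in SYN_RECV, compare against -w/-c thresholds, return
the Nagios exit code, and list the top source addresses when alerting.
"""
import argparse
import subprocess
import sys
from collections import Counter

# Standard Nagios plugin exit codes
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

# Constructed sample output in the format of `netstat -tan` (assumption:
# one socket per line, state in the last column). Embedded so the example
# runs offline; on a real host read_socket_lines() is used instead.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:51235      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:51236      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.9:40001       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.9:40002       SYN_RECV
tcp        0      0 192.0.2.10:22           203.0.113.44:2222       ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.200:3333     TIME_WAIT
"""


def syn_recv_sources(lines):
    """Return a Counter of foreign IPs for every socket in SYN_RECV."""
    sources = Counter()
    for line in lines:
        fields = line.split()
        # netstat rows: proto recv-q send-q local foreign state
        if len(fields) < 6 or fields[-1] != "SYN_RECV":
            continue
        foreign = fields[4]
        # Drop the port; rsplit keeps IPv6 addresses (which contain ':') intact
        ip = foreign.rsplit(":", 1)[0]
        sources[ip] += 1
    return sources


def evaluate(lines, warn, crit, top=10):
    """Apply the thresholds and build the plugin output line.

    Returns (exit_code, message). A count strictly above warn is WARNING,
    strictly above crit is CRITICAL, matching the ">50 / >70" comments in
    the service definition. Perfdata follows '|' so Nagios can graph it.
    """
    if crit < warn:
        return UNKNOWN, "UNKNOWN - critical threshold must be >= warning threshold"
    sources = syn_recv_sources(lines)
    total = sum(sources.values())
    perf = f"|syn_recv={total};{warn};{crit};0"
    if total > crit:
        state, label, limit = CRITICAL, "CRITICAL", crit
    elif total > warn:
        state, label, limit = WARNING, "WARNING", warn
    else:
        return OK, f"OK - No DDOS attack detected ({total}/{warn}){perf}"
    # Top offending sources, the equivalent of the plugin's "top 10 zombie IPs"
    top_src = ", ".join(f"{ip}({n})" for ip, n in sources.most_common(top))
    return state, (f"{label} - DDOS SYN Flood suspected: {total} SYN_RECV "
                   f"(>{limit}), top sources: {top_src}{perf}")


def read_socket_lines():
    """Read the live socket table (assumption: netstat is installed)."""
    out = subprocess.run(["netstat", "-tan"], capture_output=True,
                         text=True, check=True).stdout
    return out.splitlines()


def main(argv=None):
    # Same -w / -c convention as check_ddos.pl; --sample uses the embedded data
    parser = argparse.ArgumentParser(description="Nagios SYN_RECV check (example)")
    parser.add_argument("-w", type=int, required=True, help="warning threshold")
    parser.add_argument("-c", type=int, required=True, help="critical threshold")
    parser.add_argument("--sample", action="store_true", help="use embedded sample data")
    args = parser.parse_args(argv)
    lines = SAMPLE_NETSTAT.splitlines() if args.sample else read_socket_lines()
    code, message = evaluate(lines, args.w, args.c)
    print(message)
    return code


if __name__ == "__main__":
    sys.exit(main())
```

Run it as `python3 check_syn_flood.py -w 50 -c 70 --sample` to see the OK line with the constructed data, or without --sample on a Linux host to read the real socket table; the exit code is what Nagios uses to decide the service state, so the message text is informational only. Lowering the thresholds (for instance `-w 2 -c 4`) on the sample data shows the CRITICAL path with the per-source breakdown.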
