dds/dds.conf at master · pgul/dds · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
# mac-address of the router
# Used for separate incoming/outgoing traffic at monitoring port
# It requires for monitoring port and can be autodetected for pc-router
# "all-in" and "all-out" values can be used for process all traffic
# at the port as incoming or as outgoing.
#mymac=00e0.34f0.041c

# listen interface
# comment out if you use netflow
iface=fxp1

# netflow import
# port or ip:port
# comment out if you use SPAN
netflow=9992

# in defined dds receive tcp-connection to this port
# and report there about current DoS-attacks state
serv-port=9993

# snmp timeout in ms
snmp-timeout=10000

# router(s) and uplink interface(s)
# you can specify uplink ports as uplink-ifindex, uplink-ifname,
# uplink-ifdescr, uplink-ifalias, uplink-ifip.
# used for process netflow data.
router=public@10.0.1.1
uplink-ifdescr=FastEthernet0/0.202
myas-ifdescr=FastEthernet0/0.192
# used for sampled netflow
#sampled=1024

router=public@10.0.2.1
uplink-ifdescr=FastEthernet0/1.203
myas-ifdescr=FastEthernet0/1.192
#sampled=256

log=/var/log/dds/dds.log
#log=syslog

# snap 100M of traffic to this file if SIGUSR1 received.
snap=/var/log/dds/snap

pid=/var/run/dds.pid

# Drop privileges to this user after binding to the interface or port.
# Note: when used this option dds cannot restart itself by SIGUSR2 signal.
user=dds

# Command executed if alarm caused.
# Macros:
#  %p - pps
#  %b - "pps", "bps", "syn pps", "udp pps" or "icmp pps" string from check rule
#  %d - attacked host or net, "a.b.c.d->d.e.f.g" form for bysrcdst rules
#  %t - "to" or "from" string according to in|out rule check
#  %i - alarm id. You can use it for generate message-id in form
#       <%i@`hostname`> and put all messages about one alarm into one thread.
alarm="echo '%b %p' | mail -s 'DoS %t %d' alarm@your.domain"
noalarm="echo '%b %p' | mail -s 'DoS %t %d finished' alarm@your.domain"
#contalarm="echo '%b %p' | mail -s 'DoS %t %d continue' alarm@your.domain"

# If dds built with embedded perl support, you can set file with
# perl functions alarm_start(), alarm_finish(), alarm_cont()

#perlfile=/usr/local/etc/dds.pl

# Interval for checked statistics (seconds).
# Note: it should be more then flow-cache timeout on the router
# if netflow used for DoS detecting.
interval=60

# Expire entry if it's unused this time (seconds)
expire=300

# Report about finished alarm after this number of intervals
# during which traffic is less then safelimit
noalarm-intervals=1

# Save info about traffic and reprocess it if detailed info needed.
# If "no", detailed info will be generated only in next time interval,
# report about DoS (bysrcdst or bydstport) in this case will be on
# one time interval later.
# Saving info needs extra memory: 20 bytes for every pkt in pcap case
# and for every flow in netflow case. It's about 25M for 100M-link with
# 1-min interval in pcap case and about 4M in netflow case.
recheck=yes

# Inhibit less specific alarm events by more specific.
# I.e. do not report about large pps to a host when reported about large
# udp pps to it.
inhibit=yes

# ALARM RULES

# check {pps|bps|syn|udp|icmp} {in|out} <ip>[/<preflen>] <limit> <stoplimit> [bysrc|bydst|bysrcdst|bydstport] [break]
#   pps  - check packets per second rate
#   bps  - check bit per second rate
#   syn  - check tcp syn packets (without ACK bit) per second rate
#   udp  - check udp packets per second rate
#   icmp - check icmp packets per second rate
#
#   in  - check incoming traffic (or outgoing if -r switch specified)
#   out - check outgoing traffic (or incoming if -r switch specified)
#
#   ip[/preflen] - use this rule only if destination host for "in"
#                  or source host if "out" matched this network.
#
#   limit     - report about DoS if pps/bps is more then this limit
#   stoplimit - report that DoS is finished if pps/bps is less then this limit
#
#   bysrc     - collect statistics for any source host separately
#   bydst     - collect statistics for any destination host separately
#   bysrcdst  - collect statistics for any src/dst pair separately
#   bydstport - collect statistics for any port of dst host separately
#   Store more information requires more memory and CPU resources.
#   If "bydstport" specified only tcp and udp traffic checks.
#
#   break - do not check the rest of rules if ip and direction matches
#           this rule. Non-tcp and non-syn packets does not match the
#           rule if bydstport or syn is a criterio.

# Alarm if tcp syn requests rate to single host more then 500 per second.
# Report DoS is finished when tcp syn speed is less then 100 per sec.
# Note: syn checks is not exact in netflow case.
check syn in 0.0.0.0/0 500 100 bydst

# Alarm if total incoming pps more then 60k
# Report DoS is finished when pps is less then 40k
check pps in 0.0.0.0/0 60k 40k

# Host with huge traffic, "break" mean do not check other rules for it
check pps in 82.144.192.35 10k 6k break
# Alarm if incoming pps for any single host more then 4k
check pps in 0.0.0.0/0 4k 1k bydst

# 60Mbps of outgoing traffic from news2.volia.net is OK
check bps out 82.144.192.35 60M 30M break
# Alarm if outgoing bps from any other single host more then 20M
check bps out 0.0.0.0/0 20M 4M bysrc

# Check client networks
alarm="echo '%b %p' | mail -s 'DoS %t %d' alarm@colocall.net"
noalarm="echo '%b %p' | mail -s 'DoS %t %d finished' alarm@colocall.net"
check pps in 62.149.0.0/19 4k 1k bydst