detect ddos attack

Hello, is there a way to detect DDoS attacks with CrowdSec? I was attacked, but there was no detection on the CrowdSec side.
13 Replies
CrowdSec · 6mo ago
Important Information
Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please run the command /resolve or press the green resolve button below.
Log Files
If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.
Guide Followed (CrowdSec Official)
If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.
Screenshots
Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.
© Created By WhyAydan for CrowdSec ❤️
GNU Plus Windows User
did you install the http dos collection?
bbuddha (OP) · 6mo ago
Yes. Just to clarify, it's a web application in Python with Caddy as a reverse proxy and MariaDB for the DB. DoS command: sudo hping3 -S --flood -V -p 443 1.2.3.4
GNU Plus Windows User
That might be the issue: CrowdSec can only detect HTTP-based DoS attacks, unless you want to create a custom parser and scenario.
bbuddha (OP) · 6mo ago
Hmmmm, that's what I was afraid of. I'll see how to do it differently or, as you said, create a specific scenario parser.
bbuddha (OP) · 6mo ago
When I go to the metrics, I can see that a DoS scenario is being triggered, but it doesn't seem to be enough. Do you know why? @GNU Plus Windows User
[screenshot attached, no description]
GNU Plus Windows User
can you share the top row? I can't see exactly what's what, or even better if you can copy-paste the output with the top row preserved.
iiamloz · 6mo ago
Remember that hping is just a SYN flood attack, and we rely on something to log these events, as we are a HIDS, not a NIDS. So is Traefik reporting anything in the logs when the hping comes in? Because Traefik might not be reporting anything unless you're using their TCP modules, since it's not directly sending HTTP data.
GNU Plus Windows User
^ pretty much if it's not in a log then CrowdSec can't detect it
iiamloz · 6mo ago
This might be useful; typically SYN floods are hard to overcome: https://www.cyberciti.biz/tips/howto-limit-linux-syn-attacks.html but you can use the iptables example to do some logging instead of RETURN, and you can then use the iptables parser and craft your own scenario to block if they repeatedly go over the limit.
bbuddha (OP) · 6mo ago
I might have found something—either way, it stopped me in my tracks. What do you think? @iiamloz
```yaml
# iptables-dos-parser.yaml
onsuccess: next_stage
debug: true
filter: "evt.Parsed.program == 'kernel' and evt.Parsed.message contains 'IPTABLES DROP:'"
name: crowdsecurity/iptables-dos-parser
description: "Parse iptables drop logs for DoS detection"
grok:
  pattern: '%{GREEDYDATA}SRC=%{IP:src_ip} DST=%{IP:dst_ip}%{GREEDYDATA}PROTO=%{WORD:proto} SPT=%{INT:src_port} DPT=%{INT:dst_port}'
  apply_on: message
statics:
  - meta: source_ip
    expression: evt.Parsed.src_ip
  - meta: dest_ip
    expression: evt.Parsed.dst_ip
  - meta: source_port
    expression: evt.Parsed.src_port
  - meta: dest_port
    expression: evt.Parsed.dst_port
  - meta: protocol
    expression: Lower(evt.Parsed.proto)
  - meta: log_type
    expression: "'iptables_drop'"
  - meta: service
    expression: Lower(evt.Parsed.proto)
```
```yaml
# iptables-dos-scenario.yaml
type: leaky
name: crowdsecurity/dos-attack
description: "Détecte les attaques par déni de service via iptables logs"
filter: "evt.Meta.log_type == 'iptables_drop' && evt.Meta.protocol == 'tcp'"
groupby: evt.Meta.source_ip
distinct: evt.Meta.source_port
capacity: 100
leakspeed: 5s
blackhole: 5m
labels:
  remediation: true
  classification:
    - attack.T1498
    - attack.T1499
  behavior: "tcp:dos"
  label: "DoS Attack"
  spoofable: 3
  confidence: 8
```
I don't know if it's really good. Maybe add more conditions, I don't know.
GNU Plus Windows User
It looks like you're trying to detect a portscan rather than a DoS attack.
bbuddha (OP) · 6mo ago
Yeah, I thought the same thing — I relied too much on the other iptables parser. I redid it, and I think it's better like this. What do you think?
```yaml
# iptables-dos-parser.yaml
onsuccess: next_stage
debug: true
filter: "evt.Parsed.program == 'kernel' and evt.Parsed.message contains 'IPTABLES DROP:'"
name: crowdsecurity/iptables-dos-parser
description: "Parse iptables drop logs for DoS detection"
grok:
  # The TCP tail (WINDOW ... URGP) is one optional group placed directly after DPT,
  # so UDP/ICMP lines still parse while TCP lines get their flags captured. A
  # %{GREEDYDATA} in front of a run of all-optional groups would swallow the rest
  # of the line and the flags would never be captured. The flags are listed in the
  # order the kernel's LOG target prints them (CWR ECE URG ACK PSH RST SYN FIN),
  # and inside a single-quoted YAML string '\s' is written with one backslash.
  # Assumes the LOG rule does not use --log-tcp-sequence.
  pattern: '%{GREEDYDATA}SRC=%{IP:src_ip} DST=%{IP:dst_ip}%{GREEDYDATA}PROTO=%{WORD:proto} SPT=%{INT:src_port} DPT=%{INT:dst_port}(?:\s+WINDOW=%{INT:window}\s+RES=0x%{WORD:tcp_reserved}(?:\s+CWR)?(?:\s+ECE)?(?:\s+URG)?(?:\s+(?P<ack>ACK))?(?:\s+(?P<psh>PSH))?(?:\s+(?P<rst>RST))?(?:\s+(?P<syn>SYN))?(?:\s+(?P<fin>FIN))?\s+URGP=%{INT:urgp})?'
  apply_on: message
statics:
  - meta: source_ip
    expression: evt.Parsed.src_ip
  - meta: dest_ip
    expression: evt.Parsed.dst_ip
  - meta: source_port
    expression: evt.Parsed.src_port
  - meta: dest_port
    expression: evt.Parsed.dst_port
  - meta: protocol
    expression: Lower(evt.Parsed.proto)
  - meta: tcp_window
    expression: evt.Parsed.window
  - meta: tcp_flags
    # Builds a string such as "SYN " or "SYN ACK " from the captured flag groups
    expression: >-
      (evt.Parsed.syn != '' ? 'SYN ' : '') +
      (evt.Parsed.ack != '' ? 'ACK ' : '') +
      (evt.Parsed.fin != '' ? 'FIN ' : '') +
      (evt.Parsed.rst != '' ? 'RST ' : '') +
      (evt.Parsed.psh != '' ? 'PSH ' : '')
  - meta: log_type
    expression: "'iptables_drop'"
  - meta: service
    expression: Lower(evt.Parsed.proto)
```
```yaml
# iptables-dos-scenario.yaml
type: leaky
name: crowdsecurity/dos-attack
description: "Détecte les attaques par déni de service via iptables logs"
filter: "evt.Meta.log_type == 'iptables_drop' && evt.Meta.protocol == 'tcp'"
groupby: "evt.Meta.source_ip + '|' + evt.Meta.tcp_flags"
capacity: 200
leakspeed: "1s"
blackhole: 10m
labels:
  remediation: true
  classification:
    - attack.T1498
    - attack.T1499
  behavior: "tcp:dos"
  label: "DoS Attack"
  spoofable: 3
  confidence: 8
```
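To check what the parser and scenario posted above would actually do with kernel LOG lines, here is an added, stand-alone Python model (not part of the thread and not CrowdSec code). It contains a hand-expanded regex equivalent of the posted grok pattern, with the TCP flag groups written in the order the kernel's LOG target prints them, and a simplified leaky-bucket model (assumed semantics: one token per event, one token drained per `leakspeed`, overflow when an event arrives while `capacity` tokens are already held, then a blackhole). The log lines, IPs, timestamps and capacity/leakspeed values are constructed for the demo; the helper names (`parse_line`, `LeakyBucket`, `replay`) are this example's own.

```python
"""Replay constructed iptables LOG lines through a model of a CrowdSec-style
parser and leaky scenario. Added example; not CrowdSec's implementation."""
import re
from collections import defaultdict

# Regex equivalent of the grok pattern: %{IP}, %{INT}, %{WORD} expanded by hand.
# Assumes IPv4 and a LOG rule without --log-tcp-sequence (no SEQ=/ACK= fields).
IPT_RE = re.compile(
    r"SRC=(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}) DST=(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3}).*?"
    r"PROTO=(?P<proto>\w+) SPT=(?P<src_port>\d+) DPT=(?P<dst_port>\d+)"
    r"(?:\s+WINDOW=(?P<window>\d+)\s+RES=0x(?P<tcp_reserved>\w+)"
    r"(?:\s+CWR)?(?:\s+ECE)?(?:\s+URG)?(?:\s+(?P<ack>ACK))?(?:\s+(?P<psh>PSH))?"
    r"(?:\s+(?P<rst>RST))?(?:\s+(?P<syn>SYN))?(?:\s+(?P<fin>FIN))?\s+URGP=(?P<urgp>\d+))?"
)

FLAG_ORDER = ("syn", "ack", "fin", "rst", "psh")  # order used by the tcp_flags static


def parse_line(line):
    """Model of the parser node: filter, grok, then statics -> evt.Meta dict."""
    if "kernel:" not in line or "IPTABLES DROP:" not in line:
        return None  # filter did not match; node skipped
    m = IPT_RE.search(line)
    if not m:
        return None  # grok failed; parser node fails
    flags = "".join(f"{f.upper()} " for f in FLAG_ORDER if m.group(f))
    return {
        "source_ip": m.group("src_ip"),
        "dest_ip": m.group("dst_ip"),
        "protocol": m.group("proto").lower(),
        "dest_port": m.group("dst_port"),
        "tcp_flags": flags,
        "log_type": "iptables_drop",
    }


class LeakyBucket:
    """Simplified leaky bucket (assumed semantics): one token per event, tokens
    drain at one per leakspeed seconds, overflow when an event arrives while the
    bucket already holds `capacity` tokens."""

    def __init__(self, capacity, leakspeed_s):
        self.capacity, self.leakspeed = capacity, leakspeed_s
        self.level, self.last_ts = 0.0, None

    def feed(self, ts):
        if self.last_ts is not None:
            self.level = max(0.0, self.level - (ts - self.last_ts) / self.leakspeed)
        self.last_ts = ts
        if self.level >= self.capacity:
            self.level = 0.0  # overflow: alert, then start from an empty bucket
            return True
        self.level += 1
        return False


def replay(events, capacity=200, leakspeed_s=1.0, blackhole_s=600):
    """Feed (timestamp, log line) pairs through the scenario model: only TCP
    iptables_drop events count, grouped by source_ip + '|' + tcp_flags, and a
    group is ignored for blackhole_s seconds after it overflows."""
    buckets = defaultdict(lambda: LeakyBucket(capacity, leakspeed_s))
    blackhole_until, alerts = {}, []
    for ts, line in events:
        meta = parse_line(line)
        if not meta or meta["log_type"] != "iptables_drop" or meta["protocol"] != "tcp":
            continue
        key = f"{meta['source_ip']}|{meta['tcp_flags']}"
        if ts < blackhole_until.get(key, -1):
            continue
        if buckets[key].feed(ts):
            alerts.append((ts, key))
            blackhole_until[key] = ts + blackhole_s
    return alerts


# Constructed syslog line template in the kernel LOG target's format.
LOG_TMPL = ("Mar  3 10:15:{sec:02d} web kernel: IPTABLES DROP: IN=eth0 OUT= "
            "SRC={src} DST=192.0.2.5 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 "
            "PROTO={proto} SPT={spt} DPT={dpt} {tail}")


def sample_events():
    """Constructed sample: 250 dropped SYNs from one source inside one syslog
    second, five ordinary ACK/PSH drops from another source, and one UDP drop."""
    flood = [(100, LOG_TMPL.format(sec=1, src="203.0.113.10", proto="TCP", spt=40000 + i,
                                    dpt=443, tail="WINDOW=512 RES=0x00 SYN URGP=0"))
             for i in range(250)]
    quiet = [(100 + i, LOG_TMPL.format(sec=1 + i, src="198.51.100.7", proto="TCP",
                                        spt=51000 + i, dpt=443,
                                        tail="WINDOW=229 RES=0x00 ACK PSH URGP=0"))
             for i in range(5)]
    udp = [(100, LOG_TMPL.format(sec=1, src="198.51.100.9", proto="UDP", spt=5353,
                                  dpt=53, tail="LEN=45"))]
    return flood + quiet + udp


if __name__ == "__main__":
    for ts, key in replay(sample_events()):
        print(f"t={ts}s overflow for {key!r} -> DoS Attack alert")
```

With the constructed input the flood source overflows exactly once on its 201st SYN (the blackhole then silences it), the ACK/PSH source never gets near capacity, and the UDP line is parsed but filtered out by the scenario. The model is only for reasoning about thresholds; to confirm the real parser's captures, feed a captured kernel line to `cscli explain` on the CrowdSec host.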
