Federated Example: DDOS attacks

billhowe edited this page Jun 11, 2015 · 3 revisions

Note: the controllers rule below is written with recursive syntax that is not supported; it is used here for clarity only.

--=================
-- Run this on MyriaX
--=================

-- syntactic sugar to ignore irrelevant attributes
flow = select src, dst, start, end from Ipflow

-- count the flows to each dst that start inside a one-minute window
flowcount = select dst, count(src) as number_of_flows
              from flow where 4:59 pm < start and start < 5:00 pm

-- a DDOS attack is a large number of flows
-- to one destination in a short time
DDOS = select flowcount.dst
         from flowcount where number_of_flows > 100000

-- A bot is any IP participating in an attack
bot = select flow.src
        from DDOS, flow where DDOS.dst = flow.dst

--=================
-- Run this on GEMS
--=================

-- a controller is a bot
controllers = select src from bot 

-- ...or anyone connected to another controller (excuse the recursion...)
controllers = select src 
                from flow, controllers where flow.dst = controllers.src

--=================
-- Run this on MyriaX
--=================

-- master controllers connect to many controllers
master = select flow.src
           from flow, flowcount, controllers
          where flow.dst = controllers.src
            and flow.dst = flowcount.dst
            and number_of_flows > 20
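The whole pipeline above as one standard-SQL query, with the unsupported recursive controllers rule expressed as a WITH RECURSIVE common table expression and run against SQLite from Python. This is an added example, not Myria or GEMS code: the flow records, the IP addresses and the scaled-down thresholds (3 flows instead of 100k, 2 controllers instead of 20) are constructed here for illustration. It also makes one reading of the master rule explicit: a master is a source that connects to at least the threshold number of distinct controllers, counted directly rather than through flowcount.

```python
import sqlite3

# Constructed sample flows (not from the original page): (src, dst, start, end).
# The page's 4:59 pm .. 5:00 pm window is written as 16:59:00 .. 17:00:00.
FLOWS = [
    # three sources hit the victim 10.0.0.1 inside the window
    ("10.0.0.11", "10.0.0.1", "2015-06-11 16:59:01", "2015-06-11 16:59:02"),
    ("10.0.0.12", "10.0.0.1", "2015-06-11 16:59:05", "2015-06-11 16:59:06"),
    ("10.0.0.13", "10.0.0.1", "2015-06-11 16:59:30", "2015-06-11 16:59:31"),
    # same source, earlier flow outside the window: not counted by flowcount
    ("10.0.0.11", "10.0.0.1", "2015-06-11 16:50:00", "2015-06-11 16:50:01"),
    # benign traffic to another destination
    ("192.168.1.5", "10.0.0.9", "2015-06-11 16:59:10", "2015-06-11 16:59:20"),
    # controller -> bot, and a second controller -> first controller
    ("10.0.1.1", "10.0.0.11", "2015-06-11 16:30:00", "2015-06-11 16:30:05"),
    ("10.0.1.2", "10.0.1.1", "2015-06-11 16:20:00", "2015-06-11 16:20:05"),
    # master controller talks to three controllers
    ("10.0.2.1", "10.0.0.12", "2015-06-11 16:10:00", "2015-06-11 16:10:01"),
    ("10.0.2.1", "10.0.0.13", "2015-06-11 16:10:02", "2015-06-11 16:10:03"),
    ("10.0.2.1", "10.0.1.1", "2015-06-11 16:10:04", "2015-06-11 16:10:05"),
]

WINDOW_START = "2015-06-11 16:59:00"
WINDOW_END = "2015-06-11 17:00:00"
DDOS_THRESHOLD = 3     # page uses 100k; scaled down for the toy data
MASTER_THRESHOLD = 2   # page uses 20; scaled down for the toy data

# flowcount -> DDOS -> bot -> controllers (recursive) -> master, as on the page
PIPELINE = """
WITH RECURSIVE
  flowcount(dst, number_of_flows) AS (
    SELECT dst, COUNT(src) FROM flow
    WHERE start >= :wstart AND start < :wend
    GROUP BY dst),
  ddos(dst) AS (
    SELECT dst FROM flowcount WHERE number_of_flows >= :ddos),
  bot(src) AS (
    SELECT DISTINCT flow.src FROM ddos JOIN flow ON ddos.dst = flow.dst),
  controllers(src) AS (
    SELECT src FROM bot
    UNION
    SELECT flow.src FROM flow JOIN controllers ON flow.dst = controllers.src),
  master(src, n_controllers) AS (
    SELECT flow.src, COUNT(DISTINCT flow.dst)
    FROM flow JOIN controllers ON flow.dst = controllers.src
    GROUP BY flow.src
    HAVING COUNT(DISTINCT flow.dst) >= :master)
SELECT 'ddos' AS role, dst AS ip FROM ddos
UNION ALL SELECT 'bot', src FROM bot
UNION ALL SELECT 'controller', src FROM controllers
UNION ALL SELECT 'master', src FROM master
"""


def classify(flows=FLOWS, ddos_threshold=DDOS_THRESHOLD,
             master_threshold=MASTER_THRESHOLD):
    """Load the flows into an in-memory table and return the IPs found in
    each role: {'ddos': victims, 'bot': ..., 'controller': ..., 'master': ...}."""
    conn = sqlite3.connect(":memory:")
    # "end" is quoted because it is an SQL keyword
    conn.execute('CREATE TABLE flow (src TEXT, dst TEXT, start TEXT, "end" TEXT)')
    conn.executemany("INSERT INTO flow VALUES (?, ?, ?, ?)", flows)
    rows = conn.execute(PIPELINE, {
        "wstart": WINDOW_START, "wend": WINDOW_END,
        "ddos": ddos_threshold, "master": master_threshold,
    }).fetchall()
    conn.close()
    result = {"ddos": set(), "bot": set(), "controller": set(), "master": set()}
    for role, ip in rows:
        result[role].add(ip)
    return result


if __name__ == "__main__":
    for role, ips in classify().items():
        print(f"{role:10s} {sorted(ips)}")
```

Every later role depends on the earlier one: raising the DDOS threshold above the number of flows to the victim empties DDOS, and with no DDOS there are no bots, no controllers and no masters, which is exactly the chain the page's four queries encode.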