Detecting the Attacker from Logs using Machine Learning
This is something new I learned about DDoS attacks. A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic.
In this task I used Jenkins, machine learning, RHEL 8, Node.js, Python, and a lot of Google searching.
*Here I am breaking the task down using a simple scenario*
1. The system keeps a log of the clients that send requests to the server (for httpd this is the access log).
2. This log data is used to find unusual patterns in client requests, for example a client sending requests repeatedly. For this we can use clustering: group the clients by their request pattern and identify which cluster of clients can cause security and performance problems for the server.
3. If an unusual pattern is found, Jenkins can perform a task in response, for example run a command that blocks the IP address causing the trouble.
Job-1 – Copy logs
This job copies the httpd log from /var/log/httpd/access_log to a different location on the system, because we must not disturb the original log file (httpd keeps writing to it, and the later jobs should work on a snapshot).
Job-2 – Pull the code from git
This job pulls the GitHub repository and copies it to the destination folder, here /home/anant/logger.
Below is the github repo for the project.
https://github.com/amanjagdev/apache-logger
Job-3 – Create CSV
This job uses Node.js to parse the log file into a CSV file using regular expressions.
You will find the code snippet in the GitHub repo.
Job-4 – CSV label
Job-5 – Find the attacker
This is where the machine learning happens.
I would suggest installing Python 2 together with pandas and scikit-learn (sklearn) for this step, using pip2 for the installation. Note that Python 2 has been end-of-life since January 2020; pandas and scikit-learn both support Python 3, so on RHEL 8 you can use python3 and pip3 instead.
Job-6 – Reading the attacker IP
Here we read the attacker's IP address from the output of the previous job and send the data to my email.
Job-7 – Saving the world
Here the system blocks the malicious IP address. Because the address is read from a file written by the previous job, validate that it really is an IP address before putting it into a command.
------------------------> To Block An IP Address <------------------------
sudo iptables -I INPUT -s <IP Address> -j DROP
(-I inserts the rule at the top of the INPUT chain. With -A the rule is appended at the end, so an earlier ACCEPT rule that matches the traffic would be hit first and the DROP would never fire. Rules added this way are not persistent across reboots unless saved.)
------------------------> To Unblock An IP Address <----------------------
sudo iptables -D INPUT -s <IP Address> -j DROP
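The whole pipeline from the scenario above (parse the access log into CSV, build per-client features, cluster them, pick the attacker cluster, build the block command) as one added Python example. This is not the code from the apache-logger repository: the log lines are constructed, the features (requests per client and distinct paths per client) are my assumption about what separates a flood from normal browsing, and the two-cluster k-means is written out by hand as a dependency-free stand-in for sklearn.cluster.KMeans.

```python
import csv
import io
import ipaddress
import re
from collections import defaultdict

# One Apache access_log line (common/combined format, the RHEL 8 httpd default).
# Referer and user-agent may follow; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def build_sample_log():
    """Constructed log lines (not captured traffic): three normal clients plus one
    client, 192.168.0.55, flooding the server with unique URLs the way HULK does."""
    lines = [
        '192.168.0.20 - - [10/Jun/2020:10:00:01 +0530] "GET / HTTP/1.1" 200 1234',
        '192.168.0.20 - - [10/Jun/2020:10:00:05 +0530] "GET /about.html HTTP/1.1" 200 512',
        '192.168.0.21 - - [10/Jun/2020:10:00:07 +0530] "GET / HTTP/1.1" 200 1234',
        '192.168.0.22 - - [10/Jun/2020:10:00:09 +0530] "POST /login HTTP/1.1" 302 -',
        '192.168.0.22 - - [10/Jun/2020:10:00:10 +0530] "GET /home HTTP/1.1" 200 900',
        '192.168.0.22 - - [10/Jun/2020:10:00:12 +0530] "GET /home HTTP/1.1" 200 900',
    ]
    for i in range(40):
        lines.append(f'192.168.0.55 - - [10/Jun/2020:10:00:{i % 60:02d} +0530] '
                     f'"GET /?{i:04x}=x HTTP/1.1" 200 1234')
    return lines


def parse_line(line):
    """Job-3 step: split one access_log line into named fields, or None if it is malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def log_to_csv(lines):
    """Job-3 step: the parsed log as CSV text (what the Node.js job writes to disk)."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=["ip", "time", "method", "path", "status", "size"])
    w.writeheader()
    for row in filter(None, map(parse_line, lines)):
        w.writerow(row)
    return buf.getvalue()


def features_per_ip(rows):
    """Job-4 step: one feature vector per client, (request count, distinct paths).
    A flood tool that randomises its URLs scores high on both (assumed feature choice)."""
    count, paths = defaultdict(int), defaultdict(set)
    for r in rows:
        count[r["ip"]] += 1
        paths[r["ip"]].add(r["path"])
    return {ip: (count[ip], len(paths[ip])) for ip in count}


def _nearest(p, centroids):
    dists = [sum((a - b) ** 2 for a, b in zip(p, c)) for c in centroids]
    return dists.index(min(dists))


def kmeans2(points, iters=50):
    """Minimal 2-means (stand-in for sklearn KMeans). Centroids start at the
    quietest and the busiest client, so the result is deterministic."""
    pts = list(points.values())
    cents = [min(pts), max(pts)]
    for _ in range(iters):
        groups = [[], []]
        for p in pts:
            groups[_nearest(p, cents)].append(p)
        new = [tuple(sum(x) / len(g) for x in zip(*g)) if g else cents[i]
               for i, g in enumerate(groups)]
        if new == cents:
            break
        cents = new
    return cents, {ip: _nearest(p, cents) for ip, p in points.items()}


def find_attackers(lines):
    """Job-5 step: the clients that fall into the high-volume cluster."""
    feats = features_per_ip(filter(None, map(parse_line, lines)))
    if len(feats) < 2:
        return []
    cents, labels = kmeans2(feats)
    if cents[0] == cents[1]:  # every client looks alike: nothing to flag
        return []
    hot = 1 if cents[1][0] > cents[0][0] else 0
    return sorted(ip for ip, lbl in labels.items() if lbl == hot)


def block_command(ip):
    """Job-7 step: the iptables argv for one address, or None when the value read
    from the attacker file is not an IP (never hand it to a shell unchecked).
    -I puts the rule first so an earlier ACCEPT cannot shadow it."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return None
    tool = "iptables" if addr.version == 4 else "ip6tables"
    return [tool, "-I", "INPUT", "-s", str(addr), "-j", "DROP"]


if __name__ == "__main__":
    log = build_sample_log()
    print(log_to_csv(log).splitlines()[0])
    for ip in find_attackers(log):
        print("attacker:", ip, "->", " ".join(block_command(ip)))
```

With two clusters the busier cluster is always "the attacker", so on a quiet server a normal heavy user would be flagged too; in practice compare the cluster centroid against a request-rate threshold, or add a time-window feature, before letting Jenkins run the block command.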
To test the environment, you can use the HULK DoS tool to attack your own test server.
HULK is a Denial of Service (DoS) tool used to attack web servers by generating volumes of unique and obfuscated traffic. Because every request carries a different URL, HULK's traffic also bypasses caching engines and hits the server's direct resource pool. The tool is used to test network devices like firewalls.
HULK takes the target as a URL rather than a bare IP address:
python hulk.py http://<IP Address>/
Mine worked with python hulk.py http://192.168.0.110/