{"id":21762,"date":"2025-01-14T14:04:21","date_gmt":"2025-01-14T06:04:21","guid":{"rendered":"https:\/\/www.simcentric.com\/uncategorized-sc\/how-to-detect-ddos-attacks-and-track-hacker\/"},"modified":"2025-01-14T14:24:31","modified_gmt":"2025-01-14T06:24:31","slug":"how-to-detect-ddos-attacks-and-track-hacker","status":"publish","type":"post","link":"https:\/\/www.simcentric.com\/sc\/america-dedicated-server-sc\/how-to-detect-ddos-attacks-and-track-hacker\/","title":{"rendered":"\u5982\u4f55\u68c0\u6d4bDDoS\u653b\u51fb\u5e76\u8ffd\u8e2a\u9ed1\u5ba2\uff1f"},"content":{"rendered":"<p>\u5728\u4e0d\u65ad\u53d1\u5c55\u7684\u7f51\u7edc\u5b89\u5168\u9886\u57df\uff0c<a href=\"https:\/\/www.simcentric.com\/sc\/hong-kong-dedicated-server-sc\/what-is-a-ddos-attack-how-do-you-protect-against-it\/\" target=\"_blank\">DDoS\u653b\u51fb<\/a>\u4ecd\u7136\u662f\u5bf9\u670d\u52a1\u5668\u57fa\u7840\u8bbe\u65bd\u548c\u7f51\u7edc\u7a33\u5b9a\u6027\u6700\u6301\u7eed\u7684\u5a01\u80c1\u4e4b\u4e00\u3002\u5bf9\u4e8e\u7ba1\u7406<a href=\"https:\/\/www.simcentric.com\/sc\/products\/dedicated-server-us\/\" 
target=\"_blank\">\u7f8e\u56fd\u670d\u52a1\u5668\u79df\u7528<\/a>\u73af\u5883\u7684\u7cfb\u7edf\u7ba1\u7406\u5458\u548c\u5b89\u5168\u4e13\u4e1a\u4eba\u5458\u6765\u8bf4\uff0c\u68c0\u6d4b\u548c\u8ffd\u8e2a\u8fd9\u4e9b\u653b\u51fb\u7684\u80fd\u529b\u5bf9\u4e8e\u7ef4\u62a4\u670d\u52a1\u53ef\u9760\u6027\u81f3\u5173\u91cd\u8981\u3002<\/p>\n<h2><strong>\u4e86\u89e3\u73b0\u4ee3DDoS\u653b\u51fb\u7279\u5f81<\/strong><\/h2>\n<p>DDoS\u653b\u51fb\u5df2\u7ecf\u8d85\u8d8a\u4e86\u7b80\u5355\u7684\u6cdb\u6d2a\u653b\u51fb\u65b9\u5f0f\u3002\u4eca\u5929\u7684\u653b\u51fb\u901a\u5e38\u91c7\u7528TCP SYN\u6cdb\u6d2a\u3001DNS\u653e\u5927\u548c\u7b2c7\u5c42\u653b\u51fb\u7b49\u590d\u6742\u6280\u672f\u3002\u4e3a\u4e86\u6709\u6548\u8bc6\u522b\u8fd9\u4e9b\u5a01\u80c1\uff0c\u6211\u4eec\u9700\u8981\u68c0\u67e5\u5177\u4f53\u7684\u6d41\u91cf\u6a21\u5f0f\u548c\u7cfb\u7edf\u6307\u6807\u3002<\/p>\n<pre><code>\r\n# \u7528\u4e8e\u68c0\u6d4bSYN\u6cdb\u6d2a\u7684Netflow\u5206\u6790\u547d\u4ee4\r\nnfdump -R \/var\/cache\/nfdump\/flows -o \"fmt:%ts %td %pr %sap -> %dap %pkt %byt\" -n 10 'proto tcp and flags S and not flags 
ARFPU'\r\n<\/code><\/pre>\n<h2><strong>\u5173\u952e\u68c0\u6d4b\u6307\u6807\u548c\u76d1\u63a7\u5de5\u5177<\/strong><\/h2>\n<p>\u5b9e\u65bd\u5065\u58ee\u7684\u76d1\u63a7\u7cfb\u7edf\u9700\u8981\u540c\u65f6\u8ddf\u8e2a\u591a\u4e2a\u6307\u6807\u3002\u4ee5\u4e0b\u662f\u91cd\u8981\u6307\u6807\u7684\u6280\u672f\u7ec6\u5206\uff1a<\/p>\n<ul>\n<li>\u7f51\u7edc\u541e\u5410\u91cf\u504f\u5dee\u6a21\u5f0f<\/li>\n<li>TCP\u8fde\u63a5\u72b6\u6001\u5206\u6790<\/li>\n<li>\u6bcf\u79d2\u8bf7\u6c42(RPS)\u5f02\u5e38<\/li>\n<li>\u8d44\u6e90\u5229\u7528\u7387\u5cf0\u503c<\/li>\n<\/ul>\n<h2><strong>\u9ad8\u7ea7\u6d41\u91cf\u5206\u6790\u6280\u672f<\/strong><\/h2>\n<p>\u8bc6\u522b\u653b\u51fb\u5411\u91cf\u9700\u8981\u5bf9\u7f51\u7edc\u6a21\u5f0f\u8fdb\u884c\u590d\u6742\u5206\u6790\u3002\u4ee5\u4e0b\u662f\u4f7f\u7528tcpdump\u6355\u83b7\u53ef\u7591\u6d41\u91cf\u7684\u5b9e\u9645\u5b9e\u73b0（注意：该捕获过滤器只保留UDP 53端口的数据包，文件中不含TCP报文，后面tshark的统计过滤器应改为针对UDP\/DNS的条件，否则按TCP SYN统计的结果恒为零）\uff1a<\/p>\n<pre><code>\r\n# \u6355\u83b7\u548c\u5206\u6790\u53ef\u7591UDP\u6d41\u91cf\r\ntcpdump -i eth0 'udp and port 53 and length > 512' -w dns_analysis.pcap\r\n# \u5206\u6790\u6355\u83b7\u7684\u6d41\u91cf\u6a21\u5f0f\r\ntshark -r dns_analysis.pcap -q -z io,stat,1,\"COUNT(*)tcp&&tcp.flags.syn==1\"\r\n<\/code><\/pre>\n<h2><strong>\u6e90\u8ffd\u8e2a\u65b9\u6cd5\u8bba<\/strong><\/h2>\n<p>\u8ffd\u8e2aDDoS\u653b\u51fb\u8005\u9700\u8981\u91c7\u7528\u591a\u5c42\u6b21\u7684\u6e90\u8bc6\u522b\u65b9\u6cd5\u3002\u5b89\u5168\u4e13\u4e1a\u4eba\u5458\u9700\u8981\u5b9e\u65bd\uff1a<\/p>\n<ul>\n<li>BGP flowspec\u8def\u7531\u534f\u8bae<\/li>\n<li>\u5206\u5e03\u5f0f\u871c\u7f50\u7f51\u7edc<\/li>\n<li>\u5b9e\u65f6IP\u4fe1\u8a89\u5206\u6790<\/li>\n<li>\u6570\u636e\u5305\u7279\u5f81\u5173\u8054<\/li>\n<\/ul>\n<p>\u8ba9\u6211\u4eec\u6765\u770b\u4e00\u4e2a\u4f7f\u7528Python\u5b9e\u73b0\u57fa\u672c\u8ffd\u8e2a\u7cfb\u7edf\u7684\u5b9e\u9645\u793a\u4f8b。需要注意，SYN泛洪和UDP泛洪的源地址通常是伪造的，DNS放大流量的源地址则是被利用的反射服务器，因此按源IP计数得到的只是进一步调查的线索，而不是攻击者本人的地址\uff1a<\/p>\n<pre><code>\r\nimport numpy as np\r\nfrom scapy.all import *\r\n\r\ndef analyze_packet_patterns(pcap_file):\r\n    packets = rdpcap(pcap_file)\r\n    src_ips = {}\r\n   
 \r\n    for pkt in packets:\r\n        if IP in pkt:\r\n            src = pkt[IP].src\r\n            if src in src_ips:\r\n                src_ips[src] += 1\r\n            else:\r\n                src_ips[src] = 1\r\n    \r\n    # \u8bc6\u522b\u6f5c\u5728\u653b\u51fb\u6e90\r\n    threshold = np.mean(list(src_ips.values())) + 2*np.std(list(src_ips.values()))\r\n    suspicious_ips = {ip: count for ip, count in src_ips.items() if count > threshold}\r\n    \r\n    return suspicious_ips\r\n<\/code><\/pre>\n<h2><strong>\u5b9e\u65bd\u5b9e\u65f6\u9632\u5fa1\u7cfb\u7edf<\/strong><\/h2>\n<p>\u73b0\u4ee3\u670d\u52a1\u5668\u79df\u7528\u73af\u5883\u9700\u8981\u81ea\u52a8\u5316\u9632\u5fa1\u673a\u5236\u3002\u8003\u8651\u8fd9\u4e2anginx\u901f\u7387\u9650\u5236\u914d\u7f6e\u793a\u4f8b\uff1a<\/p>\n<pre><code>\r\nhttp {\r\n    limit_req_zone $binary_remote_addr zone=one:10m rate=30r\/s;\r\n    \r\n    server {\r\n        location \/ {\r\n            limit_req zone=one burst=10 nodelay;\r\n            proxy_pass http:\/\/backend;\r\n        }\r\n    }\r\n}\r\n<\/code><\/pre>\n<h2><strong>\u7f8e\u56fd\u670d\u52a1\u5668\u4fdd\u62a4\u7b56\u7565<\/strong><\/h2>\n<p>\u5bf9\u4e8e\u7f8e\u56fd\u7684\u670d\u52a1\u5668\u6258\u7ba1\u548c\u670d\u52a1\u5668\u79df\u7528\u63d0\u4f9b\u5546\uff0c\u5b9e\u65bd\u5f3a\u5927\u7684\u4fdd\u62a4\u9700\u8981\u5168\u9762\u7684\u65b9\u6cd5\u3002\u8ba9\u6211\u4eec\u6765\u770b\u4e00\u4e2a\u6709\u6548\u7684iptables\u57fa\u7ebf\u4fdd\u62a4\u914d\u7f6e。请注意，syn_flood链中的limit匹配对所有来源合并计数，而不是按源IP分别计数，1\/s的限制会作用于整台服务器的全部新TCP连接，正常访问也会被丢弃；如需按来源限速，应改用hashlimit模块并按实际流量调整阈值\uff1a<\/p>\n<pre><code>\r\n# iptables\u901f\u7387\u9650\u5236\u914d\u7f6e\r\niptables -A INPUT -p tcp --dport 80 -m string --string \"GET \/wp-login.php\" --algo bm -m recent --name wp_login --set\r\niptables -A INPUT -p tcp --dport 80 -m string --string \"GET \/wp-login.php\" --algo bm -m recent --name wp_login --rcheck --seconds 60 --hitcount 10 -j DROP\r\n\r\n# \u9632\u62a4SYN\u6cdb\u6d2a\r\niptables -N syn_flood\r\niptables -A INPUT -p tcp --syn -j syn_flood\r\niptables -A syn_flood -m limit --limit 1\/s 
--limit-burst 3 -j RETURN\r\niptables -A syn_flood -j DROP\r\n<\/code><\/pre>\n<h2><strong>\u81ea\u52a8\u54cd\u5e94\u7cfb\u7edf<\/strong><\/h2>\n<p>\u4ee5\u4e0b\u662f\u4e00\u4e2a\u6f14\u793a\u4e0e\u5e38\u89c1\u670d\u52a1\u5668\u79df\u7528\u63a7\u5236\u9762\u677f\u96c6\u6210\u7684\u81ea\u52a8\u54cd\u5e94\u7cfb\u7edf\u7684Python\u811a\u672c。该脚本仅为示意：netstat输出的表头行不匹配其中的正则表达式，re.match会返回None并在调用.groups()时抛出异常；脚本也没有白名单、重复规则检查和解封机制，部署前需要补充，以免误封NAT出口或上游代理等合法地址\uff1a<\/p>\n<pre><code>\r\nfrom datetime import datetime\r\nimport subprocess\r\nimport re\r\n\r\nclass DDOSMonitor:\r\n    def __init__(self, threshold=1000):\r\n        self.threshold = threshold\r\n        self.connection_count = {}\r\n        \r\n    def check_connections(self):\r\n        netstat = subprocess.check_output(\r\n            \"netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n\",\r\n            shell=True\r\n        ).decode()\r\n        \r\n        for line in netstat.split('\\n'):\r\n            if line:\r\n                count, ip = re.match(r'\\s*(\\d+)\\s+([\\d.]+)', line).groups()\r\n                if int(count) > self.threshold:\r\n                    self.block_ip(ip)\r\n    \r\n    def block_ip(self, ip):\r\n        subprocess.run([\r\n            'iptables',\r\n            '-A', 'INPUT',\r\n            '-s', ip,\r\n            '-j', 'DROP'\r\n        ])\r\n        self.log_attack(ip)\r\n\r\n    def log_attack(self, ip):\r\n        with open('\/var\/log\/ddos_monitor.log', 'a') as f:\r\n            f.write(f\"{datetime.now()}: \u5df2\u5c01\u9501IP {ip} 
\u56e0\u8fc7\u591a\u8fde\u63a5\\n\")\r\n<\/code><\/pre>\n<h2><strong>\u6cd5\u5f8b\u5408\u89c4\u6027\u548c\u6587\u6863\u8bb0\u5f55<\/strong><\/h2>\n<p>\u5728\u8ffd\u8e2a\u9488\u5bf9\u7f8e\u56fd\u670d\u52a1\u5668\u7684DDoS\u653b\u51fb\u8005\u65f6\uff0c\u4fdd\u6301\u9002\u5f53\u7684\u6587\u6863\u8bb0\u5f55\u5bf9\u4e8e\u53ef\u80fd\u7684\u6cd5\u5f8b\u884c\u52a8\u81f3\u5173\u91cd\u8981\u3002\u4ee5\u4e0b\u662f\u8bb0\u5f55\u4e8b\u4ef6\u7684\u7ed3\u6784\u5316\u65b9\u6cd5\uff1a<\/p>\n<ul>\n<li>\u653b\u51fb\u5f00\u59cb\u65f6\u95f4\u6233<\/li>\n<li>\u7f51\u7edc\u6d41\u91cf\u6355\u83b7(pcap\u6587\u4ef6)<\/li>\n<li>\u7cfb\u7edf\u8d44\u6e90\u4f7f\u7528\u65e5\u5fd7<\/li>\n<li>\u5df2\u5b9e\u65bd\u7684\u7f13\u89e3\u63aa\u65bd<\/li>\n<li>\u5f71\u54cd\u8bc4\u4f30\u6587\u6863<\/li>\n<\/ul>\n<h2><strong>\u6848\u4f8b\u7814\u7a76\u5206\u6790<\/strong><\/h2>\n<p>\u8ba9\u6211\u4eec\u6765\u5206\u6790\u4e00\u6b21\u9488\u5bf9\u4e3b\u8981\u7f8e\u56fd\u670d\u52a1\u5668\u79df\u7528\u63d0\u4f9b\u5546\u7684\u6700\u8fd1DDoS\u653b\u51fb\u3002\u8be5\u653b\u51fb\u91c7\u7528\u4e86\u590d\u6742\u7684\u591a\u5411\u91cf\u65b9\u6cd5\uff0c\u7ed3\u5408\u4e86\u5bb9\u91cf\u578bUDP\u6cdb\u6d2a\u548c\u5e94\u7528\u5c42\u653b\u51fb\u3002\u4ee5\u4e0b\u662f\u653b\u51fb\u6a21\u5f0f\u7684\u5206\u6790。需要注意，缓解规则的u32表达式中以12>>26开头的一段是按TCP首部数据偏移字段定位载荷的写法，而UDP首部固定为8字节，与-p udp搭配时读取的并不是UDP载荷的起始位置，使用前应重新推导偏移并在测试环境中验证；此外，850 Gbps量级的流量在到达主机之前就会占满链路，仅靠主机上的iptables规则无法缓解，还需要上游清洗或运营商侧过滤\uff1a<\/p>\n<pre><code>\r\n# \u653b\u51fb\u6a21\u5f0f\u5206\u6790\r\n\u65f6\u95f4: 2024-01-10 15:30 UTC\r\n\u5cf0\u503c\u6d41\u91cf: 850 Gbps\r\n\u653b\u51fb\u5411\u91cf: \r\n- UDP\u6cdb\u6d2a (\u7aef\u53e3 53)\r\n- HTTP GET\u6cdb\u6d2a\r\n- TCP SYN\u6cdb\u6d2a\r\n\r\n# \u7f13\u89e3\u54cd\u5e94\r\niptables -A INPUT -p udp --dport 53 -m u32 --u32 \"0>>22&0x3C@ 12>>26&0x3C@ 0&0xFFFFFFFF=0x00000000\" -j DROP\r\n<\/code><\/pre>\n<h2><strong>\u6027\u80fd\u5f71\u54cd\u8bc4\u4f30<\/strong><\/h2>\n<p>\u5728DDoS\u4e8b\u4ef6\u671f\u95f4\uff0c\u76d1\u63a7\u7cfb\u7edf\u6027\u80fd\u81f3\u5173\u91cd\u8981\u3002\u4ee5\u4e0b\u662f\u5b9e\u65f6\u6027\u80fd\u8ffd\u8e2a\u7684Python\u811a\u672c\uff1a<\/p>\n<pre><code>\r\nimport psutil\r\nimport 
time\r\nfrom collections import deque\r\n\r\nclass SystemMonitor:\r\n    def __init__(self, window_size=60):\r\n        self.cpu_history = deque(maxlen=window_size)\r\n        self.network_history = deque(maxlen=window_size)\r\n        \r\n    def collect_metrics(self):\r\n        # CPU\u4f7f\u7528\u7387\r\n        cpu_percent = psutil.cpu_percent(interval=1)\r\n        \r\n        # \u7f51\u7edcI\/O\r\n        net_io = psutil.net_io_counters()\r\n        bytes_sent = net_io.bytes_sent\r\n        bytes_recv = net_io.bytes_recv\r\n        \r\n        self.cpu_history.append(cpu_percent)\r\n        self.network_history.append((bytes_sent, bytes_recv))\r\n        \r\n        return {\r\n            'cpu': cpu_percent,\r\n            'network': {\r\n                'sent': bytes_sent,\r\n                'received': bytes_recv\r\n            }\r\n        }\r\n\r\n    def detect_anomaly(self):\r\n        if len(self.cpu_history) < 10:\r\n            return False\r\n            \r\n        avg_cpu = sum(self.cpu_history) \/ len(self.cpu_history)\r\n        return avg_cpu > 
85.0\r\n<\/code><\/pre>\n<h2><strong>\u672a\u6765\u9632\u5fa1\u7b56\u7565\u7684\u89c4\u5212<\/strong><\/h2>\n<p>\u968f\u7740DDoS\u653b\u51fb\u6301\u7eed\u6f14\u53d8\uff0c\u670d\u52a1\u5668\u79df\u7528\u63d0\u4f9b\u5546\u5fc5\u987b\u8c03\u6574\u5176\u9632\u5fa1\u7b56\u7565\u3002\u4e3b\u8981\u5efa\u8bae\u5305\u62ec\uff1a<\/p>\n<ul>\n<li>\u5b9e\u65bd\u57fa\u4e8eAI\u7684\u6d41\u91cf\u5206\u6790<\/li>\n<li>\u8de8\u5730\u7406\u533a\u57df\u7684\u5206\u5e03\u5f0f\u76d1\u63a7\u8282\u70b9<\/li>\n<li>\u5b9a\u671f\u5b89\u5168\u5ba1\u8ba1\u548c\u6e17\u900f\u6d4b\u8bd5<\/li>\n<li>\u4e0e\u5168\u7403\u5a01\u80c1\u60c5\u62a5\u7f51\u7edc\u96c6\u6210<\/li>\n<\/ul>\n<h2><strong>\u7ed3\u8bba<\/strong><\/h2>\n<p>\u6709\u6548\u7684DDoS\u68c0\u6d4b\u548c\u9ed1\u5ba2\u8ffd\u8e2a\u9700\u8981\u7ed3\u5408\u6280\u672f\u4e13\u957f\u3001\u9002\u5f53\u7684\u5de5\u5177\u548c\u7cfb\u7edf\u65b9\u6cd5\u3002\u5bf9\u4e8e\u7f8e\u56fd\u670d\u52a1\u5668\u6258\u7ba1\u548c\u670d\u52a1\u5668\u79df\u7528\u63d0\u4f9b\u5546\u6765\u8bf4\uff0c\u5728\u4fdd\u6301\u6cd5\u5f8b\u5408\u89c4\u6027\u7684\u540c\u65f6\u9886\u5148\u4e8e\u65b0\u5174\u5a01\u80c1\u81f3\u5173\u91cd\u8981\u3002\u901a\u8fc7\u5b9e\u65bd\u672c\u6307\u5357\u4e2d\u6982\u8ff0\u7684\u7b56\u7565\u548c\u5de5\u5177\uff0c\u7ec4\u7ec7\u53ef\u4ee5\u66f4\u597d\u5730\u4fdd\u62a4\u5176\u57fa\u7840\u8bbe\u65bd\u514d\u53d7\u590d\u6742\u7684DDoS\u653b\u51fb\u3002<\/p>\n<p>\u8bf7\u8bb0\u4f4f\uff0cDDoS\u9632\u62a4\u662f\u4e00\u4e2a\u9700\u8981\u6301\u7eed\u8b66\u60d5\u548c\u9002\u5e94\u65b0\u653b\u51fb\u5411\u91cf\u7684\u6301\u7eed\u8fc7\u7a0b\u3002\u5b9a\u671f\u66f4\u65b0\u5b89\u5168\u534f\u8bae\u548c\u6301\u7eed\u76d1\u63a7\u7f51\u7edc\u6a21\u5f0f\u5bf9\u4e8e\u5728\u5f53\u4eca\u7684\u5a01\u80c1\u73af\u5883\u4e2d\u7ef4\u62a4\u5f3a\u5927\u7684\u670d\u52a1\u5668\u4fdd\u62a4\u4ecd\u7136\u81f3\u5173\u91cd\u8981\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u5728\u4e0d\u65ad\u53d1\u5c55\u7684\u7f51\u7edc\u5b89\u5168\u9886\u57df\uff0cDDoS\u653b\u51fb\u4ecd\u
7136\u662f\u5bf9\u670d\u52a1\u5668\u57fa\u7840\u8bbe\u65bd\u548c\u7f51\u7edc\u7a33\u5b9a\u6027\u6700\u6301\u7eed\u7684\u5a01\u80c1\u4e4b\u4e00\u3002\u5bf9\u4e8e\u7ba1\u7406\u7f8e\u56fd\u670d\u52a1\u5668\u79df\u7528\u73af\u5883\u7684\u7cfb\u7edf\u7ba1\u7406\u5458\u548c\u5b89\u5168\u4e13\u4e1a\u4eba\u5458\u6765\u8bf4\uff0c\u68c0\u6d4b\u548c\u8ffd\u8e2a\u8fd9\u4e9b\u653b\u51fb\u7684\u80fd\u529b\u5bf9\u4e8e\u7ef4\u62a4\u670d\u52a1\u53ef\u9760\u6027\u81f3\u5173\u91cd\u8981\u3002 \u4e86\u89e3\u73b0\u4ee3DDoS\u653b\u51fb\u7279\u5f81 DDoS\u653b\u51fb\u5df2\u7ecf\u8d85\u8d8a\u4e86\u7b80\u5355\u7684\u6cdb\u6d2a\u653b\u51fb\u65b9\u5f0f\u3002\u4eca\u5929\u7684\u653b\u51fb\u901a\u5e38\u91c7\u7528TCP SYN\u6cdb\u6d2a\u3001DNS\u653e\u5927\u548c\u7b2c7\u5c42\u653b\u51fb\u7b49\u590d\u6742\u6280\u672f\u3002\u4e3a\u4e86\u6709\u6548\u8bc6\u522b\u8fd9\u4e9b\u5a01\u80c1\uff0c\u6211\u4eec\u9700\u8981\u68c0\u67e5\u5177\u4f53\u7684\u6d41\u91cf\u6a21\u5f0f\u548c\u7cfb\u7edf\u6307\u6807\u3002 # \u7528\u4e8e\u68c0\u6d4bSYN\u6cdb\u6d2a\u7684Netflow\u5206\u6790\u547d\u4ee4 nfdump -R \/var\/cache\/nfdump\/flows -o &#8220;fmt:%ts %td %pr %sap -> %dap %pkt %byt&#8221; -n 10 &#8216;proto tcp and flags S and not flags ARFPU&#8217; \u5173\u952e\u68c0\u6d4b\u6307\u6807\u548c\u76d1\u63a7\u5de5\u5177 \u5b9e\u65bd\u5065\u58ee\u7684\u76d1\u63a7\u7cfb\u7edf\u9700\u8981\u540c\u65f6\u8ddf\u8e2a\u591a\u4e2a\u6307\u6807\u3002\u4ee5\u4e0b\u662f\u91cd\u8981\u6307\u6807\u7684\u6280\u672f\u7ec6\u5206\uff1a \u7f51\u7edc\u541e\u5410\u91cf\u504f\u5dee\u6a21\u5f0f TCP\u8fde\u63a5\u72b6\u6001\u5206\u6790 \u6bcf\u79d2\u8bf7\u6c42(RPS)\u5f02\u5e38 \u8d44\u6e90\u5229\u7528\u7387\u5cf0\u503c \u9ad8\u7ea7\u6d41\u91cf\u5206\u6790\u6280\u672f \u8bc6\u522b\u653b\u51fb\u5411\u91cf\u9700\u8981\u5bf9\u7f51\u7edc\u6a21\u5f0f\u8fdb\u884c\u590d\u6742\u5206\u6790\u3002\u4ee5\u4e0b\u662f\u4f7f\u7528tcpdump\u6355\u83b7\u53ef\u7591\u6d41\u91cf\u7684\u5b9e\u9645\u5b9e\u73b0\uff1a # \u6355\u83b7\u548c\u5206\u6790\u53ef\u7591UDP\u6d41\u91cf 
tcpdump -i eth0 &#8216;udp and port 53 and length > 512&#8217; -w dns_analysis.pcap # \u5206\u6790\u6355\u83b7\u7684\u6d41\u91cf\u6a21\u5f0f tshark [&#8230;]<\/p>\n<p><a class=\"btn btn-secondary understrap-read-more-link\" href=\"https:\/\/www.simcentric.com\/sc\/america-dedicated-server-sc\/how-to-detect-ddos-attacks-and-track-hacker\/\">Read More&#8230;<\/a><\/p>\n","protected":false},"author":3,"featured_media":21759,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[4816],"tags":[6092,6091,6090,2597,583],"class_list":["post-21762","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-america-dedicated-server-sc","tag-us-hosting-security-sc","tag-hacker-tracking-sc","tag-ddos-detection-sc","tag-server-protection-sc","tag-network-security-sc"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.2 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>How to Detect DDoS Attacks and Track Hacker?<\/title>\n<meta name=\"description\" content=\"Master advanced techniques for identifying DDoS attacks and tracking cybercriminals. 
Learn practical tools and methods for protecting your US-based servers.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.simcentric.com\/sc\/wp-json\/wp\/v2\/posts\/21762\" \/>\n<meta property=\"og:locale\" content=\"zh_CN\" \/>\n<meta property=\"og:type\" content=\"company\" \/>\n<meta property=\"og:title\" content=\"How to Detect DDoS Attacks and Track Hacker?\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.simcentric.com\/sc\/wp-json\/wp\/v2\/posts\/21762\" \/>\n<meta property=\"og:site_name\" content=\"\u65b0\u5929\u57df\u4e92\u8054\" \/>\n<meta property=\"article:published_time\" content=\"2025-01-14T06:04:21+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-01-14T06:24:31+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.simcentric.com\/wp-content\/uploads\/2025\/01\/Screenshot-2025-01-14-140356.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"611\" \/>\n\t<meta property=\"og:image:height\" content=\"340\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"How to Detect DDoS Attacks and Track Hacker?","description":"Master advanced techniques for identifying DDoS attacks and tracking cybercriminals. 
Learn practical tools and methods for protecting your US-based servers.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.simcentric.com\/sc\/wp-json\/wp\/v2\/posts\/21762","og_locale":"zh_CN","og_type":"company","og_title":"How to Detect DDoS Attacks and Track Hacker?","og_url":"https:\/\/www.simcentric.com\/sc\/wp-json\/wp\/v2\/posts\/21762","og_site_name":"\u65b0\u5929\u57df\u4e92\u8054","article_published_time":"2025-01-14T06:04:21+00:00","article_modified_time":"2025-01-14T06:24:31+00:00","og_image":[{"width":611,"height":340,"url":"https:\/\/www.simcentric.com\/wp-content\/uploads\/2025\/01\/Screenshot-2025-01-14-140356.jpg","type":"image\/jpeg"}],"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.simcentric.com\/sc\/america-dedicated-server-sc\/how-to-detect-ddos-attacks-and-track-hacker\/#article","isPartOf":{"@id":"https:\/\/www.simcentric.com\/sc\/america-dedicated-server-sc\/how-to-detect-ddos-attacks-and-track-hacker\/"},"author":{"name":"Felix 
Cheung","@id":"https:\/\/simcentric.com\/tc\/#\/schema\/person\/2865b3454f789caf7083a203799d4a6d"},"headline":"\u5982\u4f55\u68c0\u6d4bDDoS\u653b\u51fb\u5e76\u8ffd\u8e2a\u9ed1\u5ba2\uff1f","datePublished":"2025-01-14T06:04:21+00:00","dateModified":"2025-01-14T06:24:31+00:00","mainEntityOfPage":{"@id":"https:\/\/www.simcentric.com\/sc\/america-dedicated-server-sc\/how-to-detect-ddos-attacks-and-track-hacker\/"},"wordCount":29,"publisher":{"@id":"https:\/\/simcentric.com\/tc\/#organization"},"image":{"@id":"https:\/\/www.simcentric.com\/sc\/america-dedicated-server-sc\/how-to-detect-ddos-attacks-and-track-hacker\/#primaryimage"},"thumbnailUrl":"https:\/\/www.simcentric.com\/wp-content\/uploads\/2025\/01\/Screenshot-2025-01-14-140356.jpg","keywords":["\u7f8e\u56fd\u670d\u52a1\u5668\u79df\u7528\u5b89\u5168","\u9ed1\u5ba2\u8ffd\u8e2a","DDoS\u68c0\u6d4b","\u670d\u52a1\u5668\u4fdd\u62a4","\u7f51\u7edc\u5b89\u5168"],"articleSection":["\u7f8e\u56fd\u670d\u52a1\u5668"],"inLanguage":"zh-CHN"},{"@type":"WebPage","@id":"https:\/\/www.simcentric.com\/sc\/america-dedicated-server-sc\/how-to-detect-ddos-attacks-and-track-hacker\/","url":"https:\/\/www.simcentric.com\/sc\/america-dedicated-server-sc\/how-to-detect-ddos-attacks-and-track-hacker\/","name":"How to Detect DDoS Attacks and Track Hacker?","isPartOf":{"@id":"https:\/\/simcentric.com\/tc\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.simcentric.com\/sc\/america-dedicated-server-sc\/how-to-detect-ddos-attacks-and-track-hacker\/#primaryimage"},"image":{"@id":"https:\/\/www.simcentric.com\/sc\/america-dedicated-server-sc\/how-to-detect-ddos-attacks-and-track-hacker\/#primaryimage"},"thumbnailUrl":"https:\/\/www.simcentric.com\/wp-content\/uploads\/2025\/01\/Screenshot-2025-01-14-140356.jpg","datePublished":"2025-01-14T06:04:21+00:00","dateModified":"2025-01-14T06:24:31+00:00","description":"Master advanced techniques for identifying DDoS attacks and tracking cybercriminals. 
Learn practical tools and methods for protecting your US-based servers.","breadcrumb":{"@id":"https:\/\/www.simcentric.com\/sc\/america-dedicated-server-sc\/how-to-detect-ddos-attacks-and-track-hacker\/#breadcrumb"},"inLanguage":"zh-CHN","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.simcentric.com\/sc\/america-dedicated-server-sc\/how-to-detect-ddos-attacks-and-track-hacker\/"]}]},{"@type":"ImageObject","inLanguage":"zh-CHN","@id":"https:\/\/www.simcentric.com\/sc\/america-dedicated-server-sc\/how-to-detect-ddos-attacks-and-track-hacker\/#primaryimage","url":"https:\/\/www.simcentric.com\/wp-content\/uploads\/2025\/01\/Screenshot-2025-01-14-140356.jpg","contentUrl":"https:\/\/www.simcentric.com\/wp-content\/uploads\/2025\/01\/Screenshot-2025-01-14-140356.jpg","width":611,"height":340},{"@type":"BreadcrumbList","@id":"https:\/\/www.simcentric.com\/sc\/america-dedicated-server-sc\/how-to-detect-ddos-attacks-and-track-hacker\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.simcentric.com\/sc\/"},{"@type":"ListItem","position":2,"name":"\u5982\u4f55\u68c0\u6d4bDDoS\u653b\u51fb\u5e76\u8ffd\u8e2a\u9ed1\u5ba2\uff1f"}]},{"@type":"WebSite","@id":"https:\/\/simcentric.com\/tc\/#website","url":"https:\/\/simcentric.com\/tc\/","name":"Simcentric Solutions","description":"","publisher":{"@id":"https:\/\/simcentric.com\/tc\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/simcentric.com\/tc\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"zh-CHN"},{"@type":"Organization","@id":"https:\/\/simcentric.com\/tc\/#organization","name":"Simcentric 
Solutions","url":"https:\/\/simcentric.com\/tc\/","logo":{"@type":"ImageObject","inLanguage":"zh-CHN","@id":"https:\/\/simcentric.com\/tc\/#\/schema\/logo\/image\/","url":"https:\/\/www.simcentric.com\/wp-content\/uploads\/2023\/06\/sim-logo-2023.png","contentUrl":"https:\/\/www.simcentric.com\/wp-content\/uploads\/2023\/06\/sim-logo-2023.png","width":800,"height":222,"caption":"Simcentric Solutions"},"image":{"@id":"https:\/\/simcentric.com\/tc\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/simcentric.com\/tc\/#\/schema\/person\/2865b3454f789caf7083a203799d4a6d","name":"Felix Cheung","image":{"@type":"ImageObject","inLanguage":"zh-CHN","@id":"https:\/\/secure.gravatar.com\/avatar\/836e6f2be80c47f0897198ffea03fae331dad9aaafbc988c752691eb595e0e2f?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/836e6f2be80c47f0897198ffea03fae331dad9aaafbc988c752691eb595e0e2f?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/836e6f2be80c47f0897198ffea03fae331dad9aaafbc988c752691eb595e0e2f?s=96&d=mm&r=g","caption":"Felix 
Cheung"}}]}},"_links":{"self":[{"href":"https:\/\/www.simcentric.com\/sc\/wp-json\/wp\/v2\/posts\/21762","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.simcentric.com\/sc\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.simcentric.com\/sc\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.simcentric.com\/sc\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.simcentric.com\/sc\/wp-json\/wp\/v2\/comments?post=21762"}],"version-history":[{"count":2,"href":"https:\/\/www.simcentric.com\/sc\/wp-json\/wp\/v2\/posts\/21762\/revisions"}],"predecessor-version":[{"id":21764,"href":"https:\/\/www.simcentric.com\/sc\/wp-json\/wp\/v2\/posts\/21762\/revisions\/21764"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.simcentric.com\/sc\/wp-json\/wp\/v2\/media\/21759"}],"wp:attachment":[{"href":"https:\/\/www.simcentric.com\/sc\/wp-json\/wp\/v2\/media?parent=21762"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.simcentric.com\/sc\/wp-json\/wp\/v2\/categories?post=21762"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.simcentric.com\/sc\/wp-json\/wp\/v2\/tags?post=21762"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}