check dos or ddos attack in Nagios

kaushalshriyan · Post by **kaushalshriyan** » Thu Oct 25, 2018 12:35 pm

Hi,

Is there a way to monitor DOS or DDOS attack in Nagios. For example i see multiple requests from a specific IP bombarding the web services.

Best Regards,

Kaushal

npolovenko · Post by **npolovenko** » Fri Oct 26, 2018 9:48 am

Hello, @kaushalshriyan. You could use the check_ddos.pl plugin. I'll attach the description in a text file.
Here's another plugin:
https://exchange.nagios.org/directory/P ... os/details

kaushalshriyan · Post by **kaushalshriyan** » Sat Oct 27, 2018 5:08 am

Hi npolovenko,

Thanks for your reply and much appreciated. I have a follow-up question. Is there a difference between SYN_RECV and SYN_flood (https://en.wikipedia.org/wiki/SYN_flood) Network packets?

Code: Select all

/usr/lib/nagios/plugins/check_ddos.pl
check_ddos.pl 0.4
usage: check_ddos.pl [options]
 -h: Print the command line help
 -v: Print the program version
 -w <int>: Warning value (number of SYN_RECV)
 -c <int>: Critical value (number of SYN_RECV)

Thanks in Advance and looking forward to hearing from you.

Best Regards,

Kaushal

npolovenko · Post by **npolovenko** » Mon Oct 29, 2018 3:01 pm

@kaushalshriyan, SYN_RECV stands for SYN-RECEIVED.

The TCP SYN-RECEIVED state is used to indicate that the connection is only half open, and that the legitimacy of the request is still in question.

https://www.cisco.com/c/en/us/about/pre ... tacks.html

Nagios Support Forum

check dos or ddos attack in Nagios

check dos or ddos attack in Nagios

Re: check dos or ddos attack in Nagios

Re: check dos or ddos attack in Nagios

Re: check dos or ddos attack in Nagios