check dos or ddos attack in Nagios
Posted: Thu Oct 25, 2018 12:35 pm
by kaushalshriyan
Hi,
Is there a way to monitor a DoS or DDoS attack in Nagios? For example, I see multiple requests from a specific IP bombarding the web services.
Best Regards,
Kaushal
Re: check dos or ddos attack in Nagios
Posted: Fri Oct 26, 2018 9:48 am
by npolovenko
Hello,
@kaushalshriyan, you could use the check_ddos.pl plugin. I'll attach the description in a text file.
Here's another plugin:
https://exchange.nagios.org/directory/P ... os/details
Re: check dos or ddos attack in Nagios
Posted: Sat Oct 27, 2018 5:08 am
by kaushalshriyan
Hi npolovenko,
Thanks for your reply, much appreciated. I have a follow-up question. Is there a difference between SYN_RECV and SYN_flood (https://en.wikipedia.org/wiki/SYN_flood) network packets?
/usr/lib/nagios/plugins/check_ddos.pl
check_ddos.pl 0.4
usage: check_ddos.pl [options]
-h: Print the command line help
-v: Print the program version
-w <int>: Warning value (number of SYN_RECV)
-c <int>: Critical value (number of SYN_RECV)
Thanks in advance, and I'm looking forward to hearing from you.
Best Regards,
Kaushal
Re: check dos or ddos attack in Nagios
Posted: Mon Oct 29, 2018 3:01 pm
by npolovenko
@kaushalshriyan, SYN_RECV stands for SYN-RECEIVED.
The TCP SYN-RECEIVED state is used to indicate that the connection is only half open, and that the legitimacy of the request is still in question.
https://www.cisco.com/c/en/us/about/pre ... tacks.html
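An added example, not part of the thread and not the code of the check_ddos.pl plugin quoted above: a Python check in the same spirit that counts sockets in the SYN-RECEIVED state (state code 03 in the Linux /proc/net/tcp table), applies -w/-c thresholds to the total count the way check_ddos.pl's usage text describes, and additionally breaks the count down by remote IP so that a single source bombarding the service stands out. The /proc/net/tcp lines in SAMPLE_PROC_NET_TCP are constructed sample data using TEST-NET addresses; the function names and the `syn_recv` perfdata label are assumptions of this example.

```python
#!/usr/bin/env python3
"""Nagios-style check counting half-open (SYN-RECEIVED) TCP sockets.

Added example, not the check_ddos.pl plugin. It parses the Linux
/proc/net/tcp table (IPv4), counts entries whose state column is 03
(SYN_RECV), and returns the usual Nagios exit codes for -w/-c thresholds.
"""
import argparse
import socket
import struct
import sys

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
STATUS = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL", UNKNOWN: "UNKNOWN"}
SYN_RECV = "03"  # value of the 'st' column for SYN-RECEIVED in /proc/net/tcp

# Constructed sample of /proc/net/tcp as printed on a little-endian host:
# one LISTEN socket, one ESTABLISHED connection from 192.0.2.1, five
# half-open connections from 198.51.100.23 and two from 203.0.113.9.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 15000 1 0000000000000000 100 0 0 10 0
   1: 0F00020A:0050 010200C0:D2A1 01 00000000:00000000 00:00000000 00000000    33        0 15001 1 0000000000000000 20 4 30 10 -1
   2: 0F00020A:0050 176433C6:C001 03 00000000:00000000 01:00000012 00000001     0        0 0 1 0000000000000000 20 4 0 10 -1
   3: 0F00020A:0050 176433C6:C002 03 00000000:00000000 01:00000012 00000001     0        0 0 1 0000000000000000 20 4 0 10 -1
   4: 0F00020A:0050 176433C6:C003 03 00000000:00000000 01:00000012 00000001     0        0 0 1 0000000000000000 20 4 0 10 -1
   5: 0F00020A:0050 176433C6:C004 03 00000000:00000000 01:00000012 00000001     0        0 0 1 0000000000000000 20 4 0 10 -1
   6: 0F00020A:0050 176433C6:C005 03 00000000:00000000 01:00000012 00000001     0        0 0 1 0000000000000000 20 4 0 10 -1
   7: 0F00020A:0050 097100CB:A010 03 00000000:00000000 01:00000012 00000001     0        0 0 1 0000000000000000 20 4 0 10 -1
   8: 0F00020A:0050 097100CB:A011 03 00000000:00000000 01:00000012 00000001     0        0 0 1 0000000000000000 20 4 0 10 -1
"""


def parse_proc_net_tcp(text, byte_order="<"):
    """Return a list of (remote_ip, state) tuples, one per socket line."""
    sockets = []
    for line in text.splitlines()[1:]:  # the first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        rem_hex = fields[2].split(":")[0]
        # The kernel prints the IPv4 address as one hex word in host byte
        # order; the sample above came from a little-endian host ("<").
        ip = socket.inet_ntoa(struct.pack(byte_order + "I", int(rem_hex, 16)))
        sockets.append((ip, fields[3]))
    return sockets


def syn_recv_by_source(sockets):
    """Count SYN_RECV (half-open) entries per remote IP address."""
    counts = {}
    for ip, state in sockets:
        if state == SYN_RECV:
            counts[ip] = counts.get(ip, 0) + 1
    return counts


def status_for(total, warn, crit):
    """Map the total number of half-open connections to a Nagios state."""
    if total >= crit:
        return CRITICAL
    if total >= warn:
        return WARNING
    return OK


def check(text, warn, crit, byte_order="<"):
    """Evaluate a /proc/net/tcp dump; return (exit_code, status_line)."""
    if warn > crit:
        return UNKNOWN, "SYN_RECV UNKNOWN - warning threshold exceeds critical"
    counts = syn_recv_by_source(parse_proc_net_tcp(text, byte_order))
    total = sum(counts.values())
    code = status_for(total, warn, crit)
    # Report the three busiest sources so a single flooding IP is visible.
    top = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:3]
    sources = ", ".join(f"{ip}={n}" for ip, n in top) or "none"
    line = (f"SYN_RECV {STATUS[code]} - {total} half-open connections, "
            f"top sources: {sources} | syn_recv={total};{warn};{crit};0")
    return code, line


def main(argv):
    parser = argparse.ArgumentParser(description="Count SYN_RECV sockets")
    parser.add_argument("-w", type=int, required=True, help="warning threshold")
    parser.add_argument("-c", type=int, required=True, help="critical threshold")
    parser.add_argument("--file", default="/proc/net/tcp", help="table to read")
    args = parser.parse_args(argv)
    try:
        with open(args.file) as fh:
            text = fh.read()
    except OSError as exc:
        print(f"SYN_RECV UNKNOWN - cannot read {args.file}: {exc}")
        return UNKNOWN
    code, line = check(text, args.w, args.c, byte_order="=")  # native order on a live host
    print(line)
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run on a live host as `check_syn_recv.py -w 50 -c 200`; on the constructed sample, `-w 5 -c 10` yields WARNING with 7 half-open connections and 198.51.100.23 listed first. The thresholds apply to the total just as in the usage text quoted above; the per-source breakdown is what answers the original question about one IP hammering the service, and a SYN flood from spoofed sources would show up as a high total spread across many addresses rather than one dominant one.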