ipflood-1.0-5mdv2010.0.i586.rpm

IP Flood Detector 1.0
Dennis Opacki
dopacki@adotout.com


What is IP Flood Detector?  

IP Flood Detector is a derivative of an earlier project, DNS Flood Detector.
Much like DNS Flood Detector, which offers system managers insight into how
Internet users are interacting with recursive DNS servers, IP Flood Detector
provides managers with an audit trail of TCP, UDP and ICMP packet floods
directed at Internet-facing servers. When the packet rate from a source
exceeds a specified threshold, IP Flood Detector will syslog the offending
IP address, along with the associated protocol and traffic volume. IP Flood
Detector is distributed under the GNU General Public License (see the
included LICENSE file for details).

How does it work?    

IP Flood Detector uses libpcap (in non-promiscuous mode, so only traffic
addressed to the watched interface is seen) to monitor incoming TCP, UDP and
ICMP traffic to a server. The tool may be run in one of two modes, either
daemon mode or "bindsnap" mode. In daemon mode, the tool will alarm via
syslog. In bindsnap mode, the user is able to get near-real-time stats on
usage to aid in more detailed troubleshooting. Packets are counted per
source address and protocol in fixed-length windows; when a source's rate
exceeds the -t threshold an alarm is raised, and the alarm is cleared again
after the -a interval so that a sustained flood is logged repeatedly rather
than once. By default, it will ignore traffic sourced from any address in
the same network as the interface being watched; the -A, -M and -Q options
can be used to modify this behaviour.
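The following is an added example, not code from ipflood itself: a small
Python model of the rate accounting described above (per source and
protocol, fixed windows, a threshold, an alarm reset interval and a local
network exclusion), run over a constructed packet list in place of libpcap.
The class name, the option names and the local network 192.0.2.0/24 are
assumptions made for the illustration; ipflood's real bucket layout is not
reproduced here.

```python
"""Model of IP Flood Detector's per-source rate accounting (added example,
not part of ipflood). Packets are (timestamp_seconds, source_ip, protocol)
tuples standing in for what libpcap would deliver."""
import ipaddress

# Constructed sample traffic (not captured data):
#   203.0.113.7  sends a UDP burst far above threshold, twice, 12 s apart
#   192.0.2.9    is on the "local" network and is ignored by default
#   198.51.100.3 stays well under threshold
SAMPLE_PACKETS = (
    [(0.0 + i * 0.002, "203.0.113.7", "UDP") for i in range(400)]    # 400 pps in second 0
    + [(0.5, "198.51.100.3", "TCP")] * 20                             # 20 pps, benign
    + [(0.1 + i * 0.001, "192.0.2.9", "ICMP") for i in range(600)]   # local source
    + [(1.0 + i * 0.003, "203.0.113.7", "UDP") for i in range(300)]  # still flooding
    + [(2.5, "203.0.113.7", "UDP")]                                   # trickle, closes window
    + [(12.0 + i * 0.002, "203.0.113.7", "UDP") for i in range(400)] # burst after reset
    + [(13.5, "198.51.100.3", "TCP")]
)


class FloodDetector:
    """Counts packets per (source, protocol) in windows of `window_secs`
    (cf. -w), alarms when a window's rate exceeds `threshold_pps` (cf. -t)
    and re-arms the alarm after `reset_secs` (cf. -a). `local_net` is an
    assumed stand-in for the interface's own network (cf. -A/-M/-Q)."""

    def __init__(self, threshold_pps, window_secs=1.0, reset_secs=10.0,
                 local_net="192.0.2.0/24", filter_local=True):
        self.threshold = threshold_pps
        self.window = window_secs
        self.reset = reset_secs
        self.local_net = ipaddress.ip_network(local_net)
        self.filter_local = filter_local
        self.window_start = None
        self.counts = {}       # (src, proto) -> packets seen in the current window
        self.alarmed_at = {}   # (src, proto) -> window end at which we last alarmed
        self.log = []          # syslog stand-in: (window_end, src, proto, rate)

    def _flush(self, window_end):
        """Close the current window: compute each source's rate and alarm on
        those over threshold whose previous alarm has expired."""
        for (src, proto), n in self.counts.items():
            rate = n / self.window
            if rate <= self.threshold:
                continue
            last = self.alarmed_at.get((src, proto))
            if last is None or window_end - last >= self.reset:
                self.alarmed_at[(src, proto)] = window_end
                self.log.append((window_end, src, proto, rate))
        self.counts.clear()

    def observe(self, ts, src, proto):
        """Account one inbound packet; local sources are dropped unless
        filter_local is False (the -Q behaviour)."""
        if self.filter_local and ipaddress.ip_address(src) in self.local_net:
            return
        bucket = int(ts // self.window) * self.window
        if self.window_start is None:
            self.window_start = bucket
        elif bucket != self.window_start:
            self._flush(self.window_start + self.window)
            self.window_start = bucket
        self.counts[(src, proto)] = self.counts.get((src, proto), 0) + 1

    def finish(self):
        """Flush the last partial window and return the alarm log."""
        if self.window_start is not None:
            self._flush(self.window_start + self.window)
        return self.log


def run(packets, **opts):
    """Feed packets to a detector in timestamp order; return the alarm log."""
    det = FloodDetector(**opts)
    for ts, src, proto in sorted(packets, key=lambda p: p[0]):
        det.observe(ts, src, proto)
    return det.finish()


def format_alarm(entry):
    """Render one log entry the way a syslog line might read."""
    window_end, src, proto, rate = entry
    return f"t={window_end:.0f}s flood from {src} proto={proto} rate={rate:.0f} pps"


if __name__ == "__main__":
    for entry in run(SAMPLE_PACKETS, threshold_pps=100):
        print(format_alarm(entry))
```

With a threshold of 100 pps the sample yields two alarms for 203.0.113.7,
at the end of second 0 and again at the end of second 12, because the
second-1 flood falls inside the 10 s reset interval; passing
filter_local=False adds a third alarm for the local ICMP source.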

How do I build it?

Execute ./configure.pl to select the appropriate make target. Then simply
type "make".

Why was it written?  

I wrote IP Flood Detector because a limited number of tools are available
to identify ongoing network attacks at the host level. Further, some attacks
may go unnoticed by traditional monitoring tools. I wanted an audit trail
of who was flooding the servers I am responsible for, when, and for how long.

What do I need to use it?  

You need libpcap and a little bit of patience.

What platforms does it work on?

Linux, BSDI, FreeBSD, Mac OSX, Solaris

Will it run under Windows {95,98,NT,2000,XP}?  

Maybe. I haven't tried. If it doesn't, feel free to submit a fix. 

What does it look like?  

Usage: ./ip_flood_detector [OPTION]

-i IFNAME               specify device name to listen on
-t N                    alarm at >N queries per second
-a N                    reset alarm after N seconds
-w N                    calculate stats every N seconds
-x N                    create N buckets
-m N                    report overall stats every N seconds
-A addr                 filter for specific address
-M mask                 netmask for filter (in conjunction with -A)
-Q                      don't filter by local interface address
-b                      run in foreground in bindsnap mode
-d                      run in background in daemon mode
-v                      verbose output - use again for more verbosity
-h                      display this usage information


What if I have questions?  

You can e-mail me at dopacki@adotout.com