Package SSF.App.DDoS

DDoS demo package.


Class Summary
CD_DDoSTracer Cross Domain DDoS Tracer
DDoSMessage Protocol Message used by the DDoS Sessions.
DDoSMonitor Used to monitor the process of DDoS hosts, generating data used in animation (demo).
DDoSSession This does NOT have many of the features of DDoSSessionRand; use DDoSSessionRand instead unless you want full control of the attacking relay network.
DDoSSessionRand DDoS Session, the attacker chooses masters and agents randomly.
DestList Temporarily used Destination List tool in DDoS trace back.
DestList_2 Temporarily used Destination List tool in DDoS trace back.
DestList_3 Temporarily used Destination List tool in DDoS trace back.
httpServer_WM A simple HTTP server traffic generator.
RequestsMonitor Used to monitor the requests received by a httpServer.
SD_DDoSTracer Temporarily used DDoS Tracer in a single domain.
SpoofFloodTracer Version 1.0.4. Traces a flood of spoofed IP packets with a given destination address.
SYNMonitor Used to monitor the SYNs that arrive at or pass through a httpServer.

Package SSF.App.DDoS Description

DDoS demo package.

This package provides facilities to set up a DDoS attack scenario in an SSFNet simulation. DDoSSession and DDoSSessionRand are the two protocol session implementations of DDoS SYN attacks. The latter chooses the hosts to be hijacked randomly.

The package also includes a few preliminary tools used to analyze NetFlow data collected in the DDoS experiments. The DestList_x tools are a set of tools that list the suspicious addresses when doing trace back. CD_DDoSTracer is the "cross domain DDoS tracer", and it aims at locating the AS from which the attack was launched. SD_DDoSTracer is the "single domain DDoS tracer", and it continues the effort to locate the attacker once the attacking AS has been located.

SpoofFloodTracer is used to trace the source ASes (domains) of a flooding attack. In this context they are often the domains where DDoS agents are located.

Notice: 1) To cooperate with the experiment, an extended flow collector, SSF.OS.NetFlow.IpFlowCollectorWD, is used. It provides "domain information" that is easy to collect in the real world but not that obvious even to specify in a simulation. 2) Locating the attacker by analyzing the traffic pattern has its limitations, especially when the attacker is aware of the existence of such devices and tries to cover his tracks.

Yougu Yuan
Last modified: Mon Jan 28 16:30:14 EST 2002