Automated DDoS & DoS Detection and Response System

Once you deploy the setup, you don't have to worry about DDoS & DoS attacks. It automatically secures your application by continuously analysing its logs through a Jenkins pipeline and ML.

Created on 13th December 2020

The problem Automated DDoS & DoS Detection and Response System solves

DDoS & DoS attacks have been notorious since they were first discovered. During the pandemic, businesses moved online at an exponential rate and, in doing so, enlarged the attack surface for these attacks, which cause heavy losses both financially and to a company's image in the market. This is not a kind of attack that can be solved once and for all, because it keeps rotating among Layers 7, 3 and 4, but it can be handled most of the time. Our solution is therefore a combination of ML (Machine Learning), DevOps and Security, which can be classified as MLDevSecOps. It addresses attacks at all three layers from a single web server log file. We can rely on this solution because it uses the K-Means clustering algorithm to separate out the blacklist IPs. We used Jenkins to automate this architecture as two pipelines that run every two minutes: one fetches the code, and the other takes the log file, performs data cleaning and pre-processing, and then runs the clustering algorithm, comparing the number of requests and the status codes coming from each single IP. This also covers every page under attack, so it is effective and fast at the same time.

Challenges we ran into

  1. Getting varied data was a challenge, so we created our own real-life setup. We ran the httpd web server in a Docker container and took the log out through an attached volume. Then we set up many Kali Linux Docker containers and used slowloris to create DDoS attacks. We then ran the Jenkins pipeline once, after which it performs the detection and blocking automatically every two minutes; the interval can be changed in the code to suit our needs.
  2. Data pre-processing was a task in itself. We built a custom shell script for it, using basic Linux commands such as "sed".
  3. We wanted it to be automated and continuous, so we used Jenkins to automate it.
  4. Feature selection on the data: we had to choose which factors to compare to create the blacklist of IPs. We finally chose the number of requests and the status code of each IP. By doing so, attacks on each page of the application can be detected and responded to, and all layers of attack are covered.
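
As an added illustration of the detection step described above and in this list (example code, not the project's own): parse httpd access-log lines, build per-IP features (request count and share of 4xx/5xx responses), normalise them, and run a small 2-means clustering so the high-volume cluster becomes the blacklist. The log lines are constructed, the regex and the normalisation step are assumptions, and the project's Jenkins and shell wiring is not reproduced.

```python
import re
from collections import defaultdict

# Constructed httpd common-log lines (not project data): two browsing clients and two
# slowloris-style clients that flood the server and mostly receive 408/503 responses.
SAMPLE_LOG = "\n".join(
    f'{ip} - - [13/Dec/2020:10:00:00 +0000] "GET / HTTP/1.1" {status} 512'
    for ip, status, n in [("10.0.0.5", 200, 3), ("10.0.0.7", 200, 2), ("10.0.0.7", 404, 1),
                          ("172.17.0.3", 408, 40), ("172.17.0.4", 503, 35)] for _ in range(n)
) + "\n<garbage line>"

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3}) \S+')
def parse_features(log_text):
    """Per-IP [request count, share of 4xx/5xx responses]; lines that do not parse are dropped."""
    stats = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            stats[m.group(1)][0] += 1
            stats[m.group(1)][1] += int(m.group(2)) >= 400
    return {ip: [n, err / n] for ip, (n, err) in stats.items()}

def _normalise(vectors):
    """Scale each feature to [0, 1] so raw request counts do not dominate the distance."""
    lo, hi = [min(c) for c in zip(*vectors)], [max(c) for c in zip(*vectors)]
    return [[(x - l) / (h - l) if h > l else 0.0 for x, l, h in zip(v, lo, hi)] for v in vectors]

def kmeans_2(points, iters=25):
    """Plain 2-means seeded with the lowest and highest point; returns (labels, centroids)."""
    cents = [min(points), max(points)]
    for _ in range(iters):
        labels = [0 if sum((a - b) ** 2 for a, b in zip(p, cents[0]))
                  <= sum((a - b) ** 2 for a, b in zip(p, cents[1])) else 1 for p in points]
        new = []
        for k in (0, 1):
            members = [p for p, lab in zip(points, labels) if lab == k]
            new.append([sum(c) / len(members) for c in zip(*members)] if members else cents[k])
        if new == cents:
            break
        cents = new
    return labels, cents

def blacklist(log_text):
    feats = parse_features(log_text)
    if not feats:
        return set()
    ips = sorted(feats)
    labels, cents = kmeans_2(_normalise([feats[ip] for ip in ips]))
    hot = 0 if cents[0][0] > cents[1][0] else 1  # cluster whose centroid has the higher request volume
    return {ip for ip, lab in zip(ips, labels) if lab == hot}
```

The returned set is what the pipeline's blocking step would consume; on the constructed sample it contains only the two flooding clients.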

NOTE: The YouTube video is long, so start it at 2:33.
