[Environment]: CentOS or Ubuntu
We use iptables hashlimit to determine where an attack is coming from during high-traffic periods.
I log the src IPs that exceed a threshold I have set.
I think it will be similar, but is it possible to determine where the access (attack source) is coming from in real time with tcpdump alone?
Even if you just run it normally with tcpdump -i IFNAME, it is hard to tell which host is the attack source.
If you know any technique (an option or a method) to narrow tcpdump down to hosts with abnormal access (more accesses than the other src IPs) over, say, one minute (the time window is not essential), could you tell me?
If it's impossible, I'd appreciate it if you could just tell me a few words.
linux tcpdump
If you want a quick check on Linux: tcptrack, iftop, and so on.
If you want to do it properly, it's something like NetFlow or sFlow.
http://labs.gree.jp/blog/2015/12/15515/
Beyond that, an IDS.
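The question itself (rank source IPs by packet count from tcpdump alone) can be answered with tcpdump plus awk/sort, which is what the tools above do with a nicer display. The following is an added example, not code from the original question or answer. It assumes tcpdump's -n output format ("HH:MM:SS.us IP src.port > dst.port: ..."), that the timeout command from coreutils is available, and the sample lines are constructed (RFC 5737/3849 addresses), not a real capture.

```shell
#!/bin/sh
# Added example: rank tcpdump source IPs the way hashlimit would, offline or live.

# Constructed sample lines in `tcpdump -n -q` format (not a real capture).
sample_tcpdump_lines() {
    cat <<'EOF'
12:00:00.000001 IP 203.0.113.5.51234 > 198.51.100.10.80: tcp 0
12:00:00.000002 IP 203.0.113.5.51235 > 198.51.100.10.80: tcp 0
12:00:00.000003 IP 192.0.2.44.40000 > 198.51.100.10.80: tcp 0
12:00:00.000004 IP 203.0.113.5.51236 > 198.51.100.10.443: tcp 0
12:00:00.000005 IP6 2001:db8::9.60000 > 2001:db8::10.80: tcp 0
12:00:00.000006 IP 203.0.113.5.51237 > 198.51.100.10.80: tcp 0
12:00:00.000007 IP 192.0.2.44.40001 > 198.51.100.10.80: tcp 0
EOF
}

# Read `tcpdump -n` lines on stdin, print "count src_ip" sorted by count (desc).
# Field 2 is the protocol tag (IP / IP6; ARP etc. are skipped), field 3 is
# "src.port"; the trailing ".port" is stripped so all ports from one host merge.
count_src_ips() {
    awk '($2 == "IP" || $2 == "IP6") {
             src = $3; sub(/\.[0-9]+$/, "", src); c[src]++
         }
         END { for (ip in c) printf "%d %s\n", c[ip], ip }' | sort -rn
}

# Top N talkers (default 10).
top_src_ips() {
    count_src_ips | head -n "${1:-10}"
}

# Only sources at or above a packet-count threshold, like a hashlimit hit.
srcs_over_threshold() {
    count_src_ips | awk -v t="$1" '$1 >= t'
}

# Live use (not executed here): watch IFNAME for 60 seconds, count only
# connection attempts (SYN without ACK), print the 10 busiest source IPs.
# -n: no DNS lookups (slow and leaks probes), -l: line-buffered so the
# pipe sees packets as they arrive, -q: short one-line output.
live_top_syn_sources() {
    ifname="$1"; secs="${2:-60}"
    timeout "$secs" tcpdump -i "$ifname" -n -q -l \
        'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' 2>/dev/null | top_src_ips 10
}

# Demo on the constructed sample: expect 203.0.113.5 first with 4 packets.
sample_tcpdump_lines | top_src_ips 3
```

The same pipeline works on a saved capture (tcpdump -n -q -r file.pcap | top_src_ips), and changing the BPF filter changes what "access" means: drop the SYN filter to count all packets, or use "udp and dst port 53" for a resolver. Note that a small, constant per-host rate would still sit under the threshold, so compare against the normal baseline for the box rather than picking an absolute number.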
If you know any technique (an option or a method) to narrow tcpdump down to hosts with abnormal access (more accesses than the other src IPs) over, say, one minute (the time window is not essential), could you tell me?
I don't have any.
© 2024 OneMinuteCode. All rights reserved.