FloodMon

Recently, a rootkit infected a customer's Linux machine. It went unnoticed for almost 10 hours, until one of their users could not get proper output from netstat. The machine was spewing a SYN flood onto the network at random times, and we could not actually see the entries in netstat. We then remembered FloodMon.

FloodMon is an open source Perl script that runs as a daemon, constantly monitoring a server to detect SYN flood attacks. It does not rely on other applications that behave like netstat; instead, it reads all connection information straight from '/proc/net' and '/proc/sys/net'. This feature really helped us! FloodMon also tunes the TCP/IP stack: queue sizes, timeouts, retransmission counts and so on, with every change made in real time through the '/proc' pseudo-filesystem. It can null-route entire subnets (/8, /16 or /24) and block remote ports at a high rate, and it has four protection levels, each with its own configuration. With a null route, packets for the matching subnet are dropped rather than forwarded, which cuts off the offending hosts and limits further damage. After acting, it can alert you by e-mail and/or SMS. Isn't it cool?

Installation is very simple. All you need is admin (root) access to set a few permissions and copy the files to their respective locations. You also need the Perl modules Time::HiRes, MIME::QuotedPrint and Net::Pcap. FloodMon calls the following programs to do its work: iproute, iptables, sendmail and wget.

The latest version is v0.9.3, which was released on 25-June-2009.

You can find more information about this tool and download it here.
