
python ddos_python: checking whether a DDoS attack is present

Published: 2023/12/10 | python | 33 | 豆豆

```python
#!/usr/bin/python
# coding=utf-8
import dpkt
import socket
import optparse

# Default threshold for the number of abnormal packets: 1000
THRESH = 1000


def findDownload(pcap):
    for (ts, buf) in pcap:
        try:
            eth = dpkt.ethernet.Ethernet(buf)
            ip = eth.data
            src = socket.inet_ntoa(ip.src)
            # Get the TCP data
            tcp = ip.data
            # Parse the HTTP request carried on top of TCP
            http = dpkt.http.Request(tcp.data)
            # A GET whose request line contains both ".zip" and "loic"
            # is treated as a LOIC download
            if http.method == 'GET':
                uri = http.uri.lower()
                if '.zip' in uri and 'loic' in uri:
                    print("[!] " + src + " Downloaded LOIC.")
        except Exception:
            # Skip packets that are not IPv4/TCP or do not parse as HTTP
            pass


def findHivemind(pcap):
    for (ts, buf) in pcap:
        try:
            eth = dpkt.ethernet.Ethernet(buf)
            ip = eth.data
            src = socket.inet_ntoa(ip.src)
            dst = socket.inet_ntoa(ip.dst)
            tcp = ip.data
            dport = tcp.dport
            sport = tcp.sport
            # tcp.data is bytes under Python 3, so match a bytes literal
            # and decode only for printing
            cmd = tcp.data.decode('utf-8', 'replace')
            # Destination port 6667 with a "!lazor" command: a member is
            # submitting an attack command
            if dport == 6667:
                if b'!lazor' in tcp.data.lower():
                    print('[!] DDoS Hivemind issued by: ' + src)
                    print('[+] Target CMD: ' + cmd)
            # Source port 6667 with a "!lazor" command: the server is
            # publishing the attack message to the members of the HIVE,
            # so the recipient is dst (the original printed src here)
            if sport == 6667:
                if b'!lazor' in tcp.data.lower():
                    print('[!] DDoS Hivemind issued to: ' + dst)
                    print('[+] Target CMD: ' + cmd)
        except Exception:
            # Skip packets that are not IPv4/TCP
            pass


def findAttack(pcap):
    pktCount = {}
    for (ts, buf) in pcap:
        try:
            eth = dpkt.ethernet.Ethernet(buf)
            ip = eth.data
            src = socket.inet_ntoa(ip.src)
            dst = socket.inet_ntoa(ip.dst)
            tcp = ip.data
            dport = tcp.dport
            # Count how many packets each src address sends to port 80
            # of each destination address
            if dport == 80:
                stream = src + ':' + dst
                if stream in pktCount:
                    pktCount[stream] = pktCount[stream] + 1
                else:
                    pktCount[stream] = 1
        except Exception:
            # Skip packets that are not IPv4/TCP
            pass

    for stream in pktCount:
        pktsSent = pktCount[stream]
        # Above the configured threshold: treat it as a DDoS attack
        if pktsSent > THRESH:
            src = stream.split(':')[0]
            dst = stream.split(':')[1]
            print('[+] ' + src + ' attacked ' + dst + ' with ' + str(pktsSent) + ' pkts.')


def main():
    # Without this declaration the -t option would only set a local
    # variable and findAttack() would keep using the default threshold
    global THRESH

    parser = optparse.OptionParser("[*]Usage python findDDoS.py -p <pcap file> -t <thresh>")
    parser.add_option('-p', dest='pcapFile', type='string', help='specify pcap filename')
    parser.add_option('-t', dest='thresh', type='int', help='specify threshold count ')
    (options, args) = parser.parse_args()

    if options.pcapFile is None:
        print(parser.usage)
        return

    if options.thresh is not None:
        THRESH = options.thresh

    pcapFile = options.pcapFile

    # A pcap reader can only be iterated once here, so the original calls
    # are commented out and replaced below
    # f = open(pcapFile)
    # pcap = dpkt.pcap.Reader(f)
    # findDownload(pcap)
    # findHivemind(pcap)
    # findAttack(pcap)

    # pcap files are binary, so open them in 'rb' mode
    with open(pcapFile, 'rb') as f:
        pcap = dpkt.pcap.Reader(f)
        findDownload(pcap)

    with open(pcapFile, 'rb') as f:
        pcap = dpkt.pcap.Reader(f)
        findHivemind(pcap)

    with open(pcapFile, 'rb') as f:
        pcap = dpkt.pcap.Reader(f)
        findAttack(pcap)


if __name__ == '__main__':
    main()
```
