joaoceron / ddos_dissector

DDoS Dissector repository -- for the development of a tool responsible for (1) dissecting network traffic (pcap, pcapng, NetFlow v5, v9, IPFIX, and sFlow), (2) identifying and generating DDoS attack fingerprints (a .json file with a summary of the network characteristics of an attack vector) for each attack vector found, and (3) filtering and anonymising the input network trace (so that only the attack vectors remain)


DDoS Dissector Repository

This repository contains the development of the DDoS Dissector tool (ddos_dissector_cli). The tool is intended for post-mortem analysis of network traces that contain one or more DDoS attacks. It dissects the input network traffic (pcap, pcapng, NetFlow v5, v9, IPFIX*, and sFlow*) and extracts a summary of the main characteristics of each attack vector, called a DDoS attack fingerprint. Each fingerprint is a file in .json format.

In addition to the DDoS attack fingerprints, the DDoS Dissector also outputs, per attack vector, a filtered and anonymised network trace (containing ONLY that attack vector).

Dependencies

The list of dependencies and a bash script that installs them can be found here. Instead of using the bash script, you can install the Python libraries manually (pip3 install -r src/requirements.txt), together with Tshark and Bit-Twist.

How to use it?

To test the DDoS Dissector tool you need a network trace that contains a DDoS attack (.pcap, .pcapng, NetFlow, ...). Some attack traces are publicly available from SimpleWeb, from the Centre for Research on Cryptography and Security of Masaryk University, from CAIDA, and others. You can also download any .pcap file from ddosdb.org.

python3 ddos_dissector_cli.py --input <attack_trace_path.pcap>

The output (fingerprints, anonymised filtered attack vectors, and a log file) is written to the folder 'output'.
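The three steps the tool performs (find the target, summarise the dominant vector aimed at it into a fingerprint, then keep only that vector's packets with the victim address pseudonymised) are illustrated below on an in-memory packet list. This is an added example, not code from ddos_dissector, and it makes no claim about the real tool's fingerprint schema or anonymisation method: the field names, the 50% target-share threshold, the HMAC-based pseudonym and the sample packets are all assumptions constructed for the illustration.

```python
"""Added illustration of dissect -> fingerprint -> filter/anonymise.

Not the ddos_dissector code. Packets are plain tuples instead of a pcap so the
example runs offline; the real tool reads traces via Tshark.
"""
import hashlib
import hmac
import json
from collections import Counter

# Constructed sample trace: (src_ip, dst_ip, proto, src_port, dst_port, bytes).
# Six DNS responses from five reflectors flood 203.0.113.10 (source port 53),
# plus three packets of unrelated background traffic.
PACKETS = [
    ("198.51.100.1", "203.0.113.10", "UDP", 53, 41234, 1200),
    ("198.51.100.2", "203.0.113.10", "UDP", 53, 41234, 1180),
    ("198.51.100.3", "203.0.113.10", "UDP", 53, 41234, 1220),
    ("198.51.100.4", "203.0.113.10", "UDP", 53, 41234, 1200),
    ("198.51.100.5", "203.0.113.10", "UDP", 53, 41234, 1190),
    ("198.51.100.1", "203.0.113.10", "UDP", 53, 41234, 1210),
    ("192.0.2.7", "203.0.113.10", "TCP", 51000, 443, 60),    # legitimate client
    ("203.0.113.10", "192.0.2.7", "TCP", 443, 51000, 1500),  # its reply
    ("192.0.2.8", "203.0.113.20", "UDP", 123, 123, 76),      # NTP elsewhere
]

# Assumption: a host counts as the target only if it receives >= 50% of packets.
TARGET_SHARE_THRESHOLD = 0.5


def find_target(packets):
    """Step 1: the destination receiving the largest share of the trace,
    as (ip, share), or None when no single host dominates."""
    dst, n = Counter(p[1] for p in packets).most_common(1)[0]
    share = n / len(packets)
    return (dst, share) if share >= TARGET_SHARE_THRESHOLD else None


def build_fingerprint(packets, target):
    """Step 2: summarise the dominant (protocol, source port) vector aimed at target."""
    to_target = [p for p in packets if p[1] == target]
    (proto, sport), n = Counter((p[2], p[3]) for p in to_target).most_common(1)[0]
    matching = [p for p in to_target if (p[2], p[3]) == (proto, sport)]
    return {
        "target": target,
        "protocol": proto,
        "src_port": sport,
        "packets": n,
        "distinct_sources": len({p[0] for p in matching}),
        "avg_bytes": sum(p[5] for p in matching) / n,
        "share_of_trace": n / len(packets),
    }


def filter_vector(packets, fp):
    """Keep only the packets that belong to the fingerprinted vector."""
    return [p for p in packets
            if p[1] == fp["target"] and p[2] == fp["protocol"] and p[3] == fp["src_port"]]


def pseudonymise(ip, key):
    """Keyed, deterministic pseudonym: the same host gets the same token across
    vectors of one trace, but the real address cannot be recovered without the key."""
    return "anon-" + hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:12]


def anonymise(packets, fp, key):
    """Step 3: replace the victim address in the filtered packets and the fingerprint."""
    token = pseudonymise(fp["target"], key)
    anon_fp = dict(fp, target=token)
    anon_packets = [(p[0], token, *p[2:]) for p in packets]
    return anon_fp, anon_packets


def dissect(packets, key=b"constructed-demo-key"):
    """Run the three steps; returns (fingerprint, packets) or None if no attack stands out."""
    found = find_target(packets)
    if found is None:
        return None
    fp = build_fingerprint(packets, found[0])
    return anonymise(filter_vector(packets, fp), fp, key)


if __name__ == "__main__":
    fingerprint, kept = dissect(PACKETS)
    print(json.dumps(fingerprint, indent=2))
    print(len(kept), "packets kept for this vector")
```

With the constructed trace the fingerprint reports a UDP vector from source port 53 with 6 packets from 5 distinct sources, and only those 6 packets survive filtering; the victim's address appears nowhere in the output, only its pseudonym. Note that the pseudonym key must be kept as secret as the original trace: whoever has it can confirm a guessed victim address by recomputing the HMAC.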

Would you like to contribute with data?

To contribute data (output from the DDoS Dissector tool), you must first request authorization from the admins of ddosdb. After you receive confirmation that your account is authorized to upload data, edit settings.py to add your USERNAME and PASSWORD. Because these are stored in plaintext, keep your edited settings.py out of version control and readable only by your own user.


Languages

Python 93.9%, Shell 6.1%