This repository contains DDiDD software, which decides what filter to activate and deactivate depending on the perceived load on the server. (Please see the enclosed README for instructions.)
ddidd -h/ -r FOLDER -s EPOCH -b NUM -l NUM -m SECS [-w FILE] [-H FILE] [-u FILE] [-F FILE] [-T PTS] [-e EXT] [-a ATFILE] [-q QUERY] [-n NLIM]
- Display help
- Read input files in pcap.xz format from this folder
- Start reading around 300 seconds before this attack start time
- How many times above the avg number of requests we can allow.
- In case that avg requests are zero, this is absolute number of requests we will allow
- Run for this number of seconds (usually duration of the attack)
- Optional training file for WR filter
- Opional training file for HCF filter
- Optional training file for UR filter
- Optional training file for FQ filter
- Optional deviance score threshold for WR filter
- Optional file extension. In case folder has files for several POPs, only files with the given extension in the filename will be processed
- Optional file listing IPs of resolvers participating in the attack
- Optional query (or list of queries, multiple -q options can be given) that are part of the attack. This is useful to establish ground truth when list of attack IPs is not available or is too long.
- Optional argument, how many windows to use for WR filter
Compile for linux computer
Compile DDiDD with dynamically-linked library (see dependency for libraries)
- A S M Rizvi, Jelena Mirkovic, John Heidemann and Wes Hardaker and Robert Story 2023. Defending Root DNS Servers Against DDoS Using Layered Defenses. Proceedings of the IEEE International Conference on Communications Systems and Networks (COMSNETS). Dataset for this paper is released via https://ant.isi.edu/datasets/all.html (DoS_DDiDD_Experiments-20230111 and B_Root_Anomaly-xxx).