Real-time Port Scanning Monitoring

[michaelkeevildown]

What config do I need to build a DDOS real-time demo?

[michaelkeevildown]

The data needed to illustrate a DDOS attack are:

• Port
• Source IP (Public IP)
• Target IP (Internal IP)
• Location on all IPs (GeoIP)

It would be great to use graph on this dataset, need to keep that in mind.

We will need 2 config files

1. Normal OK traffic - Run at a constant rate
2. DDOS attack - Ramp this up to illustrate how things change.

[michaelkeevildown]

Look at tcpdump and analyse how this can be sliced and diced in Logstash. This can then power:

1. tcpdump log file
2. Grok pattern to parse this - so raw json conversion
3. Show dashboard
4. Run real-time simulation

[michaelkeevildown]

Example tcpdump port scan payload:

https://gist.github.com/michaelkeevildown/ebaa1d92c34d83bd088024c1ccc416d1