What does a DDoS attack look like on Tomato firewall logs?

Discussion in 'Tomato Firmware' started by devlin016, Sep 15, 2013.

  1. devlin016

    devlin016 Addicted to LI Member

    I'm trying to make a script that checks my logs for a DDoS attack, and if it finds one it will change my WAN MAC address, which will change the IP I get from my ISP's DHCP server. What does this look like in the logs?
  2. phuque99

    phuque99 LI Guru Member

    Tomato does not log allowed ingress traffic or any denied/dropped traffic by default. So there won't be any data. The router may likely hang or reboot from the DDoS traffic onslaught.
  3. devlin016

    devlin016 Addicted to LI Member

    My syslog logs dropped packets and it's being logged to a USB.
  4. phuque99

    phuque99 LI Guru Member

    Utilities like snort may help detect intrusion attempts or surveillance. An effective DDoS is usually against opened ports, not closed/dropped/denied ports.
  5. devlin016

    devlin016 Addicted to LI Member

    I was able to launch a DDoS against a closed port on myself to see what it looks like in my logs. I kicked myself offline. I was able to see all the connection attempts to the port in my logs, but I can't figure out how to tell a DDoS attack apart from just random connection attempts in syslog. I was able to write a small script that changes my WAN MAC address, which forces my cable modem to give me a new IP. If only I could figure out syslog :(
  6. darkknight93

    darkknight93 Networkin' Nut Member

    I am currently logging firewall events to another logfile and created a small web interface where all dropped IP packets are listed with source IP. You can sort them by IP to check whether any bad ass users try to do a port scan or something like that.
    Here is the syslog-ng config (you need to use another logger)
    I will upload a picture of this webinterface so you can check.
    Via scheduled tasks it should be easy to check the logfile for many dropped packets -> new MAC, and clean the logfile to not do this over and over.

    Just a thought
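
One way to tell a flood apart from stray connection attempts in a dropped-packet log, as asked in this thread (an added example, not code from any poster): count drops per minute and report only the minutes that reach a threshold, with the number of distinct sources and the most-hit port. The `DROP` log prefix, the sample lines and the threshold of 100 are assumptions; `SRC=` and `DPT=` are the standard iptables LOG fields.

```sh
#!/bin/sh
# Added example. Assumed syslog line shape (iptables LOG fields; "DROP" prefix assumed):
#   Sep 15 12:01:07 router kern.warn kernel: DROP IN=vlan2 OUT= SRC=.. DST=.. PROTO=UDP SPT=.. DPT=..

# flood_minutes LIMIT   (log is read from stdin)
# Prints one line per minute whose dropped-packet count reaches LIMIT:
#   "<Mon> <DD> <HH:MM> drops=<n> sources=<distinct SRC> top_dpt=<most-hit port>"
flood_minutes() {
    awk -v limit="$1" '
    / DROP / && /SRC=/ {
        minute = $1 " " $2 " " substr($3, 1, 5)      # bucket key: date + HH:MM
        src = ""; dpt = "-"                          # ICMP lines carry no DPT
        for (i = 4; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (!(minute in drops)) order[++n] = minute  # remember first-seen order
        drops[minute]++
        if (!((minute, src) in seen)) { seen[minute, src] = 1; sources[minute]++ }
        ports[minute, dpt]++
        if (ports[minute, dpt] > best[minute]) {
            best[minute] = ports[minute, dpt]; top[minute] = dpt
        }
    }
    END {
        for (k = 1; k <= n; k++) {
            m = order[k]
            if (drops[m] >= limit)
                printf "%s drops=%d sources=%d top_dpt=%s\n", m, drops[m], sources[m], top[m]
        }
    }'
}

# Constructed sample: two stray probes at 12:00, then 200 UDP drops from
# 50 documentation-range sources against one port at 12:01.
sample_log() {
    echo 'Sep 15 12:00:03 router kern.warn kernel: DROP IN=vlan2 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=23'
    echo 'Sep 15 12:00:41 router kern.warn kernel: DROP IN=vlan2 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=51515 DPT=445'
    i=0
    while [ "$i" -lt 200 ]; do
        echo "Sep 15 12:01:$(printf '%02d' $((i % 60))) router kern.warn kernel: DROP IN=vlan2 OUT= SRC=203.0.113.$((i % 50 + 1)) DST=192.0.2.10 PROTO=UDP SPT=$((1024 + i)) DPT=27015"
        i=$((i + 1))
    done
}

sample_log | flood_minutes 100
```

The 12:00 minute, with two drops, stays below the threshold and is not reported; only the 12:01 burst is. On a router the function would be fed the real firewall log on stdin from a scheduled task, with the threshold tuned to the line's normal background rate.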

