IP Density Estimation Demo

Here we provide an on-line demo of our IP Density Estimation System. From the source addresses observed in the past it determines the IP ranges from which your regular users are likely to connect in the future.

Applications

Allowing regular users and denying everyone else is useful, e.g. when you are under a heavy, highly distributed DDoS attack and need to reduce server load. A second application is mitigating a botnet that performs a distributed password-guessing attack against your SSH server. As input file you can use your Apache log files, or in the latter case the "auth.log" entries that carry the IPs of your regular users (only the lines of successful logins: the "Failed password ... from" lines carry the attackers' addresses and must not be learned).

Input file format

As input file you have to provide an Apache log file (containing IP addresses, not resolved hostnames) or a plain text file with one IPv4 address in dotted-decimal notation per line. The file may be compressed with gzip (*.gz).
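The following script is an added example (not part of the demo or of its authors' code) that produces the plain one-address-per-line input described above from the two log types mentioned on this page: it reads a plain or gzip-compressed file, takes the client address from Apache access-log lines, takes only the source addresses of successful logins from an OpenSSH auth.log, and discards digit strings that are not valid addresses. The regular expressions and the sample log lines at the end are constructed for illustration.

```python
import gzip
import ipaddress
import re
from typing import Iterable, Iterator, List

IPV4 = r'(\d{1,3}(?:\.\d{1,3}){3})'
# Apache common/combined log format: the client address is the first field
# (only when HostnameLookups is off; names are rejected by the demo anyway).
APACHE_RE = re.compile(r'^' + IPV4 + r' ')
# Plain list: exactly one dotted-decimal address per line.
PLAIN_RE = re.compile(r'^\s*' + IPV4 + r'\s*$')
# OpenSSH auth.log: only successful logins describe regular users; the
# "Failed password ... from X" lines are the guessing bots and must not be learned.
SSHD_ACCEPTED_RE = re.compile(r'sshd\[\d+\]: Accepted \S+ for \S+ from ' + IPV4)


def open_log(path: str):
    """Open a plain or gzip-compressed log file as text, as the demo accepts it."""
    if path.endswith('.gz'):
        return gzip.open(path, 'rt', encoding='utf-8', errors='replace')
    return open(path, 'r', encoding='utf-8', errors='replace')


def extract_ips(lines: Iterable[str], mode: str = 'auto') -> Iterator[str]:
    """Yield one valid IPv4 address per matching line.

    mode: 'apache', 'plain', 'auth' or 'auto' (try all three per line).
    """
    for line in lines:
        m = None
        if mode in ('auto', 'plain'):
            m = PLAIN_RE.match(line)
        if m is None and mode in ('auto', 'apache'):
            m = APACHE_RE.match(line)
        if m is None and mode in ('auto', 'auth'):
            m = SSHD_ACCEPTED_RE.search(line)
        if m is None:
            continue
        try:
            ip = ipaddress.IPv4Address(m.group(1))
        except ipaddress.AddressValueError:
            continue  # e.g. "999.1.1.1": looks like an address, is not one
        yield str(ip)


def convert(src: str, dst: str, mode: str = 'auto') -> int:
    """Write one address per line to dst. Duplicates are kept on purpose:
    repeated hits are exactly what the density estimate needs. Returns the count."""
    n = 0
    with open_log(src) as fin, open(dst, 'w') as fout:
        for ip in extract_ips(fin, mode):
            fout.write(ip + '\n')
            n += 1
    return n


# Constructed sample lines (not real log data) covering all three formats.
SAMPLE_LINES: List[str] = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326',
    'Oct 10 13:55:36 host sshd[4711]: Accepted publickey for alice from 198.51.100.23 port 50222 ssh2',
    'Oct 10 13:55:40 host sshd[4712]: Failed password for invalid user admin from 192.0.2.99 port 40000 ssh2',
    '198.51.100.24',
    '999.1.1.1',
    'www.example.org - - [10/Oct/2023:13:56:01 +0000] "GET / HTTP/1.1" 200 512',
]

if __name__ == '__main__':
    print('\n'.join(extract_ips(SAMPLE_LINES)))
```

Run it as `python3 extract_ips.py` to see the three addresses recovered from the sample, or call `convert('auth.log.gz', 'users.txt', mode='auth')` to build the SSH allow-list input from a rotated log. The hostname line and the failed-login line are dropped, which is the caveat to check before uploading: if an attacker's addresses end up in the input, the estimate will happily allow them.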

Firewall

The output of this script can be used directly as firewall rules. Since iptables evaluates a chain rule by rule and does not perform well with more than about 200 rules, we recommend using nf-HiPAC, nf-hiShape or ipset instead, especially in the DDoS scenario, where the allow-list can easily contain thousands of ranges.
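As an added example of the ipset route (this is not the demo's own output format or code), the following script assumes you have reduced the result to a list of networks or addresses, one per line, and turns that list into a single hash:net set plus three iptables rules. The set lookup costs the same for 10 or 10,000 entries, which is what makes it suitable for the DDoS case; adjacent and overlapping ranges are merged first so the set stays small. The set name, port and the optional admin address are hypothetical parameters.

```python
import ipaddress
from typing import Iterable, List, Optional


def collapse_networks(lines: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Parse 'a.b.c.d' or 'a.b.c.d/n' lines (comments after '#' and blank lines
    are ignored) and merge adjacent or overlapping networks into the smallest CIDR list."""
    nets = []
    for raw in lines:
        s = raw.split('#', 1)[0].strip()
        if s:
            nets.append(ipaddress.ip_network(s, strict=False))
    return list(ipaddress.collapse_addresses(nets))


def ipset_script(networks: Iterable[ipaddress.IPv4Network], set_name: str = 'allowed_src',
                 proto: str = 'tcp', port: int = 22, admin: Optional[str] = None) -> str:
    """Render shell commands that fill one hash:net set and install the rules:
    keep established connections, accept sources in the set, drop the rest."""
    lines = [
        f'ipset -exist create {set_name} hash:net',
        f'ipset flush {set_name}',
    ]
    if admin:  # never lock yourself out of the management address
        lines.append(f'ipset -exist add {set_name} {admin}')
    for n in networks:
        lines.append(f'ipset -exist add {set_name} {n}')
    lines += [
        f'iptables -A INPUT -p {proto} --dport {port} -m conntrack --ctstate ESTABLISHED -j ACCEPT',
        f'iptables -A INPUT -p {proto} --dport {port} -m set --match-set {set_name} src -j ACCEPT',
        f'iptables -A INPUT -p {proto} --dport {port} -j DROP',
    ]
    return '\n'.join(lines) + '\n'


# Constructed sample (not real output): two halves of a /24 and a host already inside a /24.
SAMPLE_RANGES = [
    '203.0.113.0/25',
    '203.0.113.128/25   # merges with the line above into 203.0.113.0/24',
    '198.51.100.0/24',
    '198.51.100.7       # already covered, dropped',
]

if __name__ == '__main__':
    print(ipset_script(collapse_networks(SAMPLE_RANGES), admin='192.0.2.10'), end='')
```

Review the generated script before piping it into a shell, and test it with a second session open: the final DROP rule turns every mistake in the allow-list into a lock-out. Rebuilding the set with `ipset flush` and re-adding is preferable to deleting and recreating it, because the iptables rules keep referencing the set by name.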

Background

The method used here is described in detail in the publication Server-side Prediction of Source IP Addresses using Density Estimation. If you have any questions, please contact Markus Goldstein. You may also want to visit our Network Security Homepage.

Please note that the computation takes some time; you get a link to the result once it is computed.

Submit File

The form takes the following parameters; most of them correspond to the POST fields used in the curl example under "Programmatic Interface" below:

File (max. 50 MB): the log file or address list to analyse, optionally gzip-compressed.
Mask (resolution of smoothing): the prefix length at which addresses are aggregated, e.g. 24 to work on /24 blocks.
Kernel: the kernel function used for the density estimate (e.g. gauss).
Kernel Bandwidth: the width of the kernel, i.e. how far the weight of an observed address spreads to neighbouring blocks.
Cut Kernel Width: where the kernel is truncated (0 in the curl example).
Limit (Threshold): the minimum density a block needs in order to appear in the output.
Distance measure: how the distance between addresses is measured (e.g. xor).
Output Format: the format of the generated rules (allow in the curl example).
Print debug output (progress): show progress messages while computing.

It may take several minutes until you get the result!
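To make the meaning of the parameters concrete, here is an added toy implementation of the idea (written for this page; it is not the authors' algorithm from the paper and does not reproduce the demo's numbers): addresses are bucketed into /mask blocks, every observed hit spreads its weight to neighbouring blocks through the kernel, and blocks whose density reaches the limit are merged into CIDR ranges. Everything about the semantics is an assumption labelled in the code: "xor" is taken as the integer XOR of two block indices, "cut" as the truncation radius in bandwidth units with 0 meaning no truncation, and "gauss" as the standard Gaussian kernel. The sample addresses are constructed.

```python
import ipaddress
import math
from collections import Counter
from typing import Dict, Iterable, List


def prefix_index(ip: str, mask: int) -> int:
    """Map an address to the index of its /mask block (mask = smoothing resolution)."""
    return int(ipaddress.IPv4Address(ip)) >> (32 - mask)


def distance(p: int, q: int, measure: str) -> int:
    """Distance between two block indices. 'linear' is the numeric gap; 'xor'
    (assumed here to mean the integer XOR of the indices) keeps blocks that share
    their high-order bits close and grows quickly across a bit boundary."""
    if measure == 'linear':
        return abs(p - q)
    if measure == 'xor':
        return p ^ q
    raise ValueError(f'unknown distance measure {measure!r}')


def kernel_weight(d: float, kernel: str, bandwidth: float) -> float:
    """Weight a hit at distance d contributes, scaled by the bandwidth."""
    u = d / bandwidth
    if kernel == 'gauss':
        return math.exp(-0.5 * u * u)
    if kernel == 'uniform':
        return 1.0 if u <= 1.0 else 0.0
    raise ValueError(f'unknown kernel {kernel!r}')


def density_map(ips: Iterable[str], mask: int, kernel: str, bandwidth: float,
                cut: float, measure: str) -> Dict[int, float]:
    """Kernel density over block indices. cut > 0 truncates the kernel at
    cut*bandwidth; cut == 0 is taken to mean 'no truncation' (assumption) and is
    evaluated out to 4*bandwidth, beyond which a Gaussian is negligible."""
    counts = Counter(prefix_index(ip, mask) for ip in ips)
    radius = math.ceil((cut if cut > 0 else 4.0) * bandwidth)
    top = (1 << mask) - 1
    candidates = set()
    for p in counts:  # only blocks near an observed hit can reach any density
        if measure == 'xor':
            candidates.update(p ^ k for k in range(radius + 1))
        else:
            candidates.update(range(max(0, p - radius), min(top, p + radius) + 1))
    dens: Dict[int, float] = {}
    for q in candidates:
        total = 0.0
        for p, n in counts.items():
            d = distance(p, q, measure)
            if cut > 0 and d > radius:
                continue
            total += n * kernel_weight(d, kernel, bandwidth)
        dens[q] = total
    return dens


def predict_ranges(ips: Iterable[str], mask: int = 24, kernel: str = 'gauss', bandwidth: float = 1.0,
                   cut: float = 0.0, limit: float = 1.0, measure: str = 'linear') -> List[str]:
    """Blocks whose density reaches 'limit', merged into CIDR networks."""
    dens = density_map(ips, mask, kernel, bandwidth, cut, measure)
    selected = sorted(q for q, v in dens.items() if v >= limit)
    shift = 32 - mask
    nets = []
    i = 0
    while i < len(selected):  # collapse runs of consecutive block indices
        j = i
        while j + 1 < len(selected) and selected[j + 1] == selected[j] + 1:
            j += 1
        first = ipaddress.IPv4Address(selected[i] << shift)
        last = ipaddress.IPv4Address(((selected[j] + 1) << shift) - 1)
        nets.extend(ipaddress.summarize_address_range(first, last))
        i = j + 1
    return [str(n) for n in nets]


# Constructed sample (not real traffic): a busy /24, its neighbour, and one stray hit.
SAMPLE_IPS = ['203.0.113.5', '203.0.113.9', '203.0.113.200', '203.0.114.1', '198.51.100.3']

if __name__ == '__main__':
    for measure in ('linear', 'xor'):
        print(measure, predict_ranges(SAMPLE_IPS, mask=24, kernel='gauss', bandwidth=1,
                                      cut=2, limit=1.5, measure=measure))
```

With bandwidth 1, cut 2 and limit 1.5 the three hits in 203.0.113.0/24 lift the two adjacent /24s above the threshold under the linear distance (result 203.0.112.0/23 plus 203.0.114.0/24), while the single hit in 198.51.100.0/24 stays below it and is not allowed. Under the XOR distance 203.0.113.0/24 and 203.0.114.0/24 are three apart (113 and 114 differ in two bits), so only 203.0.112.0/23 survives. Raising the limit to 3 leaves just the block that was actually hit. That is the trade-off the form parameters control: a wider bandwidth or lower limit admits more unseen neighbours, a tighter setting admits fewer, and a sparse, noisy input will produce either nothing or far too much.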


Programmatic Interface

To submit your data programmatically, you can simply POST the form fields to the demo URL (http://demo-madm.dfki.uni-kl.de/ip-density/) as multipart/form-data; the input file must be sent as a file parameter named "file".

From the command line, you can do this using:

curl -F 'file=@access.log;type=ascii/text' \
     -F 'kernel=gauss' -F 'mask=24' -F 'bandwidth=2' \
     -F 'output=allow' -F 'distance=xor' -F 'cut=0' \
     -L http://demo-madm.dfki.uni-kl.de/ip-density/ > filterrules.txt

You can also do this easily using the HTTP implementation in your favorite programming language (C#, Python, Java, Perl, etc.).
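The same request in Python, as an added example using only the standard library (this is not client code from the demo's authors): the multipart body is assembled by hand so the field names mirror the curl command above, and the result is read from the response as it would be by curl -L. The file part's Content-Type of text/plain is an assumption; the page's curl line sends "ascii/text" and the demo does not document what it expects. How the demo delivers the result link after a long computation is not documented either, so the response body is returned as-is.

```python
import io
import os
import sys
import urllib.request
import uuid
from typing import Dict, Optional, Tuple

DEMO_URL = 'http://demo-madm.dfki.uni-kl.de/ip-density/'


def build_multipart(fields: Dict[str, str], filename: str, data: bytes,
                    boundary: Optional[str] = None, file_type: str = 'text/plain') -> Tuple[bytes, str]:
    """Encode the form fields plus one file part named 'file' as multipart/form-data.
    Returns (body, value for the Content-Type header). The part Content-Type is
    an assumption; the server is not documented to check it."""
    boundary = boundary or uuid.uuid4().hex
    buf = io.BytesIO()
    for name, value in fields.items():
        buf.write(f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'.encode())
    buf.write((f'--{boundary}\r\nContent-Disposition: form-data; name="file"; filename="{filename}"\r\n'
               f'Content-Type: {file_type}\r\n\r\n').encode())
    buf.write(data)
    buf.write(f'\r\n--{boundary}--\r\n'.encode())  # CRLF before the closing boundary belongs to the boundary
    return buf.getvalue(), f'multipart/form-data; boundary={boundary}'


def submit(path: str, url: str = DEMO_URL, timeout: float = 900.0, **params: str) -> str:
    """POST a log file with the given form parameters and return the response body as text."""
    with open(path, 'rb') as f:
        data = f.read()
    body, ctype = build_multipart(params, os.path.basename(path), data)
    req = urllib.request.Request(url, data=body, method='POST',
                                 headers={'Content-Type': ctype, 'Content-Length': str(len(body))})
    # urlopen follows redirects like curl -L; the long timeout allows for the computation.
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode('utf-8', errors='replace')


if __name__ == '__main__':
    # Same parameters as the curl example: python3 submit.py access.log > filterrules.txt
    print(submit(sys.argv[1], kernel='gauss', mask='24', bandwidth='2',
                 output='allow', distance='xor', cut='0'), end='')
```

Keep in mind that the demo is plain HTTP, so the addresses of your regular users travel unencrypted to a third party; for production use you would want the method from the paper running on your own infrastructure rather than an upload of your logs.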