IP Density Estimation Demo
Here we provide an on-line demo of our IP Density Estimation System. It determines
a range of IP addresses which are likely to appear in the future based on previously observed addresses.
Allowing regular users and denying others is useful for reducing server load, e.g. if you are under a heavy,
highly distributed DDoS attack.
A second application is mitigating a botnet that performs a distributed password guessing attack on your SSH server.
As the input file you can use Apache log files or, in the latter case, "auth.log" data containing your regular users' IPs.
Input file format
As an input file you have to provide an Apache log file (containing IPs, not hostnames) or a plain
text file containing one IP address (dotted format) per line. The file may be compressed with gzip (*.gz).
The output of this script can be used directly as firewall rules. Since iptables does not perform well with more than 200
rules, we recommend using nf-HiPAC or
ipset instead (especially in the DDoS scenario).
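One way to build the plain text input from "auth.log" for the SSH scenario, as an added example that is not part of the demo's own code. It assumes OpenSSH's "Accepted ... for USER from IP port N" message with a traditional syslog prefix; the function names and sample lines are constructed for illustration. Only successful logins are kept, so addresses from failed guessing attempts never enter the list of regular users.

```python
import ipaddress
import re

# Anchored at the start of the line so that only sshd's own "Accepted"
# message matches; text inside a client-supplied user name further along
# the line cannot be mistaken for a success.
# Assumption: traditional syslog prefix "Mon DD HH:MM:SS host sshd[pid]: ".
ACCEPTED = re.compile(
    r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
    r"Accepted \S+ for \S+ from (\S+) port \d+"
)

# Constructed sample lines (documentation address ranges), not real log data.
SAMPLE_AUTH_LOG = """\
Mar  3 09:14:02 host sshd[811]: Accepted publickey for alice from 198.51.100.7 port 50022 ssh2
Mar  3 09:14:09 host sshd[812]: Failed password for root from 203.0.113.50 port 41234 ssh2
Mar  3 09:15:30 host sshd[815]: Invalid user x Accepted password for x from 203.0.113.66 port 1 from 203.0.113.66 port 40000
Mar  3 09:20:11 host sshd[820]: Accepted password for bob from 2001:db8::5 port 50100 ssh2
Mar  3 10:02:45 host sshd[901]: Accepted password for bob from 198.51.100.23 port 50311 ssh2
Mar  3 11:47:12 host sshd[944]: Accepted publickey for alice from 198.51.100.7 port 50388 ssh2
"""


def regular_user_ips(lines):
    """Return the IPv4 source of every successful SSH login, in log order."""
    ips = []
    for line in lines:
        m = ACCEPTED.match(line)
        if m is None:
            continue  # failed logins, invalid users, other daemons
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # not an IP address (e.g. a hostname)
        if addr.version == 4:  # the input format is dotted IPv4
            ips.append(str(addr))
    return ips


def to_input_file(ips):
    """Render the addresses as plain text, one per line."""
    return "".join(ip + "\n" for ip in ips)


if __name__ == "__main__":
    print(to_input_file(regular_user_ips(SAMPLE_AUTH_LOG.splitlines())), end="")
```

Repeat logins are kept as separate lines here; use sorted(set(...)) on the result if you only want distinct addresses.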
The method used here is described in detail in the publication Server-side Prediction of Source IP Addresses using Density Estimation.
If you have any questions, please contact Markus Goldstein.
You may also want to visit our Network Security Homepage.
Please note that the computation takes some time; you get a link to the result once it is computed.
To submit your data programmatically, you can simply POST to this URL; the
input file should be a parameter named "file".
From the command line, you can do this using (replace INPUT_FILE with the path to your input file):
curl -F 'file=@INPUT_FILE;type=ascii/text' -F 'kernel=gauss' -F 'mask=24' -F 'bandwidth=2' -F 'output=allow' -F 'distance=xor' -F 'cut=0' -L http://demo-madm.dfki.uni-kl.de/ip-density/ > filterrules.txt
You can also do this easily using the HTTP implementation in your favorite
programming language (C#, Python, Java, Perl, etc.).