I am currently using the Elastic Stack to parse Apache and Nginx web logs, with Filebeat installed on multiple remote servers shipping logs to my Elastic server. I want to use the same infrastructure to detect DDoS attacks on the web servers using the log data in real time.
Is there any similar feature available, in Elastic or from a third party, that uses web logs to detect DDoS attacks?
Thanks in advance.
In my (humble) opinion there are two methods you can use in the Elastic Stack for this:
- Machine Learning with detection rule
- Threshold detection rule
Depending on the scope/size/implementation of your application(s) you can choose either one.
For larger dynamic applications (meaning the traffic varies over time) I'd say use a Machine Learning job.
For smaller static applications (about the same amount of traffic over time) I would recommend using a threshold detection rule, as these put less load on your system.
Some rough guidelines for a ML job:
- Set the datafeed as correctly scoped as possible
- add a high_count detector with the source.ip field as the population.
- add a high_count detector
What this job will do is detect a high number of requests coming from a single IP in relation to all the other IPs, as well as general detection of more traffic than usual for the given time.
You then configure a detection rule on this new ML job.
The threshold rule is relatively straightforward. Just don't set your threshold too low, as this will blow you from your socks (so to speak).
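The two approaches the answer describes, as an added example that is not part of the original thread: Python that builds the ML job, datafeed and threshold-rule request bodies for the Elastic APIs and dry-runs the threshold rule's counting logic over constructed sample events. The index pattern, job id, bucket span, threshold value, rule metadata and the sample events are assumptions.

```python
from collections import Counter

INDEX = "filebeat-*"  # assumption: Filebeat default index pattern
WEB_LOGS = "event.dataset:(nginx.access OR apache.access)"  # Filebeat module datasets

def ml_job_body(bucket_span="15m"):
    """Body for PUT _ml/anomaly_detectors/web-request-rates (job id and span assumed)."""
    return {
        "description": "High request counts per source.ip vs. all ips, and overall",
        "analysis_config": {
            "bucket_span": bucket_span,
            "detectors": [
                # population analysis: each source.ip is compared with all other ips
                {"function": "high_count", "over_field_name": "source.ip",
                 "detector_description": "unusual requests from one source.ip"},
                # temporal analysis: more traffic than usual for this time of day
                {"function": "high_count",
                 "detector_description": "unusual overall request volume"},
            ],
        },
        "data_description": {"time_field": "@timestamp"},
    }

def datafeed_body(job_id="web-request-rates"):
    """Body for PUT _ml/datafeeds/datafeed-<job_id>: scope the feed to web access logs only."""
    return {"job_id": job_id, "indices": [INDEX],
            "query": {"query_string": {"query": WEB_LOGS}}}

def threshold_rule_body(per_ip=1000, interval="5m"):
    """Body for POST /api/detection_engine/rules (Kibana): alert when one source.ip
    sends at least per_ip requests within one rule interval."""
    return {"name": "Web request flood by source.ip", "type": "threshold",
            "description": "Threshold rule over Filebeat web access logs",
            "index": [INDEX], "language": "kuery", "query": WEB_LOGS,
            "threshold": {"field": ["source.ip"], "value": per_ip},
            "from": f"now-{interval}", "interval": interval,
            "risk_score": 73, "severity": "high", "enabled": True}

def threshold_hits(events, per_ip):
    """Local dry run of the threshold rule's counting logic over one interval of events."""
    counts = Counter(e["source.ip"] for e in events
                     if e.get("event.dataset") in ("nginx.access", "apache.access"))
    return {ip: n for ip, n in counts.items() if n >= per_ip}

# constructed sample events for one 5m interval: one flooding ip, one normal ip, noise
SAMPLE = ([{"event.dataset": "nginx.access", "source.ip": "203.0.113.7"}] * 1200
          + [{"event.dataset": "nginx.access", "source.ip": "198.51.100.4"}] * 40
          + [{"event.dataset": "system.syslog", "source.ip": "203.0.113.9"}] * 2000)

print(threshold_hits(SAMPLE, per_ip=1000))  # {'203.0.113.7': 1200}
```

The bodies are meant to be sent with the Elasticsearch and Kibana APIs named in the docstrings; the dry run only mirrors what the threshold rule counts, so it is useful for picking a threshold value against real log volumes before enabling the rule.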