Detect DDoS Source & Destination IP Address with OURMON

We have OURMON running on one of network segment for quite some time, it is very helpful and resourceful when DDoS attack happened, especially to help our customer to find out which destination is targeted on the attack and from which sources. Below is the graph that we previously captured while running OURMON version 2.70.

OURMON Version 2.81

On the recent released of OURMON, the topn graphs didn’t show the traffic by Mbit/s instead of bit/s. The long no. is confusing when the NOC engineer is doing the monitoring(minimal 7 digits will show up). I have made some changes on omupdate.pl, one of OURMON script that generate html static page, to show extra value – Mbit/s. Our current OURMON graph looks something like below;

Below will show you how to add extra Mbit/s value on your OURMON Topn section;

edit omupdate.pl file

vi /usr/local/mrourmon/bin/omupdate.pl

On line 3137, add the code looks like below;

my $uappf = $items[$i+2];       # old hw app flags
my $uappl = $items[$i+3];       # app lower case
my $uapph = $items[$i+4];       # app upper case
my $bps = int(($items[$i+1] * 8)/30);
my $mbps = sprintf("%.2f", ($bps/1024)/1024); # convert bits to mbits
my $uaf = get_appflag($uappf, $uappl, $uapph);

this line of code my $mbps = sprintf(“%.2f”, ($bps/1024)/1024); is to declare the new variable $mbps and convert the bit/s value to Mbit/s by dividing 1024*1024.

Next is to display the value on the page, do something on line of code 3146;

"bits/sec: $bps, Mbits/sec: $mbps, "

Done, wait for a few second for the web page to refresh with extra Mbit/s value. Btw, you can remove bit/s if you want to, to save some extra space 😉