# DDoS and Intrusion detection notifications

In this exercise we'll set up DDoS and intrusion detection alerts. We'll send these alerts as Jupyter notifications, although in a regular environment, these would be sent as emails or Slack/chat messages.

First, Install support for python Jupyter notifications.

In [1]:
%%bash
# Install the required Python 3 dependencies
python3 -m pip install kafka-python jupyternotify  # type: ignore


Collecting jupyternotify
  Downloading jupyternotify-0.1.15.tar.gz (7.2 kB)
  Preparing metadata (setup.py): started
  Preparing metadata (setup.py): finished with status 'done'
Collecting jupyter
  Downloading jupyter-1.0.0-py2.py3-none-any.whl (2.7 kB)
Collecting qtconsole
  Downloading qtconsole-5.2.1-py3-none-any.whl (120 kB)
Collecting jupyter-console
  Downloading jupyter_console-6.4.0-py3-none-any.whl (22 kB)
Collecting qtpy
  Downloading QtPy-1.11.3-py2.py3-none-any.whl (59 kB)
Building wheels for collected packages: jupyternotify
  Building wheel for jupyternotify (setup.py): started
  Building wheel for jupyternotify (setup.py): finished with status 'done'
  Created wheel for jupyternotify: filename=jupyternotify-0.1.15-py3-none-any.whl size=8743 sha256=9543e21240f6d1f3595f724f4b27a9a457fff90b04ac33c73e5a74fc802bac5f
  Stored in directory: /home/jovyan/.cache/pip/wheels/db/f4/43/06c94fe0f5bacf0029ea8ebb8d080f372b97661740be7b3d74
Successfully built jupyternotify
Installing col

Load the notification extension. Click "Allow Notifications" when the browser asks you.

![](img/enable-notifications.png)

In [3]:
%load_ext jupyternotify

<IPython.core.display.Javascript object>

You can now send notifications using `%notify -m 'test'`

In [7]:
def send_test_notification():
    %notify -m 'test'

send_test_notification()

<IPython.core.display.Javascript object>

## Exercise

Create a Python Kafka consumer that reads the topics `clicks-calculated-ddos` and `clicks-calculated-forbidden`.

* The consumer creates a notification when, for a given window in `clicks-calculated-ddos` more messages are flagged as possible ddos than ones that are not. *Note: since each window has two rows, one for flagged messages and one for unflagged, you will need to keep a local cache of the windows you've already encountered.*
* The consumer creates a notification every time a message from `clicks-calculated-forbidden` has the `forbidden` value set to `True`.

In [None]:
import json
from kafka import KafkaConsumer, KafkaProducer
from kafka.common import KafkaError


KAFKA_BROKERS = 'localhost:9092'
KAFKA_TOPICS = ['clicks-calculated-ddos', 'clicks-calculated-forbidden']
KAFKA_OFFSET_RESET = 'latest' # TODO


kafka_consumer = KafkaConsumer(auto_offset_reset=KAFKA_OFFSET_RESET,
                               bootstrap_servers=KAFKA_BROKERS,
                               enable_auto_commit=False, # TODO
                               # group_id=KAFKA_GROUP,
                               value_deserializer=lambda value: json.loads(value.decode('utf-8')))
kafka_consumer.subscribe(KAFKA_TOPICS)

# We receive flagged counts one by one from spark so we have to keep a data structure to match true and false flagged.
# Structure:
# {
#     'timestamp': {
#         'flagged_true': 7,
#         'flagged_false': 1,
#     }
# }
window_cache = {}


def extract_window_key(message):
    return '{}-{}'.format(message['window']['start'], message['window']['start'])


def add_to_window_cache(message):
    '''
    message structure:
    {"window":{"start":"2018-01-13T05:04:00.000Z","end":"2018-01-13T05:04:10.000Z"},"flagged":true,"count":7}
    '''
    key = extract_window_key(message)
    if key not in window_cache:
        window_cache[key] = {}
    if message['flagged']:
        window_cache[key]['flagged_true'] = message['count']
    else:
        window_cache[key]['flagged_false'] = message['count']
    return len(window_cache[key]) == 2
    

def ddos_window_detection(message):
    key = extract_window_key(message)
    # For this exercise we will keep the "detection" very simple by calculting the ratio of (true / total) > threshold
    ddos_ratio = window_cache[key]['flagged_true'] / (window_cache[key]['flagged_false'] + window_cache[key]['flagged_true'])
    print(ddos_ratio)
    if ddos_ratio > 0.50:
        # Trigger alert, possible ddos
        return True
    # If no suspicious activity was found, we can delete the window from the cache
    del window_cache[key]
    return False
    

def notify_admin_ddos(message):
    key = extract_window_key(message)
    window = window_cache.pop(key)
    %notify -m 'DDOS alert'
    
def notify_admin_forbidden_url(message):
    %notify -m 'Forbidden URL alert'
    
    
# {"window":{"start":"2018-01-13T05:04:00.000Z","end":"2018-01-13T05:04:10.000Z"},"flagged":true,"count":7}
for msg in kafka_consumer:
    if msg.topic == 'clicks-calculated-ddos':
        if add_to_window_cache(msg.value) and ddos_window_detection(msg.value):
            notify_admin_ddos(msg.value)
    elif msg.topic == 'clicks-calculated-forbidden':
        if msg.value['forbidden']:
            notify_admin_forbidden_url(msg.value)

