
Page 1: Shariff V10- BSc (Hons) Project

Detection and Prevention of DoS/DDoS attacks Using IPtables and Snort Network Intrusion Detection Systems

Sharmarke Xasan Sharif

Submitted in fulfilment for the Honours degree of Digital Forensic and Cyber Security
School of Informatics and Engineering, Institute of Technology Blanchardstown, Dublin, Ireland

© Copyright by Sharmarke Xasan Sharif, May 2015


Sharmarke Xasan Sharif Page 3 of 72

Acknowledgement

I would like to express my deepest gratitude to my parents, who have always been there to support me. I would also like to thank my wife Idil and my two daughters, Ikran and Eman; without their unconditional and absolute support I would never have succeeded in my goals.

I am also greatly thankful to my supervisor, Mark Cummins, whose encouragement, guidance and support from the initial to the final phase enabled me to develop a deep and thorough understanding of the subject. I also extend my regards and blessings to all of those who sustained me in any respect during the culmination of the dissertation.

Special thanks to my thesis editor Ms Alex Glass; she helped me to improve my writing and her advice made my work easier.


Abstract

Nowadays Denial of Service (DoS) attacks have become a hazardous threat to the cloud environment and to today's Internet security, and they are growing rapidly. With new technologies and new techniques, the purpose of these attacks is to prevent regular users from accessing the server. Whatever the reasons behind launching these DDoS attacks, they are increasing rapidly.

There are many types of DoS/DDoS attack, but the most popular are the UDP flood, the ICMP flood and the TCP SYN flood; a summary of these attacks is given later in the thesis.

The aim of DoS/DDoS attacks is to make network services unavailable to legitimate users by overwhelming the victim machine.

This work discusses firewall techniques against DoS/DDoS attacks and detection with the Snort IDS. The firewall rules were written using the iptables command-line tool in Linux to block or permit traffic coming through the network.


Contents

Acknowledgement ... 3
Abstract ... 4
Abbreviations and Acronyms ... 11
Chapter 1: Introduction ... 12
1.1 Main Objective ... 12
1.2 Project Objectives and Aims ... 12
1.3 Methodology ... 13
1.4 Boundary Line ... 13
1.5 Thesis Organisation ... 14
1.6 Thesis Time-line ... 15
Chapter 2: An Overview of Denial of Service and Distributed Denial of Service (DDoS) attacks ... 17
2.1 DoS Attacks ... 18
2.2 History of DoS and DDoS Attacks ... 18
2.3 The goal of DDoS ... 19
2.4 Elements of DDoS ... 19
2.5 Types of DoS/DDoS Attacks ... 19
Chapter 3: Methods of DDoS Attacks ... 20
3.1 Smurf Attack ... 24
3.2 SYN flood Attack ... 25
3.3 UDP flood Attack ... 25
Chapter 4: DDoS Attacks Tools ... 27
4.1 Trin00 ... 28
4.2 Tribe Flood Network (TFN) ... 28
4.3 TFN2K ... 28
4.4 Stacheldraht ... 28
4.5 Shaft ... 29
4.6 Low Orbit Ion Cannon ... 29
4.7 High Orbit Ion Cannon ... 29
4.8 Hping ... 30
Chapter 5: SNORT ... 30
5.1 SNORT Introduction ... 30
5.2 Intrusion Detection System ... 31
5.3 SNORT Architecture ... 31
5.3.1 Packet Decoder ... 32
5.3.2 Pre-processors ... 32
5.3.3 Detection Engine ... 32
5.3.4 Logging and Alerting System ... 33
5.3.5 Output Modules ... 33
5.3.6 SNORT Modes ... 33
Chapter 6: DDoS Defence and Classification ... 36
6.1 Firewall ... 36
6.2 Types of Firewalls ... 37
6.2.1 Packet Filters ... 38
6.2.2 Stateful Firewalls ... 38
6.3 Intrusion Detection System (IDS) ... 39
6.4 Host-based IDS ... 39
6.5 Network-based IDS ... 40
6.6 Intrusion Prevention Systems (IPS) ... 40
Chapter 7: Literature Review ... 42
7.1 Detection and Prevention DoS/DDoS Attack ... 44
7.2 Firewall used as Intrusion Detection and Prevention System ... 42
7.3 SNORT used as Intrusion Detection System ... 43
Chapter 8: System Design ... 44
8.1 Experiment Outline ... 44
8.2 Activity Diagram ... 46
Chapter 9: Experiment and Results ... 48
9.1 Experiment Objectives ... 49
9.2 Experiment 1: SYN Flood Attack with Hping Command ... 50
9.2.1 Writing IPtables script to defend against SYN Flood Attack ... 52
9.3 UDP Flood Attack with Hping Command ... 53
9.4 Writing IPtables script to defend against LOIC UDP Flood Attack ... 55
9.5 ICMP Flood Attack with Hping Command ... 56
9.5.1 Writing IPtable script to defend against ICMP Flood Attack ... 59
9.6 Experiment 2: DDoS Defense using SNORT IDS ... 61
9.6.1 UDP Flood Attack with Low Orbit Ion Cannon (LOIC) ... 61
9.6.2 SNORT detection against LOIC attacks ... 63
Chapter 10: Conclusion and Further Work ... 66
Conclusion ... 66
Future Scope ... 67
Appendix A: Installation of Snort for Windows ... 68
Appendix B: Installation of Low Orbit Ion cannon ... 69
Appendix C: References ... 69
Project Research Resources ... 69


List of Figures

Figure 1: Organisation of Thesis ... 15
Figure 2: Project Time-line ... 16
Figure 3: DDoS Attack [1] ... 17
Figure 4: DDoS Attack Classification ... 21
Figure 5: Smurf Flood Attack ... 24
Figure 6: SYN Flood Attack ... 25
Figure 7: UDP Flood Attack ... 26
Figure 8: ICMP Flood Attack ... 27
Figure 9: Low Orbit Ion Cannon Interface GUI ... 29
Figure 10: High Orbit Ion Cannon Interface GUI ... 30
Figure 11: SNORT IDS Architecture ... 31
Figure 12: SNORT Flow Chart ... 35
Figure 13: Firewall ... 37
Figure 14: Network Lab Environment ... 44
Figure 15: Flow of Implementation Steps ... 46
Figure 16: Experiment 1 (Using IPtable as Defence) ... 48
Figure 17: Experiment 2 (Using SNORT as IDS/IPS) ... 49
Figure 18: SYN Flood with Hping Command ... 50
Figure 19: Wireshark Output for SYN Flood ... 51
Figure 20: Wireshark Output after IPtable Protection against SYN Flood ... 53
Figure 21: UDP Flood using LOIC DDoS Tool ... 54
Figure 22: Wireshark Output After LOIC UDP Attack ... 54
Figure 23: Windows XP unable to ping the Victim Machine (Ubuntu) ... 55
Figure 24: ICMP Flood with Hping Command ... 56
Figure 25: Wireshark Output for ICMP Flood ... 57
Figure 26: Windows XP unable to ping the Victim Machine ... 58
Figure 27: IPtables rules to stop ICMP Flood Attacks ... 60
Figure 28: Wireshark Output after IPtable Protection against ICMP Flood ... 60
Figure 29: UDP Flood Attack Using LOIC Tool ... 62
Figure 30: UDP Alerts and Logs ... 62
Figure 31: CPU Usage after the Attack ... 63
Figure 32: ICMP Flood with Hping Command ... 64
Figure 33: ICMP Alerts and Logs ... 65
Figure 34: Lower CPU and No logs captured ... 66

List of Tables

Table 1: Description of Types of DDoS Attacks ... 22
Table 2: Types of DDoS Attacks at Application Layer ... 23
Table 3: SNORT IDS Modes ... 34
Table 4: SYN with Hping command description ... 51
Table 5: SYN-Flood Protection with IPtable ... 52
Table 6: IPtable Protection against LOIC UDP Flood ... 56
Table 7: Description of ICMP with Hping Command ... 57
Table 8: ICMP-Flood Protection with IPtable ... 59
Table 9: SNORT Installation ... 68
Table 10: Installation of LOIC DDoS Tool ... 69

Abbreviations and Acronyms

DoS: Denial of Service
DDoS: Distributed Denial of Service
SYN: Synchronize Sequence Numbers
TCP: Transmission Control Protocol
HTTP: Hypertext Transfer Protocol
UDP: User Datagram Protocol
DNS: Domain Name Services
ICMP: Internet Control Message Protocol
FTP: File Transfer Protocol
LOIC: Low Orbit Ion Cannon

Chapter 1: Introduction

1.1 Main Objective

The most well-known obstacle confronting the Internet and the cloud environment today originates from DDoS attacks. With increased technology and sophisticated techniques, it has become very easy for attackers to launch attacks. Consequently, there are many tools that overpower servers by launching a Denial of Service.

In large network environments it becomes much harder to detect these attacks. Consequently, these attacks have become genuine threats that bring down businesses with huge revenue losses.

This research focuses first on DDoS (Distributed Denial of Service) attacks, the types of DDoS attacks and their defence mechanisms. Secondly, this work discusses the efficiency of iptables in defending against DoS/DDoS attacks, and the use of the intrusion detection system known as SNORT to detect these attacks.

1.2 Project Objectives and Aims

DDoS attacks are without question the most potent form of attack carried out by intruders. The main purpose of this study is to provide clear and thorough coverage of the area of DDoS attacks.

In principle, this study attempts to aid DDoS research on the issues related to the field of attack mechanisms. The prime objectives of this paper can be summarised as follows:

- Analyse the details of DDoS attack mechanisms and the principles of DDoS attacks
- Present a novel classification of DDoS attack mechanisms
- Discuss a few of the possible evolutions of DDoS attack mechanisms
- What are the different types of DDoS attacks?
- What are the available defence methods?
- What are the different methods to mitigate the effects of DDoS attacks?
- Propose an infrastructure that can stop a DDoS attack quickly, and assess its cost effectiveness

Based on this infrastructure, a complete solution to the DDoS attack problem can then be achieved.

1.3 Methodology

This section describes the necessary steps and methods employed in order to reach the goal of this report:

- First, define the problem
- Collect pertinent data
- Break down and select a resolution
- Test these and other features implementing our solution

1.4 Boundary Line

In this thesis, the chosen focus of the research is how to prevent DDoS attacks using the iptables firewall and SNORT (an intrusion detection system tool). This thesis is intended for readers with a computer background and basic knowledge of computer security. It is recommended that the reader has previous experience with the Linux command line.

1.5 Thesis Organisation

The structure of the thesis is illustrated in the figure below.

- Chapter 2 provides an overview of the field of Denial-of-Service attacks, which includes, for instance, a glance at the history of DoS attacks and an introduction to the subject of DDoS. The chapter is largely based on the literature review. Chapter 2 also provides a figure and an overview of the classification, and explains the functions of the main classes of the classification.
- Chapter 3 presents the methods of DDoS attack mechanisms at length. Chapter 3 details the DoS attack mechanisms in theory and in practice, and how they relate to Smurf, SYN, UDP and ICMP attacks.
- Chapter 4 discusses in detail the various types of DDoS attack tool.
- Chapter 5 gives an insight into the intrusion detection system SNORT and the components of the Snort architecture.
- Chapter 6 discusses the literature review papers related to the topics discussed within the thesis.
- Chapter 7 demonstrates the practicality of the implementation and the system design.
- Chapter 8 concludes the study. A review and discussion of the most important results achieved is presented. In addition, topics for further research are proposed.

Figure 1: Organisation of Thesis

1.6 Thesis Time-line

Figure 2: Project Time-line

Chapter 2: An overview of Denial of Service and Distributed Denial of Service (DDoS) attacks

A Distributed Denial of Service (DDoS) attack is a powerful version of the DoS attack and poses a grave risk to today's Internet. The term "Distributed Denial of Service" (DDoS) originates from "Denial of Service" (DoS), which in computing represents an attempt to stop the victim(s) from serving, preventing legitimate users from accessing the service.

This is done by sending an overwhelming quantity of packets from multiple attack sites to a victim site, so that the key resources of the victim (bandwidth, CPU) are quickly exhausted, whereas a DoS attack damages a single computer and denies all forms of access to it. The term Distributed Denial of Service (DDoS) attack thus derives from the DoS attack.

Figure 3: DDoS Attack [1]

2.1 DoS Attack

Denial of Service (DoS) attacks are intended to shut down the servers or the targeted machine for a period of time, so that the server is not able to handle requests from legitimate users.

2.2 History of DoS and DDoS Attacks

DoS/DDoS attacks have not been around with any significance for very long in the history of IT, but in little more than a decade they have become a worldwide threat that shows no sign of abating, or even diminishing, any time soon.

Initially, in the early 1990s, DoS attacks started with a single user attacking another user with a single click of a button. In the late 1990s, sets of compromised computers controlled by attackers, technically called "botnets", were formed. These botnets resulted in the formation of Distributed Denial of Service attacks. In February 2000, something previously unseen in the history of the Internet occurred: the wave of massive DDoS attacks began. Among many other news sites, BBC News reported that Yahoo! was brought down for three hours (BBC News 2000). A day later eBay, Buy.com, CNN.com and Amazon.com were all under heavy DDoS attack, as reported by the Seattle Post-Intelligencer (2000). Almost all these companies had a significant presence on the Internet. In 2004, these attacks were used for hire and extortion. Most recently, in 2007 and 2008, these attacks were widely used against political dissident groups and even against the Republic of Georgia during its military conflict with Russia.

Overall, a lot has happened during the past few years in the DDoS field as a whole. The considerable power of DDoS attacks has been noted everywhere, as verified by the events discussed above.

2.3 The goal of DDoS

The objective of a DoS/DDoS attack is to harm and damage the victim, either for individual reasons, for material gain (damaging competitors' resources) or for popularity.

2.4 Elements of DDoS

A DDoS attack uses many computers to launch a coordinated attack against one or more targets. A DDoS attack is made up of four elements, as illustrated in the figure above.

Attacker/Attacking Hosts: The mastermind behind the real attack, who compromises the victim machine by relying on brute force to overload the victim's resources.

Agent/Handler: These programs coordinate the attack on the victim through the agents and install the attack software on them.

Attack Daemon Agents (Zombies): These programs are actually responsible for carrying out the attack on the targeted victim, and for generating a stream of packets toward the victim.

Target Machine: It receives the brunt of the attack, which totally overwhelms the victim host.

2.5 Types of DDoS Attacks

As Distributed Denial-of-Service attacks are launched from multiple computers to make the resources of a targeted system less accessible to the intended users, there are three types of DDoS attack: volume-based attacks, protocol-based attacks and application-layer attacks [2].

Volume-based attacks: These mainly include TCP flood, ICMP flood, UDP flood and spoofed-packet flood attacks. Their aim is to consume the bandwidth of the attacked sites, making the service unavailable to its legitimate users. These attacks can be direct DDoS attacks or reflector DDoS attacks.

Protocol-based attacks: These attacks attempt to consume the connection state tables present in the infrastructure, such as load balancers, firewalls and the application servers. They include SYN floods, fragmented packet attacks, Ping of Death, Smurf DDoS and more. This type of attack consumes the actual servers' useful resources or those of intermediary communication devices, such as firewalls and load balancers, and is measured in packets per second.

Application-based attacks: These attacks send regular-looking HTTP requests, and are more efficient than TCP or UDP attacks.

Chapter 3: Methods of DDoS Attacks

There are a number of techniques used to initiate and launch these attacks; however, most of them involve sending large amounts of packets to the target machine so that its networking capabilities are overflowed and no legitimate users are allowed access.

In order to understand DoS/DDoS attacks it is absolutely necessary to have a DoS/DDoS classification. The taxonomy created by Mirkovic and Reiher (2004) classifies DDoS attacks according to the characteristics of the attack. There is a wide variety of DDoS attacks, intended to make the attack as effective as possible. It is highly recommended to know the full taxonomy classification for DDoS attacks (refer to Appendix A). We propose a classification of DDoS attacks that efficiently combines the classifications proposed by Mirkovic [1].

Figure 4: DoS/DDoS Attack Classification

Types of DoS/DDoS Attacks (Network and Transport Layer)

Attack: Description

SYN Flood: A connection is established between the source system and the target. The target system responds with a SYN-ACK message for each SYN message it receives. The source never sends back the final ACK message, therefore the target system is overwhelmed with incomplete connections.

UDP Flood: The attacker sends UDP packets to all ports of the target machine. The victim system is overloaded while processing the UDP packets and attempting to send reply messages to the source system.

UDP Fragmentation: The attacker uses large, fragmented forged packets to consume more bandwidth, and the target expends CPU resources.

ICMP Flood: Normally these packets are used legitimately, but if used for a DDoS attack they can overwhelm the target system.

Ping Attacks: During a ping flood, the target system receives spoofed pings at a very high packet rate, and the victim machine is overwhelmed by the large number of incoming ping packets.

Smurf: All the systems that receive the ICMP Echo Request messages reply to the spoofed IP address with ICMP Echo Replies, therefore overloading the target system.

DNS Attacks: A high rate of spoofed DNS request packets overwhelms the target machine.

ACK and Push Flood: The victim system receives ACK packets, and the ACK flood exhausts the victim's resources.

Fragmented ACK: These packets consume bandwidth.

Table 1: Description of Types of DDoS Attacks

Types of DoS/DDoS Attacks (Application Layer)

Attack: Description

HTTP Floods: The attacker sends large amounts of legitimate requests to an application, which can exhaust all the server's processing capability. The attacker sends a SYN packet and the target responds with a SYN-ACK; the three-way handshake is then completed with an ACK packet.

SMTP Floods: Spammers send a flood of traffic that overwhelms an email server.

Slow HTTP POST: Sends headers to signal how much data is to be sent, but sends the data very slowly, using thousands of HTTP POST connections to DDoS the web server.

Slowloris: Sends partial requests to the target server, opening connections and then sending HTTP headers, augmenting but never completing the request.

Table 2: Types of DDoS Attacks at Application Layer
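The Slow HTTP POST and Slowloris entries in Table 2 both exhaust a server by holding connections open with requests that never complete. As an added example that is not part of the thesis, the following Python detector treats a connection as stalled when its request is still incomplete and no request bytes have arrived for a set time, and flags any source holding many stalled connections at once. The `Conn` record, the thresholds and the sample connection table are all constructed for illustration; a web server or reverse proxy would supply the real per-connection state.

```python
"""Stalled-request detection for slow HTTP POST / Slowloris style attacks.

Added example, not code from the thesis. The connection records and
thresholds below are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Conn:
    """Snapshot of one client connection as a web server would track it."""
    src: str                  # client address
    opened_at: float          # seconds (any monotonic clock)
    last_progress_at: float   # last time a request byte arrived
    headers_done: bool = False
    content_length: int = 0   # declared body size, 0 when there is no body
    body_received: int = 0

    def request_complete(self) -> bool:
        return self.headers_done and self.body_received >= self.content_length


def is_stalled(conn: Conn, now: float, stall_after: float) -> bool:
    """Incomplete request with no progress for at least stall_after seconds.
    Slowloris never finishes the headers; slow POST finishes them but
    trickles the declared body, so both leave request_complete() False."""
    return not conn.request_complete() and (now - conn.last_progress_at) >= stall_after


def slow_http_alerts(conns, now, stall_after=30.0, max_stalled=10):
    """Return [(src, stalled_count)] for sources holding more than
    max_stalled stalled requests at time `now`, sorted by source."""
    per_src = Counter(c.src for c in conns if is_stalled(c, now, stall_after))
    return sorted((src, n) for src, n in per_src.items() if n > max_stalled)


def sample_connections(now: float):
    """Constructed connection table (not captured data)."""
    conns = [
        # Ordinary client: request finished long ago, connection kept alive.
        Conn("10.0.0.11", now - 5.0, now - 4.9, headers_done=True),
        # Honest slow upload: large body still arriving, last byte 2 s ago.
        Conn("10.0.0.12", now - 60.0, now - 2.0, headers_done=True,
             content_length=10_000_000, body_received=4_000_000),
    ]
    # Slowloris style: 30 connections, headers never finished, silent for 45 s.
    conns += [Conn("203.0.113.9", now - 120.0, now - 45.0) for _ in range(30)]
    # Slow POST style: 15 connections that declared a 1 MB body, sent 100 bytes,
    # and have been silent for 40 s.
    conns += [Conn("198.51.100.4", now - 90.0, now - 40.0, headers_done=True,
                   content_length=1_000_000, body_received=100) for _ in range(15)]
    return conns


if __name__ == "__main__":
    now = 1000.0
    for src, n in slow_http_alerts(sample_connections(now), now):
        print(f"{src}: {n} stalled requests")
```

The honest slow upload is not flagged because it keeps making progress; the check is on idle time of an incomplete request, not on connection age or throughput alone, which is what separates a slow but legitimate client from a connection that is being held open on purpose.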

3.1 Smurf Attack

In a "Smurf attack", the victim is flooded with a huge quantity of Internet Control Message Protocol (ICMP) echo reply packets. Attackers use ICMP echo request packets to generate these attacks. The result is that the victim's machine(s) are subjected to network congestion that could potentially make the network unusable.

Figure 5: Smurf Flood Attack

3.2 SYN flood Attack

This is a TCP SYN attack which sends a large number of SYN requests faster than the targeted machine can handle them, causing the network's saturation point to be exceeded and making it impossible for legitimate traffic to get through.

3.3 UDP flood Attack

This approach involves sending a stream of UDP packets to the target victim machine, where the depletion of bandwidth, along with the saturation of the network with packets, overwhelms legitimate service requests to the victim system. The attacker sends UDP packets to one or more ports on the victim machine.

Figure 6: SYN Flood Attack

3.4 ICMP flood Attack

ICMP flood attacks exploit ICMP (Internet Control Message Protocol), in which one machine sends an echo request to a remote machine to determine whether it is alive. In a DDoS ICMP flood, the attacker sends a large quantity of ICMP Echo Request (ping) packets as fast as possible at the victim without waiting for replies. The victim responds to each ICMP request (ping) packet from the attacker, which saturates all the available bandwidth of the victim machine.

Figure 7: UDP Flood Attack


Figure 8: ICMP Flood Attack
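Table 1 and Chapter 3 describe the SYN, UDP and ICMP floods in terms of what the victim sees: a pile of half-open TCP connections, or a packet rate it cannot keep up with. As an added example that is not part of the thesis, the following Python detector applies both observations to a list of packet summaries: it counts the SYNs to each destination port that the sending source never completed with an ACK, and it counts UDP and ICMP packets per destination in one-second windows. The `Packet` record, the thresholds and the sample traffic are constructed for illustration; a real deployment would feed it from a capture such as the Wireshark output used in the experiments.

```python
"""Flood detection over packet summaries: half-open SYNs and per-second rates.

Added example, not code from the thesis. The Packet record, thresholds and
sample traffic are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float        # capture time in seconds
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0   # destination port (0 for ICMP)
    flags: str = ""  # TCP flags as sent by the client: "S" = SYN, "A" = ACK


# Assumed thresholds for the sample data, not values from the thesis.
PPS_THRESHOLD = 50        # UDP/ICMP packets per second to one destination
HALF_OPEN_THRESHOLD = 20  # outstanding SYNs to one destination port
WINDOW = 1.0              # seconds


def half_open_alerts(packets, threshold=HALF_OPEN_THRESHOLD):
    """SYN flood: per (dst, dport), the sources whose SYN was never followed
    by their handshake-completing ACK. Returns [(dst, dport, count)].
    Spoofed sources each appear once, so the count grows with the flood
    even though no single source sends many SYNs."""
    pending = defaultdict(set)  # (dst, dport) -> sources with an outstanding SYN
    for p in packets:
        if p.proto != "tcp":
            continue
        if p.flags == "S":
            pending[(p.dst, p.dport)].add(p.src)
        elif p.flags == "A":
            pending[(p.dst, p.dport)].discard(p.src)
    return sorted((dst, dport, len(srcs))
                  for (dst, dport), srcs in pending.items() if len(srcs) > threshold)


def volume_alerts(packets, threshold=PPS_THRESHOLD, window=WINDOW):
    """UDP/ICMP flood: packets per (proto, dst) in fixed windows.
    Returns [(proto, dst, peak_count)] for destinations over the threshold."""
    buckets = defaultdict(int)  # (proto, dst, window_index) -> packets
    for p in packets:
        if p.proto in ("udp", "icmp"):
            buckets[(p.proto, p.dst, int(p.ts // window))] += 1
    peak = defaultdict(int)
    for (proto, dst, _), n in buckets.items():
        peak[(proto, dst)] = max(peak[(proto, dst)], n)
    return sorted((proto, dst, n) for (proto, dst), n in peak.items() if n > threshold)


def detect(packets):
    return {"syn_half_open": half_open_alerts(packets),
            "volume": volume_alerts(packets)}


def sample_packets():
    """Constructed traffic (not a real capture) toward a victim web server."""
    victim = "10.0.0.5"
    pkts = []
    # Three normal clients: SYN, then the ACK that completes the handshake.
    for i, client in enumerate(("10.0.0.11", "10.0.0.12", "10.0.0.13")):
        pkts.append(Packet(0.1 * i, "tcp", client, victim, 80, "S"))
        pkts.append(Packet(0.1 * i + 0.05, "tcp", client, victim, 80, "A"))
    # SYN flood: 40 spoofed sources, one SYN each, none ever completed.
    for i in range(40):
        pkts.append(Packet(1.0 + 0.01 * i, "tcp", f"198.51.100.{i + 1}", victim, 80, "S"))
    # UDP flood: 120 datagrams to port 53 inside one second from one host.
    for i in range(120):
        pkts.append(Packet(2.0 + 0.005 * i, "udp", "203.0.113.7", victim, 53))
    # Ordinary pings: one echo request per second, well under the threshold.
    for i in range(10):
        pkts.append(Packet(float(i), "icmp", "10.0.0.11", victim))
    return pkts


if __name__ == "__main__":
    for kind, hits in detect(sample_packets()).items():
        print(kind, hits)
```

The half-open check is keyed on the destination rather than the source for the reason the SYN flood entry in Table 1 gives: the target is overwhelmed by incomplete connections, and with spoofed sources no single address ever sends enough SYNs to stand out on its own. The rate check is the same measurement the thesis later makes with iptables limits, expressed here as a count per window so the threshold can be tuned against normal traffic before it is enforced.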

Chapter 4: DDoS Attacks Tools

While this paper concentrates on the types of DDoS attacks and the defensive measures against DDoS, it is essential to know the names of the tools used to launch these attacks, and how they have developed. Some of the newer DDoS tools are Low Orbit Ion Cannon (LOIC), High Orbit Ion Cannon (HOIC), Hping and Slowloris.

4.1 Trin00

Trin00 [ 2] was the first known DDoS tool used against the University of Minnesota in

August 1999 and it uses UDP Flooding as attack strategy.

4.2 Tribe Flood Network (TFN)

The Tribe Flood Network (TFN) [3]started to appear after trin00. TFN client and

daemon programs implement a DDoS network capable of applying a number of

approaches, such as ICMP flood, SYN flood, UDP flood, and SMURF style attacks.

4.3 TFN2K

TFN2K is the newer version of TFN [4]. It randomly chooses TCP, UDP or ICMP for its control messages in order to confuse network monitoring, and the commands themselves are encrypted, so TFN2K control traffic is more difficult to track than that of TFN.

4.4 Stacheldraht

Stacheldraht [5] is a DDoS tool that began to appear in the late summer of 1999 and combines features of Trin00 and TFN. It spoofs the source addresses of its attack traffic, encrypts the communication between the attacker and its handlers, and offers a mixture of DoS attacks. The possible attacks are similar to those of TFN, namely ICMP flood, SYN flood, UDP flood and Smurf attacks.


4.5 Shaft

Shaft [6] is modelled after Trin00. Communication between the master and the agents is carried in UDP packets, and the attack implemented is the UDP flood. An important feature of this tool is its ability to switch control master servers and ports in real time, which makes detection by intrusion detection tools difficult.

4.6 Low Orbit Ion Cannon

Low Orbit Ion Cannon (LOIC) was originally developed by Praetox Technologies as an open-source network stress-testing tool. It is a simple flooding tool, able to generate large amounts of TCP, UDP and HTTP traffic with the intention of disrupting the service of a particular server. Because it does not spoof the source address, every participant in a LOIC attack exposes their own IP address to the target.

Figure 9: Low Orbit Ion Cannon Interface GUI

4.7 High Orbit Ion Cannon

High Orbit Ion Cannon (HOIC) is the follow-up to the Low Orbit Ion Cannon (LOIC) DDoS tool and is likewise a simple application with an easy-to-use GUI; it concentrates on HTTP floods and uses "booster" scripts to vary the requests it sends.


Figure 10: High Orbit Ion Cannon Interface GUI

4.8 Hping

Hping is a command-line packet generator that can craft TCP, UDP, ICMP and raw IP packets. It can be used to send large volumes of TCP traffic at a target while spoofing the source IP address, making it appear random (--rand-source) or originate from a specific user-defined address (-a). Its --flood option sends packets as fast as possible without waiting for replies.

Chapter 5: SNORT

5.1 SNORT Introduction

Snort is an open-source intrusion detection system originally developed by Sourcefire, which was acquired by Cisco in 2013. Snort was created in 1998 by Martin Roesch. It is capable of performing real-time traffic analysis and packet logging on IP networks, and it is available for most operating systems (e.g. Linux, Mac OS X, FreeBSD, OpenBSD, other UNIX systems and Windows) [7].


5.2 Intrusion Detection System

Intrusion detection systems (IDS) are an important part of any network security architecture. Network Intrusion Detection Systems (NIDS) perform deep packet inspection on packet headers and payloads to identify malicious activity crossing the network; when deployed inline as an intrusion prevention system they can also block it. Snort is a lightweight intrusion detection system that can log and analyse the packets crossing your network.

5.3 SNORT Architecture

Snort is composed of several components. Figure 11 below represents the major components of a Snort-based IDS:

Figure 11: SNORT IDS Architecture


5.3.1 Packet Decoder

The packet decoder is a series of decoders, each of which decodes specific protocol elements into an internal data structure. It starts with the lower-level data link protocols and works its way up the network stack, decoding each protocol as it goes. As packets move through the decoders, a data structure is filled with the decoded packet data; the data in that structure is then ready to be analysed by the pre-processors and the detection engine. Libpcap is used to capture the raw packets, which ensures that all protocol headers reach Snort unaltered by the OS.

5.3.2 Pre-processors

There are two categories of pre-processors. The first makes the packet suitable for the detection engine to apply rules to: these pre-processors normalise traffic so that the detection engine sees the data the way the end host will, which defeats attacks that try to evade the detection engine by manipulating patterns in the traffic. Defragmenting IP packets (frag3) and reassembling TCP streams (stream5) are tasks of this kind; they are vital because an attack divided across several packets must be reassembled before any rule can match it. The second category performs detection that single-packet rules cannot, such as port-scan detection. The pre-processors enabled in Snort's default configuration are listed in snort.conf.

5.3.3 Detection Engine

The most important part of Snort is the detection engine. It serves two major functions: parsing rules and detecting signatures. By parsing the Snort rules, the detection engine builds attack signatures. The rules are read line by line and loaded into an internal data structure (it is important to write the rules correctly, or the detection engine will fail when loading them). The rules are then grouped by protocol and port, and each packet is checked against the group that applies to it using a fast multi-pattern matcher before the remaining rule options are evaluated, so a malformed or overly broad rule set directly affects throughput.


5.3.4 Logging and Alerting System

Depending on what the detection engine finds inside a packet, the packet may be used to log the activity or to generate an alert. All of the log files are stored under the /var/log/snort folder on a UNIX system by default.

5.3.5 Output Modules

These modules control the output from the Snort detection engine. Normally the alerts and logs go into files in the /var/log/snort directory. By using output modules (for example alert_fast, alert_syslog or unified2), the output can be processed in different formats and messages can be sent to a number of different destinations.

5.3.6 SNORT Modes

Snort is a powerful tool that can be used to monitor attacks and, when run inline, to stop them; an intrusion detection system provides a way to analyse packets and filter traffic based on pre-defined rule sets. Snort is one of the most widely used intrusion detection systems for defending against such attacks and is reasonably easy to install and set up (refer to Appendix A).

Snort has three different modes: sniffer mode, packet logger mode and NIDS mode. Table 3 shows the Snort modes and Figure 12 shows the flowchart of Snort.


Snort Mode            Description
Sniffer Mode          Reads incoming packets and simply displays them on the console.
Packet Logger Mode    Reads incoming packets, displays them and additionally logs the packets to disk.
NIDS Mode             Analyses incoming traffic and matches it against the pre-defined rules.

Table 3: SNORT IDS Modes


Figure 12: SNORT Flow Chart


Chapter 6: DDoS Defence and Classification

DDoS attacks are a difficult problem to solve; their distributed nature makes them extremely difficult to combat or to trace back to the source. Attackers may also use IP spoofing in order to hide their true identity, which makes traceback even more difficult. Our classification of DDoS mechanisms is illustrated in Appendix B.

6.1 Firewall

One of the focuses of this thesis is the freely available Linux firewall IPtables. This chapter discusses what firewalls are, the various firewall technologies, the ways a firewall can be implemented and firewall architectures.

Firewalls are the first component protecting the network. They are located between the Internet and the private network. A firewall is a device widely used to provide network security by refusing unauthorised traffic entry into the private network while allowing authorised traffic to pass, according to predefined rules and policies.


Figure 13: Firewall

Firewalls have some advantages and disadvantages, summarised below:

Advantages

• Firewalls can deny suspicious traffic access to the network at a single enforcement point.

Disadvantages

• Firewalls rely on a predefined set of rules to differentiate legitimate traffic from non-legitimate traffic, so attack traffic that matches an allowed pattern (for example a SYN flood against a permitted port 80) passes through.

• Firewalls cannot examine network traffic between two inside hosts, because they only see traffic that passes through them on its way into or out of the network.

• Although firewalls are an important part of network security, they are not a complete security solution.

• Firewalls cannot protect you against a malicious insider.

6.2 Types of Firewalls

To understand how a firewall works, some basic understanding of the different firewall types that operate at different levels is required. These are packet filter firewalls, stateful inspection firewalls and proxy firewalls.


6.2.1 Packet Filters

Packet filtering is the most common form of firewall: packet filters are fast, simple and widely available. The firewall consists of ordered lists of rules (called chains) and packets are sent through a chain for examination. If the packet passes all the rules defined in the chain, it is forwarded to its destination. If the packet is denied by a rule in the chain, it is dropped or rejected. In IPtables there are three built-in chains in the filter table (INPUT, FORWARD and OUTPUT) and a default policy can be assigned to each chain. Packet filtering firewalls are designed to filter on IP addresses, MAC addresses, protocol, and TCP or UDP ports.

6.2.2 Stateful Firewalls

Stateful inspection firewalls are an enrichment of packet filter technology: instead of judging each packet in isolation they keep a table of connections, so that, for example, a TCP packet is only accepted if it belongs to a connection that was opened through the firewall. They are generally described as more secure than packet filter firewalls. In IPtables, stateful filtering is provided by the connection-tracking (conntrack) match.

6.2.3 Application Proxy Firewalls

Application proxies are the most sophisticated firewalls. The previous two types of firewalls are sometimes both called packet filters. A proxy firewall has numerous advantages over packet filter and stateful firewalls:

• The proxy firewall can examine the entire network packet, including the application payload, rather than just the network addresses and ports.

• A proxy firewall can prevent more attacks than packet filter and stateful firewalls can. For example, a proxy can stop an intruder trying to set up a virtual private network (VPN) by way of tunnelled HTTP requests.

• Extensive logs can be collected, which help the network administrator at several levels.


6.3 Intrusion Detection System (IDS)

Intrusion detection has been a very active research area. By performing intrusion detection, servers and networks can guard themselves against being a source of network attacks as well as against being the victim of a DDoS attack.

Intrusion detection refers to the process of monitoring a system for unauthorised access incidents, which may be violations of the security policy. This means that once an intrusion is detected the IDS generates an alert and provides all the relevant information (time, IP packets, and so forth) that set off the alert.

An IDS can be software or hardware that monitors for anomalies in the surroundings it is to guard. The IDS is built to keep packet throughput high, as inspecting every packet in depth can slow traffic considerably.

Intrusion detection systems can be broadly classified into two types:

• Host based

• Network based

6.4 Host-based IDS

Host-based IDSs analyse suspicious activities by monitoring the state of the host; they do not just monitor traffic but can also detect anomalies at the host level. Host intrusion detection systems are installed locally on host machines, making them a very versatile system compared to a NIDS (network-based IDS). A HIDS can be installed on many different types of machines, namely servers, workstations and notebook computers.

Host-based intrusion detection systems perform all or some of the following operations:

• Detect failed login attempts for the administrator (root) user or any user in general

• Detect sequences of operations that would be anomalous for regular user activity

• Detect unauthorised modification of system binaries

Figure 3 depicts the functioning of a HIDS.

6.5 Network-based IDS

A network-based IDS (NIDS) observes, monitors and analyses network traffic in order to discover suspicious or unauthorised access. It is most commonly deployed at a boundary between networks, alongside routers, firewalls, virtual private network gateways, etc., where it can see all the traffic crossing that boundary.

6.6 Intrusion Prevention Systems (IPS)

The best mitigation strategy against any attack is to prevent the attack completely. In this stage we try to stop DDoS attacks from being launched, or from reaching the victim, in the first place. An intrusion prevention system (IPS) both detects intrusion activities or threats and manages responsive actions against those detected intrusions and threats throughout the network.

Key functions performed by an IPS are:

• IPS detects and takes preventative actions against malicious attacks

• IPS stops the attack itself, for example by dropping the offending packets or resetting the connection

• IPS changes the security environment, for example by reconfiguring a firewall to block the attacking source

• IPS changes the attack's contents, for example by removing a malicious payload before it is delivered

There are many DDoS defence mechanisms that try to prevent systems from being attacked, such as:

• Ingress filtering is an approach in which a router is set up to disallow incoming packets with illegitimate source addresses (for example, packets arriving from the Internet whose source address belongs to the internal network or to a reserved range) into the network.

• Egress filtering is an outbound filter which ensures that only assigned or allocated IP address space leaves the network, so that compromised hosts inside the network cannot send spoofed flood traffic.

• Route-based distributed packet filtering is an approach capable of filtering out a large portion of spoofed IP packets and preventing attack packets from reaching their targets. If a source address appears in an IP packet on a link where, given the routing topology, it should never be seen, then the source address is assumed to have been spoofed and the packet can be filtered.

• History-based IP filtering (HIP) is a filtering mechanism for preventing DDoS attacks in which the router allows incoming packets according to a pre-built IP address database that holds the IP addresses that frequent the network. During an attack the target machine only admits the packets whose source IP addresses belong to the IP address database.

• Disabling unused services is another approach to preventing DDoS attacks, since a port with no listener cannot be exhausted (although the host still spends resources answering with ICMP errors or TCP resets).

• Changing the IP address is a simple response to a DDoS attack: the victim's IP address is invalidated by replacing it with a new one, which helps only until the attacker discovers the new address.

• Disabling IP broadcasts can prevent amplification attacks such as Smurf, but it is only fully successful if all the neighbouring networks disable IP broadcasts as well.

• Load balancing is a simple approach that enables network providers to increase the bandwidth available on critical connections and prevent them from going down in the event of an attack.
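The three address-based filters above (ingress, egress and history-based filtering) reduce to checks on a packet's arriving interface and source address. The Python below is an added example written for this page, not code from the thesis or from any of the cited tools: the site prefix 192.168.204.0/24 is taken from the lab in Chapter 8, while the interface names, the bogon list, the known-source list and the sample packets are constructed assumptions.

```python
"""Source-address filtering checks of the kind a border router would apply.

Added example. Assumptions (not from the thesis): the protected site owns
192.168.204.0/24 behind the interface "inside"; the Internet is reached via
"outside"; the bogon list below is the usual set of ranges that must never be
a source address on the public side.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SITE_PREFIXES = [ip_network("192.168.204.0/24")]

# Ranges that cannot legitimately originate on the Internet side.
BOGON_PREFIXES = [ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]


@dataclass(frozen=True)
class Packet:
    iface: str  # interface the packet arrived on: "outside" or "inside"
    src: str
    dst: str


def _in_any(addr, nets):
    a = ip_address(addr)
    return any(a in n for n in nets)


def ingress_filter(pkt):
    """Ingress filtering: a packet arriving from the Internet must not claim an
    internal or reserved source address; such a packet is spoofed and dropped."""
    if pkt.iface != "outside":
        return "accept"
    if _in_any(pkt.src, SITE_PREFIXES) or _in_any(pkt.src, BOGON_PREFIXES):
        return "drop"
    return "accept"


def egress_filter(pkt):
    """Egress filtering: traffic leaving the site may only carry one of the
    site's own allocated addresses as its source."""
    if pkt.iface != "inside":
        return "accept"
    return "accept" if _in_any(pkt.src, SITE_PREFIXES) else "drop"


def history_filter(pkt, known_sources, under_attack):
    """History-based IP filtering: while an attack is in progress, admit only
    external sources that frequented the network before the attack."""
    if pkt.iface != "outside" or not under_attack:
        return "accept"
    return "accept" if pkt.src in known_sources else "drop"


def filter_packet(pkt, known_sources=frozenset(), under_attack=False):
    """Apply the three filters in order; the first one to drop wins."""
    for name, verdict in (
        ("ingress", ingress_filter(pkt)),
        ("egress", egress_filter(pkt)),
        ("history", history_filter(pkt, known_sources, under_attack)),
    ):
        if verdict == "drop":
            return f"drop ({name})"
    return "accept"


if __name__ == "__main__":
    # Constructed sample traffic: a spoofed inbound packet, a spoofed outbound
    # packet, a known inbound source during an attack, an unknown one during an attack.
    KNOWN = frozenset({"203.0.113.9"})
    for p, attack in (
        (Packet("outside", "192.168.204.5", "192.168.204.132"), False),
        (Packet("inside", "198.51.100.7", "203.0.113.9"), False),
        (Packet("outside", "203.0.113.9", "192.168.204.132"), True),
        (Packet("outside", "198.51.100.77", "192.168.204.132"), True),
    ):
        print(p.src, "->", p.dst, "on", p.iface, ":", filter_packet(p, KNOWN, attack))
```

The history filter only applies once an attack has been declared, which is why it takes the attack flag as input: in normal operation the router must still learn new legitimate sources, otherwise the database would never grow.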


Chapter 7: Literature Review

7.1 Detection and Prevention of DoS/DDoS Attacks

Jelena Mirkovic [7] has looked at the problem of DoS/DDoS attacks in two ways: first, to understand the origin of the problem and all its variations; secondly, the author has presented a defence system called D-WARD that prevents DoS/DDoS attacks from being launched from the networks that deploy it.

Misha Singhal [8] has defined denial of service as a network security problem that poses a serious challenge to the trustworthiness of services deployed on servers. The author notes that many methods have been proposed to stop DoS/DDoS attacks, such as ingress filtering, IP traceback, intrusion detection systems and traffic volume normalisation. In his own work, however, the author has used the firewall as an efficient packet filtering technique to defend against DoS/DDoS attacks.

R. Vijayasarathy [9] has developed an approach to detect DoS attacks based on a naive Bayesian classifier. The author has focused on two transport-layer protocols (TCP and UDP).

Bahaa Qasim [10] has described denial of service as a serious challenge to the reliability of services deployed on servers. The aim of DoS is to exhaust a resource in the target system. The author has discussed an efficient packet filtering technique using a firewall as a defence against DoS/DDoS attacks.

Tao Peng [11] has investigated DoS attacks (including DDoS attacks) and has divided his work into three parts: the first part categorises existing defence mechanisms; the second develops and evaluates three defence models for DoS attacks (the victim model, the victim-router model and the router-router model); the third assesses the effectiveness of these defence models against different types of DoS attack.

R. Sangwook Seo [12] has developed an approach to detect DoS attacks based on a naive Bayesian classifier. The author has focused on two transport-layer protocols (TCP and UDP).


7.2 Firewall used as Intrusion Detection and Prevention System

Rik Busschers [13] describes the different types of attacks executed by Anonymous using LOIC and some of the available defence methods to mitigate the effects of these attacks. He evaluates how effective each of the defences is and which one should be used to protect a website against LOIC attacks.

Koushik Chatterjee [14] describes how the Linux kernel-based packet filter firewall can control the incoming and outgoing traffic on a network. He then introduces a firewall-based design for detecting and preventing the most harmful and hardest-to-detect DoS/DDoS attacks. A packet sniffer tool was used to show the effectiveness and performance of the firewall scripts in mitigating the various kinds of DoS/DDoS attacks.

7.3 SNORT used as Intrusion Detection System

Hifaa Bait Baraka and Huaglory Tianfield [15] presented an implementation of an intrusion detection system to secure virtualised servers on a cloud platform, and validated the intrusion detection system by detecting a DDoS attack against the virtualised environment.

The authors of [16] present an analysis of the major factors affecting the performance and detection capability of Snort and recommend techniques to make Snort a better intrusion detection system (IDS). They used Snort to detect a TCP flooding distributed denial of service attack.

Dac-Nhuong Le [17] has introduced a classification of DDoS attacks, DDoS defence systems and DDoS attack tools. The author defended the IP Multimedia Subsystem of next-generation networks (NGNs) using Snort rules. He concludes that the defence implemented can reduce the effectiveness of the DDoS attack; however, Snort requires the most effort, since attack signatures must be analysed and written manually.

Chapter 8: System Design

8.1 Experiment Outline

This experiment shows how a server is attacked using packet flooding. It shows how to capture the packets using Wireshark and also presents the setup and tools used for the experiment. VMware Workstation is used to set up the lab network environment of the three machines used in this experiment. The attacker machine (Kali Linux) has the IP address 192.168.204.134, the target machine has the IP address 192.168.204.132, and finally a legitimate machine (Ubuntu 12.04) has the IP address 192.168.204.128, as seen in the figure below.

Figure 14: Network Lab Environment


8.2 Activity Diagram

Figure 15: Flow of Implementation Steps


Step 1: VMware Workstation is used for the installation of the Kali Linux, Windows (XP and 7) and Ubuntu 12.04 operating systems.

Step 2: The packet generator hping3 was installed on the attacker machine to generate high-volume traffic towards the victim machine, performing the DoS attack, using the following command.

    # apt-get install hping3

Step 3: Wireshark and Snort IDS were downloaded and installed to capture network packets: Wireshark on the eth0 interface of the Linux victim machine (Ubuntu) and Snort on the Windows XP victim machine. The LOIC DDoS attack tool was downloaded onto the Windows 7 machine.

Step 4: Rules to detect the DDoS attacks were written in the local.rules file, which snort.conf includes.

Step 5: After analysing the Snort log files or the Wireshark capture, IPtables rules were written to block traffic from the attacker machine or the external network.

Step 6: The IPtables rules were verified to be working by again analysing the Snort logs or the Wireshark capture.


Chapter 9: Experiment and Results

In this section, the experiment is composed of two parts:

1) Performing attacks with the Hping tool from the Kali machine as the attacker against the victim machine (Ubuntu), where Wireshark displays those attacks and IPtables rules defend against them.

Figure 16: Experiment 1 (Using IPtable as Defence)


2) Performing attacks using Low Orbit Ion Cannon (LOIC) from the attacker machine (Windows 7) against the victim machine (Windows XP), where Snort is installed and configured to detect these attacks.

Figure 17: Experiment 2 (Using SNORT as IDS/IPS)

9.1 Experiment Objectives

• Gain experience in deploying IPtables

• Use the hping3 attack tool to test the predefined IPtables rules

• Gain experience in deploying and configuring Snort

• Use Low Orbit Ion Cannon (LOIC) to test the Snort rules.


9.2 Experiment 1: SYN Flood Attack with Hping Command

The attacker machine runs the following hping3 command to flood the victim machine with TCP SYN packets.

Figure 18: SYN Flood with Hping Command

Using this command (# hping3 --flood -S -p 80 192.168.204.132), we can establish the following sequence.

    hping3 --flood -S -p 80 192.168.204.132

Option             Description
hping3             Hping packet generator / DoS tool
--flood            Send packets as fast as possible, without waiting for replies
-S                 Set the SYN flag (TCP mode)
-p 80              Send the packets to port 80 on the target machine
192.168.204.132    IP address of the victim machine


Table 4: SYN with Hping command description

Figure 19: Wireshark Output for SYN Flood

As can be seen in Figure 19 above, Wireshark has captured the SYN packets sent by the attacker machine (192.168.204.134) and the SYN-ACK responses of the victim. The victim machine with IP address 192.168.204.132 is responding to every single SYN coming from the attacker machine and holding a half-open connection for each one, and a huge number of these connections will exhaust the victim machine's connection backlog.


9.2.1 Writing an IPtables script to defend against the SYN Flood Attack

IPtables script against the SYN flood. The new chain must be reached from INPUT; without the jump rule the syn-flood chain is never consulted.

    #!/bin/bash
    IPTABLES=/sbin/iptables
    $IPTABLES --flush                        # flush the existing rules
    $IPTABLES -X syn-flood 2>/dev/null       # remove the chain if a previous run created it
    $IPTABLES -N syn-flood                   # create a new chain called syn-flood
    $IPTABLES -A INPUT -p tcp --syn -j syn-flood   # send every incoming TCP SYN to that chain
    $IPTABLES -A syn-flood -m limit --limit 1/s --limit-burst 3 -j RETURN   # an initial burst of 3 SYNs, then 1 SYN per second, are let through
    $IPTABLES -A syn-flood -j DROP           # drop any SYN above the limit
    $IPTABLES -L -v                          # list the rules with packet counters

Note that the limit match is global, not per source: during a flood the attacker consumes the whole allowance, so new connections from legitimate clients are dropped as well. The hashlimit match (--hashlimit-mode srcip) applies the same kind of limit per source address instead.

Table 5: SYN-Flood Protection with IPtable


Figure 20: Wireshark Output after IPtable Protection against SYN Flood

9.3 UDP Flood Attack with LOIC

The attacker machine runs the LOIC DDoS tool to flood the victim machine with UDP packets.


Figure 21: UDP Flood using LOIC DDoS Tool

Figure 22: Wireshark Output After LOIC UDP Attack


As can be seen in Figure 22 above, the victim machine is responding to every UDP packet with an ICMP Destination Unreachable (Port Unreachable) message, because nothing is listening on the flooded port. The victim's CPU and bandwidth are consumed answering the attacker, so legitimate requests are not served while the victim is busy with the flood, as shown in Figure 23 below, where the legitimate Windows XP machine can no longer get a ping reply.

Figure 23: Windows XP unable to ping the Victim Machine (Ubuntu)

9.4 Writing an IPtables script to defend against the LOIC UDP Flood Attack

IPtables script against the LOIC UDP flood. The udp-flood chain is given its own limit rule, like the SYN and ICMP chains; its rules must be appended to udp-flood, not to another chain, or the jump from INPUT has no effect.

    #!/bin/bash
    IPTABLES=/sbin/iptables
    $IPTABLES --flush                        # flush the existing rules
    $IPTABLES -X udp-flood 2>/dev/null       # remove the chain if a previous run created it
    $IPTABLES -N udp-flood                   # create a new chain called udp-flood
    $IPTABLES -A INPUT -p udp -j udp-flood   # jump to the chain for every incoming UDP packet
    $IPTABLES -A udp-flood -m limit --limit 1/s --limit-burst 3 -j RETURN   # allow a burst of 3, then 1 UDP packet per second
    $IPTABLES -A udp-flood -j DROP           # drop UDP packets above the limit
    $IPTABLES -L -v                          # list the rules with packet counters

This is acceptable in the lab because the Ubuntu victim offers no UDP service, but on a real host the same global limit would also drop legitimate UDP traffic such as DNS replies; a per-source hashlimit, or a rule that only limits UDP to ports with no listener, would be needed instead.

Table 6: IPtable Protection against LOIC UDP Flood

9.5 ICMP Flood Attack with Hping Command

The attacker machine runs the following hping3 command to flood the victim machine with ICMP Echo Request packets.

Figure 24: ICMP Flood with Hping Command

    # hping3 -p 80 --flood --icmp 192.168.204.132

Option             Description
hping3             Hping packet generator / DoS tool
-p 80              Destination port; ICMP has no ports, so this option has no effect in ICMP mode and could be omitted
--flood            Send packets as fast as possible, without waiting for replies
--icmp             ICMP mode: send ICMP Echo Request packets
192.168.204.132    IP address of the victim machine (Ubuntu)

Table 7: Description of ICMP with Hping Command

Figure 25: Wireshark Output for ICMP Flood

As can be seen in Figure 25 above, Wireshark has captured the ICMP Echo Request packets sent by the attacker machine (192.168.204.134) and the Echo Reply packets returned by the victim. The victim machine with IP address 192.168.204.132 is responding to every single Echo Request coming from the attacker machine, and the volume of requests and replies will exhaust the victim machine.

Figure 26: Windows XP unable to ping the Victim Machine

The above figure shows that the Windows XP machine could ping the victim machine before the attack, but once the victim machine came under the heavy load of replying to each ICMP Echo Request received from the attacker machine, the legitimate pings timed out.


9.5.1 Writing an IPtables script to defend against the ICMP Flood Attack

The following script contains the IPtables rules used to protect against the ICMP flood from the attacker machine. The rate is written as 1/s; iptables accepts rates only in the form number/second, /minute, /hour or /day.

    #!/bin/bash
    IPTABLES=/sbin/iptables
    $IPTABLES --flush                        # flush the existing rules
    $IPTABLES -X icmp-flood 2>/dev/null      # remove the chain if a previous run created it
    $IPTABLES -N icmp-flood                  # create a chain dedicated to ICMP floods
    $IPTABLES -A INPUT -p icmp -j icmp-flood   # jump to the chain for every incoming ICMP packet
    $IPTABLES -A icmp-flood -m limit --limit 1/s --limit-burst 3 -j RETURN   # allow a burst of 3 pings, then 1 per second
    $IPTABLES -A icmp-flood -j DROP          # drop ICMP packets above the limit
    $IPTABLES -L -v                          # list the rules with packet counters

Table 8: ICMP-Flood Protection with IPtable


Figure 27: IPtables rules to stop ICMP Flood Attacks

Figure 28: Wireshark Output after IPtable Protection against ICMP Flood


As seen in the figure above, the attacker is still sending ICMP Echo Request packets, but the victim machine is no longer replying to the attacker because the IPtables rules defined in the previous table are dropping the requests that exceed the limit.
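The scripts in 9.2.1, 9.4 and 9.5.1 all rely on the same -m limit --limit 1/s --limit-burst 3 match, so it is worth seeing exactly which packets it lets through. The Python below is an added example written for this page, not code from the thesis or from the iptables project: it models the limit match as the token bucket it is (a bucket of burst tokens refilled at the limit rate, one token per passing packet) and runs it over a constructed trace in which the attacker 192.168.204.134 sends 100 pings per second while the legitimate host 192.168.204.128 pings once per second. The per-source variant stands in for what the hashlimit match with --hashlimit-mode srcip does; the timings are constructed, not measured in the lab.

```python
"""Model of iptables' `-m limit --limit 1/s --limit-burst 3` applied to a flood.

Added example, not from the thesis. Time is kept in integer milliseconds and
tokens in integer milli-tokens so that every result is exact.
"""
from collections import defaultdict


class TokenBucket:
    """The limit match: a bucket holding at most `burst` tokens, refilled at
    `rate_per_s` tokens per second; a packet that finds a whole token takes it
    and matches (here: RETURNs to INPUT), otherwise the match fails."""

    def __init__(self, rate_per_s, burst):
        self.rate = rate_per_s            # milli-tokens gained per millisecond
        self.capacity = burst * 1000
        self.tokens = self.capacity       # starts full, so the first `burst` packets pass
        self.last_ms = 0

    def allow(self, t_ms):
        elapsed = t_ms - self.last_ms     # packets must be fed in time order
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.last_ms = t_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


def apply_chain(packets, rate_per_s=1, burst=3, per_source=False):
    """Run (time_ms, src) packets through the flood chain.

    per_source=False models `-m limit` (one bucket shared by every sender).
    per_source=True models hashlimit with --hashlimit-mode srcip (one bucket per
    source). Returns (time_ms, src, verdict) with verdict RETURN (accepted) or DROP.
    """
    buckets = {}
    verdicts = []
    for t_ms, src in packets:
        key = src if per_source else "*"
        if key not in buckets:
            buckets[key] = TokenBucket(rate_per_s, burst)
        verdict = "RETURN" if buckets[key].allow(t_ms) else "DROP"
        verdicts.append((t_ms, src, verdict))
    return verdicts


def flood_trace():
    """Constructed trace, 2 seconds long: the attacker sends an Echo Request every
    10 ms (100 pkt/s); the legitimate host sends one at 0.5 s and one at 1.5 s."""
    attacker = [(10 * i, "192.168.204.134") for i in range(200)]
    legit = [(500, "192.168.204.128"), (1500, "192.168.204.128")]
    return sorted(attacker + legit)


def summarize(verdicts):
    """Count RETURN/DROP verdicts per source address."""
    counts = defaultdict(lambda: {"RETURN": 0, "DROP": 0})
    for _, src, verdict in verdicts:
        counts[src][verdict] += 1
    return dict(counts)


if __name__ == "__main__":
    trace = flood_trace()
    print("shared limit :", summarize(apply_chain(trace)))
    print("per-source   :", summarize(apply_chain(trace, per_source=True)))
```

With the shared bucket the attacker gets the three-packet burst and one packet per second afterwards, while both of the legitimate host's pings are dropped because the attacker has always just emptied the bucket; with a bucket per source the attacker is held to the same four packets but the legitimate pings pass. That is the difference between the scripts above and a hashlimit-based version.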

9.6 Experiment 2: DDoS Defence using SNORT IDS

Snort was installed on the victim machine, in this case Windows XP, to detect and prevent DDoS attacks. After analysis of the attack packets in Wireshark, Snort rules were pre-defined. Snort is one of the most widely used intrusion detection systems for defending against the above-mentioned attacks and is reasonably easy to install and set up. In this section I focused on evaluating the Snort rules triggered by the attacks. As already explained in Chapter 5, Snort can run in three different modes: sniffer mode, packet logger mode and NIDS mode.

For the installation of Snort and LOIC refer to Appendix A and Appendix B. To evaluate the effectiveness of the Snort rules, DDoS attacks were simulated against the target machine (Windows XP) that has Snort installed. The Low Orbit Ion Cannon (LOIC) DDoS tool was used to simulate the attack. This tool has three flooding methods, UDP, TCP and HTTP; the target IP address and port number are shown in Figure 29.

In the LOIC tool, enter the address to attack and set the packet size. Wireshark is used to identify the types of packets that the attacker sends to establish a connection.

9.6.1 UDP Flood Attack with Low Orbit Ion Cannon (LOIC)

The LOIC tool was installed on the second attacker machine (Windows 7). The figure below shows the target IP specified as 192.168.204.128, using UDP flooding to port 21. Snort is then run, the flooding attack is detected, and Snort writes alerts into the log directory (C:\Snort\log, the directory given with -l in Appendix A).


Figure 29: UDP Flood Attack Using LOIC Tool

Figure 30: UDP Alerts and Logs


Figure 31: CPU Usage after the Attack

9.6.2 SNORT detection of the Hping ICMP flood

The hping3 command is used to flood the victim machine with ICMP. The figure below shows the command flooding the victim IP address (192.168.204.128), in this case Windows XP. When Snort runs, the flooding attack is detected and Snort writes alerts into the log directory (C:\Snort\log).


Figure 32: ICMP Flood with Hping Command


Figure 33: ICMP Alerts and Logs

9.6.3 Snort Prevention against LOIC/Hping Attacks

The attack scenario from the Windows 7 machine (using the LOIC tool) and from the Kali Linux machine is performed against the Windows XP machine. The Windows XP machine has been configured with rules intended to prevent these attacks.

The example below shows the rules that were configured on the Snort machine (Windows XP) in the local.rules file, which snort.conf includes. ICMP has no ports, so the port fields of an icmp rule are written as any; the rev keyword records the rule revision, as Snort convention requires.

    drop icmp 192.168.204.134 any -> $HOME_NET any (msg:"DoS/DDoS attack ICMP Flooding"; sid:1000001; rev:1;)

    drop udp 192.168.204.131 any -> $HOME_NET 21 (msg:"DoS/DDoS attack UDP Flooding"; sid:1000002; rev:1;)

After performing the attacks on the victim machine, Figure 34 below shows lower CPU usage and no alerts captured by Snort, from which it was concluded that the above rules, saved in local.rules, deny these attacks the ability to overwhelm the victim machine (Windows XP).

Two caveats apply to this result. First, a drop action only discards packets when Snort runs inline (-Q with an inline-capable DAQ, placed between the attacker and the protected host); in the IDS mode started in Appendix A (-c ... -l ... -i 1), Snort only observes a copy of the traffic and cannot stop it, so a lower CPU reading cannot by itself be attributed to Snort blocking. Second, a drop rule that matches still generates an alert, so an empty alert file means that the rules did not match, not that the flood was blocked silently. As written, the rules also match every ICMP or UDP packet from those two addresses, not only flood rates; Snort's detection_filter option (track by_src, count N, seconds S) restricts a rule to sources that exceed N matching packets in S seconds, which is the behaviour the rule messages describe.

Figure 34: Lower CPU and No logs captured
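The two drop rules above fire on every packet from a named source, whereas the alert messages speak of flooding. The Python below is an added example written for this page, not code from the thesis or from the Snort project: it implements the per-source count/seconds tracking that Snort's detection_filter option (track by_src, count N, seconds S) provides, runs it over a constructed trace (attacker 192.168.204.134 sending 50 ICMP packets per second, a second attacker 192.168.204.131 sending 200 UDP packets per second, and a legitimate host pinging once per second) and formats the alerts in the style of Snort's fast alert output. The window handling is an approximation of Snort's (the window opens at a source's first matching packet and resets when it expires), and the traffic, the thresholds and the legitimate host's address 192.168.204.200 are assumptions.

```python
"""Per-source rate detection in the manner of Snort's detection_filter.

Added example, not from the thesis or Snort. A rule fires for a source only
once that source has produced more than `count` matching packets within
`seconds`, which is what `detection_filter: track by_src, count N, seconds S`
provides; the window model (open at the first packet, reset on expiry) is an
approximation of Snort's implementation.
"""


class RateRule:
    def __init__(self, sid, msg, proto, count, seconds):
        self.sid, self.msg, self.proto = sid, msg, proto
        self.count, self.seconds = count, seconds
        self._windows = {}   # src -> (window_start, packets_seen_in_window)

    def observe(self, t, proto, src, dst):
        """Feed one packet; return an alert line if this packet exceeds the limit."""
        if proto != self.proto:
            return None
        start, n = self._windows.get(src, (t, 0))
        if t - start >= self.seconds:       # window expired: start a fresh one
            start, n = t, 0
        n += 1
        self._windows[src] = (start, n)
        if n <= self.count:                 # within the allowance: no alert
            return None
        # Same field order as Snort's alert_fast output: [gid:sid:rev] msg {proto} src -> dst
        return f"[**] [1:{self.sid}:1] {self.msg} [**] {{{proto}}} {src} -> {dst}"


def default_rules():
    """Rate-limited counterparts of the two rules in Section 9.6.3 (thresholds assumed)."""
    return [
        RateRule(1000001, "DoS/DDoS attack ICMP Flooding", "ICMP", count=20, seconds=1),
        RateRule(1000002, "DoS/DDoS attack UDP Flooding", "UDP", count=20, seconds=1),
    ]


def run_rules(rules, packets):
    """packets: iterable of (time_s, proto, src, dst) in time order. Returns alert lines."""
    alerts = []
    for pkt in packets:
        for rule in rules:
            line = rule.observe(*pkt)
            if line is not None:
                alerts.append(line)
    return alerts


def alerts_by_source(alerts):
    """Count alerts per source address, parsing the src field back out of each line."""
    counts = {}
    for line in alerts:
        src = line.split("} ")[1].split(" -> ")[0]
        counts[src] = counts.get(src, 0) + 1
    return counts


def sample_traffic():
    """Constructed 2-second trace against the Windows XP victim 192.168.204.128."""
    victim = "192.168.204.128"
    icmp_flood = [(i / 50, "ICMP", "192.168.204.134", victim) for i in range(100)]
    udp_flood = [(i / 200, "UDP", "192.168.204.131", victim) for i in range(400)]
    legit = [(0.3, "ICMP", "192.168.204.200", victim), (1.3, "ICMP", "192.168.204.200", victim)]
    return sorted(icmp_flood + udp_flood + legit)


if __name__ == "__main__":
    alerts = run_rules(default_rules(), sample_traffic())
    print(len(alerts), "alerts")
    print(alerts_by_source(alerts))
    print(alerts[0])
```

Each flooding source produces one alert per packet beyond the twentieth in every one-second window, and the legitimate host, which never exceeds the count, produces none; an operator reading the alert file therefore sees the flooding sources and their rates without the rule being tied to a hard-coded attacker address.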

Chapter 10: Conclusion and Further Work

Conclusion

As seen, DoS/DDoS attacks are genuine threats that cause serious damage to many organisations and Internet users. Until a robust defence against DDoS attacks is found, the number of systems that can be attacked and compromised will continue to increase.


IN this work, the study of the defence mechanism against DDoS attacks is exploring

the capability of the firewall. Firewall relies on a set of rules to determine whether

the network traffic is legitimate or not. So these set of rules tell the firewall

whether to consider the traffic as legitimate one or what to do with the network

traffic coming from unauthorized sources.

Major concentration of the thesis has been on capturing and detecting the live

traffic using the network protocol analyser, Wireshark and the intrusion detection

system knows as Snort with the basis IPtables script to allow or deny the network

traffic depending of the set of rules predefined in the IPtables script.

Future Scope

The IPtables system is ideal for a Linux network administrator who wants to configure their firewall according to their needs against unwanted traffic such as DoS/DDoS attacks.

The given work can be extended further using advanced features of IPtables such as NAT and packet redirection.

Another area to focus on could be developing policy scripts using Bro IDS and Security Onion to detect DoS/DDoS attacks, and developing efficient anti-DoS/DDoS defences for Snort IDS.


Appendix A: Installation of Snort for Windows

Snort Installation

Download Snort: visit the Snort.org website (http://www.snort.org).

Download the rules: you must register to get the rules.

Install Snort: double-click the .exe to install Snort.

Extract the rules files: you will need WinRAR for the .gz file. Paste the extracted rules into C:\Snort\rules.

Modify your snort.conf: edit C:\Snort\etc\snort.conf (set the IP address to protect).

Open a command line and navigate to C:\Snort\bin.

Check which interfaces Snort detects:

C:\Snort\bin>snort -W

Start Snort in IDS mode:

snort -c c:\snort\etc\snort.conf -l c:\snort\log -i 1

Generate log files (console alerts plus ASCII logs):

snort -A console -i 1 -c c:\Snort\etc\snort.conf -l c:\Snort\log -K ascii

Table 9: Snort Installation


Appendix B: Installation of Low Orbit Ion cannon

Installation of LOIC Tool in windows

Step 1: Go to "sourceforge.net/projects/loic/"

Step 2: Click Download for the LOIC tool

Step 3: You will see the LOIC-DDoS.exe file

Step 4: Click save and run the tool

Step 5: Copy the URL of the site or IP you want to DDoS

Table 10: Installation of LOIC DDoS Tool
