Detection and Prevention of DoS/DDoS Attacks Using IPtables and Snort Network Intrusion Detection Systems
Sharmarke Xasan Sharif
Submitted in fulfilment for the Honours degree of
Digital Forensic and Cyber Security
School of Informatics and Engineering,
Institute of Technology Blanchardstown,
Dublin, Ireland
© Copyright
By
Sharmarke Xasan Sharif
May, 2015
Sharmarke Xasan Sharif Page 3 of 72
Acknowledgement
I would like to express my deepest gratitude to my parents, who have always been there to support me. I would also like to thank my wife Idil and my two daughters, Ikran and Eman; without their unconditional and absolute support I would never have succeeded in my goals.
I am also greatly thankful to my supervisor, Mark Cummins, whose encouragement, guidance and support from the initial to the final phase enabled me to develop a deep and thorough understanding of the subject.
Also, I extend my regards and blessings to all of those who sustained me in any respect during the culmination of the dissertation.
Special thanks to my thesis editor Ms Alex Glass; she helped me to improve my writing and her advice made my work easier.
Abstract
Nowadays Denial of Service (DoS) attacks have become a hazardous threat to cloud environments and to today’s Internet security, and these attacks are growing rapidly. With new technologies and new techniques, the purpose of these attacks is to prevent regular users from accessing the server. Whatever the reasons behind launching DDoS attacks, they are increasing rapidly.
There are many types of DoS/DDoS attack, but the popular ones are UDP Flood, ICMP Flood and TCP SYN Flood; a summary of these attacks is given later in the thesis.
The aim of DoS/DDoS attacks is to make network services unavailable to legitimate users by overwhelming the victim machine.
This work discusses techniques for using a firewall against DoS/DDoS attacks and also detection with the Snort IDS. Firewall rules were written using the command-line tool in Linux to block or permit traffic coming through the network.
Contents
Acknowledgement ........................................................................................... 3
Abstract ............................................................................................................... 4
Abbreviations and Acronyms .................................................................... 11
Chapter 1: Introduction .............................................................................. 12
1.1 Main Objective .................................................................................................... 12
1.2 Project Objectives and Aims ......................................................................... 12
1.3 Methodology ....................................................................................................... 13
1.4 Boundary Line .................................................................................................... 13
1.5 Thesis Organisation ......................................................................................... 14
1.6 Thesis Time-line ................................................................................................ 15
Chapter 2: An Overview of Denial of Service and
Distributed Denial of Service (DDoS) attacks ..................................... 17
2.1 DoS Attacks..........................................................................................................18
2.2 History of DoS and DDoS Attacks ............................................................... 18
2.3 The goal of DDoS ................................................................................................ 19
2.4 Elements of DDoS ............................................................................................. 19
2.5 Types of DoS/DDoS Attacks ......................................................................... 19
Chapter 3: Methods of DDoS Attacks ...................................................... 20
3.1 Smurf Attack........................................................................................................ 24
3.2 SYN flood Attack ................................................................................................ 25
3.3 UDP flood Attack ............................................................................................... 25
Chapter 4: DDoS Attacks Tools ................................................................. 27
4.1 Trin00 .................................................................................................................... 28
4.2 Tribe Flood Network (TFN) .......................................................................... 28
4.3 TFN2K .................................................................................................................... 28
4.4 Stacheldraht ........................................................................................................ 28
4.5 Shaft ........................................................................................................................ 29
4.6 Low Orbit Ion Cannon ..................................................................................... 29
4.7 High Orbit Ion Cannon .................................................................................... 29
4.8 Hping ...................................................................................................................... 30
Chapter 5: SNORT .......................................................................................... 30
5.1 SNORT Introduction ........................................................................................ 30
5.2 Intrusion Detection System .......................................................................... 31
5.3 SNORT Architecture ......................................................................................... 31
5.3.1 Packet Decoder ............................................................................................... 32
5.3.2 Pre-processors ............................................................................................... 32
5.3.3 Detection Engine ........................................................................................... 32
5.3.4 Logging and Alerting System .................................................................... 33
5.3.5 Output Modules .............................................................................................. 33
5.3.6 SNORT Modes ................................................................................................. 33
Chapter 6: DDoS Defence and Classification ......................................... 36
6.1 Firewall ................................................................................................................ 36
6.2 Types of Firewalls ............................................................................................ 37
6.2.1 Packet Filters .................................................................................................. 38
6.2.1 Stateful Firewalls .......................................................................................... 38
6.3 Intrusion Detection System (IDS) ............................................................. 39
6.4 Host-based IDS .................................................................................................. 39
6.5 Network-based IDS ......................................................................................... 40
6.6 Intrusion Prevention Systems (IPS) ........................................................ 40
Chapter 7: Literature Review ................................................................... 42
7.1 Detection and Prevention DoS/DDoS Attack........................................44
7.2 Firewall used as Intrusion Detection and Prevention System ..... 42
7.3 SNORT used as Intrusion Detection System ......................................... 43
Chapter 8: System Design ........................................................................... 44
8.1 Experiment Outline .......................................................................................... 44
8.2 Activity Diagram ................................................................................................ 46
Chapter 9: Experiment and Results ........................................................ 48
9.1 Experiment Objectives .................................................................................... 49
9.2 Experiment 1: SYN Flood Attack with Hping Command .................. 50
9.2.1 Writing IPtables script to defend against SYN Flood Attack ...... 52
9.3 UDP Flood Attack with Hping Command ................................................ 53
9.4 Writing IPtables script to defend against LOIC UDP Flood Attack ..... 55
9.5 ICMP Flood Attack with Hping Command ............................................. 56
9.5.1 Writing IPtable script to defend against ICMP Flood Attack ...... 59
9.6 Experiment 2: DDoS Defense using SNORT IDS ................................... 61
9.6.1 UDP Flood Attack with Low Orbit Ion Cannon (LOIC) ................. 61
9.6.2 SNORT detection against LOIC attacks ............................................... 63
Chapter 10: Conclusion and Further Work ........................................... 66
Conclusion ................................................................................................................... 66
Future Scope ............................................................................................................... 67
Appendix A: Installation of Snort for Windows .................................. 68
Appendix B: Installation of Low Orbit Ion cannon ............................. 69
Appendix C: References ............................................................................... 69
Project Research Resources ................................................................................. 69
List of Figures
Figure 1: Organisation of Thesis ....................................................................... 15
Figure 2: Project Time-line ................................................................................... 16
Figure 3: DDoS Attack[1] ....................................................................................... 17
Figure 4: DDoS Attack Classification ............................................................... 21
Figure 5: Smurf Flood Attack ............................................................................... 24
Figure 6: SYN Flood Attack ................................................................................... 25
Figure 7: UDP Flood Attack................................................................................... 26
Figure 8: ICMP Flood Attack ................................................................................. 27
Figure 9: Low Orbit Ion Cannon Interface GUI .......................................... 29
Figure 10: High Orbit Ion Cannon Interface GUI ...................................... 30
Figure 11: SNORT IDS Architecture ................................................................. 31
Figure 12: SNORT Flow Chart .............................................................................. 35
Figure 13: Firewall .................................................................................................... 37
Figure 14: Network Lab Environment ........................................................... 44
Figure 15: Flow of Implementation Steps ...................................................... 46
Figure 16: Experiment 1 (Using IPtable as Defence) ............................. 48
Figure 17: Experiment 2 (Using SNORT as IDS/IPS) .............................. 49
Figure 18: SYN Flood with Hping Command ............................................... 50
Figure 19: Wireshark Output for SYN Flood ............................................... 51
Figure 20: Wireshark Output after IPtable Protection against SYN Flood ..... 53
Figure 21: UDP Flood using LOIC DDoS Tool .............................................. 54
Figure 22: Wireshark Output After LOIC UDP Attack ............................ 54
Figure 23: Windows XP unable to ping the Victim Machine (Ubuntu) ..... 55
Figure 24: ICMP Flood with Hping Command ............................................ 56
Figure 25: Wireshark Output for ICMP Flood ............................................ 57
Figure 26: Windows XP unable to ping the Victim Machine .............. 58
Figure 27: IPtables rules to stop ICMP Flood Attacks ........................... 60
Figure 28: Wireshark Output after IPtable Protection against ICMP Flood ..... 60
Figure 29: UDP Flood Attack Using LOIC Tool ........................................... 62
Figure 30: UDP Alerts and Logs.......................................................................... 62
Figure 31: CPU Usage after the Attack............................................................ 63
Figure 32: ICMP Flood with Hping Command ............................................ 64
Figure 33: ICMP Alerts and Logs ........................................................................ 65
Figure 34: Lower CPU and No logs captured ............................................. 66
List of Tables
Table 1: Description of Types of DDoS Attacks ........................................... 22
Table 2: Types of DDoS Attacks at Application Layer ........................... 23
Table 3: SNORT IDS Modes ................................................................................... 34
Table 4: SYN with Hping command description ....................................... 51
Table 5: SYN-Flood Protection with IPtable ............................................... 52
Table 6: IPtable Protection against LOIC UDP Flood ............................. 56
Table 7: Description of ICMP with Hping Command .............................. 57
Table 8: ICMP-Flood Protection with IPtable ............................................ 59
Table 9: SNORT Installation ................................................................................. 68
Table 10: Installation of LOIC DDoS Tool ..................................................... 69
Abbreviations and Acronyms
DoS Denial of Service
DDoS Distributed Denial of Service
SYN Synchronize Sequence Numbers
TCP Transmission Control Protocol
HTTP Hypertext Transfer Protocol
UDP User Datagram Protocol
DNS Domain Name System
ICMP Internet Control Message Protocol
FTP File Transfer Protocol
LOIC Low Orbit Ion Cannon
Chapter 1: Introduction
1.1 Main Objective
The best-known obstacle confronting the Internet and cloud environments today originates from DDoS attacks. With improved technology and sophisticated techniques, it has become very easy for attackers to launch attacks, and there are many tools that overpower servers by launching a Denial of Service.
When it comes to large network environments, it gets much harder to detect these attacks. Consequently, they have become genuine threats that bring down businesses with huge revenue losses.
This research focuses first on DDoS (Distributed Denial of Service) attacks, the types of DDoS attacks and their defence mechanisms. Secondly, this work discusses the efficiency of Iptables in defending against DoS/DDoS attacks, and also the intrusion detection system known as SNORT for detecting these attacks.
1.2 Project Objectives and Aims
DDoS attacks are without question the most potent form of attack carried out by intruders. The main purpose of this study is to provide clear and thorough coverage of the area of DDoS attacks.
In principle, this study attempts to aid DDoS research on the issues related to the field of attack mechanisms. The prime objectives of this paper can be summarised as follows:
- Analyse the details of DDoS attack mechanisms and the principles of DDoS attacks
- Present a novel classification of DDoS attack mechanisms
- Discuss a few of the possible evolutions of DDoS attack mechanisms
- What are the different types of DDoS attacks?
- What are the available defence methods?
- What are the different methods to mitigate the effects of DDoS attacks?
- Propose an infrastructure that can stop a DDoS attack quickly, and assess its cost effectiveness
Based on this infrastructure, a complete solution for the DDoS attack problem can then be achieved.
1.3 Methodology
This section describes the steps and methods employed in order to reach the goal of this report:
- First, define the problem
- Collect pertinent data
- Break down the problem and select a resolution
- Test these and other features implementing our solution
1.4 Boundary Line
In this thesis, the chosen focus of the research is how to prevent DDoS attacks using the Iptables firewall and SNORT (an intrusion detection system tool). This thesis is intended for readers with a computer background and basic knowledge of computer security. It is recommended that the reader has previous experience with the Linux command line.
1.5 Thesis Organisation
The structure of the thesis is illustrated in the figure below.
Chapter 2 provides an overview of the field of Denial-of-Service attacks, including a glance at the history of DoS attacks and an introduction to the subject of DDoS. The chapter is largely based on the literature review. Chapter 2 also provides a figure and an overview of the classification, and explains the functions of the main classes of the classification.
Chapter 3 covers the methods of DDoS attack mechanisms at length. It details the DoS attack mechanisms in theory and in practice as they relate to Smurf, SYN, UDP and ICMP attacks.
Chapter 4 discusses in detail the various types of DDoS attack tool.
Chapter 5 gives an insight into the Intrusion Detection System (SNORT) and the components of the Snort architecture.
Chapter 6 discusses the literature review papers related to the topic discussed within the thesis.
Chapter 7 demonstrates the practicality of the implementation and the system design.
Chapter 8 concludes the study. A review and discussion of the most important results achieved is presented. In addition, topics for further research are proposed.
Figure 1: Organisation of Thesis
1.6 Thesis Time-line
Figure 2: Project Time-line
Chapter 2: An overview of Denial of Service and
Distributed Denial of Service (DDoS) attacks
A Distributed Denial of Service (DDoS) attack is a powerful version of a DoS attack and poses a grave risk to today’s Internet. The term “Distributed Denial of Service” (DDoS) originates from “Denial of Service” (DoS), which in computing represents an attempt to stop the victim(s) from serving, preventing legitimate users from accessing the service.
This is done by sending an overwhelming quantity of packets from multiple attack sites to a victim site, so that the key resources of the victim (bandwidth, CPU) are quickly exhausted, whereas a DoS attack damages a single computer and denies all forms of access to it. The term Distributed Denial of Service (DDoS) attack comes from the DoS attack.
Figure 3: DDoS Attack[1]
2.1 DoS Attack
Denial of Service (DoS) attacks are intended to shut down the servers or targeted machine for a period of time, during which the server is unable to handle requests from legitimate users.
2.2 History of DoS and DDoS Attacks
DoS/DDoS attacks have not been around with any significance for very long in the history of IT, but in little more than a decade they have become a worldwide threat that shows no sign of abating, or even diminishing, any time soon.
Initially, in the early 1990s, DoS attacks started with a single user attacking another user with a single click of a button. In the late 1990s, sets of compromised computers controlled by attackers, technically called “Botnets”, were formed. These Botnets resulted in the formation of Distributed Denial of Service attacks. In February 2000, something previously unseen in the history of the Internet occurred: the wave of massive DDoS attacks began. Among many other news sites, BBC News reported that Yahoo! was brought down for three hours (BBC News 2000). A day later eBay, Buy.com, CNN.com and Amazon.com were all under heavy DDoS attack, as reported by the Seattle Post-Intelligencer (2000). Almost all of these companies had a significant presence on the Internet. In 2004, these attacks were used for hire and extortion. Most recently, in 2007 and 2008, these attacks were widely used against political dissident groups and even against the Republic of Georgia during its military conflict with Russia.
Overall, a lot has happened during the past few years in the DDoS field as a whole. The considerable power of DDoS attacks has been noted everywhere, as verified by the events discussed above.
2.3 The goal of DDoS
The objective of a DoS/DDoS attack is to harm and damage the victim, either for individual reasons, for material gain (damaging competitors' resources) or for popularity.
2.4 Elements of DDoS
A DDoS attack uses many computers to launch a coordinated attack against one or more targets. A DDoS attack is made up of four elements, as illustrated in the figure above.
Attacker/Attacking Hosts: The mastermind behind the real attack, who compromises the victim machine by relying on brute force to overload the victim’s resources.
Agent/Handler: These programs coordinate the attack on the victim through the agents and install the attack software on them.
Attack Daemon Agents (Zombies): These programs are actually responsible for carrying out the attack on the targeted victim and for generating a stream of packets toward the victim.
Target Machine: It receives the brunt of the attack, which totally overwhelms the victim host.
2.5 Types of DDoS Attacks
As Distributed Denial-of-Service attacks are launched from multiple computers to make the resources of a targeted system less accessible to its intended users, there are three types of DDoS attack: Volume-Based Attacks, Protocol-Based Attacks and Application Layer Attacks [2].
Volume-based attacks: These mainly include TCP flood, ICMP flood, UDP flood and spoofed-packet flood attacks. Their aim is to consume the bandwidth of the attacked sites, making the service unavailable to its legitimate users. These attacks can be direct DDoS attacks or reflector DDoS attacks.
Protocol-based attacks: These attacks attempt to consume the connection state tables present in infrastructure such as load balancers, firewalls and the application servers. They include SYN floods, fragmented packet attacks, Ping of Death, Smurf DDoS and more. This type of attack consumes the actual servers’ useful resources or those of intermediary communication devices, such as firewalls and load balancers, and is measured in packets per second.
Application-based attacks: These attacks send what appear to be regular HTTP requests, and are more efficient than TCP or UDP attacks.
Chapter 3: Methods of DDoS Attacks
There are a number of techniques used to initiate and launch these attacks; however, most of them involve sending large amounts of packets to the target machine so that its networking capacity is overflowed and no legitimate user is allowed access.
In order to understand DoS/DDoS attacks it is absolutely necessary to have a DoS/DDoS classification. The taxonomy created by Mirkovic and Reiher (2004) classifies DDoS attacks according to the characteristics of the attack. There is a wide variety of DDoS attacks that can be combined into a fully effective attack; it is highly recommended to know the full taxonomy classification of DDoS attacks (refer to Appendix A). We propose a classification of DDoS attacks that efficiently combines the classifications proposed by Mirkovic [1].
Figure 4: DoS/DDoS Attack Classification
Types of DoS/DDoS Attacks (Network and Transport Layer)
SYN Flood: A connection is initiated between the source system and the target. The target system responds with a SYN-ACK message for each SYN message it receives. The source never sends back the final ACK message, so the target system is overwhelmed with incomplete connections.
UDP Flood: The attacker sends UDP packets to all ports of the target machine. The victim system is overloaded while processing the UDP packets and attempting to send reply messages to the source system.
UDP Fragmentation: The attacker uses large, fragmented, forged packets to consume more bandwidth, and the target expends CPU resources on them.
ICMP Flood: Normally these packets are used legitimately, but if used for a DDoS attack they can overwhelm the target system.
Ping Attacks: During a ping flood the target system receives spoofed pings at a very high packet rate, and the victim machine is overwhelmed by the large number of incoming ping packets.
Smurf: All the systems that receive the ICMP Echo Request messages reply to the spoofed source IP address with ICMP Echo Reply messages, thereby overloading the target system.
DNS Attacks: A high rate of spoofed DNS request packets overwhelms the target machine.
ACK and Push Flood: The victim system receives a stream of ACK packets, and the ACK flood exhausts the victim’s resources.
Fragmented ACK: These packets consume bandwidth.
Table 1: Description of Types of DDoS Attacks
Types of DoS/DDoS Attacks (Application Layer)
HTTP Floods: The attacker sends large amounts of legitimate-looking requests to an application, which can exhaust all the server’s processing capability. The attacker sends a SYN packet and the target responds with a SYN-ACK; the three-way handshake is then completed with an ACK packet, so the requests arrive over fully established connections.
SMTP Floods: Spammers send a flood of traffic that overwhelms an email server.
Slow HTTP POST: Sends headers to signal how much data is to be sent, but then sends the data very slowly, using thousands of HTTP POST connections to DDoS the web server.
Slowloris: Sends partial requests to the target server, opening connections and then sending HTTP headers, adding to but never completing the request.
Table 2: Types of DDoS Attacks at Application Layer
3.1 Smurf Attack
In a “Smurf attack”, the victim is flooded with a huge quantity of Internet Control Message Protocol (ICMP) echo reply packets. Attackers use ICMP echo request packets to generate these attacks. The result is that the victim’s machine(s) are subjected to network congestion that could potentially make the network unusable.
Figure 5: Smurf Flood Attack
3.2 SYN flood Attack
This is a TCP SYN attack which sends a large number of SYN requests faster than the targeted machine can handle them, pushing the network past its saturation point and making it impossible for legitimate traffic to get through.
3.3 UDP flood Attack
This approach involves sending a stream of UDP packets to the target victim machine, depleting its bandwidth and saturating the network so that legitimate service requests to the victim system are overwhelmed. The attacker sends UDP packets to one or more ports on the victim machine.
Figure 6: SYN Flood Attack
3.4 ICMP flood Attack
ICMP Flood attacks exploit ICMP (Internet Control Message Protocol), in which a host sends an echo request to a remote machine to determine whether it is alive. In a DDoS ICMP flood, the attacker sends a large quantity of ICMP Echo Request (ping) packets as fast as possible at the victim without waiting for replies. The victim responds to each ICMP Echo Request (ping) packet from the attacker, which saturates all the available bandwidth of the victim machine.
Figure 7: UDP Flood Attack
Figure 8: ICMP Flood Attack
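As an added illustration (not part of the thesis), the following Python script applies the three attack descriptions above as detection logic over a constructed packet capture: it counts half-open TCP connections per source for SYN floods, distinct UDP destination ports per source for UDP floods, and ICMP echo requests per source per time window for ICMP floods. The victim address, the thresholds and the sample packets are assumptions made for this example.

```python
"""Flood detector for the SYN, UDP and ICMP floods described in Chapter 3.

Added example; the packet records are constructed, not captured traffic, and
the thresholds are assumptions chosen for this sample, not Snort defaults.
Each Pkt is one packet as seen at the victim: attacker packets carry the
victim address as dst, victim replies carry it as src.
"""
from collections import defaultdict
from typing import NamedTuple, Optional


class Pkt(NamedTuple):
    ts: float             # seconds since capture start
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    proto: str            # "tcp" | "udp" | "icmp"
    info: frozenset       # tcp: flag names; icmp: {"echo-request"} / {"echo-reply"}


HALF_OPEN_LIMIT = 5   # SYN flood: half-open connections left by one source
UDP_PORT_LIMIT = 5    # UDP flood: distinct destination ports hit by one source per window
ICMP_RATE_LIMIT = 10  # ICMP flood: echo requests from one source per window
WINDOW = 1.0          # seconds; per-window counters approximate a rate limit


def detect_floods(packets, victim):
    """Return sorted (attack, source_ip) alerts for traffic aimed at `victim`."""
    half_open = defaultdict(set)    # src -> {sport} that sent SYN but no final ACK
    udp_ports = defaultdict(set)    # (src, window) -> {dport}
    icmp_count = defaultdict(int)   # (src, window) -> echo requests seen
    alerts = set()
    for p in sorted(packets, key=lambda q: q.ts):
        if p.dst != victim:
            continue                # the victim's own replies are not counted
        window = int(p.ts // WINDOW)
        if p.proto == "tcp":
            if p.info == frozenset({"SYN"}):
                half_open[p.src].add(p.sport)       # victim will answer with SYN-ACK
            elif "ACK" in p.info or "RST" in p.info:
                half_open[p.src].discard(p.sport)   # handshake completed or torn down
            if len(half_open[p.src]) >= HALF_OPEN_LIMIT:
                alerts.add(("SYN flood", p.src))
        elif p.proto == "udp":
            udp_ports[(p.src, window)].add(p.dport)
            if len(udp_ports[(p.src, window)]) >= UDP_PORT_LIMIT:
                alerts.add(("UDP flood", p.src))
        elif p.proto == "icmp" and "echo-request" in p.info:
            icmp_count[(p.src, window)] += 1
            if icmp_count[(p.src, window)] >= ICMP_RATE_LIMIT:
                alerts.add(("ICMP flood", p.src))
    return sorted(alerts)


VICTIM = "192.168.1.10"   # constructed lab address


def tcp(ts, src, sport, dst, dport, *flags):
    return Pkt(ts, src, sport, dst, dport, "tcp", frozenset(flags))


def ping(ts, src, dst):
    return Pkt(ts, src, None, dst, None, "icmp", frozenset({"echo-request"}))


def sample_traffic():
    """Constructed capture: one legitimate client per protocol plus one flooder each."""
    pkts = [tcp(0.00, "10.0.0.7", 50000, VICTIM, 80, "SYN"),        # normal handshake
            tcp(0.01, VICTIM, 80, "10.0.0.7", 50000, "SYN", "ACK"),
            tcp(0.02, "10.0.0.7", 50000, VICTIM, 80, "ACK")]
    for i in range(6):                                               # SYN flooder
        pkts.append(tcp(0.10 + i * 0.01, "10.0.0.5", 40000 + i, VICTIM, 80, "SYN"))
        pkts.append(tcp(0.105 + i * 0.01, VICTIM, 80, "10.0.0.5", 40000 + i, "SYN", "ACK"))
    for port in range(1, 9):                                         # UDP port sweep
        pkts.append(Pkt(0.30 + port * 0.01, "10.0.0.9", 33333, VICTIM, port, "udp", frozenset()))
    pkts += [ping(0.50, "10.0.0.13", VICTIM), ping(1.50, "10.0.0.13", VICTIM)]  # normal pings
    pkts += [ping(0.60 + i * 0.01, "10.0.0.11", VICTIM) for i in range(12)]     # ICMP flooder
    return pkts


if __name__ == "__main__":
    for attack, src in detect_floods(sample_traffic(), VICTIM):
        print("ALERT %s from %s" % (attack, src))
```

The legitimate client completes its handshake and is never counted as half-open, and the two spaced-out pings fall into different windows, so only the three flooders raise alerts.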
Chapter 4: DDoS Attacks Tools
While this paper concentrates on the types of DDoS attacks and defensive measures against DDoS, it is essential to know the names of the tools used to launch these attacks and how they have evolved. Some of the newer DDoS tools are Low Orbit Ion Cannon (LOIC), High Orbit Ion Cannon (HOIC), Hping and Slowloris.
4.1 Trin00
Trin00 [2] was the first known DDoS tool, used against the University of Minnesota in August 1999; it uses UDP flooding as its attack strategy.
4.2 Tribe Flood Network (TFN)
The Tribe Flood Network (TFN) [3] started to appear after trin00. TFN client and daemon programs implement a DDoS network capable of applying a number of approaches, such as ICMP flood, SYN flood, UDP flood and Smurf-style attacks.
4.3 TFN2K
This is the newer version of the TFN attack [4]. It randomly chooses TCP, UDP or ICMP for its messages to confuse any network monitoring; therefore it is more difficult to track TFN2K traffic.
4.4 Stacheldraht
Stacheldraht [5] is a DDoS tool that began to appear in the late summer of 1999 and combines features of trin00 and TFN. It conceals the source addresses of its traffic and includes a mixture of DoS attacks. The possible attacks are similar to those of TFN, namely ICMP flood, SYN flood, UDP flood and Smurf attacks.
4.5 Shaft
Shaft [6] is modelled after Trin00. Communication between the master and the slaves uses UDP packets, and the attack implemented is the UDP flood. An important feature of this tool is its ability to switch control master servers and ports in real time, thereby making detection by intrusion detection tools difficult.
4.6 Low Orbit Ion Cannon
Low Orbit Ion Cannon (LOIC) was originally developed by Praetox Technologies as an open-source network testing tool. It is a simple flooding tool, able to generate massive amounts of TCP, UDP and HTTP traffic with the intention of disrupting the service of a particular server.
Figure 9: Low Orbit Ion Cannon Interface GUI
4.7 High Orbit Ion Cannon
This tool is the follow-up to the Low Orbit Ion Cannon (LOIC) DDoS tool and is also a simple application with an easy-to-use GUI.
Figure 10: High Orbit Ion Cannon Interface GUI
4.8 Hping
Hping can be used to send large volumes of TCP traffic at a target while spoofing
the source IP address, making it appear random or even originating from a specific
user-defined source.
Chapter 5: SNORT
5.1 SNORT Introduction
Snort is an open-source intrusion detection system developed by Sourcefire. Snort was created in 1998 by Martin Roesch. It is capable of performing real-time traffic analysis and packet logging on IP networks. Snort is compatible with most operating systems (e.g. Linux, Mac OS X, FreeBSD, OpenBSD, UNIX and Windows) [7].
5.2 Intrusion Detection System
Intrusion Detection Systems (IDS) are an important part of any network security architecture. Network Intrusion Detection Systems (NIDS) perform deep packet inspection on packet payloads to identify, prevent and inhibit malicious attacks over the Internet. Snort is a lightweight intrusion detection system that can log packets coming across your network.
5.3 SNORT Architecture
Snort is composed of multiple parts. Figure 11 below shows the major
components of a Snort-based IDS:
Figure 11: SNORT IDS Architecture
5.3.1 Packet Decoder
The packet decoder is a series of decoders, each of which decodes specific protocol
elements into an internal data structure. It starts with the lower-level data link
protocols and works its way up the network stack, decoding each protocol as it
goes. As packets move through the decoders, a data structure is filled with the
decoded packet data. The data stored in this structure is then ready to be
analysed by the pre-processors and the detection engine. Libpcap is used to
capture the raw packets, which makes sure that all protocol headers are left
unaltered by the OS.
5.3.2 Pre-processors
There are two categories of pre-processors. The first purpose is to make the packet
suitable for the detection engine to apply rules to it. The main goal of these pre-
processors is to defeat attacks that try to evade the detection engine by
manipulating patterns in the traffic. Defragmenting packets is also a task for the
pre-processor. This is vital because, before any rules may be applied, the packet
must be reassembled; otherwise the engine could be misled by attacks that
have been divided into several packets. The pre-processors used by SNORT in the
default configuration are listed below.
5.3.3 Detection Engine
The most important part of SNORT is the detection engine. It serves two major
functions: parsing rules and detecting signatures. By parsing the SNORT rules, the
detection engine builds attack signatures. The rules are read line by line and loaded
into an internal data structure (it is important to write the rules correctly, or the
detection engine will fail when loading them into the internal data structure). All
traffic is then run through the loaded rule set in the order in which the rules were
loaded into memory.
5.3.4 Logging and Alerting System
Depending upon what the detection engine finds inside a packet, the packet may be
used to log the activity or to generate an alert. All of the log files are stored under
the /var/log/snort folder on a UNIX system by default.
5.3.5 Output Modules
These modules are used to control the output from SNORT detection engine.
Normally the alerts and logs go into files in the /var/log/snort directory. By using
these output modules, outputs can be processed and messages can be sent to a
number of different destinations.
5.3.6 SNORT Modes
Snort is a powerful tool that can be used to monitor and stop attacks: an
intrusion detection system can analyse packets and filter traffic based on
pre-defined rule sets. SNORT is one of the most used intrusion detection
systems to defend against such attacks and is reasonably easy to install
and set up (refer to Appendix A).
Snort has three different modes: sniffer mode, packet logger mode and IDS
mode. Table 1 shows the SNORT modes and figure 2 shows the flowchart of
SNORT.
Snort Mode           Description
Sniffer Mode         This mode only reads incoming packets and simply displays them.
Packet Logger Mode   This mode reads incoming packets, displays them and additionally
                     logs the packets to disk.
NIDS Mode            In this mode, SNORT analyses incoming traffic and matches it
                     against the pre-defined rules.
Table 3: SNORT IDS Modes
Figure 12: SNORT Flow Chart
Chapter 6: DDoS Defence and Classification
DDoS attacks are a difficult problem to solve, and the distributed nature of DDoS
attacks makes them extremely difficult to combat or to trace back to the
source. Attackers may also use IP spoofing in order to hide their true identity, and
this makes the traceback even more difficult. Our classification of DDoS mechanisms
is illustrated in Appendix B.
6.1 Firewall
One of the focuses of this thesis is the freely available Linux firewall IPtables. This
chapter discusses what firewalls are, the various types of firewall technologies, the ways
a firewall can be implemented and firewall architectures.
Firewalls are the first component protecting the network. They are located between
the internet and the private network. A firewall is a device widely used to provide
network security: it stops unauthorized traffic from penetrating into the private
network while allowing authorized traffic to pass through the network
according to predefined rules and policies.
Figure 13: Firewall
Firewalls have some advantages and disadvantages, which are summarized below:
Advantages
• Firewalls can deny suspicious traffic access to the network.
Disadvantages
• Firewalls use a predefined set of rules to differentiate legitimate traffic
from non-legitimate traffic.
• Firewalls cannot examine network traffic between two inside hosts,
because they can only examine traffic passing through the network from
the outside.
• Although firewalls are an important part of network security, they are
not a complete security solution.
• Firewalls cannot protect you against a malicious insider.
6.2 Types of Firewalls
To understand how a firewall works, some basic understanding of the different
firewall types that exist at different levels is required. These are packet filter
firewalls, stateful inspection firewalls and proxy firewalls.
6.2.1 Packet Filters
Packet filtering is the most used firewall type: packet filters are fast, simple and
widely available. The firewall consists of a set of rules (called a chain), and packets
are sent into the chain for examination. If the packet passes all the rules defined in
the chain, it is forwarded to its destination. If the packet is denied by the predefined
set of rules in the chain, it is dropped or rejected. By default there are
three chains (INPUT, FORWARD and OUTPUT), and actions can be assigned
to each chain. Packet filtering firewalls are designed to filter on IP addresses,
MAC addresses and TCP or UDP ports.
6.2.2 Stateful Firewalls
Stateful inspection firewalls are an enrichment of packet filter technology, and they
are generally described as more secure than packet filter firewalls.
Application proxies are the most sophisticated firewalls. The previous two types of
firewall are sometimes both called packet filters. A proxy firewall has numerous
advantages over packet filter and stateful firewalls. These advantages are:
• The proxy firewall can examine the entire network packet rather than just
the network addresses and ports.
• A proxy firewall can prevent more attacks than packet filter and stateful firewalls
can. For example, a proxy can stop an intruder trying to set up a virtual
private network (VPN) through tunnelled HTTP requests.
• Extensive logs can be collected, which help the network administrator at
several levels.
6.3 Intrusion Detection System (IDS)
Intrusion detection has been a very active research area. By performing intrusion
detection, servers and networks can guard themselves against being a source of
a network attack as well as against being the victim of a DDoS attack.
Intrusion detection refers to the process of monitoring the system for unauthorised
access incidents, which may be violations of the security policy. This means that
once an intrusion is detected the IDS generates an alert and provides all the
relevant information (time, IP packets, and so forth) that set off the alert.
An IDS can be software or hardware that monitors for anomalies in the environment
it is meant to guard. The IDS has to operate efficiently in order to maintain
packet throughput, as inspecting every packet can slow traffic considerably.
Intrusion detection systems can be broadly classified into two types:
• Host based
• Network based
6.4 Host-based IDS
Host-based IDSs analyse suspicious activities by monitoring the state of the host:
they do not just monitor traffic but can also detect anomalies at the host level.
Host intrusion detection systems are installed locally on host machines, making them
very versatile compared to NIDS (network-based). HIDS can be installed on
many different types of machines, namely servers, workstations and notebook
computers.
Host-based intrusion detection systems perform all or some of the following
operations:
• Detect failed login attempts for the administrator (root) user or any user in
general
• Detect sequences of operations that could be anomalous to regular user
activity
• Detect unauthorized modification of system binaries
Figure 3 depicts the functioning of HIDS.
6.5 Network-based IDS
Network-based IDS (NIDS) observe, monitor and analyse network traffic in order to
discover suspicious unauthorized access. It is most commonly deployed at a
boundary between networks such as routers, firewalls, virtual private networks
etc.
6.6 Intrusion Prevention Systems (IPS)
The best mitigation strategy against any attack is to prevent the attack completely.
In this stage we try to stop DDoS attacks from being launched in the first place.
Intrusion prevention is the process of both detecting intrusion
activities or threats and managing responsive actions to those detected intrusions
and threats throughout the network.
Key functions performed by an IPS are:
• IPS detects and takes preventative actions against malicious attacks
• IPS stops the attack itself
• IPS changes the security environment
• IPS changes the attack’s contents
There are many DDoS defence mechanisms that try to protect systems from
attacks, such as:
• Ingress filtering is an approach that sets up a router to disallow
incoming packets with illegitimate source addresses into the network.
• Egress filtering is an outbound filter which ensures that only assigned or
allocated IP address space leaves the network.
• Route-based distributed packet filtering is an approach capable of
filtering out a large portion of spoofed IP packets and preventing attack
packets from reaching their targets. If an unexpected source address
appears in an IP packet on a link, it is assumed that the source address
has been spoofed, and hence the packet can be filtered.
• History-based IP filtering (HIP) is a filtering mechanism for preventing
DDoS attacks in which the router admits incoming packets according to a
pre-built IP address database that keeps all the IP addresses that frequent
the network. During an attack, the target machine only admits packets
whose source IP addresses belong to the IP address database.
• Disabling unused services is another approach to preventing DDoS
attacks.
• Changing the IP address is a simple response to a DDoS attack: the victim
computer's IP address is invalidated by replacing it with a new one.
• Disabling IP broadcasts can prevent DDoS attacks, but it can
only be successful if all the neighboring networks disable IP broadcasts too.
• Load balancing is a simple approach that enables network providers to
increase the bandwidth provided on critical connections and prevent them
from going down in the event of an attack.
Chapter 7: Literature Review
7.1 Detection and Prevention of DoS/DDoS Attacks
Jelena Mirkovic [7] has looked at the problem of DoS/DDoS attacks in two ways:
first, to understand the origin of the problem and all its variations; secondly, the
author has presented a defense mechanism called D-WARD that prevents
DoS/DDoS attacks from the networks in which it is deployed.
Misha Singhal [8] has defined Denial-of-Service as a network security problem that
poses a serious challenge to the trustworthiness of services deployed on servers.
The author has noted that there are many proposed methods which aim to
stop DoS/DDoS attacks, such as ingress filtering, IP traceback,
intrusion detection systems and traffic volume normalization. However, in this
work the author has used the firewall as an efficient packet filtering technique to
defend against DoS/DDoS attacks.
R. Vijayasarathy [9], the author has developed an approach to detect DoS attacks
based on Naïve Bayesian classifier. The author has focused on two transport layers
(TCP and UDP).
Bahaa Qasim [10] has described Denial-of-Service as a serious challenge to the
reliability of services deployed on servers. The aim of DoS is to exhaust a
resource in the target system. The author has discussed an efficient packet
filtering technique using a firewall as the defence against DoS/DDoS attacks.
Tao Peng [11] has investigated DoS attacks (including DDoS attacks) and
has divided his work into three parts: the first part was to categorize existing
defense mechanisms, the second to develop and evaluate three defense
models for DoS attacks (Victim model, Victim-Router model and Router-Router
model), and the third to assess the effectiveness of his defense models against
different types of DoS attacks.
R. Sangwook Seo [12] has developed an approach to detect DoS attacks
based on a Naïve Bayesian classifier. The author has focused on two transport layer
protocols (TCP and UDP).
7.2 Firewall used as Intrusion Detection and Prevention System
Rik Busschers [13] describes the different types of attacks executed by
Anonymous using LOIC and also some of the available defense methods to mitigate the
effects of these attacks. He evaluates how effective each of the defences is and which
one should be used to protect a website against LOIC attacks.
Koushik Chatterjee [14] describes how the Linux kernel-based packet filter firewall
can control the incoming and outgoing traffic on a network. He then
introduces a firewall-based design for detecting and preventing the most
harmful and difficult-to-detect DoS/DDoS attacks. A packet sniffer tool was used to
show the effectiveness and performance of the firewall scripts in mitigating the
various kinds of DoS/DDoS attacks.
7.3 SNORT used as Intrusion Detection System
Hifaa Bait Baraka and Huaglory Tianfield [15] have presented in their paper an
implementation of an intrusion detection system to secure virtualized servers on a
cloud platform, and validated the intrusion detection system in detecting DDoS attacks
against the virtualized environment.
The authors of [16] present an analysis of the major factors affecting the
performance and detection capability of Snort and recommend techniques to
make Snort a better intrusion detection system (IDS). They have used Snort to
detect a TCP flooding distributed denial of service attack.
Dac-Nhuong Le [17] has introduced a classification of DDoS attacks, DDoS defense
systems and DDoS attack tools. The author used the IP Multimedia Subsystem of NGNs
with Snort rules. He concludes that the defense implemented can control the
effectiveness of the DDoS attack. However, Snort requires the most effort to manually
analyse and write attack signatures.
Chapter 8: System Design
8.1 Experiment Outline
This experiment shows how a server is attacked using packet flooding. It
shows how to capture the packets using Wireshark and also presents the setup and
tools used for the experiment. VMware Workstation is used to set up the lab
network environment of the three machines used in this experiment. The attacker
machine (Kali Linux) has IP address 192.168.204.134, the target machine has
IP address 192.168.204.132 and finally the legitimate machine (Ubuntu 12.0.4)
has IP address 192.168.204.128, as seen in the figure below.
Figure 14: Network Lab Environment
8.2 Activity Diagram
Figure 15: Flow of Implementation Steps
Step 1: VMware Workstation is used for the installation of the operating systems:
Kali Linux, Windows XP and Ubuntu 12.0.4 are all installed on it.
Step 2: The DDoS packet generator hping3 was installed on the attacker machine to
generate high-volume traffic towards the victim machine, performing the DDoS attack,
using the following command.
# apt-get install hping3
Step 3: Wireshark and Snort IDS are downloaded and installed to capture network
packets on the eth0 interface of the victim machine (Windows XP), and the LOIC
DDoS attack tool is downloaded on the Windows 7 machine.
Step 4: Write rules in snort.conf to detect the DDoS attack (local.rules file).
Step 5: After analysing the log files in Snort or in Wireshark, write IPtables
rules to block traffic from the attacker machine or the external network.
Step 6: Verify that the IPtables rules created are working by again analysing the Snort
logs or Wireshark.
Chapter 9: Experiment and Results
In this section, the experiment is composed of two parts:
1) Performing attacks using the Hping tool from the Kali machine (the attacker)
against the victim machine (Ubuntu), where Wireshark displays those attacks
and IPtables rules defend against them.
Figure 16: Experiment 1 (Using IPtable as Defence)
2) Performing attacks using Low Orbit Ion Cannon (LOIC) from the attacker
machine (Windows 7) against the victim machine (Windows XP), where Snort is
installed and configured to detect these attacks.
Figure 17: Experiment 2 (Using SNORT as IDS/IPS)
9.1 Experiment Objectives
• Gain experience in deploying IPtables
• Use the hping3 attack tool to test the predefined IPtables rules
• Gain experience in deploying and configuring Snort
• Use Low Orbit Ion Cannon (LOIC) to test the Snort rules.
9.2 Experiment 1: SYN Flood Attack with Hping Command
The attacker machine runs the following Hping command to flood the victim
machine with TCP SYN packets.
Figure 18: SYN Flood with Hping Command
Using this command (# hping3 --flood -S -p 80 192.168.204.132), we can
establish the following sequence.
hping3 --flood -S -p 80 192.168.204.132
Option            Description
hping3            Hping packet generator DoS tool
--flood           Send the packets as fast as possible
-S                Sets the SYN flag in TCP mode
-p 80             Sends the packets to port 80 on the target machine
192.168.204.132   IP address of the victim machine
Table 4: SYN with Hping command description
Figure 19: Wireshark Output for SYN Flood
As you can see in Figure 1 above, Wireshark has captured the SYN packets sent
by the attacker machine (192.168.204.134); a huge number of these connections
will exhaust the victim machine. The victim machine with IP address
192.168.204.132 is responding to every single TCP packet coming from the
attacker machine.
9.2.1 Writing IPtables script to defend against SYN Flood Attack
IPtables commands
Command                                                                   Description
#!/bin/bash
IPTABLES=/sbin/iptables
sudo iptables --flush                                                     Start by flushing the existing rules
sudo iptables -N syn-flood                                                Create a new chain called syn-flood
sudo iptables -A syn-flood -m limit --limit 1/s --limit-burst 3 -j RETURN Let 1 packet per second through (burst of 3) and return
sudo iptables -A syn-flood -j DROP                                        Drop SYN flood packets that exceed the limit
sudo iptables -L -v                                                       List the rules
Table 5: SYN-Flood Protection with IPtable
Figure 20: Wireshark Output after IPtable Protection against SYN Flood
9.3 UDP Flood Attack with Hping Command
The attacker machine runs the LOIC DDoS tool to flood the victim machine with
UDP packets.
Figure 21: UDP Flood using LOIC DDoS Tool
Figure 22: Wireshark Output After LOIC UDP Attack
As can be seen in Figure 6 above, the victim machine is responding with ICMP
Destination Unreachable (Port Unreachable) messages. In this case all the resources
of the victim machine are consumed by the attacker system, and legitimate requests
will not be served because the victim is busy serving the attacker, as shown in
figure 7 below.
Figure 23: Windows XP unable to ping the Victim Machine (Ubuntu)
9.4 Writing IPtables script to defend against LOIC UDP Flood Attack
IPtables commands against LOIC UDP Flood
Command                                      Description
#!/bin/bash
IPTABLES=/sbin/iptables
sudo iptables --flush                        Start by flushing the existing rules
sudo iptables -N udp-flood                   Create a new chain called udp-flood
sudo iptables -A INPUT -p udp -j udp-flood   Jump to the chain when a UDP packet arrives on INPUT
sudo iptables -A udp-flood -j DROP           Drop the UDP packets sent to the chain (as written, with no
                                             limit rule before it, this drops all inbound UDP)
sudo iptables -L -v                          List the rules
Table 6: IPtable Protection against LOIC UDP Flood
9.5 ICMP Flood Attack with Hping Command
The attacker machine runs the following Hping command to flood the victim
machine with ICMP packets.
Figure 24: ICMP Flood with Hping Command
# hping3 -p 80 --flood --icmp 192.168.204.132
Option                                        Description
hping3 -p 80 --flood --icmp 192.168.204.132   Hping command for the ICMP flood attack
hping3                                        Hping packet generator DoS tool
-p 80                                         Sends the packets to port 80 on the target machine (192.168.204.132)
--flood                                       Send the packets as fast as possible
--icmp                                        Selects ICMP mode (hping3 sends ICMP echo requests by default)
192.168.204.132                               IP address of the victim machine (Ubuntu)
Table 7: Description of ICMP with Hping Command
Figure 25: Wireshark Output for ICMP Flood
As you can see in Figure 1 above, Wireshark has captured the ICMP echo requests
sent by the attacker machine (192.168.204.134), and the victim machine with IP
address 192.168.204.132 is replying to every single one of them; a huge number
of these packets will exhaust the victim machine.
Figure 26: Windows XP unable to ping the Victim Machine
The figure above shows that Windows XP was able to ping the victim machine, but
not after the victim machine came under the heavy load of replying to each
ICMP echo request received from the attacker machine.
9.5.1 Writing IPtable script to defend against ICMP Flood Attack
The following table shows the IPtables rules that protect against ICMP attacks
from the attacker machine.
IPtables commands
Command                                                                    Description
#!/bin/bash
IPTABLES=/sbin/iptables
sudo iptables --flush                                                      Start by flushing the existing rules
sudo iptables -N icmp-flood                                                Create a chain dedicated to the ICMP flood
sudo iptables -A INPUT -p icmp -j icmp-flood                               Jump to the chain when an ICMP packet arrives on INPUT
sudo iptables -A icmp-flood -m limit --limit 1/s --limit-burst 3 -j RETURN Let 1 packet per second through with a burst of 3 and return
sudo iptables -A icmp-flood -j DROP                                        Drop ICMP flood packets that exceed the limit
sudo iptables -L -v                                                        List the rules
Table 8: ICMP-Flood Protection with IPtable
Figure 27: IPtables rules to stop ICMP Flood Attacks
Figure 28: Wireshark Output after IPtable Protection against ICMP Flood
As seen in the figure above, the attacker is sending ICMP Echo Request packets but
the victim machine is not replying to the attacker, because the IPtables rules
defined in the previous table are dropping the ICMP requests.
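Tables 5, 6 and 8 above all follow one pattern: a dedicated chain, a jump from INPUT, a limit/RETURN rule and a final DROP. The script below is an added example, not the thesis's own script, that builds all three chains in one run; it assumes the same 1/s rate and burst of 3 for each chain, adds the INPUT-to-syn-flood jump that Table 5 omits, gives udp-flood the same limit rule as the other chains (Table 6 as written drops every UDP packet), and has a DRY_RUN mode that prints the commands instead of executing them so the rule set can be reviewed without root.

```shell
#!/bin/bash
# Added example (not the thesis's own script): one script for the three
# rate-limiting chains of Tables 5, 6 and 8. Assumptions: the same 1/s rate
# and burst of 3 for every chain; the INPUT -> syn-flood jump missing from
# Table 5 is added; udp-flood gets a limit/RETURN rule like the other chains
# instead of dropping all UDP. DRY_RUN=1 prints the commands instead of
# running them.

IPTABLES=${IPTABLES:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-0}
RATE=${RATE:-1/s}      # average packet rate allowed through each chain
BURST=${BURST:-3}      # packets allowed before the rate limit kicks in

# ipt ARGS...: run one iptables command, or print it in dry-run mode.
ipt() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s %s\n' "$IPTABLES" "$*"
  else
    "$IPTABLES" "$@"
  fi
}

# flood_chain NAME PROTO [MATCH...]: create chain NAME, send matching INPUT
# packets to it, let RATE/BURST through with RETURN and drop the rest.
# The chain is flushed and deleted first so the script can be re-run.
flood_chain() {
  name=$1; proto=$2; shift 2
  ipt -F "$name" 2>/dev/null || true
  ipt -X "$name" 2>/dev/null || true
  ipt -N "$name"
  ipt -A INPUT -p "$proto" "$@" -j "$name"
  ipt -A "$name" -m limit --limit "$RATE" --limit-burst "$BURST" -j RETURN
  ipt -A "$name" -j DROP
}

# build_rules: flush the built-in chains, then build the three flood chains
# used in Experiment 1 and list the result.
build_rules() {
  ipt --flush
  flood_chain syn-flood  tcp  --syn
  flood_chain udp-flood  udp
  flood_chain icmp-flood icmp --icmp-type echo-request
  ipt -L -v
}

# count_drop_rules: number of DROP rules the script installs (3), taken from
# the dry-run output; a cheap self-check before applying the rules for real.
count_drop_rules() {
  DRY_RUN=1 build_rules | grep -c -- '-j DROP'
}

# "show" prints the rule set; "apply" installs it (needs root).
case "${1:-}" in
  show)  DRY_RUN=1 build_rules ;;
  apply) DRY_RUN=0 build_rules ;;
esac
```

Run it as `bash script.sh show` to review the generated rules, then `sudo bash script.sh apply` on the victim machine.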
9.6 Experiment 2: DDoS Defense using SNORT IDS
Snort was installed on the victim machine, in this case Windows XP, to detect and
prevent DDoS attacks. After analysis of the attack packets in Wireshark, Snort
rules were pre-defined. Snort is one of the most used intrusion detection systems
to defend against the above-mentioned attacks and is reasonably easy to install and
set up. In this section, I focused on evaluating the Snort rules that were triggered. As
already explained in Chapter 5, Snort can run in three different modes: sniffer
mode, packet logger mode and NIDS mode.
For the installation of Snort and LOIC refer to Appendix A and
Appendix B. To evaluate the effectiveness of the Snort rules, DDoS attacks were simulated
against the target machine (Windows XP) that has SNORT installed. The Low Orbit Ion
Cannon (LOIC) DDoS tool was used to simulate the attack. This tool has three
flooding methods (UDP, TCP and HTTP); the target IP address and port number are
illustrated in figure 6.
In the LOIC tool, enter the address to attack and set the packet size. Wireshark
is used to detect the packet types that the attacker sends to establish a connection.
9.6.1 UDP Flood Attack with Low Orbit Ion Cannon (LOIC)
The LOIC tool was installed on the second attacker machine (Windows 7). The
figure below shows the target IP specified as 192.168.204.128 with UDP
flooding to port 21; Snort is then run, the flooding attack is detected, and
Snort writes alerts into the log file (Snort\etc\logs).
Figure 29: UDP Flood Attack Using LOIC Tool
Figure 30: UDP Alerts and Logs
Figure 31: CPU Usage after the Attack
9.6.2 SNORT detection against LOIC attacks
The Hping command is used to flood the victim machine with ICMP packets. The figure
below shows the command flooding the victim IP address (192.168.204.128), in this
case Windows XP, with ICMP. Snort is then run, the flooding attack is detected, and
Snort writes alerts into the log file (Snort\etc\logs).
Figure 32: ICMP Flood with Hping Command
Figure 33: ICMP Alerts and Logs
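The alerts Snort writes for the ICMP and UDP flood rules (sids 1000001 and 1000002) can be summarised from the log instead of read entry by entry. The script below is an added example, not part of the thesis, that aggregates Snort's one-line (console/fast) alerts per rule sid and source address and flags sources above a threshold; the sample alert lines are constructed to match the thesis's rules and lab addresses, and their layout is an assumption about Snort's fast alert format.

```shell
#!/bin/bash
# Added example (not from the thesis): summarise Snort "fast"/console alert
# lines per rule sid and source address, and list sources whose alert count
# for one sid reaches a threshold. The line layout below is assumed to be the
# one-line format Snort writes with -A console / -A fast.

# Constructed sample alerts (not taken from the thesis's figures): three ICMP
# flood alerts from one source, two UDP flood alerts from a second source and
# one UDP flood alert from a third.
SAMPLE_ALERTS='05/10-14:23:01.100000  [**] [1:1000001:0] DoS/DDoS attack ICMP Flooding [**] [Priority: 0] {ICMP} 192.168.204.134 -> 192.168.204.128
05/10-14:23:01.100400  [**] [1:1000001:0] DoS/DDoS attack ICMP Flooding [**] [Priority: 0] {ICMP} 192.168.204.134 -> 192.168.204.128
05/10-14:23:01.100800  [**] [1:1000001:0] DoS/DDoS attack ICMP Flooding [**] [Priority: 0] {ICMP} 192.168.204.134 -> 192.168.204.128
05/10-14:23:02.250000  [**] [1:1000002:0] DoS/DDoS attack UDP Flooding [**] [Priority: 0] {UDP} 192.168.204.131:49152 -> 192.168.204.128:21
05/10-14:23:02.250300  [**] [1:1000002:0] DoS/DDoS attack UDP Flooding [**] [Priority: 0] {UDP} 192.168.204.131:49153 -> 192.168.204.128:21
05/10-14:23:05.000000  [**] [1:1000002:0] DoS/DDoS attack UDP Flooding [**] [Priority: 0] {UDP} 192.168.204.140:40000 -> 192.168.204.128:21'

# alert_summary: reads alert lines on stdin and prints "count sid source" for
# every (sid, source) pair, most frequent first. The sid is the middle number
# of the "[gid:sid:rev]" token; the source is the token before "->", with any
# ":port" suffix removed.
alert_summary() {
  awk '
    {
      sid = ""; src = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^\[[0-9]+:[0-9]+:[0-9]+\]$/) { split($i, p, ":"); sid = p[2] }
        if ($i == "->") { src = $(i - 1); sub(/:[0-9]+$/, "", src) }
      }
      if (sid != "" && src != "") count[sid " " src]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -k1,1nr -k2,2 -k3,3
}

# flood_sources THRESHOLD: reads alert lines on stdin and prints
# "sid source count" for each source with at least THRESHOLD alerts on a sid.
flood_sources() {
  alert_summary | awk -v t="$1" '$1 >= t { print $2, $3, $1 }'
}

# Usage on a real log: flood_sources 100 < "C:\Snort\log\alert.ids" (path is
# an assumption; use the alert file your snort -l directory contains).
# On the constructed sample:
printf '%s\n' "$SAMPLE_ALERTS" | flood_sources 2
```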
9.6.3 Snort Prevent against LOIC/Hping Attacks
The attack scenarios from the Windows 7 machine (using the LOIC tool) and the Kali
Linux machine are performed against the Windows XP machine. The Windows XP
machine has been pre-configured with some rules that will prevent these
attacks.
The example below shows the rules that were configured on the Snort machine
(Windows XP) in the Snort configuration file (snort.conf):
drop icmp 192.168.204.134 any -> $HOME_NET 21 (msg:"DoS/DDoS attack ICMP Flooding"; sid:1000001;)
drop udp 192.168.204.131 any -> $HOME_NET 21 (msg:"DoS/DDoS attack UDP Flooding"; sid:1000002;)
After performing the attacks on the victim machine, figure 34 below
shows lower CPU usage and no logs captured by Snort, because the
above rules are saved in the local.rules file and deny these attacks from
overwhelming the victim machine (Windows XP).
Figure 34: Lower CPU and No logs captured
Chapter 10: Conclusion and Further Work
Conclusion
As seen, DoS/DDoS attacks are a genuine threat that causes serious damage to
many organizations and internet users. Until a reasonable defence against DDoS
attacks is found, the number of systems that can be attacked and compromised
will continue to increase.
In this work, the study of defence mechanisms against DDoS attacks explores
the capability of the firewall. A firewall relies on a set of rules to determine whether
the network traffic is legitimate or not; these rules tell the firewall
whether to consider the traffic legitimate and what to do with network
traffic coming from unauthorized sources.
The major concentration of the thesis has been on capturing and detecting live
traffic using the network protocol analyser Wireshark and the intrusion detection
system known as Snort, together with a basic IPtables script to allow or deny network
traffic depending on the set of rules predefined in the IPtables script.
Future Scope
IPtables is ideal for a Linux network administrator who wants to
configure the firewall according to their needs against unwanted traffic such as
DoS/DDoS attacks.
The given work can be extended further using advanced features of IPtables such
as NAT and packet redirection.
Another area to focus on could be developing policy scripts using Bro IDS and
Security Onion to detect DoS/DDoS attacks, and developing efficient anti-DoS/DDoS
rules for Snort IDS.
Appendix A: Installation of Snort for Windows
Snort Installation
Step                                 Action
Download Snort                       Visit the Snort.org website (http://www.snort.org)
Download Rules                       You must register to get the rules
Installing Snort                     Double-click on the .exe to install Snort
Extracting the Rules Files           You will need WinRAR for the .gz file; paste the
                                     extracted rules into C:\Snort\rules
Modify your snort.conf               C:\Snort\etc\snort.conf (for the IP address to protect)
Open Command Line and navigate to    C:\Snort\bin
Check the interfaces Snort detects   C:\Snort\bin>snort -W
To start Snort in IDS mode           snort -c c:\snort\etc\snort.conf -l c:\snort\log -i 1
To generate Log Files                snort -A console -i 1 -c c:\Snort\etc\snort.conf -l c:\Snort\log -K ascii
Table 9: SNORT Installation
Appendix B: Installation of Low Orbit Ion cannon
Installation of LOIC Tool in windows
Step 1: Go to "sourceforge.net/projects/loic/"
Step 2: Click Download for the LOIC tool
Step 3: You will see the LOIC-DDoS.exe file
Step 4: Click save and run the tool
Step 5: Copy the URL of the site or IP you want to DDoS
Table 10: Installation of LOIC DDoS Tool
Appendix C: References
Project Research Resources
[1] Author(s): Gary C. Kessler (2000)
Page Title: A taxonomy of DDoS attacks and DDoS defence mechanisms
Available at: http://www.garykessler.net/library/ddos.html/
Last accessed: 10/02/2015
[2] Author(s): Phillip Boyle
Page Title: Distributed Denial of Service Attack Tools
Available at: www.sans.org/security-resources/idfaq/trinoo.php
Last accessed: 15/02/2015
[3] Author(s): D. Dittrich
Page Title: The Tribe Flood Network Distributed Denial of Service attack tool
Available at: https://staff.washington.edu/dittrich/misc/tfn.analysis
Last accessed: 15/01/2015
[4] Author(s): J. Barlow, W. Thrower
Page Title: TFN2k - An Analysis
Available at: https://staff.washington.edu/dittrich/misc/tfn.analysis
Last accessed: 15/01/2015
[5] Author(s): D. Dittrich
Page Title: "The Stacheldraht Distributed Denial of Service attack tool",
University of Washington, December 1999
Available at: https://staff.washington.edu/dittrich/misc/stacheldraht.analysis
Last accessed: 15/01/2015
[6] Author(s): S. Dietrich, N. Long, D. Dittrich
Page Title: "Analyzing Distributed Denial of Service Tools: The Shaft
Case", pp. 329-339 of the Proceedings
Available at: https://www.usenix.org/legacy/publications/library/proceedings/lisa2000/full_papers/dietrich/dietrich_html/index.html
Last accessed: 16/01/2015
[7]
Author(s) Rik Busschers (Jun 21, 2010)
Paper Title:” Effectiveness of Defense Methods against DDoS Attacks by
Anonymous”
Available at:
http://referaat.cs.utwente.nl/conference/16/paper/7312/effectiveness-of-
defense-methods-against-ddos-attacks-by-anonymous.pdf
Last accessed: 23/01/2015
Sharmarke Xasan Sharif Page 71 of 72
[8] Author(s) Last name, Initials. (Year): Misha Singhal June 2011
Page Title: Design and Development of Anti-Dos/DdoS Attacks Framework
Using IPtables
Available at:
http://dspace.thapar.edu:8080/dspace/bitstream/10266/1383/1/Misha%2
0Singhal%28800932013%29.pdf
Last accessed: 15/02/2015
[9] Author(s) Last name, Initials. (Year): R. VIJAYASARATHY (2012)
Page Title: A System Approch to Network Modelling for DdoS Attack Detection
using Naive Nayes Classifier
Available at:
http://www.cse.iitm.ac.in/~ravi/papers/Vijayasarathy_thesis.pdf
Last accessed: 16/02/2015
[10] Author(s) Last name, Initials. (Year): Bahaa qasim M. Al-Musawi
Page Title: Mitigating DoS/DdoS Attacks Using IPTABLES
Available at: http://www.ijens.org/vol_12_i_03/1210803-7474-ijet-ijens.pdf
Last accessed: 18/02/2015
[11] Author(s): Peng, T. (2004)
Title: Defending against Distributed Denial of Service Attacks
Available at: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.125.788&rep=rep1&type=pdf
Last accessed: 21/02/2015
[12] Author(s): Seo, S. (2009)
Title: Detection and Protection of DoS/DDoS attacks in WiBro System
Available at: http://library.kaist.ac.kr/thesis02/2009/2009M020064566_S1VerICC.pdf
Last accessed: 23/02/2015
[13] Author(s): Chatterjee, K. (2013)
Title: "Design and Development of a Framework to Mitigate DoS/DDoS Attacks Using IPtables Firewall", International Journal of Computer Science and Telecommunications, Volume 4, Issue 3, March 2013
Available at: http://www.ijcst.org/Volume4/Issue3/p11_4_3.pdf
Last accessed: 13/04/2015
[14] Author(s): Bait Baraka, H.; Tianfield, H. (9-11 September 2014)
Title: "Intrusion Detection System for Cloud Environment"
Edition: 7th International Conference on Security of Information and Networks (SIN '14)
Available at: http://voterlab.org.uk/publication/2014sin14_ids.pdf
Last accessed: 13/04/2015
[15] Author(s): Saboor, A.; Akhlaq, M.; Aslam, B. (2013)
Title: "Experimental evaluation of Snort against DDoS attacks under different hardware configurations"
Edition: 2nd National Conference on Information Assurance (NCIA 2013), 11-12 December 2013
Available at: http://ieeexplore.ieee.org/xpl/articleDetails.jsp?reload=true&arnumber=6725321
Last accessed: 14/04/2015
[16] Author(s): Le, D.-N. (2014)
Title: "DDoS Attack Defense in IP Multimedia Subsystem of NGNs using Rules in Snort"
Edition: Global Journal of Computer Science and Information Technology, Vol. 1(1), 2014, pp. 88-99
Available at: http://www.researchgate.net/profile/Dac_Nhuong_Le_le_Dac_Nhuong/publication/269412085_DDOS_ATTACK_DEFENSE_IN_IP_MULTIMEDIA_SUBSYSTEM_OF_NGNS_USING_RULERS_IN_SNORT/links/548bddbf0cf225bf669f8c08.pdf
Last accessed: 27/04/2015
[17] Author(s): Lau, F.; Rubin, S. H.; Smith, M. H.; Trajkovic, Lj. (2000), Simon Fraser University
Title: Distributed Denial of Service Attacks
Edition: Proc. 2000 IEEE Int. Conf. on Systems, Man, and Cybernetics, Nashville, TN, Oct. 2000, pp. 2275-2280
Webpage: http://www2.ensc.sfu.ca/~ljilja/index.html
Available at: http://www2.ensc.sfu.ca/~ljilja/cnl/publications_by_cnl_alumuni.html
Last accessed: 10/02/2015