A Review of Open Source Tools to Detect and Prevent DoS Attack

Transcription

1 ISSN: X Karpagam Journal of Engineering Research (KJER) Vol: 5, 1, Special Issue on 2016 International Conference on Innovations in Information, Embedded and Communication Systems (ICIIECS) A Review of Open Source Tools to Detect and Prevent DoS Attack Jyoti Kamat 1, R.H.Goudar 2 1 Dept of CNE,,Visvesvaraya Technological University Belagavi , jdk611990@gmail.com, India 2 Dept of CNE,,Visvesvaraya Technological University Belagavi , rhgoudar@gmail.com, India Abstract The main goal of survey is to provide the overview of functionality of different types of DOS attacks. Mainly there are two types such as application layer DOS attack and network layer DOS attack. In this paper, we have highlighted other types of DOS attacks such as Smurf, Snork, Land, SYN flooding, TearDrop, Ping of Death. We can detect and prevent this attack by making use of IDS (Intrusion Detection System) and IPS (Intrusion Prevention System). In this paper, we have illustrated open source tools which are available to detect and prevent DOS attack. Keywords: DOS, IDS, IPS; 1. Introduction Organizations that are connected to the internet can be affected by DOS attack. DOS attack is not possible to prevent, it takes more time to handle and this process is very costly. It takes more time to understand how it occurs and how to handle this situation. There are some reasons which are responsible to appear in DOS attack. By using threats of DOS attack, attacker uses his ability to disrupt the victim activity and demands for money to prevent from DOS attack. Various groups are engaged in using DOS as weapon against each other for retrieving the legitimate files. For competition purpose cyber criminals offer DOS for obtaining the competitors website and disturb the services. In DOS attack, there are some following reasons by which we come to know that attack is happening: User unable to find particular websites and receives plenty of spam messages in their account. While opening files and websites network slows down. Steps to take forward when user experiences DOS attack: User should contact to the technical professionals if he found that he is unable to access his own files or he is unable to get for particular website. User should contact to the internet service provider (ISP) if he is suffering similar experience with his home computer. Following precautions can be taken to avoid DOS attack: By installing security patches user can fight against the SYN flooding attack and can reduce the chances of occurring such attacks. By using Intrusion Detection System i.e. IDS can be used to detect and stop illegal activities in the network. By using firewalls user can stop DOS attack by means of identifying the internet protocol of attacker and blocking all the traffic. By configuration of routers, the network can be monitored by limiting access to the network and dropping all illegal packets. 96

2 2. Different Types of DOS Attacks and Tools of IDS and IPS Mainly there are two types of denial of service attacks as follows: 1. Application layer DOS attack. 2. Network layer DOS attack. Denial of service attacks includes following types:- Fig 1: Types of DoS attack, Tools of IDS and IPS 2.1 Smurf: This attack slows down the network of user, and sends ping messages to the user from the spoofed IP address.it makes use of Internet Control Message Protocol i.e. (ICMP), and amplifies the ping message about 255 times. Because of amplification of the ping message 255 times it causes the buffer overflow and corrupts the data containing files of users. 2.2 Snork: This is DOS attack, which fight against Windows NT RPC service. This attack causes to consumption of CPU 100% for infinite period of time. 2.3 SYN Flooding: This DOS attack causes all the consumption of the server resources and makes the system unresponsiveness for legitimate traffic (packets). In SYN Flooding attack the attacker sends more packets but does not send the acknowledgement back to the server. Then still connections are not closed fully, connections are still half opened and hence it consumes more server resources. 2.4 LAND: This is nothing but local area network denial of service attack it causes by sending spoofed packets to system. This attack is as same as SYN Flooding attack. It is also known as M3LT. It sends the duplicate packets of TCP SYN with host IP. 97

3 2.5 Teardrop: This is type of denial of service attack, which causes to crash O.S. and also resources, because of viruses in their TCP/IP fragmentation reassembly code [2] [6]. In the teardrop attack IP uses very large packets which are very difficult to handle and divide in the fragments to the routers [7]. IP address of the attacker places the confusing offset value after second fragment or in the very large fragment because of this system crash occurs. 2.6 Ping of Death: When this attack happens that time there are chances of crash of the system as well as the buffer overflow. User can send maximum sizes of packets are 65, 535 bytes. Suppose one user sends the packets larger than the specified size then the destination system immediately exhaust the connection and it crashes and also overflow of buffer occurs [5]. This attack sends many unwanted ping messages to the computer. Solution on this attack is to verify that every coming IP segment which tells that packet is valid or not [1]. Intrusion Detection System (IDS): This denial of service attack can be detected by using intrusion detection system i.e. IDS. We can overcome this attack by configuring firewall, routers and by blocking malformed traffic also by minimizing packets coming from the duplicate IP, blocking the traffic of ICMP. Intrusion Prevention System (IPS): Denial of service attack can be prevented by using IPS. This detects and prevents any known and unknown attacks and stops the attack from hardware and software. IPS involved many algorithms which operate on application layer. There are 2 types of IPS. Such as follows: 1. Host based IPS. 2. Network based IPS. 3. IDS and IPS Tools: 3.1 Snort: For detection of the intrusion in the network, Snort is used. Snort is open source simulation tool. This tool is allowed to add the particular rules. This is compatible for Windows, Mac OS and also for Linux OS. Its result is not scalable for system which supports multi core, because it is not applicable for multithreading systems [9]. Since snort is open source so that user can download the source file and can run on the windows, Linux platform. This software is programmed in C Language user can also download and executes its rule files, which describes the IDS features. Lib/winpcap: Web based network security IDS captures and analyzes the entire network packet to examine network cord. By using packet capture technology lib/winpcap supports OS like Linux, Unix etc. Decoder: For analyzing and processing of packets, packet data decoder is used. Decoder runs on various IDPS (intrusion detection protocol stack) from the data link, transport and application layer.) Fig.4: Snort flow diagram 98

4 Pre-processors: This module in snort is pre-processes data packets for NS-IDS. Pre-processors consist of four features: 1. Analog of TCP/IP stack features. 2. Decoding of plugin data. 3. Attack detection. 4. Detection engine. Output plug: It consists of three format log and six forms of alert data. Snort collects data in the binary format, decoded data it analysis and it records the entire data log from the database. There are data rules in which each rule has its unique attack identity [10] Arc Sight SIEM: This tool is used for IDS called as Arc Sight Security Information and Event Management. AIEM is tool to provide security complex distributed system. SIEM is combination of SIM i.e. security information management and SEM i.e. Security event management. One of the most important advantage of this tool is it handles the large volume of log messages, generated by computer. 3.3 Suricata: This IDS tool is as similar as snort which can be used for IDS as well as IPS. Architecture of Suricata is as similar as snort. This tool is lies on the signature; it uses the emerging thread rule set only when snort is not available. 3.4 Honeyd: This tool is use to create the virtual host on the network, for behavioral analysis. Main aim of this tool is to present and compare malware sample behavior. This tool keeps track of malware in the spiral format, which helps to classify malwares, which belongs to same family. Also it allows us forensic recovery, investigation, research of intruder. 3.5 Open WIPS- NG: This tool is used for intrusion detection and prevention system, which depends on server, sensor, and interfaces. 3.6 OSSEC: This tool is open source which is used to detect intrusion. It provides facilities to client, such as file integrity, monitoring, root-kit detection. This tool can be run on OS like Windows, Linux and Mac OS. It provides commercial support, also it has strong log analysis engine to it. 3.7 OSSIM- HIDS: It is open source security information management. This tool is use to incorporate with other tools such as NAGIOS, OSSEC-HIDS and is used for compilation of tools. 3.8 Sguil: This tool is developed by network security analyst. The main component of this tool is GUI, which supply real time events of snort and consists of component which monitors the network security, IDS alerts. It provides facility of event driven analysis. 3.9 Open DLP: This is called as Open data leakage protection tool which helps to prevent the intrusion. It is also called as IDS. This tool first identifies the sensitive data WIPS: It is IPS tool called as intrusion prevention system. It is used to make strong security of network. WIPS is used to avoid unauthorized access of the internal information network. It includes server, console, database and sensors. Database is used to store the information. Collection of raw data and analyzing of that collected data done by the server. Sensors are used to monitor and keep track of the data. Console is used to establish the bridge between user and administrator for confidentiality, integrity and availability. These are the security needs of WIPS. 99

5 4. Conclusion Organizations that are using internet can be prevented from denial of service attack in many ways like making use of firewalls, by installing security patches, configuring routers, by dropping all illegal packets. These are the precautions steps. Even though DOS attack happens then we can detect and prevent this attack by making use of Intrusion Detection System (IDS) and Intrusion Prevention System (IPS). There are many open source tools are available to detect and prevent DOS attack. References 1. Journal Article [1] Upma Goyal1, Gayatri Bhatti2 and Sandeep Mehmi, A Dual Mechanism for defeating DDoS Attacks in Cloud Computing Model, International Journal of Application or Innovation in Engineering & Management (IJAIEM) Volume 2, Issue 3, March 2013 [2] Siva, E.S.Phalguna Krishna, Controlling various network based ADoS Attacks in cloud computing environment: By Using Port Hopping Technique, International Journal of Engineering Trends and Technology (IJETT) - Volume4 Issue May [3] Shweta Tripathi1, Brij Gupta1, Ammar Almomani2, Anupama Mishra1, Suresh Veluru, Hadoop Based Defense Solution to Handle Distributed Denial of Service (DDoS) Attacks, Journal of Information Security, volume 4, [4] Shahram Jamali, Gholam Shaker, PSO-SFDD: Defense against SYN flooding DoS attacks by employing PSO algorithm, Computers and Mathematics with Applications [5] Mehdi Ebady Manna and Angela Amphawan, review of synflooding attack detection mechanism, International Journal of Distributed and Parallel Systems (IJDPS) Vol.3, No.1, January [6] Farhad Soleimanian Gharehchopogh, Neda Jabbari, Zeinab Ghaffari Azar, Evaluation of Fuzzy K- Means And K-Means Clustering Algorithms In Intrusion Detection Systems, international journal of scientific & technology research volume 1, issue 11, december [7] Bahaa Qasim M. AL-Musawi College of Engineering University Of Kufa, An Najaf, Iraq, mitigating dos/ddos attacks using iptables, International Journal of Engineering & Technology IJETIJENS Vol: 12 No: [8] Zouheir Trabelsi and Walid Ibrahim, A Hands-on Approach for Teaching Denial of Service Attacks: A Case Study, Journal of Information Technology Education: Volume 12, Innovations in Practice. [9] JeongJin Cheon, Tae-Young Choe, Distributed Processing of Snort Alert Log using Hadoop, International Journal of Engineering and Technology (IJET) Vol 5 No Jun-Jul [10] Li Yang a, Daiyun Weng, Snort-based Campus Network Security Intrusion Detection System, _ Springer-Verlag London Limited