A Review of Open Source Tools to Detect and Prevent DoS

ISSN: 2393-994X
Karpagam Journal of Engineering Research (KJER)
Vol: 5, 1, Special Issue on 2016 International Conference on Innovations in Information, Embedded and Communication Systems (ICIIECS)
A Review of Open Source Tools to Detect and Prevent DoS Attack
Jyoti Kamat (1), R.H. Goudar (2)
1 Dept of CNE, Visvesvaraya Technological University, Belagavi-590018, India, jdk611990@gmail.com
2 Dept of CNE, Visvesvaraya Technological University, Belagavi-590018, India, rhgoudar@gmail.com
Abstract
The main goal of this survey is to give an overview of how the different types of DoS attack work. Broadly there are two types: application layer DoS attacks and network layer DoS attacks. In this paper we also describe other DoS attacks such as Smurf, Snork, LAND, SYN flooding, Teardrop and Ping of Death. These attacks can be detected and prevented by using an IDS (Intrusion Detection System) and an IPS (Intrusion Prevention System). We then survey the open source tools that are available to detect and prevent DoS attacks.
Keywords: DoS, IDS, IPS
1. Introduction
Any organization connected to the internet can be affected by a DoS attack. A DoS attack cannot be prevented outright; handling one takes considerable time and is very costly, and it takes further time to understand how the attack occurred and how to deal with the situation. There are several motives behind DoS attacks.
Using the threat of a DoS attack, an attacker can disrupt the victim's activity and demand money in return for calling the attack off. Various groups use DoS as a weapon against each other, for example to obtain legitimate files. For competitive reasons, cyber criminals also offer DoS attacks that take down a competitor's website and disrupt its services.
Some signs that a DoS attack is in progress: the user cannot reach a particular website and receives a large amount of spam in their account, and the network slows down when opening files and websites.
Steps to take when a user experiences a DoS attack: the user should contact technical professionals if they find that they cannot access their own files or reach a particular website, and should contact their internet service provider (ISP) if they have a similar experience on their home computer. The following precautions can be taken to avoid DoS attacks:
By installing security patches, users can defend against SYN flooding attacks and reduce the chance of such attacks occurring. An Intrusion Detection System (IDS) can be used to detect and stop illegal activity in the network. With a firewall, users can stop a DoS attack by identifying the attacker's internet protocol (IP) address and blocking all of its traffic. By configuring routers, the network can be monitored, access to the network limited and all illegal packets dropped.
2. Different Types of DoS Attacks and Tools of IDS and IPS
There are two main types of denial of service attack: 1. Application layer DoS attacks. 2. Network layer DoS attacks.
Denial of service attacks include the following types:
Fig 1: Types of DoS attack, Tools of IDS and IPS
2.1 Smurf: This attack slows down the user's network by sending ping messages to the user from a spoofed IP address. It makes use of the Internet Control Message Protocol (ICMP) and amplifies the ping message about 255 times. Because of this 255-fold amplification of the ping message, it causes buffer overflow and corrupts the files containing users' data.
2.2 Snork: This is a DoS attack against the Windows NT RPC service. It drives CPU consumption to 100% for an indefinite period of time.
2.3 SYN Flooding: This DoS attack consumes all of the server's resources and makes the system unresponsive to legitimate traffic (packets). In a SYN flooding attack the attacker sends many SYN packets but never sends the acknowledgement back to the server. The connections are therefore never fully established; they remain half-open and so consume more and more server resources.
2.4 LAND: This is the local area network denial of service attack; it is caused by sending spoofed packets to a system. The attack is similar to SYN flooding. It is also known as "M3LT". It sends duplicate TCP SYN packets carrying the host's own IP address.
2.5 Teardrop: This type of denial of service attack crashes the operating system and exhausts its resources because of flaws in its TCP/IP fragmentation reassembly code [2] [6]. In a teardrop attack, IP is made to carry very large packets which are hard to handle and which routers must split into fragments [7]. The attacker places a confusing offset value in the second fragment or in a very large fragment, and because of this the system crashes.
2.6 Ping of Death: When this attack occurs, the system may crash and a buffer overflow may occur. The maximum packet size a user can send is 65,535 bytes. If a user sends packets larger than this size, the destination system immediately exhausts the connection, crashes, and a buffer overflow occurs [5]. The attack sends many unwanted ping messages to the computer. The solution to this attack is to verify every incoming IP segment to decide whether the packet is valid or not [1].
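As an added example that is not part of the paper, the following Python detector applies the signatures described in Sections 2.1 to 2.6 to constructed packet records: a LAND packet whose source equals its destination, a Smurf echo request aimed at a broadcast address, Teardrop overlaps and Ping of Death oversize among the fragments of one datagram, and a half-open SYN count per server for SYN flooding. The packet dictionaries, their field names, the ".255" broadcast shortcut and the half-open threshold are assumptions made for this demonstration.

```python
from collections import defaultdict

MAX_IP_LEN = 65535    # largest legal IP datagram; Ping of Death reassembles past this
HALF_OPEN_LIMIT = 3   # half-open SYNs per server before alerting (assumed; tiny for the demo)

def check_land(p):
    # LAND: TCP SYN whose spoofed source equals the destination address and port
    return p["proto"] == "tcp" and "S" in p.get("flags", "") and p["src"] == p["dst"] and p.get("sport") == p.get("dport")

def check_smurf(p):
    # Smurf: ICMP echo request (type 8) sent to a broadcast address so every host replies (simplified: broadcast taken as .255)
    return p["proto"] == "icmp" and p.get("icmp_type") == 8 and p["dst"].endswith(".255")

def check_fragments(frags):
    # Teardrop: a fragment offset that falls inside data already reassembled; Ping of Death: reassembled size over MAX_IP_LEN
    found, end = set(), 0
    for f in sorted(frags, key=lambda f: f["frag_off"]):
        if f["frag_off"] < end:
            found.add("teardrop")
        end = max(end, f["frag_off"] + f["len"])
    if end > MAX_IP_LEN:
        found.add("ping_of_death")
    return found

def check_syn_flood(pkts, limit=HALF_OPEN_LIMIT):
    # SYN flood: SYNs the client never completes with an ACK stay half-open on the server
    half_open = defaultdict(set)
    for p in pkts:
        client = (p["src"], p.get("sport"))
        if p["proto"] == "tcp" and p.get("flags") == "S":
            half_open[p["dst"]].add(client)
        elif p["proto"] == "tcp" and p.get("flags") == "A":
            half_open[p["dst"]].discard(client)
    return {srv for srv, clients in half_open.items() if len(clients) >= limit}

def detect(pkts):
    # Run every check over one capture and return the set of attack names observed
    alerts, frag_groups = set(), defaultdict(list)
    for p in pkts:
        if check_land(p): alerts.add("land")
        if check_smurf(p): alerts.add("smurf")
        if "frag_off" in p: frag_groups[(p["src"], p["dst"], p["ip_id"])].append(p)
    for frags in frag_groups.values():
        alerts |= check_fragments(frags)
    if check_syn_flood(pkts): alerts.add("syn_flood")
    return alerts

# Constructed sample: one LAND SYN plus three SYNs from 10.0.1.x against 10.0.0.5 that are never ACKed
SAMPLE = [{"proto": "tcp", "src": s, "dst": "10.0.0.5", "sport": sp, "dport": 80, "flags": "S"}
          for s, sp in [("10.0.0.5", 80), ("10.0.1.1", 40001), ("10.0.1.2", 40002), ("10.0.1.3", 40003)]]
```

Calling detect(SAMPLE) reports both the LAND packet and the SYN flood; a SYN followed by the same client's ACK is removed from the half-open set and raises nothing.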
Intrusion Detection System (IDS): These denial of service attacks can be detected by using an intrusion detection system (IDS). We can counter them by configuring the firewall and routers, blocking malformed traffic, minimizing packets arriving from duplicate IPs and blocking ICMP traffic.
Intrusion Prevention System (IPS): Denial of service attacks can be prevented by using an IPS. It detects and prevents known and unknown attacks and stops them in hardware and software. An IPS uses many algorithms which operate at the application layer. There are 2 types of IPS: 1. Host based IPS. 2. Network based IPS.
3. IDS and IPS Tools
3.1 Snort: Snort is used to detect intrusions in the network. Snort is an open source tool to which the user can add their own rules. It runs on Windows, Mac OS and Linux. Its performance does not scale on multi-core systems because it does not support multithreading [9]. Since Snort is open source, the user can download the source and run it on Windows or Linux. The software is written in C; the user can also download and run its rule files, which describe the IDS features.
libpcap/WinPcap: The network-based IDS captures and analyzes every packet arriving at the network card. Through its packet capture technology, libpcap/WinPcap supports operating systems such as Linux and Unix.
Decoder: The packet data decoder analyzes and processes packets. It operates on the various layers of the IDPS (intrusion detection protocol stack): data link, transport and application.
Fig.4: Snort flow diagram
Pre-processors: This module in Snort pre-processes data packets for the NS-IDS.
Pre-processors have four features:
1. Analog of TCP/IP stack features.
2. Decoding of plugin data.
3. Attack detection.
4. Detection engine.
Output plugin: It provides three log formats and six forms of alert data. Snort collects data in binary format, analyzes the decoded data and records the entire data log in the database. There are rules in which each rule has its own unique attack identity [10].
3.2 ArcSight SIEM: This IDS tool is called ArcSight Security Information and Event Management. SIEM is a tool that provides security for complex distributed systems. SIEM combines SIM (security information management) and SEM (security event management). One of the most important advantages of this tool is that it handles the large volume of log messages generated by computers.
3.3 Suricata: This IDS tool is very similar to Snort and can be used as an IDS as well as an IPS. Its architecture resembles that of Snort. The tool is signature-based; it uses the Emerging Threats rule set only when Snort is not available.
3.4 Honeyd: This tool is used to create virtual hosts on the network for behavioral analysis. Its main aim is to present and compare the behavior of malware samples. It tracks malware in a spiral format, which helps to classify malware belonging to the same family. It also allows forensic recovery, investigation and research on intruders.
3.5 OpenWIPS-NG: This intrusion detection and prevention tool consists of a server, sensors and interfaces.
3.6 OSSEC: This open source tool is used to detect intrusions. It provides clients with facilities such as file integrity monitoring and rootkit detection. It runs on Windows, Linux and Mac OS. Commercial support is available, and it has a strong log analysis engine.
3.7 OSSIM-HIDS: This is an open source security information management tool. It integrates with other tools such as NAGIOS and OSSEC-HIDS and is used to bring those tools together.
3.8 Sguil: This tool was developed by a network security analyst. Its main component is a GUI which presents Snort events in real time, together with components that monitor network security and IDS alerts. It provides event-driven analysis.
3.9 OpenDLP: This open data leakage prevention tool helps to prevent intrusions and is also regarded as an IDS. It first identifies the sensitive data.
3.10 WIPS: This is an IPS tool, i.e. an intrusion prevention system, used to strengthen network security. WIPS prevents unauthorized access to the internal information network. It comprises a server, a console, a database and sensors. The database stores the information. The server collects the raw data and analyzes it. The sensors monitor and keep track of the data. The console provides the bridge between user and administrator for confidentiality, integrity and availability, which are the security needs that WIPS addresses.
4. Conclusion
Organizations that use the internet can protect themselves from denial of service attacks in many ways, such as using firewalls, installing security patches, configuring routers and dropping all illegal packets. These are the precautionary steps. Even when a DoS attack does happen, we can detect and prevent it by making use of an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS). Many open source tools are available to detect and prevent DoS attacks.
References
1. Journal Articles
[1] Upma Goyal, Gayatri Bhatti and Sandeep Mehmi, "A Dual Mechanism for defeating DDoS Attacks in Cloud Computing Model", International Journal of Application or Innovation in Engineering & Management (IJAIEM), Volume 2, Issue 3, pp. 34-39, March 2013.
[2] Siva, E.S. Phalguna Krishna, "Controlling various network based ADoS Attacks in cloud computing environment: By Using Port Hopping Technique", International Journal of Engineering Trends and Technology (IJETT), Volume 4, Issue 5, pp. 2099-2104, May 2013.
[3] Shweta Tripathi, Brij Gupta, Ammar Almomani, Anupama Mishra, Suresh Veluru, "Hadoop Based Defense Solution to Handle Distributed Denial of Service (DDoS) Attacks", Journal of Information Security, Volume 4, pp. 150-164, 2013.
[4] Shahram Jamali, Gholam Shaker, "PSO-SFDD: Defense against SYN flooding DoS attacks by employing PSO algorithm", Computers and Mathematics with Applications 63, pp. 214-221, 2012.
[5] Mehdi Ebady Manna and Angela Amphawan, "Review of SYN-flooding attack detection mechanism", International Journal of Distributed and Parallel Systems (IJDPS), Vol. 3, No. 1, pp. 99-117, January 2012.
[6] Farhad Soleimanian Gharehchopogh, Neda Jabbari, Zeinab Ghaffari Azar, "Evaluation of Fuzzy K-Means and K-Means Clustering Algorithms in Intrusion Detection Systems", International Journal of Scientific & Technology Research, Volume 1, Issue 11, pp. 66-72, December 2012.
[7] Bahaa Qasim M. AL-Musawi (College of Engineering, University of Kufa, An Najaf, Iraq), "Mitigating DoS/DDoS attacks using iptables", International Journal of Engineering & Technology IJET-IJENS, Vol. 12, No. 03, pp. 101-111, 2012.
[8] Zouheir Trabelsi and Walid Ibrahim, "A Hands-on Approach for Teaching Denial of Service Attacks: A Case Study", Journal of Information Technology Education: Innovations in Practice, Volume 12, pp. 300-318, 2013.
[9] JeongJin Cheon, Tae-Young Choe, "Distributed Processing of Snort Alert Log using Hadoop", International Journal of Engineering and Technology (IJET), Vol. 5, No. 3, pp. 2685-2690, Jun-Jul 2013.
[10] Li Yang, Daiyun Weng, "Snort-based Campus Network Security Intrusion Detection System", Springer-Verlag London Limited, pp. 201-208, 2012.