Snort- Presentation.pptx
1. Incident Handling - Tools research & Presentation
Report by - Sathish Kumar
DETECTING DOS/DDOS ATTACKS
2. Contents
What is DoS and DDoS attack?
Introduction to IDS & IPS
Introduction to SNORT
Incident Scenario
Scenario 1
Scenario 2
Solution
Reference
3. What is DoS and DDoS attack?
DoS - Denial of Service. Flooding a targeted server with TCP or UDP packets until its capacity is exhausted, so that
the server becomes unavailable to legitimate users, is called a DoS attack.
DDoS - Distributed Denial of Service. A DDoS is like a DoS attack, except that it is performed from many
systems at once (for example a botnet) against a single target.
Every DDoS is a DoS, but not every DoS is a DDoS.
In general, the attack can be executed at the Network layer (3), Transport layer (4), Presentation layer (6) or
Application layer (7) of the OSI model, and corresponding tools are available to mitigate it at each layer. In this report we
focus on the Network layer, where the predominant attacks take place.
Introduction to IDS & IPS:
An Intrusion Detection System (IDS) inspects traffic and alerts on unusual traffic and unauthorized access. An Intrusion
Prevention System (IPS) sits inline in the traffic path and can additionally enforce rules that block that traffic and access.
Several IDS and IPS tools are available, for instance Cisco NGIPS, Vectra Cognito, Snort and a few more. Because it is open
source and easy to use, we are going to look at Snort. Note: a honeypot is different from an IDS; a honeypot deliberately
exposes open ports and services in order to attract attackers, whereas an IDS watches the real network.
4. Introduction to SNORT:
Snort is an open-source network intrusion detection and prevention system. It has three main operational modes: packet
sniffing, packet logging and network intrusion detection (when deployed inline it can also act as an IPS). For any IDS the
rules decide what is detected or prevented. Snort rules are easy to create and use, and thousands of predefined rules are
available that cover most common scenarios; we can also write our own rules for our specific needs. The action at the start
of a rule can be alert, log, pass, drop, reject or sdrop (drop, reject and sdrop only take effect in inline mode).
As mentioned, Snort rules are straightforward to create; if you still need assistance with a complex scenario, there is a
web-based rule generator called "Snorpy" where you enter your conditions and it generates the rule for you.
5. Installing and Configuring Snort:
Download the required package from https://www.snort.org/ (or install your distribution's Snort package), then follow the
installation steps. Once Snort has been installed, check that it runs and print its version with: snort -V
The snort.conf file is the main configuration file. It defines network variables such as HOME_NET and EXTERNAL_NET, the
preprocessors, the output plugins and which rule files are loaded.
Rules: rules are the heart of Snort and come in two categories: local rules (your own, usually kept in local.rules) and the
predefined community or registered rule sets downloaded from snort.org.
6. Incident Scenario:
Assume we are seeing performance issues in our network and the NOC team suspects some unusual traffic. They ask the
SOC team to investigate further. To investigate, we deploy Snort in the network to detect the traffic. For demonstration
purposes we use three virtual servers.
a. Kali_Linux - 198.168.99.4 (Server A)
b. Ubuntu_Snort - 198.168.99.8 (Snort Server)
c. Ubuntu_lightweight - 198.168.99.7 (Server B)
Note that the Snort server only sees traffic that reaches its own interface. In a real network it must be placed on a
SPAN/mirror port or inline; in a virtual lab, putting all three machines on the same virtual switch and enabling
promiscuous mode on the Snort interface is enough.
Scenario 1:
Install Snort on one of the servers and enable it to detect traffic across the network. We installed Snort and created an ICMP
rule to capture any ICMP traffic in the network. For instance, if Server A pings Server B, the ping is automatically detected
and logged on the Snort server. To achieve this we added the following rule to local.rules:
alert icmp any any -> $HOME_NET any (msg:"ICMP Ping Detected"; sid:1000001; rev:1;)
Here we ask Snort to alert on any ICMP packet sent to our home network, which is held in the HOME_NET variable defined in
snort.conf. The rule action must be lowercase (alert), and local rule SIDs should be 1000000 or higher because lower values
are reserved for the official rule sets. As written, the rule matches every ICMP type; adding itype:8; would restrict it to echo
requests, i.e. actual pings. Run Snort in IDS mode, for example snort -A console -q -c /etc/snort/snort.conf -i eth0, and ping
Server B from Server A to see the alert.
7. The alert gives us a breakdown of the traffic (rule, protocol, source and destination). We can also log these alerts
to a file and forward them to tools such as Splunk for further analysis.
8. Next, a scenario to detect SSH connection attempts. The rule is as follows:
alert tcp any any -> $HOME_NET 22 (msg:"SSH Authentication Detected"; flags:S; sid:1000002; rev:1;)
Without flags:S; this rule would fire on every TCP packet sent to port 22, i.e. many times per SSH session; with it, Snort
alerts once per connection attempt (the initial SYN). Note that it detects a connection to the SSH port, not a successful or
failed authentication, which Snort cannot see inside the encrypted session.
9. Solution:
As illustrated above, we successfully detected ICMP traffic and SSH connection attempts. Similarly, we can extend our rules
from alert to log, drop or reject (the latter two when Snort runs inline as an IPS) to address a wide range of attacks, and the
predefined rule sets that ship with Snort are available as well. The rules above fire on each matching packet; to turn them
into a DoS/DDoS indicator, add a rate condition, for example detection_filter: track by_src, count 20, seconds 5; so that the
rule only fires once a single source has sent 20 matching packets within five seconds.
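As an added example (not part of the original presentation and not Snort's own code), the following Python script performs the "further treatment" mentioned on slide 7 on Snort's alert_fast output: it parses the alert lines, groups them by rule SID and source address, and flags a source that raised 20 alerts of one rule within 5 seconds, the same per-source rate test that Snort's detection_filter option applies inside the sensor. The alert lines, the thresholds and the SIDs (renumbered into the local range) are constructed for this example; only the host addresses come from the slides.

```python
"""Turn Snort alert_fast output into a DoS/DDoS indicator.

Added example, not part of the original presentation or of Snort itself.
It reads Snort 2 'alert_fast' lines, groups alerts by (sid, source IP) and
flags any source that raised `count` alerts within `seconds`, which is the
same per-source rate test Snort applies with
    detection_filter: track by_src, count N, seconds S;
The alert lines at the bottom are constructed for this example; the SIDs
and thresholds are assumptions, not values from the original slides.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# One Snort 2 alert_fast line looks like:
# 03/21-14:05:30.000000  [**] [1:1000001:1] ICMP Ping Detected [**] [Priority: 0] {ICMP} 198.168.99.4 -> 198.168.99.7
# The optional "[Classification: ...]" block is skipped; ports appear only for TCP/UDP.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:[^\]]*\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line):
    """Return a dict of the alert's fields, or None if the line is not an alert_fast record."""
    m = ALERT_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # alert_fast timestamps carry no year (unless Snort runs with -y); only differences matter here.
    rec["time"] = datetime.strptime(rec["ts"], "%m/%d-%H:%M:%S.%f")
    rec["sid"] = int(rec["sid"])
    return rec


def find_floods(lines, count, seconds):
    """Sliding-window rate check per (sid, source IP).

    Returns {(sid, src): time} giving, for each source that produced at least
    `count` alerts of one rule within any `seconds`-long window, the moment the
    threshold was first crossed. Lines that do not parse are ignored.
    """
    windows = defaultdict(deque)   # (sid, src) -> timestamps still inside the window
    floods = {}
    for line in lines:
        rec = parse_alert(line)
        if rec is None:
            continue
        key = (rec["sid"], rec["src"])
        window = windows[key]
        window.append(rec["time"])
        while (rec["time"] - window[0]).total_seconds() > seconds:
            window.popleft()       # drop alerts older than the window
        if len(window) >= count and key not in floods:
            floods[key] = rec["time"]
    return floods


def alert_line(ts, sid, msg, proto, src, dst):
    """Format one constructed alert_fast line (Snort 2 layout, no classification)."""
    return f"{ts}  [**] [1:{sid}:1] {msg} [**] [Priority: 0] {{{proto}}} {src} -> {dst}"


# Constructed sample log: the two rules from the slides, SIDs renumbered into the local range.
SAMPLE_ALERTS = (
    # 30 echo requests from Server A within two seconds: a flood for a 20-in-5s threshold
    [alert_line(f"03/21-14:05:{30 + i // 15:02d}.{(i % 15) * 60000:06d}", 1000001,
                "ICMP Ping Detected", "ICMP", "198.168.99.4", "198.168.99.7")
     for i in range(30)]
    # three SSH connection attempts ten seconds apart: noisy, but not a flood
    + [alert_line(f"03/21-14:06:{10 * k:02d}.000000", 1000002, "SSH Authentication Detected",
                  "TCP", f"198.168.99.4:{51230 + k}", "198.168.99.7:22")
       for k in range(3)]
    # a single ping from the Snort server itself
    + [alert_line("03/21-14:07:00.000000", 1000001, "ICMP Ping Detected", "ICMP",
                  "198.168.99.8", "198.168.99.7")]
    # a non-alert line, as found when Snort's console output is mixed into the log
    + ["Commencing packet processing (pid=4242)"]
)


if __name__ == "__main__":
    for (sid, src), when in find_floods(SAMPLE_ALERTS, count=20, seconds=5).items():
        print(f"sid {sid}: {src} crossed the threshold at {when.strftime('%H:%M:%S.%f')}")
```

Run against a real sensor by replacing SAMPLE_ALERTS with the lines of /var/log/snort/alert (the default alert_fast file), or by feeding the same lines from Splunk; the sliding window means a steady trickle of pings never triggers, while a burst from one source does, which is exactly the distinction a NOC performance complaint needs.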
Reference:
https://www.snort.org/
http://www.cyb3rs3c.net/