Detecting Ddos Attack Using Snort


See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/338660054

DETECTING DDoS ATTACK USING Snort

Technical Report · March 2018


2 authors, including: Sourav Mishra, Indian Institute of Information Technology Allahabad


All content following this page was uploaded by Sourav Mishra on 17 January 2020.



DETECTING DDoS ATTACK USING Snort

Manas Gogoi (PCL2017001)
Sourav Mishra (ICL2017005)

Abstract - A DDoS (distributed denial-of-service) attack is very common and easy to
execute and does not require any sophisticated tools. It can happen to anyone. In this
project we deploy Snort in our home network as a NIDS (Network Intrusion Detection
System) to detect a DDoS attack and prevent it.

I. INTRODUCTION

Snort is an open source network intrusion prevention system, capable of performing
real-time traffic analysis and packet logging on IP networks. It can perform protocol
analysis, content searching/matching, and can be used to detect a variety of attacks and
probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS
fingerprinting attempts, and much more.

Fig: Snort Architecture


A denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to
make a machine or network resource unavailable to its intended users by temporarily or
indefinitely disrupting services of a host connected to the internet. Denial of service is
typically accomplished by flooding the targeted machine or resource with superfluous
requests in an attempt to overload systems and prevent some or all legitimate requests from
being fulfilled.

Denial-of-service attacks are characterized by an explicit attempt by attackers to prevent
legitimate use of a service. There are two general forms of DoS attacks: those that crash
services and those that flood services. The most serious attacks are distributed.

A distributed denial-of-service (DDoS) is a DoS attack where the perpetrator uses more
than one unique IP address, often thousands of them. Since the incoming traffic flooding the
victim originates from many different sources, it is impossible to stop the attack simply by
using ingress filtering. It also makes it very difficult to distinguish legitimate user traffic from
attack traffic when spread across so many points of origin. As an alternative or augmentation
of a DDoS, attacks may involve forging of IP sender addresses (IP address spoofing) further
complicating identifying and defeating the attack. The scale of DDoS attacks has continued to
rise over recent years, by 2016 exceeding a terabit per second.

Fig: A DDoS attack

II. PROCEDURE

First we download Snort and install it. Then, to verify the Snort version, we open a terminal,
type snort -V and hit Enter. Next, we need to configure our HOME_NET value: the
network we will be protecting. We enter ifconfig in our terminal shell to see the network
configuration, and we note the IP address and the network interface name.
Next, we open the Snort configuration file in a text editor as root with the following command:
sudo nano /etc/snort/snort.conf. We enter the password when prompted. When the snort.conf file
opens we change the HOME_NET IP address to our actual class C subnet, "192.168.132.0/24".

At this point Snort is ready to run, except that it does not have any rules loaded yet. We now
write rules that will enable Snort to detect a DDoS attack. Open the local.rules file in a text
editor as root with the following command: sudo gedit /etc/snort/rules/local.rules

Then we type in the following:

alert icmp any any -> $HOME_NET any (msg:"ICMP flood"; sid:1000001; rev:1; classtype:icmp-event; detection_filter:track by_dst, count 500, seconds 3;)

Let us walk through the syntax of this rule:

Rule Header

- alert - Rule action. Snort will generate an alert when the set condition is met.
- any - Source IP. Snort will look at all sources.
- any - Source port. Snort will look at all ports.
- -> - Direction. From source to destination.
- $HOME_NET - Destination IP. We are using the HOME_NET value from the snort.conf file.
- any - Destination port. Snort will look at all ports on the protected network.

Rule Options

- msg:"ICMP flood" - Snort will include this message with the alert.
- sid:1000001 - Snort rule ID. Remember all numbers < 1,000,000 are reserved; this is
  why we are starting with 1000001 (you may use any number, as long as it's greater
  than 1,000,000).
- rev:1 - Revision number. This option allows for easier rule maintenance.
- classtype:icmp-event - Categorizes the rule as an "icmp-event", one of the predefined
  Snort categories. This option helps with rule organization.
- detection_filter:track by_dst - Snort tracks the destination IP address for detection.
- seconds 3 - The sampling period is set to 3 seconds.
- count 500 - If during the sampling period Snort detects more than 500 requests then
  we will receive the alert.

Now, let’s start Snort in IDS mode and tell it to display alerts to the console:

sudo snort -A console -c /etc/snort/snort.conf -i eth0

Here we are pointing Snort to the configuration file it should use (-c) and specifying
the interface (-i eth0). The -A console option prints alerts to standard output. We
don’t see any output when we enter the command because Snort hasn’t detected any
activity specified in the rule we wrote. We generate some activity and see if our rule
is working. We launch our VM.

Then we run a tool called hping3 to launch an ICMP flooding attack on our local
host. We see alerts generated for every ICMP echo request past the specified count
value within the sampling period with the message text we specified in the msg
option.
We can also see the source IP address of the host responsible for the alert-generating
activity.

We then stop Snort and return to the prompt by pressing Ctrl+C.


The above rule is for detecting ICMP flooding. Now we write another rule to detect SYN
flooding. We once again open the local.rules file and add the following on a new line:

alert tcp any any -> $HOME_NET 80 (flags:S; msg:"Possible DoS Attack Type : SYN flood"; flow:stateless; sid:1000002; rev:1; detection_filter:track by_dst, count 20, seconds 10;)

In this rule we have changed the protocol to TCP and set the destination port number to 80.
The flags keyword checks the TCP flag bits; flags:S matches packets with only the SYN flag
set, and flow:stateless makes the rule match regardless of TCP session state, which matters
because a flood of bare SYN packets never completes a handshake. The sampling period is set
to 10 seconds. If during this time period more than 20 requests are detected then we will
receive the alert.
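To make the detection_filter arithmetic behind both rules concrete, here is an added Python simulation (not part of the original report and not Snort's own code) of the per-destination rate tracking that the ICMP rule and the SYN rule rely on, run over constructed packet records. The window behaviour is an assumption modelled on Snort 2's detection_filter, and the alert lists show why an hping3 flood yields one alert per packet once the count is exceeded.

```python
import ipaddress
from collections import namedtuple

HOME_NET = ipaddress.ip_network("192.168.132.0/24")  # as set in snort.conf above
# Constructed packet record (not a real capture); flags "S" means only SYN is set.
Packet = namedtuple("Packet", "t proto src dst dport flags")

class DetectionFilter:
    """detection_filter: track by_dst|by_src, count N, seconds S. Assumed Snort 2
    semantics: matches are counted in a window that starts at the first match and
    restarts once `seconds` elapse; every match beyond `count` in that window alerts."""

    def __init__(self, track, count, seconds):
        self.track, self.count, self.seconds = track, count, seconds
        self.state = {}  # tracked address -> (window_start, matches)

    def exceeded(self, pkt):
        key = pkt.dst if self.track == "by_dst" else pkt.src
        start, n = self.state.get(key, (pkt.t, 0))
        if pkt.t - start >= self.seconds:  # window expired: start a new one
            start, n = pkt.t, 0
        n += 1
        self.state[key] = (start, n)
        return n > self.count

def icmp_flood_rule():
    """alert icmp any any -> $HOME_NET any (... track by_dst, count 500, seconds 3;)"""
    f = DetectionFilter("by_dst", 500, 3)
    return lambda p: (p.proto == "icmp"
                      and ipaddress.ip_address(p.dst) in HOME_NET and f.exceeded(p))

def syn_flood_rule():
    """alert tcp any any -> $HOME_NET 80 (flags:S; ... track by_dst, count 20, seconds 10;)"""
    f = DetectionFilter("by_dst", 20, 10)
    return lambda p: (p.proto == "tcp" and p.dport == 80 and p.flags == "S"
                      and ipaddress.ip_address(p.dst) in HOME_NET and f.exceeded(p))

def alerts(rule, packets):
    # Source address of every packet that fired the rule, as Snort's alert shows it.
    return [p.src for p in packets if rule(p)]

def sample_traffic():
    """Constructed flood like the hping3 runs: 505 pings in 0.5 s, 25 SYNs to port 80,
    two non-matching packets, then 5 SYNs that land in a fresh 10 s window."""
    victim, attacker = "192.168.132.10", "10.0.0.5"
    pkts = [Packet(0.001 * i, "icmp", attacker, victim, 0, "") for i in range(505)]
    pkts += [Packet(1.0 + 0.01 * i, "tcp", attacker, victim, 80, "S") for i in range(25)]
    pkts.append(Packet(2.0, "tcp", "192.168.132.20", victim, 80, "A"))  # ACK: no match
    pkts.append(Packet(2.5, "tcp", attacker, victim, 22, "S"))  # port 22: no match
    pkts += [Packet(12.0 + 0.01 * i, "tcp", attacker, victim, 80, "S") for i in range(5)]
    return pkts
```

Each rule alerts five times on the constructed traffic (packets 501 to 505 and SYNs 21 to 25), and the five SYNs sent eleven seconds later stay silent because the window has restarted.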

We then run snort again in similar fashion. Once again we don't see any output when we
enter the command because Snort hasn’t detected any activity specified in the rule we wrote.
So we generate some activity and see if our rule is working.

We launch our VM.

Then we run hping3 tool to launch a flooding attack on our local host but this time using
SYN packets. We see alerts generated for every TCP packet with SYN requests past the
specified count value within the sampling period with the message text we specified in the
msg option.

Here also we can see the source IP address of the host responsible for the alert-generating
activity.
We then stop Snort and return to the prompt by pressing Ctrl+C.

III. CONCLUSION
Thus we were successful in our attempt to detect a DDoS attack (both ICMP flooding and
SYN flooding) using Snort. Moreover, our procedure also enables us to find the IP address of
the perpetrator behind the attack.
