Detecting Attacks

Hello,

I am Subashini, a graduate student. I am interested in doing my project in
Network Security. I have a doubt related to it.

The aim is to detect DoS/DDoS attacks using the application. I am going to
use ELK (Elasticsearch, Logstash, Kibana) for processing the logs (Log
Analytics).

My doubt is regarding how we generate logs for detecting this attack. As
I am new to this process, I am not sure about it.

Also, if it is possible to do any other attacks similar to this, could you
please give a hint about it?

Could anyone please help with this? It would be a great help!!

Is your aim to generate attack traffic? Or rather a mix of normal and attack traffic? That's one part. Googling "ddos simulator" will get you lots of results you can evaluate.

Logging it appropriately and capturing the logs, storing them in a db is the next.

--srs
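Added example (not code from any poster in this thread): once the web-server logs are being captured, the simplest DoS signal to extract from them is a per-source request rate. The Python below parses access-log lines in the Apache/nginx "combined" format and flags any client whose request count inside a sliding window crosses a threshold; the same counting can later be done in Logstash/Kibana. The log lines are constructed for the example, and the window size and threshold are assumed values, not recommendations.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the Apache/nginx "combined" log format. These are
# not real traffic: 203.0.113.7 sends six requests within about one second,
# 198.51.100.9 sends two requests four seconds apart, and one line is garbage.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "python-requests/2.31"
198.51.100.9 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 200 612 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 200 612 "-" "python-requests/2.31"
this line is not in combined format and is skipped by the parser
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 200 612 "-" "python-requests/2.31"
198.51.100.9 - - [10/Oct/2023:13:55:40 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# The fixed part of the combined format: client IP, bracketed timestamp,
# quoted request line, status code and response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def parse_log(lines):
    """Yield one dict per well-formed line; lines that do not match are dropped."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        yield {
            "ip": m.group("ip"),
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "request": m.group("req"),
            "status": int(m.group("status")),
        }

def detect_bursts(lines, window_seconds=2, threshold=5):
    """Flag each source whose request count inside a sliding window of
    window_seconds reaches threshold. Returns (ip, timestamp, count) tuples,
    one per crossing, so a source is not re-reported on every later request."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    over = set()                  # ips currently above the threshold
    alerts = []
    for rec in parse_log(lines):  # assumes the log is in time order
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        # Drop timestamps that have fallen out of the window.
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            if rec["ip"] not in over:
                over.add(rec["ip"])
                alerts.append((rec["ip"], rec["ts"], len(q)))
        else:
            over.discard(rec["ip"])
    return alerts

if __name__ == "__main__":
    for ip, ts, count in detect_bursts(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} burst from {ip}: {count} requests in window")
```

With the sample input this reports one burst from 203.0.113.7 at the fifth request. Per-source counting is only a first cut: a distributed flood spreads requests across many sources, so the next step is the same window applied to total request rate and to error-code rate rather than to one IP.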

Security Onion is a FOSS Linux distribution with several great security tools integrated into an installer.
https://security-onion-solutions.github.io/security-onion/

Snort & Suricata are signature-based detection tools. Bro is a domain-specific language for packet analysis and processing.

https://isc.sans.edu/forums/diary/Why+I+think+you+should+try+Bro/15259/

Bad approach. At that point, not only is the application being DDoS'ed,
but now your logging system may be overwhelmed as well. And a favorite
attack method is to throw a DDoS at one application (your http server, for
instance), and while you're drowning in logfiles, slip in an exploit for
something else (you *did* patch that tftpd server, right?)

Also, the vast majority of DDoS attempts are just fill-the-pipe attacks,
which often don't even bother attacking an application, just an IP address.
This leverages the fact that there are a lot of routers that can switch average
sized packets at line speed, but not minimum sized packets. So the link
falls over faster if it's getting pounded with ICMP Echo Request packets
or TCP SYN packets than if it's getting 800-byte http requests.

Hello!

You could try my open source project:
https://github.com/pavel-odintsov/fastnetmon

It's pretty popular and used by a very big number of really big networks.

We have an option for capturing a "pcap" dump of each attack for detailed
investigation.
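Added example (not code from FastNetMon or from any poster): it illustrates the earlier point that a flood of minimum-size packets exhausts a router's packet-forwarding capacity long before it fills the link's bandwidth, and the per-host packets-per-second and bits-per-second thresholds that a flow-based detector can apply (an assumption about the general approach, not FastNetMon's own implementation). The flow records, interval and thresholds are constructed for the example.

```python
from collections import defaultdict

# Constructed flow summaries (NetFlow/sFlow-style), all covering the same
# one-second measurement interval. Not real traffic.
SAMPLE_FLOWS = [
    # 1.5 million 60-byte packets: the size of a bare TCP SYN or ICMP echo request
    {"dst": "192.0.2.10", "packets": 1_500_000, "bytes": 1_500_000 * 60},
    # 100 thousand 800-byte packets: ordinary HTTP requests and responses
    {"dst": "192.0.2.20", "packets": 100_000, "bytes": 100_000 * 800},
    # a quiet host
    {"dst": "192.0.2.30", "packets": 2_000, "bytes": 2_000 * 1_400},
]

def line_rate_pps(link_bps, frame_bytes):
    """Packets per second a link carries at a given Ethernet frame size.
    Each frame also occupies 20 bytes of preamble, start delimiter and
    inter-frame gap on the wire, which is why small frames reach the
    packet limit long before the byte limit."""
    return int(link_bps / ((frame_bytes + 20) * 8))

def per_host_rates(flows, interval_s=1.0):
    """Aggregate the records per destination and return pps and bps for each."""
    totals = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for f in flows:
        totals[f["dst"]]["packets"] += f["packets"]
        totals[f["dst"]]["bytes"] += f["bytes"]
    return {
        dst: {"pps": t["packets"] / interval_s, "bps": t["bytes"] * 8 / interval_s}
        for dst, t in totals.items()
    }

def classify(rates, pps_limit, bps_limit):
    """Return {host: [reasons]} for hosts over either threshold. Checking pps
    as well as bps is the point: a flood of minimum-size packets can sit well
    under the bandwidth limit while exceeding what the router can forward."""
    alerts = {}
    for dst, r in rates.items():
        reasons = []
        if r["pps"] > pps_limit:
            reasons.append("pps")
        if r["bps"] > bps_limit:
            reasons.append("bps")
        if reasons:
            alerts[dst] = reasons
    return alerts

if __name__ == "__main__":
    print("1 Gbps link: %d pps at 64-byte frames, %d pps at 800-byte frames"
          % (line_rate_pps(1e9, 64), line_rate_pps(1e9, 800)))
    rates = per_host_rates(SAMPLE_FLOWS)
    for dst, r in rates.items():
        print(f"{dst}: {r['pps']:,.0f} pps, {r['bps'] / 1e6:,.0f} Mbps")
    print(classify(rates, pps_limit=200_000, bps_limit=1_000_000_000))
```

On the sample data the small-packet host runs at 720 Mbps, comfortably below a 1 Gbps bandwidth threshold, yet its 1.5 million pps is above what a 1 Gbps link can even carry at 64-byte frames; a bandwidth-only graph would show nothing wrong while a pps threshold alerts. This is also why a pcap of the first packets of an attack is worth keeping: it shows whether the traffic is tiny SYN/ICMP packets or full-size requests, which decides which counter to watch.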