Assignment title: Information
Copyright 2015 @ projectsinnetworking.com
Flooding attack detection using anomaly techniques with Wireshark
Project Scope
Flooding is a type of attack in which the attacker sends a very large volume of
packets to the victim, or to a service it provides, in an attempt to bring the
system down. There are different kinds of flooding attacks, such as ping floods,
TCP SYN floods and UDP floods. This project simulates a ping flood using the
operating system's ping command. Wireshark is installed on the victim and is used
to count the ping packets received during a specified duration; the count is
compared against a threshold, and a flooding attack is flagged when the threshold
is exceeded.
Hardware & Software
Operating systems (2 nos, Windows or Linux; Windows 7 and XP used in the lab)
Switch (1 nos)
Wireshark (Free Download)
Understanding Flooding attacks
Flooding is a type of DoS (denial of service) attack in which the goal of the
attacker is to bring down a service or the target system. There are different
types of flooding attacks, such as TCP SYN floods, UDP floods and ICMP floods.
TCP SYN floods exploit the TCP three-way handshake: a client sends a SYN, the
server answers with a SYN-ACK and reserves state for the pending connection, and
the client completes the handshake with an ACK. In a TCP SYN flood the attacker
sends a stream of SYN packets, usually with spoofed source addresses, and never
completes the handshake. The server responds with a SYN-ACK to every one and
accumulates half-open connections, which eventually exhausts its backlog of
pending connections, so legitimate clients can no longer connect and the service
is denied.
An ICMP flood attack, also called a ping flood, sends a stream of ICMP echo
request packets to the victim. The victim answers every echo request with an echo
reply, so its CPU, memory and bandwidth are consumed generating replies and the
system slows down. When the rate of echo requests is extremely high the victim
can become completely unresponsive or crash.
Ping flood simulation
Ping floods can be created with packet crafting tools such as Scapy or hping3.
They can also be simulated with the ping command and appropriate options on
Windows and Linux systems. The screenshot below shows a continuous stream of ping
packets being sent with the Windows ping -t option.
The screenshot above shows ping being run with the -t option. The command sends
echo requests to the target, 192.168.0.1 in this case, in a loop until it is
interrupted with Ctrl+C, as in a ping flood attack. Note that ping -t sends one
request per second, so it resembles a flood only in that it never stops; on
Linux, ping -f (which requires root) sends requests as fast as the replies come
back, at least 100 per second, and is much closer to a real flood.
Anomaly detection
In a real environment, network traffic is analysed over days to establish a
baseline of normal traffic behaviour. Any deviation from that baseline is
classified as an anomaly.
In this project it is assumed that up to 10 ping (ICMP) packets received on the
victim within a 10-minute window is normal traffic. If more than 10 ICMP packets
are seen in the window, the traffic is considered an anomaly and classified as a
ping flood. The count includes both the echo requests and the replies the victim
sends, since both are ICMP.
Anomaly detection with Wireshark
The following procedure is used to detect an anomaly with Wireshark.
Time column editing in Wireshark
The Time column in Wireshark is changed to show absolute date and time, so that
the capture can be filtered by wall-clock time. The following steps are used.
Go to Edit -> Preferences
Select Columns, and for the Time column set the field type to Absolute date and
time, as shown. (View -> Time Display Format -> Date and Time of Day has the
same effect.)
This displays the Time column in the required format, as shown below.
Display filter for a specified duration
The following Wireshark display filter selects the packets captured in a
specified duration. It is a display filter applied after the capture has been
stopped, not a capture filter:
(frame.time >= "Nov 29, 2015 10:35:00") && (frame.time <= "Nov 29, 2015 10:45:00")
The above filter displays all packets from the 10 minutes between 10:35 and 10:45
on the 29th of November. frame.time is the capture timestamp in the local time of
the capturing host, so the date and time must match the victim's clock.
Display filter for ping packets in a specified duration
(frame.time >= "Nov 29, 2015 10:45:00") && (frame.time <= "Nov 29, 2015 10:55:00") && icmp
The above filter displays only the ping (ICMP) packets from the 10 minutes
between 10:45 and 10:55 on the 29th of November.
Display the ICMP packet count with Wireshark
The screenshot below shows how to display the packet count for ICMP (ping),
which is the number used for anomaly detection.
Go to Statistics -> Protocol Hierarchy
This displays the window shown below. The statistics honour the current display
filter, so with the ICMP filter applied the Packets column (3rd) of the ICMP row
shows the number of ICMP packets received in the window.
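The Wireshark steps above (time filter, then the ICMP count from Protocol Hierarchy, compared with the 10-packets-per-10-minutes threshold of the Anomaly detection section) reduce to a small piece of logic. The Python below is an added example, not part of the original project: it runs the same window-and-threshold check over a constructed packet list that stands in for the Wireshark capture (the addresses, timestamps and frame mix are made up to match the lab), and generalises it to a sliding per-conversation window that reports the peer addresses and catches a burst split across two fixed windows, which the fixed 10-minute windows of the procedure would miss.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Frame:
    """One row of the Wireshark packet list: frame.time, protocol, source and destination."""
    time: datetime
    proto: str
    src: str
    dst: str


def at(hh, mm, ss=0):
    """Timestamp on the lab date (Dec 1, 2015), in the capturing host's local time."""
    return datetime(2015, 12, 1, hh, mm, ss)


def ping_exchange(start, count, interval, src, dst):
    """Constructed traffic: `count` echo requests from src to dst, `interval` seconds apart,
    each answered 1 ms later, so 2*count ICMP frames in total (requests plus replies)."""
    frames = []
    for i in range(count):
        t = start + timedelta(seconds=i * interval)
        frames.append(Frame(t, "icmp", src, dst))
        frames.append(Frame(t + timedelta(milliseconds=1), "icmp", dst, src))
    return frames


VICTIM, ATTACKER, OTHER = "192.168.0.3", "192.168.0.2", "192.168.0.4"

# Constructed capture (not a real pcap): a plain `ping 192.168.0.3` (4 requests, the Windows
# default), the `ping -t` run stopped after 10 requests, a burst from a second host that
# straddles the 10:50 boundary, and two non-ICMP frames that the icmp filter must ignore.
CAPTURE = (
    ping_exchange(at(10, 20), 4, 1, ATTACKER, VICTIM)
    + ping_exchange(at(10, 33), 10, 1, ATTACKER, VICTIM)
    + ping_exchange(at(10, 49, 0), 5, 10, OTHER, VICTIM)
    + ping_exchange(at(10, 50, 10), 5, 10, OTHER, VICTIM)
    + [Frame(at(10, 21, 30), "arp", ATTACKER, "ff:ff:ff:ff:ff:ff"),
       Frame(at(10, 34, 5), "tcp", OTHER, VICTIM)]
)

THRESHOLD = 10  # project assumption: at most 10 ICMP frames per 10-minute window is normal


def count_in_window(frames, start, end, proto="icmp"):
    """Equivalent of the display filter
    (frame.time >= start) && (frame.time <= end) && icmp
    followed by reading the ICMP row of Statistics -> Protocol Hierarchy."""
    return sum(1 for f in frames if start <= f.time <= end and f.proto == proto)


def is_flood(count, threshold=THRESHOLD):
    """The project's rule: more than `threshold` ICMP frames in the window is an anomaly."""
    return count > threshold


def sliding_conversation_alerts(frames, window=timedelta(minutes=10), threshold=THRESHOLD, proto="icmp"):
    """Generalisation of the fixed-window check: count ICMP per conversation (both directions,
    like Statistics -> Conversations) in a window that slides over the timestamps, so a burst
    split across two fixed 10-minute windows is still caught and the peer addresses are known.
    Returns {"a <-> b": peak count} for every conversation that exceeded the threshold."""
    by_conv = defaultdict(list)
    for f in frames:
        if f.proto == proto:
            by_conv[frozenset((f.src, f.dst))].append(f.time)
    alerts = {}
    for conv, times in by_conv.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:   # drop frames that fell out of the window
                lo += 1
            n = hi - lo + 1
            if n > threshold:
                key = " <-> ".join(sorted(conv))
                alerts[key] = max(alerts.get(key, 0), n)
    return alerts


if __name__ == "__main__":
    for start, end in [(at(10, 15), at(10, 25)), (at(10, 30), at(10, 40)),
                       (at(10, 40), at(10, 50)), (at(10, 50), at(11, 0))]:
        n = count_in_window(CAPTURE, start, end)
        print(f"{start:%H:%M}-{end:%H:%M}: {n:2d} ICMP frames -> {'FLOOD' if is_flood(n) else 'normal'}")
    print("sliding window:", sliding_conversation_alerts(CAPTURE))
```

The fixed windows reproduce the lab numbers (8 frames for the normal run, 20 for the ping -t run) and show the weakness of fixed windows: the burst from the second host lands as 10 frames in the 10:40-10:50 window and 10 in the 10:50-11:00 window, neither above the threshold, while the sliding check sees all 20 within ten minutes and names the conversation involved.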
Lab Setup and Topology
The lab is set up with two Windows systems and a switch. Wireshark is installed
on the victim. The topology diagram below shows the IP address design for the
respective systems.
Normal ping traffic generation
Wireshark is started on the victim system before the normal ping traffic is
generated. The normal ping traffic is generated with the command ping 192.168.0.3
from the attacker system to the victim; by default, Windows ping sends 4 echo
requests.
Wireshark is then stopped and the filter (frame.time >= "Dec 1, 2015 10:15:00")
&& (frame.time <= "Dec 1, 2015 10:25:00") && icmp is applied to select the ICMP
packets between 10:15 and 10:25 (10 minutes).
Note: the capture was taken on Dec 1st 2015 and the packets were captured
between 10:15 and 10:25.
The number of ICMP packets is observed as 8, as shown below: the 4 echo requests
and their 4 corresponding replies. As the count is not more than 10, no anomaly
is detected and a flooding attack is not suspected.
Ping flood generation
A ping flood is simulated with the command ping 192.168.0.3 -t, which keeps
sending requests until it is interrupted; it is stopped after 10 requests.
Wireshark is stopped and the following filter is applied to select the ICMP
packets between 10:30 and 10:40 (10 minutes):
(frame.time >= "Dec 1, 2015 10:30:00") && (frame.time <= "Dec 1, 2015 10:40:00") && icmp
The Wireshark screenshot showing the packet count is shown below.
It can be observed that 20 ICMP packets (10 requests and their 10 replies) were
received within the duration. This exceeds the threshold of 10 and signifies a
traffic anomaly, which leads to a suspected flooding attack.
Conclusion
By observing the packet count in Wireshark, an anomaly in the traffic can be
detected. The same volume-based technique can be applied to other flooding
attacks, such as SYN or UDP floods, by filtering on the relevant protocol (for
example tcp.flags.syn == 1 && tcp.flags.ack == 0, or udp), because a flooding
attack results in a sudden increase in the number of packets. Normal traffic
patterns and counts must be pre-analysed per protocol and per host to set a
realistic threshold: a fixed count such as 10 packets in 10 minutes would produce
constant false positives on a busy network, and a real attacker's rate is far
higher than the one simulated here. Any deviation from the established baseline
can then be classified as an anomaly.