
Intrusion Detection

By: Dillon, Modeste, Dazhawn, Calista, Dalton, Isaac

Intrusion Detection Review
● An IDS monitors traffic and network behavior in order to notify system administrators of malicious activity
● Types:
○ Host-based
○ Distributed host-based
○ Network-based

GENI Topology
● Victim: node we will attack
● Attacker: node that will launch the attack
● User: standard user trying to access the server
● OVS: highly programmable switch (Open vSwitch)
● Monitor: node running Snort
● Controller: brain of the OVS

Introduction to Attack
● Victim will be running a simulated server: iperf -s
● User will be an iperf client communicating with the server: iperf -c victim -t 120
● Attacker will be SYN flooding the Victim server: sudo timeout -sHUP 20s hping3 -i ul -S --flood --rand-source -p 80 victim
○ 20 second attack
○ --flood = send packets as fast as possible
○ --rand-source = spoofed source addresses
○ -p 80 victim = send packets to port 80 on the victim

Our Snort Rule
● alert tcp any any -> $HOME_NET 80 (flags:S; msg:"Possible SYN Flood DOS"; flow:stateless; detection_filter: track by_dst, count 70, seconds 10; sid:10001;)
○ Incoming TCP packets from any IP and any port
○ Directed to our home network on port 80
○ Must be SYN packets (flags:S means only the SYN flag is set)
○ Alert message: Possible SYN Flood DOS
○ Trigger alert if more than 70 SYN packets in 10 seconds are sent to a single destination
■ Customize the rate based on normal traffic
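To make the rule's thresholds concrete, here is an added example (not from the slides and not Snort's own code) that re-implements what the rule above does over a constructed packet list: the header match (TCP to port 80 inside a stand-in $HOME_NET, SYN flag only) and a per-destination sliding 10-second window with count 70, the way Snort's detection_filter with track by_dst behaves. The HOME_NET prefix, the packet tuple layout and the sample addresses are assumptions made for the example.

```python
"""
Added example: emulate the slide's Snort rule offline so the thresholds can be
reasoned about and tuned against sample traffic.

Emulated semantics (Snort detection_filter, track by_dst):
  - header: tcp any any -> $HOME_NET 80, with flags:S (only SYN set)
  - a sliding window of `SECONDS` seconds per destination address
  - once more than `COUNT` matching packets fall inside the window, every further
    matching packet in that window raises the alert (detection_filter suppresses
    alerts until the rate is exceeded, then alerts on each packet)

Packets are constructed tuples: (timestamp_seconds, src_ip, dst_ip, dst_port, flags).
"""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

HOME_NET = ip_network("10.10.0.0/24")   # assumption: stand-in for Snort's $HOME_NET
COUNT, SECONDS = 70, 10                 # values from the slide's rule
SID, MSG = 10001, "Possible SYN Flood DOS"


def matches_rule(pkt):
    """Header part of the rule: tcp any any -> $HOME_NET 80, flags:S."""
    _ts, _src, dst, dport, flags = pkt
    return dport == 80 and flags == "S" and ip_address(dst) in HOME_NET


class DetectionFilter:
    """Sliding-window SYN counter per destination (track by_dst)."""

    def __init__(self, count=COUNT, seconds=SECONDS):
        self.count, self.seconds = count, seconds
        self.windows = defaultdict(deque)   # dst -> timestamps of matching packets

    def process(self, pkt):
        """Return (sid, msg, dst, syns_in_window) if this packet alerts, else None."""
        if not matches_rule(pkt):
            return None
        ts, _src, dst, _dport, _flags = pkt
        win = self.windows[dst]
        win.append(ts)
        # discard timestamps that have fallen out of the window
        while win and ts - win[0] > self.seconds:
            win.popleft()
        if len(win) > self.count:
            return (SID, MSG, dst, len(win))
        return None


def run(packets):
    """Feed packets through the filter; return (alerts, set of alerted destinations)."""
    df = DetectionFilter()
    alerts = [a for a in (df.process(p) for p in packets) if a]
    return alerts, {a[2] for a in alerts}


def constructed_traffic():
    """Constructed sample traffic (not a capture): a legitimate client, a
    spoofed-source flood, and a busy but under-threshold client."""
    pkts = []
    # iperf-style user: one SYN, then data segments with ACK set; must not alert
    pkts.append((0.0, "10.20.0.5", "10.10.0.7", 80, "S"))
    pkts += [(0.5 + i, "10.20.0.5", "10.10.0.7", 80, "A") for i in range(20)]
    # flood: 100 SYNs from spoofed sources hitting the victim within 5 seconds
    pkts += [(30.0 + i * 0.05, f"198.51.100.{i % 250 + 1}", "10.10.0.7", 80, "S")
             for i in range(100)]
    # 100 SYNs spread over 50 s to another host: ~20 per 10 s, under the threshold
    pkts += [(100.0 + i * 0.5, "10.20.0.9", "10.10.0.8", 80, "S") for i in range(100)]
    return sorted(pkts)


if __name__ == "__main__":
    alerts, dsts = run(constructed_traffic())
    print(f"{len(alerts)} alerts, destinations flagged: {sorted(dsts)}")
```

With the constructed traffic, only the flooded host trips the filter: the first 70 flood SYNs are silent and the remaining 30 each raise the alert, which is also why a real deployment tunes count/seconds to the site's normal SYN rate rather than leaving the slide's values unchanged.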
Attack Demo
● Client view screenshots: no SYN flood vs. SYN flood

Detection and Defense
● SYN Cookies: encode the TCP state table information in the SYN-ACK response to the client
○ Resources are not reserved until the client responds
● TCP Stateful Packet Inspection: log the state of packets and TCP connections
○ Limit and track the number of half-open TCP connections
● Rate Limiting: limit the number of SYN packets per second and drop any above the limit
○ May discard valid packets
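The stateful-inspection defense above is easier to judge with a worked example. The following is an added illustration (not from the slides) of a half-open connection tracker: a connection is counted from the client's SYN until its handshake-completing ACK arrives or an embryonic timeout expires, and once a destination holds more half-open entries than the limit, further SYNs to it are dropped. Legitimate clients complete the handshake and leave the table; spoofed-source floods never do. The limit, the timeout, the event tuple layout and the sample addresses are assumed values chosen for the example.

```python
"""
Added example: TCP stateful packet inspection as a half-open connection tracker.

Events are constructed tuples: (timestamp, src_ip, dst_ip, flags) where flags is
"S" (client SYN), "SA" (server SYN-ACK) or "A" (client ACK completing the handshake).
"""


class HalfOpenTracker:
    def __init__(self, limit=50, timeout=5.0):
        self.limit = limit        # assumed: max half-open connections per destination
        self.timeout = timeout    # assumed: embryonic-connection timeout in seconds
        self.half_open = {}       # (src, dst) -> timestamp of the SYN
        self.flagged = set()      # destinations that hit the limit at least once

    def _expire(self, now):
        # drop embryonic entries whose timeout elapsed, as a server that gives up
        # retransmitting SYN-ACKs would
        for key, ts in list(self.half_open.items()):
            if now - ts > self.timeout:
                del self.half_open[key]

    def count_for(self, dst):
        return sum(1 for (_src, d) in self.half_open if d == dst)

    def process(self, event):
        """Return ("DROPPED", dst, half_open_count) when a SYN is refused, else None."""
        ts, src, dst, flags = event
        self._expire(ts)
        if flags == "S":
            n = self.count_for(dst)
            if n >= self.limit:
                # limit reached: refuse the new embryonic connection instead of storing it
                self.flagged.add(dst)
                return ("DROPPED", dst, n)
            self.half_open[(src, dst)] = ts
        elif flags == "A":
            # third step of the handshake: connection is established, no longer half-open
            self.half_open.pop((src, dst), None)
        # "SA" from the server leaves the half-open state unchanged
        return None


def run(events, limit=50, timeout=5.0):
    """Replay events; return drop count, flagged destinations and final table size."""
    tracker = HalfOpenTracker(limit, timeout)
    dropped = sum(1 for e in events if tracker.process(e) is not None)
    return {"dropped": dropped, "flagged": set(tracker.flagged),
            "half_open_at_end": len(tracker.half_open)}


def constructed_events():
    """Constructed sample traffic (not a capture)."""
    ev = [(0.00, "10.20.0.5", "10.10.0.7", "S"),      # legitimate client handshake
          (0.01, "10.10.0.7", "10.20.0.5", "SA"),
          (0.02, "10.20.0.5", "10.10.0.7", "A")]
    # 200 spoofed-source SYNs over 2 seconds that are never acknowledged
    ev += [(1.0 + i * 0.01, f"198.51.100.{i % 250 + 1}", "10.10.0.7", "S")
           for i in range(200)]
    # a new legitimate client after the flood's entries have timed out
    ev += [(10.00, "10.20.0.6", "10.10.0.7", "S"),
           (10.01, "10.10.0.7", "10.20.0.6", "SA"),
           (10.02, "10.20.0.6", "10.10.0.7", "A")]
    return ev


if __name__ == "__main__":
    print(run(constructed_events()))
```

In the replay the first 50 flood SYNs fill the table, the remaining 150 are dropped, and once the timeout expires the later legitimate client is accepted and completes normally, leaving the table empty. The same limit applied as a plain per-second SYN cap would also hit the legitimate client during the flood, which is the "may discard valid packets" trade-off the slide notes for rate limiting.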
