
THESIS PRESENTATION

ANALYSIS OF MODSECURITY AND MODANTILORIS IN DDOS SLOWHTTP ATTACKS ON WEB SERVERS
Fariz Fadhilah || 19101072

Advisor: Eka Wahyudi; Eko Fajar Cahyadi, S.T., M.T., Ph.D.
Examiner: Eka Wahyudi; Eko Fajar Cahyadi, S.T., M.T., Ph.D.
INTRODUCTIONS Background, Formulation of the problem, Research objectives, Benefits

BASIC THEORY Main literature review, Basic theory

RESEARCH METHODS Research flow, Network topology,

RESULTS AND DISCUSSION Implementation, Parameter Testing

CLOSING Conclusion
1
INTRODUCTIONS
INTRODUCTIONS ||

A disabled web server disrupts clients' access to information. Web server paralysis can be
caused by several attacks, one of which is Distributed Denial of Service (DDoS). DDoS attacks
have many variants, one of which is the slow HTTP DDoS attack, in which a large number of
incomplete HTTP requests are sent and never completed, forcing the web server to keep the
connections open. Open connections consume server resources, so that legitimate clients become
unable to access the web server. Applying modsecurity as network security offers a solution to
this problem. Modsecurity functions to filter, monitor, and block HTTP traffic at layer 7 of the
Open Systems Interconnection (OSI) model: it analyzes the HTTP requests, matches them against
the configured firewall rules, and then blocks or rejects access to the web application if the
traffic is suspicious. mod_antiloris prevents clients from hogging connection slots but does not
drop slow connections.
INTRODUCTIONS ||

1) How do the modsecurity and modantiloris methods perform in handling slow HTTP DDoS attacks,
as seen from CPU usage, response time, throughput, and packet loss?
2) How effective is the use of modsecurity and modantiloris in handling attacks compared to not
using modsecurity and modantiloris?
INTRODUCTIONS ||

1) Analyze the implementation of modsecurity and modantiloris when an attack occurs.
2) Analyze and compare CPU usage, throughput, response time and packet loss in the
implementation of modsecurity and modantiloris.
INTRODUCTIONS ||

This study compares network security using modsecurity and modantiloris, with CPU usage,
throughput, response time, and packet loss as test parameters. This research is expected to
provide an overview and analysis of network security based on a comparison of modsecurity with
modantiloris.
2
BASIC THEORY
BASIC THEORY ||

Literature review comparison. Criteria columns: firewall installed on the web server; slow HTTP
DDoS attack; modsecurity parameter; modantiloris parameter; implementation; CPU usage parameter;
response time parameter; throughput parameter; packet loss parameter.

Number of criteria covered by each study:
Baskoro (2019): 3
Rizal, Sumaryana (2020): 3
Mukhtar, Azer (2020): 3
Molavi Arman (2020): 4
Pahlawan (2021): 3
Fariz Fadhilah (2023): all 9


BASIC THEORY ||
● Web Server
A web server, more precisely a World Wide Web server, is an Internet server capable of serving
data-transfer connections over the HTTP (HyperText Transfer Protocol) protocol and waiting for
connections on a certain port. The web server is responsible for receiving a request for a
specific document written as a URL, looking for the matching file on the system, reading it, and
sending it to the client that requested it.
● Modsecurity
ModSecurity is an open-source web application firewall. It enables automatic, real-time
monitoring of web application security. A set of protection rules allows the administrator to
inspect HTTP traffic and automatically and reliably block unwanted traffic.
● Modantiloris
The Apache web server has a mod_antiloris module used to anticipate attacks; it needs to be
activated in Apache. The function of mod_antiloris is to prevent a client from hogging
connection slots, but it does not drop slow connections.
● SlowHTTP DoS Attack
Slow HTTP Denial of Service (DoS) is an application-layer DoS attack in which a large number of
incomplete HTTP requests are sent; it is a layer 7 DoS. Application-layer DoS attacks are a new
class of DoS attacks that exploit weaknesses in application design or implementation.
BASIC THEORY ||

● CPU Usage
CPU usage literally means the used capacity of the computer's processor. CPU usage can be seen
in the task manager, where it is expressed as a percentage (%). Under normal circumstances, CPU
usage shows a figure of 1% to 10% when the system is idle with some programs running.
● Response time
Response time is the time required for a system node to respond to a client request.
● Throughput
Throughput is the effective rate of data transfer, measured in bps. Throughput is the total
number of successful packet arrivals observed at the destination over a specified time interval,
divided by the duration of that interval.
● Packet loss
Packet loss is a parameter that describes the total amount of packets lost, which can occur due
to collisions and congestion on the network; it is one of the categories used to determine the
quality of the network.
3
RESEARCH METHODS
RESEARCH METHOD ||
Research flow (flowchart): Start -> Literature study -> Design test scenarios -> Design software
and hardware -> Run tests -> Successful? (No: change the configuration or hardware design and
re-test; Yes: collect the test result data) -> Analysis and conclusion -> Report compilation ->
Finish.
RESEARCH METHOD ||

Research is carried out in several stages, namely Literature Study, Designing Scenarios,
Designing Topology, Taking Data Results, Report Analysis and Compiling Reports.
RESEARCH METHOD ||

Network topology: attacker PC, client PC and server, all connected through a switch.

The devices used are one computer operated as a web server, one computer operated as the
attacker and one computer acting as a legitimate client. Each device is connected through a
switch using straight-through RJ45 cable. The web server used is the Apache web server, equipped
with the modsecurity and modantiloris security systems. On the server, data is collected before
and after the attack. On the attacker side, the Ubuntu operating system is installed and a slow
HTTP DDoS attack is launched against the web server using the slowhttptest tool. Each device is
assigned an IP address.
4
RESULT AND DISCUSSION
RESULT AND DISCUSSION ||

192.168.121.222 - - [09/Apr/2023:15:37:05 +0700] "GET /index.php HTTP/1.1" 408 482 "TESTING_PURPOSES_ONLY" "Opera/9.80 (Macintosh; Intel Mac OS X 10.7.0; U; Edition MacAppStore; en) Mozilla/5.0 (Macintosh; Intel Mac OS X) AppleWebKit/534.34 (KHTML,like Gecko) PhantomJS/1.9.0 (development) Safari/534.34"

The attack alert using modsecurity begins with the identification of the attacker: "192.168.121.222" is the IP
address from which the request originates, and the access time of the attacker's request is
"[09/Apr/2023:15:37:05 +0700]". The code "GET /index.php HTTP/1.1" means that the attacker's IP is trying to access
the website page named index.php over HTTP version 1.1 with a GET request. The code "408" means that the IP address
does not have permission to access the website or that a Request Timeout error is being shown; this means the server
dropped the connection because the client took too long to send the request. The code "TESTING_PURPOSES_ONLY"
indicates the page URL that redirected the client to the requested website. The code "Opera/9.80 (Macintosh; Intel
Mac OS X 10.7.0; U; Edition MacAppStore; en) Mozilla/5.0 (Macintosh; Intel Mac OS X) AppleWebKit/534.34 (KHTML,like
Gecko) PhantomJS/1.9.0 (development) Safari/534.34" specifies the user agent, which provides information about the
attacker's browser and operating system. In this case, the user agent indicates that the request was made using
Opera 9.80 on Mac OS X 10.7.0.
RESULT AND DISCUSSION ||
192.168.121.222 - - [07/May/2023:15:54:14 +0700] "GET /index.php HTTP/1.1" 408 482 "TESTING_PURPOSES_ONLY" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.152 Safari/537.36Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/537.75.14"

The attack alert using modantiloris begins with the identification of the attacker, namely "192.168.121.222". The
code "[07/May/2023:15:54:14 +0700]" shows the time when the request was made. The code "GET /index.php HTTP/1.1"
indicates that the attacker's IP is trying to access the index.php website page with a GET request. The code "408"
means that the IP address does not have permission to access the website or that a Request Timeout error is being
shown; this means the server disconnected because the client took too long to send the request. The code
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.152
Safari/537.36Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3
Safari/537.75.14" shows the user agent, which provides information about the attacker's browser and operating
system. In this case, the user agent indicates that the request was made using Opera 9.80 on Mac OS X 10.9.2.
RESULT AND DISCUSSION ||

::1 - - [07/May/2023:15:54:35 +0700] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.52 (Ubuntu) mod_antiloris/0.7.0 (internal dummy connection)"

The code "::1" is the IP address of the client making the request to the server; it is the loopback address,
normally used by the server itself. The code "[07/May/2023:15:54:35 +0700]" shows the time when the request was
made. The code "OPTIONS * HTTP/1.0" indicates the request that was made to the server. The code "200" indicates that
the status of the request returned by the server was successful. The code "Apache/2.4.52 (Ubuntu)
mod_antiloris/0.7.0 (internal dummy connection)" is the user agent information of the device that made the request,
and shows that the request was made by the server's dummy connection.
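As an added example (not code from the thesis), the following parser reads Apache combined-format access log entries like the three above, tallies 408 Request Timeout responses per client address (the access-log signature of connections held open without a complete request), sets aside Apache's own "internal dummy connection" entries from ::1 so they are not counted as attacker traffic, and counts entries whose referer carries the "TESTING_PURPOSES_ONLY" marker. The sample lines are constructed from the formats on this slide; the 192.168.121.10 client address and the alert threshold of 3 are assumptions.

```python
import re
from collections import Counter

# Apache "combined" log format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def parse_line(line):
    """Split one combined-format line into its fields; None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_internal_dummy(entry):
    """Apache's own wake-up requests from the loopback address; the user agent
    carries the server version and they are not client traffic."""
    return entry["host"] in ("::1", "127.0.0.1") and "internal dummy connection" in entry["agent"]

def slow_http_summary(lines, threshold=3):
    """Tally 408 (Request Timeout) responses per client and entries carrying the
    slowhttptest referer marker. Returns (timeouts_per_ip, flagged_ips, dummies, marker_hits);
    a client is flagged once its 408 count reaches the (assumed) threshold."""
    timeouts, dummies, marker_hits = Counter(), 0, 0
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue  # lines in another format are skipped, not guessed at
        if is_internal_dummy(e):
            dummies += 1
            continue
        if e["referer"] == "TESTING_PURPOSES_ONLY":
            marker_hits += 1
        if e["status"] == "408":
            timeouts[e["host"]] += 1
    flagged = {ip for ip, n in timeouts.items() if n >= threshold}
    return timeouts, flagged, dummies, marker_hits

# Constructed sample modelled on the thesis entries (192.168.121.10 is an assumed legitimate client)
SAMPLE_LOG = [
    '192.168.121.222 - - [09/Apr/2023:15:37:05 +0700] "GET /index.php HTTP/1.1" 408 482 "TESTING_PURPOSES_ONLY" "Opera/9.80 (Macintosh; Intel Mac OS X 10.7.0) PhantomJS/1.9.0 Safari/534.34"',
    '192.168.121.222 - - [09/Apr/2023:15:37:05 +0700] "GET /index.php HTTP/1.1" 408 482 "TESTING_PURPOSES_ONLY" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) Chrome/33.0.1750.152 Safari/537.36"',
    '192.168.121.222 - - [09/Apr/2023:15:37:06 +0700] "GET /index.php HTTP/1.1" 408 482 "TESTING_PURPOSES_ONLY" "Mozilla/5.0"',
    '192.168.121.10 - - [09/Apr/2023:15:37:07 +0700] "GET /index.php HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '::1 - - [07/May/2023:15:54:35 +0700] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.52 (Ubuntu) mod_antiloris/0.7.0 (internal dummy connection)"',
]
```

Running slow_http_summary(SAMPLE_LOG) flags 192.168.121.222 with three 408 responses, leaves the legitimate client unflagged and reports one dummy connection skipped.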
RESULT AND DISCUSSION ||

CPU USAGE
Average CPU usage (in %) per scenario (bar chart): Scenario 1: 0.34; Scenario 2: 1.9; Scenario 3: 1.65; Scenario 4: 2.5

Based on the graph obtained, modantiloris is superior to modsecurity in the CPU usage parameter. This is because
modantiloris works by scanning and rejecting attacks, so the CPU usage obtained is lower than in scenario 2.
RESULT AND DISCUSSION ||

RESPONSE TIME
Average response time per scenario (bar chart): Scenario 1: 46.33; Scenario 2: 744.24; Scenario 3: 11.29; Scenario 4: 13.89

Based on the graph obtained, modantiloris is better than modsecurity in the response time parameter. The long
modsecurity response time keeps the web server down for 744 seconds, because modsecurity needs to identify and
match attack patterns.
RESULT AND DISCUSSION ||

THROUGHPUT
Average throughput (KBps) per scenario (bar chart): Scenario 1: 1001.21; Scenario 2: 73.87; Scenario 3: 197.3; Scenario 4: 197.2

Based on the graph obtained, modantiloris at 197.3 KBps is better than modsecurity at 73.87 KBps in the throughput
parameter. Throughput decreases when large-value connections arrive, as with modsecurity, which needs to identify
and match attack patterns and does not block all attacks that enter the web server, so the incoming connections
become even larger.
RESULT AND DISCUSSION ||

PACKET LOSS
Average packet loss per scenario (bar chart): Scenario 1: 0; Scenario 2: 0.00374633333333333; Scenario 3: 0; Scenario 4: 0

Based on the graph obtained, modantiloris at 0% is better than modsecurity at 0.3746% in the packet loss parameter.
In scenario 3 there is no packet loss because modantiloris rejects all attacks within an abnormal time limit, and in
scenario 2 it takes time to identify the attack, resulting in 0.3746% packet loss.
The journal article was uploaded to Jurnal Listrik Telekomunikasi Elektronika on August 3, 2023.
CONCLUSION
1. Based on the access logs and error logs, the implementation of Modsecurity and Modantiloris shows that
modsecurity can prevent and identify the types of attacks that enter the web server, while Modantiloris only
rejects/blocks and identifies attacks without finding out what types of attacks enter.
2. In the CPU usage parameter, Modantiloris is superior because Modantiloris works by scanning and rejecting
attacks, while Modsecurity works by identifying and matching attack patterns and then blocking attacks.
3. In the response time parameter, Modantiloris is superior to Modsecurity because it does not identify and match
attack patterns as Modsecurity does; Modantiloris works by scanning and rejecting.
4. In the throughput parameter, Modantiloris is superior because throughput decreases when the arriving connections
have a large value, as with Modsecurity, while throughput is high when the arriving connections have a small value.
5. In the packet loss parameter, Modantiloris at 0% is superior to Modsecurity at 0.3746%. In scenario 3 there is no
packet loss because Modantiloris rejects all attacks with "Connection rejected by Antiloris, too many connections",
and in scenario 2 it takes time to identify attacks, resulting in 0.3746% packet loss.
THANK YOU!