Difference between revisions of "Suricata: Test DDoS Attack"
Latest revision as of 10:41, 30 March 2020
Source: https://kifarunix.com/install-and-setup-suricata-on-ubuntu-18-04/

We will test a DDoS attack against a server running Suricata.

==Preparing the Rules==

Edit the file

 vi /etc/suricata/rules/test-ddos.rules

 alert tcp any any -> $HOME_NET 80 (msg: "Possible DDoS attack"; flags: S; flow: stateless; threshold: type both, track by_dst, count 200, seconds 1; sid:1000001; rev:1;)

This rule will log if there are 100 connection attempts in 10 seconds.

Add the test-ddos.rules file in the rule-files section:

 vi /etc/suricata/suricata.yaml

 af-packet:
   - interface: enp0s3
 ..
 rule-files:
   - suricata.rules
   # - Custom Test rules
   - test-ddos.rules

To be safe, also copy it to /var/lib/suricata/rules:

 mkdir -p /var/lib/suricata/rules
 cp /etc/suricata/rules/test-ddos.rules /var/lib/suricata/rules

==Attack Preparation==

Make sure the packet offload features on the network interface are disabled,

 ethtool -K enp0s3 gro off lro off

If that is not possible, it does not matter. Verify with the command,

 ethtool -k enp0s3 | grep large

 large-receive-offload: off [fixed]

==Run Suricata==

Run,

 killall suricata
 rm /var/run/suricata.pid
 suricata -D -c /etc/suricata/suricata.yaml -i enp0s3

The available run modes can be listed with,

 suricata --list-runmodes

==Kali Linux Attack==

Attack using Kali Linux

 hping3 -S -p 80 --flood --rand-source 192.168.1.148

The alerts can be seen in

 tail /var/log/suricata/fast.log
 watch -n 5 tail /var/log/suricata/fast.log
 03/30/2020-03:34:55.010006  [**] [1:1000001:1] Possible DDoS attack [**] [Classification: (null)]  [Priority: 3] {TCP} 81.62.51.224:60904 -> 192.168.1.148:80
 03/30/2020-03:34:56.007899  [**] [1:1000001:1] Possible DDoS attack [**] [Classification: (null)] [Priority: 3] {TCP} 237.104.128.81:19964 -> 192.168.1.148:80
 03/30/2020-03:34:57.007973  [**] [1:1000001:1] Possible DDoS attack [**] [Classification: (null)] [Priority: 3] {TCP} 145.248.102.92:44709 -> 192.168.1.148:80
 03/30/2020-03:34:58.007980  [**] [1:1000001:1] Possible DDoS attack [**] [Classification: (null)] [Priority: 3] {TCP} 204.51.197.102:3773 -> 192.168.1.148:80
 03/30/2020-03:34:59.007818  [**] [1:1000001:1] Possible DDoS attack [**] [Classification: (null)] [Priority: 3] {TCP} 94.209.60.14:28833 -> 192.168.1.148:80
 03/30/2020-03:35:00.010719  [**] [1:1000001:1] Possible DDoS attack [**] [Classification: (null)] [Priority: 3] {TCP} 101.90.0.42:53510 -> 192.168.1.148:80
 03/30/2020-03:35:01.007911  [**] [1:1000001:1] Possible DDoS attack [**] [Classification: (null)] [Priority: 3] {TCP} 209.155.69.24:12740 -> 192.168.1.148:80
 03/30/2020-03:35:02.009702  [**] [1:1000001:1] Possible DDoS attack [**] [Classification: (null)] [Priority: 3] {TCP} 146.152.251.23:37741 -> 192.168.1.148:80
 03/30/2020-03:35:03.009742  [**] [1:1000001:1] Possible DDoS attack [**] [Classification: (null)] [Priority: 3] {TCP} 39.113.86.44:62281 -> 192.168.1.148:80
 03/30/2020-03:35:04.053830  [**] [1:1000001:1] Possible DDoS attack [**] [Classification: (null)] [Priority: 3] {TCP} 234.214.11.78:22803 -> 192.168.1.148:80

The alerts arrive about one second apart because the rule's threshold is type both with seconds 1, which allows at most one alert per destination per window; the Classification shows (null) and the Priority is the default 3 because the rule sets no classtype.
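What decides when this rule fires is its threshold option, which as written reads type both, track by_dst, count 200, seconds 1. The Python script below is an added example (not from the page or from Suricata) that parses that option out of the rule string and simulates the counting against a constructed SYN flood; the flood helper, its source addresses and the packet rates are constructed for illustration.

```python
import re
from collections import defaultdict

# The rule exactly as given on the page; only its threshold option is interpreted here.
RULE = ('alert tcp any any -> $HOME_NET 80 (msg: "Possible DDoS attack"; flags: S; '
        'flow: stateless; threshold: type both, track by_dst, count 200, seconds 1; '
        'sid:1000001; rev:1;)')

THRESHOLD_RE = re.compile(
    r'threshold:\s*type\s+(\w+),\s*track\s+(\w+),\s*count\s+(\d+),\s*seconds\s+(\d+)')


def parse_threshold(rule):
    """Return (type, track, count, seconds) from a rule's threshold option."""
    m = THRESHOLD_RE.search(rule)
    if not m:
        raise ValueError("rule has no threshold option")
    return m.group(1), m.group(2), int(m.group(3)), int(m.group(4))


def simulate(syn_events, track, count, seconds):
    """Model 'type both': once `count` matches are seen for one tracked key inside
    a `seconds`-long window, raise a single alert for that window, then stay quiet
    until the window expires. Events are (timestamp, src, dst); returns (ts, key)."""
    state = defaultdict(lambda: {"start": None, "n": 0, "fired": False})
    alerts = []
    for ts, src, dst in sorted(syn_events):
        key = src if track == "by_src" else dst
        s = state[key]
        if s["start"] is None or ts >= s["start"] + seconds:
            s.update(start=ts, n=0, fired=False)   # window expired: start a new one
        s["n"] += 1
        if s["n"] >= count and not s["fired"]:
            s["fired"] = True                      # one alert per window, like fast.log shows
            alerts.append((ts, key))
    return alerts


def flood(dst, rate, duration, start=0.0):
    """Constructed SYN flood: `rate` packets/s for `duration` s from varying sources."""
    return [(start + i / rate, f"10.0.{i % 256}.{(i * 7) % 256}", dst)
            for i in range(int(rate * duration))]


if __name__ == "__main__":
    _, track, count, seconds = parse_threshold(RULE)
    for rate in (1000, 100):   # fast flood trips the rule every second; slow one never does
        hits = simulate(flood("192.168.1.148", rate, 5), track, count, seconds)
        print(f"{rate} SYN/s -> {len(hits)} alerts at", [round(t, 3) for t, _ in hits])
```

Running it shows five alerts (one per second) for the 1000 SYN/s flood and none for 100 SYN/s, which is what count 200 within seconds 1 actually means for this rule.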