Suricata: Test DDoS Attack

From OnnoWiki
Latest revision as of 10:41, 30 March 2020

Source: https://kifarunix.com/install-and-setup-suricata-on-ubuntu-18-04/

We will run a test DDoS attack (a SYN flood) against a server running Suricata and watch it alert.

Preparing Rules

Create and edit the rule file

vi /etc/suricata/rules/test-ddos.rules
alert tcp any any -> $HOME_NET 80 (msg: "Possible DDoS attack"; flags: S; flow: stateless; threshold: type both, track by_dst, count 200, seconds 1; sid:1000001; rev:1;)

This rule fires when a single destination (track by_dst) receives 200 or more TCP packets with only the SYN flag set on port 80 within one second (count 200, seconds 1). With threshold type both, Suricata raises one alert per one-second interval once the count is reached and suppresses further matches until the interval expires, which is why the log below shows exactly one alert per second during the flood. flow: stateless lets the rule match SYNs that never become an established flow.

Add test-ddos.rules under the rule-files: section:
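The threshold semantics above are easy to misread (the difference between "200 in 1 second" and "100 in 10 seconds" changes what gets detected), so here is an added example, written for this page and not code from Suricata or the original article, that models the rule and its threshold in Python and runs it over constructed traffic. It assumes $HOME_NET is 192.168.1.0/24 and reads threshold type both as "alert once per window after count matches", a simplification of the documented behaviour rather than Suricata's actual implementation.

```python
import ipaddress
import random
from dataclasses import dataclass, field

# Assumption: $HOME_NET is the lab LAN used on this page (Suricata's default is a set of RFC1918 ranges).
HOME_NET = ipaddress.ip_network("192.168.1.0/24")


@dataclass
class ThresholdBoth:
    """Simplified model of 'threshold: type both, track by_<key>, count N, seconds S'.

    Per tracked key, matches are counted inside a fixed window of S seconds that starts at
    the first match; one alert is raised when the count reaches N and nothing more is raised
    until the window expires. This follows the documented semantics, not Suricata's code.
    """
    count: int
    seconds: float
    _state: dict = field(default_factory=dict)

    def hit(self, key, now):
        """Register one matching packet for `key` at time `now`; return True if it alerts."""
        st = self._state.get(key)
        if st is None or now - st["start"] >= self.seconds:
            st = {"start": now, "n": 0, "alerted": False}
            self._state[key] = st
        st["n"] += 1
        if st["n"] >= self.count and not st["alerted"]:
            st["alerted"] = True
            return True
        return False


def rule_matches(pkt):
    """The match part of the page's rule: TCP to $HOME_NET port 80 with only SYN set (flags: S)."""
    return (pkt["proto"] == "tcp"
            and ipaddress.ip_address(pkt["dst"]) in HOME_NET
            and pkt["dport"] == 80
            and pkt["flags"] == {"SYN"})


def run_detector(packets, count=200, seconds=1.0):
    """Run rule + threshold over packet dicts (ts, proto, src, dst, dport, flags); return alerts."""
    thr = ThresholdBoth(count=count, seconds=seconds)
    alerts = []
    for pkt in sorted(packets, key=lambda p: p["ts"]):
        # track by_dst: the threshold counter is keyed on the destination address only
        if rule_matches(pkt) and thr.hit(pkt["dst"], pkt["ts"]):
            alerts.append((round(pkt["ts"], 3), pkt["src"], pkt["dst"]))
    return alerts


def syn_flood(start_ts, per_second, duration_s, dst="192.168.1.148", seed=1):
    """Constructed traffic: hping3 --flood --rand-source style SYNs, spread evenly over each second."""
    rng = random.Random(seed)
    pkts = []
    for s in range(duration_s):
        for i in range(per_second):
            pkts.append({
                "ts": start_ts + s + i / per_second,
                "proto": "tcp",
                "src": ".".join(str(rng.randint(1, 254)) for _ in range(4)),
                "dst": dst, "dport": 80, "flags": {"SYN"},
            })
    return pkts


if __name__ == "__main__":
    # 1000 SYN/s for 3 s: exactly one "Possible DDoS attack" per second, as in the fast.log on this page.
    for a in run_detector(syn_flood(0.0, 1000, 3)):
        print("alert", a)
    # 20 SYN/s for 10 s is 200 SYNs in total but never 200 inside one second: no alert with count 200/seconds 1,
    # one alert if the rule were written as count 100/seconds 10.
    print("slow flood, 200/1s:", len(run_detector(syn_flood(0.0, 20, 10))))
    print("slow flood, 100/10s:", len(run_detector(syn_flood(0.0, 20, 10), count=100, seconds=10.0)))
```

The slow-flood case is the practical caveat: a SYN rate just under 200/s never trips this rule, and since the counter is tracked by destination, an attacker spreading a flood across several hosts in $HOME_NET stays below the threshold on each of them.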

vi /etc/suricata/suricata.yaml
af-packet:
  - interface: enp0s3
..
rule-files:
  - suricata.rules
# - Custom Test rules
  - test-ddos.rules


To be safe, also copy the file to /var/lib/suricata/rules: relative rule-files entries are resolved against default-rule-path in suricata.yaml, which on installs using suricata-update points there rather than to /etc/suricata/rules.

mkdir -p /var/lib/suricata/rules
cp /etc/suricata/rules/test-ddos.rules /var/lib/suricata/rules

Attack Preparation

Make sure packet offload features are disabled on the network interface, otherwise the NIC merges segments and Suricata does not see the individual SYNs,

ethtool -K enp0s3 gro off lro off

If the setting cannot be changed, that is fine. Check with the command below; "[fixed]" means the driver does not allow changing it, and what matters is that it reads "off",

ethtool -k enp0s3 | grep large
large-receive-offload: off [fixed]


Run Suricata

Stop any running instance, remove the stale PID file and start Suricata as a daemon on the interface,

killall suricata
rm /var/run/suricata.pid
suricata -D -c /etc/suricata/suricata.yaml -i enp0s3

The available run modes can be listed with (to confirm the daemon actually started, check /var/log/suricata/suricata.log),

suricata --list-runmodes


Kali Linux Attack

Launch the SYN flood from Kali Linux (hping3 sends SYNs to port 80 as fast as possible, with a random spoofed source address on every packet)

hping3 -S -p 80 --flood --rand-source 192.168.1.148

The alerts can be seen in

tail /var/log/suricata/fast.log
watch -n 5 tail /var/log/suricata/fast.log
03/30/2020-03:34:55.010006  [**] [1:1000001:1] Possible DDoS attack [**] [Classification: (null)]  [Priority: 3] {TCP} 81.62.51.224:60904 -> 192.168.1.148:80
03/30/2020-03:34:56.007899  [**] [1:1000001:1] Possible DDoS attack [**] [Classification: (null)] [Priority: 3] {TCP} 237.104.128.81:19964 -> 192.168.1.148:80
03/30/2020-03:34:57.007973  [**] [1:1000001:1] Possible DDoS attack [**] [Classification: (null)] [Priority: 3] {TCP} 145.248.102.92:44709 -> 192.168.1.148:80
03/30/2020-03:34:58.007980  [**] [1:1000001:1] Possible DDoS attack [**] [Classification: (null)] [Priority: 3] {TCP} 204.51.197.102:3773 -> 192.168.1.148:80
03/30/2020-03:34:59.007818  [**] [1:1000001:1] Possible DDoS attack [**] [Classification: (null)] [Priority: 3] {TCP} 94.209.60.14:28833 -> 192.168.1.148:80
03/30/2020-03:35:00.010719  [**] [1:1000001:1] Possible DDoS attack [**] [Classification: (null)] [Priority: 3] {TCP} 101.90.0.42:53510 -> 192.168.1.148:80
03/30/2020-03:35:01.007911  [**] [1:1000001:1] Possible DDoS attack [**] [Classification: (null)] [Priority: 3] {TCP} 209.155.69.24:12740 -> 192.168.1.148:80
03/30/2020-03:35:02.009702  [**] [1:1000001:1] Possible DDoS attack [**] [Classification: (null)] [Priority: 3] {TCP} 146.152.251.23:37741 -> 192.168.1.148:80
03/30/2020-03:35:03.009742  [**] [1:1000001:1] Possible DDoS attack [**] [Classification: (null)] [Priority: 3] {TCP} 39.113.86.44:62281 -> 192.168.1.148:80
03/30/2020-03:35:04.053830  [**] [1:1000001:1] Possible DDoS attack [**] [Classification: (null)] [Priority: 3] {TCP} 234.214.11.78:22803 -> 192.168.1.148:80
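Reading fast.log by eye works for a test, but the useful checks (how many alerts, how many distinct sources, for how long) are easier to script. The following is an added example written for this page, not part of the original article or of Suricata: a parser for the one-line fast.log format plus an aggregation by destination. The embedded sample lines are copied from the output above, with one constructed line for a hypothetical sid 1000002 and one truncated line to show that malformed input is skipped rather than crashing the parser.

```python
import re
from collections import defaultdict
from datetime import datetime

# Suricata fast.log line: timestamp [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Sample input: five lines from the fast.log output on this page, one constructed line for a
# hypothetical second rule (sid 1000002, not a real rule), and one deliberately truncated line.
SAMPLE_LOG = [
    "03/30/2020-03:34:55.010006  [**] [1:1000001:1] Possible DDoS attack [**] [Classification: (null)]  [Priority: 3] {TCP} 81.62.51.224:60904 -> 192.168.1.148:80",
    "03/30/2020-03:34:56.007899  [**] [1:1000001:1] Possible DDoS attack [**] [Classification: (null)] [Priority: 3] {TCP} 237.104.128.81:19964 -> 192.168.1.148:80",
    "03/30/2020-03:34:57.007973  [**] [1:1000001:1] Possible DDoS attack [**] [Classification: (null)] [Priority: 3] {TCP} 145.248.102.92:44709 -> 192.168.1.148:80",
    "03/30/2020-03:34:58.007980  [**] [1:1000001:1] Possible DDoS attack [**] [Classification: (null)] [Priority: 3] {TCP} 204.51.197.102:3773 -> 192.168.1.148:80",
    "03/30/2020-03:34:59.007818  [**] [1:1000001:1] Possible DDoS attack [**] [Classification: (null)] [Priority: 3] {TCP} 94.209.60.14:28833 -> 192.168.1.148:80",
    "03/30/2020-03:35:05.000000  [**] [1:1000002:1] Test rule (constructed) [**] [Classification: (null)] [Priority: 3] {TCP} 10.0.0.5:4444 -> 192.168.1.148:22",
    "03/30/2020-03:35:06.1 [**] truncated line",
]


def parse_fast_line(line):
    """Return a dict for one fast.log alert line, or None if the line does not match the format."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y-%H:%M:%S.%f")
    for k in ("gid", "sid", "rev", "prio", "sport", "dport"):
        rec[k] = int(rec[k])
    return rec


def summarize(lines, sid=None):
    """Aggregate alerts (optionally only those with a given sid) per destination ip:port.

    Returns (summary, skipped) where skipped counts lines that did not parse.
    """
    per_dst = defaultdict(lambda: {"alerts": 0, "sources": set(), "first": None, "last": None})
    skipped = 0
    for line in lines:
        rec = parse_fast_line(line)
        if rec is None:
            skipped += 1
            continue
        if sid is not None and rec["sid"] != sid:
            continue
        d = per_dst[f'{rec["dst"]}:{rec["dport"]}']
        d["alerts"] += 1
        d["sources"].add(rec["src"])
        d["first"] = rec["ts"] if d["first"] is None else min(d["first"], rec["ts"])
        d["last"] = rec["ts"] if d["last"] is None else max(d["last"], rec["ts"])
    summary = {}
    for key, d in per_dst.items():
        summary[key] = {
            "alerts": d["alerts"],
            "unique_sources": len(d["sources"]),
            "span_seconds": round((d["last"] - d["first"]).total_seconds(), 3),
            # Heuristic: with "seconds 1" each alert stands for one second of flooding; a run of
            # alerts that never repeats a source address is the signature of --rand-source, and
            # means blocking individual source IPs will not help.
            "spoofed_flood_likely": d["alerts"] >= 5 and len(d["sources"]) == d["alerts"],
        }
    return summary, skipped


if __name__ == "__main__":
    summary, skipped = summarize(SAMPLE_LOG, sid=1000001)
    print(f"skipped {skipped} unparseable line(s)")
    for dst, info in summary.items():
        print(dst, info)
```

To run it against a live log, replace SAMPLE_LOG with open("/var/log/suricata/fast.log") and filter on the rule's sid; the same regex also covers other rules' lines, since the fast.log format does not depend on the rule.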

References

Related Links

* Suricata
* Suricata (software)
* Suricata: Instalasi di Ubuntu
* Suricata: Instalasi di Ubuntu 18.04
* Suricata: Konfigurasi Minimal Ubuntu 18.04
* Suricata: Test DDoS Attack
* Suricata: Konfigurasi Dasar
* Suricata: Manajemen Rule dengan Oinkmaster
* Suricata: Instalasi Snorby & barnyard2