The Analysis of Web Server Security For Multiple Attacks in The Tic Timor IP Network

Current technology is changing rapidly. With the significant growth of Internet technology, cyber threats are becoming a challenge for IT professionals in companies and organisations who must guard their systems, especially when hacking tools and instructions are freely available on the Internet for beginners to learn how to hack, for example to steal data and information. The location of the testing was TIC Timor IP. This research was intended to build a security system on the server using rules written for Snort, whose function is to send a message or warning to the network administrator so that the user can identify an attack. The rules written for Snort can detect an attack and display an alert. For the TCP protocol, 764 Mb of memory was used with a total of 4099 attacks. For UDP flooding, 9140 Mb of memory was used with 1310 attacks. For the ICMP flooding protocol there were 305864 attacks, using 5808 Mb of memory.


INTRODUCTION
The network security system is an important aspect of an organisation or company. The availability of free tools and applications in the cyber world has made it easier for almost any beginner to start an attack such as stealing data, brute-forcing a password or performing a DDoS attack. As a result, attacks and threats keep increasing these days [1]. Some firewalls are unable to provide security around the whole network perimeter, and some only detect attacks that come from external networks. As a result, IDS tools exist to maximize the security of the network perimeter [2]. Building an IDS that monitors the web server's network traffic with Snort rules can warn the network administrator so that further action can be taken [3]. The effectiveness of Snort in detecting attacks is measured by the alerts generated by the implemented rules [4]. Suricata, an open-source intrusion detection system (IDS) and intrusion prevention system (IPS), can be deployed on web and database servers to detect port scanning and brute-force attacks. It is a free application and a sufficient tool to help network administrators take preventive actions against these attacks [5]. An IDS and IPS is a primary requirement for securing a network system from threats, and it also helps administrators monitor and analyze anomalous packets in the network traffic. An IDS is a security system that is able to monitor and analyze incoming network traffic as well as traffic originating from the inside [6].
TIC Timor IP is a public institution that operates and runs the government's data center. Because the office was newly established, a security system such as a snort-based IDS had not yet been set up to protect the servers. It is therefore essential to safeguard TIC Timor IP's confidential data and to protect its network from inside and outside threats. A security system also depends on how fast responses and changes are made during an attack. The snort-based IDS has been used by many organizations around the world to detect intrusions, and most importantly it has the capability to respond quickly when an attack takes place.

METHODS
This chapter explains the steps carried out in testing attack detection. It consists of the system design analysis route, the topology design and the rule implementation. Snort is the tool used in this project to identify attacks and collect data in the form of log files [7]. Network topology is the arrangement of network elements in a certain structure to define various types of telecommunication networks, including computer networks. An IDS is a sensor device or a network application that monitors traffic for malicious or unwanted activities happening within a network [8]. It typically reports any intrusion activity to the network administrator or collects the information centrally in a security management system [9].

System Analysis
This section describes the flow of the system analysis activities in this report. The flow diagram analyzes the performance of the network-based Snort deployment according to the standard. The process of designing the attack detection system and the data analysis system can be seen in Figure 1. Figure 1 shows how Snort detects attacks. The incoming attack is detected by Snort; the log file is then collected and saved into the database by barnyard2. The alerts are displayed in the Basic Analysis and Security Engine (BASE), a web-based tool, and the logs are then analyzed accordingly.

Network Simulation Design
This research experiment was conducted at the TIC Timor IP premises, which are part of the government's data center. The current network topology in TIC Timor IP has 2 routers and 4 firewalls. The current network topology in TIC Timor IP is shown in Figure 2. A further diagram is intended to make the attack architecture clearer. In this architecture, an attacker carries out an attack on the server. The attacker sends attack packets through the Internet, which is connected directly to the router, and on to the firewalls. From the firewall, the attack packets are passed to the multilayer switch. The switch is configured with trunking and passes the traffic to Snort. Snort analyzes each packet to decide whether it is an attack or not. When a packet is classified as an attack, Snort gives a warning that the packet is an attack. When the packet is not an attack, it is passed to the server.

Snort Configuration
After the installation phase, Snort needs to be configured so that it runs as expected. There are basic settings that must be configured for the application to run as desired. One important file that needs to be configured is snort.conf, as shown below:

Configuration Rules
Snort utilizes rules to carefully examine all the packets that pass through the network traffic. A rule has two parts, the rule header and the rule options. The rule header includes the action, the protocol (for example ICMP), the source IP address, the destination IP address and the destination ports, while the options consist of the message option, reference, classification type and others. An example of the rules can be seen in Figure 4 below.
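As an added illustration of the header/option structure just described (example code written for this edit, not the paper's own rules or software), the Python below parses three constructed Snort rules that use the detection_filter option so that ICMP, UDP and TCP floods only raise an alert once a single source exceeds a packet rate; the thresholds and SIDs are placeholder values, not tuned figures.

```python
import re

# Constructed Snort rules for this example (not the rules used in the paper).
# Each has the header "action proto src_ip src_port direction dst_ip dst_port" followed
# by options in parentheses. detection_filter makes the rule fire only after one source
# sends more than `count` matching packets within `seconds`, which separates a flood
# from ordinary traffic. Thresholds and SIDs are placeholders.
SAMPLE_RULES = """
alert icmp any any -> $HOME_NET any (msg:"ICMP flood detected"; detection_filter:track by_src, count 100, seconds 1; classtype:attempted-dos; sid:1000001; rev:1;)
alert udp any any -> $HOME_NET 80 (msg:"UDP flood to web server"; detection_filter:track by_src, count 500, seconds 5; classtype:attempted-dos; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"TCP SYN flood to web server"; flags:S; detection_filter:track by_src, count 200, seconds 1; classtype:attempted-dos; sid:1000003; rev:1;)
"""

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
HEADER_FIELDS = ("action", "proto", "src", "sport", "direction", "dst", "dport")


def parse_rule(line):
    """Split one rule into its header fields and an option dictionary."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a Snort rule: " + line)
    rule = {k: m.group(k) for k in HEADER_FIELDS}
    options = {}
    # Options are "key:value;" pairs; this simple split assumes no ';' inside the quoted msg.
    for opt in m.group("opts").split(";"):
        opt = opt.strip()
        if opt:
            key, _, value = opt.partition(":")
            options[key.strip()] = value.strip().strip('"')
    rule["options"] = options
    return rule


def parse_rules(text):
    """Parse every non-empty, non-comment line of a rules file."""
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def check_rule(rule):
    """Return the problems an administrator would want fixed before loading the rule."""
    problems, opts = [], rule["options"]
    if "sid" not in opts or not opts["sid"].isdigit():
        problems.append("missing or non-numeric sid")
    if "msg" not in opts:
        problems.append("missing msg, alert would be unlabelled")
    if rule["action"] not in ("alert", "log", "pass", "drop", "reject", "sdrop"):
        problems.append("unknown action " + rule["action"])
    if rule["proto"] not in ("tcp", "udp", "icmp", "ip"):
        problems.append("unknown protocol " + rule["proto"])
    return problems
```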

System Analysis Testing

IP Scanning Testing
The first attack experiment uses Angry IP Scanner to scan for active IP addresses. The scan displays all active IP addresses in blue, as shown in the figure below. Before an attack is carried out against a webserver, it is essential to find out which IP addresses are currently active and which are inactive. Figure 6 shows the result of the Angry IP Scanner.

Figure 5. Process of Scanning IP Address

Port Scanning Testing
The next step is port scanning, which uses the Zenmap application. It aims to obtain information on the active ports. After learning which IP addresses on the network are active, the next phase is to look for open ports, as shown in Figure 6. The port scan using Nmap ends automatically as soon as the port information has been captured. The snort-based rules can also be configured to detect port scanning attacks, as shown in Figure 7.

UDP Flooding Testing
After obtaining the active IP addresses, the next step is to launch attacks on the webserver. This attack is performed using ping flooding. The figure below shows the UDP flooding attack experiment on the webserver, directed to the IP address 192.168.20.101, as shown in Figure 8. Figure 9 is an experiment of a UDP flooding attack in which packets are sent simultaneously to port 80 with 40 threads and 19320 requests. This UDP flooding attack results in overloaded traffic on the target computer, as shown in Figure 9. In this experiment, the snort intrusion detection system detects the attack and sends a warning to the administrator, as shown in Figure 10.

TCP Flooding Testing
The second experiment was performed using the TCP flooding attack. This attack was carried out on the webserver, directed to port 80 with 40 threads of packets. The screenshot of the TCP flooding attack can be seen in Figure 11.

Ping of Death Testing
In this section, the attacker uses the ICMP ping method on the terminal. This attack was carried out from 2 (two) terminals by sending large packets simultaneously. The attack is shown in Figure 14. Then, while the attack takes place on the target IP address, the suspicious activities are captured by the snort IDS server, which has been configured to monitor the indicated IP address, as shown in Figure 15.

Results System
The results of the penetration testing conducted on the TIC Timor IP network can be summarized as follows. The results of the attacks on the TIC Timor IP network can be seen in Figure 18.
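The per-protocol attack counts reported in this paper come from the alerts Snort logs during the floods. As an added example (not from the paper or its software), the Python below parses constructed lines in Snort's alert_fast output format and tabulates alerts per protocol, per rule and per source address, the kind of aggregation that BASE presents to the administrator.

```python
import re
from collections import Counter

# Constructed alert lines in Snort's alert_fast output format (not taken from the paper's logs).
# Fields: timestamp, [gid:sid:rev], rule msg, classification, priority, {protocol}, src -> dst.
SAMPLE_ALERTS = """\
03/15-10:22:31.100001  [**] [1:1000001:1] ICMP flood detected [**] [Classification: Attempted Denial of Service] [Priority: 2] {ICMP} 192.168.20.50 -> 192.168.20.101
03/15-10:22:31.100342  [**] [1:1000001:1] ICMP flood detected [**] [Classification: Attempted Denial of Service] [Priority: 2] {ICMP} 192.168.20.50 -> 192.168.20.101
03/15-10:22:32.004100  [**] [1:1000002:1] UDP flood to web server [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 192.168.20.77:51234 -> 192.168.20.101:80
03/15-10:22:33.220000  [**] [1:1000003:1] TCP SYN flood to web server [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 192.168.20.77:40001 -> 192.168.20.101:80
03/15-10:22:33.220900  [**] [1:1000003:1] TCP SYN flood to web server [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 192.168.20.77:40002 -> 192.168.20.101:80
"""

# ICMP alerts carry bare addresses; TCP/UDP alerts carry address:port, so ports are optional.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line):
    """Return the fields of one alert_fast line as a dictionary (dport is None for ICMP)."""
    m = ALERT_RE.match(line)
    if not m:
        raise ValueError("unrecognised alert line: " + line)
    return m.groupdict()


def summarize(text):
    """Count alerts per protocol, per rule and per source address, as BASE tabulates them."""
    by_proto, by_rule, by_source = Counter(), Counter(), Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        a = parse_alert(line)
        by_proto[a["proto"]] += 1
        by_rule[(a["sid"], a["msg"])] += 1
        by_source[a["src"]] += 1
    return {"total": sum(by_proto.values()), "by_proto": dict(by_proto),
            "by_rule": dict(by_rule), "by_source": dict(by_source)}


def noisiest_source(summary):
    """Source address with the most alerts, the first host an administrator would investigate."""
    src, n = max(summary["by_source"].items(), key=lambda kv: kv[1])
    return src, n
```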

Advantages and Disadvantages
The advantage of the IDS experiment is that detection of these attacks can be carried out through several processes within the IDS implementation. The IDS system proved capable of detecting and capturing all the network attacks, functioning as a sensor for the events that occur within the network. However, all these experiments have only been conducted on a simulation system.

CONCLUSIONS
Based on the experiment results at TIC Timor IP with the snort-based intrusion detection system (IDS) method, it is beneficial to implement the traffic rules to generate log files. The findings of the research can be summarized as follows:
1. A security system on the server with rules written for Snort can detect DoS attacks such as TCP flooding, UDP flooding and ICMP flooding.
2. The attack on the TCP protocol used 764 Mb of memory with 4099 attacks. The attack on the UDP flooding protocol used 9140 Mb of memory with a total of 1310 attacks, and for the ICMP flooding protocol attack there were 305864 attacks using 5808 Mb of memory.