Enhancing Network Security: Wireshark-Based Anomaly Detection for Flooding Attacks (2018)

This dissertation aims to explore the capabilities of Wireshark in identifying network flooding attacks. Wireshark employs anomaly detection technologies within its packet analyzer to detect flooding attacks, characterized as assault techniques on computer networks. In such attacks, assailants send various surges to users or administrators, intending to disrupt the network framework. Types of flooding assaults include UDP surges, ping surges, and Syn surges.

Various challenges are associated with ping surge scenarios, utilizing ping commands to operate the framework, and the delivery of Wireshark. This includes establishing a casualty that quantifies the number of ping parcels received within a predefined time period associated with the flooding attack under study. The TCP SYN flood, commonly known as a Distributed Denial of Service (DDoS) attack, exploits the standard three-way handshake of TCP, consuming all resources of the target server and rendering it unresponsive.

In flooding attacks, the three-way handshake mechanism of TCP is exploited, leading to limitations in maintaining half-open connections. When a server receives a SYN request, it responds with a SYN/ACK packet (known as SYN acknowledgement) to the client. The connection remains in a half-open state until the client acknowledges the SYN/ACK packet, or the TCP connection times out, usually lasting for 75 seconds. Each server has a finite-size backlog queue in its system memory to maintain these half-open connections. However, when the backlog queue is full, all connections are dropped.

Dissertation objectives

To ascertain the types of flooding attacks that are possible for online attack
To investigate all such issues that leads to detection of flooding attack
To study the attack detection technique of flooding attack
To evaluate the attack detection methodology for the anomaly detection
To study the characteristics of the Wireshark application in detecting flooding attacks

10,000 words – 48 pages in length
Excellent use of literature
Good analysis of subject area
Well written throughout
Ideal for network and cyber security students

1 – Introduction
Background Study
Scope of the Research
Aim of the Research
Objective of the Research
Research Questions

2 – Literature Review
Feature of Flood Detection System
Different Flooding attacks
UDP Flood
ICMP Flood (Ping)
SYN Flood
Ping of Death (POD)
Slowloris
NTP Amplification
HTTP Flood
Issues that are related with the Flooding Detection
Packet Classification
Placement of Detection Mechanism
Discrepancy between SYNs and FINs
Introduction of Wireshark

3 – Data Evaluation
Using of Wireshark
Process to Download and Install Wireshark
Process to Capture Data Packets
To View and Analyze Packet Contents
Color Rules of Wireshark
Simulation of the Network Attack and using Wireshark for its Detection
Command used for scanning the active host in the network
Open ports of the targeted host is scanned using the following command
For finding the service running on the port the following command is used
In the next step the metasploitable console is started using the following command
Brute Force attack using File Transfer protocol
Tools used for simulating the attack
MAC flooding
Summary

4 – Conclusion and Recommendation
Conclusion
Linking with the Objective
Recommendations

References