Denial of Service (DoS) attack identification and analysis using a sniffing technique in the network environment

Network-based intrusions such as Denial of Service (DoS) attacks have become one of the most significant internet disruptions. Services that rely on the internet, such as banking transactions, education, trade marketing, and social networking, have become the primary targets. The attacker attempts to overwhelm the system and make it difficult to defend. The objective of this research is to recognize the characteristics and level of DoS attacks. To understand the behavior of intruders against a target web server, Wireshark was used to capture all traffic in a networked environment. In this research, the user identifies the attack levels for TCP SYN, UDP, and HTTP protocol floods, ranging from low (Q1) through medium (Q2) to high (Q4). The approach is to simulate TCP, HTTP, and UDP flood attacks and analyze their effects on the network environment. Normal scenarios and attack patterns were compared. In the attack case, the intruder floods the victim with a massive number of unwanted request packets; the SYNs are sent, but the corresponding SYN-ACK replies are not achieved. This paper identifies the DoS attack level and analyzes the behavior of the traffic.


INTRODUCTION
In modern technology, most users depend on the internet to access their information resources instantly, so the network performs a significant function for them [1,2]. Nowadays, network-based attacks have become more adverse and continue to increase in number day by day [3][4][5]. The internet is crucial when users wish to obtain information resources or to communicate among themselves; the internet network allows its customers to use distributed resources for computation. However, implementing security is a major challenge in the development of a network environment [6][7][8]. Various techniques must be implemented immediately to improve reliability and mitigate information system risks in information system technology [9].
The main reasons for security in the network environment are preserving the integrity of data, resource availability, and confidentiality. The network system gives users access to their information resources and communication; therefore, accessibility is essential [10][11][12].
In a generation where technology is dominant, information technology is involved in almost every daily activity to make things more convenient. Therefore, the utilities the internet provides to society have become the main target of trespassers who aim to reduce network performance and service to legitimate users [13]. In the network environment, intruders send an enormous number of unwanted packets to the targeted server and bring down the entire website [14,15]. These attackers and intruders achieve their objective against the organization and website by making network resources unavailable for use [16,17].
Attackers succeed in their mission by sending a massive number of fake packets to the target server. These unwanted flood packets can cause the failure of the network. The attackers consume network bandwidth and CPU usage; as a result, the server cannot serve internet users [18]. In this paper, we identify and analyze DoS attacks using packet sniffing and filtering.

LITERATURE REVIEW
To foresee unwanted problems in the network security environment, especially Denial of Service (DoS), researchers have proposed various methods against those attacks [19]. Kamesh and Sakthi Priya (2012a, 2012b) proposed packet marking methods that are employed to trace such attackers back toward their sources. The packet mark consists of traceback information about a router, embedded in the IP packet properties. In this system, a path identifier was introduced to identify an attacker. The path identifier is used to collect the attack packets and to present a smart solution for measuring protection against future attacks. The effects of an ongoing attack cannot harm the system [22]. The self-learning methods include simple rule-based and simple statistical approaches, which also comprise rule modeling, immune system, neural network-based, and statistical methods.
The proposed method consists of identifying unusual events in time-series data and analyzing packet payloads. Denial of Service (DoS) involves sending multiple requests to a web server, which is considered a collective anomaly [23,24]. Sun et al. (2018) proposed a probabilistic approach to defend against those attacks and applied a prototype system, ZePro, for zero-day attack path identification. A graph of a zero-day attack is essential to capture the malicious packet. An instance graph is first built from the objects involved, and the system then builds a Bayesian network upon that instance graph. The Bayesian network is capable of analyzing the probability of the number of affected objects.
DoS attacks keep growing in this era, and intruders come up with new techniques to reduce the performance of the internet. There are many types of attacks on the internet system; therefore, the methods to avoid, prevent, or detect these attacks must deal with numerous techniques [26].
Gairola and Singh (2016a, 2016b) proposed two ways to identify Denial of Service (DoS) attacks by applying the Cumulative Sum (CUSUM) algorithm. The first technique discovers whether new IPs act as the sources of DDoS attacks by initializing the procedure with a designated monitored IP address. The second technique takes place upon the occurrence of DDoS attacks, and the next step is to find out the actual attackers. [29] proposed a method of preprocessing and covariance analysis (PCA) to partition historical network data. This method can also predict the behavior of future data in the system so as to respond best to predicted attack threats; other techniques were also utilized to predict attacks. Besides, a set of rules was created to anticipate attacks [29].

METHOD
The attacker uses different techniques to flood malicious packets to the targeted web server. In this case, the user used the Low Orbit Ion Cannon (LOIC) DoS attack tool to create attack patterns. This section describes the methods used while conducting the current research. The technique consists of two main phases: data collection, and identification and analysis of an attacker's features. To identify the behavior of attacks, two nodes are used: one acts as the attacker machine, and the other computer acts as the victim, with a tool installed for capturing all network traffic coming into the network environment. The occurrence of malicious traffic decreases network performance and prohibits users from accessing online services. The method captures ongoing packets using packet sniffing, then identifies and analyzes the behaviour of attacks, as explained in the next section.

Data collection
The tool offers a variety of features such as filters, color-coding, and so forth that let the user analyze network traffic and investigate any individual packet. Besides that, this tool gives a simple way to identify the network, its load, frequency, and latency between specific hops. TCP, UDP, and ICMP are likely to be the most common packets on the network system. The data collection phase captures all packets from an attacker, such as UDP and TCP flood traffic, using a packet sniffer. After extracting UDP, HTTP, and TCP from the captured packets, the user identifies the behaviour of the attack patterns. Quartiles are used to identify the level of attacks: the total number of captured packets allows calculating the quartiles Q1, Q2, Q3, and Q4 to identify the level of attacks.

Attacking Scheme
The attacker uses different techniques to flood malicious packets to the targeted web server. Identifying attack signatures is significant, as this permits the user to find a way to detect DoS attacks. The method uses two separate machines, with an attack simulator physically located on one of them. It can perform several attack types on the target machine: one machine is used as the attacker to flood malicious packets to the server machine, where a tool monitors and captures all traffic efficiently in real time. The standard architecture of the DoS attack is displayed in Figure 1.

TCP SYN Flood Packet Attacks
One of the most adverse types of DoS attacks is the TCP SYN flood. When clients and servers need to communicate, they first establish connectivity by performing the three-way handshake "SYN, SYN-ACK, ACK". In this case, the attacker tries to pose as a trusted client, and the server keeps waiting for the acknowledgement until the TCP timeout. These attacks are designed to consume server equipment such as firewalls and communication tools. Figure 2 shows the TCP traffic captured and analyzed using Wireshark. In the packet behavior of TCP flooding (DDoS) attacks, the packets are sent to the victim server. To see the information details of malicious packets, select them from the menu "Statistics" >> "Flow Graph", which shows the packet sequence graphically. This tool permits tracing TCP connections and behavior, as described in Figure 3. In Figure 3, time is in seconds (s), the source IP address is 192.168.1.138, and the source port number is random, from 53861 to 53868. The destination IP address is 192.168.1.198, and the destination port number is 80. Here the source sends the attack packets, which have no fixed port number. The client IP (192.168.1.138) establishes a TCP connection with the IP (192.168.1.198), referred to as the server. Network engineers, through Wireshark traces, can recognize some suspicious downloads (PSH ACK and TCP DUP ACK) as they belong to abnormal packets. For example, an attacker can apply PSH ACK to formulate an attack similar to TCP ACK attacks.
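The SYN/SYN-ACK/ACK imbalance described above can be checked from a trace export rather than by reading the flow graph by eye. The following is an added example, not code from the paper: it walks a constructed, Wireshark-like list of TCP records keyed by the 5-tuple (source IP, source port, destination IP, destination port, flags) and reports, per source, how many SYNs never completed the handshake. The 192.168.1.20 host, the sample flags and the thresholds in flood_sources are assumptions.

```python
"""Count half-open TCP connections per source in a capture.

Each record mimics one row of a Wireshark TCP trace:
(time_s, src_ip, src_port, dst_ip, dst_port, flags). The trace is constructed
for this example and reuses the paper's addresses 192.168.1.138 (client) and
192.168.1.198 (server, port 80).
"""
from collections import defaultdict

SERVER = "192.168.1.198"
ATTACKER = "192.168.1.138"

# Constructed trace: the client opens eight connections from random high ports
# (53861-53868, as in Figure 3) and never sends the final ACK; the server
# answers only the first two SYNs before its backlog fills. A second host
# completes a normal three-way handshake for comparison.
SAMPLE_TRACE = [
    (0.000, ATTACKER, 53861, SERVER, 80, "SYN"),
    (0.001, SERVER, 80, ATTACKER, 53861, "SYN,ACK"),
    (0.002, ATTACKER, 53862, SERVER, 80, "SYN"),
    (0.003, SERVER, 80, ATTACKER, 53862, "SYN,ACK"),
] + [(0.004 + i / 1000, ATTACKER, 53863 + i, SERVER, 80, "SYN") for i in range(6)] + [
    (0.020, "192.168.1.20", 40000, SERVER, 80, "SYN"),
    (0.021, SERVER, 80, "192.168.1.20", 40000, "SYN,ACK"),
    (0.022, "192.168.1.20", 40000, SERVER, 80, "ACK"),
]


def handshake_stats(trace, server=SERVER):
    """Per client IP: SYNs sent, SYN-ACKs received, final ACKs sent, and
    half_open = SYNs for which the client's final ACK never appeared."""
    syn, synack, ack = defaultdict(set), defaultdict(set), defaultdict(set)
    for _t, src, sport, dst, dport, flags in trace:
        if dst == server and flags == "SYN":
            syn[src].add(sport)
        elif src == server and flags == "SYN,ACK":
            synack[dst].add(dport)
        elif dst == server and flags == "ACK":
            ack[src].add(sport)
    return {ip: {"syn": len(p), "syn_ack": len(synack[ip] & p),
                 "ack": len(ack[ip] & p), "half_open": len(p - ack[ip])}
            for ip, p in syn.items()}


def flood_sources(stats, min_syn=5, max_ack_ratio=0.2):
    """Sources with many SYNs whose handshakes rarely complete."""
    return sorted(ip for ip, s in stats.items()
                  if s["syn"] >= min_syn and s["ack"] / s["syn"] <= max_ack_ratio)
```

On a real capture the same records can be produced with tshark's field export and fed to handshake_stats unchanged.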

UDP Flood Attack
The second most popular DDoS attack method is the UDP flood, as it exploits UDP services by flooding malicious packets to ports on the server to determine which ports are exposed as victims. In this method, the user needs to type "UDP" (or another protocol) in the filter zone, and the results are displayed on the user interface. A flood consists of massive volumes of spoofed UDP packets sent to various ports from a single server, and the server responds to all requests with ICMP "destination unreachable" notifications, indicating that the sources are overwhelmed. The captured traffic was analyzed using Wireshark, as seen in Figure 4.

Packet analysis and identification of the length of attacks
After capturing all the packets needed from day one to day three, the user used MS Excel to identify the behavior of the attack patterns; this helps to process and analyze all the packets captured at different times using Wireshark. MS Excel provides excellent information to identify the packets captured in a particular total time and the length of the packets. The impact of attacks is measured by differentiating the attack sizes, either small or big.
All data collected from an attacker was processed using MS Excel by identifying the average of all data to categorize the level of attacks as low, medium, or high, as described in Figure 5. Table 1 describes the times at which the flood packets were collected: Periods (seconds), Length (s), Quartile (s), and Attack levels. Referring to the quartiles and ranges (1, 2, 3, and 4), the user can easily identify the level of attacks as low, medium, or high.
At all levels, the attackers achieve their goals by stopping legitimate users from accessing essential services. The table above illustrates the levels of attacks. Intruders can attack a system using small packets with many loads; these attackers cause the targeted system to consume too much network bandwidth and make services unavailable to legitimate traffic. By analyzing the attack time and length of all data collected over three days, users can identify the level of attacks on the Q1, Q2, and Q4 scale. An attack averaging in Q1 is a low attack, which means its impact does not quickly bring down the server; Q2 is a medium attack, where the attack volume is above Q1; finally, Q4 is higher than the other levels: the attacker sends a huge number of fake packets to the victim server to make resources unavailable to legitimate users.
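As an added example (not the paper's own MS Excel workbook), the quartile classification of capture windows can be reproduced with Python's statistics module. The window labels and byte counts are constructed values, not Table 1, and the treatment of the band between Q2 and Q3 as medium is an assumption, since the paper names only Q1, Q2 and Q4.

```python
"""Classify capture windows into attack levels by quartile of bytes seen.
Stand-in for the MS Excel step described above. Each row is a constructed
capture window (label, period in seconds, total bytes captured); the values
are invented for this example and are not the paper's Table 1.
"""
from statistics import quantiles

# Constructed: eight capture windows taken over three days.
SAMPLE_WINDOWS = [
    ("day1-a", 60, 4200), ("day1-b", 60, 9800), ("day1-c", 60, 15000),
    ("day2-a", 60, 21000), ("day2-b", 60, 27000), ("day2-c", 60, 52000),
    ("day3-a", 60, 88000), ("day3-b", 60, 130000),
]

# The paper maps Q1 -> low, Q2 -> medium, Q4 -> high. It does not name the
# band between Q2 and Q3, so treating that band as medium is an assumption.
LEVEL_BY_BAND = {1: "low", 2: "medium", 3: "medium", 4: "high"}


def quartile_cuts(windows):
    """Return (Q1, Q2, Q3) of the per-window byte counts (inclusive method)."""
    lengths = [length for _label, _period, length in windows]
    q1, q2, q3 = quantiles(lengths, n=4, method="inclusive")
    return q1, q2, q3


def band_of(length, cuts):
    """Quartile band 1..4 that a byte count falls into."""
    q1, q2, q3 = cuts
    if length <= q1:
        return 1
    if length <= q2:
        return 2
    if length <= q3:
        return 3
    return 4


def classify(windows):
    """Map each window label to (bytes per second, band, level)."""
    cuts = quartile_cuts(windows)
    return {label: (length / period, band_of(length, cuts),
                    LEVEL_BY_BAND[band_of(length, cuts)])
            for label, period, length in windows}


if __name__ == "__main__":
    for label, (rate, band, level) in classify(SAMPLE_WINDOWS).items():
        print(f"{label}: {rate:8.1f} B/s  Q{band}  {level}")
```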

Results and Discussion
Nowadays, in the technology world, network security is paramount for people. The network mainly allows users to communicate and access resources easily. All users need the internet to serve as a global information source, so the availability of the internet is crucial. Because of the services it provides to users, the main target of attacks is to make those services unavailable. After an attacker compromises essential services such as email, websites, and other online interactions, users are prevented from having access when a machine or the entire network connection is under sabotage.
Hackers can increase the level of a DoS attack by carrying it out in a distributed manner, called a Distributed Denial of Service (DDoS). In a DDoS attack, a multitude of compromised machines project coordinated strikes against a single victim [30]. An attacker sends different types of attack, whereby multiple UDP and TCP packets of various amounts are sent to the victim's machine at the same time. The tool successfully monitors and captures the network packets sent by the attacker. UDP and TCP flood attacks are considerably faster in exhausting server resources, as they consume all the network bandwidth on the server's network link, denying access to legitimate users.

Conclusion
The availability of the internet is critical as it serves as a global information source for all users; due to those advantages, the internet has become the subject of attackers. One of the key challenges is to identify DoS attacks in the user's network system. In this research, the researcher created DoS attacks using the LOIC tool, whereby attackers flooded unwanted packets to the victim server.
A sniffing technique is used to capture and analyze the DoS attack patterns by sniffing all incoming network traffic sent by attackers to the targeted server, such as TCP, UDP, and HTTP packets. After collecting the patterns, the user identifies the packets and understands the behavior of attackers by comparing them with regular data communication. The user utilizes MS Excel to identify the length of data sent at different times and classifies the attack level using quartiles to measure low, medium, and high attacks.
The first sign of aggressive behavior is when the attack's home base does not care whether a response from the victim is received or not, yet still attacks its target with an abundance of ineffective packets.
Second, an attacker can be identified based on packet headers and contents. In order to identify malicious traffic from its behavior, the receiver first determines where the incoming packet belongs by analyzing its tuple (source IP address, source port number, destination IP address, destination port number).
Generally, the client and web server perform a three-way handshake to establish communication, but when the attacker transfers enormous numbers of TCP and UDP requests to the victim server, the corresponding SYN-ACK replies do not exist, as the flood consumes computer resources.
An attack is mostly intended to stop legitimate users from accessing essential services. The level of attack varies based on its class, ranging over Q1, Q2, and Q4.