Protecting energy industry web resources from DoS attacks

This article is devoted to the development of a set of protective measures for detecting and countering DoS (Denial of Service) attacks on web services in the energy industry. The article consists of four sections. In the "Introduction" section, the relevance of the topic is substantiated, which follows from the high importance of uninterrupted operation of enterprises in the energy industry. The "Materials and Methods" section provides a classification of common DoS attacks, algorithms, and recommendations for countering these attacks in energy industry information systems. In the "Results and Discussion" section, the main results of the research are formulated. In the "Conclusion" section, the possibilities for implementing the developed algorithms and the prospects for further work are analyzed.


Introduction
There are many different types of DoS attacks implemented using inter-network communication protocols.
The basic concepts of cybersecurity are availability, integrity, and confidentiality. Denial of service attacks affect the availability of information resources. A denial of service is considered successful if the targeted resource becomes unavailable as a result [1][2][3][4][5][6][7][8][9][10][11][12][13][14][15]. The success of an attack and its impact on the target should be distinguished: the impact is the damage done to the victim, for example when an online store is attacked. A prolonged denial of service can cost the company financial losses; in every case, DoS actions either cause direct harm or create potential threats and risks. Energy facilities are of particular interest to intruders [6][7], since disruption of their operation leads to large-scale destructive consequences. Therefore, the study of applied aspects of protecting the web services of energy industry enterprises is highly relevant.
The simplest form of traffic is an HTTP request. Visitors interact with the site through a browser. The structure of a request is determined by its HTTP headers.
HTTP headers are fields describing the type of resource being requested, such as a URL, a form, or a JPEG image. HTTP headers also tell the web server which browser is making the request.
HTTP(S) GET request: this method lets the client request from the server an image, text, or a file of any format available to the client. The request parameters are carried in the request header itself. The server needs some time to respond to each request. If an attacker sends a large number of such requests to the server, the server eventually stops responding to them for lack of resources. Such an attack is called an HTTP(S) GET flood [12].
An HTTP(S) POST request is a method that transmits data in the request body rather than in the header, as a GET request does. This method is considered more secure and is used to transfer sensitive data or large amounts of data. Requests of this type can be used to mount a DoS attack of the HTTP(S) POST flood type, in which a large number of POST requests are sent to the server from one or more attacking machines [12]. DoS attacks carried out over HTTPS are more effective, since the server must first decrypt the entire request stream, which places an additional load on the victim's server [12].
SYN flood attacks exploit features of the TCP protocol. When establishing a connection, the client sends a SYN packet to the server, to which the server must respond with a SYN-ACK packet and establish the connection. The client then answers the server with an ACK packet. This process is called the three-way handshake. In a SYN flood attack the handshake cannot complete, because the attacker never responds to the victim server's SYN-ACK, and the connection remains half-open until the timeout expires. The connection queue overflows and new clients cannot connect to the server [10,14].
ICMP flood is a DoS attack method that uses ICMP messages to overload the network channel. These attacks aim both to increase the server's computing cost for processing ICMP requests and to saturate the bandwidth with parasitic traffic [11].
Let us look at ways to protect a website from various types of DoS attacks. Countering parasitic traffic during HTTP flood attacks is complicated by the fact that the contents of the packets are not anomalous: the requests are entirely legitimate, they simply arrive in large numbers. If the attack is not distributed and the requests come from a single IP address, an effective countermeasure is to block any IP address whose number of requests exceeds a specified threshold. This can be done manually, or a script can be written that implements this action. The block is performed by executing the following command: iptables -I INPUT -s {ip} -j DROP, where -I inserts the rule at the beginning of the filtering chain; INPUT is the chain for incoming packets; -s is the source (the specified IP address); -j is the action performed on the packets (in our case, drop them without notifying the client).
To counter an HTTP flood attack, a log file analysis algorithm can be implemented. The analysis determines which client suspicious traffic is coming from, and that client is blocked. Figure 1 shows the algorithm for scanning the log file and blocking the client. The algorithm builds a dictionary in which each client IP address is mapped to its number of requests within a given period of time; the count is then compared with an acceptable value, and if the threshold is exceeded, traffic from the corresponding IP address is blocked.
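The Figure 1 algorithm in runnable form, as an added example that is not code from the paper: it parses a constructed combined-format access log, builds the per-address dictionary of requests inside a time window, and returns the paper's iptables block command for every address over the threshold. The sample log lines, the window and threshold values, and the function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def make_line(ip, second, path="/index.html"):
    """Build one constructed Apache/Nginx combined-log line (stand-in for a real access log)."""
    return f'{ip} - - [10/Oct/2023:13:55:{second:02d} +0000] "GET {path} HTTP/1.1" 200 512'

# Constructed sample: one address sends 12 requests in 12 s, two ordinary clients send one
# each, and a malformed line checks that the parser skips what it cannot read.
SAMPLE_LOG = "\n".join(
    [make_line("203.0.113.7", s) for s in range(30, 42)]
    + [make_line("198.51.100.4", 35, "/report"), make_line("198.51.100.9", 40)]
    + ["garbage line of the kind a real log may contain"]
)

def parse_log(text):
    """Yield (client_ip, timestamp) for every well-formed request line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), datetime.strptime(m.group(2), TIME_FMT)

def count_requests(entries, window_seconds):
    """The Fig. 1 dictionary: client IP -> requests within the window ending at the newest entry."""
    entries = list(entries)
    if not entries:
        return {}
    newest = max(ts for _, ts in entries)
    window = timedelta(seconds=window_seconds)
    counts = defaultdict(int)
    for ip, ts in entries:
        if newest - ts <= window:
            counts[ip] += 1
    return dict(counts)

def block_command(ip):
    """The paper's blocking rule as an argv list; returned rather than executed (dry run)."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]

def analyse(text, window_seconds, threshold):
    """Return a block command for every address whose request count exceeds the threshold."""
    counts = count_requests(parse_log(text), window_seconds)
    return [block_command(ip) for ip in sorted(counts) if counts[ip] > threshold]
```

Calling `analyse(SAMPLE_LOG, 60, 10)` yields the single block command for 203.0.113.7; a production script would run the returned argv with subprocess and record the block so it can be lifted later.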
To protect against distributed HTTP flood attacks, a realistic means of protection is the use of cloud services based on artificial intelligence technologies that analyze the context of requests, are able to distinguish real users' traffic from malicious traffic, and block it before it reaches the attacked server.
Protection against SYN flood attacks is performed by two methods: limiting the number of TCP packets from one IP address per unit of time, and filtering by the MSS (maximum segment size) value. The number of TCP packets from one IP address per unit of time is limited by introducing the following filtering rule: iptables -A INPUT -p tcp -m state --state NEW -m recent --update --seconds {time} --hitcount {quantity} -j DROP, where -A appends the rule to the end of the chain; -p is the protocol name; -m loads a match module, followed by its explicit filtering criteria; --state is the connection state; --seconds is the time interval (in seconds); --hitcount is the number of packets; -j is the action taken on the connection. (The recent module's --update only matches addresses already recorded in its list, so this rule is paired with a preceding rule that records new sources with --set.)
Filtering by the MSS value is done by introducing the rule: iptables -t mangle -I PREROUTING -p tcp -m tcp --dport 80 -m state --state NEW -m tcpmss ! --mss 536:65535 -j DROP, where -t is the table; -I inserts the rule at the beginning of the chain; PREROUTING is the chain through which the packet passes; -p is followed by the protocol; -m loads a match module, followed by its explicit filtering criteria; --dport is the destination port; --mss is the range of MSS values (the valid range is 536 to 65535); -j is the action on the packets.
In distributed attacks, SYN cookies can be an effective protection tool. They are especially useful when a SYN flood attack uses spoofing, i.e., replacing the source IP addresses of packets with fictitious ones. This mechanism can be enabled with the command: sysctl -w net.ipv4.tcp_syncookies=1, where sysctl is the utility for reading and changing kernel parameters; -w is the key for writing a value; net.ipv4 is the group of network parameters; tcp_syncookies is the parameter that enables or disables SYN cookies. To protect against ICMP flood attacks, responses to ICMP echo requests can be disabled completely: sysctl -w net.ipv4.icmp_echo_ignore_all=1, where icmp_echo_ignore_all is the parameter that allows or disables responses to echo requests. However, this method reduces the functionality of the server, so temporary blocking of ICMP traffic can be used instead. Figure 2 shows the algorithm for detecting and blocking abnormal ICMP traffic. The algorithm assumes the creation of a separate log file for tracking ICMP requests. If the number of requests per unit of time exceeds the specified threshold value, ICMP traffic is blocked for a specified time interval.
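The Figure 2 algorithm as a small state machine, added here as an example and not code from the paper: it replays a constructed ICMP request log, counts echo requests per unit of time, blocks ICMP when the threshold is exceeded, and lifts the block once the interval has passed. The log format, the threshold, unit and interval values, and the class and function names are assumptions.

```python
import re
from collections import deque
ICMP_RE = re.compile(r"t=([\d.]+) src=(\S+) type=8")   # ICMP type 8 = echo request
# Constructed ICMP log (not the paper's format): epoch seconds and source of each echo request.
SAMPLE_ICMP_LOG = [f"t={100.0 + 0.1 * i:.1f} src=203.0.113.7 type=8" for i in range(6)] + [
    "t=101.0 src=203.0.113.7 type=8",   # arrives while the temporary block is active
    "t=131.0 src=198.51.100.4 type=8",  # arrives after the block interval has expired
]

class IcmpFloodGuard:
    """Fig. 2 as a state machine: count echo requests per unit of time and, when the count
    exceeds the threshold, block ICMP for block_seconds before lifting the block again."""
    def __init__(self, threshold, unit_seconds, block_seconds):
        self.threshold, self.unit, self.block_for = threshold, unit_seconds, block_seconds
        self.recent = deque()       # timestamps of requests inside the current unit of time
        self.blocked_until = None   # time at which the temporary block expires

    def observe(self, ts):
        """Feed one echo-request timestamp; return 'block', 'unblock' or None."""
        action = None
        if self.blocked_until is not None and ts >= self.blocked_until:
            self.blocked_until = None           # interval is over: lift the block
            action = "unblock"
        elif self.blocked_until is not None:
            return None                         # still blocked: the firewall drops it
        self.recent.append(ts)
        while ts - self.recent[0] > self.unit:
            self.recent.popleft()               # slide the window forward
        if len(self.recent) > self.threshold:
            self.blocked_until = ts + self.block_for
            self.recent.clear()
            return "block"
        return action

def command_for(action):
    """The iptables rule implementing a guard action, as argv (returned, not executed here)."""
    flag = "-I" if action == "block" else "-D"
    return ["iptables", flag, "INPUT", "-p", "icmp", "--icmp-type", "echo-request", "-j", "DROP"]

def run(lines, threshold=5, unit_seconds=1.0, block_seconds=30.0):
    """Replay a log through the guard; return the (timestamp, action) events it raised."""
    guard = IcmpFloodGuard(threshold, unit_seconds, block_seconds)
    events = []
    for line in lines:
        m = ICMP_RE.search(line)
        if m:                                   # ignore lines that are not echo requests
            action = guard.observe(float(m.group(1)))
            if action:
                events.append((float(m.group(1)), action))
    return events
```

Here the block is lifted when the next logged packet arrives after the interval; a daemon would instead lift it on a timer so that the rule does not linger on a quiet link.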

Results and discussion
Thus, within the framework of this work, an analysis of typical DoS attacks was carried out and algorithmic support for detecting and countering DoS attacks on a website was developed, which makes it possible to detect HTTP flood and ICMP flood attacks and block malicious traffic. Practical recommendations have also been developed to protect the website from HTTP flood, SYN flood and ICMP flood attacks.

Conclusion
The algorithms and recommendations developed in this work can be implemented as a stand-alone program that protects web services from DoS attacks. These algorithms can also be implemented as part of the hardware and software complex for information security of the energy company's web server.
This algorithmic support has prospects, and in the future its functionality can be extended with additional features.

Fig. 1. Scheme of the algorithm for automatic blocking of IP addresses. The block is performed by executing the command iptables -I INPUT -s {ip} -j DROP.

E3S Web of Conferences 458, 09001 (2023) EMMFT-2023 https://doi.org/10.1051/e3sconf/202345809001

Fig. 2. Scheme of the algorithm for detecting and blocking abnormal ICMP traffic