EVALUATION OF A SERVER UNDER DDOS CYBER ATTACK
PRESENTER: HAOTIAN TANG, SAMAD KOLAHI
Principle - HTTP DDoS
[Diagram: an attacker and control server, a group of bots each sending HTTP flood traffic to the web server, and a legitimate user sending a legitimate request to the same web server.]
Web server cannot respond to the legitimate request.
Statistics
New Zealand:
• The number of cybersecurity events increased from 1,131 to 8,831 between 2017 and 2021 [1]
• New Zealand (CERT NZ): 4,438 DDoS attacks during the third quarter of 2021 [2]
Worldwide:
• Cloudflare: in Q2 2022, application-layer DDoS attacks increased by 72% year-on-year. Most attacks targeted American organisations, then Cyprus, Hong Kong, and mainland China [3]
• DDoS cyber-confrontations in the Russian-Ukrainian War in the first half of 2022. The top five most targeted businesses in Ukraine: publishing, the Internet, online media, and television [3]
Figure 1. The number of Cyber incidents in New Zealand from 2017 to 2021 [1]
Figure 2. Number of DDoS in Q3 2021 [2]
Impact
• Direct financial loss: 5.3 million in 2017, jumping to 14.1 million in 2018, then 16.7 million, 16.9 million, and 16.8 million in 2019, 2020, and 2021, respectively [1]
• On 8 September 2021, ANZ, Kiwibank, NZ Post, MetService and the Ministry for Primary Industries were hit by a DDoS attack; online services were interrupted for half a day [4]
Figure 3. Financial losses caused by cyber security incidents [1]
Testbed settings
• Attacker1: Kali Linux 2022.2, IP 192.168.1.3/24, gateway 192.168.1.1
• Attacker2: Kali Linux 2022.2, IP 192.168.1.4/24, gateway 192.168.1.1
• Attacker3: Kali Linux 2022.2, IP 192.168.1.5/24, gateway 192.168.1.1
• Attacker4: Kali Linux 2022.2, IP 192.168.1.6/24, gateway 192.168.1.1
• PC1 (monitoring and legitimate user): Windows 11, IP 192.168.1.2/24, gateway 192.168.1.1
• Server1 (victim): Ubuntu Linux 22.04 LTS, IP 192.168.2.2/24, gateway 192.168.2.1
• Router: E0 192.168.1.1, E1 192.168.2.1
• Switch
• Monitoring: Wireshark
Performance metrics
• HTTP response time
The time a user's query takes to obtain a response from the server. An essential measure of website performance.
Five components: DNS lookup, connection time, redirection time, first byte, and last byte.
• Request error rate
The proportion of requests with errors in a batch.
An HTTP request is considered an error when the response time is delayed until the timeout.
• CPU utilization
As traffic increases, the number of transactions processed by the web server increases, and CPU utilization increases accordingly.
• Transactions Per Second (TPS)
The number of transactions (requests) processed by the web server per second. Reflects the throughput of the web server.
• HTTP network throughput
Reflects the network traffic sent and received by the client.
As malicious traffic increases, the amount of legitimate traffic sent gradually decreases.
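Added example, not part of the original slides: computing TPS, average response time and request error rate per 6-second interval (the interval width of the result charts) from a monitoring client's request log, then flagging intervals that degrade against the pre-attack baseline. The sample records, the 5000 ms timeout and the function names are assumptions; TPS is simplified to completed requests bucketed by send time.

```python
from collections import defaultdict

WINDOW_S = 6        # interval width used in the result charts
TIMEOUT_MS = 5000   # assumed client timeout; the slides do not state one

# Constructed sample: (send time in s, response time in ms; None = no reply)
SAMPLE = [
    (0.5, 8.0), (1.2, 9.0), (3.9, 9.0), (5.1, 9.0),
    (6.4, 15.6), (8.0, 17.3), (11.7, 27.3),
    (12.3, 293.8), (14.0, None), (17.5, 98.5),
]

def window_metrics(records, window_s=WINDOW_S, timeout_ms=TIMEOUT_MS):
    """Per-window TPS, average response time and request error rate."""
    buckets = defaultdict(list)
    for sent_s, rt_ms in records:
        buckets[int(sent_s // window_s)].append(rt_ms)
    metrics = {}
    for idx in sorted(buckets):
        rts = buckets[idx]
        # A request that reaches the timeout (or never returns) is an error.
        ok = [rt for rt in rts if rt is not None and rt < timeout_ms]
        metrics[f"{idx * window_s}-{(idx + 1) * window_s}s"] = {
            "tps": len(ok) / window_s,
            "avg_response_ms": sum(ok) / len(ok) if ok else None,
            "error_rate": (len(rts) - len(ok)) / len(rts),
        }
    return metrics

def degraded_windows(metrics, baseline, max_tps_drop=0.4, max_error_rate=0.0):
    """Windows whose TPS fell more than max_tps_drop below the baseline
    window, or whose error rate exceeds max_error_rate."""
    floor = metrics[baseline]["tps"] * (1 - max_tps_drop)
    return [w for w, m in metrics.items()
            if w != baseline
            and (m["tps"] < floor or m["error_rate"] > max_error_rate)]

if __name__ == "__main__":
    m = window_metrics(SAMPLE)
    for window, values in m.items():
        print(window, values)
    print("degraded:", degraded_windows(m, "0-6s"))
```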
Result - TPS
[Chart: Transactions Per Second (Before/During Attack, 2000 Threads and 200/600 Multiplication). X axis: time in seconds (0-6s, 6-12s, 12-18s, 18-24s, 24-30s, after 30s). Y axis: TPS, 0 to 12000. Series: Before Attack; Under Attack (2000 Threads and 200 Multiplication) for 1 Attacker; Under Attack (2000 Threads and 200 Multiplication) for 4 Attackers; Under Attack (2000 Threads and 600 Multiplication) for 1 Attacker; Under Attack (2000 Threads and 600 Multiplication) for 4 Attackers.]
Result - Response time
[Chart: Average Response Time (Before/During Attack, 2000 Threads and 200/600 Multiplication). X axis: time in seconds (0-6s, 6-12s, 12-18s, 18-24s, 24-30s, after 30s). Y axis: average response time in ms, 1.00 to 100000.00. Series: Before Attack; Under Attack (2000 Threads and 200 Multiplication) for 1 Attacker; Under Attack (2000 Threads and 200 Multiplication) for 4 Attackers; Under Attack (2000 Threads and 600 Multiplication) for 1 Attacker; Under Attack (2000 Threads and 600 Multiplication) for 4 Attackers.]
References
[1] CERT NZ, "CERT NZ 2021 Summary," 2021. [Online]. Available: https://www.cert.govt.nz/assets/Uploads/Quarterly-report/2021-q4/Annual-report/cert-nz-2021-summary.pdf. [Accessed 27 November 2022].
[2] CERT NZ, "Quarter Three Report 2021," CERT NZ, 2021. [Online]. Available: https://www.cert.govt.nz/about/quarterly-report/quarter-three-report-2021/. [Accessed 15 November 2022].
[3] O. Yoachimik, "DDoS attack trends for 2022 Q2," Cloudflare, 7 July 2022. [Online]. Available: https://blog.cloudflare.com/ddos-attack-trends-for-2022-q2/. [Accessed 14 November 2022].
[4] S. Edmunds, E. Taunton and T. Pullar-Strecker, "Government still gauging impact of Wednesday's denial-of-service attacks," Stuff, 8 September 2021. [Online]. Available: https://www.stuff.co.nz/business/300402182/government-still-gauging-impact-of-wednesdays-denialofservice-attacks. [Accessed 24 May 2022].