Rate based IPS for DDoS

Nowadays every organisation is connected to the Internet and more and more of the world population have access to the Internet. The development of Internet permits to simplify the communication between the people. Now it is easy to have a conversation with people from everywhere in the world. This popularity of Internet brings also new threats like viruses, worm, Trojan, or denial of services. Because of this, companies start to develop new security systems, which help in the protection of networks. The most common security tools used by companies or even by personal users at home are firewalls, antivirus and now even Intrusion Detection System (IDS). Nevertheless, this is not enough so a new security system has been created as Intrusion Prevention Systems, which are getting more popular with the time .This could be defining as the blend between a firewall and an IDS. The IPS is using the detection capability of the IDS and the response capability of a firewall. Two main types of IPS exist, Network-based Intrusion Prevention System (NIPS) and Host-based Intrusion Prevention System (HIPS). The thirst should be set-up in front of critical resources as a web server while the second is set-up inside the host and so protect only this host. Different methodologies are used to evaluate IPSs but all of them have been produced by constructors or by organisms specialised in the evaluation of security devices. This means that no standard methodology in the evaluation of IPS exists. The utilisation of such methodology permits to benchmark system in an objective way and so it will be possible to compare the results with other systems. This thesis reviews different evaluation methodologies for IPS. Because of the lack of documentation around them the analysis of IDS evaluation methodology will be also done. This will permit to help in the creation of an IPS evaluation methodology. The evaluation of such security system is vast; this is why this thesis will only focus on a particular type of threat: Distributed Denial of Service (DDoS). The evaluation methodology will be around the capacity of an IPS to handle such threat. The produced methodology is capable of generating realistic background traffic along with attacking traffic, which are DDoS attacks. Four different DDoS attacks will be used to carry out the evaluation of a chosen IPS. The evaluation metrics are the packet lost that will be evaluated on two different ways because of the selected IPS. The other metrics are the time to respond to the attack, the available bandwidth, the latency, the reliability, the CPU load, and memory load. All experiment have been done in a real environment to ensure that the results are the more realistic possible. The selected IPS to carry out the evaluation of the methodology is the most popular and open-source Snort, which has been set-up in a Linux machine. The results shows that system is effective to handle a DDoS attack but when the rate of 6 000 pps of malicious traffic is reach Snort start to dropped malicious and legitimate packets without any differences. It also shows that the IPS could only handle traffic lower than 1Mbps. The conclusion shows that the produces methodology permits to evaluate the mitigation capability of an IPS. The limitations of the methodology are also explained. One of the key limitations is the impossibility to aggregate the background traffic with the attacking traffic. Furthermore, the thesis shows interesting future work that could be done as the automation of the evaluation procedure to simply the evaluation of IPSs.