Simulating DoS Attacks for Log Generation - jastit00/IT-Sec-Projekt GitHub Wiki

Author: Vincent K

This article describes how a Denial-of-Service (DoS) attack was simulated in a controlled environment using the IRF1401 firewall to generate realistic audit log files for testing the backend's incident detection functionality.

Purpose

The simulation was designed to:

  • Generate log entries that mimic DoS attack patterns.
  • Validate the detection logic of the backend system under realistic traffic conditions.

Firewall Configuration

A packet filter was configured on the IRF1401 firewall with Audit-Log enabled for all packets passing through the firewall. This ensured that both legitimate and malicious traffic were recorded in the audit logs.

Here is the IP configuration of the LAN and WAN interfaces on the firewall:

And here is a screenshot of the configured packet filter rule:

Traffic Simulation

SYN Flood

The DoS attack was simulated using hping3 from a separate host. The command sent a SYN flood to overwhelm the target service:

sudo hping3 -S --flood -p 80 TARGET_IP
  • -S: Send SYN packets.
  • --flood: Send packets as fast as possible.
  • -p 80: Target port 80 (HTTP).
  • TARGET_IP: IP address of the machine behind the firewall.

HTTP Request Flood

To simulate legitimate high-volume HTTP traffic, ApacheBench (ab) was also used to send HTTP requests to the target:

ab -n 10000 http://TARGET_IP:8000/
  • -n 10000: Number of requests to perform.
  • TARGET_IP:8000: Address and port of the HTTP server.

Target HTTP Server

A simple HTTP server (Flask + Waitress) was running on the target machine:

from flask import Flask
app = Flask(__name__)

@app.route('/')
def index():
    return "test"

if __name__ == '__main__':
    from waitress import serve
    serve(app, host='0.0.0.0', port=8000)

Traffic Statistics

The following shows the traffic statistics on the WAN interface during the simulation:

Setup Diagram

Here is the diagram of the simplified setup:


Produced Example Log File

The following are example entries from the generated audit log file during the simulation:

...
type=NETFILTER_PKT msg=audit(1747246515.310:49415): mark=0x0 saddr=172.16.0.2 daddr=192.168.0.88 proto=6
type=NETFILTER_PKT msg=audit(1747246515.310:49416): mark=0x0 saddr=172.16.0.2 daddr=192.168.0.88 proto=6
type=NETFILTER_PKT msg=audit(1747246515.310:49457): mark=0x0 saddr=172.16.0.2 daddr=192.168.0.88 proto=6
...
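As an added example (not part of the original wiki page or the project's backend), the following parses NETFILTER_PKT lines in the format shown above and applies a sliding-window check that flags a source sending many TCP packets to one destination within a second. The sample lines are constructed in the page's format, and the threshold of 100 packets per second is an assumption.

```python
import re
from collections import defaultdict

# Regex for the NETFILTER_PKT lines shown above (assumes the field order in this page's sample).
AUDIT_RE = re.compile(
    r"type=NETFILTER_PKT msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):"
    r".*?\bsaddr=(?P<saddr>\S+)\s+daddr=(?P<daddr>\S+)\s+proto=(?P<proto>\d+)"
)

def parse_audit_line(line):
    """Return a dict of the fields, or None for lines that are not NETFILTER_PKT records."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    return {"ts": float(m["ts"]), "serial": int(m["serial"]),
            "saddr": m["saddr"], "daddr": m["daddr"], "proto": int(m["proto"])}

def detect_floods(lines, window=1.0, threshold=100):
    """Flag (saddr, daddr) pairs whose TCP packet count within any `window`
    seconds reaches `threshold`; returns {pair: peak_count}."""
    per_pair = defaultdict(list)
    for line in lines:
        rec = parse_audit_line(line)
        if rec and rec["proto"] == 6:            # TCP only, as in the SYN flood above
            per_pair[(rec["saddr"], rec["daddr"])].append(rec["ts"])
    alerts = {}
    for pair, stamps in per_pair.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[pair] = peak
    return alerts

def make_line(ts, serial, saddr, daddr="192.168.0.88", proto=6):
    """Build a constructed audit line in the page's format (sample data, not a real capture)."""
    return (f"type=NETFILTER_PKT msg=audit({ts:.3f}:{serial}): mark=0x0 "
            f"saddr={saddr} daddr={daddr} proto={proto}")

# Constructed sample: 150 packets from one host within 0.3 s (flood-like) plus 5 packets
# from another host spread over 10 s (normal), starting at the timestamp seen above.
BASE = 1747246515.310
SAMPLE_LINES = [make_line(BASE + i * 0.002, 49415 + i, "172.16.0.2") for i in range(150)]
SAMPLE_LINES += [make_line(BASE + i * 2.0, 50000 + i, "172.16.0.3") for i in range(5)]
SAMPLE_LINES.append("type=SYSCALL msg=audit(1747246515.400:50100): arch=c000003e")  # ignored

if __name__ == "__main__":
    for (saddr, daddr), n in detect_floods(SAMPLE_LINES).items():
        print(f"possible flood: {saddr} -> {daddr}, {n} TCP packets within 1 s")
```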