A Proactive Framework for Capturing FTP Brute Force and Application Level Flood Attacks


Abstract

Over the last decade, security has become a major priority for network administrators. They dedicate a great deal of time to making sure that each network has the best and latest security patches, firewalls, and intrusion detection systems. Unfortunately, security measures such as firewalls and intrusion detection systems are not as effective as they used to be because they generate large log files. Both techniques suffer from information overload, a problem that can be solved using a honeypot. A honeypot interacts with the attacker and collects data that is then analyzed. Honeypots are resources that attackers target, and when attacked they log data about the attacks. An FTP server can be emulated on the honeypot, and various scans can be run against the emulated service. The IP addresses attempting malicious activity on the FTP service can be caught and their data recorded in the log file. A honeypot is therefore a very good tool for finding the vulnerabilities in a security system that intruders use. This thesis describes the various FTP attacks that were studied and prevented. A honeypot is used to emulate an FTP server, giving the attacker the illusion of an existing FTP server. The brute force attack is the most common attack, and it is implemented using Metasploit. A brute force attack on the FTP server can be prevented by limiting the number of logon attempts that the same IP address can make. On the other hand, if an attacker tries to flood the server with packets, the administrator can be informed of this activity. In the brute force case, Snort, which is an IDS, can be called when the user exceeds the threshold value of failed logon attempts. Snort in turn bars further logon attempts from the same IP address. The stepwise approach to security is the integrated solution adopted in this thesis to learn about attacks and to come up with remedies for them at the earliest.

Description

MT, SMCA
