Z1. Journal
Abstract (translated from Indonesian)
The Sumedang City Office of Communications, Informatics, Encryption and Statistics (Diskominfo) is a public service organization responsible for data and for the communication network that connects all government institutions, such as villages (kelurahan), sub-districts (kecamatan) and offices, to the Diskominfo Sumedang server. The server's task is to serve all network devices, protect systems and data, and improve the quality of network security. In view of this, a system is needed that can detect and block malware attempting to enter the Diskominfo Sumedang server network. This Final Project designs a system that implements the Maltrail (Malware Trail) sensor and Fail2Ban to detect and prevent malware attacks on the Diskominfo Sumedang server network, with push notifications, as an alternative solution to this problem. The software used for detection is Maltrail, which works as a sensor that scans all traffic activity on the server network. The software used to block or prevent malware attacks is Fail2Ban. The system uses a Telegram bot for push notifications whenever a malware attack on the server occurs. In the malware tests on the server, throughput decreased by 56.28%; the implemented system was able to detect and block malware traffic on the network. The system was also able to detect an attack other than malware, namely port scanning, with a threat level of 2.7%. The system is thus able to minimize the threat of attacks and to increase the throughput of the Diskominfo Sumedang server network, as shown by comparing malware traffic before and after the system was applied.
Abstract
Diskominfo Sumedang is a public service organization that is responsible for data and
communications that connect all government institutions, such as sub-districts and offices, that
are connected to the Diskominfo Sumedang server. The server's job is to serve all devices
connected to the network, such as monitoring all network security activity, system protection,
data, and improving network security quality. Seeing this basic need of Diskominfo
Sumedang, we need a system that can detect and block malware that tries to enter the server
network at Diskominfo Sumedang. In this final project, a Maltrail (Malware Trail) sensor and Fail2Ban
1. INTRODUCTION
Figure 2 shows the system flow. A condition log report is produced every hour: if the clock shows the turn of
the hour (minute 0), the system prints a monitoring result report. If not, the system proceeds
to the next stage, namely the change of day.
1. At the change of day, the system updates the repository. Otherwise, the Maltrail system performs its main
task of monitoring every data packet that passes through the network.
2. Then, if the Maltrail system detects a malware packet, Maltrail records it in the form of
a log and sends the log to the Fail2Ban system, which acts on it using the IP address blocking
method. The IP address associated with the malware is then reported to the administrator via
Telegram.
3. Next, if the server is still active, the system will loop or return to the initial stage, namely
checking the clock on the server. Meanwhile, if the server is disabled, the system will
automatically shut down.
Referring to Tables 1 and 2, malware testing was carried out by browsing to these
domains. As a result, the domains morphed.ru, trololo.cu.cc, hhgg3.com and fqbtpehkp.org were
flagged as suspicious and detected as malware, while the site facebook.com was judged safe and not
detected as malware. For the DDoS attack tests, port scanning and SYN flooding were carried
out to find out whether the system can detect and block attacks other than malware, the aim being to
make the most of the system in preventing suspicious activity from entering the server. This is consistent with the
Maltrail report in Figure 7.
Figure 9 is the blocking report produced by Fail2Ban and sent to the administrator via Telegram.
As Figure 9 shows, the ban report is sent with a banning time of 180 seconds, or 3
minutes. The results of the ban are also reported to the administrator through the Telegram bot in real time,
and once a banned IP address has served its 180 seconds, Fail2Ban automatically unbans
it.
Figure 11 is the result of port scanning that was successfully detected by the Maltrail
sensor with an attack intensity of 2.7%, but failed to be blocked by Fail2Ban because of the low
threat level.
Figure 13 is an initial view of Wireshark to capture traffic data packets on the server
which is used to measure the results and analysis of malware testing to analyze network
performance. This measurement needs to be done to determine the traffic intensity on the server
when capturing data packets that are indicated as malware.
$$\text{Throughput Decrease} = \frac{(2821+7080+6167+4339+5758)-(4118+10000+9787+8324+7886)}{(2821+7080+6167+4339+5758)} \times 100\% = 53.32\%$$
The first scenario was carried out to determine whether Maltrail and Fail2Ban
were able to prevent malware data packets on the server by measuring throughput in
bits per second (bit/s, reported here in kbps). A comparison is made between abnormal
traffic and traffic with the Maltrail and Fail2Ban systems applied. Tables 3, 4,
5 and 6 give the results of the throughput comparison before and after the
implementation of the prevention system.
$$\text{Throughput Decrease} = \frac{(8816+6903+5632+5933+4512)-(11000+7062+8557+7770+5891)}{(8816+6903+5632+5933+4512)} \times 100\% = 26.68\%$$
For all malware types tested, each experiment follows the same pattern:
10–50 attacks without the Maltrail and Fail2Ban systems, after which the experiments are
repeated with Maltrail and Fail2Ban applied.
$$\text{Throughput Decrease} = \frac{(4048+6039+5274+6209+4679)-(4873+8266+8684+10000+9198)}{(4048+6039+5274+6209+4679)} \times 100\% = 56.28\%$$
$$\text{Throughput Decrease} = \frac{(4089+4862+4985+3486+4069)-(12000+8523+6991+7031+6683)}{(4089+4862+4985+3486+4069)} \times 100\% = 52.13\%$$
[Figure residue: two throughput charts, y-axis 0 to 6000 (kbps), x-axis "Pengujian" (test) 1 to 5]
Figure 16 shows a comparison of the average throughput for five traffic states on a
network under Andromeda malware attacks. Andromeda has trojan-like capabilities: it is able to
download other types of malware from the control server side and has a high threat level.
This results in a significant decrease in throughput on the server network.
[Figure residue: two throughput charts, y-axis 0 to 6000 and 0 to 10000 (kbps), x-axis "Pengujian" (test) 1 to 5]
Table 7 shows a comparison of CPU utilization without using Maltrail and Fail2Ban,
aiming to find out whether the system is able to reduce the impact of attacks on CPU usage on
the server.
Table 8 shows a comparison of CPU utilization when using Maltrail and Fail2Ban. It can be
seen in the table that the system is able to reduce the impact of attacks on CPU usage on
the server.
Table 9 shows the comparison of CPU utilization under attacks other than
malware: CPU utilization keeps rising to 100% when an attack with a very high
threat level occurs.
Table 10 gives the percentage decrease in throughput caused by malware on the server network; the
largest decrease in throughput is 56.28%, while the malware type with the smallest effect produced a
throughput decrease of 26.68%. A decrease in throughput of such a large percentage causes congestion in
network traffic. The implementation of the Maltrail and Fail2Ban systems is able
to minimize malware attacks, as shown by comparing the throughput values before and after
system implementation.
Table 11 summarizes the results of monitoring and securing the server against
3 types of attacks. Of the three attacks, the Maltrail system only managed to detect port scanning, and
Fail2Ban did not block it because the attack rate was quite low.
4. CONCLUSION
Based on the results of the design, testing and analysis that have been carried out, the following
conclusions can be drawn:
1. Based on the results of functionality testing of the features of the implemented system,
such as displaying graphs, malware logs and printing monitoring data results, the Maltrail
and Fail2Ban systems succeeded in detecting and blocking malware
attacks. It can be concluded that all functions are 100% running well, as they should.
2. From the results of testing the attack categories other than malware, the results of the DDoS
attack test are 0% and SYN flooding 0%, while the Maltrail system successfully detects port
scanning with a threat level of 2.7%. The Maltrail software is currently unable to detect attacks
other than malware, such as DDoS attacks and SYN flooding.
3. Based on the results and analysis of the measurement of malware traffic intensity on
the server network, the largest throughput decline, for the shadowserver sinkhole malware
type, reached 56.28%, while the malware with the lowest value
obtained 26.8%. These results show that malware considerably decreases the traffic throughput
value, but the implementation of the Maltrail
and Fail2Ban systems succeeded in preventing attacks, as shown by comparing throughput
values before and after system implementation. So the system increases the security and
network throughput of the server.