
2016 International Conference on Information, Communication Technology and System

The Impact Analysis of DDoS Attacks on Government Electronic Procurement Service (LPSE) and Mitigating DDoS Attacks Using Intrusion Detection System and Honeypot

Salman Akbar (1), Endroyono (2), Adhi Dharma Wibawa (3)

(1) Department of Electrical Engineering, Institute of Technology Sepuluh Nopember, Surabaya, Indonesia (E-mail: salman14[at]mhs.ee.its.ac.id)
(2) Department of Electrical Engineering, Institute of Technology Sepuluh Nopember, Surabaya, Indonesia (E-mail: endroyono[at]ee.its.ac.id)
(3) Department of Multimedia and Network Engineering, Institute of Technology Sepuluh Nopember, Surabaya, Indonesia (E-mail: adhiosa[at]te.its.ac.id)

Abstract: The Internet has become increasingly important to current society; it has changed our way of communication and our business models. The Electronic Procurement Service for government agencies, called LPSE, has become a very important part of central and local government agencies. For an agency, LPSE can be regarded as one of its most important assets in the process of regional development. As such an asset, LPSE must be protected to ensure continuity of services and to minimize the risk of LPSE service interruption. As information systems and technology become more sophisticated, the threats become more sophisticated as well. DDoS attacks are a threat to the government procurement service: according to the report of the Indonesia Security Incident Response Team on Internet and Infrastructure / Coordination Center (Id-SIRTII / CC) for 2014, there were 40.446 DoS attacks on Indonesian internet infrastructure from January to mid-December 2014. In this paper, we evaluate the impact of DDoS attacks on the existing network infrastructure of the government procurement service, evaluate the existing network defense mechanisms (firewall router and web server), and compare the existing network with an implementation of an Intrusion Detection System, a server-based firewall and a honeypot in the network to mitigate DDoS attacks.
Keywords: LPSE, DDoS, Government Procurement Service, IDS, Honeypot

I. INTRODUCTION

With all the advantages of the Internet, there are also some disadvantages. There is no absolute security in the Internet world, and hackers can use the Internet to launch different types of attacks on a victim network, one of which is known as a Distributed Denial of Service (DDoS) attack [1]. A DDoS attack is one of the most common and major threats to the Internet, in which the goal of the attacker is to consume the computer resources of the victim, usually by using many computers to send a high volume of seemingly legitimate traffic requesting some service from the victim. As a result, it creates network congestion at the target, thus disrupting its normal Internet operation [2].
With the national implementation of the Electronic Procurement Service (LPSE) by Lembaga Kebijakan Pengadaan Barang dan Jasa Pemerintah (LKPP), each Ministry / Agency / Regional / Government Institution in Indonesia is required to implement the Electronic Procurement System, which means that all procurement operations are conducted over the internet.
Implementation of information security governance is a need and a demand for government services to the public, in order to reflect the good governance that helps achieve the business processes therein. However, there are still many government agencies that score low on the information security index and in the implementation of information security.
Based on the report of the Indonesia Security Incident Response Team on Internet and Infrastructure / Coordination Center (Id-SIRTII / CC), there were 40.446 DoS attacks from January until mid-December 2014 on the Indonesian Internet infrastructure, with a severity level of 78% (High) [3].
In this paper, we study the impact of UDP and Http flood attacks on the request rate of the LPSE Web Server and on the CPU and memory utilization of the firewall and the web server. This paper also evaluates the impact of the existing network defense mechanisms and compares them with the implementation of an Intrusion Detection System, firewall server and honeypot in the network as a mitigating solution to DDoS attacks.

We hypothesized that the existing network is vulnerable to DDoS attacks, and hoped that the new mitigating topology with Intrusion Detection System and Honeypot could mitigate DDoS attacks.
II. EXPERIMENTS AND METHOD

A. Existing Networks
Existing Network Topology
The test-bed diagram for the site-to-site setup is displayed in Figure 1; it uses all the devices and the network topology of the existing network of the Government Procurement Service.

Figure 1: Existing Network Test-Bed.

The network was set up through a direct connection using standard category 5e cabling between devices. The firewall router was used to separate the two networks and to monitor incoming and outgoing traffic between them. There were three workstations and two servers in the test-bed: two workstations and one server act as attackers, one server is the LPSE Web Server, and one workstation is used as a monitoring machine and acts as a real client. The workstations have Windows 7 installed, the Attacker Server has Proxmox installed, and the LPSE Web Server has CentOS 6.5 installed. The hardware of the workstations is an Intel Core i3 2.93 GHz processor with 2 GB RAM; the Attacker Server is an Intel Xeon 2.6 GHz with 2 GB RAM; the LPSE Web Server is an Intel Xeon 2.6 GHz with 2 GB RAM; and the Mikrotik RB 1200 has a PPC460GT 1000 MHz CPU with 512 MB RAM.

Existing DDoS Defense
Figure 2 illustrates the DDoS defense method on the existing network. DDoS attacks follow the simple pattern illustrated in Figure 2. In this method the attackers send two types of DDoS attack, UDP Flood and Http Flood, to the LPSE Web Server, and the Mikrotik, acting as a firewall, analyses all traffic through the network. If a packet matches the rules or meets the DDoS packet criteria, the firewall drops the packet and blacklists the source IP; if the packet does not match, the firewall forwards it to the LPSE Web Server.

Figure 2: Existing Network DDoS Defense Method.

B. Network Topology Design with IDS, Firewall and Honeypot
The test-bed diagram displayed in Figure 3 uses the devices of the existing network, adding a Honeypot Server and replacing the Mikrotik firewall router with a server-based firewall and Intrusion Detection System.

Figure 3: Network Topology with Firewall Server Based-IDS and Honeypot.

In this network design, the Firewall Server was used to separate the two networks, to monitor all traffic between the networks and to detect any packet that matches a DDoS attack based on the rules of the Intrusion Detection System. There were three workstations and four servers in the test-bed: two workstations and one server act as attackers, and the other servers are the LPSE Web Server, the Honeypot Server and the Firewall-IDS Server. One of the workstations is used as a monitoring machine and acts as a real client. This network topology was set up through a direct connection using standard category 5e cabling between devices.
The workstations have Windows 7 installed, the Attacker Server has Proxmox installed, the LPSE Web Server and the Honeypot have CentOS 6.5, and the Firewall-IDS has Debian 8.4.0 installed. The hardware of the workstations is an Intel Core i3 2.93 GHz processor with 2 GB RAM; the Attacker Server is an Intel Xeon 2.6 GHz with 2 GB RAM; and the LPSE Web Server, Honeypot and Firewall-IDS are each an Intel Xeon 2.6 GHz with 2 GB RAM.

DDoS Mitigation Method
Figure 4 illustrates the DDoS mitigation on the newly designed network topology using IDS, server-based firewall and honeypot server.

Figure 4: DDoS Mitigation Method with IDS, Firewall Server Based and Honeypot.

In the mitigation method of Figure 4, the attackers send two types of DDoS attack, UDP Flood and Http Flood, to the LPSE Web Server, and the Intrusion Detection System captures and analyses the traffic through the network. If a packet matches the rules or meets the DDoS packet criteria defined by the IDS rules, the IDS creates an alert and passes it to the firewall, and the firewall redirects the packets to the honeypot server; if the packet does not match the IDS rules, the firewall forwards it to the LPSE Web Server.

III. TOOLS AND MEASUREMENT

A. DDoS Tools
LOIC is a DDoS attack tool that floods the server; this flooding results from the large volume of HTTP and UDP traffic [4]. This tool will be run on the attacker workstations. An attack that targets the application layer is the Slowloris attack, which takes advantage of web servers by keeping connections open using partial Hypertext Transfer Protocol (HTTP) requests, again overwhelming server resources with few resources required on the attacker's side [5]. The UDP DDoS script, compiled with the GNU Compiler Collection on Linux, will be run on the Attacker Server as a DDoS UDP Flood tool.

DDoS Attack-UDP Flood parameters:
LOIC at attacker workstations:
Target IP address = 192.168.9.2 and 10.10.1.2
Port = 53
Attack Type = UDP Flood
Threads = 500
GCC UDP DDoS script at Attacker Server:
Target IP address = 192.168.9.2 and 10.10.1.2
Port = 53
Attack Type = UDP Flood
Spoofed IP = 9999999999999999

DDoS Attack-Http Flood parameters:
LOIC at attacker workstations:
Target IP address = 192.168.9.2 and 10.10.1.2
Port = 80
Attack Type = Http Flood
Threads = 500
Timeout = 2000
Slowloris at Attacker Server:
Target IP address = 192.168.9.2 and 10.10.1.2
Port = 80
Attack Type = Http Flood
Timeout = 2000
Num = 500
Tcpto = 5
B. Intrusion Detection System and Firewall
In this paper Suricata v2.01 is used as the Intrusion Detection System. Suricata has a high processing overhead compared to Snort, due to Suricata's multithreaded design [6]. Suricata detection uses two methods:

Signature based
Rule/list-based detection on signatures is the detection method that matches the content of the traffic on the network against the rules/lists contained in the Intrusion Detection System; these rules/lists are the result of analysis by a security analyst.
Behaviour based
Behaviour-based detection marks packets on the basis of certain (suspicious) anomalies in the network traffic, combining the IDS with the AIEngine plugin algorithms.
In this paper iptables v1.6.0 is used as the firewall; it is also compatible with the Suricata intrusion detection system.
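The alert-to-redirect step of the mitigation method in Figure 4 (an IDS alert is passed to the firewall, and the flagged source is sent to the honeypot), as an added example that is not the paper's own tooling: it reads Suricata's EVE JSON alert log and emits the iptables DNAT rules the firewall server would need. The honeypot address, the signature ids and the log records are constructed assumptions; only the LPSE web server address is from the paper.

```python
"""Turn Suricata EVE alerts into iptables DNAT rules that send a flagged
source to the honeypot (the IDS -> firewall -> honeypot step of Figure 4).
Added example; not the paper's tooling."""
import json
from typing import Dict, Iterable, List

LPSE_WEB_SERVER = "192.168.9.2"    # from the paper
HONEYPOT_SERVER = "192.168.9.250"  # assumed placeholder, not given in the paper

# Constructed eve.json records (one JSON object per line, as Suricata writes
# them): two identical alerts from one source, an unrelated flow record, a
# truncated line, and an alert for a second source on the HTTP port.
SAMPLE_EVE_LOG = "\n".join([
    json.dumps({"event_type": "alert", "src_ip": "10.10.1.50", "dest_ip": LPSE_WEB_SERVER,
                "proto": "UDP", "dest_port": 53,
                "alert": {"signature_id": 1000001, "signature": "UDP flood to port 53"}}),
    json.dumps({"event_type": "flow", "src_ip": "10.10.1.9", "dest_ip": LPSE_WEB_SERVER,
                "proto": "TCP", "dest_port": 80}),
    json.dumps({"event_type": "alert", "src_ip": "10.10.1.50", "dest_ip": LPSE_WEB_SERVER,
                "proto": "UDP", "dest_port": 53,
                "alert": {"signature_id": 1000001, "signature": "UDP flood to port 53"}}),
    '{"event_type": "alert", "src_ip": "10.10.1.51"',  # cut off mid-write
    json.dumps({"event_type": "alert", "src_ip": "10.10.1.51", "dest_ip": LPSE_WEB_SERVER,
                "proto": "TCP", "dest_port": 80,
                "alert": {"signature_id": 1000002, "signature": "HTTP flood"}}),
])


def parse_alerts(eve_lines: Iterable[str], target: str = LPSE_WEB_SERVER) -> List[Dict]:
    """Keep only well-formed 'alert' records aimed at the protected server."""
    alerts: List[Dict] = []
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # partial or corrupt line: skip it rather than crash
        if rec.get("event_type") == "alert" and rec.get("dest_ip") == target:
            alerts.append(rec)
    return alerts


def redirect_rules(alerts: List[Dict], honeypot: str = HONEYPOT_SERVER,
                   target: str = LPSE_WEB_SERVER) -> List[str]:
    """One PREROUTING DNAT rule per (source, protocol, port), de-duplicated so
    a flood of identical alerts does not become a flood of rules."""
    seen = set()
    rules: List[str] = []
    for a in alerts:
        key = (a["src_ip"], str(a.get("proto", "all")).lower(), int(a.get("dest_port", 0)))
        if key in seen:
            continue
        seen.add(key)
        src, proto, port = key
        match = f" --dport {port}" if port else ""  # no port match for ICMP etc.
        dest = f"{honeypot}:{port}" if port else honeypot
        rules.append(f"iptables -t nat -A PREROUTING -s {src} -d {target} "
                     f"-p {proto}{match} -j DNAT --to-destination {dest}")
    return rules


if __name__ == "__main__":
    for rule in redirect_rules(parse_alerts(SAMPLE_EVE_LOG.splitlines())):
        print(rule)  # review, then apply on the Firewall-IDS server
```

The rules are only printed; applying them requires IP forwarding on the firewall server and a route to the honeypot.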



C. Measurement
In this paper we also measure the performance of the LPSE Web Server before and after the DDoS attack using Httperf on the two different network topologies. Httperf is a tool for measuring web server performance; a web system under test consists of a web server, a number of clients and a network that connects the clients to the server [7]. The CPU and memory utilization of the servers, with detailed information regarding CPU and RAM, was measured with Sysstat v11.2.0 [6].
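An added example, not from the paper, of reducing the repeated Httperf runs of the rate-step test in Section IV.A to the three metrics the figures plot (request rate, response time, errors), averaged per step. The sample outputs are constructed and follow the httperf summary-line layout as I know it, so treat the exact wording of those lines as an assumption.

```python
"""Reduce repeated httperf runs of the rate-step test to the three metrics the
figures plot: request rate, response time and errors. Added example, not the
paper's tooling; the sample outputs below are constructed."""
import re
from statistics import mean
from typing import Dict, List

# Constructed httperf summaries for two rate steps, cut down to the lines the
# parser reads; the values are invented for illustration, not measured.
SAMPLE_OUTPUT: Dict[int, List[str]] = {
    50: [
        "Total: connections 500 requests 500 replies 500 test-duration 9.980 s\n"
        "Request rate: 50.1 req/s (20.0 ms/req)\n"
        "Reply time [ms]: response 0.7 transfer 0.0\n"
        "Errors: total 0 client-timo 0 socket-timo 0 connrefused 0 connreset 0\n",
        "Total: connections 500 requests 500 replies 500 test-duration 9.990 s\n"
        "Request rate: 50.0 req/s (20.0 ms/req)\n"
        "Reply time [ms]: response 0.9 transfer 0.0\n"
        "Errors: total 0 client-timo 0 socket-timo 0 connrefused 0 connreset 0\n",
    ],
    500: [
        "Total: connections 500 requests 500 replies 30 test-duration 5.998 s\n"
        "Request rate: 83.4 req/s (12.0 ms/req)\n"
        "Reply time [ms]: response 116.0 transfer 0.0\n"
        "Errors: total 470 client-timo 470 socket-timo 0 connrefused 0 connreset 0\n",
    ],
}

PATTERNS = {
    "requests": re.compile(r"^Total: .*?requests (\d+)"),
    "replies": re.compile(r"^Total: .*?replies (\d+)"),
    "request_rate": re.compile(r"^Request rate: ([\d.]+) req/s"),
    "response_ms": re.compile(r"^Reply time \[ms\]: response ([\d.]+)"),
    "errors": re.compile(r"^Errors: total (\d+)"),
}


def parse_httperf(output: str) -> Dict[str, float]:
    """Pull the summary values out of one run; fail loudly when a line is
    missing so a truncated run is not mistaken for a clean one."""
    found: Dict[str, float] = {}
    for line in output.splitlines():
        for name, pat in PATTERNS.items():
            m = pat.match(line.strip())
            if m:
                found[name] = float(m.group(1))
    missing = sorted(set(PATTERNS) - set(found))
    if missing:
        raise ValueError(f"httperf output incomplete, missing {missing}")
    return found


def rate_step_table(runs: Dict[int, List[str]]) -> List[Dict[str, float]]:
    """Average the repeated runs of each step (the paper ran ten) and record
    what fraction of the requests the server actually answered."""
    rows: List[Dict[str, float]] = []
    for requested in sorted(runs):
        parsed = [parse_httperf(o) for o in runs[requested]]
        row = {name: round(mean(p[name] for p in parsed), 2) for name in PATTERNS}
        row["requested_rate"] = requested
        row["served_fraction"] = round(row["replies"] / row["requests"], 3)
        rows.append(row)
    return rows
```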
IV. EXPERIMENTAL RESULTS

The experiments were conducted to evaluate and compare the request rate of the LPSE Web Server and the CPU and memory utilization of the LPSE Web Server, Mikrotik, Firewall Server and Honeypot server before and during the attack on the two different network topologies.

A. Web Performance
Before Attack
Figure 5 illustrates the web performance of the LPSE Web Server on the two different network topologies before attack.

Figure 5: Request Rate, Response Time and Error (E and N). E = Existing Network, N = New Topology with IDS-Firewall and Honeypot, before attack.

The test was run with Httperf, ten times, with the parameters:
Target Port = 80
Target Host IP address = 192.168.9.2 and 10.10.1.2
Minimum Request Rate = 50
Rate Step = 50
Maximum Request Rate = 500
Num Conns = 500
Timeout = 5 Second
The result shows no difference in request rate, but in response time the existing topology overall has a lower response time than the new topology; for example, at 250 requests the existing topology has only a 0,70 ms response time compared with 1,90 ms on the new topology. Neither topology had any error requests in the test.

During DDoS Attack-UDP Flood
Figure 6 illustrates the web performance of the LPSE Web Server on the two different network defense topologies during DDoS Attack-UDP Flood.

Figure 6: Request Rate, Response Time and Error (E and N). E = Existing Network, N = New Topology (with IDS-Firewall and Honeypot), under DDoS Attack UDP Flood.

Figure 6 shows that the request rate at every rate step on the existing network topology is less than requested; for example, at 50 requests only 15 could be processed and at 500 requests only 30 could be processed, compared to the new topology, which processed 50 requests at the 50 request rate and 499 requests at the 500 request rate. The response time on the existing topology is much longer than on the new topology: 262 ms at request rate 50 and 116 ms at the 500 request rate, whereas the new topology has 1,30 ms at the 50 request rate and 1,10 ms at the 500 request rate. The existing topology has errors at every rate step, for example 35 errors at 50 requests and 470 errors at 500 requests, whereas the new topology has only 1 error at 450 requests and 1 error at 500 requests. Overall, the new topology with Intrusion Detection System, server-based firewall and honeypot server handled the DDoS Attack-UDP Flood much better than the existing network topology.

During DDoS Attack-Http Flood
Figure 7 illustrates the web performance of the LPSE Web Server on the two different network defense topologies under DDoS Attack-Http Flood.

Figure 7: Request Rate, Response Time and Error (E and N). E = Existing Network, N = New Topology (with IDS-Firewall and Honeypot), during DDoS Attack Http Flood.

The result shows that the request rate at every rate step on the existing network topology is less than requested; for example, at 50 requests only 45 could be processed and at 500 requests only 87 could be processed, compared to the new topology, which processed 50 requests at the 50 request rate and 500 requests at the 500 request rate. The response time on the existing topology is much longer than on the new topology: 590,4 ms at request rate 50 and 574 ms at the 500 request rate, whereas the new topology has 0,80 ms at the 50 request rate and 0,80 ms at the 500 request rate. The existing topology has errors at every rate step, for example 5 errors at 50 requests and 413 errors at 500 requests, whereas the new topology had no errors in the test. Overall, the new topology with Intrusion Detection System, server-based firewall and honeypot server handled the DDoS Attack-Http Flood much better than the existing network topology.

B. CPU and Memory Utilization

Before Attack
Figure 8 illustrates the CPU and Memory Utilization of the devices on the two different network topologies before attack.

Figure 8: CPU and Memory Utilization (E and N). E = Existing Topology, N = New Topology, before Attack.

The result shows that on the existing topology the CPU usage of the Mikrotik was constant at 1% to 5%, RAM of the Mikrotik was constant at 0,96% to 0,97%, CPU usage of the LPSE Web Server was constant at 0,01% to 3,15% and RAM of the LPSE Web Server was constant at 41,86% to 55,96%; the RAM usage of the LPSE web server is a little high because of startup applications such as Apache and SPSE (Sistem Pengadaan Secara Elektronik).
On the new topology the CPU usage of the Firewall-IDS was constant at 0,5% to 0,19%, RAM of the Firewall-IDS was constant at 2,28% to 2,38%, CPU usage of the LPSE Web Server was constant at 0,03% to 0,09% and RAM of the LPSE Web Server was constant at 55,70% to 55,75%; just as on the existing topology, the RAM usage of the LPSE web server is a little high because of the startup applications Apache and SPSE (Sistem Pengadaan Secara Elektronik). CPU usage of the Honeypot was constant at 0,15% to 0,28% and RAM of the Honeypot was constant at 24,94% to 25,39%; the RAM usage of the Honeypot server is a little high because of its startup application, Apache. These data illustrate the normal condition before attack on the two different network topologies.

During DDoS Attack-UDP Flood
Figure 9 illustrates the CPU and Memory Utilization of the devices on the two different network topologies during DDoS attack UDP Flood.

Figure 9: CPU and Memory Utilization (E and N). E = Existing Topology, N = New Topology, during DDoS Attack UDP Flood.

The result shows that on the existing topology the CPU usage of the Mikrotik went up 11% and 22% at the second and third minute and afterwards remained at 100%; RAM usage of the Mikrotik was constant at 0,96% to 0,97%; CPU usage of the LPSE Web Server was constant at 0,01% to 0,02% and RAM usage of the LPSE Web Server was constant at 55,70% to 55,76%.
On the new topology the CPU usage of the Firewall-IDS went up approximately 1% and 4% at the third and fourth minute and afterwards remained steady at 14,25% to 15,22%; RAM usage of the Firewall-IDS was constant at 9,09% to 9,15%; CPU usage of the LPSE Web Server was constant at 0,03% to 0,15% and RAM usage of the LPSE Web Server was constant at 56,00% to 56,12%; CPU usage of the Honeypot went up approximately 1% at the fourth and fifth minute and afterwards remained steady at 6,31% to 6,96%, and RAM usage of the Honeypot was constant at 25,16% to 25,24%. Overall, the devices on the new topology consume less CPU and memory during the DDoS Attack UDP Flood than those on the existing topology.

During DDoS Attack-Http Flood
Figure 10 illustrates the CPU and Memory Utilization of the devices on the two different network topologies during DDoS attack Http Flood.

Figure 10: CPU and Memory Utilization (E and N). E = Existing Topology, N = New Topology, during DDoS Attack Http Flood.

The result shows that on the existing topology the CPU of the Mikrotik had random usage every minute from 1,0% to 60%; RAM usage of the Mikrotik was constant at 0,96%; CPU usage of the LPSE Web Server decreased every minute from 12,66% to 0,13%, and RAM usage of the LPSE Web Server increased every minute from 41,67% to 71,86%.
On the new topology the CPU usage of the Firewall-IDS was constant at 0,19% to 0,71%; RAM usage of the Firewall-IDS increased every minute from 10,98% to 12,18%; CPU usage of the LPSE Web Server was constant at 0,02% to 0,67% and RAM usage of the LPSE Web Server was constant at 54,53% to 54,99%; CPU usage of the Honeypot was constant at 0,02% to 0,12% and RAM usage of the Honeypot was constant at 31,76% to 32,42%. Overall, the devices on the new topology consume less CPU and memory during the DDoS Attack Http Flood than those on the existing topology.

V. CONCLUSION

The web performance of the LPSE Web Server before attack on the existing network topology shows a lower response time at each request rate than on the new network topology, but the difference was not significant. However, during the DDoS attack UDP Flood, at every request rate step the LPSE Web Server on the existing network topology served fewer requests than requested and had more error requests than on the new network topology. During the DDoS attack Http Flood the existing network topology had more error requests to the LPSE Web Server than the new network topology, which had no errors; furthermore, at every request rate step the LPSE Web Server on the existing topology served fewer requests than requested compared to the new network topology.
The CPU and memory usage of the devices on the existing network topology during the DDoS Attack UDP Flood was higher than that of the devices on the new network topology; for example, the Mikrotik acting as firewall and router reached 100% CPU usage, with the result that the connection between the two networks on the existing network topology was unstable and the real client could not access the LPSE Web Server. During the DDoS Attack Http Flood, the results showed that the devices on the new network topology had less CPU and memory usage than the devices on the existing network topology.
All these experimental results show that the Government Electronic Procurement Service (LPSE) running on a network infrastructure such as the existing network topology is vulnerable to DDoS attacks, which could interrupt LPSE services. However, the new network topology and infrastructure using an Intrusion Detection System, server-based firewall and honeypot gave better results in mitigating DDoS attacks of these kinds and sizes, the UDP and Http Flood types.

REFERENCES
[1] Kolahi S., Treseangrat K., Sarrafpour B., "Analysis of UDP DDoS Flood Cyber Attack and Defense Mechanisms on Web Server with Linux Ubuntu 13", Department of Computing, Unitec Institute of Technology, Auckland, New Zealand, 978-1-4799-6532-8/15/$31.00, 2015 IEEE.
[2] B. Gupta, C. Joshi, and M. Misra, "Distributed Denial of Service Prevention Techniques", IJCEE, vol. 2, no. 3, 2010, pp. 268-276.
[3] ID-SIRTII/CC, "Monitoring and Intrusion Detection", Jakarta: Activity Progress Reports, 2014.
[4] Alomari E., Manickam S., Gupta B. B., Karuppayah S., Alfaris R., "Botnet-based Distributed Denial of Service (DDoS) Attacks on Web Servers: Classification and Art", International Journal of Computer Applications (0975-8887), Volume 49, No. 7, July 2012.
[5] Harris B., Konikoff E., Petersen P., "Breaking the DDoS Attack Chain", Institute for Software Research, Carnegie Mellon University, Pittsburgh, CMU-ISR-MITS-2, 2013.
[6] Pihelgas M., "A Comparative Analysis of Opensource Intrusion Detection Systems", Master's Thesis, ITI70LT, Department of Computer Science, Chair of Network Software, Tallinn University of Technology, Estonia, 2012.
[7] Jae Jung S., Bae Y., Wooyoung S., "Web Performance Analysis of Open Source Server Virtualization Techniques", Dept. of Computer Engineering, Hannam University, Korea, International Journal of Multimedia and Ubiquitous Engineering, Vol. 6, No. 4, October 2011.
[8] Grozev N. and Buyya R., "Performance Modelling and Simulation of Three-Tier Applications in Cloud and Multi-Cloud Environments", Department of Computer Science and Information Systems, The University of Melbourne, Parkville, Australia, 2013.
