DDoS ATTACK MITIGATION WITH INTRUSION DETECTION SYSTEM (IDS) USING TELEGRAM BOTS

− In the current IS/IT era, service to consumers is an absolute must to be prepared to survive in business competition. Physical and logical attacks with the aim of disrupting information technology services for individuals/agencies/companies or reducing the performance of IS/IT used. The development of IoT in the industrial revolution 4.0, which is all online, is a challenge in itself, from a negative point of view, all of them are able to carry out attacks on ISP servers, often carried out by hackers. DDoS (Distributed Denial of Service) attacks are the most common attacks. The development of software for DDoS attacks is very much on the internet, including UDP Unicorn software to attack very easily and can be done by anyone. Software for real-time monitoring of DDoS attacks, one of which is the Telegram bot. Telegram is a messaging system centered on security and confidentiality, while bots are computer programs that do certain jobs automatically. Telegram bot is free, lightweight and multiplatform. In the case study, this research contains 10 access points to the internet that will be mitigated from DDoS attacks. In this study, it was found that DDoS attacks caused traffic to become very high/congested by fulfilling upload traffic so that legitimate traffic users could not access the internet, connection to the internet was slow, the traffic was also unnatural, making it unable to connect to wireless devices and making Mikrotik loginpage becomes unable to appear. The purpose of this study is to mitigate DDoS attacks with the help of telegram bots so as to facilitate the notification of DDoS attacks in the event of an attack so that it is fast to deal with and find the perpetrators of the attack. The conclusion of this study is that DDoS attacks using UDP unicorn software resulted in a traffic spike of 53.5 Mbps on the upload traffic side, causing traffic for legitimate/authenticated users to slow down. By using telegram bots to know DDoS attacks occur in real time with a success rate of attack detection up to 100% notifications on telegram bots. Mitigation of DDoS attacks takes steps to track users using the torch feature on the routerboard interface menu, trace internet connection lines using wired or wireless transmission media, and ensure always monitoring the proxy interface from winbox.


INTRODUCTION
The need for network security is very important in the world of information technology and information systems. In the current IS/IT era, service to consumers is an absolute must to be prepared to survive in business competition. There are times when irresponsible people make attacks on information technology systems and networks that are developed. The attack is in the form of physical and logical attacks with the aim of disrupting information technology services for individuals/agencies/companies or reducing the performance of information systems and information technology used.
The development of IoT (Internet of Things) in the industrial revolution 4.0 which is all online is a challenge in itself, everyone can access anything from the virtual world, from the negative side, everyone is able to attack a service on the internet. Several attacks on servers as internet service providers (ISPs) are often carried out by hackers with various purposes. DDOS (Distributed Denial of Service) attack is an attack that may often be found among other attacks.
The development of software to carry out DDoS attacks is also very widely spread on the internet, including UDP Unicorn software, which is a software that uses a very easy way to attack and can be done by anyone, and there are many more software to carry out DDoS attacks on the internet.
In monitoring computer networks when a DDoS attack occurs, there are many applications that can be used to monitor DDoS attacks in real time, one of which is the telegram bot. Telegram is a cross-platform messaging system centered on security and privacy, while bots are computer programs that do certain jobs automatically.
Telegram bot is a bot that is currently popularly used among the public because it is free, lightweight and multiplatform. Telegram also has a fairly complete and growing Bot API. The famous telegram bot is the telegrambot made by Yago Perez [1].
In the case study, this research contains 10 access points to the internet that will be mitigated from DDoS attacks. In this study, it was found that DDoS attacks caused traffic to become very high/congested by fulfilling upload traffic so that legitimate traffic users could not access the internet, connection to the internet was slow, the traffic was also unnatural, making it unable to connect to wireless devices and making Mikrotik loginpage becomes unable to appear.
The problem of this research how to mitigate DDoS attacks carried out by using a bot Unicorn UDP telegram. The purpose of this study is to mitigate DDoS attacks with the help of telegram bots so as to facilitate the notification of DDoS attacks in the event of an attack so that it is fast to deal with and find the perpetrators of the attack.
Research conducted by Nadila Sugianti et al with the title Detection of HTTP-Based Distributed Denial of Services (DDOS) Attacks Using the Fuzzy Sugeno Method. The purpose of this research is to create an application to detect HTTP-based DDOS attacks with good accuracy using the fuzzy Sugeno method. Based on the discussion that has been explained and the results of tests that have been carried out, HTTP-based DDOS attack detectors based on the number of users, the number of packets, the number of packets/users and the length of the data captured by fuzzy logic using the Sugeno method can be used as a detector in determining DDOS attacks based on HTTP with an accuracy rate of up to 90% [2].
Research conducted by Jodi Chris Jordan Sihombing et al with the title Implementation of Distributed Denial of Service (DDoS) Attack Detection and Mitigation System using SVM Classifier on Software Defined Network (SDN) Architecture. The research objective is to implement a system that can detect and mitigate DDoS attacks on the SDN architecture. Conclusions from the research 1) The DDoS attack detection and mitigation (SDMD) system using the SVM classifier can be applied to the SDN architecture.
2) The DDoS attack mitigation mechanism is carried out by adding a flow rule on the switch to filter packets that go to the victim host. After the flow rule is added to the switch's flow table, the switch will drop every packet originating from the attacker's source IP, but any packets originating from the legitimate host's source IP will be forwarded. 3) SDMD performance in detecting DDoS attacks is very good. The accuracy obtained in detecting DDoS attacks is 96.08%, 95.66%, and 98.76% for syn flooding, udp flooding, and icmp flooding, respectively [3].
Research conducted by Muhammad Aziz et al with the title Implementing Artificial Neural Networks to Detect DDoS Attacks in Network Forensics. The purpose of the study is to determine the accuracy of DDoS attacks for network forensic purposes, the proposed method to analyze and test DDoS attacks detected on IDS with datasets at the Research Laboratory of Masters in Informatics Engineering, Ahmad Dahlan University (LRis-MTIUAD) using artificial neural network (ANN) methods based on calculations statistics. The conclusion from the research is that the attack information that has been detected by signature-based IDS needs to be reviewed for accuracy using classification with statistical calculations. Based on the analysis and testing carried out by the artificial neural network method, it was found that the accuracy was 95.2381%. Artificial neural network methods can be applied in the field of network forensics in determining accurate results and helping strengthen evidence at trial [4].
Research conducted by Eddy Prasetyo Nugroho et al with the title Security Reporting System on Cloud Computing Networks Through Telegram bots using Intrusion Detection and Prevention System Techniques. The conclusion of the research is to build an intrusion detection system by producing output not only in the form of records of intrusion activities on the database but also notifications via instant messaging Telegram. The results of recording intrusion activities in the database are used as data to perform network forensic analysis regarding the identity of the source of incoming packets, as well as to analyze the level of IDS system responsibility both in detecting attacks and sending notifications to administrators [5].
The research conducted by Jefree Fahana et al with the title Using Telegram as an Attack Notification for Network Forensics Purposes. The purpose of the research is to help network administrators to make it easier to find attacks that are usually carried out manually. The conclusion of the study was that it was successful in detecting attacks by using Snort. Alerts work very well and are able to send information to the database which is then forwarded using the telegram instant messenger application in real time. The results show that there has been a ddos attack via ICMP based on the log analysis performed [6].

Intrusion Detection System (IDS)
Intrusion Detection System is a prevention system using software or hardware that works automatically to monitor the situation on a computer network and can analyze network security problems. IDS is a tool, method and resource that provides assistance in identifying, reporting on computer network activity [7].
The ability of the IDS is to provide an early warning to the Network Administrator when a certain activity occurs that the Administrator does not want. In addition to providing warnings, IDS is also able to track activities that harm a system. An IDS can monitor packets passing through the network and try to find out if there is any suspicious activity.
IDS functions to monitor unusual activities on the network so that the initial steps of the attackers can be known. Thus the Administrator can take precautions and be prepared for what might happen.
In recognizing attack patterns, there are several methods of how IDS works, namely: Signature Based IDS and Anomaly Based IDS.

a) Signature Based IDS
A signature-based IDS will monitor the packets in the network and compare these packets with the signature database owned by this IDS system. This method is almost the same as how antivirus applications work in detecting malware. The point is that there will be a delay between the detection of an attack on the internet and the signature used for detection which is implemented in the IDS database used. So it could be that the signature database used in the IDS system is not able to detect an attempted attack on the network because the information on this type of attack is not contained in the signature database of this IDS system. During this time delay, the IDS system cannot detect any new types of attacks.

b) Anomaly Based IDS
This type will monitor the traffic in the network and compare the traffic that occurs with the average traffic (stable). The system will identify what is meant by a "normal" network in the network, how much bandwidth is usually used on the network, what protocols are used, what ports are usually interconnected with each other in the network and alert the administrator. when detected something is not normal.
The anomaly-based IDS method offers advantages over the signature-based IDS, which is that it can detect new forms of attacks that are not yet included in the IDS signature database. The downside is that this type often emits false positive messages. So that the Administrator's task becomes more complicated, by having to sort out which is the real attack from the many false positives that appear.

Distributed Denial of Service
According to Mousavi (2014), Distributed Denial of Service attack (DDoS) is an attack carried out on all the bloat or computer network by sending the dense traffic [8]. DDoS attacks start from attackers who distribute attacks using machines. During an attack, all traffic is directed to the victim's computer or server to consume the victim's resources. DDoS attacks will often use IP spoofing with the aim of flooding the target with high traffic while masking the identity of the original source to prevent mitigation efforts. If the source IP address is spoofed and continues to be scrambled, attempts to block attacks will become difficult. According to Kumarasamy (2012), there are several types of DDoS attacks [9] including the following : 1. TCP SYN Flooding: Is a type of attack that exploits the 3 way handshake mechanism in the TCP protocol, the attacker sends a large number of SYN packets to overload the target being attacked. 2. UDP Flooding: Is a type of attack that exploits the UDP protocol, the attacker has a list of broadcast addresses to send fake UDP packets to. This packet delivery mechanism is sent to a random port and then changes the target location unexpectedly. 3. Ping (ICMP) Flooding: Is a type of attack against the ICMP protocol with the aim of depleting the victim's computer resources by flooding it through requests from ICMP echo or also known as the ping command.

Firewall Mikrotik
A firewall is a hardware device or software system or group of systems (routers, proxies, gateways) designed to allow or deny network transmissions based on a set of security rules and regulations to enforce control between two networks to protect the "inside" network from the "outside" network. Firewall acts as a filter between internal and external computers. The firewall performs control based on the source IP address, source and destination TCP/UDP ports, destination IP address, and header information stored in data packets [10].

Traffic Monitoring Mikrotik
Traffic Monitor is a feature in Mikrotik that is rarely used. This traffic monitor can be used to monitor traffic running on an interface on the router and can determine a traffic threshold value. If the traffic has reached the specified threshold, then Traffic Monitor can execute a script. Thus can use this feature for various needs by determining what scripts will be executed. Steps to activate Traffic Monitor in the required interface with the steps on the Tools menu → Traffic Monitor [11].

Telegram
The main attraction of Telegram is that it can run on various devices and operating systems, not only mobile phones, but also computers, smartphones and others. Telegrams and bots can make everyday life easier without having to just stare at the computer. At the beginning of the development of the bot world on Telegram, almost all bots were created using telegram-cli and lua. The telegram-cli bot works like a personal account, it can even log in as a telegram-cli bot account and do what normal accounts can do. The benefits of this bot were also acknowledged by Telegram, which then launched a bot API so that many people could build bots using the programming language they mastered without having to deal with Telegram-cli or MTProto. Bot API is a bot account, there are certain things that normal accounts can do that bot accounts can't, for example creating groups, adding people to groups and removing people from groups [12].

II. RESEARCH METHODOLOGY 2.1 Research Flow
The flow of this research is as follows : Figure 1. Research Flow Figure 1. Shows the flow of the research carried out. The first step is data collection, which collects data on the form and DDoS attacks that are carried out. The second step is data analysis which performs analysis and techniques to prevent DDoS attacks. the third step is the design and configuration of the system which designs and implements DDoS attack mitigation techniques with telegram bots as notifications in the event of an ongoing attack. The fourth step is the results and system testing which is doing testing to find out whether the DDoS attack mitigation system runs smoothly as expected.

Data collection
Data collection with the tested parameters is to determine the target IP address, determine the packet size to be sent (flood), the path that is passed (threads), the socket path that is passed (sockets per thread) and the test time for 10 seconds ago. UDP unicorn software is run, then monitoring is carried out from the mikrotik routerboard interface.    Figure 4. Shows UDP unicorn software by entering the server's IP address in the target column and providing the value of the packet size to be sent then clicking start unicorn to run a DDoS attack on the target

Unicorn UDP Attack Form
The forms of UDP Unicorn software attacks when used to carry out DDoS attacks are as follows :  Figure 5. Unicorn UDP Attack Figure 5. Shows an attack from the UDP unicorn software by filling up the upload traffic so that legitimate user traffic cannot access the internet. When an attack occurs, the monitored download traffic is 1278.3kbps while the monitored upload traffic is 53.5Mbps. An increase in unnatural upload traffic on this interface causes the internet connection to be slow, unable to connect to wireless devices, loginpage cannot appear.  . Shows the BotFather telegram that will be used as a telegram bot machine by writing the commands "/start" and "/newbot" to create a bot script. . Shows confirmation of the name of the bot, namely "ddosbrembuk_bot" which will be created to get a token to access the HTTP API telegram. Fifure 9. Trafiic Monitor <tmon102> Figure 9. Shows the existing monitor traffic on the proxy feature. With this traffic monitor it helps manual work when monitoring a DDoS attack that makes traffic very high. This monitor traffic menu is found in the Mikrotik tools when opening Winbox. The name column fills in the name tmon102 in order to provide a different name. The interface column selects the interface to be monitored. The traffic column uses received with the aim of monitoring traffic only on uploads. The trigger column uses always with the aim of always reporting all monitoring traffic activities. The threshold column provides a value of 3Mbps with the aim that if the upload traffic exceeds 3Mbps, it will report to the Telegram bot. The on event column adds a telegram bot script by entering the telegram bot token that has been obtained in the previous stage. The script will display a notification in real time on telegram with the message "An attack occurred on Line 102" Figure 10. Traffic Monitor List Figure 10. Shows a list of monitor traffic. In the picture there are 10 internet access sharing lines that will be monitored for upload traffic to mitigate ongoing DDoS attacks. The results of this script will immediately make a real-time notification to Telegram in the event of a DDoS attack. In the name column, fill in the name and adjust it to the monitored path so that it provides a different name and in the threshold column it adjusts to the maximum desired upload speed.

III. RESULTS AND DISCUSSION
The results and discussion of DDoS attack mitigation using telegram are as follows : Figure 11. Script On Event Figure 11. shows this script generated with BotFather from the telegram bot by forwarding the url and chat_id links embedded in the script, as follows: url=https://api.telegram.org/bot18951410:AAHK7Mfs eIs8kIsP6-G7OoWzbw, chat_id=645211. Then give a comment or notification in the form of text = An attack occurred on line 102.  If there is data traffic that exceeds the value above 3Mbps, a notification will be sent to the Telegram application according to the 3Mbps upload/threshold value setting in Figure 9. If there are notifications that enter the Telegram application more than 10 times within one second, it means that a DDoS attack has occurred.
After knowing which internet connection line is being attacked, the first step is to immediately take action by tracing the user using the torch feature on the Mikrotik routerboard interface menu.  . Shows the torch feature, with this feature it is easy to see data traffic (Tx/Rx) which can be sorted from the largest to the smallest. To see the attacker by looking at the source address and sorting the upload data traffic (Rx) from the largest to the smallest.
Then with the second step, trace the internet connection path using wired or wireless transmission media by removing the RJ45 connector connected to each computer network device, and ensuring always monitoring the Mikrotik interface from Winbox.

IV. CONCLUSION
The conclusion of this research is: 1) There was a DDoS attack using UDP unicorn software which resulted in a traffic spike of 53.5 Mbps on the upload traffic side which resulted in slow traffic of legitimate/authenticated users. 2) By using telegram bots to know DDoS attacks occur in real time with a success rate of attack detection up to 100% notifications on telegram bots. Mitigation of DDoS attack mitigation as soon as possible take steps a) take action to track users using the torch feature on the Mikrotik routerboard interface menu by clicking the interface menu where the attack occurred and then clicking the Torch feature. b) trace the internet connection path using wired or wireless transmission media by removing the rj45 connector connected to each computer network device (router/switch), as well as ensuring always monitoring the proxy interface from winbox.