📄 Also available in Español
This lab aims to simulate a Denial-of-Service (DoS) attack and port scanning from one Linux virtual machine (VM) to another. The goal is to generate telemetry using two bash scripts: one that sends ICMP ping floods (DoS simulation) and another that performs multiple Nmap scans. The target VM, configured with Suricata (in IDS mode) and iptables, will detect and log both types of activity for analysis and potential integration with SIEM/SOAR tools.
- Two Linux-based VMs (Debian-based recommended)
- iptables (pre-installed on most Debian-based distros)
- Suricata (installed and updated with its rule sources beforehand, since the VMs will later be attached to an Internal Network adapter without internet access)
- Bash script for DoS attack (ping flood)
- Bash script for port scanning (nmap usage)
- Static IP configuration for both VMs
The repository layout is shown below, followed by a table showing where each configuration and script file should be placed in your virtual machines for the lab to function correctly.

```
DoS-Simulation-Lab/
├── attacker/
│   ├── flood_script.sh
│   └── scanning_script.sh
├── target/
│   ├── firewall.sh
│   ├── suricata.yaml
│   └── rules/
│       ├── ping-flood.rules
│       └── port_scanning.rules
├── logs/
│   ├── fast.log
│   └── eve.json
├── README.md
└── README.es.md
```
| Repository File | VM Destination Path | Purpose |
|---|---|---|
| `target/firewall.sh` | `/etc/iptables/rules/firewall.sh` | Custom iptables script |
| `target/suricata.yaml` | `/etc/suricata/suricata.yaml` | Suricata configuration file |
| `target/rules/ping-flood.rules` | `/etc/suricata/rules/custom_rules/ping-flood.rules` | Rules to detect ICMP ping flood |
| `target/rules/port_scanning.rules` | `/etc/suricata/rules/custom_rules/port_scanning.rules` | Rule to detect Nmap scans |
| `logs/fast.log` | `/var/log/suricata/fast.log` (auto-generated) | Suricata's real-time alert log |
| `logs/eve.json` | `/var/log/suricata/eve.json` (auto-generated) | Detailed JSON event log from Suricata |
| `attacker/flood_script.sh` | `Desktop/` | Ping flood attack script |
| `attacker/scanning_script.sh` | `Desktop/` | Port scanning script |
| Role | IP Address | Description |
|---|---|---|
| Target VM | 10.0.8.80/24 | Suricata + iptables |
| Attacker VM | 10.0.8.56/24 | Bash attack scripts |
- Assign static IPs on both VMs using the 10.0.8.0/24 subnet.
- Use `ip a` to confirm the IP addresses are set correctly.
- Test connectivity using `ping` from one VM to the other.
Instead of setting each iptables rule manually, we'll create a script that contains all the firewall rules. This provides centralized control and easier modification in the future. The script will be stored inside the /etc/iptables/rules directory.
Note: The rules allow traffic to flow into the VM so Suricata can inspect packets. In a real scenario, stricter filtering should be applied.
Create a dedicated folder, `/etc/suricata/rules/custom_rules`, containing the files `ping-flood.rules` and `port_scanning.rules`, then edit `suricata.yaml` to add the path to both rule files.
Both attack scripts can be created inside the Desktop directory; in this case it doesn't matter where they are stored, since this machine only sends the "attacks".
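Suricata silently depends on every rule having a unique `sid` and a well-formed `threshold` option, and a mistake only surfaces when the engine refuses to load the file. The parser and checker below, added as an example that is not part of this repository, show the structure of the rule lines that `ping-flood.rules` and `port_scanning.rules` contain. The two sample rules, their `sid` values, thresholds and message strings are constructed assumptions for illustration, not the lab's actual rules.

```python
"""Minimal parser and sanity checker for Suricata rule files.

Added example, not part of the lab repository. The two rules in SAMPLE_RULES
are constructed to show what a ping-flood rule and a port-scan rule look like;
the sids, thresholds and messages are assumptions, not the lab's values.
"""
import re

# Rule header: action proto src_ip src_port direction dst_ip dst_port (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

SAMPLE_RULES = """\
# Constructed sample rules (not the repository's files)
alert icmp any any -> $HOME_NET any (msg:"LAB ICMP ping flood"; itype:8; threshold:type both, track by_src, count 100, seconds 10; classtype:attempted-dos; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"LAB possible Nmap SYN scan"; flags:S; threshold:type threshold, track by_src, count 20, seconds 5; classtype:attempted-recon; sid:1000002; rev:1;)
"""


def split_options(opts):
    """Split the option body on ';' outside double quotes; return [(key, value), ...]."""
    parts, buf, in_quote = [], [], False
    for ch in opts:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if "".join(buf).strip():
        parts.append("".join(buf).strip())
    result = []
    for part in parts:
        if not part:
            continue
        key, _, value = part.partition(":")  # keyword-only options (e.g. "nocase") get value ""
        result.append((key.strip(), value.strip().strip('"')))
    return result


def parse_rule(line):
    """Parse one rule line into a dict with header fields and an ordered option list."""
    match = HEADER_RE.match(line)
    if not match:
        raise ValueError(f"not a rule line: {line[:40]!r}")
    rule = {k: match.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    rule["options"] = split_options(match.group("opts"))
    return rule


def parse_threshold(value):
    """'type both, track by_src, count 100, seconds 10' -> dict with ints where numeric."""
    out = {}
    for item in value.split(","):
        key, _, val = item.strip().partition(" ")
        val = val.strip()
        out[key] = int(val) if val.isdigit() else val
    return out


def load_rules(text):
    """Parse every non-comment, non-empty line of a rule file."""
    return [parse_rule(ln.strip()) for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]


def check_rules(rules):
    """Return problems that would make Suricata reject the file or make alerts hard to track."""
    problems, seen_sids = [], set()
    for rule in rules:
        opts = dict(rule["options"])
        sid = opts.get("sid")
        label = opts.get("msg", "<no msg>")
        if sid is None:
            problems.append(f"rule '{label}' has no sid")
        elif sid in seen_sids:
            problems.append(f"duplicate sid {sid} ('{label}')")
        seen_sids.add(sid)
        if "msg" not in opts:
            problems.append(f"sid {sid} has no msg")
        if "rev" not in opts:
            problems.append(f"sid {sid} has no rev")
        if "threshold" in opts:
            thr = parse_threshold(opts["threshold"])
            if thr.get("type") not in ("threshold", "limit", "both") \
                    or "count" not in thr or "seconds" not in thr:
                problems.append(f"sid {sid}: incomplete threshold '{opts['threshold']}'")
    return problems


if __name__ == "__main__":
    loaded = load_rules(SAMPLE_RULES)
    for r in loaded:
        print(r["proto"], dict(r["options"])["sid"], dict(r["options"])["msg"])
    print("problems:", check_rules(loaded) or "none")
```

The `threshold` option is what turns a single ICMP echo request or SYN packet into a flood or scan signal: `count` and `seconds` define the rate, and `track by_src` keys that rate on the sending host, so the check insists those fields are present before the file is copied into `custom_rules`.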
On the Target VM, open two terminals:
- Terminal 1 – Start Suricata
- Terminal 2 – Monitor the logs (you can also use tools like `jq` or `grep` on `eve.json` to parse detailed alerts)

On the Attacker VM, run the scripts one by one and observe the detections:
- Script 1 – `sudo ./flood_script.sh 10.0.8.80`
- Script 2 – `sudo ./scanning_script.sh 10.0.8.80`

In each case we can see how the target VM captures the traffic and triggers the alerts in real time.
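Beyond watching `fast.log` scroll, the useful next step is to summarise `eve.json` by signature and source host, which is also the shape a SIEM expects. The script below is an added example, not part of this repository. The event lines it embeds are constructed to resemble Suricata alert records for the two lab hosts (10.0.8.56 as attacker, 10.0.8.80 as target); the signature names, timestamps and the extra host 10.0.8.91 are assumptions, and non-alert events and a malformed line are included on purpose to show they are skipped.

```python
"""Summarise Suricata eve.json alerts by signature and by source host.

Added example, not from the lab repository. SAMPLE_EVE is constructed to look
like eve.json output; signature names, timestamps and 10.0.8.91 are assumptions.
Run with a path argument to process a real /var/log/suricata/eve.json.
"""
import json
import sys
from collections import Counter, defaultdict

SAMPLE_EVE = """\
{"timestamp":"2024-01-01T10:00:00.000000+0000","event_type":"alert","src_ip":"10.0.8.56","dest_ip":"10.0.8.80","proto":"ICMP","alert":{"signature_id":1000001,"rev":1,"signature":"LAB ICMP ping flood","category":"Attempted Denial of Service","severity":2}}
{"timestamp":"2024-01-01T10:00:00.100000+0000","event_type":"alert","src_ip":"10.0.8.56","dest_ip":"10.0.8.80","proto":"ICMP","alert":{"signature_id":1000001,"rev":1,"signature":"LAB ICMP ping flood","category":"Attempted Denial of Service","severity":2}}
{"timestamp":"2024-01-01T10:00:05.000000+0000","event_type":"flow","src_ip":"10.0.8.56","dest_ip":"10.0.8.80","proto":"TCP"}
{"timestamp":"2024-01-01T10:01:00.000000+0000","event_type":"alert","src_ip":"10.0.8.56","dest_ip":"10.0.8.80","proto":"TCP","dest_port":22,"alert":{"signature_id":1000002,"rev":1,"signature":"LAB possible Nmap SYN scan","category":"Attempted Information Leak","severity":2}}
this line is not json and must be skipped
{"timestamp":"2024-01-01T10:01:01.000000+0000","event_type":"alert","src_ip":"10.0.8.91","dest_ip":"10.0.8.80","proto":"TCP","dest_port":80,"alert":{"signature_id":1000002,"rev":1,"signature":"LAB possible Nmap SYN scan","category":"Attempted Information Leak","severity":2}}
"""


def iter_alerts(lines):
    """Yield only alert events; skip blank, malformed and non-alert lines (flow, stats, ...)."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("event_type") == "alert" and "alert" in event:
            yield event


def summarise(lines):
    """Count alerts per (sid, signature) and per source host, and record first/last timestamps per sid."""
    by_signature = Counter()
    by_source = defaultdict(Counter)
    first_seen, last_seen = {}, {}
    for event in iter_alerts(lines):
        sid = event["alert"]["signature_id"]
        by_signature[(sid, event["alert"]["signature"])] += 1
        by_source[event["src_ip"]][sid] += 1
        first_seen.setdefault(sid, event["timestamp"])
        last_seen[sid] = event["timestamp"]  # eve.json is written in time order
    return {
        "by_signature": by_signature,
        "by_source": dict(by_source),
        "first_seen": first_seen,
        "last_seen": last_seen,
    }


def noisy_sources(summary, min_alerts=2):
    """Source hosts responsible for at least min_alerts alerts across all signatures."""
    return sorted(src for src, counts in summary["by_source"].items()
                  if sum(counts.values()) >= min_alerts)


def main(path=None):
    if path:
        with open(path, encoding="utf-8") as fh:
            summary = summarise(fh)
    else:
        summary = summarise(SAMPLE_EVE.splitlines())
    for (sid, name), count in summary["by_signature"].most_common():
        print(f"sid {sid:>8}  {count:>5}  {name}  "
              f"[{summary['first_seen'][sid]} .. {summary['last_seen'][sid]}]")
    for src in noisy_sources(summary):
        print(f"source {src}: {dict(summary['by_source'][src])}")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Reading the file line by line rather than loading it whole matters on the target VM: a ping flood produces one alert record per threshold window and a scan one per port, so `eve.json` grows quickly, and the same per-source counts are what a SIEM correlation rule or SOAR playbook would key on.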
This simple lab helps visualize how traffic inspection tools like Suricata work with basic firewall configurations to detect and log suspicious activity like DoS attacks or port scans. While minimalistic, the setup is ideal for extending into SIEM/EDR/SOAR integrations or deeper network forensics.
Screenshots included in the repository:
- Img 7: Saving the firewall configuration
- Img 8 & 9: Updating Suricata and the rule sources
- Img 11 & 12: Ping flood and port scanning rules
- Img 13 & 14: Adding the rules to the suricata.yaml file and running Suricata in test mode
- Img 19: Making both scripts executable
- Img 20: Running Suricata and checking logs in real time
- Img 21: Executing the port scanning script
- Img 27 & 28: Executing the ping flood script
- Img 29 & 30: ICMP and ping flood alerts triggered
- Img 31: Checking firewall-captured traffic
All activities demonstrated in this project are strictly confined to a virtual lab environment, under full control and with no connection to external networks or systems. This project simulates malicious behaviors such as DoS attacks and port scanning solely for the purpose of learning how to detect, analyze, and respond to such events using defensive tools like Suricata and iptables.
As an aspiring cybersecurity professional, I adhere to the principles of ethical hacking:
- I do not perform unauthorized testing or scanning on live networks or systems.
- I believe in the responsible use of knowledge to improve the security posture of systems, not exploit it.
- My goal is to learn, share knowledge, and contribute to a safer and more secure digital world.
If you plan to reuse or adapt this lab, ensure you do so within an isolated environment and never target systems without explicit permission.
This project is intended solely for educational and research purposes. All simulations, including DoS and port scanning attacks, are conducted in a controlled lab environment using virtual machines.
Do not use these techniques on systems or networks you do not own or have explicit permission to test. Unauthorized scanning or disruption of services may be illegal and against ethical guidelines.
The author is not responsible for any misuse of the information provided in this repository.