CS155: Computer and Network Security
Programming Project 3 – Spring 2008
Craig Gentry, Naef Imam, Arnab Roy ({cgentry, nimam, arnab}@stanford.edu)
Thanks to Arpit Aggarwal and Elizabeth Stenson
Project Overview
1) Learn to examine network packets to obtain useful information
2) Implement a router that performs a simple scan detection
Part 1: Packet traces
We will use Wireshark to look at network packets.
Available at http://www.wireshark.org/ for most platforms.
Features useful for the project: individual packet info, filtering, following TCP/UDP streams, string search.
For the second part of the project you will also need to capture network packets.
Part 2: Scan Detection
Overview
Write a simple intrusion detection system to identify SYN floods, port scans and host scans.
Understand what goes into building a basic network intrusion detection system.
Block diagram: Browser -> Network -> Router/IDS
Setup
We'll be using a VNS system. Sample topology and routing table:
Destination      Gateway          Mask             Interface
192.168.131.81   192.168.131.81   255.255.255.255  eth1
0.0.0.0          172.24.74.17     0.0.0.0          eth0
Setup (2)
process_ip_packets() in process_ip.c is called for each IP packet.
protocol_headers.h and the Network Sorcery website are good sources for the header layouts.
SYN Floods
SYN floods are a denial-of-service attack used to make certain services unavailable on the target machine.
The attacker sends a large number of SYN packets to a specific port on the victim, opening connections it never completes.
When a SYN packet is received, the victim allocates resources for this new, half-open connection. Since these resources are finite, a large number of such connections makes the port on the target unusable for legitimate clients.
Port Scans
Port scans are used by attackers to see what ports and services are running on target machines, e.g. to find that the victim machine is running the notorious sendmail program!
They consist of any packet that would generate a response from the receiver: ICMP echo requests, TCP packets (including SYN packets; note the difference from a SYN flood, which hammers one port to exhaust it rather than probing many).
These packets are sent to a large number of ports on a machine with the aim of finding listening processes and open ports. Most of them get negative responses, since most ports are closed.
Host Scans
Same methodology as port scans, but run across a large number of machines in the network, checking each of them for the same open port.
Assumptions
Clients respond to data packets that are part of an established flow.
You're only working with TCP, UDP and ICMP Echo packets.
What to do
We are only implementing port scan detection.
Explain in your README how you would expand your program to track host scans and SYN floods, including a discussion of the various cases. You do not need to implement them.
Track the number of connection requests vs. positive responses for each originating host.
If this ratio exceeds 3 to 1, your router must issue a warning. (Print warnings to a file called scan_warning.)
Warning format: source ip<tab>SCANNING
For each negative response received (not timeouts): source ip<tab>NEG<tab>TYPE, where TYPE is RST or ICMP_UNREACH.
What to do (2)
Connection Request         Positive Response    Negative Response
TCP SYN packet             TCP SYN/ACK          TCP RST, timeout
ICMP Echo Request          ICMP Echo Reply      ICMP Host/Port Unreachable, timeout
UDP packet (traceroute)    Other replies        ICMP Port Unreachable, timeout
Considerations
Timeouts:
Between packets: 1 second (so that packet bursts don't get unduly noted)
Keepalive for each host: 30 seconds
No false positives: consider cases like a buggy program repeatedly making requests, and getting negative responses, to a single port.
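The per-host tracker that the "What to do" and "Considerations" slides describe, as an added example that is not part of the handout or its starter code. It assumes the decoding has already happened in process_ip_packets() and that each packet arrives as one event classified per the table above (request, positive response, negative response) and attributed to the originating host. Two readings are assumptions of this example rather than statements on the slides: the 1-second figure is used as the reply timeout for each outstanding request, and the 30-second figure as the keepalive after which an idle host's state is dropped. The minimum-request floor and the "more than one target port" guard are likewise this example's own answer to the no-false-positives requirement; the names (observe, run_demo, host_status) are hypothetical.

```c
/* Port-scan tracker for the rule on the slides above. Added example, not the project's
 * code: it assumes process_ip_packets() has already decoded each packet into one
 * classified event (request / positive / negative) attributed to the originating host. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MAX_HOSTS     32
#define MAX_PENDING   16
#define REPLY_TIMEOUT  1  /* s: a request unanswered this long is a timeout (assumption) */
#define HOST_TTL      30  /* s: keepalive; forget a source idle this long (assumption) */
#define MIN_REQUESTS   3  /* assumption: floor so a single lost SYN never warns */
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))
#define IPARG(ip) (ip) >> 24, ((ip) >> 16) & 255, ((ip) >> 8) & 255, (ip) & 255

enum kind { REQUEST, POSITIVE, NEGATIVE };
struct event { enum kind kind; uint32_t src; uint16_t port; long ts; const char *negtype; };
struct pending { uint16_t port; long ts; };
struct host {
    int used, warned, multiport, npending;  /* multiport: more than one target port seen */
    uint32_t ip; uint16_t first_port; long last_seen;
    unsigned nreq, requests, positives;     /* seen; answered or timed out; positive */
    struct pending pending[MAX_PENDING];
};
static struct host table[MAX_HOSTS];

/* Find or create a source's state, expiring idle hosts (keepalive) on the way. */
static struct host *lookup(uint32_t ip, long now) {
    struct host *slot = NULL;
    for (int i = 0; i < MAX_HOSTS; i++) {
        struct host *h = &table[i];
        if (h->used && now - h->last_seen > HOST_TTL) h->used = 0;
        if (h->used && h->ip == ip) return h;
        if (!h->used && !slot) slot = h;
    }
    if (slot) { memset(slot, 0, sizeof *slot); slot->used = 1; slot->ip = ip; }
    return slot;  /* NULL when the table is full; a real IDS would evict instead */
}
/* Pending requests older than REPLY_TIMEOUT are counted as timed out (unanswered). */
static void expire_pending(struct host *h, long now) {
    int k = 0;
    for (int i = 0; i < h->npending; i++)
        if (now - h->pending[i].ts > REPLY_TIMEOUT) h->requests++;
        else h->pending[k++] = h->pending[i];
    h->npending = k;
}
static int match_pending(struct host *h, uint16_t port) {
    for (int i = 0; i < h->npending; i++)
        if (h->pending[i].port == port) { h->pending[i] = h->pending[--h->npending]; return 1; }
    return 0;
}

/* Feed one event. NEG and SCANNING lines go to out (scan_warning in the project; NULL
 * for silence). Returns 1 if this event raised a SCANNING warning. */
int observe(const struct event *ev, FILE *out) {
    struct host *h = lookup(ev->src, ev->ts);
    if (!h) return 0;
    h->last_seen = ev->ts;
    expire_pending(h, ev->ts);
    if (ev->kind == REQUEST) {
        if (h->npending < MAX_PENDING) h->pending[h->npending++] = (struct pending){ ev->port, ev->ts };
        else h->requests++;  /* overflow: count as unanswered rather than lose it */
        if (h->nreq++ == 0) h->first_port = ev->port;
        else if (ev->port != h->first_port) h->multiport = 1;
    } else if (match_pending(h, ev->port)) {
        h->requests++;
        if (ev->kind == POSITIVE) h->positives++;
    }
    if (ev->kind == NEGATIVE && out)  /* every negative response, timeouts excluded */
        fprintf(out, "%u.%u.%u.%u\tNEG\t%s\n", IPARG(h->ip), ev->negtype);
    /* Warn once when requests:positives exceeds 3:1, guarded against the false
     * positives on the slides: too few requests, or a buggy client on one port. */
    if (!h->warned && h->multiport && h->requests >= MIN_REQUESTS && h->requests > 3 * h->positives) {
        h->warned = 1;
        if (out) fprintf(out, "%u.%u.%u.%u\tSCANNING\n", IPARG(h->ip));
        return 1;
    }
    return 0;
}
/* -1 if the host has been forgotten, otherwise its warned flag. */
int host_status(uint32_t ip) {
    for (int i = 0; i < MAX_HOSTS; i++)
        if (table[i].used && table[i].ip == ip) return table[i].warned;
    return -1;
}

/* Constructed trace (not captured data): an idle host, a scanner, a buggy client
 * hammering one closed port, and a normal client. Returns the number of warnings. */
int run_demo(FILE *out) {
    const uint32_t idle = IP4(10,0,0,3), scan = IP4(10,0,0,5), buggy = IP4(10,0,0,7), good = IP4(10,0,0,9);
    const struct event trace[] = {
        { REQUEST, idle,   80,  0, NULL },
        { REQUEST, scan,   21, 10, NULL }, { NEGATIVE, scan,   21, 10, "RST" },
        { REQUEST, scan,   22, 10, NULL }, { POSITIVE, scan,   22, 10, NULL },
        { REQUEST, scan,   23, 10, NULL }, { NEGATIVE, scan,   23, 10, "RST" },
        { REQUEST, scan,   80, 10, NULL },                     /* never answered */
        { REQUEST, buggy, 3306, 11, NULL }, { NEGATIVE, buggy, 3306, 11, "RST" },
        { REQUEST, buggy, 3306, 12, NULL }, { NEGATIVE, buggy, 3306, 12, "RST" },
        { REQUEST, buggy, 3306, 13, NULL }, { NEGATIVE, buggy, 3306, 13, "RST" },
        { REQUEST, good,   80, 15, NULL }, { POSITIVE, good,   80, 15, NULL },
        { REQUEST, good,  443, 15, NULL }, { POSITIVE, good,  443, 15, NULL },
        { REQUEST, scan, 8080, 20, NULL },  /* port 80 times out here: 4 requests vs 1 positive */
        { REQUEST, good,   22, 40, NULL },  /* the idle host is forgotten by now */
    };
    int warnings = 0;
    memset(table, 0, sizeof table);
    for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++) warnings += observe(&trace[i], out);
    return warnings;
}
int main(void) { return run_demo(stdout) == 1 ? 0 : 1; }
```

Run as written, it prints the NEG lines and a single SCANNING line for 10.0.0.5; in the project the FILE passed to observe() would be the scan_warning file. The buggy client's three RSTs produce NEG lines but no warning because it only ever touched one port, and the port-80 probe is not charged to the scanner until its reply timeout has passed.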
Wrapup
The hard part is figuring out how to parse the various layers of headers. You can find the header definitions at:
Ethernet: /usr/include/net/ethernet.h
IP: /usr/include/netinet/ip.h
TCP: /usr/include/netinet/tcp.h
The harder part is to create data structures to keep state information.
Wrapup (2)
This whole assignment shouldn't take more than a couple hundred lines of code.
However, it requires a good understanding of what's happening on the network.
The programs seem simple, but they can take more time than anticipated.
Enjoy yourself: this is fun stuff!
Goals of the assignment
Get some hands-on experience attacking and defending networks.
DON'T end up in jail: never test your code outside of the VNS environment!
Good luck!
Addendum: Quick TCP/IP Review
TCP/IP Overview
Basic knowledge of TCP/IP and of DDoS with SYN floods, as discussed in class, is required.
We assume a basic knowledge on the level of packets and ports. If you're not that comfortable with this, stop by office hours.
Relevant Network Layers
From http://www.erg.abdn.ac.uk/users/gorry/course/images/ftp-tcp-enet.gif
Cliffs Notes Version
Each TCP packet that you see is actually a TCP segment wrapped inside an IP packet wrapped inside an Ethernet frame, so the headers sit back to back:
Ethernet Header | IP Header | TCP Header | Application Data
TCP Flags
Synchronize flag [SYN]: used to initiate a TCP connection.
Acknowledgement flag [ACK]: used to confirm received data.
Finish flag [FIN]: used to shut down the connection.
TCP Flags (2)
Push flag [PSH]: do not buffer data on the receiver side; deliver it directly to the application.
Urgent flag [URG]: signifies data with a higher priority than the other traffic, e.g. a Ctrl+C interrupt during an FTP transfer.
Reset flag [RST]: tells the receiver to tear down the connection immediately.
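An added example, not the handout's code, of the parsing that the Wrapup slide calls the hard part: walking the Ethernet, IP and TCP/UDP/ICMP headers by byte offset (the same fields the /usr/include structs name), decoding the TCP flag bits listed above, and mapping each packet onto the request/positive/negative table from the "What to do (2)" slide. The three frames it decodes are constructed inline with checksums left zero, and the function names (parse_frame, flag_names, classify, frame_kind) are this example's own.

```c
/* Layer-by-layer decode of Ethernet -> IPv4 -> TCP/UDP/ICMP as described above, mapped
 * onto the request/positive/negative table of the project. Added example, not the
 * project's code: it reads headers by byte offset rather than through the /usr/include
 * structs so the layout stays visible. All frames below are constructed, not captured. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define ETH_HLEN 14
#define ETHERTYPE_IPV4 0x0800
enum { TH_FIN = 0x01, TH_SYN = 0x02, TH_RST = 0x04, TH_PSH = 0x08, TH_ACK = 0x10, TH_URG = 0x20 };
enum kind { OTHER, REQUEST, POSITIVE, NEGATIVE };
struct pkt {
    uint8_t proto;                 /* 1 ICMP, 6 TCP, 17 UDP */
    uint32_t src, dst;             /* IPv4 addresses, host byte order */
    uint16_t sport, dport;         /* TCP/UDP only */
    uint8_t flags, icmp_type, icmp_code;
};
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3]; }

/* Fill out from a raw frame; 0 on success, -1 if not decodable IPv4. Every length is
 * checked before the bytes it covers are read, which is where header parsers usually go wrong. */
int parse_frame(const uint8_t *f, size_t len, struct pkt *out) {
    if (len < ETH_HLEN + 20 || rd16(f + 12) != ETHERTYPE_IPV4) return -1;
    const uint8_t *ip = f + ETH_HLEN;
    size_t ihl = (ip[0] & 0x0f) * 4;            /* IHL is in 32-bit words */
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < ETH_HLEN + ihl) return -1;
    if (rd16(ip + 6) & 0x1fff) return -1;       /* later fragment: no L4 header here */
    memset(out, 0, sizeof *out);
    out->proto = ip[9]; out->src = rd32(ip + 12); out->dst = rd32(ip + 16);
    const uint8_t *l4 = ip + ihl;
    size_t l4len = len - ETH_HLEN - ihl;
    switch (out->proto) {
    case 6:                                     /* TCP: flags are the low 6 bits of byte 13 */
        if (l4len < 20) return -1;
        out->sport = rd16(l4); out->dport = rd16(l4 + 2); out->flags = l4[13] & 0x3f;
        return 0;
    case 17:                                    /* UDP */
        if (l4len < 8) return -1;
        out->sport = rd16(l4); out->dport = rd16(l4 + 2);
        return 0;
    case 1:                                     /* ICMP */
        if (l4len < 8) return -1;
        out->icmp_type = l4[0]; out->icmp_code = l4[1];
        return 0;
    }
    return -1;
}

/* Render TCP flags as e.g. "SYN,ACK"; buf must hold at least 24 bytes. */
const char *flag_names(uint8_t flags, char *buf) {
    static const struct { uint8_t bit; const char *name; } t[] = { {TH_FIN, "FIN"},
        {TH_SYN, "SYN"}, {TH_RST, "RST"}, {TH_PSH, "PSH"}, {TH_ACK, "ACK"}, {TH_URG, "URG"} };
    buf[0] = 0;
    for (size_t i = 0; i < sizeof t / sizeof t[0]; i++)
        if (flags & t[i].bit) { if (buf[0]) strcat(buf, ","); strcat(buf, t[i].name); }
    return buf;
}
/* Classify a parsed packet per the table on the "What to do (2)" slide. */
enum kind classify(const struct pkt *p) {
    switch (p->proto) {
    case 6:
        if (p->flags & TH_RST) return NEGATIVE;
        if ((p->flags & (TH_SYN | TH_ACK)) == (TH_SYN | TH_ACK)) return POSITIVE;
        return (p->flags & TH_SYN) ? REQUEST : OTHER;
    case 17: return REQUEST;                    /* traceroute-style UDP probe */
    case 1:
        if (p->icmp_type == 8) return REQUEST;  /* echo request */
        if (p->icmp_type == 0) return POSITIVE; /* echo reply */
        if (p->icmp_type == 3) return NEGATIVE; /* destination unreachable */
    }
    return OTHER;
}

/* 10.0.0.5:49152 -> 192.168.1.10:22, SYN (checksums left zero in these constructed frames) */
const uint8_t SYN_FRAME[54] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00, 10,0,0,5, 192,168,1,10,
    0xc0,0x00, 0x00,0x16, 0,0,0,0, 0,0,0,0, 0x50,0x02, 0xff,0xff, 0,0, 0,0 };
/* 192.168.1.10:22 -> 10.0.0.5:49152, RST/ACK: the port is closed */
const uint8_t RST_FRAME[54] = {
    0x66,0x77,0x88,0x99,0xaa,0xbb, 0x00,0x11,0x22,0x33,0x44,0x55, 0x08,0x00,
    0x45,0x00,0x00,0x28, 0x00,0x02,0x00,0x00, 0x40,0x06,0x00,0x00, 192,168,1,10, 10,0,0,5,
    0x00,0x16, 0xc0,0x00, 0,0,0,0, 0,0,0,1, 0x50,0x14, 0x00,0x00, 0,0, 0,0 };
/* 192.168.1.10 -> 10.0.0.5, ICMP type 3 code 3 (port unreachable); quoted body omitted */
const uint8_t UNREACH_FRAME[42] = {
    0x66,0x77,0x88,0x99,0xaa,0xbb, 0x00,0x11,0x22,0x33,0x44,0x55, 0x08,0x00,
    0x45,0x00,0x00,0x1c, 0x00,0x03,0x00,0x00, 0x40,0x01,0x00,0x00, 192,168,1,10, 10,0,0,5,
    0x03,0x03,0x00,0x00, 0,0,0,0 };
/* Parse and classify (or parse and read the flags) in one call; -1 if the frame does not parse. */
int frame_kind(const uint8_t *f, size_t len) { struct pkt p; return parse_frame(f, len, &p) ? -1 : (int)classify(&p); }
int frame_flags(const uint8_t *f, size_t len) { struct pkt p; return parse_frame(f, len, &p) ? -1 : p.flags; }

int main(void) {
    static const char *names[] = { "other", "request", "positive", "negative" };
    const uint8_t *frames[] = { SYN_FRAME, RST_FRAME, UNREACH_FRAME };
    const size_t lens[] = { sizeof SYN_FRAME, sizeof RST_FRAME, sizeof UNREACH_FRAME };
    for (int i = 0; i < 3; i++) {
        struct pkt p; char fl[24];
        if (parse_frame(frames[i], lens[i], &p)) { puts("unparsable"); continue; }
        printf("proto %u  %u -> %u  flags=%s icmp=%u/%u  -> %s\n", p.proto, p.sport, p.dport,
               flag_names(p.flags, fl), p.icmp_type, p.icmp_code, names[classify(&p)]);
    }
    return 0;
}
```

In the project, parse_frame would run inside process_ip_packets() on the buffer the router hands you; the truncation checks matter because a frame shorter than the headers it claims is exactly what a malformed or fragmented packet looks like, and reading past it is the classic parser bug.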
Connection setup: "three-way handshake"
From http://www.cs.colorado.edu/~tor/sadocs/tcpip/3way.png
Connection termination
Either side can initiate termination. Note that the first FIN packet may still contain data!
From http://homepages.feis.herts.ac.uk/~cs2_sn2/sn2-img62.png