Understand and implement a router that detects SYN floods, port, and host scans. Learn to analyze network packets and build intrusion detection systems. Guidelines and information provided for creating effective security measures.
CS155: Computer and Network Security Programming Project 3 – Spring 2008 Craig Gentry, Naef Imam, Arnab Roy {cgentry, nimam, arnab} @stanford.edu Thanks to Arpit Aggarwal and Elizabeth Stenson
Project Overview • Learn to examine network packets to obtain useful information • Implement a router that performs a simple scan detection
Part 1: Packet traces • We will use Wireshark to look at network packets. • Available at: http://www.wireshark.org/ • Available for most platforms
Features useful for the project • Individual Packet info • Filtering • Following TCP/UDP streams • String search • For the 2nd part of the project you will need to capture network packets as well
Part 2 Scan Detection
Overview • Write a simple intrusion detection system to identify SYN floods, port and host scans • Understand what goes into building a basic network intrusion detection system • Block diagram: Browser <-> Router/IDS <-> Network
Setup • We’ll be using a VNS system • Sample topology and routing table
Sample routing table (destination, next hop, mask, interface):
192.168.131.81   192.168.131.81   255.255.255.255   eth1
0.0.0.0          172.24.74.17     0.0.0.0           eth0
Setup(2) • process_ip_packets() in process_ip.c is called for each IP packet • protocol_headers.h and the Network Sorcery website are good sources for the header layouts
SYN Floods • A SYN flood is a Denial of Service attack used to make certain services unavailable on the target machine • The attacker opens numerous connections to the victim machine on a specific port • When a SYN packet is received, the victim allocates resources to this new connection – since these resources are finite, a large number of half-open connections makes the port on the target unusable
Port Scans • Port scans are used by attackers to see what ports and services are running on target machines • E.g. use a port scan to find that the victim machine is running the notorious sendmail program! • They consist of any packet that would generate a response from a receiver – ICMP echo requests, TCP packets (including SYN packets – note the difference from a SYN flood!) • These packets are sent to a large number of ports on a machine with the aim of finding processes and possible open ports. Often they get negative responses.
Host Scans • Similar methodology to port scans, but done over a large number of machines in the network, checking each of them for the same open port
Assumptions • Clients respond to data packets that are part of an established flow • You’re only working with TCP, UDP and ICMP Echo packets
What to do • We are only implementing port scan detection • Explain in your README how you would expand your program to track host scans and SYN floods, including a discussion of the various cases. You do not need to implement them. (Note) • Track the number of connection requests vs. positive responses for each originating host • If this ratio exceeds 3 to 1, your router must issue a warning (Note: print warnings to a file called scan_warning) in the form: source ip<tab>SCANNING • For each negative response received (not timeouts), print: source ip<tab>NEG<tab>TYPE (where TYPE can be RST or ICMP_UNREACH)
Considerations • Timeouts • Between packets – 1 second (to make sure packet bursts don’t get unduly noted) • Keepalive for each host – 30 seconds • No false positives • Consider cases like a buggy program making requests that get negative responses from a single port
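The per-host bookkeeping from the "What to do" and "Considerations" slides, as an added example in C (not the course's starter code): requests and positive responses are counted per source host, a host is judged only once it has been quiet for the 1-second gap so replies to a burst have had time to arrive, its state can be dropped after the 30-second keepalive, and warnings use the source ip<tab>SCANNING and source ip<tab>NEG<tab>TYPE formats. The lookup table keyed by source IP is left to the caller, and the MIN_REQS threshold plus the rule that a scan must touch more than one port are this example's own assumptions for avoiding the single-port false positive.

```c
#include <stdint.h>
#include <stdio.h>
#define BURST_GAP 1.0  /* s: judge a host only after it has been quiet this long */
#define KEEPALIVE 30.0 /* s: idle time after which a host's state may be dropped */
#define MIN_REQS  4    /* assumption: minimum requests before the ratio is judged */
#define IPQ(ip) (ip) >> 24, ((ip) >> 16) & 255, ((ip) >> 8) & 255, (ip) & 255

/* Per-source-host state; the router keeps one per source IP (table left to the caller). */
struct host_state {
    uint32_t ip;                 /* source IP, host byte order */
    int requests, positives;     /* connection requests vs positive responses */
    int distinct_ports, warned;  /* ports touched; SCANNING already reported */
    double last_req, last_seen;  /* time of last request / of last packet seen */
    uint8_t portmap[8192];       /* one bit per destination port already tried */
};

void host_init(struct host_state *h, uint32_t ip, double now) {
    *h = (struct host_state){ .ip = ip, .last_req = now, .last_seen = now };
}
/* Keepalive: true once the host has been idle long enough to be forgotten. */
int host_expired(const struct host_state *h, double now) { return now - h->last_seen > KEEPALIVE; }

/* Warn once the host has been quiet for BURST_GAP (so replies to a burst had time
   to arrive), sent MIN_REQS requests to more than one port (a buggy client retrying
   one closed port is not a scan) and exceeds 3 requests per positive response. */
int host_check(struct host_state *h, double now, FILE *out) {
    if (h->warned || now - h->last_req < BURST_GAP || h->requests < MIN_REQS) return 0;
    if (h->distinct_ports < 2 || h->requests <= 3 * h->positives) return 0;
    h->warned = 1;
    fprintf(out, "%u.%u.%u.%u\tSCANNING\n", IPQ(h->ip));
    return 1;
}

/* Connection request (TCP SYN, UDP datagram, ICMP echo) from the host to dport. */
int host_request(struct host_state *h, uint16_t dport, double now, FILE *out) {
    int flagged = host_check(h, now, out);   /* judge the previous burst first */
    if (!(h->portmap[dport >> 3] & (1 << (dport & 7)))) h->distinct_ports++;
    h->portmap[dport >> 3] |= 1 << (dport & 7);
    h->requests++;
    h->last_req = h->last_seen = now;
    return flagged;
}

/* Response back to the host: positive (SYN+ACK, echo reply, UDP data) or negative
   with neg_type "RST" or "ICMP_UNREACH", which is logged as ip<tab>NEG<tab>type. */
int host_response(struct host_state *h, int positive, const char *neg_type, double now, FILE *out) {
    h->last_seen = now;
    if (positive) h->positives++;
    else fprintf(out, "%u.%u.%u.%u\tNEG\t%s\n", IPQ(h->ip), neg_type);
    return host_check(h, now, out);
}
```

A fast scanner that goes quiet is only judged when the next packet touches its state, so a periodic timer calling host_check on every live host is needed in the real router.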
Wrapup • The hard part is figuring out how to parse the various layers of headers. • You can find the header definitions at: • Ethernet: /usr/include/net/ethernet.h • IP: /usr/include/netinet/ip.h • TCP: /usr/include/netinet/tcp.h • The harder part is to create data structures to keep state info.
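An added example (not the starter code and not the system headers listed above) of the parsing step: it walks the Ethernet, IPv4 and TCP/UDP/ICMP headers by byte offset, checks the length at every layer so a truncated or lying packet cannot be read past its end, and labels the packet the way the scan detector needs it (request, positive response, or negative response of type RST or ICMP unreachable). The byte offsets follow the standard header layouts; the SYN frame at the end is a constructed sample, not a capture.

```c
#include <stddef.h>
#include <stdint.h>

/* What the scan detector needs to know about each packet crossing the router. */
enum pkt_kind { PKT_OTHER, PKT_MALFORMED, PKT_REQUEST, PKT_POSITIVE,
                PKT_UDP, PKT_NEG_RST, PKT_NEG_ICMP_UNREACH };
struct pkt_info {
    enum pkt_kind kind;
    uint32_t src, dst;       /* IPv4 addresses, host byte order */
    uint16_t sport, dport;   /* TCP/UDP ports, host byte order (0 for ICMP) */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | p[2] << 8 | p[3]; }

/* Walk Ethernet -> IPv4 -> TCP/UDP/ICMP, checking the length at every layer. */
struct pkt_info classify(const uint8_t *f, size_t len) {
    struct pkt_info r = { PKT_MALFORMED, 0, 0, 0, 0 };
    if (len < 14 || rd16(f + 12) != 0x0800) { r.kind = PKT_OTHER; return r; }  /* not IPv4 */
    const uint8_t *ip = f + 14;
    size_t rem = len - 14;
    if (rem < 20 || ip[0] >> 4 != 4) return r;
    size_t ihl = (ip[0] & 0x0f) * 4, tot = rd16(ip + 2);
    if (ihl < 20 || tot < ihl || tot > rem) return r;   /* header or total length lies */
    r.src = rd32(ip + 12); r.dst = rd32(ip + 16);
    const uint8_t *l4 = ip + ihl; size_t l4len = tot - ihl;
    if (ip[9] == 6 && l4len >= 20) {                    /* TCP: flags live in byte 13 */
        r.sport = rd16(l4); r.dport = rd16(l4 + 2);
        r.kind = (l4[13] & 0x04) ? PKT_NEG_RST                  /* RST: negative */
               : (l4[13] & 0x12) == 0x12 ? PKT_POSITIVE         /* SYN+ACK: positive */
               : (l4[13] & 0x02) ? PKT_REQUEST : PKT_OTHER;     /* bare SYN: request */
    } else if (ip[9] == 17 && l4len >= 8) {             /* UDP: request or reply is */
        r.sport = rd16(l4); r.dport = rd16(l4 + 2);     /* decided by the caller's flow state */
        r.kind = PKT_UDP;
    } else if (ip[9] == 1 && l4len >= 8) {              /* ICMP: 8 echo req, 0 reply, 3 unreach */
        r.kind = l4[0] == 8 ? PKT_REQUEST : l4[0] == 0 ? PKT_POSITIVE
               : l4[0] == 3 ? PKT_NEG_ICMP_UNREACH : PKT_OTHER;
    } else if (ip[9] != 6 && ip[9] != 17 && ip[9] != 1) {
        r.kind = PKT_OTHER;                             /* other protocol: ignored, not malformed */
    }
    return r;
}

/* Constructed sample frame: 10.0.0.5:1234 -> 192.168.131.81:80, TCP flags 0x02 (SYN). */
const uint8_t sample_syn[54] = {
    0,1,2,3,4,5, 6,7,8,9,10,11, 0x08,0x00,                                  /* Ethernet */
    0x45,0, 0x00,0x28, 0,0, 0x40,0, 64,6, 0,0, 10,0,0,5, 192,168,131,81,    /* IPv4, proto 6 */
    0x04,0xd2, 0x00,0x50, 0,0,0,1, 0,0,0,0, 0x50,0x02, 0xff,0xff, 0,0, 0,0  /* TCP */
};
```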
Wrapup(2) • This whole assignment shouldn’t take more than a couple hundred lines of code • However, it requires a good understanding of what’s happening on the network • The programs seem simple, but they can take more time than anticipated • Enjoy yourself – this is fun stuff!
Goals of the assignment • Get some hands-on experience attacking and defending networks • DON’T end up in jail • Never test your code outside of the VNS environment!
TCP/IP Overview • Basic knowledge of TCP/IP and DDoS with SYN floods is required, as discussed in class • We assume a basic knowledge at the level of packets and ports • If you’re not that comfortable with this, stop by office hours
Relevant Network Layers From http://www.erg.abdn.ac.uk/users/gorry/course/images/ftp-tcp-enet.gif
Cliffs Notes Version • Each TCP packet that you see is actually a TCP packet wrapped inside of an IP packet wrapped inside of an Ethernet packet: [Ethernet Header | IP Header | TCP Header | Application Data]
TCP Flags • Synchronize flag [SYN] • Used to initiate a TCP connection • Acknowledgement flag [ACK] • Used to confirm received data • Finish flag [FIN] • Used to shut down the connection
TCP Flags (2) • Push flag [PSH] • Do not buffer data on the receiver side – send it directly to the application level • Urgent flag [URG] • Used to signify data with a higher priority than the other traffic • E.g. a Ctrl+C interrupt during an FTP transfer • Reset flag [RST] • Tells the receiver to tear down the connection immediately
Connection setup • “Three-way handshake” From http://www.cs.colorado.edu/~tor/sadocs/tcpip/3way.png
Connection termination • Either side can initiate termination • Note that the first FIN packet may still contain data! From http://homepages.feis.herts.ac.uk/~cs2_sn2/sn2-img62.png