CS155: Computer and Network Security
Programming Project 3 – Spring 2008
Craig Gentry, Naef Imam, Arnab Roy {cgentry, nimam,
Thanks to Arpit Aggarwal and Elizabeth Stenson
Project Overview
1) Learn to examine network packets to obtain useful information
2) Implement a router that performs a simple scan detection

Part 1: Packet traces
- We will use Wireshark to look at network packets.
- Available for most platforms

Features useful for the project
- Individual packet info
- Filtering
- Following TCP/UDP streams
- String search
- For the 2nd part of the project you will need to capture network packets as well

Part 2: Scan Detection

Overview
- Write a simple intrusion detection system to identify SYN floods, port scans and host scans
- Understand what goes into building a basic network intrusion detection system
- Block diagram (figure): Browser, Network, Router/IDS

Setup
- We’ll be using a VNS system
- Sample topology and routing table (figure not preserved in the transcript)

Setup (2)
- process_ip_packets() in process_ip.c is called for each IP packet
- protocol_headers.h and the Network Sorcery website are good sources

SYN Floods
- SYN floods are a denial of service attack used to make certain services unavailable on the target machine
- The attacker sets up numerous connections to the victim machine using a specific port
- When a SYN packet is received, the victim allocates resources to this new connection. Since these resources are finite, a large number of connections will make the port on the target unusable

Port Scans
- Port scans are used by attackers to see what ports and services are running on target machines
- E.g. use port scans to find that the victim machine is running the notorious sendmail program!
- Consist of any packet that would generate a response from a receiver: ICMP echo requests, TCP packets (including SYN packets; note the difference from a SYN flood!)
- These packets are sent to a large number of ports on a machine with the aim of finding processes and possible open ports. Often they get negative responses.

Host Scans
- Similar methodology to port scans. Just does it over a large number of machines, checking them for the same open port

Assumptions
- Clients respond to data packets that are part of an established flow
- You’re only working with TCP, UDP and ICMP Echo packets

What to do
- We are only implementing port scans
- Explain in your README how you would expand your program to track host scans and SYN floods, including a discussion of the various cases. You do not need to implement them.
- Track the number of connection requests vs. positive responses for each originating host
- If this ratio exceeds 3 to 1, your router must issue a warning (print it to a file called scan_warning):
    <source ip> SCANNING
- For each negative response received (not timeouts):
    <source ip> NEG <TYPE> (where TYPE can be RST, ICMP_UNREACH)

What to do (2)
Connection Request       | Positive Response       | Negative Response
TCP SYN packet           | TCP SYN/ACK             | TCP RST, Timeout
ICMP Echo Request        | ICMP Echo Reply         | ICMP Port Unreachable, Timeout
UDP packet (Traceroute)  | Timeout, Other replies  | ICMP Host/Port Unreachable

Considerations
- Timeouts between packets: 1 second (to make sure packet bursts don’t get unduly noted)
- Keepalive for each host: 30 seconds
- No false positives
- Consider cases like a buggy program making requests with negative responses to a single port
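Bookkeeping for the detector described on the What to do and Considerations slides, as an added example in C; it is not the project's process_ip.c code. It keeps one record per originating host, counts requests against positive responses, turns a request left unanswered for more than 1 second into a timeout, forgets hosts that have been silent for 30 seconds, and produces the scan_warning lines in the formats given above. The caller is assumed to have already classified each packet (SYN, echo request or UDP probe as a request; SYN/ACK or echo reply as positive; RST or ICMP unreachable as negative) and to pass timestamps in seconds. MIN_REQUESTS and the rule that at least two distinct ports must have been probed are my assumptions, added to cover the buggy-program case from the Considerations slide.

```c
/* Added example (not the project's code). The 3:1 ratio, the 1 s response
 * timeout, the 30 s keepalive and the scan_warning line formats come from the
 * slides; MIN_REQUESTS and the "two distinct ports" rule are assumptions added
 * so that a buggy client retrying a single port does not trip the detector. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define MAX_HOSTS        64
#define MAX_PENDING      32
#define MAX_PORTS        32
#define RESPONSE_TIMEOUT 1.0   /* seconds before an unanswered request counts as a timeout */
#define HOST_KEEPALIVE   30.0  /* seconds of silence before a source's state is forgotten */
#define SCAN_RATIO       3     /* warn once requests exceed 3 x positive responses */
#define MIN_REQUESTS     4     /* assumption: never judge a source on fewer requests */
#define IP_FMT           "%u.%u.%u.%u"
#define IP_ARGS(ip)      (ip) >> 24, ((ip) >> 16) & 255, ((ip) >> 8) & 255, (ip) & 255

struct host_state {
    int      in_use, warned;
    uint32_t ip;                   /* originating host, host byte order */
    unsigned requests, positives, negatives;
    unsigned n_pending, n_ports;
    double   pending[MAX_PENDING]; /* send times of requests still awaiting a reply */
    uint16_t ports[MAX_PORTS];     /* distinct destination ports probed */
    double   last_seen;
};

static struct host_state table[MAX_HOSTS];

/* Read-only lookup for inspection; never creates or expires entries. */
const struct host_state *find_host(uint32_t ip)
{
    for (int i = 0; i < MAX_HOSTS; i++)
        if (table[i].in_use && table[i].ip == ip) return &table[i];
    return NULL;
}

/* Find or create a source's state, forgetting entries idle longer than HOST_KEEPALIVE. */
static struct host_state *lookup(uint32_t ip, double now)
{
    struct host_state *spare = NULL;
    for (int i = 0; i < MAX_HOSTS; i++) {
        struct host_state *h = &table[i];
        if (h->in_use && now - h->last_seen > HOST_KEEPALIVE) h->in_use = 0;
        if (h->in_use && h->ip == ip) return h;
        if (!h->in_use && !spare) spare = h;
    }
    if (!spare) return NULL;
    memset(spare, 0, sizeof *spare);
    spare->in_use = 1;
    spare->ip = ip;
    return spare;
}

/* Requests unanswered longer than RESPONSE_TIMEOUT become timeouts (negatives);
 * when `answered`, the oldest remaining request is matched to the reply just seen. */
static void settle(struct host_state *h, double now, int answered)
{
    unsigned kept = 0;
    for (unsigned i = 0; i < h->n_pending; i++) {
        if (now - h->pending[i] > RESPONSE_TIMEOUT) h->negatives++;
        else h->pending[kept++] = h->pending[i];
    }
    h->n_pending = kept;
    if (answered && h->n_pending > 0) {
        h->n_pending--;
        memmove(h->pending, h->pending + 1, h->n_pending * sizeof h->pending[0]);
    }
    h->last_seen = now;
}

/* TCP SYN, ICMP echo request or UDP probe from src to dst_port. Returns 1 and writes
 * "<src ip> SCANNING" into `line` (for scan_warning) the first time the source
 * crosses the ratio; otherwise returns 0. */
int record_request(uint32_t src, uint16_t dst_port, double now, char *line, size_t len)
{
    struct host_state *h = lookup(src, now);
    if (!h) return 0;
    settle(h, now, 0);
    h->requests++;
    if (h->n_pending < MAX_PENDING) h->pending[h->n_pending++] = now;
    int known = 0;
    for (unsigned i = 0; i < h->n_ports; i++) known |= (h->ports[i] == dst_port);
    if (!known && h->n_ports < MAX_PORTS) h->ports[h->n_ports++] = dst_port;
    int scanning = h->requests >= MIN_REQUESTS && h->n_ports >= 2
                && h->requests > SCAN_RATIO * h->positives;
    if (!scanning || h->warned) return 0;
    snprintf(line, len, IP_FMT " SCANNING", IP_ARGS(src));
    h->warned = 1;
    return 1;
}

/* A reply addressed back to src: neg_type is NULL for a positive response (TCP SYN/ACK,
 * ICMP echo reply) or "RST" / "ICMP_UNREACH" for a negative one. Negatives write
 * "<src ip> NEG <type>" into `line` and return 1; positives return 0. */
int record_response(uint32_t src, const char *neg_type, double now, char *line, size_t len)
{
    struct host_state *h = lookup(src, now);
    if (!h) return 0;
    settle(h, now, 1);
    if (!neg_type) { h->positives++; return 0; }
    h->negatives++;
    snprintf(line, len, IP_FMT " NEG %s", IP_ARGS(src), neg_type);
    return 1;
}
```

The design choice that matters is matching each reply to the oldest outstanding request from that source: a burst of SYNs answered a few hundred milliseconds later is then counted correctly, while a request that stays silent for more than a second is booked as a timeout the next time that source is seen, and a source that goes quiet for 30 seconds is dropped so its table slot can be reused.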

Wrapup
- The hard part is figuring out how to parse the various layers of headers. You can find the header definitions at:
    Ethernet: /usr/include/net/ethernet.h
    IP: /usr/include/netinet/ip.h
    TCP: /usr/include/netinet/tcp.h
- The harder part is to create data structures to keep state info.

Wrapup (2)
- This whole assignment shouldn’t take more than a couple hundred lines of code
- However, it requires a good understanding of what’s happening on the network
- The programs seem simple, but they can take more time than anticipated
- Enjoy yourself: this is fun stuff!

Goals of the assignment
- Get some hands-on experience attacking and defending networks
- DON’T end up in jail
- Never test your code outside of the VNS environment!

Good luck!

Addendum

Quick TCP/IP Review

TCP/IP Overview
- Basic knowledge of TCP/IP and DDoS with SYN floods is required, as discussed in class
- We assume a basic knowledge on the level of packets and ports
- If you’re not that comfortable with this, stop by office hours

Relevant Network Layers (figure not preserved in the transcript)

Cliffs Notes Version
- Each TCP packet that you see is actually a TCP packet wrapped inside of an IP packet wrapped inside of an Ethernet packet.
- Ethernet Header | IP Header | TCP Header | Application Data

TCP Flags
- Synchronize flag [SYN]: used to initiate a TCP connection
- Acknowledgement flag [ACK]: used to confirm received data
- Finish flag [FIN]: used to shut down the connection

TCP Flags (2)
- Push flag [PSH]: do not buffer data on the receiver side; send it directly to the application level
- Urgent flag [URG]: used to signify data with a higher priority than the other traffic, e.g. a Ctrl+C interrupt during an FTP transfer
- Reset flag [RST]: tells the receiver to tear down the connection immediately
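How the three headers from the Cliffs Notes slide nest, and where the flag bits from the two TCP Flags slides sit, as an added example in C that is not part of the project. It walks a raw frame by field offsets instead of using the struct definitions from the system headers named on the Wrapup slide, so that each layer's length check is visible, and then maps the result onto the request/positive/negative classes of the What to do (2) table. The frame-building helper, its MAC addresses and the 10.0.0.x addresses used with it are constructed test input.

```c
/* Added example (not the project's code): parses Ethernet -> IPv4 -> TCP/UDP/ICMP
 * from raw bytes using the standard header layouts, and classifies the packet the
 * way the scan detector needs. make_tcp_frame builds constructed sample frames. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Flag bits in byte 13 of the TCP header */
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10

struct pkt {
    uint8_t  ip_proto;            /* 1 = ICMP, 6 = TCP, 17 = UDP */
    uint32_t src_ip, dst_ip;      /* host byte order */
    uint16_t src_port, dst_port;  /* TCP/UDP only */
    uint8_t  tcp_flags, icmp_type;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | p[2] << 8 | p[3]; }

/* Returns 1 on success, 0 if the frame is not IPv4 or is truncated. Each layer's
 * length is checked before the next one is read, so short input is never overread. */
int parse_frame(const uint8_t *buf, size_t len, struct pkt *out)
{
    memset(out, 0, sizeof *out);
    if (len < 14 || rd16(buf + 12) != 0x0800) return 0;       /* EtherType must be IPv4 */
    const uint8_t *ip = buf + 14;
    size_t ip_len = len - 14;
    if (ip_len < 20 || (ip[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;                    /* header length, options included */
    size_t total = rd16(ip + 2);
    if (ihl < 20 || total < ihl || total > ip_len) return 0;
    out->ip_proto = ip[9];
    out->src_ip = rd32(ip + 12);
    out->dst_ip = rd32(ip + 16);
    const uint8_t *l4 = ip + ihl;
    size_t l4_len = total - ihl;
    switch (out->ip_proto) {
    case 6: case 17:                      /* TCP and UDP both begin with the port pair */
        if (l4_len < (out->ip_proto == 6 ? 20u : 8u)) return 0;
        out->src_port = rd16(l4);
        out->dst_port = rd16(l4 + 2);
        if (out->ip_proto == 6) out->tcp_flags = l4[13] & 0x3f;
        return 1;
    case 1:                               /* ICMP: type byte comes first */
        if (l4_len < 8) return 0;
        out->icmp_type = l4[0];
        return 1;
    default:
        return 0;
    }
}

/* Maps a parsed packet onto the request / positive / negative classes of the
 * "What to do (2)" table; anything else is "other". */
const char *classify(const struct pkt *p)
{
    switch (p->ip_proto) {
    case 6:
        if ((p->tcp_flags & (TH_SYN | TH_ACK)) == TH_SYN) return "request";
        if ((p->tcp_flags & (TH_SYN | TH_ACK)) == (TH_SYN | TH_ACK)) return "positive";
        if (p->tcp_flags & TH_RST) return "negative";
        return "other";
    case 17: return "request";                          /* UDP probe, e.g. traceroute */
    case 1:
        if (p->icmp_type == 8) return "request";        /* echo request */
        if (p->icmp_type == 0) return "positive";       /* echo reply */
        if (p->icmp_type == 3) return "negative";       /* destination unreachable */
        return "other";
    default:
        return "other";
    }
}

/* Builds a 54-byte Ethernet/IPv4/TCP frame with no options (constructed test input;
 * checksums are left zero because the parser does not verify them). */
size_t make_tcp_frame(uint8_t *buf, uint32_t src, uint32_t dst,
                      uint16_t sport, uint16_t dport, uint8_t flags)
{
    static const uint8_t eth[14] = { 0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00 };
    uint8_t *ip = buf + 14, *tcp = buf + 34;
    memset(buf, 0, 54);
    memcpy(buf, eth, 14);
    ip[0] = 0x45; ip[3] = 40;                  /* IHL 5 words, total length 40 */
    ip[8] = 64;   ip[9] = 6;                   /* TTL, protocol = TCP */
    for (int i = 0; i < 4; i++) {
        ip[12 + i] = (uint8_t)(src >> (24 - 8 * i));
        ip[16 + i] = (uint8_t)(dst >> (24 - 8 * i));
    }
    tcp[0] = sport >> 8; tcp[1] = sport & 0xff;
    tcp[2] = dport >> 8; tcp[3] = dport & 0xff;
    tcp[12] = 0x50; tcp[13] = flags;           /* data offset 5 words, flag bits */
    tcp[14] = 0xff; tcp[15] = 0xff;            /* window */
    return 54;
}
```

The length checks are the part worth copying into process_ip_packets(): a frame whose IP total length exceeds what was captured, or a non-IPv4 EtherType such as ARP, is rejected before any later field is touched, which is what keeps a malformed packet from corrupting the detector's state.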

Connection setup: “Three-way handshake” (figure not preserved in the transcript)

Connection termination
- Either side can initiate termination
- Note that the first FIN packet may still contain data! (figure not preserved in the transcript)
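The handshake and the FIN exchange from the last two slides, followed passively from the flags of each segment, as an added example in C that is not project code. The state names are simplified from RFC 793 and the side that sent the first SYN is labelled the client; both are my assumptions. The point the termination slide makes is visible in the test: the bytes carried on the FIN segment are still delivered, and the other side can keep sending after it.

```c
/* Added example (not the project's code): a passive tracker that follows one
 * TCP connection through the three-way handshake and the FIN exchange using
 * only the flags of each segment, as a router/IDS between the two hosts sees
 * them. States are simplified from RFC 793 (assumption); "from_client" means
 * the segment came from the side that sent the first SYN. */
#include <stdint.h>
#include <stddef.h>

#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10

enum conn_state { CLOSED, SYN_SENT, SYN_RECEIVED, ESTABLISHED, HALF_CLOSED };

struct conn {
    enum conn_state state;
    uint8_t fins;       /* bit 1: client sent FIN, bit 2: server sent FIN */
    size_t delivered;   /* payload bytes handed to the applications so far */
};

void conn_init(struct conn *c) { c->state = CLOSED; c->fins = 0; c->delivered = 0; }

/* Feed one segment and return the new state. Payload on an established or
 * half-closed connection is delivered, including the bytes carried by the FIN. */
enum conn_state conn_step(struct conn *c, int from_client, uint8_t flags, size_t payload)
{
    uint8_t side = from_client ? 1 : 2;
    if (flags & TH_RST) { c->state = CLOSED; return c->state; }   /* RST: tear down immediately */
    switch (c->state) {
    case CLOSED:            /* only a bare SYN from the client opens a connection */
        if (from_client && (flags & (TH_SYN | TH_ACK)) == TH_SYN) c->state = SYN_SENT;
        break;
    case SYN_SENT:          /* server answers with SYN/ACK */
        if (!from_client && (flags & (TH_SYN | TH_ACK)) == (TH_SYN | TH_ACK)) c->state = SYN_RECEIVED;
        break;
    case SYN_RECEIVED:      /* client's ACK completes the handshake (and may already carry data) */
        if (from_client && (flags & TH_ACK)) { c->state = ESTABLISHED; c->delivered += payload; }
        break;
    case ESTABLISHED:
    case HALF_CLOSED:
        if (c->fins & side) break;           /* this side already sent FIN: nothing more to deliver */
        c->delivered += payload;             /* data on ordinary segments and on the FIN alike */
        if (flags & TH_FIN) {
            c->fins |= side;
            c->state = (c->fins == 3) ? CLOSED : HALF_CLOSED;
        }
        break;
    }
    return c->state;
}
```

Seen from the router, the half-open connections a SYN flood creates are exactly the ones that reach SYN_RECEIVED and never reach ESTABLISHED, so counting connections per destination port stuck in that state is one natural starting point for the SYN flood discussion the README asks for.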