Presentation is loading. Please wait.

Presentation is loading. Please wait.

CS155: Computer and Network Security Programming Project 3 – Spring 2008 Craig Gentry, Naef Imam, Arnab Roy {cgentry, nimam, Thanks.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "CS155: Computer and Network Security Programming Project 3 – Spring 2008 Craig Gentry, Naef Imam, Arnab Roy {cgentry, nimam, Thanks."— Presentation transcript:

1 CS155: Computer and Network Security Programming Project 3 – Spring 2008 Craig Gentry, Naef Imam, Arnab Roy {cgentry, nimam, arnab} @stanford.edu Thanks to Arpit Aggarwal and Elizabeth Stenson

2 Project Overview 1) Learn to examine network packets to obtain useful information 2) Implement a router that performs a simple scan detection

3 Part 1: Packet traces We will use Wireshark to look at network packets. Available at: http://www.wireshark.org/http://www.wireshark.org/ Available for most platforms

4 Features useful for the project Individual Packet info Filtering Following TCP/UDP streams String search For the 2 nd part of the project you will need to capture network packets as well

5 Part 2 Scan Detection

6 Overview Write a simple intrusion detection system to identify SYN floods, port and host scans Understand what goes into building a basic network intrusion detection system Block diagram BrowserNetwork Router/ IDS

7 Setup We ’ ll be using a VNS system Sample topology and Routing table Sample Routing table 192.168.131.81 192.168.131.81 255.255.255.255 eth1 0.0.0.0 172.24.74.17 0.0.0.0 eth0

8 Setup(2) process_ip_packets() in process_ip.c is called for each IP packet protocol_headers.h and Network Sorcery website are good sources

9 SYN Floods SYN Floods are Denial of Service attack used to make certain services unavailable on the target machine Attacker sets up numerous connections to victim machine using specific port When a SYN packet is received, the victim allocates resources to this new connection – since these resources are finite, a large number of connections will make the port on the target unusable

10 Port Scans Port scans are used by attackers to see what ports and services are running on target machines E.g. use port scans to find that victim machine is running the notorious sendmail program! Consist of any packet that would generate a response from a receiver – ICMP echo requests, TCP packets (including SYN Packets – Note the difference from SYN Flood!) These packets are sent to large number of ports on a machine with the aim of finding processes and possible open ports. Often they get – ve responses.

11 Host Scans Similar methodology to port scans. Just does it over a large number of machines in the and checks them for the same open port

12 Assumptions Clients respond to data packets part of established flow You ’ re only working with TCP, UDP and ICMP Echo packets

13 What to do We are only implementing Port Scans Explain in your README, how you will expand your program to track host scans and SYN Floods, incl. discussion about various cases. You do not need to implement them. (Note) Track number of connection requests vs. Positive Responses for each originating host If this ratio exceeds 3 to 1, your router must issue a warning. (Note: print them to a file called scan_warning) source ip SCANNING For each negative response received (not timeouts) source ip NEG TYPE (where type can be RST, ICMP_UNREACH)

14 What to do (2) Connection Request Positive Response Negative Response TCP SYN Packet ICMP Echo Request UDP Packet (Traceroute) TCP SYN/ACK ICMP Echo Reply Timeout Other replies TCP RST, Timeout ICMP Port Unreachable, Timeout ICMP Host/Port Unreachable

15 Considerations Timeouts Between Packets – 1 second ( to make sure packet bursts don ’ t get unduly noted) Keepalive for each host – 30 seconds No false positives Consider cases like a buggy program making requests with – ve responses to a single port

16 Wrapup The hard part is figuring out how to parse the various layers of headers. You can find the header definitions at: Ethernet: /usr/include/net/ethernet.h IP: /usr/include/netinet/ip.h TCP: /usr/include/netinet/tcp.h The harder part is to create data structures to keep state info.

17 Wrapup(2) This whole assignment shouldn ’ t take more than a couple hundred lines of code However, it requires a good understanding of what ’ s happening on the network The programs seem simple, but they can take more time than anticipated Enjoy yourself – this is fun stuff!

18 Goals of the assignment Get some hands-on experience attacking and defending networks DON ’ T end up in jail Never test your code outside of the VNS environment!

19 Good luck!

20 Addendum

21 Quick TCP/IP Review

22 TCP/IP Overview Basic knowledge of TCP/IP and DDOS with SYN Floods is required as discussed in class We assume a basic knowledge on the level of packets and ports If you ’ re not that comfortable with this, stop by office hours

23 Relevant Network Layers From http://www.erg.abdn.ac.uk/users/gorry/course/images/ftp-tcp-enet.gif

24 Cliffs Notes Version Each TCP packet that you see is actually a TCP packet wrapped inside of an IP packet wrapped inside of an Ethernet packet. Ethernet Header IP Header TCP Header Application Data

25 TCP Flags Synchronize flag [SYN] Used to initiate a TCP connection Acknowledgement flag [ACK] Used to confirm received data Finish flag [FIN] Used to shut down the connection

26 TCP Flags (2) Push flag [PSH] Do not buffer data on receiver side – send directly to application level Urgent flag [URG] Used to signify data with a higher priority than the other traffic I.e Ctrl+C interrupt during an FTP transfer Reset flag [RST] Tells receiver to tear down connection immediately

27 Connection setup “ Three-way handshake ” From http://www.cs.colorado.edu/~tor/sadocs/tcpip/3way.png

28 Connection termination Either side can initiate termination Note that the first FIN packet may still contain data! From http://homepages.feis.herts.ac.uk/~cs2_sn2/sn2-img62.png

Download ppt "CS155: Computer and Network Security Programming Project 3 – Spring 2008 Craig Gentry, Naef Imam, Arnab Roy {cgentry, nimam, Thanks."

Similar presentations

Router Implementation Project-2

Router Implementation Project-2
1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?

1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?
CISCO NETWORKING ACADEMY Chabot College ELEC 99.05 Transport Layer (4)

CISCO NETWORKING ACADEMY Chabot College ELEC Transport Layer (4)
TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.

TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 OSI Transport Layer Network Fundamentals – Chapter 4.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 OSI Transport Layer Network Fundamentals – Chapter 4.
NMAP Scanning Options. EC-Council NMAP  Nmap is the most popular scanning tool used on the Internet.  Cretead by Fyodar (http://www.insecure.org), it.

NMAP Scanning Options. EC-Council NMAP  Nmap is the most popular scanning tool used on the Internet.  Cretead by Fyodar ( it.
Fundamentals of Computer Networks ECE 478/578 Lecture #20: Transmission Control Protocol Instructor: Loukas Lazos Dept of Electrical and Computer Engineering.

Fundamentals of Computer Networks ECE 478/578 Lecture #20: Transmission Control Protocol Instructor: Loukas Lazos Dept of Electrical and Computer Engineering.
UDP & TCP Where would we be without them!. UDP User Datagram Protocol.

UDP & TCP Where would we be without them!. UDP User Datagram Protocol.
CSE551: Computer Network Review r Network Layers r TCP/UDP r IP.

CSE551: Computer Network Review r Network Layers r TCP/UDP r IP.
1 Reading Log Files. 2 Segment Format

1 Reading Log Files. 2 Segment Format
1 TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.

1 TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.
1 CS 4396 Computer Networks Lab Transmission Control Protocol (TCP) Part I.

1 CS 4396 Computer Networks Lab Transmission Control Protocol (TCP) Part I.
Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning.

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning.
Table of Contents 3 - IDS types 8 - Ethernet Frame 9 - IP frame 10 - TCP frame 11 - UDP frame 12 - ICMP Frame 13 - 3-way handshake 15 - TCP flags 16 -

Table of Contents 3 - IDS types 8 - Ethernet Frame 9 - IP frame 10 - TCP frame 11 - UDP frame 12 - ICMP Frame way handshake 15 - TCP flags 16 -
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.
Transmission Control Protocol (TCP) Basics

Transmission Control Protocol (TCP) Basics
CS3505 The Internet and Info Hiway transport layer protocols : TCP/UDP.

CS3505 The Internet and Info Hiway transport layer protocols : TCP/UDP.
Chapter 7 – Transport Layer Protocols

Chapter 7 – Transport Layer Protocols
TRANSPORT LAYER  Session multiplexing  Segmentation  Flow control (TCP)  Connection-oriented (TCP)  Reliability (TCP)

TRANSPORT LAYER  Session multiplexing  Segmentation  Flow control (TCP)  Connection-oriented (TCP)  Reliability (TCP)
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems

Similar presentations

Ads by Google