CS155: Computer and Network Security
Programming Project 3 – Spring 2008
Craig Gentry, Naef Imam, Arnab Roy
{cgentry, nimam, arnab} @stanford.edu
Thanks to Arpit Aggarwal and Elizabeth Stenson
Project Overview
1) Learn to examine network packets to obtain useful information
2) Implement a router that performs a simple scan detection
Part 1: Packet traces
- We will use Wireshark to look at network packets.
  - Available at: http://www.wireshark.org/
  - Available for most platforms
- Features useful for the project
  - Individual packet info
  - Filtering
  - Following TCP/UDP streams
  - String search
- For the 2nd part of the project you will need to capture network packets as well
Part 2: Scan Detection
Overview
- Write a simple intrusion detection system to identify SYN floods, port and host scans
- Understand what goes into building a basic network intrusion detection system
Block diagram
[Browser] -- [Router/IDS] -- [Network]
Setup
- We’ll be using a VNS system
- Sample topology and routing table
Sample routing table (columns: destination, gateway, mask, interface):
192.168.131.81   192.168.131.81   255.255.255.255   eth1
0.0.0.0          172.24.74.17     0.0.0.0           eth0
Setup (2)
- process_ip_packets() in process_ip.c is called for each IP packet
- protocol_headers.h and the Network Sorcery website are good sources
SYN Floods
- SYN floods are Denial of Service attacks used to make certain services unavailable on the target machine
- The attacker sets up numerous connections to the victim machine using a specific port
- When a SYN packet is received, the victim allocates resources to this new connection – since these resources are finite, a large number of connections will make the port on the target unusable
Port Scans
- Port scans are used by attackers to see what ports and services are running on target machines
  - E.g. use port scans to find that the victim machine is running the notorious sendmail program!
- Consist of any packet that would generate a response from a receiver – ICMP echo requests, TCP packets (including SYN packets – note the difference from a SYN flood!)
- These packets are sent to a large number of ports on a machine with the aim of finding processes and possible open ports. Often they get negative responses.
Host Scans
- Similar methodology to port scans. Just does it over a large number of machines in the network and checks them for the same open port
Assumptions
- Clients respond to data packets that are part of an established flow
- You’re only working with TCP, UDP and ICMP Echo packets
What to do
- We are only implementing port scans
  - Explain in your README how you will expand your program to track host scans and SYN floods, including a discussion of the various cases. You do not need to implement them. (Note)
- Track the number of connection requests vs. positive responses for each originating host
- If this ratio exceeds 3 to 1, your router must issue a warning. (Note: print them to a file called scan_warning)
  - source ip<tab>SCANNING
- For each negative response received (not timeouts):
  - source ip<tab>NEG<tab>TYPE (where TYPE can be RST, ICMP_UNREACH)
What to do (2)
Connection Request      | Positive Response      | Negative Response
TCP SYN Packet          | TCP SYN/ACK            | TCP RST, Timeout
ICMP Echo Request       | ICMP Echo Reply        | ICMP Port Unreachable, Timeout
UDP Packet (Traceroute) | Timeout, Other replies | ICMP Host/Port Unreachable
Considerations
- Timeouts
  - Between packets – 1 second (to make sure packet bursts don’t get unduly noted)
  - Keepalive for each host – 30 seconds
- No false positives
  - Consider cases like a buggy program making requests with negative responses to a single port
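The bookkeeping the slides ask for, written out as an added example (this is not the assignment's starter code and not the course's solution). The caller is assumed to have already classified each packet with the request/response table above and to pass the originating host's address; the event names, the minimum-request guard, the "more than one distinct port" guard against the buggy-single-port case, and the reading of the two timeouts (1 s as a grace period before a burst of requests is judged, 30 s of silence before a host is forgotten) are this example's own choices. It writes the scan_warning lines in the tab-separated format given on the "What to do" slide.

```c
/* Added example, not the assignment's code: per-originating-host tally of
 * connection requests vs positive responses, warned at the 3:1 ratio.
 * MIN_REQS, the distinct-port guard and the timeout reading are assumptions. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <time.h>

#define MAX_HOSTS  64
#define MAX_PORTS  16   /* distinct destination ports remembered per host */
#define RATIO      3    /* slide: warn when requests exceed 3 x positive responses */
#define MIN_REQS   4    /* example's own guard: one unanswered packet is not a scan */
#define BURST_GAP  1    /* seconds: let a burst's replies arrive before judging it */
#define KEEPALIVE  30   /* seconds of silence before a host's state is forgotten */

enum ev { EV_REQUEST, EV_POSITIVE, EV_NEG_RST, EV_NEG_ICMP_UNREACH };

struct host {
    uint32_t ip;                 /* originating host, network byte order */
    unsigned requests, positives;
    uint16_t ports[MAX_PORTS];   /* distinct ports probed (bounded) */
    unsigned nports;
    time_t   last_seen, last_request;
    int      warned;             /* SCANNING is reported once per host */
};

static struct host hosts[MAX_HOSTS];
static unsigned nhosts;
static FILE *warn_out;           /* the scan_warning file; NULL = report nothing */

uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)   /* octets -> network order */
{ uint8_t o[4] = {(uint8_t)a, (uint8_t)b, (uint8_t)c, (uint8_t)d}; uint32_t ip; memcpy(&ip, o, 4); return ip; }

static void emit_line(uint32_t ip, const char *tag, const char *type)
{
    const uint8_t *o = (const uint8_t *)&ip;
    if (!warn_out) return;
    fprintf(warn_out, "%u.%u.%u.%u\t%s", o[0], o[1], o[2], o[3], tag);
    if (type) fprintf(warn_out, "\t%s", type);
    fputc('\n', warn_out); fflush(warn_out);
}

static struct host *lookup(uint32_t ip, time_t now)
{
    for (unsigned i = 0; i < nhosts; i++)
        if (hosts[i].ip == ip) { hosts[i].last_seen = now; return &hosts[i]; }
    if (nhosts == MAX_HOSTS) return NULL;               /* table full: not tracked */
    struct host *h = &hosts[nhosts++];
    memset(h, 0, sizeof *h); h->ip = ip; h->last_seen = now;
    return h;
}

static void note_port(struct host *h, uint16_t port)
{
    for (unsigned i = 0; i < h->nports; i++) if (h->ports[i] == port) return;
    if (h->nports < MAX_PORTS) h->ports[h->nports++] = port;
}

int scan_init(const char *path) { warn_out = fopen(path, "a"); return warn_out != NULL; }
unsigned scan_tracked(void) { return nhosts; }

/* Record one packet already classified with the table above; ip is the
 * originating host, port the destination port it probed. NEG lines go out now;
 * the ratio is judged later in scan_tick() once the burst gap has passed. */
void scan_event(uint32_t ip, uint16_t port, enum ev e, time_t now)
{
    struct host *h = lookup(ip, now);
    if (!h) return;
    switch (e) {
    case EV_REQUEST:          h->requests++; h->last_request = now; note_port(h, port); break;
    case EV_POSITIVE:         h->positives++; break;
    case EV_NEG_RST:          emit_line(ip, "NEG", "RST"); break;
    case EV_NEG_ICMP_UNREACH: emit_line(ip, "NEG", "ICMP_UNREACH"); break;
    }
}

/* Periodic sweep: forget hosts idle for KEEPALIVE seconds, then judge every
 * host whose last request is at least BURST_GAP seconds old.
 * Returns the number of SCANNING warnings written during this sweep. */
int scan_tick(time_t now)
{
    int warnings = 0;
    for (unsigned i = 0; i < nhosts; ) {
        struct host *h = &hosts[i];
        if (now - h->last_seen >= KEEPALIVE) { hosts[i] = hosts[--nhosts]; continue; }
        if (!h->warned && now - h->last_request >= BURST_GAP
            && h->requests >= MIN_REQS && h->requests > RATIO * h->positives
            && h->nports > 1) {   /* one port hammered by a buggy client is not a scan */
            emit_line(h->ip, "SCANNING", NULL);
            h->warned = 1; warnings++;
        }
        i++;
    }
    return warnings;
}

int main(void)
{
    time_t t = 1000;                                    /* constructed timeline */
    scan_init("scan_warning");
    for (uint16_t p = 20; p < 26; p++) {                /* 10.0.0.1 probes six ports, all refused */
        scan_event(ip4(10,0,0,1), p, EV_REQUEST, t);
        scan_event(ip4(10,0,0,1), p, EV_NEG_RST, t);
    }
    printf("SCANNING warnings after the burst gap: %d\n", scan_tick(t + BURST_GAP));
    return 0;
}
```

In a router, scan_event() would be called from the per-packet hook and scan_tick() from a timer or from the same hook with the current time; the sweep being separate from the event is what makes the 1-second grace period and the 30-second keepalive cheap to apply across all tracked hosts.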
Wrapup
- The hard part is figuring out how to parse the various layers of headers.
- You can find the header definitions at:
  - Ethernet: /usr/include/net/ethernet.h
  - IP: /usr/include/netinet/ip.h
  - TCP: /usr/include/netinet/tcp.h
- The harder part is to create data structures to keep state info.
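Peeling the three header layers off one frame, as an added example that is not the assignment's code. It reads each field at its byte offset rather than casting to the structs from the headers listed above, so it is independent of struct packing and host endianness; the comments name the corresponding struct fields (ether_type, ip_hl, ip_p, th_off, th_flags and so on). The sample frame, the length-check return codes and the classify_tcp() mapping onto the request/response table are constructed for this example.

```c
/* Added example, not the assignment's code: walk Ethernet -> IPv4 -> TCP with
 * explicit offsets and length checks. The frame bytes below are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define ETHERTYPE_IPV4 0x0800
#define PROTO_TCP      6
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_PSH 0x08
#define TH_ACK 0x10
#define TH_URG 0x20

struct parsed {
    uint32_t src_ip, dst_ip;     /* host byte order */
    uint16_t src_port, dst_port; /* host byte order; 0 unless TCP */
    uint8_t  proto, flags;       /* ip_p; low six bits of th_flags */
};

/* Network byte order is big-endian: read byte by byte, never cast unaligned memory. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{ return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }

/* Returns 0 for a complete IPv4/TCP packet, 1 for IPv4 but not TCP, and a
 * negative code when a header is missing or claims more bytes than exist. */
int parse_frame(const uint8_t *f, size_t len, struct parsed *out)
{
    memset(out, 0, sizeof *out);
    if (len < 14) return -1;                              /* struct ether_header */
    if (rd16(f + 12) != ETHERTYPE_IPV4) return -2;        /* ether_type */
    const uint8_t *ip = f + 14;
    size_t iplen = len - 14;
    if (iplen < 20 || (ip[0] >> 4) != 4) return -3;       /* ip_v */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;              /* ip_hl, in 32-bit words */
    size_t tot = rd16(ip + 2);                            /* ip_len */
    if (ihl < 20 || tot < ihl || tot > iplen) return -4;  /* lengths the bytes can't back */
    out->proto  = ip[9];                                  /* ip_p */
    out->src_ip = rd32(ip + 12);                          /* ip_src */
    out->dst_ip = rd32(ip + 16);                          /* ip_dst */
    if (out->proto != PROTO_TCP) return 1;
    const uint8_t *tcp = ip + ihl;
    size_t tlen = tot - ihl;
    if (tlen < 20) return -5;                             /* struct tcphdr */
    size_t doff = (size_t)(tcp[12] >> 4) * 4;             /* th_off */
    if (doff < 20 || doff > tlen) return -6;
    out->src_port = rd16(tcp);                            /* th_sport */
    out->dst_port = rd16(tcp + 2);                        /* th_dport */
    out->flags    = tcp[13] & 0x3f;                       /* th_flags */
    return 0;
}

/* Map TCP flags onto the request/response classes of the table above. */
const char *classify_tcp(const struct parsed *p)
{
    if (p->flags & TH_RST) return "NEG_RST";
    if ((p->flags & (TH_SYN | TH_ACK)) == (TH_SYN | TH_ACK)) return "POSITIVE";
    if ((p->flags & (TH_SYN | TH_ACK)) == TH_SYN) return "REQUEST";
    return "OTHER";                                       /* data, FIN, bare ACK ... */
}

/* Constructed frame: 10.0.0.5:40000 -> 10.0.0.9:22, TCP SYN, checksums left zero. */
const uint8_t sample_frame[54] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00, /* Ethernet */
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,         /* IPv4, total len 40 */
    0x0a,0x00,0x00,0x05, 0x0a,0x00,0x00,0x09,                              /* src, dst */
    0x9c,0x40, 0x00,0x16, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,        /* ports, seq, ack */
    0x50,0x02, 0x72,0x10, 0x00,0x00, 0x00,0x00                             /* off/SYN, win, csum, urg */
};

int main(void)
{
    struct parsed p;
    int rc = parse_frame(sample_frame, sizeof sample_frame, &p);
    printf("rc=%d %u.%u.%u.%u:%u -> port %u flags=0x%02x class=%s\n", rc,
           p.src_ip >> 24, (p.src_ip >> 16) & 0xff, (p.src_ip >> 8) & 0xff, p.src_ip & 0xff,
           p.src_port, p.dst_port, p.flags, classify_tcp(&p));
    return 0;
}
```

Every length check is there because the sender chooses these bytes: a header-length field that points past the end of the captured packet is exactly the kind of input a router-side parser must reject rather than read through.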
Wrapup (2)
- This whole assignment shouldn’t take more than a couple hundred lines of code
  - However, it requires a good understanding of what’s happening on the network
  - The programs seem simple, but they can take more time than anticipated
- Enjoy yourself – this is fun stuff!
Goals of the assignment
- Get some hands-on experience attacking and defending networks
- DON’T end up in jail
  - Never test your code outside of the VNS environment!
Good luck!
Addendum
Quick TCP/IP Review
TCP/IP Overview
- Basic knowledge of TCP/IP and DDoS with SYN floods is required, as discussed in class
- We assume a basic knowledge on the level of packets and ports
  - If you’re not that comfortable with this, stop by office hours
Relevant Network Layers
From http://www.erg.abdn.ac.uk/users/gorry/course/images/ftp-tcp-enet.gif
Cliffs Notes Version
- Each TCP packet that you see is actually a TCP packet wrapped inside of an IP packet wrapped inside of an Ethernet packet.
[Ethernet Header | IP Header | TCP Header | Application Data]
TCP Flags
- Synchronize flag [SYN]
  - Used to initiate a TCP connection
- Acknowledgement flag [ACK]
  - Used to confirm received data
- Finish flag [FIN]
  - Used to shut down the connection
TCP Flags (2)
- Push flag [PSH]
  - Do not buffer data on the receiver side – send directly to the application level
- Urgent flag [URG]
  - Used to signify data with a higher priority than the other traffic
  - E.g. a Ctrl+C interrupt during an FTP transfer
- Reset flag [RST]
  - Tells the receiver to tear down the connection immediately
Connection setup
- “Three-way handshake”
From http://www.cs.colorado.edu/~tor/sadocs/tcpip/3way.png
Connection termination
- Either side can initiate termination
- Note that the first FIN packet may still contain data!
From http://homepages.feis.herts.ac.uk/~cs2_sn2/sn2-img62.png