CS155: Computer and Network Security Programming Project 3 – Spring 2008 Craig Gentry, Naef Imam,...

Post on 21-Dec-2015


CS155: Computer and Network Security

Programming Project 3 – Spring 2008

Craig Gentry, Naef Imam, Arnab Roy
{cgentry, nimam, arnab}@stanford.edu

Thanks to Arpit Aggarwal and Elizabeth Stenson

Project Overview

1) Learn to examine network packets to obtain useful information

2) Implement a router that performs a simple scan detection

Part 1: Packet traces

We will use Wireshark to look at network packets. It is available for most platforms at http://www.wireshark.org/

Features useful for the project: individual packet info, filtering, following TCP/UDP streams, string search.

For the 2nd part of the project you will need to capture network packets as well.

Part 2

Scan Detection

Overview

Write a simple intrusion detection system to identify SYN floods, port scans and host scans.

Understand what goes into building a basic network intrusion detection system.

Block diagram (figure): Browser, Network, Router/IDS

Setup

We'll be using a VNS system. Sample topology and routing table:

Sample routing table (destination, gateway, mask, interface):

192.168.131.81  192.168.131.81  255.255.255.255  eth1
0.0.0.0         172.24.74.17    0.0.0.0          eth0

Setup (2)

process_ip_packets() in process_ip.c is called for each IP packet.

protocol_headers.h and the Network Sorcery website are good sources for the header formats.

SYN Floods

SYN floods are a denial-of-service attack used to make certain services unavailable on the target machine.

The attacker sets up numerous connections to the victim machine using a specific port.

When a SYN packet is received, the victim allocates resources to this new connection. Since these resources are finite, a large number of connections will make the port on the target unusable.

Port Scans

Port scans are used by attackers to see what ports and services are running on target machines. E.g. use a port scan to find that the victim machine is running the notorious sendmail program!

They consist of any packet that would generate a response from a receiver: ICMP echo requests, TCP packets (including SYN packets; note the difference from a SYN flood!).

These packets are sent to a large number of ports on a machine with the aim of finding processes and possible open ports. Often they get negative responses.

Host Scans

Similar methodology to port scans, but done over a large number of machines, checking each of them for the same open port.

Assumptions

Clients respond to data packets that are part of an established flow.

You're only working with TCP, UDP and ICMP Echo packets.

What to do

We are only implementing port scans.

Explain in your README how you will expand your program to track host scans and SYN floods, including a discussion of the various cases. You do not need to implement them.

Track the number of connection requests vs. positive responses for each originating host.

If this ratio exceeds 3 to 1, your router must issue a warning. (Note: print warnings to a file called scan_warning.)

For each host detected scanning: source ip<tab>SCANNING

For each negative response received (not timeouts): source ip<tab>NEG<tab>TYPE (where TYPE can be RST or ICMP_UNREACH)

What to do (2)

Connection Request        Positive Response    Negative Response
TCP SYN Packet            TCP SYN/ACK          TCP RST, Timeout
ICMP Echo Request         ICMP Echo Reply      ICMP Host/Port Unreachable, Timeout
UDP Packet (Traceroute)   Other replies        ICMP Port Unreachable, Timeout

Considerations

Timeouts:

Between packets: 1 second (to make sure packet bursts don't get unduly noted)

Keepalive for each host: 30 seconds

No false positives: consider cases like a buggy program making requests with negative responses to a single port.
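The per-host bookkeeping described on the What to do and Considerations slides, as an added example in C that is not part of the project skeleton: it counts connection requests against positive responses per originating host, raises one SCANNING warning once the ratio exceeds 3:1, and writes the NEG and SCANNING lines in the required format. It assumes packets have already been classified (that parsing belongs in process_ip_packets()), uses a fixed-size host table, requires at least four requests before judging a host, and leaves the 1-second and 30-second timers to the reader.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define MAX_HOSTS    64   /* fixed-size table; enough for the VNS topology (assumption) */
#define SCAN_RATIO   3    /* warn once requests exceed 3x positive responses */
#define MIN_REQUESTS 4    /* fewest requests that can exceed 3:1 given a reply (assumption) */
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))
enum event { EV_REQUEST, EV_POSITIVE, EV_NEGATIVE };

/* Per-originating-host counters: connection requests vs. positive responses. */
struct host_stat { uint32_t ip; unsigned requests, positives; int warned; };
static struct host_stat hosts[MAX_HOSTS];
static unsigned nhosts;

static struct host_stat *lookup(uint32_t ip) {
    for (unsigned i = 0; i < nhosts; i++)
        if (hosts[i].ip == ip) return &hosts[i];
    if (nhosts == MAX_HOSTS) return NULL;        /* table full: event is dropped */
    hosts[nhosts].ip = ip;
    return &hosts[nhosts++];
}

/* Dotted-quad text for a host-order IPv4 address, e.g. IP4(192,168,131,81). */
void ip_to_str(uint32_t ip, char *buf, size_t n) {
    snprintf(buf, n, "%u.%u.%u.%u", (unsigned)(ip >> 24), (unsigned)(ip >> 16) & 255,
             (unsigned)(ip >> 8) & 255, (unsigned)ip & 255);
}

/* Record one classified packet from originating host `src`. Lines in the assignment's
 * format go to `out` (the scan_warning file; NULL suppresses output). Returns 1 if this
 * event raised a SCANNING warning. */
int ids_event(uint32_t src, enum event kind, const char *neg_type, FILE *out) {
    char ip[16];
    struct host_stat *h = lookup(src);
    if (!h) return 0;
    ip_to_str(src, ip, sizeof ip);
    if (kind == EV_POSITIVE) {                   /* SYN/ACK, echo reply, other UDP reply */
        h->positives++;
    } else if (kind == EV_NEGATIVE) {            /* RST or ICMP_UNREACH; timeouts not logged */
        if (out) fprintf(out, "%s\tNEG\t%s\n", ip, neg_type);
    } else {                                     /* SYN, echo request, UDP probe */
        h->requests++;
        if (!h->warned && h->requests >= MIN_REQUESTS &&
            h->requests > SCAN_RATIO * h->positives) {
            h->warned = 1;                       /* warn once per host */
            if (out) fprintf(out, "%s\tSCANNING\n", ip);
            return 1;
        }
    }
    return 0;
}
```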

Wrapup

The hard part is figuring out how to parse the various layers of headers. You can find the header definitions at:

Ethernet: /usr/include/net/ethernet.h
IP: /usr/include/netinet/ip.h
TCP: /usr/include/netinet/tcp.h

The harder part is to create data structures to keep state info.

Wrapup (2)

This whole assignment shouldn't take more than a couple hundred lines of code. However, it requires a good understanding of what's happening on the network.

The programs seem simple, but they can take more time than anticipated.

Enjoy yourself – this is fun stuff!

Goals of the assignment

Get some hands-on experience attacking and defending networks.

DON'T end up in jail. Never test your code outside of the VNS environment!

Good luck!

Addendum

Quick TCP/IP Review

TCP/IP Overview

Basic knowledge of TCP/IP and DDoS with SYN floods is required, as discussed in class.

We assume a basic knowledge on the level of packets and ports. If you're not that comfortable with this, stop by office hours.

Relevant Network Layers

From http://www.erg.abdn.ac.uk/users/gorry/course/images/ftp-tcp-enet.gif

Cliffs Notes Version

Each TCP packet that you see is actually a TCP packet wrapped inside of an IP packet wrapped inside of an Ethernet packet:

Ethernet Header
IP Header
TCP Header
Application Data
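As an added example (not from the project skeleton) of the header nesting shown here and of the parsing the Wrapup slide calls the hard part, this C function walks a raw frame through the Ethernet, IP and TCP headers by byte offset rather than through the structs in the /usr/include headers; the sample frame is constructed for the example, not captured.

```c
#include <stdint.h>
#include <stddef.h>

/* Fields pulled out of one Ethernet/IP/TCP frame, converted to host byte order. */
struct parsed {
    uint16_t ethertype;
    uint8_t  proto;                 /* 1 = ICMP, 6 = TCP, 17 = UDP */
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint8_t  flags;                 /* TCP flag byte: FIN=1 SYN=2 RST=4 PSH=8 ACK=16 URG=32 */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Walk the three nested headers using the layouts from ethernet.h, ip.h and
 * tcp.h: 14-byte Ethernet header, IP header length from the IHL nibble, TCP
 * ports at offsets 0/2 and the flag byte at offset 13 of the TCP header.
 * Returns 0 on success, -1 if the frame is truncated or not IPv4/TCP. */
int parse_tcp_frame(const uint8_t *f, size_t len, struct parsed *out) {
    if (len < 14 + 20) return -1;
    out->ethertype = rd16(f + 12);
    if (out->ethertype != 0x0800) return -1;         /* not IPv4 */
    const uint8_t *ip = f + 14;
    size_t ihl = (ip[0] & 0x0f) * 4u;
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < 14 + ihl + 20) return -1;
    out->proto  = ip[9];
    out->src_ip = rd32(ip + 12);
    out->dst_ip = rd32(ip + 16);
    if (out->proto != 6) return -1;                  /* UDP/ICMP need their own parser */
    const uint8_t *tcp = ip + ihl;
    out->src_port = rd16(tcp);
    out->dst_port = rd16(tcp + 2);
    out->flags    = tcp[13];
    return 0;
}

/* Constructed sample frame (not a real capture): TCP SYN from
 * 10.0.0.5:40000 to 192.168.131.81:25, checksums left as zero. */
const uint8_t sample_syn[54] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,   /* Ethernet */
    0x45,0x00,0x00,0x28, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00,             /* IPv4, proto 6 */
    10,0,0,5, 192,168,131,81,                                                  /* src, dst */
    0x9c,0x40, 0x00,0x19, 0,0,0,1, 0,0,0,0, 0x50,0x02, 0xff,0xff, 0,0, 0,0     /* TCP, SYN */
};
```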

TCP Flags

Synchronize flag [SYN]: used to initiate a TCP connection.

Acknowledgement flag [ACK]: used to confirm received data.

Finish flag [FIN]: used to shut down the connection.

TCP Flags (2)

Push flag [PSH]: do not buffer data on the receiver side; send it directly to the application level.

Urgent flag [URG]: used to signify data with a higher priority than the other traffic, e.g. a Ctrl+C interrupt during an FTP transfer.

Reset flag [RST]: tells the receiver to tear down the connection immediately.

Connection setup: "Three-way handshake"

From http://www.cs.colorado.edu/~tor/sadocs/tcpip/3way.png

Connection termination

Either side can initiate termination. Note that the first FIN packet may still contain data!

From http://homepages.feis.herts.ac.uk/~cs2_sn2/sn2-img62.png