CS155: Computer and Network Security - PowerPoint PPT Presentation

Provided by: mattr
Slides: 29

Transcript and Presenter's Notes

1
CS155 Computer and Network Security
  • Programming Project 3 Spring 2008
  • Craig Gentry, Naef Imam, Arnab Roy
  • {cgentry, nimam, arnab}@stanford.edu
  • Thanks to Arpit Aggarwal and Elizabeth Stenson

2
Project Overview
  • Learn to examine network packets to obtain useful
    information
  • Implement a router that performs a simple scan
    detection

3
Part 1: Packet traces
  • We will use Wireshark to look at network packets.
  • Available at http://www.wireshark.org/
  • Available for most platforms

4
Features useful for the project
  • Individual Packet info
  • Filtering
  • Following TCP/UDP streams
  • String search
  • For the 2nd part of the project you will need to
    capture network packets as well

5
Part 2
  • Scan Detection

6
Overview
  • Write a simple intrusion detection system to
    identify SYN floods, port and host scans
  • Understand what goes into building a basic
    network intrusion detection system
  • Block diagram (figure: Browser, Router/IDS, Network)

7
Setup
  • We'll be using a VNS system
  • Sample topology and routing table

Sample routing table (destination, gateway, mask, interface):
192.168.131.81   192.168.131.81   255.255.255.255   eth1
0.0.0.0          172.24.74.17     0.0.0.0           eth0
8
Setup (2)
  • process_ip_packets() in process_ip.c is called
    for each IP packet
  • protocol_headers.h and Network Sorcery website
    are good sources

9
SYN Floods
  • SYN Floods are a Denial of Service attack used to
    make certain services unavailable on the target
    machine
  • The attacker sets up numerous connections to the
    victim machine using a specific port
  • When a SYN packet is received, the victim
    allocates resources to this new connection;
    since these resources are finite, a large number
    of connections will make the port on the target
    unusable

10
Port Scans
  • Port scans are used by attackers to see what
    ports and services are running on target machines
  • E.g. use port scans to find that the victim machine
    is running the notorious sendmail program!
  • Consist of any packet that would generate a
    response from a receiver: ICMP echo requests,
    TCP packets (including SYN packets; note the
    difference from a SYN flood!)
  • These packets are sent to a large number of ports
    on a machine with the aim of finding processes
    and possibly open ports. Often they get negative
    responses.

11
Host Scans
  • Similar methodology to port scans. Just does it
    over a large number of machines in the network and
    checks them for the same open port

12
Assumptions
  • Clients respond to data packets that are part of
    an established flow
  • You're only working with TCP, UDP and ICMP Echo
    packets

13
What to do
  • We are only implementing Port Scans
  • Explain in your README how you would expand your
    program to track host scans and SYN Floods, incl.
    discussion of the various cases. You do not need
    to implement them.
  • Track the number of connection requests vs. positive
    responses for each originating host
  • If this ratio exceeds 3 to 1, your router must
    issue a warning.
    (Note: print them to a file called scan_warning)
      source ip<tab>SCANNING
  • For each negative response received (not
    timeouts):
      source ip<tab>NEG<tab>TYPE (where TYPE can be
      RST, ICMP_UNREACH)

14
What to do (2)
15
Considerations
  • Timeouts
    • Between packets: 1 second (to make sure packet
      bursts don't get unduly noted)
    • Keepalive for each host: 30 seconds
  • No false positives
    • Consider cases like a buggy program making
      requests with negative responses to a single port
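The bookkeeping the two slides above ask for (connection requests vs. positive responses per originating host, the 3-to-1 rule, the 1-second and 30-second timeouts, and the buggy-program case), as an added example in C that is neither the project's starter code nor the presenters' solution. The `struct pkt`, `observe()`, `sweep()` and the minimum-request threshold are assumptions of this example; the 1-second timeout is read here as the time a request may stay unanswered before it is judged, and a retried SYN to the same destination port counts as one request.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FLAG_SYN 0x02   /* same bit values as TH_SYN/TH_RST/TH_ACK in netinet/tcp.h */
#define FLAG_RST 0x04
#define FLAG_ACK 0x10

/* One already-parsed packet (hypothetical struct, not the project's): IPv4 addresses,
 * protocol (6 = TCP, 1 = ICMP), TCP ports/flags or ICMP type, arrival time in seconds. */
struct pkt { uint32_t src, dst; uint8_t proto; uint16_t sport, dport; uint8_t flags, icmp_type; double ts; };

#define MAX_HOSTS 32
#define MAX_TARGETS 64
#define RESPONSE_WAIT 1.0   /* 1 s: an unanswered request younger than this is not judged yet */
#define KEEPALIVE 30.0      /* 30 s: per-host state is dropped after this much silence */
#define MIN_REQUESTS 4      /* assumption: a couple of failed connects is not a scan */

enum { PENDING = 0, POSITIVE, NEGATIVE };
struct target { uint32_t dst; uint16_t port; double ts; int outcome; };
struct host_state { int used, warned, ntargets; uint32_t ip; double last_seen; struct target targets[MAX_TARGETS]; };
static struct host_state hosts[MAX_HOSTS];
void reset_detector(void) { memset(hosts, 0, sizeof hosts); }

/* State for an originating host (optionally created); silent hosts are expired on the way. */
static struct host_state *host_for(uint32_t ip, double now, int create) {
    struct host_state *slot = NULL;
    for (int i = 0; i < MAX_HOSTS; i++) {
        if (hosts[i].used && now - hosts[i].last_seen > KEEPALIVE) hosts[i].used = 0;
        if (hosts[i].used && hosts[i].ip == ip) { hosts[i].last_seen = now; return &hosts[i]; }
        if (!hosts[i].used && !slot) slot = &hosts[i];
    }
    if (!create || !slot) return NULL;
    memset(slot, 0, sizeof *slot);
    slot->used = 1; slot->ip = ip; slot->last_seen = now;
    return slot;
}

static void print_ip(FILE *out, uint32_t ip) { fprintf(out, "%u.%u.%u.%u", ip >> 24, (ip >> 16) & 255, (ip >> 8) & 255, ip & 255); }

/* Warn once per host when requests exceed 3x positive responses. Requests still unanswered for
 * less than RESPONSE_WAIT are skipped, so a burst whose SYN-ACKs are in flight is not a scan yet. */
static int check_host(struct host_state *h, double now, FILE *out) {
    int req = 0, pos = 0;
    for (int i = 0; i < h->ntargets; i++) {
        const struct target *t = &h->targets[i];
        if (t->outcome == PENDING && now - t->ts < RESPONSE_WAIT) continue;
        req++;
        if (t->outcome == POSITIVE) pos++;
    }
    if (h->warned || req < MIN_REQUESTS || req <= 3 * pos) return 0;
    h->warned = 1;
    print_ip(out, h->ip); fprintf(out, "\tSCANNING\n");
    return 1;
}

/* Attach a SYN-ACK or RST to the pending request it answers (the requester is the packet's destination). */
static void record_response(const struct pkt *p, int outcome) {
    struct host_state *h = host_for(p->dst, p->ts, 0);
    for (int i = 0; h && i < h->ntargets; i++) {
        struct target *t = &h->targets[i];
        if (t->dst == p->src && t->port == p->sport && t->outcome == PENDING) { t->outcome = outcome; return; }
    }
}

/* Feed one packet; SCANNING and NEG lines go to `out` (the scan_warning file). Returns 1 on a new warning. */
int observe(const struct pkt *p, FILE *out) {
    if (p->proto == 6 && (p->flags & (FLAG_SYN | FLAG_ACK)) == FLAG_SYN) {   /* connection request */
        struct host_state *h = host_for(p->src, p->ts, 1);
        if (!h) return 0;
        for (int i = 0; i < h->ntargets; i++)   /* a retried SYN to the same dst:port is not a new probe */
            if (h->targets[i].dst == p->dst && h->targets[i].port == p->dport) return 0;
        if (h->ntargets < MAX_TARGETS)
            h->targets[h->ntargets++] = (struct target){ p->dst, p->dport, p->ts, PENDING };
        return check_host(h, p->ts, out);
    }
    if (p->proto == 6 && (p->flags & (FLAG_SYN | FLAG_ACK)) == (FLAG_SYN | FLAG_ACK)) {
        record_response(p, POSITIVE);                                          /* SYN-ACK: port open */
    } else if (p->proto == 6 && (p->flags & FLAG_RST)) {
        record_response(p, NEGATIVE);                                          /* RST: port closed */
        print_ip(out, p->dst); fprintf(out, "\tNEG\tRST\n");
    } else if (p->proto == 1 && p->icmp_type == 3) {   /* port lookup via the quoted datagram omitted here */
        print_ip(out, p->dst); fprintf(out, "\tNEG\tICMP_UNREACH\n");
    }
    return 0;
}

/* Periodic re-check (e.g. from a timer), so a burst that stays unanswered still gets judged. */
int sweep(double now, FILE *out) {
    int warnings = 0;
    for (int i = 0; i < MAX_HOSTS; i++) {
        if (!hosts[i].used) continue;
        if (now - hosts[i].last_seen > KEEPALIVE) { hosts[i].used = 0; continue; }
        warnings += check_host(&hosts[i], now, out);
    }
    return warnings;
}
```

Call `observe()` from `process_ip_packets()` once the headers are parsed, with `out` opened on `scan_warning`, and call `sweep()` from a timer so a host whose burst ended without answers is still judged once the 1-second wait has passed; the keepalive then frees its slot after 30 seconds of silence.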

16
Wrapup
  • The hard part is figuring out how to parse the
    various layers of headers.
  • You can find the header definitions at:
    • Ethernet: /usr/include/net/ethernet.h
    • IP: /usr/include/netinet/ip.h
    • TCP: /usr/include/netinet/tcp.h
  • The harder part is to create data structures to
    keep state info.

17
Wrapup (2)
  • This whole assignment shouldn't take more than a
    couple hundred lines of code
  • However, it requires a good understanding of
    what's happening on the network
  • The programs seem simple, but they can take more
    time than anticipated
  • Enjoy yourself; this is fun stuff!

18
Goals of the assignment
  • Get some hands-on experience attacking and
    defending networks
  • DON'T end up in jail
  • Never test your code outside of the VNS
    environment!

19
Good luck!
20
Addendum
21
Quick TCP/IP Review
22
TCP/IP Overview
  • Basic knowledge of TCP/IP and DDoS with SYN
    Floods is required, as discussed in class
  • We assume a basic knowledge on the level of
    packets and ports
  • If you're not that comfortable with this, stop by
    office hours

23
Relevant Network Layers
Figure from http://www.erg.abdn.ac.uk/users/gorry/course/images/ftp-tcp-enet.gif
24
Cliffs Notes Version
  • Each TCP packet that you see is actually a TCP
    packet wrapped inside of an IP packet wrapped
    inside of an Ethernet packet.

Ethernet Header > IP Header > TCP Header > Application Data
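The layering this slide describes, and the header parsing the Wrapup slide calls the hard part, as an added example in C that is not the project's code: a bounds-checked walk from the Ethernet header through the IP header to the TCP header and payload. It uses explicit byte offsets, with the field positions taken from the ethernet.h, ip.h and tcp.h layouts listed on the Wrapup slide, so it compiles without those headers; the 54-byte frame is constructed for the example (checksums left zero).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ETHER_HDR_LEN 14
#define ETHERTYPE_IPV4 0x0800
#define PROTO_TCP 6

/* The fields a scan detector needs from the three nested headers. */
struct parsed {
    uint16_t ethertype;
    uint8_t ip_version, ip_ihl, ip_proto;
    uint16_t ip_total_len;
    uint32_t ip_src, ip_dst;
    uint16_t tcp_sport, tcp_dport;
    uint8_t tcp_doff, tcp_flags;
    size_t payload_off, payload_len;
};

/* Network byte order is big-endian; read fields byte by byte so host endianness never matters. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Returns 0 on success; -1 truncated frame, -2 not IPv4, -3 bad IP header, -4 not TCP, -5 bad TCP header.
 * Every length field is checked against the bytes actually captured before it is trusted. */
int parse_frame(const uint8_t *buf, size_t len, struct parsed *out) {
    memset(out, 0, sizeof *out);
    if (len < ETHER_HDR_LEN) return -1;
    out->ethertype = rd16(buf + 12);                 /* ether_header.ether_type */
    if (out->ethertype != ETHERTYPE_IPV4) return -2;

    const uint8_t *ip = buf + ETHER_HDR_LEN;         /* struct ip starts right after the Ethernet header */
    size_t ip_avail = len - ETHER_HDR_LEN;
    if (ip_avail < 20) return -1;
    out->ip_version = ip[0] >> 4;                    /* ip_v */
    out->ip_ihl = ip[0] & 0x0F;                      /* ip_hl, in 32-bit words (options make it > 5) */
    size_t ip_hlen = (size_t)out->ip_ihl * 4;
    if (out->ip_version != 4 || ip_hlen < 20 || ip_hlen > ip_avail) return -3;
    out->ip_total_len = rd16(ip + 2);                /* ip_len */
    out->ip_proto = ip[9];                           /* ip_p */
    out->ip_src = rd32(ip + 12);                     /* ip_src */
    out->ip_dst = rd32(ip + 16);                     /* ip_dst */
    if (out->ip_total_len < ip_hlen || out->ip_total_len > ip_avail) return -3;
    if (out->ip_proto != PROTO_TCP) return -4;

    const uint8_t *tcp = ip + ip_hlen;               /* struct tcphdr starts after IP options, if any */
    size_t tcp_avail = out->ip_total_len - ip_hlen;  /* Ethernet padding beyond ip_len is ignored */
    if (tcp_avail < 20) return -1;
    out->tcp_sport = rd16(tcp);                      /* th_sport */
    out->tcp_dport = rd16(tcp + 2);                  /* th_dport */
    out->tcp_doff = tcp[12] >> 4;                    /* th_off, in 32-bit words */
    out->tcp_flags = tcp[13];                        /* th_flags: FIN=0x01 SYN=0x02 RST=0x04 PSH=0x08 ACK=0x10 URG=0x20 */
    size_t tcp_hlen = (size_t)out->tcp_doff * 4;
    if (tcp_hlen < 20 || tcp_hlen > tcp_avail) return -5;
    out->payload_off = ETHER_HDR_LEN + ip_hlen + tcp_hlen;
    out->payload_len = tcp_avail - tcp_hlen;
    return 0;
}

/* Constructed sample frame: a SYN from 10.0.0.1:40000 to 10.0.0.2:80, no options, no payload. */
const uint8_t sample_syn[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,   /* Ethernet */
    0x45,0x00, 0x00,0x28, 0x00,0x01, 0x40,0x00, 0x40,0x06, 0x00,0x00,        /* IPv4: len 40, ttl 64, proto 6 */
    10,0,0,1, 10,0,0,2,                                                     /* src, dst */
    0x9c,0x40, 0x00,0x50, 0,0,0,1, 0,0,0,0, 0x50,0x02, 0x72,0x10, 0,0, 0,0  /* TCP: 40000 -> 80, doff 5, SYN */
};
const size_t sample_syn_len = sizeof sample_syn;
```

The same walk applies to UDP and ICMP by branching on `ip_proto` after the IP header; the detector then reads the fields it needs from `struct parsed` instead of touching raw offsets again.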
25
TCP Flags
  • Synchronize flag (SYN)
    • Used to initiate a TCP connection
  • Acknowledgement flag (ACK)
    • Used to confirm received data
  • Finish flag (FIN)
    • Used to shut down the connection

26
TCP Flags (2)
  • Push flag (PSH)
    • Do not buffer data on the receiver side; send
      it directly to the application level
  • Urgent flag (URG)
    • Used to signify data with a higher priority than
      the other traffic
    • E.g. a Ctrl-C interrupt during an FTP transfer
  • Reset flag (RST)
    • Tells the receiver to tear down the connection
      immediately

27
Connection setup
  • Three-way handshake

Figure from http://www.cs.colorado.edu/tor/sadocs/tcpip/3way.png
28
Connection termination
  • Either side can initiate termination
  • Note that the first FIN packet may still contain
    data!

Figure from http://homepages.feis.herts.ac.uk/cs2_sn2/sn2-img62.png