Instructor

  • who: Michael Swift
  • where: Room 7369
  • when: Monday 11-12, Thursday 1:30-2:30
  • email: swift 'at' cs.wisc.edu
  • TAs


CS 642: Computer Security - Homework Four

This homework assignment covers topics in network security. You must work with a partner. There are four parts; all are required; there is no extra credit portion for this assignment. It is due Thursday, May 2 at 9 pm.

Note:

The assignment was extended with a second part on Friday, April 19. Both parts are due at the same time.

Part 1

In hw4.zip, you will find four packet traces (pcap files) that can be read by the Wireshark tool (among other tools). You will need to investigate these traces to answer the questions below. To get started, you will want to understand how to use Wireshark's filtering capabilities. Your solution will be a file solutions.txt with answers to the questions below.

Trace 1: HTTP

  1. Give three websites (domain name and IP addresses) visited from source IP address 192.168.0.100.
  2. Give three search queries and the domain of the site for each query made from source IP address 192.168.0.100.

Trace 2: FTP

FTP is the File Transfer Protocol. There is a lot of information about it on the internet.

  1. What is the username and password used to connect to the FTP server?
  2. List any (and all) files that were downloaded from the FTP server.
  3. List the full path for two files (in different directories) on the FTP server that were NOT downloaded.

Trace 3: Traceroute

traceroute is a tool used to determine the route between two IP addresses. You can find information about it on the internet. Wikipedia has a nice introduction: https://en.wikipedia.org/wiki/Traceroute.

  1. Briefly describe how the traceroute tool works including which network protocols are in use.
  2. Give the source IP address that issued the traceroute command and the destination IP address.
  3. List the IP addresses on the route between source and destination.

Trace 4: POP

The post-office protocol (POP) is used for email.

  1. What is the POP username and password?
  2. How many emails are in the user’s mailbox?
  3. Give the contents of from, to, subject, and date for one email message.
  4. What email client (application) and operating system is this person using to send and receive email?

Part 2

In this part, you will write a simple intrusion detection system to detect potential attacks or dangerous behavior in network activity.

Here are three pcaps with example attacks (attack.zip):

  1. arpspoofing.pcap includes an ARP spoof attack. IP address 192.168.0.100 advertises the wrong MAC address for 192.168.0.1.
  2. portscan.pcap includes a TCP SYN port scan.
  3. tcpflood.pcap includes a TCP SYN flood.

Your job is to write a software IDS (a Python script named scanner.py) that takes as input a pcap trace and looks for such malicious behavior. The local network you are protecting is configured with two machines (192.168.0.100 with MAC address 7c:d1:c3:94:9e:b8 and 192.168.0.103 with MAC address d8:96:95:01:a5:c9) and a router (192.168.0.1 with MAC address f8:1a:67:cd:57:6e). Your scanner should:

  1. (2 points) Detect ARP spoofing attempts. Output a warning including the offending MAC address and the packet number of the offending packet. The format of your output should be:
     ARP spoofing!
     MAC: XX:XX:XX:XX:XX:XX
     Packet number: XX
  2. (2 points) Detect port scans. A port scan is defined to occur whenever TCP SYNs or UDP packets are sent to 100 or more different ports on a target system. The scanner should output a warning including the victim destination IP address and the offending packet numbers. The format of your output should be:
     Port scan!
     IP: XX.XX.XX.XX
     Packet number: XX, XX, XX, XX
  3. (2 points) Detect TCP SYN floods. Your tool should detect when the number of TCP SYNs to a particular destination (that are not associated with completed handshakes) exceeds 100 per second. The scanner should output a warning including the victim destination IP address and the offending packet numbers. The format of your output should be:
     SYN floods!
     IP: XX.XX.XX.XX
     Packet number: XX, XX, XX, XX
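The three detection rules above, implemented over an already-decoded packet list, as an added example that is not part of the assignment or any reference solution. It assumes a hypothetical intermediate form in which each packet is a dict with the fields shown (a real scanner.py would fill these from dpkt or scapy) and uses a constructed sample trace so it runs offline.

```python
from collections import defaultdict
# Host-to-MAC mapping of the protected network, as given in the assignment.
KNOWN_MACS = {"192.168.0.1": "f8:1a:67:cd:57:6e",
              "192.168.0.100": "7c:d1:c3:94:9e:b8",
              "192.168.0.103": "d8:96:95:01:a5:c9"}

def detect_arp_spoof(packets, known=KNOWN_MACS):
    # Flag ARP replies whose sender MAC contradicts the known MAC of the sender IP.
    return [(p["sender_mac"], p["num"]) for p in packets
            if p["proto"] == "arp" and p["op"] == "reply"
            and known.get(p["sender_ip"], p["sender_mac"]) != p["sender_mac"]]

def detect_port_scan(packets, threshold=100):
    # Count distinct destination ports hit by TCP SYNs or UDP datagrams per target.
    ports, nums = defaultdict(set), defaultdict(list)
    for p in packets:
        if p["proto"] == "udp" or (p["proto"] == "tcp" and p["flags"] == "S"):
            ports[p["dst_ip"]].add(p["dst_port"])
            nums[p["dst_ip"]].append(p["num"])
    return {ip: nums[ip] for ip in ports if len(ports[ip]) >= threshold}

def detect_syn_flood(packets, threshold=100):
    # A SYN stays "pending" until the initiator's handshake-completing ACK on the
    # same 4-tuple; pending SYNs are then counted per (target, one-second bucket).
    pending = {}  # (src_ip, src_port, dst_ip, dst_port) -> (packet num, second)
    for p in (q for q in packets if q["proto"] == "tcp"):
        flow = (p["src_ip"], p["src_port"], p["dst_ip"], p["dst_port"])
        if p["flags"] == "S":
            pending[flow] = (p["num"], int(p["ts"]))
        elif p["flags"] == "A":
            pending.pop(flow, None)
    buckets = defaultdict(list)
    for (_, _, dst, _), (num, sec) in pending.items():
        buckets[(dst, sec)].append(num)
    alerts = defaultdict(list)
    for (dst, _), nums in buckets.items():
        if len(nums) > threshold:
            alerts[dst] += sorted(nums)
    return dict(alerts)

# Constructed sample trace (hypothetical pre-decoded dicts; a real scanner.py
# would build them from dpkt/scapy): a spoofed ARP reply giving .100's MAC for
# the router, a 120-port scan of .103 over six seconds, 150 half-open SYNs to .100.
SAMPLE = [dict(num=1, proto="arp", op="reply", sender_ip="192.168.0.1",
               sender_mac="7c:d1:c3:94:9e:b8")]
SAMPLE += [dict(num=2 + i, proto="tcp", flags="S", ts=1 + i * 0.05, src_ip="10.0.0.9",
                src_port=40000 + i, dst_ip="192.168.0.103", dst_port=1 + i) for i in range(120)]
SAMPLE += [dict(num=122 + i, proto="tcp", flags="S", ts=5.2, src_ip="10.0.0.5",
                src_port=50000 + i, dst_ip="192.168.0.100", dst_port=80) for i in range(150)]
```

Note that the scan SYNs are spread over six seconds on purpose: 120 SYNs inside one second would also trip the flood rule, which the definitions above allow.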

Your program should take as input the filename of a pcap file that contains captured network packets, for example:

 python scanner.py example.pcap

The output of your program will be the warning messages as described above. Please also write a README to explain how to run your code. Check that your scanner runs properly on the CS lab machines before turning it in.

We will test your program on new pcap files other than the three we provide.

Resources:

We recommend using the dpkt or scapy library for reading pcap files and scanning through the different packet headers. Follow the instructions in their documentation to get the packages installed on your machines.

Deliverables

  1. You must create a file called ID which contains, on each line: <netid of Person 1>,<CS login>,<Last Name>,<First Name>. Two lines, one for each group member.
  2. Put all the files (solutions.txt, ID) in a directory named “solution” and package them into a tarball with the following command:
     tar -cf hw4.tar solution/*
  3. To submit, copy hw4.tar to your handin directory.
     From a department-managed machine:
     cp hw4.tar ~cs642-1/handin/<cslogin>/hw4
     From another machine:
     scp hw4.tar emperor-01.cs.wisc.edu:~cs642-1/handin/<cslogin>/hw4
     As a team, only one person should submit the homework tarfile.

Grading

Each sub-question in part 1 is worth up to 1 point for a total of 12 points. Part 2 is worth up to 6 points. There is no extra credit for this assignment.

Page last modified on April 19, 2019, at 04:18 PM