Homework 2

The deadline for this homework assignment is Wednesday, February 9, 2011, at 11:59pm GMT Monday, February 14, 2011, at 11:59pm GMT. You must use the BOSS system for the submission.

Note: read and understand the submission instructions carefully! Failing to comply with the instructions will prevent the grading software from processing your assignment.

Part 1

You have to implement a tool, called arpdespoof, which detects ARP spoofing attacks. The tool sniffs the network (or reads from a pcap file containing network traffic) looking for ARP traffic. It detects an attack when it identifies an ARP request that, within a given time window (configurable by the user, see below), received multiple replies that are different from each other.

When an attack is detected, the tool prints the following alert on the standard output (all on one line):

DETECT: who-has <target-ip>, R1: <ethernet1>, R2: <ethernet2>, TS: <secs.usecs>

For example, if an ARP request for 172.16.48.130 receives two replies, one claiming that 172.16.48.130 is-at 00:0c:01:01:01:01 and the other that 172.16.48.130 is-at 00:0c:02:02:02:02, the tool should output (assuming that the second reply was received at the timestamp 1296003035.190345):

DETECT: who-has 172.16.48.130, R1: 00:0c:01:01:01:01, R2: 00:0c:02:02:02:02, TS: 1296003035.190345

The tool can print debug messages that start with the string "DEBUG:". It should produce no other output on the standard output.
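The detection rule and alert format described above can be sketched as follows. This is an added example, not part of the assignment or a reference solution: it leaves out the libpcap capture loop and is fed already-parsed ARP fields, and the names on_request, on_reply, MAX_PENDING and the window argument (in seconds) are assumptions, as is the choice to let a repeated request restart the window.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define MAX_PENDING 64   /* assumed table size for this sketch */

/* One outstanding who-has request and the first is-at answer seen for it. */
struct pending {
    uint32_t ip;         /* target IP of the request, host byte order */
    double   asked_at;   /* capture timestamp of the request, seconds */
    int      has_reply;  /* set once a first reply has been recorded */
    uint8_t  mac[6];     /* hardware address claimed by the first reply */
};
static struct pending table[MAX_PENDING];
static int n_pending;

static struct pending *find(uint32_t ip) {
    for (int i = 0; i < n_pending; i++)
        if (table[i].ip == ip) return &table[i];
    return NULL;
}

/* Record a who-has request; a repeated request restarts the window. */
void on_request(uint32_t ip, long sec, long usec) {
    struct pending *p = find(ip);
    if (!p && n_pending < MAX_PENDING) p = &table[n_pending++];
    if (!p) return;                      /* table full: request not tracked */
    p->ip = ip; p->asked_at = sec + usec / 1e6; p->has_reply = 0;
}

/* Handle an is-at reply. Returns 1 and writes the alert line to `out` when
 * the reply conflicts with an earlier one inside the window, otherwise 0. */
int on_reply(uint32_t ip, const uint8_t mac[6], long sec, long usec,
             double window, char *out, size_t outlen) {
    struct pending *p = find(ip);
    double ts = sec + usec / 1e6;
    if (!p || ts - p->asked_at > window) return 0;  /* unsolicited or late */
    if (!p->has_reply) { memcpy(p->mac, mac, 6); p->has_reply = 1; return 0; }
    if (memcmp(p->mac, mac, 6) == 0) return 0;      /* same answer repeated */
    const uint8_t *a = p->mac;
    snprintf(out, outlen, "DETECT: who-has %u.%u.%u.%u, R1: "
             "%02x:%02x:%02x:%02x:%02x:%02x, R2: "
             "%02x:%02x:%02x:%02x:%02x:%02x, TS: %ld.%06ld",
             ip >> 24, (ip >> 16) & 255, (ip >> 8) & 255, ip & 255,
             a[0], a[1], a[2], a[3], a[4], a[5],
             mac[0], mac[1], mac[2], mac[3], mac[4], mac[5], sec, usec);
    return 1;
}
```

The timestamp is printed from the integer seconds and microseconds of the capture header rather than from a double, so the six fractional digits in the alert are exact.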

The tool must accept the following command line options:

The tool can be implemented in C (strongly recommended) or Java:

Instructions for C
The tool reads network traffic using the libpcap library. The tool must be implemented as a single file, called arpdespoof.c. This file must compile using the following command:
$ gcc arpdespoof.c -o arpdespoof -lpcap -lnet
Submit the arpdespoof.c file using BOSS.
Instructions for Java
The tool reads network traffic using the jNetPcap or the Jpcap library. The tool must be implemented as a single file, called ArpDespoof.java. You must create a jar file containing your code called ArpDespoof.jar. It must be possible to run the tool by (assuming that libs contains the jNetPcap and Jpcap libraries):
$ java -classpath ArpDespoof.jar:libs/* netsec.hw2.ArpDespoof
Submit the ArpDespoof.java file and the ArpDespoof.jar file using BOSS.

Testing: for testing purposes, you can use the following network traces:

Marking: part 1 is worth 70%.

Part 2

You have to implement a tool, called antiscan, that thwarts ICMP-based scanning. In particular, the tool is able to simulate a non-existent host, called the target, at both the Ethernet and IP level. When an attacker sends an ICMP echo request message to the target (to verify that it is up), the tool generates a corresponding ICMP echo reply, thus fooling the attacker's scan attempt.

Note that you will have to spoof ICMP messages as well as the ARP packets that are needed to simulate the presence of the target host.

Suppose that antiscan is configured to simulate the presence of 172.16.48.1. Then, pinging the target host should have a result similar to:

$ ping -c 1 172.16.48.1
  PING 172.16.48.1 (172.16.48.1) 56(84) bytes of data.
  64 bytes from 172.16.48.1: icmp_seq=1 ttl=64 time=2.48 ms

  --- 172.16.48.1 ping statistics ---
  1 packets transmitted, 1 received, 0% packet loss, time 0ms
  rtt min/avg/max/mdev = 2.483/2.483/2.483/0.000 ms
  

The tool must accept the following command line options:

The tool can be implemented in C (strongly recommended) or Java:

Instructions for C
The tool reads network traffic using the libpcap library. The tool must be implemented as a single file, called antiscan.c. This file must compile using the following command:
$ gcc antiscan.c -o antiscan -lpcap -lnet
Submit the antiscan.c file using BOSS.
Instructions for Java
The tool reads network traffic using the jNetPcap or the Jpcap library. The tool must be implemented as a single file, called AntiScan.java. You must create a jar file containing your code called AntiScan.jar. It must be possible to run the tool by (assuming that libs contains the jNetPcap and Jpcap libraries):
$ java -classpath AntiScan.jar:libs/* netsec.hw2.AntiScan
Submit the AntiScan.java file and the AntiScan.jar file using BOSS.

Testing: an isolated network is being set up to test this program. I'll announce when it is available.

Marking: part 2 is worth 30%.