
Questions on network

Question 1: Analysis of Protocols with Wireshark

Ans:

netcat.pcap is uploaded in Moodle. It contains the trace of both the TCP and the UDP exchange between Node 1 (client) and Node 3 (server).

Wireshark filter: tcp.port==8567 || udp.port==9567

Endpoints in the trace:

Client: 192.168.1.11
Server: 192.168.2.21

Message sequence between client and server (as in the diagram):

TCP exchange:
    TCP SYN
    TCP SYN, ACK
    TCP ACK
    TCP PSH, ACK (data)
    TCP ACK (ack for data segment)
    TCP PSH, ACK (data)
    TCP ACK (ack for data segment)
    TCP FIN, ACK
    TCP FIN, ACK
    TCP ACK

UDP exchange:
    UDP (data segment)
    UDP (data segment)

TCP connection duration: the total TCP connection time can be obtained from Statistics -> Conversations. For my trace the TCP duration is 59.212972 sec, or 59212 milliseconds.

Delay between the 1st UDP packet and the 2nd UDP packet: 35.832325 sec, or 35832 milliseconds.

The client TCP port number is 44618 and the client UDP port number is 53574.

Security analysts often learn the type of a network traffic flow from the port numbers present in the packet, since the server port number is fixed for most server applications, for example port 80 for HTTP and port 22 for SSH. This strategy can sometimes mislead the analyst: a malicious application may use a reserved (well-known) port number to carry out its activity, and with port-number tracking alone such a masquerading attack cannot be identified.

Very little information is conveyed by the client port number, since for most applications it is not fixed (it is chosen per connection). But once the client port number of a flow is known, the analyst can track all packets belonging to that flow, or in other words identify the server application that is communicating with the client.
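The filter and the two Conversations figures above, reproduced over a constructed packet summary as an added example (not part of the original answer or of netcat.pcap; the timestamps are chosen to match the reported durations, and an unrelated port-80 flow is included to show the filter excluding it):

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "ts proto src sport dst dport flags")

# Constructed packet summaries mirroring the netcat.pcap exchange described above.
# Timestamps are chosen to reproduce the reported durations; this is not the real capture.
CLIENT, SERVER = "192.168.1.11", "192.168.2.21"
TRACE = [
    Pkt(0.000000, "tcp", CLIENT, 44618, SERVER, 8567, "SYN"),
    Pkt(0.000412, "tcp", SERVER, 8567, CLIENT, 44618, "SYN,ACK"),
    Pkt(0.000655, "tcp", CLIENT, 44618, SERVER, 8567, "ACK"),
    Pkt(12.104300, "tcp", CLIENT, 44618, SERVER, 8567, "PSH,ACK"),
    Pkt(12.104700, "tcp", SERVER, 8567, CLIENT, 44618, "ACK"),
    Pkt(20.000000, "udp", CLIENT, 53574, SERVER, 9567, ""),
    Pkt(30.500000, "tcp", SERVER, 8567, CLIENT, 44618, "PSH,ACK"),
    Pkt(30.500300, "tcp", CLIENT, 44618, SERVER, 8567, "ACK"),
    Pkt(55.832325, "udp", CLIENT, 53574, SERVER, 9567, ""),
    Pkt(59.210000, "tcp", CLIENT, 44618, SERVER, 8567, "FIN,ACK"),
    Pkt(59.212500, "tcp", SERVER, 8567, CLIENT, 44618, "FIN,ACK"),
    Pkt(59.212972, "tcp", CLIENT, 44618, SERVER, 8567, "ACK"),
    Pkt(60.000000, "tcp", CLIENT, 40000, SERVER, 80, "SYN"),  # unrelated flow, must be excluded
]

def matches_filter(p):
    """Python equivalent of the Wireshark filter tcp.port==8567 || udp.port==9567."""
    return (p.proto == "tcp" and 8567 in (p.sport, p.dport)) or \
           (p.proto == "udp" and 9567 in (p.sport, p.dport))

def conversation_duration(pkts, proto):
    """Statistics -> Conversations style duration: last minus first timestamp of the flow."""
    ts = [p.ts for p in pkts if p.proto == proto and matches_filter(p)]
    return round(max(ts) - min(ts), 6)

def udp_inter_packet_delay(pkts):
    """Gap between the first and second UDP datagram of the filtered flow."""
    ts = sorted(p.ts for p in pkts if p.proto == "udp" and matches_filter(p))
    return round(ts[1] - ts[0], 6)

def client_ports(pkts, client):
    """Ephemeral ports the client used per protocol: the per-flow handle the text describes."""
    return {p.proto: p.sport for p in pkts if p.src == client and matches_filter(p)}

if __name__ == "__main__":
    print("TCP duration (s):", conversation_duration(TRACE, "tcp"))
    print("UDP gap (s):", udp_inter_packet_delay(TRACE))
    print("client ports:", client_ports(TRACE, CLIENT))
```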


Question 2. Web Application Attacks

a)

Action not performed manually

Time (s) | Action | URL
0 | Visit MyUni Grades website | www.myuni.edu/grades/
53 | Clicked on “Login” link | www.myuni.edu/grades/login.php
81 | Entered “steve” in user_name, “mysecret” in the password field and pressed “Login” | www.myuni.edu/grades/login.php
98 | Clicked on “View Grades” link | www.myuni.edu/grades/query.php
138 | Clicked on “View Grades” with form items id = “s0000000”, course = “coit20262”, submit = “Submit” | http://www.myuni.edu/grades/view.php
175 | Clicked on “View Grades” link | www.myuni.edu/grades/query.php
195 | Clicked on “View Grades” with form items id = “s1234567”, course = “”, submit = “Submit” | http://www.myuni.edu/grades/view.php
236 | Visit FreeStuff website | www.freestuff.com/freestuff/
271 | Clicked on “View Grades” link | www.myuni.edu/grades/query.php
287 | Clicked on “View Grades” with form items id = “s0000000”, course = “”, submit = “Submit” | www.myuni.edu/grades/view.php
363 | Clicked on “Logout” link | www.myuni.edu/grades/login.php

 

b)

The list of websites (domain name and IP address) visited by the Unit Coordinator is given below:

Domain | IP address
myuni.edu | 192.168.2.21
freestuff.com | 192.168.2.21

c) To identify all domain names, I filtered the trace file by ‘http.request’. This filter shows 13 outgoing HTTP requests from the unit coordinator’s system. In the filtered trace the domain name can be read from the ‘Host’ field in the ‘Hypertext Transfer Protocol’ section of each packet.

 

d) The attacker probably tries to update the marks in the examination database.

Probably the attacker is the student with ID ‘s0000000’.

Frame number 127 (363 sec.) indicates the success of the attack.

The ‘Line-based text data: text/html’ field indicates that the grade for coit20262 is HD, whereas it was previously F in packet 55 (139 sec.).

 

e) To perform this attack the attacker creates a fake website whose home page contains an ‘img src’ tag that generates a marks up-gradation query to the myuni.org domain. To get some free stuff, the unit coordinator opens that malicious website after logging in to ‘myuni.org’ (i.e. the myuni cookies were present in the browser). As a consequence, the up-gradation query is triggered successfully under the coordinator’s session.

Packet number 98 indicates that the attack is taking place.

f) Probably the upgrade page supports the GET method for data transfer; if it supported only the POST method, this kind of attack could be avoided, since the request generated by an ‘img src’ tag is always a GET.
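The pattern described in (d) to (f), as an added example that is not part of the original answer: a trace-side triage rule that flags an authenticated request to the grade page arriving from a foreign Referer, and a server-side acceptance rule that goes beyond the POST-only fix in (f) by also requiring a same-origin Origin/Referer and a per-session anti-CSRF token. The request records, the session cookie value, the token and the freestuff.com Referer are constructed assumptions.

```python
import hmac
from urllib.parse import urlsplit

SITE_HOST = "www.myuni.edu"
STATE_CHANGING = {"/grades/view.php"}   # endpoint the trace shows changing the grade

# Constructed request summaries shaped like the 195 s and 287 s rows in the table above.
# The foreign Referer on the second one is assumed (the FreeStuff page embedding the image).
REQUESTS = [
    {"t": 195, "method": "GET", "cookie": "PHPSESSID=abc123",
     "url": "http://www.myuni.edu/grades/view.php?id=s1234567&course=&submit=Submit",
     "referer": "http://www.myuni.edu/grades/query.php"},
    {"t": 287, "method": "GET", "cookie": "PHPSESSID=abc123",
     "url": "http://www.myuni.edu/grades/view.php?id=s0000000&course=&submit=Submit",
     "referer": "http://www.freestuff.com/freestuff/"},
]

def classify(req):
    """Trace-side triage: an authenticated GET to a state-changing page whose Referer is
    another site (or absent) is the CSRF pattern seen at 287 s."""
    url = urlsplit(req["url"])
    if url.netloc != SITE_HOST or url.path not in STATE_CHANGING:
        return "ignore"
    if not req.get("cookie"):
        return "unauthenticated"
    if urlsplit(req.get("referer", "")).netloc != SITE_HOST:
        return "suspect-csrf"
    return "ok"

def server_accepts(req, session_token):
    """Hardened rule for view.php: POST only (as proposed in (f)), same-origin
    Origin/Referer, and a constant-time match of the per-session anti-CSRF token."""
    if req["method"] != "POST":
        return False
    origin = req.get("origin") or req.get("referer") or ""
    if urlsplit(origin).netloc != SITE_HOST:
        return False
    submitted = req.get("form", {}).get("csrf_token", "")
    return hmac.compare_digest(submitted, session_token)

if __name__ == "__main__":
    for r in REQUESTS:
        print(r["t"], classify(r))
```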

 

Question 3. Cryptographic Operations with OpenSSL

The required files are uploaded in Moodle.

File uploading checklist:

keypair.pem

pubkey.pem

commands.bash

signature.bin

key.txt

ciphertext.bin

secretkey.bin

(c) The commands for steps (a), (b), (d), (e), (f) and (g) are listed in “commands.bash” and reproduced below.

openssl genrsa -F4 -out keypair.pem                                 # RSA key pair; -F4 selects the public exponent 65537
openssl rsa -in keypair.pem -out pubkey.pem -outform PEM -pubout    # extract the public key from the key pair
openssl dgst -sha256 -sign keypair.pem -out signature.bin commands.bash   # RSA signature over the SHA-256 digest of the file (a bare sha256 digest would not be a signature)
openssl rand -hex 16 > key.txt                                      # 128-bit random AES key, hex encoded
openssl enc -aes-128-cbc -salt -in commands.bash -out ciphertext.bin -pass file:key.txt -iv 0000000000000000 -p   # fixed all-zero IV as submitted; openssl pads the short hex string with zero bytes
#openssl aes-128-cbc -d -in ciphertext.bin -pass file:key.txt -iv 0000000000000000 -p -out secrets.txt.new   # testing AES decryption
cat key.txt | openssl rsautl -encrypt -pubin -inkey steven-gordon-pubkey.pem > secretkey.bin   # wrap the AES key with the recipient's RSA public key
#testing: RSA encryption and decryption with my own key
#cat key.txt | openssl rsautl -encrypt -pubin -inkey pubkey.pem > my_secretkey.bin
#openssl rsautl -decrypt -inkey keypair.pem -in my_secretkey.bin -out my_secret.key.new


Question 4. Network Attack Research

(a) DoS stands for Denial of Service. In this kind of attack, an attacker sends a bulk of fake service requests to a particular system or server. The system or server becomes busy serving those fake requests, and in the meantime all legitimate users of the system are rejected because of the overload condition.

DDoS stands for Distributed Denial of Service[1]. It is similar to a DoS attack, but far more dangerous. In this kind of attack multiple systems launch a DoS attack on one target concurrently. Identifying and nullifying such an attack is much more difficult than for DoS, as the malicious requests arrive at the system concurrently from different networks. To launch this kind of attack, the attacker spreads a malicious program over the Internet; all infected systems form a botnet, which acts as a platform for the attacker.

 

Criterion | DoS | DDoS
Attacker system count | A single system is involved in the attack. | A set of infected nodes, known as a botnet, performs the attack.
Level of vulnerability | Comparatively low, as detection is easy. | Comparatively high, as detection is difficult.

DoS and DDoS attacks either try to consume network bandwidth or target RAM and CPU cycles. In the first case, legitimate nodes are cut off from the network due to network contention; in the second case the servers providing the service lose CPU cycles or RAM space to the attack and refuse to serve requests from legitimate nodes. ICMP (ping) flooding attacks belong to the first category, where a storm of ICMP packets eats up the network bandwidth. TCP SYN flooding belongs to the second category: the botnet sends a large number of SYN requests to a server and never completes the handshakes, so these half-open connections consume a lot of resources (RAM and CPU cycles). Due to the lack of resources the affected server becomes overloaded very soon, causing denial of service for legitimate users.

 

(b) Figure 1: DDoS Attack Scenario (network diagram showing the control server, the bots that form the botnet, and the victim/target)

Basic components of the DDoS attack scenario are depicted in Figure 1 with a rough network diagram. In the diagram, a botnet sits between the control server and the victim machine. The botnet consists of several infected machines known as zombies or bots. The bots may be in geographically and network-wise different places, but they all obey the orders of the control server, which infected them with the malicious software in the first place. The entire botnet acts as a platform for DDoS: an attacker can launch a DDoS attack on any arbitrary server or system by issuing instructions through the control server. During the attack all elements of the botnet send fictitious traffic to the victim system, which consumes either processing resources or the bandwidth of the connecting link until it is overloaded; this causes denial of service for the legitimate users of the victim’s system. DDoS attacks are a potential threat to any business, as they may reduce customers’ faith in a particular system.

 

 

c) In the recent past the BBC website faced one of the biggest DDoS attacks in the world. The attack was reported on New Year’s Eve 2015 (31st Dec 2015)[2]. The New World Hackers group claimed responsibility for the attack. Their stated aim was to target all ISIS-affiliated websites, and the BBC came under the collateral damage of that process. The attack consumed approximately 600 gigabits per second, a significantly high number. It took the BBC website down for 3 hours, and its after-effects persisted for the entire day.


d) Advanced DDoS attack detection is one of the open challenges for network security designers, as bots may be present in different networks and can closely mimic the behaviour of human users. Still, there are a few strategies by which basic DDoS attack scenarios can be identified. As DDoS is hard to identify, its prevention or mitigation is also difficult. In the following paragraphs two DDoS detection techniques and two prevention techniques are listed.

Detection Strategy

Machine-learning-based user pattern identification[3] is one of the efficient ways to detect a DDoS attack. This technique identifies the requests coming from bots, discards those requests and blocks the corresponding IP addresses on the server.

Entropy-based DDoS detection[4]. In this approach a flow-based entropy calculation is done; based on the entropy, the system classifies a request as a human-generated request or a bot-generated request.

Prevention Strategy

Firewall-based prevention: we can set a limit on the number of requests from one IP address to the system; this is useful to limit the effect of a DDoS on the system.

By limiting the number of open TCP connections (half-open connections still waiting for the final ACK of the handshake), we can prevent a TCP SYN attack.
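An added example illustrating both the entropy-based detection and the per-IP firewall limit described above (it is not the method of [3] or [4] and not part of the original answer): source-address entropy per time window flags the many-source DDoS window, while a per-source packet cap catches a single-source flood that entropy alone would not. All packet records are constructed.

```python
import math
from collections import Counter

# Constructed packet records (timestamp s, source IP, destination port); not from any real capture.
NORMAL = [(0.1, "10.0.0.5", 80), (0.3, "10.0.0.5", 80), (0.6, "10.0.0.7", 443), (0.9, "10.0.0.7", 443)]
FLOOD = [(1.0 + i * 0.05, f"198.51.100.{i}", 80) for i in range(16)]   # 16 distinct (spoofed) sources, one window
SINGLE = [(2.0 + i * 0.01, "203.0.113.9", 80) for i in range(12)]      # one noisy source, one window

def entropy(values):
    """Shannon entropy (bits) of the empirical distribution of values."""
    counts = Counter(values)
    n = sum(counts.values())
    return sum(-c / n * math.log2(c / n) for c in counts.values())

def window_features(packets, window=1.0):
    """Bucket packets into fixed windows; return (window_start, packet_count, source_entropy)."""
    buckets = {}
    for t, src, _dport in packets:
        buckets.setdefault(int(t // window), []).append(src)
    return [(k * window, len(v), entropy(v)) for k, v in sorted(buckets.items())]

def detect(packets, rate_limit=10, entropy_limit=2.5):
    """Flag windows whose packet rate and source entropy both exceed their limits:
    many packets from many distinct sources is the distributed (botnet) signature."""
    return [w for w in window_features(packets) if w[1] > rate_limit and w[2] > entropy_limit]

def per_source_limit(packets, max_per_source=3):
    """Firewall-style prevention: once a source exceeds max_per_source packets, drop the rest."""
    seen, accepted = Counter(), []
    for p in packets:
        seen[p[1]] += 1
        if seen[p[1]] <= max_per_source:
            accepted.append(p)
    return accepted

if __name__ == "__main__":
    print("flagged windows:", detect(NORMAL + FLOOD + SINGLE))
    print("packets accepted from single source:", len(per_source_limit(SINGLE)))
```

The single-source window is not flagged by the entropy rule (its entropy is 0), which is why the per-IP limit is listed as a separate measure.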

 

References

[1] Ranjan, R. Swaminathan, M. Uysal, and E. W. Knightly, “DDoS-resilient scheduling to counter application layer attacks under imperfect detection,” in Proc. IEEE INFOCOM, 2006.
[2] http://www.bbc.com/news/technology-37728015
[3] He, T. Zhang and R. B. Lee, “Machine Learning Based DDoS Attack Detection from Source Side in Cloud,” 2017 IEEE 4th International Conference on Cyber Security and Cloud Computing (CSCloud), New York, NY, USA, 2017, pp. 114-120.
[4] Qin, T. Xu and C. Wang, “DDoS Attack Detection Using Flow Entropy and Clustering Technique,” 2015 11th International Conference on Computational Intelligence and Security (CIS), Shenzhen, 2015, pp. 412-415.
