Assignment Help - homework help

Assignment - secure communications cryptography tcpip


Assignment - Secure Communications & Cryptography TCP/IP Attacks

Attacks on TCP/IP Protocols

Project Overview - The learning objective of this project is for students to gain the first-hand experience on the vulnerabilities of TCP/IP protocols, as well as on attacks against these vulnerabilities. The vulnerabilities in the TCP/IP protocols represent a special genre of vulnerabilities in protocol designs and implementations; they provide an invaluable lesson as to why security should be designed in from the beginning, rather than being added as an afterthought. Moreover, studying these vulnerabilities help students understand the challenges of network security and why many network security measures are needed. Vulnerabilities of the TCP/IP protocols occur at several layers.

Lab Environment - Network Setup. To conduct this project, students need to have at least 3 machines. One computer is used for attacking, the second computer is used as the victim, and the third computer is used as the observer. Students can set up 3 virtual machines on the same host computer, or they can set up 2 virtual machines, and then use the host computer as the third computer. For this project, we put all these three machines on the same LAN, the configuration is described.

Operating System. This lab can be carried out using a variety of operating systems. The commands listed assume you're using a Linux machine and have all the required tools installed, some of the commands used in this lab description might not work or exist in other operating systems.

Tools. We need tools to send out network packets of different types and with different contents. You are free to use whatever tools or combination of tools you prefer; however higher marks will be rewarded for crafting your own packets using tools such as SCAPT or Hping3 versus using automated tools for a particular task.

It may however be useful to apply a stepped approach to each task and begin with the automated tool to ensure you understand the attack before trying to craft the attack yourself.

Wireshark Tool. You also need a good network-traffic sniffer tool for this lab.

NOTE: Students are expected to research the concepts of the attacks listed for this project, hence the detail of each attack is not included here.

Project Tasks -

Students need to conduct attacks on the TCP/IP protocols. They can use the any tools in the attacks. All the attacks are performed on Linux operating systems. However, you can also conduct the same attacks on other operating systems and compare the observations, if you want the highest grades. To simplify the "guess" of TCP sequence numbers and source port numbers, we assume that attacks are on the same physical network as the victims. Therefore, you can use sniffer tools to get that information. The following is the list of attacks that need to be implemented.

Task (1): ARP cache poisoning

The ARP cache is an important part of the ARP protocol. Once a mapping between a MAC address and an IP address is resolved as the result of executing the ARP protocol, the mapping will be cached. Therefore, there is no need to repeat the ARP protocol if the mapping is already in the cache. However, because the ARP protocol is stateless, the cache can be easily poisoned by maliciously crafted ARP messages. Such an attack is called the ARP cache poisoning attack.

In such an attack, attackers use spoofed ARP messages to trick the victim to accept an invalid MAC to IP mapping, and store the mapping in its cache. There can be various types of consequences depending on the motives of the attackers. For example, attackers can launch a DoS attack against a victim by associating a non-existent MAC address to the IP address of the victim's default gateway; attackers can also redirect the traffic to and from the victim to another machine, etc.

In this task, you need to demonstrate how the ARP cache poisoning attack work.

Task (2): ICMP Redirect Attack

The ICMP redirect message is used by routers to provide the up-to-date routing information to hosts, which initially have minimal routing information. When a host receives an ICMP redirect message, it will modify its routing table according to the message. Because of the lack of validation, if attackers want the victim to set its routing information in a particular way, they can send spoofed ICMP redirect messages to the victim, and trick the victim to modify its routing table.

In this task, you should demonstrate how the ICMP redirect attack works, and describe the observed consequence.

Task (3): SYN Flooding Attack

SYN flood is a form of DoS attack in which attackers send many SYN requests to a victim's TCP port, but the attackers have no intention to finish the 3-way handshake procedure. Attackers either use spoofed IP address or do not continue the procedure. Through this attack, attackers can flood the victim's queue that is used for half-opened connections, i.e. the connections that has finished SYN, SYN-ACK, but has not yet got a final ACK back. When this queue is full, the victim cannot take any more connection. Figure 1 illustrates the attack.

The size of the queue has a system-wide setting

We can use command "netstat -na" to check the usage of the queue, i.e., the number of half-opened connections associated with a listening port. The state for such connections is SYN-RECV. If the 3-way handshake is finished, the state of the connections will be ESTABLISHED.

In this task, you need to demonstrate the SYN flooding attack. You can use the Netwox tool to conduct the attack, and then use a sniffer tool to capture the attacking packets. While the attack is ongoing, run the "netstat -na" command on the victim machine, and compare the result with that before the attack. Please also describe how you know whether the attack is successful or not.

SYN Cookie Countermeasure: If your attack seems unsuccessful, one thing that you can investigate is whether the SYN cookie mechanism is turned on. SYN cookie is a defense mechanism to counter the SYN flooding attack. The mechanism will kick in if the machine detects that it is under the SYN flooding attack.

Please run your attacks with the SYN cookie mechanism on and off, and compare the results. In your report, please describe why the SYN cookie can effectively protect the machine against the SYN flooding attack, you can find how the SYN cookie mechanism works through your research.

Task (4): TCP RST Attacks on telnet and ssh Connections

The TCP RST Attack can terminate an established TCP connection between two victims. For example, if there is an established telnet connection (TCP) between two users A and B, attackers can spoof a RST packet from A to B, breaking this existing connection. To succeed in this attack, attackers need to correctly construct the TCP RST packet.

In this task, you need to launch an TCP RST attack to break an existing telnet connection between A and B. After that, try the same attack on an ssh connection. Please describe your observations. To simply the lab, we assume that the attackers and the victims are on the same LAN, i.e., attackers can observe the TCP traffic between A and B.

Task (5): TCP RST Attacks on Video Streaming Applications

Let us make the TCP RST attack more interesting by experimenting it on the applications that are widely used in nowadays. We choose the video streaming application in this task. For this task, you can choose a video streaming web site that you are familiar with (we will not name any specific web site here). Most video sharing websites establish a TCP connection with the client for streaming the video content. The attacker's goal is to disrupt the TCP session established between the victim and video streaming machine.

To simplify the task, we assume that the attacker and the victim are on the same LAN. In the following, we describe the common interaction between a user (the victim) and some video-streaming web site:

- The victim browses for a video content in the video-streaming web site, and selects one of the videos for streaming.

- Normally video contents are hosted by a different machine, where all the video contents are located.

After the victim selects a video, a TCP session will be established between the victim machine and the content server for the video streaming. The victim can then view the video he/she has selected.

Your task is to disrupt the video streaming by breaking the TCP connection between the victim and the content server. You can let the victim user browse the video-streaming site from another (virtual) machine or from the same (virtual) machine as the attacker. Please be noted that, to avoid liability issues, any attacking packets should be targeted at the victim machine (which is the machine run by yourself), not the content server machine (which does not belong to you).

Task (6): ICMP Blind Connection-Reset and Source-Quench Attacks

ICMP messages can also be used achieve the connection-resetting attack. To do this, attackers send an ICMP error message that indicates a "hard error" to either of the two endpoints of a TCP connection. The connection can be immediately torn down as RFC 1122 states that a host should abort the corresponding connection when receiving such an ICMP error message. RFC 1122 defines "hard errors" as ICMP error messages of type 3 (Destination Unreachable) with code 2 (protocol unreachable), 3 (port unreachable), or 4 (fragmentation needed and DF bit set).

The ICMP source quench message is used by the congested routers to tell the TCP senders to slow down. Attackers can forge such messages to conduct the denial of services attacks on TCP senders.

In this task, you need to launch the ICMP blind connect-reset attacks and the ICMP source quench attacks. You need to be noted that some systems may reasonably ignore this type of ICMP errors in certain TCP state. You need to describe your observations in the project report.

Task (7): TCP Session Hijacking

The objective of the TCP Session Hijacking attack is to hijack an existing TCP connection (session) between two victims by injecting malicious contents into this session. If this connection is a telnet session, attackers can inject malicious commands into this session, causing the victims to execute the malicious commands. We will use telnet in this task. We also assume that the attackers and the victims are on the same LAN.

Lab Report - You should submit a lab report. The report should cover the following sections:

- Design: The design of your attacks, including the attacking strategies, the packets that you use in your attacks, the tools that you used, etc.

- Observation: Is your attack successful? How do you know whether it has succeeded or not? What do you expect to see? What have you observed? Is the observation a surprise to you?

- Explanation: Some of the attacks might fail. If so, you need to find out what makes them fail. You can find the explanations from your own experiments (preferred) or from the Internet. If you get the explanation from the Internet, you still need to find ways to verify those explanations through your own experiments. You need to convince us that the explanations you get from the Internet can indeed explain your observations.

- I'd expect an 'A' project to be about 10000 words (Very rough guestimate), this will vary hugely depending on how many and which of the tasks you attempt and complete.

- This project is worth 25%, there are 7 tasks and the first 3 tasks are 3 % each and the final 4 tasks are worth 4% each.

Attachment:- Assignment File - TCP-IP Attacks.rar

Solution Preview :

Prepared by a verified Expert
Computer Network Security: Assignment - secure communications cryptography tcpip
Reference No:- TGS02765753

Now Priced at $50 (50% Discount)

Recommended (91%)

Rated (4.3/5)