COIT20262 advanced network security
Attempt all questions.
Submit the following on Moodle:
- Answers: A Microsoft Word document containing answers to the questions.
- File for Question 1: pcap
- Files for Question 3: pem, pubkey.pem, commands.bash, signature.bin, key.txt, ciphertext.bin, secretkey.bin
This is an individual assignment, and it is expected students answer the questions themselves. Discussion of approaches to solving questions is allowed (and encouraged), however each student should develop and write-up their own answers. See CQUniversity resources on Referencing and Plagiarism. Guidelines for this assignment include:
- Do not exchange files (reports, captures, diagrams) with other students.
- Complete tasks with virtnet yourself – do not use results from another student.
- Draw your own diagrams. Do not use diagrams from other sources (Internet, textbooks) or from other students.
- Write your own explanations. In some cases, students may arrive at the same numerical answer, however their explanation of the answer should always be their own.
- Do not copy text from websites or textbooks. During research you should read and understand what others have written, and then write in your own words.
Question 1. Analysis of Protocols with Wireshark [12 marks]
Objective: Gain a good understanding of common Internet protocols as well as using packet capture software (Wireshark)
For this question you must use virtnet (as used in the workshops) to study Internet applications with Wireshark. This assumes you have already setup and are familiar with virtnet. See Moodle and workshop instructions for information on setting up and using virtnet, deploying the website, and performing the attack.
Your task is to:
- Create topology 5 in virtnet where:
o node1 will be referred to as the client o node2 will be the router o node3 will be the server
- Start capturing packets using tcpdump on the router (node2) While capturing, perform the following operations in order:
- Start netcat TCP server using assigned port on the server (node3) 2. Start netcat TCP client on the client (node1) 3. On the client (node1) type:
COIT20262 TCP<press ENTER>
My ID is <type in your actual student ID><press ENTER>
- Start netcat UDP server using assigned port on the server (node3) 5. Start netcat UDP client on the client (node1) 6. On the client (node1) type:
COIT20262 UDP<press ENTER>
My name is <type in your actual name><press ENTER>
- Stop the capture and save the file as netcat.pcap
Server port numbers must be assigned based on the last three (3) digits of your student ID, xyz, as defined below. Examples are given for a student ID of s1234567.
- For netcat TCP server use port 8xyz. Example port: 8567
- For netcat UDP server use port 9xyz. Example port: 9567
After performing and understanding the above steps, answer the following sub-questions
- Submit your capture file as pcap on Moodle. The single file must contain all packets of both the TCP and UDP exchange using your assigned ports and using your ID and name. [4 marks]
- Draw a message sequence diagram that illustrates all the TCP and UDP packets generated by using netcat (do not draw any packets generated by other applications or protocols, such as ARP, DNS or SSH). A message sequence diagram uses vertical lines to represent events that happen at a computer over time (time is increasing as the line goes down). Addresses of the computers/software are given at the top of the vertical lines. Horizontal or sloped arrows are used to show messages (packets) being sent between computers. Each arrow should be labelled with the protocol, packet type and important information of the message. Examples of message sequence diagrams are given in workshops. Note that you do not need to show the packet times, and the diagram does not have to be to scale. [4 marks]
- Based on your capture, how many milliseconds was the TCP connection (that is, from very first packet of the connection to very last packet of the connection)? [1 mark]
- Based on your capture, how many milliseconds from between when the user pressed
ENTER following the first line (“COIT20262 ...”) until the user pressed ENTER following the second line (“My ...”) when using UDP? [0.5 mark]
- What were the port numbers of the TCP client and UDP client? [0.5 mark]
- Often a security analyst can learn the type of application being used based on the port number used by a server application. For example, if the server port is 80, the analyst assumes the application is HTTP or web browsing. What is the limitation of this approach of identifying applications? [1 mark]
- What can a security analyst learn from knowing the port number of a client application? [1 mark]
- The capture file must be specific to the student, and contain all the necessary packets to obtained 3 marks. Missing packets will result in 0 or 1 mark. Files identical to other students or without student specific port numbers and messages will receive 0 marks.
- All packets clearly shown: 3 marks: Minor mistakes: 2 mark. Multiple packets wrong and/or multiple mistakes: 0 or 1 marks.
- through to (g): Full marks for correct answer. 0 marks for incorrect.
Question 2. Web Application Attacks [12 marks]
Objective: Understand how real web application attacks work, and methods for mitigating them.
The file a1-q2-capture.pcap on Moodle contains packets captured in an exchange between several computers. One of those computers was the Unit Coordinator’s (Steve) and has IP address 192.168.1.11. One action the Unit Coordinator was performing during the capture was viewing the grades of students on the university web site http://www.myuni.edu/grades/. No other users were accessing any of the websites during capture.
Answer the following questions based on the packet capture.
- Complete the following table that shows the actions the Unit Coordinator performed on his web browser. Note that the actions are only those performed by the human user, such as:
- Clicked on “XXX” link
- Entered “YYY” in ZZZ field and pressed Submit
Give the time rounded to the nearest second. As a hint, the first two rows and the last row are already completed for you, and you do not need to insert/delete rows from the table. [4 marks]
Visit MyUni Grades website
Clicked on “Login” link
Clicked on “Logout” link
- For all websites visited by the Unit Coordinator, give the domain name and corresponding IP address of the web server. [1 mark]
- How did you find the domain name of each website? That is, what specific part of the capture (e.g. which packet?, which field?) did you find the domain name? [1 mark]
- An attack was performed during the capture. What was the purpose of the attack, who was the likely attacker, and what part of the capture indicates the attack was successful (refer to specific packets)? [2 marks]
- Explain how the attack was performed, including what the attacker did (either in advance of the capture or during the capture) and which packets in the capture indicate the attack taking place. [3 marks]
- Explain one method you (as the grading system web developer) could take to prevent this attack in the future. [1 mark]
- Each correct row is worth 0.5 mark.
- Correct answer is worth 1 mark.
- Correct answer is worth 1 mark.
- Clear and accurate explanation: 2 marks. Some aspects unclear: 1 mark. Many aspects unclear or incorrect. 0 marks.
- Clear and accurate explanation: 3 marks. Some aspects unclear: 2 marks. Many aspects unclear or incorrect. 0 marks.
- Clear and accurate explanation: 1 mark. Some aspects unclear: 0.5 mark. Many aspects unclear or incorrect. 0 marks.
Question 3. Cryptographic Operations with OpenSSL [8 marks]
Objective: understand and apply different cryptographic primitives, use common encryption software (OpenSSL), and demonstrate secure procedures for key management.
Your task is to use OpenSSL to perform a set of cryptographic operations. When performing cryptographic operations you must be very careful, as a small mistake (such as a typo) may mean the result is an insecure system. Read the instructions carefully, understand the examples, and where possible, test your approach (e.g. if you encrypt a file, test it by decrypting it and comparing the original to the decrypted).
Perform the following steps:
- Generate your own RSA 2048-bit key pair. Use the public exponent of 65537. Save your key pair as pem.
- Extract your public key and save it as pem.
- Create a Bash shell script that contains all OpenSSL commands you used on the terminal in the previous steps, as well as the following steps, and save them in a text file called bash. You should copy-and-paste the actual commands you used from the terminal as they may be used to test your submission. As this script contains commands from steps (a), (b), (d), (e), (f) and (g), you should run those commands first and then put them in your script file, then do them again using the final script.
- Sign your Bash shell script using SHA256, saving the signature as bin.
- Generate a 128 bit random value using OpenSSL. This value will be used as a secret key. Store the key as a 32 hex digit string in a file txt.
- Encrypt your Bash shell script using AES-128-CBC and the key generated in step (e).
Use and IV of all 0’s (that is, 16 0’s). Save the ciphertext as ciphertext.bin.
- Encrypt your txt file using RSA so that only the Unit Coordinator can view the contents. Save the encrypted key as secretkey.bin.
Multiple files are output from the above steps. You must submit the following on Moodle:
- txt ciphertext.bin
The file names must be exactly as listed above. Use lowercase for all files and double-check the extensions (be careful that Windows doesn’t change the extension).
Examples of the OpenSSL operations needed to complete this task, as well as a Bash script, are on Moodle.
Once files are submitted, they will be decrypted/verified using the reverse operations of what you were expected to do.
- If your files successfully decrypt/verify, and the commands (bash) submitted are correct, then you will receive 8 marks.
- If your files successfully decrypt/verify, but the commands contain errors, then you will receive between 5 and 7 marks, depending on the severity of the errors (e.g. small typo vs wrong command).
- If your files do NOT successfully decrypt/verify, then your commands will be reviewed to determine what mistakes you made. You will receive between 0 and 6 marks, depending on the severity of the errors.
- Up to 5 marks may be deducted for incorrect submissions (e.g. not all files submitted, additional files submitted, wrong files submitted, wrong filenames).
Question 4. Network Attack Research [8 marks]
Objective: research real network attacks and gain an understanding of the techniques used in the attacks and countermeasures
Distributed Denial of Service (DDoS) attacks can cause significant damage to organisations. Your tasks is to study how DDoS attacks work, who performs them and what are the mitigation techniques. You must write a short report on DDoS attacks that answer the following questions:
- What is a DoS attacks? DDoS? What are the differences between DoS and DDoS? Explain the difference between attacks that consume network resources vs consuming server resources (e.g. RAM, CPU). Use the examples of TCP SYN flooding and ICMP (Ping) flooding attacks in your explanation.
- Draw a network diagram that illustrates a typical (but simplified) DDoS attack involving: attacker, zombies or bots, (command and) control servers and target. Explain your diagram, including what is the role of zombies/bots and control servers.
- Describe an example of a recent DDoS attack, including who was targeted, what amount of resources were consumed (e.g. how many Gb/s), when was the attack, and the likely perpetrators.
- What are at least two methods for detecting, preventing and/or mitigating DDoS attacks?
You should structure your report into a section for each of the above parts.
There is no minimum/maximum length of the report. As a guide 1/4 to 1/2 pages of text for each of the above parts may be appropriate. Part (c) MUST be a diagram drawn by yourself (you cannot use a diagram from another source, including others students). Including pictures from other sources, or including pictures that do not help with the explanation will not gain marks and may lead to reduced marks.
You may assume the audience of the report has similar background on network security as you. You should refer to techniques and concepts covered in the unit, and give sufficient technical detail to demonstrate you understand DDoS attacks.
2 marks will be given for each of the five (5) topics/issues ((a) to (e)) if they are clearly and correctly explained. Partial or no marks will be given if the explanations are unclear, incorrect or irrelevant.