IA Project 1

Project 4
Network Probe Monitoring
COSC 352 - Information Assurance
Spring 2003
Due April 3, 2003, by e-mail before class

Because it is a public computer network, the internet carries raffic from everyone, all around the world. Most people never look, but if you do, you will find that machines all over the world are regularly examining computers attached to the network to determine if these machines have any obvious vulnerabilities that can be easily exploited.

For this project, we are going to take a look at what is going on in the network, and who is doing it.

Part 1 - Network Monitoring

For the first part of this project, you will install software on some computer that is connected to a public network. This software will monitor attempted connections to your system. If you have a computer and broadband access where you live, I strongly encourage you to perform this experiment there. Otherwise, talk to me and we can arrange for you to perform the experiment on a machine in one of the campus labs.

The software we will use will monitor attempted connections to your computer, and will create a log of those connections. There are a variety of products that are free and will work well. I suggest the following, though you are free to find others. In general, this software falls under the category of "Personal Firewalls" though if you are running Linux or some other Unix-like OS, there are a number of network security tools that will do the same thing. Of the tools below, I have only ever verified the first one in the list for each OS. Others are listed as suggestions to try out.

OS	Software Possibilities
Windows	Zone Alarm, Tiny Personal Firewall, Sygate Personal Firewall
Linux	TCP Wrappers, IP Tables
Mac OS X	BrickHouse

Goals

No matter which OS and software you use, our goal is the same. We want to monitor and record the IP addresses of machines that attempt to connect to your computer over a 24 hour (or longer) period. you should configure whatever software you are using to record the IP addresses of machines that attempt to connect to your system. Details on how to do this will vary depending on what you are using.

Note: if you are not getting any probe traffic, for some reason, they you need to:

Determine why no probe traffic is arriving,
Contact the instructor for a log file to work with.

Part 2 - Probe Source Location

Once you have collected information about connections to your system, you will analyze the information. For your analysis, please answer the following questions:

At what average rate did probes arrive to your computer?
What were the top 2 or 3 ports that were probed on your computer?
Why do you expect that the person scanning chose to look at these ports - in other words, what were they expecting to be able to do if the ports were open?
Choose at least 5 of the addresses that scanned your computer. For each address determine the following:

In what country is the computer with this address located?
What organization is in charge of the computer doing the scanning?

Below are some links to tools that may help you determine the above information. I haven't used most of these tools myself, and am interested in your feedback as to what worked for you.

OS	Software Possibilities
Windows	VisualRoute, NetInfo, ipWhere, NetTrace, VisualLookout,WhereIsIP
Linux	VisualRoute, traceroute,whois, nslookup
Mac OS X	VisualRoute, Network Utility

What to turn in:

Your submission is due by e-mail before class on the due date.

Please submit the log you gathered in Part 1, and the analysis perfomed in Part 2. Attachments are fine, but please use plain text or PDF rather that some proprietary file format.

Project 4 Network Probe Monitoring COSC 352 - Information Assurance Spring 2003 Due April 3, 2003, by e-mail before class

Project 4
Network Probe Monitoring
COSC 352 - Information Assurance
Spring 2003
Due April 3, 2003, by e-mail before class