Information Assurance

Clay Shields

front | classes | research | personal | contact

Information Assurance

Because it is a public computer network, the internet carries raffic from everyone, all around the world. Most people never look, but if you do, you will find that machines all over the world are regularly examining computers attached to the network to determine if these machines have any obvious vulnerabilities that can be easily exploited.

For this project, we are going to take a look at what is going on in the network, and who is doing it.

Part 1 - Network Monitoring

For the first part of this project, you will install software on some computer that is connected to a public network. This software will monitor attempted connections to your system. If you have a computer and broadband access where you live, I strongly encourage you to perform this experiment there. Otherwise, talk to me and we can arrange for you to perform the experiment on a machine in one of the campus labs.

The software we will use will monitor attempted connections to your computer, and will create a log of those connections. There are a variety of products that are free and will work well. I suggest the following, though you are free to find others. In general, this software falls under the category of "Personal Firewalls" though if you are running Linux or some other Unix-like OS, there are a number of network security tools that will do the same thing. Of the tools below, I have only ever verified the first one in the list for each OS. Others are listed as suggestions to try out.

OS	Software Possibilities
Windows	Zone Alarm, Tiny Personal Firewall, Sygate Personal Firewall
Linux	IP Tables
Mac OS X	BrickHouse

If you have a router at home, it probably has a firewall built into it. Most will allow you to either log packets at the router, or to turn off the firewall temporarily to monitor probing. Note that if you turn off the firewall, you should make sure all machines behind it are patched first.

Goals

No matter which OS and software you use, our goal is the same. We want to monitor and record the IP addresses of machines that attempt to connect to your computer over at least a 24 hour period, though longer is better. You should configure whatever software you are using to record the IP addresses of machines that attempt to connect to your system and which ports they attempt to connect to. Details on how to do this will vary depending on what you are using.

Note: if you are not getting any probe traffic, for some reason, they you need to:

Try to determine why no probe traffic is arriving
If you can't get it working, you may use one of the following logfiles, just make sure you describe what you tried to do, what happened, why you are using one of these, and which one you are using.
- Logfile 1
- Logfile 2
- Logfile 3
- Logfile 4
- Logfile 5
- Logfile 6
- Logfile 7
- Logfile 8
- Logfile 9
- Logfile 10
- Logfile 11
- Logfile 12
- Logfile 13
- Logfile 14
- Logfile 15
- Logfile 16
- Logfile 17
- Logfile 18
- Logfile 19

Part 2 - Probe Source Location

Once you have collected information about connections to your system, you will analyze the information.

Stuff you gotta do

Examine the connection attempts that you received in your log file. Try and determine which represent attacks, and which connections are erroneous or harmless. A useful link about what to consider is here.

For the connections that might be harmful, consider:

At what average rate did probes arrive to your computer?
What were the top 2 or 3 ports that were probed on your computer?
Why do you expect that the person scanning chose to look at these ports - in other words, what were they expecting to be able to do if the ports were open?
Now choose at least 5 of the addresses that scanned your computer. For each address determine the following:

In what country is the computer with this address located?
Who would you contact if you wanted to complain about being probed?

Below are some links to tools that may help you determine the above information. I haven't used most of these tools myself, and am interested in your feedback as to what worked for you.

OS	Software Possibilities
Windows	VisualRoute, NetInfo, ipWhere, NetTrace, WhereIsIP
Linux	VisualRoute, traceroute, whois, dig nslookup
Mac OS X	VisualRoute, Network Utility

Bonus Possibilities:

For potential bonus points, consider doing some of the following:

Actually contact some of the appropriate people about the probes. Find out how many respond and what they do.
Examine the probe connections more closely. See if you can identify what software sent them, particularly for worms or viruses. You might want to capture the full packet using something like TCPDump or Ethereal.
If you are able to record connections over a longer period of time, do an analysis of what areas of the world seem most active in terms of attackers.

What to turn in:

Your submission is due before or in class on the due date.

Please submit the log you gathered or used in Part 1 by plain text e-mail attachment. Please print the analysis from Part 2 and bring it to class.