Information Assurance

Clay Shields


front | classes | research | personal | contact

Information Assurance

back to projects page


Because it is a public computer network, the internet carries raffic from everyone, all around the world. Most people never look, but if you do, you will find that machines all over the world are regularly examining computers attached to the network to determine if these machines have any obvious vulnerabilities that can be easily exploited.

For this project, we are going to take a look at what is going on in the network, and who is doing it.

Part 1 - Network Monitoring

For the first part of this project, you will install software on some computer that is connected to a public network. This software will monitor attempted connections to your system. If you have a computer and broadband access where you live, I strongly encourage you to perform this experiment there. Otherwise, talk to me and we can arrange for you to perform the experiment on a machine in one of the campus labs.

The software we will use will monitor attempted connections to your computer, and will create a log of those connections. There are a variety of products that are free and will work well. I suggest the following, though you are free to find others. In general, this software falls under the category of "Personal Firewalls" though if you are running Linux or some other Unix-like OS, there are a number of network security tools that will do the same thing. Of the tools below, I have only ever verified the first one in the list for each OS. Others are listed as suggestions to try out.

OS Software Possibilities
Windows Zone Alarm, Tiny Personal Firewall, Sygate Personal Firewall
Linux
IP Tables
Mac OS X
BrickHouse

If you have a router at home, it probably has a firewall built into it. Most will allow you to either log packets at the router, or to turn off the firewall temporarily to monitor probing. Note that if you turn off the firewall, you should make sure all machines behind it are patched first.

Goals
No matter which OS and software you use, our goal is the same. We want to monitor and record the IP addresses of machines that attempt to connect to your computer over at least a 24 hour period, though longer is better. You should configure whatever software you are using to record the IP addresses of machines that attempt to connect to your system and which ports they attempt to connect to. Details on how to do this will vary depending on what you are using.

Note: if you are not getting any probe traffic, for some reason, they you need to:

Part 2 - Probe Source Location


Once you have collected information about connections to your system, you will analyze the information.

Stuff you gotta do

Examine the connection attempts that you received in your log file. Try and determine which represent attacks, and which connections are erroneous or harmless.

For the connections that might be harmful, consider:

  • At what average rate did probes arrive to your computer?
  • What were the top 2 or 3 ports that were probed on your computer?
  • Why do you expect that the person scanning chose to look at these ports - in other words, what were they expecting to be able to do if the ports were open?
  • Now choose at least 5 of the addresses that scanned your computer. For each address determine the following:
  • In what country is the computer with this address located?
  • Who would you contact if you wanted to complain about being probed?
Below are some links to tools that may help you determine the above information. I haven't used most of these tools myself, and am interested in your feedback as to what worked for you.

OS
Software Possibilities
Windows
VisualRoute, WhereIsIP
Linux
VisualRoute, traceroute, whois, dig nslookup
Mac OS X
VisualRoute, Network Utility

Bonus Possibilities:

For potential bonus points, consider doing some of the following:

  • Actually contact some of the appropriate people about the probes. Find out how many respond and what they do.
  • Examine the probe connections more closely. See if you can identify what software sent them, particularly for worms or viruses. You might want to capture the full packet using something like TCPDump or Ethereal.
  • If you are able to record connections over a longer period of time, do an analysis of what areas of the world seem most active in terms of attackers.
What to turn in:

Your submission is due before or in class on the due date.  

Please submit the log you gathered or used in Part 1 by plain text e-mail attachment. Please print the analysis from Part 2 and bring it to class.