This week was about Network Security. We had 2 labs and some homework. Our speakers were Ram Venugopalan and Geoffrey Cooper.
Network Security is an incredibly important part of the defense against the dark arts. The internet is becoming a more and more important and populated place every day; millions of users connect to it daily, uploading and downloading. We need this form of security to keep our data safe from external sources (that don’t need to see it) and to keep the baddies away from us. There are tons of network-based threats out there.
- Viruses and worms are most often downloaded onto computers via the internet. They are programs containing harmful code that tries to damage your system and steal your data.
- Trojan horses are very common pieces of malware that pretend to do one thing but actually just want access to your stuff. I very often see fake virus scanners that are actually viruses themselves.
- Botnets are infected computers that act without their owner’s consent to do bad things on the internet. They are also called “zombie” computers.
We learned about a few ways that network traffic can be exploited or messed with. The one subject that stood out to me the most was the Denial of Service attack (DoS). This is when a user’s network becomes unstable and the user’s access is interrupted. The most popular version of this is the Distributed Denial of Service attack (DDoS), where a bunch of computers/systems flood one network with packets/traffic until the network lags or goes down entirely under the load. I knew about this before this class because I know a lot of video game servers become targets of DDoS attacks, since they’re pretty simple to do while being hard to defend against. Usually it’s done to crash a multiplayer game or for trolling/malicious reasons. Unintentional DDoS can happen when tons of people try to visit a webpage at once, which is what can happen when a popular thread takes off on Reddit and millions of Redditors try to view/access a webpage linked in the thread.
Ways of defending against this include firewall proxies, checking for spoofed source addresses, and traffic scrubbing centers, which stop illegitimate traffic from reaching the target network.
Geoffrey designed this lab as a way for us to get acquainted with sorting through network traffic and analyzing what we could learn without actually looking at packets. We were provided a virtual machine running some distro of Linux along with some Python and Perl scripts. Two CSV (comma-separated value) files were provided with tons of packet info like source and destination IP, ports, etc. One file was R.csv and the other was O.csv. Apparently, looking at patterns in the occurrences of each IP and port was supposed to give us a look into where these packets came from and what they were for. While I understand what he was trying to get at, this ended up being more of a Python learning experience than network security.
The most common ports for R were 139 for TCP and 137 for UDP. O had 25 for TCP and 5001 for UDP. The services file in the /etc/ directory specifies what each specific port number is used for. R’s TCP and UDP ports were most likely related to a network service, NETBIOS, which is used by computers to connect to the local area network (LAN). The O ports were probably from an SSH protocol and some sort of Yahoo Messenger vulnerability exploit.
The next section wants us to “investigate IP addresses”. R’s most used ipsrc was 10.5.63.230, which was counted 43,338 times, and 220.127.116.11, seen 42,981 times, was the most used ipdst. The network prefix seen most often is class A. In O, 18.104.22.168 was seen 169,643 times for the ipsrc, and 22.214.171.124, with a count of 118,662, for the ipdst. O’s dominant class is class C.
The next section wanted us to identify which IP addresses used the IP protocols Generic Routing Encapsulation (GRE), Internet Protocol Security (IPSEC) and Open Shortest Path First (OSPF). To do this, we have to sort through the output from the previous code and find the protocol number corresponding to each protocol, which are 47, 51 and 89 respectively. R had no occurrences, and O has a few: GRE has 2,626, IPSEC has 1,484, and OSPF has 24. This info confirms that the network is most likely some sort of casual home network due to the small number of IPs.
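The three steps above (top ports per transport protocol, top source/destination addresses with their classful prefix, and counts of the GRE/IPSEC/OSPF protocol numbers) can all be answered from the CSV columns alone. The Python below is an added example, not one of the lab’s scripts; it assumes column names ipsrc, ipdst, proto (IP protocol number), sport and dport, and runs on a small constructed sample in that shape.

```python
import csv
import io
from collections import Counter

# Constructed sample in the lab's CSV shape; the column names are an assumption.
SAMPLE_CSV = """ipsrc,ipdst,proto,sport,dport
10.5.63.230,10.5.63.255,17,137,137
10.5.63.230,10.5.63.12,6,49152,139
10.5.63.12,10.5.63.230,6,139,49152
10.5.63.230,10.5.63.12,6,49153,139
10.5.63.230,10.5.63.255,17,54321,137
192.0.2.7,10.5.63.230,47,,
192.0.2.7,10.5.63.230,47,,
192.0.2.7,10.5.63.230,51,,
10.5.63.1,224.0.0.5,89,,
"""

TCP, UDP = 6, 17
# IANA protocol numbers the lab asks about; 51 is the IPsec Authentication Header.
WATCHED = {47: "GRE", 51: "IPSEC", 89: "OSPF"}

def load_rows(text):
    """Parse the CSV text into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))

def top_port(rows, proto):
    """Most common destination port for one transport protocol: (port, count)."""
    c = Counter(r["dport"] for r in rows if int(r["proto"]) == proto and r["dport"])
    return c.most_common(1)[0] if c else None  # None when no record carries a port

def top_addresses(rows):
    """Most frequent ipsrc and ipdst, each as (address, count)."""
    src = Counter(r["ipsrc"] for r in rows).most_common(1)[0]
    dst = Counter(r["ipdst"] for r in rows).most_common(1)[0]
    return src, dst

def classful_prefix(ip):
    """Legacy class of an IPv4 address (A/B/C/other) from its first octet."""
    first = int(ip.split(".")[0])
    return "A" if first < 128 else "B" if first < 192 else "C" if first < 224 else "other"

def dominant_class(rows):
    """Which legacy class the source addresses fall into most often."""
    return Counter(classful_prefix(r["ipsrc"]) for r in rows).most_common(1)[0][0]

def protocol_counts(rows):
    """How many records used each watched IP protocol number (0 if none)."""
    c = Counter(int(r["proto"]) for r in rows)
    return {name: c.get(num, 0) for num, name in WATCHED.items()}
```

To run it over R.csv or O.csv, replace SAMPLE_CSV with the file contents (for example `load_rows(open("R.csv").read())`), keeping in mind the real files may use different column names.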
We used Wireshark, a network packet analyzer, to examine some packets between a man and a woman who were apparently exchanging sensitive info. We were tasked to find their meeting day and where it would take place.
Looking at their IRC chat, we can see that they wanted to meet Wednesday.
Our hint was to find a Truecrypt file and uncover its contents. A TCP conversation contained an 81,200-byte file. I renamed it with a .tc extension so we could run the Truecrypt program on it, but it had a password. Another message from the woman contained the password. It is shown below.
Opening the .tc file showed two files, an image and a .txt. I was totally surprised it actually worked.
Apparently they were planning to meet in Vegas. No specific location in Vegas was mentioned, but this was probably all we needed to find.
Homework: Robustness and Web Policies
We were asked to highlight the robustness principle in network software written 35 years ago: red for what we disagreed with and green for what still holds today.
We were asked to “create the policy for the zone diagram” shown below. It was pretty confusing since we didn’t go over it much in class, and I had to just google every possibility.