Network Security Tasks
Introduction
This assignment includes three parts:
1. Network Packet Analysis (25 pts).
2. TCP Reset Attack (35 pts).
3. DNS Poisoning Attack (40 pts).
In these tasks, you are asked to conduct the corresponding attack in simulated network environments. As the virtual environment is built with Docker, you will need to install Docker on a Linux system. Please refer to https://docs.docker.com/engine/install/ for how to install Docker on Linux. If you are using a Mac with an ARM CPU, we recommend installing OrbStack to run the Docker containers.
Scripting Cheat Sheet
Because the attack script must be written in Python to manipulate network packets, here is a Python example of sniffing packets with Scapy.
Install Scapy Library:
Scapy will be used in the assignment for packet manipulation; you can install it via:
$ python3 -m pip install scapy
Packet Sniffing:
from scapy.all import *  # import everything from the Scapy library

target_src_ip = "1.2.3.4"
target_dst_ip = "5.6.7.8"

def send_rst(packet):
    # Callback invoked once for every captured packet; the packet handling goes here
    pass

# BPF filter: TCP segments between the two hosts ("host" matches either direction;
# use "src host" / "dst host" to restrict the direction)
sniff(iface="br-123456789",
      filter=f"tcp and host {target_src_ip} and host {target_dst_ip}",
      prn=send_rst)
Scapy’s `sniff` function captures packets on a given network interface with a custom filter. In the example above, three arguments are passed:
1. iface: The interface on which packets are captured. The interface names can be viewed via `ifconfig -a` in Linux.
2. filter: A BPF filter expression indicating which packets are captured. In this example, Scapy only captures TCP packets between the source ip address “1.2.3.4” and the destination ip address “5.6.7.8”.
3. prn: Callback function for each captured packet. This function is called once for every captured packet.
The complete documentation of Scapy’s `sniff` function is available at https://scapy.readthedocs.io/en/latest/usage.html.
SYN Flood Attack (25 pts)
Description
In this task, you are required to perform and defend against the SYN flood attack using the provided environment.
Environment Setup
1. Decompress the attachment and enter the folder that corresponds to your environment (Linux or Mac ARM).
2. Run `docker-compose up` in the command line.
3. Run `docker ps -a` in the command line to check the containers’ status (all three containers should be “up” at this step).
Then you can use `docker exec -it seed-attacker bash`, `docker exec -it victim-10.9.0.5 bash`, etc., to enter each container.
Questions
- (5 pts) In the attacker’s container, we provide a script (/volume/synflood.c) that can send the attack packets to the victim machine. Learn and use one tool to capture and analyze the attack packets, and provide screenshots.
- (15 pts) In one user container, demonstrate that while the victim machine is under attack from our original script, it can still accept a normal connection from the user machine using telnet, which means that the attack is unsuccessful. Explain why it is unsuccessful and find a way to launch a successful attack. Provide screenshots of each necessary step and demonstrate a successful attack.
- (5 pts) Restart all the containers, learn and explain one defense technique against this attack, apply it on the victim machine, and demonstrate with screenshots that the original attack is successfully prevented.
TCP Reset Attack (35 pts)
Description
Consider the following network graph:
The user and the server have established a stable TCP connection via Telnet. As an attacker in this LAN, you are asked to maliciously shut down the connection using a TCP reset attack.
Environment Setup
Please find the attachment “TCP-Reset-Attack.zip”. Before starting the attack, you should do the following first:
1. Decompress the zip file.
2. Change directory to where “docker-compose.yml” is located.
3. Run `docker-compose up` in the command line.
4. Run `docker ps -a` in the command line to check the containers’ status (all three containers should be “up” at this step).
a) Please ensure all three containers are successfully deployed before moving on.
5. Switch into the “user1-tcp-rst” container via `docker exec -it user1-tcp-rst bash` and start a TCP connection to the server via `telnet 10.7.0.2`.
a) You need to log in to telnet with username (user) and password (user).
6. If you log in successfully, you can execute any command in the telnet session.
Questions
Please answer the following questions in your report:
1. (5 pts) How does the TCP reset attack work?
2. (10 pts) After establishing a TCP connection via Telnet between the user and the server (step 5 in Environment Setup), execute `cat /home/user/flag` to get the file content. You need to provide a screenshot for this question.
3. (15 pts) Write a Python script to conduct the TCP reset attack and explain the workflow of the code. Your code should be able to:
a) Automatically sniff the packets in the LAN.
b) Automatically generate the attack payload and send it to tear down the TCP connection.
4. (5 pts) Suggest an effective approach to detect and prevent the TCP reset attack.
Tips:
- You should conduct the attack in the container `attacker-tcp-rst`.
- Your attack script should be written in Python.
- After all the containers are up, you can transfer files between your host and `attacker-tcp-rst` through the shared `volumes` directory, which is mounted at `/volumes` in `attacker-tcp-rst`.
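As an added example (not part of the assignment template or the cheat sheet above), here is the defender’s counterpart to question 4: a passive detector that consumes packets in the shape a `sniff` callback receives and flags RST segments whose sequence number is not the one RFC 5961 requires, or that are followed by further traffic from the supposed sender. The user address 10.7.0.3 and source port 40000 in the constructed trace are assumptions; the server 10.7.0.2 and port 23 come from the setup above.

```python
class RstDetector:
    """Passive RST check over plain packet dicts; from_scapy() adapts sniffed Scapy packets."""

    def __init__(self):
        self.next_seq = {}  # (src, sport, dst, dport) -> next SEQ that sender should use
        self.reset = set()  # directions that have already sent a RST
        self.alerts = []

    def check(self, p):
        """Return an alert string for a suspicious segment, or None if it looks normal."""
        key, flags, alert = (p["src"], p["sport"], p["dst"], p["dport"]), p["flags"], None
        if "R" in flags:
            exp = self.next_seq.get(key)
            if exp is None:
                alert = f"RST on a flow never seen before: {key}"
            elif p["seq"] != exp:  # RFC 5961: a valid RST carries SEQ == receiver's RCV.NXT
                alert = f"RST seq {p['seq']} != expected {exp} on {key}"
            self.reset.add(key)
        else:
            if key in self.reset and "S" not in flags:  # endpoint keeps talking after "its" RST
                alert = f"traffic after RST from {key}: that RST was probably forged"
            self.reset.discard(key)
            # SYN and FIN consume one sequence number each; data consumes its length
            self.next_seq[key] = (p["seq"] + len(p.get("payload", b""))
                                  + ("S" in flags) + ("F" in flags))
        if alert:
            self.alerts.append(alert)
        return alert

def from_scapy(detector, pkt):
    """Adapter for sniff(prn=lambda p: from_scapy(det, p)); Scapy is assumed installed."""
    from scapy.all import IP, TCP  # lazy import: the detector itself needs no Scapy
    if IP in pkt and TCP in pkt:
        t = pkt[TCP]
        return detector.check({"src": pkt[IP].src, "dst": pkt[IP].dst, "sport": t.sport,
                               "dport": t.dport, "seq": t.seq, "flags": str(t.flags),
                               "payload": bytes(t.payload)})

def demo_trace():
    """Constructed trace: Telnet from user 10.7.0.3 (assumed) to server 10.7.0.2."""
    C, S = ("10.7.0.3", 40000), ("10.7.0.2", 23)
    def seg(a, b, seq, flags, payload=b""):
        return {"src": a[0], "sport": a[1], "dst": b[0], "dport": b[1],
                "seq": seq, "flags": flags, "payload": payload}
    return [seg(C, S, 100, "S"), seg(S, C, 500, "SA"), seg(C, S, 101, "A"),
            seg(C, S, 101, "PA", b"ls\r\n"), seg(S, C, 501, "PA", b"flag\r\n"),
            seg(S, C, 300, "R"),          # forged: sequence number does not match
            seg(S, C, 507, "PA", b"$ "),  # the real server continues, so that RST was spoofed
            seg(C, S, 105, "R")]          # legitimate RST from the user: no alert
```

The sequence-number rule stops blind (off-path) resets; an on-path attacker that can see the connection can satisfy it, which is why the second rule and, above all, replacing Telnet with an authenticated, encrypted transport matter more in this LAN scenario.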
DNS Poisoning Attack (40 pts)
Description
In this task, you are an attacker who has already broken into a network that hosts a DNS server. You are required to conduct DNS poisoning against the DNS server to trick victims who query this server for domain addresses.
We provide a script template that currently monitors the network, sniffs all DNS packets, and prints their information.
You are required to complete the script to poison the DNS server and verify that, when a user queries the domain `www.example.com`, the DNS server responds with the address poisoned by the attacker (i.e., your script) instead of the correct address.
Environment Setup
Please find the attachment “DNS-Poisoning-Attack.zip”.
Decompress the zip file, change directory to where “docker-compose.yml” is located, and type `docker-compose up`. This starts several Docker containers that simulate the DNS server’s machine, the victim user’s machine, and the attacker’s machine. Typing Ctrl-C in the same terminal stops the running containers.
Useful commands:
- `dig`: query a domain address, as taught in class.
- Start a terminal in the user (victim)’s machine: `sudo docker exec -it victim-user bash`
- Start a terminal in the DNS server’s machine: `sudo docker exec -it local-dns-server bash`
  - The only allowed operation on the DNS server’s machine is `rndc flush`, which clears the DNS server’s cache.
- Start a terminal in the attacker’s machine: `sudo docker exec -it attacker bash`
  - Run the script: `python3 /volume/attack.py`
    - Running the provided script directly starts monitoring the network and sniffing DNS packets.
  - The script is placed in /volume in the attacker’s machine, which is also mapped to the volume/ folder outside the Docker containers. You can modify the script in volume/ to complete the attack and run it in the container.
Questions
- (10 pts) Start the original script in the attacker’s machine, clear the cache in the DNS server’s machine, and enter the user’s machine to query the domain `www.example.com` with `dig`. With no attack running, based on the script’s output and the `dig` output, observe and report the complete DNS query process step by step.
- (10 pts) Based on the query process above, report how to poison the DNS server by sending it forged network packets.
- (20 pts) Complete the script to send forged packets to the DNS server, explain the code you wrote in the script (i.e., you don’t have to modify the function `send_dns`; you should call it with proper arguments and explain them), and verify that the user is tricked into visiting a wrong address when querying `www.example.com`.
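As an added example that is not part of the assignment’s `attack.py` or its `send_dns` function, here is the resolver’s side of the query process you observe in the first question: the acceptance check a caching DNS server performs on every reply before it caches it, with a minimal DNS wire-format builder and parser so it runs offline. The server address 10.9.0.53, the answer addresses and the resolver’s source port are constructed values, not taken from the lab environment.

```python
import struct
def encode_name(name):
    """Encode "www.example.com" as DNS labels: length byte + label, terminated by 0."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def decode_name(msg, off):
    """Decode labels at msg[off:], following a compression pointer; return (name, next offset)."""
    labels = []
    while True:
        n = msg[off]; off += 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0 == 0xC0:  # pointer (RFC 1035 4.1.4): the rest of the name lives elsewhere
            ptr = ((n & 0x3F) << 8) | msg[off]
            return ".".join(labels + [decode_name(msg, ptr)[0]]), off + 1
        labels.append(msg[off:off + n].decode()); off += n

def build_message(txid, qname, qtype=1, answer_ip=None):
    """Build a query (answer_ip=None) or a response carrying one A record."""
    flags = 0x8180 if answer_ip else 0x0100  # response: QR+RD+RA; query: RD only
    msg = struct.pack("!HHHHHH", txid, flags, 1, 1 if answer_ip else 0, 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    if answer_ip:  # name = pointer to offset 12 (the question), class IN, TTL 300, 4-byte RDATA
        msg += b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 300, 4) + bytes(map(int, answer_ip.split(".")))
    return msg

def parse(msg):
    """Header fields plus the first question: everything the acceptance check needs."""
    txid, flags = struct.unpack("!HH", msg[:4])
    name, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"txid": txid, "response": bool(flags & 0x8000), "qname": name.lower(),
            "qtype": qtype, "qclass": qclass}

def accept_response(query, sent_to, response, received_from):
    """RFC 5452 rule a resolver applies before caching: the reply must be a response, carry the
    query's transaction ID and an identical question, and arrive over the same (server ip,
    server port, resolver source port) triple the query went out on."""
    q, r = parse(query), parse(response)
    return (r["response"] and q["txid"] == r["txid"] and sent_to == received_from
            and (q["qname"], q["qtype"], q["qclass"]) == (r["qname"], r["qtype"], r["qclass"]))

def demo():
    """Constructed exchange: server 10.9.0.53 (assumed), resolver source port 41234."""
    peer = ("10.9.0.53", 53, 41234)
    query = build_message(0x1A2B, "www.example.com")
    genuine = build_message(0x1A2B, "www.example.com", answer_ip="10.9.0.10")
    return (accept_response(query, peer, genuine, peer),
            accept_response(query, peer, build_message(0x1A2C, "www.example.com", answer_ip="10.9.0.99"), peer),  # different TXID
            accept_response(query, peer, build_message(0x1A2B, "www.example.org", answer_ip="10.9.0.99"), peer),  # different question
            accept_response(query, peer, genuine, ("10.9.0.53", 53, 41235)))  # different source port
```

Hardening a resolver means making these matches hard to satisfy for anyone not on the path (randomized transaction IDs and source ports) and, with DNSSEC validation, checking the answer’s signature rather than only these header fields.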