Submit two (2) files on Moodle only:
1. The report, based on the answer template, called [StudentID]-report.docx.
2. A ZIP file, called [StudentID]-files.zip, containing all other files. Do not include your report in this ZIP file, and do not include any directories. Only include those files named in the questions. Do not use rar, 7z, tgz or other formats – only ZIP.
The list of files to be included in the ZIP is:
Question 1: [StudentID]-udp.pcap
Question 1: [StudentID]-tcp.pcap
Question 2: [StudentID]-summary1.txt
Question 2: [StudentID]-summary2.txt
Question 2: [StudentID]-summary3.txt
Question 2: [StudentID]-summary4.txt
Question 2: [StudentID]-summary5.txt
Question 2: [StudentID]-summary1.sgn
Question 2: [StudentID]-summary2.sgn
Question 2: [StudentID]-summary3.sgn
Question 2: [StudentID]-summary4.sgn
Question 2: [StudentID]-summary5.sgn
Replace [StudentID] with your actual student ID.
COIT20262 - Advanced Network Security, Term 1, 2019
Assignment 1 Questions
Assessment 1
Due date: 5pm Friday 26 April 2019 (Week 6)
Weighting: 40%
Attempt all questions. This is an individual assignment, and it is expected students answer the questions themselves. Discussion of approaches to solving questions is allowed (and encouraged), however each student should develop and write-up their own answers. See CQUniversity resources on Referencing and Plagiarism. Guidelines for this assignment include:
• Do not exchange files (reports, captures, diagrams) with other students.
• Complete tasks with virtnet yourself – do not use results from another student.
• Draw your own diagrams. Do not use diagrams from other sources (Internet, textbooks) or from other students.
• Write your own explanations. In some cases, students may arrive at the same numerical answer, however their explanation of the answer should always be their own.
• Do not copy text from websites or textbooks. During research you should read and understand what others have written, and then write in your own words.
• Perform the tasks using the correct values listed in the question and using the correct file names.
File Names and Parameters
Where you see [StudentID] in the text, replace it with your actual student ID. If your student ID contains a letter (e.g. “s1234567”), make sure the letter is in lowercase.
Where you see [FirstName] in the text, replace it with your actual first name. If you do not have a first name, then use your last name. Do NOT include any spaces or other non-alphabetical characters (e.g. "-").
A separate spreadsheet lists the detailed marking criteria.
Question 1. Packet Capture and Analysis
For this question you must use virtnet (as used in the tutorials) to perform an interception attack. This assumes you have already set up and are familiar with virtnet. See Moodle and tutorial instructions for information on setting up and using virtnet. The tasks and sub-questions are grouped into multiple phases. You must complete all phases, in order.
Phase 1: Setup
1. Create topology 5 in virtnet. node1 will be referred to as the client, node2 the router, and node3 the server.
2. The attacker has access to the router, and will run tcpdump to capture packets.
3. Users on the client and server will use applications to communicate. For this task, netcat will be used to generate the application traffic.
4. Server port numbers must be assigned based on the last three (3) digits of your student ID, xyz, as defined below. Examples are given for a student ID of 12345678.
• For netcat TCP server use port 8xyz. Example port: 8678
• For netcat UDP server use port 9xyz. Example port: 9678
Phase 2: Intercept UDP Application Traffic
The attacker should capture traffic on the router (node1) for the following UDP application traffic.
1. Start the netcat UDP server using the assigned port on the server (node3)
2. Start the netcat UDP client on the client (node1)
3. On the client, type the following (remember to use your actual student ID), pressing ENTER after each line:
COIT20262 UDP
My ID is [studentID]
The attacker should then stop the capture, and save the file as: [StudentID]-udp.pcap
Phase 3: Intercept TCP Application Traffic
The attacker should capture traffic on the router (node1) for the following TCP application traffic.
1. Start the netcat TCP server using the assigned port on the server (node3)
2. Start the netcat TCP client on the client (node1)
3. On the client, type the following (use your actual first name), pressing ENTER after each line:
COIT20262 TCP
My first name is [FirstName]
The attacker should then stop the capture, and save the file as: [StudentID]-tcp.pcap
Phase 4: Analysis
Answer the following sub-questions regarding the previous phases.
(a) Add [StudentID]-udp.pcap to [StudentID]-files.zip.
(b) Add [StudentID]-tcp.pcap to [StudentID]-files.zip.
(c) Draw a message sequence diagram that illustrates all the TCP packets generated by using netcat in phase 3. Do not draw any packets generated by other applications or protocols, such as ARP, DNS or SSH, and do not draw the UDP packets. Only draw TCP packets. A message sequence diagram uses vertical lines to represent events that happen at a computer over time (time is increasing as the line goes down). Addresses of the computers/software are given at the top of the vertical lines. Horizontal or sloped arrows are used to show messages (packets) being sent between computers. Each arrow should be labelled with the protocol, packet type and important information of the message. Examples of message sequence diagrams are given in tutorials. Note that you do not need to show the packet times, and the diagram does not have to be to scale. You must draw your own diagram; you cannot use the diagram generated by Wireshark.
(d) As the attacker you can learn information from intercepting the packets. Based on the packet capture files only, answer the following questions.
i. The user pressed ENTER twice when using the TCP client application. What was the time between pressing the ENTER key? Give your answer in seconds, but to the nearest millisecond. That is, three decimal points, e.g. 5.123 seconds.
ii. For the question above (the time between pressing ENTER) what packet(s) did you use to find the answer? Give the packet number as listed by tcpdump or Wireshark.
iii. What was the IP address and port number that the UDP client used?
iv. What was the MAC address that the UDP server used?
v. An attacker can sometimes learn useful information from knowing when a TCP connection occurs, relative to other TCP connections. TCP senders optionally include timestamps in all packets. For the first TCP packet sent by the client in the connection, what is the hexadecimal value of the timestamp?
vi. Attackers often create fake IP packets, e.g. with fake source addresses. To do so, the checksum must be calculated. What is the hexadecimal value of the IP checksum in the UDP data packet containing COIT20262 UDP?
(e) Assume you can modify the source code of netcat, creating a new program netcat2. What mechanisms or features would you implement so that the attacker on node2 could not determine the messages being sent between node1 and node2? E.g. the attacker would not know that the first messages contained “COIT20262 UDP”. Refer to specific algorithms you would implement.
In the previous questions the attacker on node2 was passive. Now assume that the attacker can perform active attacks.
(f) If the attacker performs a modification attack on the UDP exchange, changing the unit code from COIT20262 to COIT20263, then will the server (node3) know that an attack may have occurred? Explain why or why not. Also explain a technique that could be used so that the server (node3) is certain the message was not modified.
(g) If the attacker performs a replay attack on the TCP exchange, replaying the messages without any modification, then will the server (node3) know that an attack may have occurred? Explain why or why not.
Question 2. Cryptography
For this question you must use openssl to perform a set of cryptographic operations. When performing cryptographic operations you must be very careful, as a small mistake (such as a typo) may mean the result is an insecure system. Read the instructions carefully, understand the examples, and where possible, test your approach (e.g. if you encrypt a file, test it by decrypting it and comparing the original to the decrypted). It is recommended you use virtnet to perform the operations.
The tasks and sub-questions are grouped into multiple phases. You must complete all phases.
Phase 1: Download
Normally in public key cryptography you generate your own public/private key pair. However in this assignment to simplify the tasks, the Unit Coordinator has generated a key pair for you. Your key pair will be available to you on Moodle to download, with filename:
In addition to your key pair, a number of files will be available to all students on Moodle to download. Each file starting with [StudentID] must be downloaded by you. You may also need to download files with other students' IDs (see the next phase).
The download URL will be published on Moodle.
Phase 2: Read the Messages
The files for download have been created by another student, denoted as the sender:
1. The sender created a message to you, [StudentID]-message[N].txt, where [N] is an integer, e.g. 1, 2, 3, …
2. The sender signed the message to produce [StudentID]-message[N].sgn.
3. The sender wrote their student ID into a text file [StudentID]-sender[N].txt.
4. The sender signed the sender file to produce [StudentID]-sender[N].sgn.
5. The sender used openssl to generate a random 256-bit secret key, in Hex, and saved it in [StudentID]-key[N].txt.
6. The sender generated a random Initialisation Value (IV), in Hex, and saved it in [StudentID]-iv[N].txt.
7. The sender encrypted the message using symmetric key encryption, the random secret key, and the random IV, producing [StudentID]-message[N].enc.
8. The sender encrypted the random secret key file using public key encryption, producing [StudentID]-key[N].enc.
9. The sender encrypted the IV file using public key encryption, producing [StudentID]-iv[N].enc.
The sender then sends to you the necessary files from above.
Note that the files were actually created by the Unit Coordinator, but in this assignment you can assume they were created by a student. The “sending” of files to you is performed by the sender (Unit Coordinator) uploading them to Moodle, and you downloading them from Moodle.
Your task is, for every message, decrypt and verify the files. Be careful: there may have been attacks on some messages!
The algorithms used in this question are:
• Public key: RSA, 2048 bit
• Symmetric key: AES-256-CBC
• Hash: SHA256
Phase 3: Report Your Results
After downloading, decrypting and verifying all messages, you need to create a summary of the results for each message. The summary must be in a text file called [StudentID]-summary[N].txt. The summary must contain exactly two lines, of the format:
where ResultType is one of the following strings:
• Success – means all files successfully decrypted and successfully verified.
• FailDecryptKey – means the decryption of secret key was unsuccessful.
• FailDecryptMessage – means the decryption of message was unsuccessful.
• FailVerifySender – means the verification of sender file was unsuccessful.
• FailVerifyMessage – means the verification of message was unsuccessful.
If ResultType is Success, then include the contents of the message on the next line. If ResultType is another value, then include “NoMessage” on the next line. Examples of possible summary files are:
Example 1:
Example 3: FailVerifySender
You must sign each summary file, producing [StudentID]-summary[N].sgn.
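The receive-side pipeline for Phase 2 and Phase 3 as a POSIX shell script, added here as an illustration and not part of the assignment or its marking scheme. It assumes the receiver's key pair is [StudentID].pem (the real key-pair filename is published on Moodle), the sender's public key is sender-pub.pem, and a locally constructed sample message in place of the Moodle downloads.

```shell
# Added example, not from the assignment. Assumes our key pair is $me.pem (the real
# filename is on Moodle), the sender's public key is sender-pub.pem, and the Phase 2
# file names with $me = student ID. Checks run in the order of the ResultType list.
set -u
# Decrypt and verify message $2 for student ID $1, then write and sign the summary.
process_message() {
  me=$1; n=$2; result=Success
  # 1. Recover the AES key and IV with our RSA private key. An IV failure is also
  #    reported as FailDecryptKey (assumption: the spec has no IV-specific type).
  #    Caveat: OpenSSL 3.2+ implicit rejection returns random bytes for a bad RSA
  #    ciphertext instead of failing, so it may surface as FailDecryptMessage.
  if ! openssl pkeyutl -decrypt -inkey "$me.pem" -in "$me-key$n.enc" -out "$me-key$n.txt" 2>/dev/null ||
     ! openssl pkeyutl -decrypt -inkey "$me.pem" -in "$me-iv$n.enc" -out "$me-iv$n.txt" 2>/dev/null; then
    result=FailDecryptKey
  # 2. AES-256-CBC with the recovered hex key and IV; a wrong key fails the padding check.
  elif ! openssl enc -d -aes-256-cbc -K "$(cat "$me-key$n.txt")" -iv "$(cat "$me-iv$n.txt")" \
         -in "$me-message$n.enc" -out "$me-message$n.txt" 2>/dev/null; then
    result=FailDecryptMessage
  # 3. Verify the sender file's SHA256/RSA signature before trusting who sent it.
  elif ! openssl dgst -sha256 -verify sender-pub.pem -signature "$me-sender$n.sgn" \
         "$me-sender$n.txt" >/dev/null 2>&1; then
    result=FailVerifySender
  # 4. Verify the signature over the decrypted plaintext (the sender signed the .txt).
  elif ! openssl dgst -sha256 -verify sender-pub.pem -signature "$me-message$n.sgn" \
         "$me-message$n.txt" >/dev/null 2>&1; then
    result=FailVerifyMessage
  fi
  # 5. Exactly two lines in the summary, then sign it with our own private key.
  if [ "$result" = Success ]; then body=$(cat "$me-message$n.txt"); else body=NoMessage; fi
  printf '%s\n%s\n' "$result" "$body" > "$me-summary$n.txt"
  openssl dgst -sha256 -sign "$me.pem" -out "$me-summary$n.sgn" "$me-summary$n.txt"
  echo "$result"
}
# Constructed sample: both key pairs and one message are produced locally (the
# sender's Phase 2 steps), then the plaintexts are removed as the receiver never gets them.
make_sample() {
  me=$1; n=$2
  for k in "$me" sender; do
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$k.pem" 2>/dev/null
    openssl rsa -in "$k.pem" -pubout -out "$k-pub.pem" 2>/dev/null
  done
  echo "COIT20262 sample message $n" > "$me-message$n.txt"; echo 87654321 > "$me-sender$n.txt"
  for f in message sender; do openssl dgst -sha256 -sign sender.pem -out "$me-$f$n.sgn" "$me-$f$n.txt"; done
  openssl rand -hex 32 > "$me-key$n.txt"; openssl rand -hex 16 > "$me-iv$n.txt"
  openssl enc -aes-256-cbc -K "$(cat "$me-key$n.txt")" -iv "$(cat "$me-iv$n.txt")" \
    -in "$me-message$n.txt" -out "$me-message$n.enc"
  for f in key iv; do openssl pkeyutl -encrypt -pubin -inkey "$me-pub.pem" -in "$me-$f$n.txt" -out "$me-$f$n.enc"; done
  rm "$me-message$n.txt" "$me-key$n.txt" "$me-iv$n.txt"
}
```

In an empty directory, run `make_sample 12345678 1` and then `process_message 12345678 1`; corrupting one of the .sgn or .enc files before the second call shows the corresponding failure ResultType.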
Phase 4: Analysis
(a) Add all summary text files, e.g. [StudentID]-summary1.txt, [StudentID]-summary2.txt, [StudentID]-summary3.txt, ... to [StudentID]-files.zip.
(b) Add all summary signature files, e.g. [StudentID]-summary1.sgn, [StudentID]-summary2.sgn, [StudentID]-summary3.sgn, … to [StudentID]-files.zip.
In this question the Unit Coordinator created your public/private key pair. For the following sub-questions, assume you create your own key pair on your own computer.
(c) Consider two methods in which you could inform all other students in this unit of your public key:
1. Include as a (email) signature at the bottom of all emails you send.
2. Post to a Moodle forum.
For both methods, discuss the security issues, including possible attacks. Your discussion should be at a level that demonstrates a good understanding of key distribution security issues and attacks.
(d) Propose a more secure public key distribution method that can use your local tutor to sign your public key and then distribute via the Moodle website (assuming tutors have the permission to add content to the Moodle website). Present the design of the scheme in detail, e.g. what are the steps, what cryptographic mechanisms should be used.
(e) Discuss the security of your proposed scheme above, including why it is more secure than the methods in (c), what attacks it prevents, and also what attacks may still be possible.
Question 3. Denial of Service Attack Research
Distributed Denial of Service (DDoS) attacks can cause significant damage to organisations. Your task is to study how DDoS attacks work, who performs them and what the mitigation techniques are. You must write a short report on DDoS attacks with the following sections.
While there are no mandatory lengths, the suggested lengths give you an idea of the amount of detail needed. However a satisfactory answer may be shorter or longer than the suggested lengths. References are not necessary (although the normal rules of academic integrity are expected).
(a) Overview of DDoS Attacks
A high-level explanation of what DoS attacks are, what DDoS attacks are (and how DoS and DDoS differ), and the difference between attacks targeting network resources vs server resources.
Assume the audience of this section is the general public (non-technical). Suggested length is approximately ½ page of text. Do not use pictures/figures in this part. If you use dot points/lists, then you must still include normal paragraphs introducing/summarising the lists.
(b) Entities in DDoS Attacks
Draw a diagram illustrating the entities involved in DDoS attacks, and list the entities, with an explanation of their role in DDoS attacks. One example entity is the “target”, which can be explained as “the network or server that is the target of the attack”. Other entities may include: zombies, command and control servers, attacker computer, reflectors.
This part only needs a diagram and the list of entities with explanation. No other text is necessary. The diagram should be clear and self-explanatory to people with technical knowledge (e.g. other students in this unit). You must draw your own diagram. You cannot use diagrams from the Internet, books or other students.
(c) Ping Flooding Attack
While no longer a practical DDoS attack, a Ping flooding attack demonstrates many features of DDoS attacks today. Provide a technical description of how a Ping flooding attack occurs. You must include a diagram illustrating an attack scenario (the diagram may be a modification of that used in the previous section), and provide a written explanation of the attack. You are expected to refer to the protocols used, steps of a successful attack, entities involved, and what resources are targeted.
(d) Mitigating Ping Flooding Attack
Discuss methods that can be used to reduce the impact of Ping flooding attacks.