(and comments that could be posed as questions with little effort ..)

Part 1

  • The Host: HTTP header is truncated in the trace file. What gives? Yes, the packet traces are truncated: only the first 96 bytes of each packet were captured, so the Host: header of most HTTP requests is cut off. You are going to have to be a bit more clever to figure out the domain names of the HTTP requests (hint: you have all the DNS traffic, and each DNS answer tells you which name resolved to the IP address the HTTP connection then goes to ...)
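Recovering the hostnames behind truncated HTTP requests from the DNS traffic, as an added example (this is not part of the assignment or its stub code): parse the answer section of each DNS response, fold the A records into an address-to-name map, and label every HTTP flow by its server address. The DNS messages and HTTP flow records below are constructed for the example; the helper names (`dns_a_records`, `ip_to_names`, `label_http_flows`) are my own.

```python
import struct
from typing import Dict, List, Set, Tuple


def _read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a DNS name starting at msg[off], following RFC 1035 compression
    pointers. Returns (name, offset just past the name as it appears in place)."""
    labels: List[str] = []
    end = None                       # offset after the name in its original position
    hops = 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:    # 2-byte pointer to an earlier copy of the suffix
            if end is None:
                end = off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            hops += 1
            if hops > 16:            # defensive: a malformed message could loop forever
                raise ValueError("DNS name pointer loop")
            continue
        off += 1
        if length == 0:              # root label terminates the name
            return ".".join(labels), (end if end is not None else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def dns_a_records(msg: bytes) -> List[Tuple[str, str]]:
    """Return (owner name, IPv4 address) pairs from the answer section of a DNS
    response; queries and non-A records are ignored."""
    _ident, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!6H", msg, 0)
    if not flags & 0x8000:           # QR bit clear: this is a query, not a response
        return []
    off = 12
    for _ in range(qdcount):         # skip the question section
        _, off = _read_name(msg, off)
        off += 4                     # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            records.append((name, ".".join(str(b) for b in rdata)))
    return records


def ip_to_names(dns_payloads: List[bytes]) -> Dict[str, Set[str]]:
    """Fold every DNS response seen in the trace into an address -> names map."""
    mapping: Dict[str, Set[str]] = {}
    for payload in dns_payloads:
        for name, ip in dns_a_records(payload):
            mapping.setdefault(ip, set()).add(name)
    return mapping


def label_http_flows(flows, mapping):
    """Attach the DNS-derived hostname(s) to (client, server) HTTP flows."""
    return [(client, server, sorted(mapping.get(server, {"<unknown>"})))
            for client, server in flows]


# Constructed sample data, not taken from the course trace:
DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             b"\x03www\x07example\x03com\x00\x00\x01\x00\x01")
DNS_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x02\x00\x00\x00\x00"        # header: response, 1 question, 2 answers
    b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"           # question: www.example.com A IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\x5d\xb8\xd8\x22"  # A 93.184.216.34 (name is a pointer)
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\x5d\xb8\xd8\x23"  # A 93.184.216.35
)
HTTP_FLOWS = [("10.0.0.7", "93.184.216.34"), ("10.0.0.7", "198.51.100.9")]


if __name__ == "__main__":
    mapping = ip_to_names([DNS_QUERY, DNS_RESPONSE])
    for client, server, names in label_http_flows(HTTP_FLOWS, mapping):
        print(f"{client} -> {server}  {','.join(names)}")
```

The 96-byte snaplen is long enough to hold the header and first answer of a typical DNS reply, so the parser only needs the UDP payload offset of each DNS packet; a flow whose server address never appeared in an A record (the second one above) stays unlabelled rather than guessed.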

    Part 2

  • The stub code won't compile. The stub code only compiles on Linux; be sure to build and test it on one of the campus Linux clusters.

  • If an attacker sends two packets to a non-existent host, is that one or two events? It's one. Count each sending/receiving pair only once, no matter how many packets it carries. The same goes for ports on a host: repeated packets to the same port on the same host are still a single event.

  • If an attacker sends a TCP or UDP packet to a single host, how many events is it? It's one (you don't double count the port). So if a host sends two packets to IP:port, that is one event; a third packet to IP:port+1 makes two events; and one to IP2:port makes three events. In other words, an event is a distinct (source, destination IP, destination port) combination.

  • How can you implement guarantees on timeouts in the absence of packets? The correct answer is to use timers (man setitimer) or threads (man pthread_create), so that a pending probe expires even when no further packets arrive. Solutions that do this will profoundly impress the TAs (a good thing). It is not required, however: a solution that only checks for expired timeouts when the next packet arrives can still get full points, on the assumption that packets arrive frequently enough to keep the timeouts accurate.

  • Can you print that a source is scanning multiple times? Yes. You are only required to print the warning once per source, but printing it multiple times is OK.

  • How do I know when my scan detection is sufficient? If your router can reasonably handle the following:

  • The topology only defines one server in our network. Do we have to design our IDS for only this network? The topologies provided to you are kept simple for ease of understanding. You should in no way hardcode any IP address or Ethernet address. Design and implement a system that handles multiple sources from the Internet connecting to multiple servers inside your network, because we will be testing on such a topology.

  • While a timeout is a negative response for other packets, it is a positive response for a UDP packet. What gives? UDP is connectionless and has no ACK mechanism or explicit reply: a closed UDP port is signalled by an ICMP port unreachable message, while an open port typically answers nothing at all. Hence we treat a timeout (no ICMP error) as a positive response for UDP probes, whereas for TCP a timeout (no SYN-ACK and no RST) is a negative one. For this assignment the only UDP requests we consider are those from traceroute.

  • What to include in the README? Your README should include a description of your implementation of the port scan detection mechanism. In addition, include a write-up on how you would extend that solution to detect: 1. Host scans 2. SYN floods. Cover the data structures that need to be added or updated, the state that needs to be maintained, and the algorithm you would use to flag traffic as one of the above.
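The event-counting and timeout rules above (one event per sending/receiving pair and port, TCP RST or TCP timeout negative, ICMP port unreachable negative for UDP, UDP timeout positive) put together as an added example in Python; this is not the assignment's stub code, and the timeout, the per-source threshold, the `Packet` record layout and the trace are all assumptions constructed for the example. `sweep()` is what a setitimer or thread based design would also call periodically so that timeouts fire with no traffic.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Assumed parameters: the assignment text fixes neither the timeout nor the
# number of negative probes that constitutes a scan.
TIMEOUT = 2.0       # seconds before an unanswered probe is treated as timed out
THRESHOLD = 5       # distinct negative events from one source before we warn


@dataclass
class Packet:
    ts: float        # capture timestamp, seconds
    src: str
    dst: str
    proto: str       # "tcp", "udp" or "icmp"
    port: int        # the *probed* port: dst port of a probe, src port of a TCP
                     # reply, or the dst port quoted inside an ICMP port unreachable
    kind: str        # "syn", "synack", "rst", "udp" or "port_unreach"


# An event is one (scanner, target, proto, port) tuple, counted once however
# many packets it carries.
Key = Tuple[str, str, str, int]


class ScanDetector:
    def __init__(self, timeout: float = TIMEOUT, threshold: int = THRESHOLD):
        self.timeout = timeout
        self.threshold = threshold
        self.pending: Dict[Key, float] = {}     # probes awaiting a reply -> send time
        self.resolved: Dict[Key, str] = {}      # probe -> "positive" | "negative"
        self.negatives: Dict[str, int] = {}     # per-source count of negative events
        self.flagged: Set[str] = set()
        self.alerts: List[str] = []

    def _probe(self, key: Key, ts: float) -> None:
        if key in self.pending or key in self.resolved:
            return                              # repeat to the same host:port: still one event
        self.pending[key] = ts

    def _resolve(self, key: Key, verdict: str) -> None:
        if key not in self.pending:
            return                              # unsolicited or already-counted reply
        del self.pending[key]
        self.resolved[key] = verdict
        if verdict == "negative":
            src = key[0]
            self.negatives[src] = self.negatives.get(src, 0) + 1
            if self.negatives[src] >= self.threshold and src not in self.flagged:
                self.flagged.add(src)           # warn once per source
                self.alerts.append(f"port scan from {src}: {self.negatives[src]} negative probes")

    def sweep(self, now: float) -> None:
        """Expire pending probes. Called on every packet here; a timer-driven
        design would also call it periodically."""
        for key, sent in list(self.pending.items()):
            if now - sent >= self.timeout:
                # No reply: negative for TCP (no SYN-ACK, no RST) but positive for
                # UDP, where a closed port would have produced ICMP port unreachable.
                self._resolve(key, "positive" if key[2] == "udp" else "negative")

    def feed(self, p: Packet) -> None:
        self.sweep(p.ts)
        if p.proto == "tcp" and p.kind == "syn":
            self._probe((p.src, p.dst, "tcp", p.port), p.ts)
        elif p.proto == "tcp" and p.kind in ("synack", "rst"):
            # the reply travels target -> scanner, so the key is (dst, src, ...)
            self._resolve((p.dst, p.src, "tcp", p.port),
                          "positive" if p.kind == "synack" else "negative")
        elif p.proto == "udp" and p.kind == "udp":
            self._probe((p.src, p.dst, "udp", p.port), p.ts)
        elif p.proto == "icmp" and p.kind == "port_unreach":
            self._resolve((p.dst, p.src, "udp", p.port), "negative")


def run_trace(packets: List[Packet]) -> ScanDetector:
    det = ScanDetector()
    for p in sorted(packets, key=lambda pk: pk.ts):
        det.feed(p)
    return det


S, T, B = "10.0.0.99", "192.168.1.10", "10.0.0.5"   # scanner, target, benign client
# Constructed trace, not from the course capture.
SAMPLE_TRACE = [
    Packet(0.00, S, T, "tcp", 21, "syn"),    Packet(0.01, T, S, "tcp", 21, "rst"),
    Packet(0.10, S, T, "tcp", 22, "syn"),    Packet(0.11, T, S, "tcp", 22, "synack"),
    Packet(0.20, S, T, "tcp", 23, "syn"),    Packet(0.21, T, S, "tcp", 23, "rst"),
    Packet(0.30, S, T, "tcp", 25, "syn"),    Packet(0.31, T, S, "tcp", 25, "rst"),
    Packet(0.40, S, T, "tcp", 22, "syn"),                                # repeat: no new event
    Packet(0.50, S, T, "tcp", 8080, "syn"),                              # never answered
    Packet(0.60, S, T, "udp", 33434, "udp"), Packet(0.61, T, S, "icmp", 33434, "port_unreach"),
    Packet(0.70, S, T, "udp", 33435, "udp"),                             # never answered
    Packet(5.00, B, T, "tcp", 80, "syn"),    Packet(5.01, T, B, "tcp", 80, "synack"),
]

if __name__ == "__main__":
    for line in run_trace(SAMPLE_TRACE).alerts:
        print(line)
```

On this trace the scanner reaches five negative events (three RSTs, one ICMP port unreachable, and the SYN to 8080 that times out when the benign client's packet at t=5.0 triggers the sweep), so it is flagged exactly once; the unanswered UDP probe to 33435 is recorded as positive, and the benign client, whose single SYN got a SYN-ACK, is never flagged. Host-scan detection would key on distinct target hosts per source instead of distinct ports, which is the extension the README asks you to describe.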

    You're good to go. Wrap it up, submit, profit ..