(and comments that could be posed as questions with little effort ..)
The Host: HTTP header is truncated in the trace file, what gives?
Yes, the packet traces are truncated to 96 bytes. You are going to have to be a bit more clever when trying to figure out the domain names of the HTTP queries (hint: you have all the DNS traffic ...).
The stub code won't compile.
The stub code only compiles on Linux. Be sure to use one of the campus Linux clusters.
If an attacker sends two packets to a non-existent host, is that one or two events?
It's one. You should only count events between a sending/receiving pair once. The same goes for ports on a host.
If an attacker sends a TCP or UDP packet to a single host, how many events is it?
It's one (you don't double count the port). So if a host sends two packets to IP:port, that is one event; a third packet to IP:port+1 makes two events; and one to IP2:port makes three events.
How can you implement guarantees on timeouts in the absence of packets?
The correct answer is to use timers (man setitimer) or threads (man pthread_create). Solutions that do this will profoundly impress the TAs (a good thing). However, it is not required, and a solution can get full points assuming packets arrive with enough frequency to guarantee accurate timeouts.
Can you print that a source is scanning multiple times?
Yes. You are only required to print the warning once, but printing it multiple times is OK.
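The event-counting rule from the two questions above (one event per distinct IP:port a source contacts, and a warning printed once per source) as an added example; this is not the stub code or the course's own solution, and the threshold of three events is an assumed knob:

```python
from collections import defaultdict

# Constructed sample: packets as (src_ip, dst_ip, dst_port) tuples that
# walk through the IP:port, IP:port+1, IP2:port scenario from the FAQ.
# The threshold of 3 events is an assumption, not a value from the FAQ.
SAMPLE_PACKETS = [
    ("10.0.0.99", "192.168.1.10", 80),   # first packet to IP:port
    ("10.0.0.99", "192.168.1.10", 80),   # repeat to the same IP:port: still 1 event
    ("10.0.0.99", "192.168.1.10", 81),   # IP:port+1: 2 events
    ("10.0.0.99", "192.168.1.11", 80),   # IP2:port: 3 events
    ("10.0.0.99", "192.168.1.11", 80),   # duplicate again: still 3
]

class EventCounter:
    """Tracks distinct (dst_ip, dst_port) events per source address."""

    def __init__(self, threshold=3):
        self.threshold = threshold
        self.events = defaultdict(set)   # src_ip -> set of (dst_ip, dst_port)
        self.warned = set()              # sources already reported

    def observe(self, src_ip, dst_ip, dst_port):
        """Record one packet. Returns True only the first time a source crosses
        the threshold, so the warning is printed once per source."""
        # A set deduplicates: more packets to the same IP:port add no events.
        self.events[src_ip].add((dst_ip, dst_port))
        if self.event_count(src_ip) >= self.threshold and src_ip not in self.warned:
            self.warned.add(src_ip)
            print(f"WARNING: {src_ip} is scanning ({self.event_count(src_ip)} events)")
            return True
        return False

    def event_count(self, src_ip):
        """Distinct IP:port pairs this source has contacted."""
        return len(self.events[src_ip])

    def hosts_probed(self, src_ip):
        """Distinct destination hosts, the quantity a host-scan check would watch."""
        return len({dst_ip for dst_ip, _ in self.events[src_ip]})

def run_sample(packets=SAMPLE_PACKETS, threshold=3):
    """Feed the packets through a counter; returns (counter, warnings_raised)."""
    counter = EventCounter(threshold)
    warnings = sum(counter.observe(*pkt) for pkt in packets)
    return counter, warnings

if __name__ == "__main__":
    c, n = run_sample()
    print(c.event_count("10.0.0.99"), c.hosts_probed("10.0.0.99"), n)
```

The same set-of-tuples state also gives a host-scan count for free (distinct destination IPs per source), which is the extension the README write-up asks about.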
How do I know when my scan detection is sufficient?
Your router should be able to reasonably handle the following:
- correctly parse and interpret all packet types listed on the web page
- detect port scans
- avoid false positives from a normal TCP stream
- catch a simple host scan (e.g. using the port trick mentioned above)
The topology only defines one server in our network. Do we have to design our IDS for only this network?
The topologies provided to you are simple for ease of understanding. You should in no way hardcode any IP address or Ethernet address. Moreover, you should design and implement a system that handles multiple sources from the Internet connecting to multiple servers inside your network, as we will be testing on such a topology.
While a timeout is a negative response for other packets, it is a positive response for a UDP packet. What gives?
UDP is a stateless protocol and does not have an ACKing mechanism or explicit replies. Hence, we consider a timeout as a positive response. In particular, for our assignment the only UDP requests we are considering are those from traceroute.
What to include in the README?
Your README should include a description of your implementation of the port scan detection mechanism. In addition, you need to include a write-up on how you would extend the above solution to include:
1. Host scans
2. SYN floods
This write-up should cover the data structures that need to be updated/added, the states that need to be maintained, and the algorithm you would use to flag traffic as one of the above.
You're good to go. Wrap it up, submit, profit ..