Project #3: Part 2, Scan Detection

The trace files needed for this project are available here.

Overview 

In this part of the assignment, you will play the part of a network defender. You will write code that detects 'scanning', given a trace file representing traffic traversing the network.

The trace file given to you has been generated using Wireshark, as in Part 1 of the project. Wireshark's native network trace file format is the libpcap format supported by libpcap and WinPcap. Your code will use the Packet Capture library to read the pcap packets from the trace file and detect scanning. For each incoming source, your code will maintain the ratio of the number of connection requests to the number of positive responses. If this value is over some threshold for a given source, you will assume the source is scanning and print a warning.

Project Details:

For this assignment you will make use of routines provided as part of the Packet Capture Library. Start by looking at the pcap man page. You should be familiar with the TCP/IP stack and network packet structures so that you can decode the pcap packets you read and parse them to extract the source IP addresses, destination IP addresses and similar interesting fields of TCP packets.

Getting Started

The pcap packet, as it comes in, is essentially a big blob of bits. The first thing you might want to do is cast it into a usable structure. You can do this by casting the appropriate parts to structs representing the IP and TCP headers, as demonstrated below:
 
#include <netinet/ip.h>   /* struct ip: ip_hl, ip_p, ip_src, ip_dst */
#include <netinet/tcp.h>  /* struct tcphdr: th_sport, th_dport, th_flags */
struct ip* ip_hdr = (struct ip*) packet;   /* packet must point at the IP header, i.e. after the link-layer header */
struct tcphdr* tcp_hdr = (struct tcphdr*) (packet + ip_hdr->ip_hl * 4);   /* ip_hl is the IP header length in 32-bit words */
The struct pointers can then be used to read specific interesting fields of the packet. Your job is to read these packets and perform scan detection. You will report warnings of suspicious scans along with the IP addresses of the sources performing the scanning and the IP addresses of the targets.

Assignment Details

Your code is required to keep track of the following network events:

Connection requests:
Positive Responses:

For each sending source, keep track of the number of connection requests vs. positive responses. If this ratio exceeds 3 to 1, your code must issue a warning.
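As an added example (not part of the assignment handout or any solution code), the detector below implements the 3:1 rule in C using the header casts shown above. It assumes the link-layer header has already been stripped, that a SYN without ACK is a connection request and a SYN-ACK is the positive response credited to the original requester, that a zero response count is treated as 1 when comparing against the threshold, and that make_tcp_packet builds constructed test packets rather than reading a capture.

```c
#define _DEFAULT_SOURCE 1   /* expose the BSD-style struct ip / struct tcphdr field names on glibc */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#define MAX_SRC 64
#define RATIO_THRESHOLD 3   /* warn once requests exceed 3x positive responses (the 3:1 rule) */
struct src_stats { uint32_t addr; unsigned requests, responses; int warned; };
static struct src_stats table[MAX_SRC]; static int n_src;

/* Find or create the per-source record; addr is in network byte order. */
static struct src_stats *lookup(uint32_t addr) {
    for (int i = 0; i < n_src; i++) if (table[i].addr == addr) return &table[i];
    if (n_src == MAX_SRC) return NULL;   /* table full: drop rather than overflow */
    table[n_src] = (struct src_stats){ addr, 0, 0, 0 };
    return &table[n_src++];
}

/* Process one IPv4 packet (link-layer header already stripped). A SYN without ACK is a connection request
 * for its source; a SYN-ACK is a positive response credited to its destination. Returns 1 if a warning was printed. */
int process_packet(const uint8_t *packet, size_t len) {
    if (len < sizeof(struct ip)) return 0;
    const struct ip *ip_hdr = (const struct ip *)packet;
    size_t ip_len = ip_hdr->ip_hl * 4;   /* ip_hl counts 32-bit words */
    if (ip_hdr->ip_p != IPPROTO_TCP || len < ip_len + sizeof(struct tcphdr)) return 0;
    const struct tcphdr *tcp_hdr = (const struct tcphdr *)(packet + ip_len);
    uint8_t sa = tcp_hdr->th_flags & (TH_SYN | TH_ACK);
    if (sa == (TH_SYN | TH_ACK)) {       /* positive response: credit the original requester */
        struct src_stats *r = lookup(ip_hdr->ip_dst.s_addr); if (r) r->responses++; return 0;
    }
    if (sa != TH_SYN) return 0;          /* neither a request nor a response */
    struct src_stats *s = lookup(ip_hdr->ip_src.s_addr);
    if (!s) return 0; s->requests++;
    /* Assumption: zero responses count as 1, so more than RATIO_THRESHOLD unanswered SYNs are needed; warn once per source. */
    unsigned denom = s->responses ? s->responses : 1;
    if (s->warned || s->requests <= RATIO_THRESHOLD * denom) return 0;
    s->warned = 1;
    char src[INET_ADDRSTRLEN], dst[INET_ADDRSTRLEN];
    inet_ntop(AF_INET, &ip_hdr->ip_src, src, sizeof src);
    inet_ntop(AF_INET, &ip_hdr->ip_dst, dst, sizeof dst);
    printf("WARNING: scan from %s targeting %s (%u requests, %u responses)\n", src, dst, s->requests, s->responses);
    return 1;
}

/* Build a minimal 40-byte IPv4+TCP packet (no options) into buf: constructed test input, not a capture. */
void make_tcp_packet(uint8_t *buf, const char *src, const char *dst, uint8_t flags) {
    memset(buf, 0, 40);
    buf[0] = 0x45; buf[9] = IPPROTO_TCP;  /* IPv4, IHL = 5 words, protocol TCP */
    inet_pton(AF_INET, src, buf + 12); inet_pton(AF_INET, dst, buf + 16);
    buf[32] = 5 << 4; buf[33] = flags;    /* TCP data offset = 5 words; flags e.g. TH_SYN */
}
```

In a real run, process_packet would be called from the pcap_loop callback with the packet pointer advanced past the link-layer header.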

In addition, you need to include in your README a write-up on how you would extend the above solution to cover:

1. Host Scans 

2. SYN Floods.

Include the data structures that need to be updated or added, the states that need to be maintained, and the algorithm you use to flag traffic as one of the above.

Deliverables

You are expected to submit your scan detection code along with a file (README.2) that describes your implementation. Your code should only print out the warnings with the associated IP addresses and nothing else. Your write-up is expected to be brief, no more than a page, but should describe how you implemented caching of pending events before you added them to the ratio. Your code will also be tested against our own test trace files for grading.