ITX8080 Archived

Allikas: Lambda

This is a historic version for archival purposes

General Information

Schedule

Lecture TH 12:00 - 13:30

Practice FR 14:00 - 17:30

Communication

Discussinons will be held at: itx8080 atatat googlegroups.com

Send e-mail to hannesa at-no-spam-please gmail.com for an invitation.

The lecturers can be reached via the course coordinator:

antti.andreimann only-people-please eesti.ee

Points awarded so far

Arnis : 3 points - ab testing solution, best countermeasure proposed for scenario 4, best snort rules proposed for scenario 6

Igor : 3 points - wordpress virtualization solution, lab 3 report, IDS testing solution

Kaarel : 2 points - lab 1 report and conclusions, lab 3 solution

Märt : 3 points - wordpress testing procedure, best wordpress optimization (wp-cache + php-apc), best lab 2 report.

Roland: 2 points - best Lab 4 report, IDS testing solution

Hannes: 1 point - best lab 6 report

Siim: 1 point - most popular scenario 7 solution

Urmas: 2 points - lab 5 report, the set of viruses used in lab 7

Martti: 1 point - best lab 7 report

Stefan: 1 points - best solutions developed during lab 8-1

Jeremy: 1 point - best solution developed during lab 8-2

Christopher: 1 point - best lab 8-1 report

Alexandra: 1 point - best lab 8-2 report.

Scenarios

Scenario 1

There is a Wordpress based blog.

The client is worried: How many visitors can they handle before they die.

Establish a baseline: How many page displays per second AT LEAST we can handle. Disruption of the site operation is NOT acceptable.

Minimal budget!

Be as detailed and technical as You possibly can.

Post to the discussion group the following information:

  1. Detailed description of the simulation of the site. eg. if You're going to virtualize it then how? If You are running it as a process, then how You separate it from the real machine?
  2. Detailed description of the attack / benchmark tools picked. Where You are going to run them? What tools? How many copies? How you are going to collect the results?!!!

Proposals

Benchmarking:

Simulation of the system:

  • VirtualBox - Roland, Jérémy
  • VMWare ESX - Igor
  • VMWare Player - Marina
  • Amazon EC2 - Märt
  • KVM - Siim
  • Original hardware - Hannes

Lab 1

We will need to create two different virtual machines, one is going to be the wordpress server and the 2nd one is the client which is used to attack the server. It's probably easiest to install only one image and then clone it.

Hard disk image cloning is best done with

Linux:

VBoxManage clonehd FirstUbuntu.vdi SecondUbuntu.vdi

Windows:

"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe" clonehd FirstUbuntu.vdi SecondUbuntu.vdi

After cloning the image create another virtual machine and attach the 2nd disk to that machine. As the result there will be two different virtual machines with two different virtual hard disks.

To be able to connect between the two virtual machines, You need to add an additional network adapter to both hosts. It can be either "Host Only" or "Internal" type.

To enable the new adapters in Ubuntu edit the file: /etc/network/interfaces

Scenario 2

Design a method for evaluating any speedup solutions for the wordpress. A repeatable process to evaluate the claims. Whatever optimizations. The process must be detailed enough so that somebody else can get the same results when applying that. The "other person" is expected to have IT knowledge sufficient to install and run a Linux desktop. The method must specify the level performance at which the site is considered DEAD. Budget requirements: Low - Dedicated machine + dedicated tester.

Lab 2

  • Get Virtual machine disk image and instructions from: http://www.tud.ttu.ee/~anttix/lab2/
    NB! DO NOT DOWNLOAD IMAGE FROM THE LINK NOTED IN INSTRUCTIONS PDF, IT WILL BE SLOW
  • Fix bug in image (see below)
  • Measure the effect of these wordpress plugins:
  • Devise Your own optimizations for the site
Bug in image: the ip address of the VM is saved in WP database as 192.168.56.3
It is advised tu run the Target VM first and run the "sudo dhclient" command first in Target VM.
Then check active IP of target by command "ifconfig".  If it is not 192.168.56.3, then situation can be fixed by running:

In Target VM: "sudo ifconfig eth2 192.168.56.3"
In Client VM: "sudo ifconfig eth2 192.168.56.4"

A note to Windows users

Use this command line to access VBoxManage program

"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe"

Wordpress Admin access

Username: admin
Password: QIaTemvskSeM


Note to Ubuntu users

VirtualBox with WiFi Does NOT work properly http://ubuntuforums.org/showthread.php?t=782936

Scenario 3

Your client is worried about some stuff posted on a blog. They ask You to take care of it. They have a throwaway "script kiddie" in a third world country, who will mount the attack so You don't need to worry about hiding the attackers identity.

Devise a way to attack a wordpress (default installation) based site to render it unusable (page view times over 60 seconds).

Attack resources: one PC, a script kiddie, internet connection of 2Mbit/s.

How are we going to evaluate the solutions?

  • Easy to use instructions
  • The most efficient use of available resources

Defacing will count, IF it works for the latest version of wordpress.

Lab 3

Possible attacks:

  • Brute force overload (AB or other benchmark), bang the slowest page possible.
  • Connection flood (slowloris)
  • SYN Flood (eg. with hping)
  • Banging expensive operations (eg. adding big comments)
  • etc.

Scenario 4

Develop countermeasures for the attacks simulated in Lab 3.

Limitations:

  • No additional hardware
  • No reactive measures

Lab 4

Evaluate the countermeasures against attacks. The countermeasures must not have negative effects on "normal usage pattern".

Normal usage pattern is defined as:

  • Bursts of 10 connections per IP address in 1 second
  • Page load times not over 20 seconds

Scenario 5

Create a solution and instructions for testing IDS systems against the wordpress site and attacks tried in lab 3.

A repeatable process to evaluate vendor claims. Whatever passive IDS system delivered as a VM or a dedicated box.

Creating the IDS system itself is out of scope.

The process must be detailed enough so that somebody else can get the same results when applying that. The "other person" is expected to have IT knowledge sufficient to install and run a Linux desktop.

Budget requirements: Modest - 2 Dedicated machines + dedicated tester + networking equipment to connect these together.

The process must test at least the following:

  • Port scan
  • SYN flood
  • slowloris/pyloris
  • Ab overwhelming attack

Lab 5

Instructions for installing Snort IDS and its web GUI called 'acidbase': https://help.ubuntu.com/community/SnortIDS

Scenario 6

Develop/download/find/whatever a SNORT configuration (rulesets, preprocessors, whatever) that performs better than the default configuration in lab 5 tests. By better we mean:

  • Less false positives
  • Less false negatives
  • The objectives are contradictory so the rule of thumb is one false negative per 10 false positives eg. solution with 10 false positives and 2 false negatives is better than the solution with 100 false positives and 1 false negatives, but the solution with 10 false positives and 1 false negative is better than the solution with 1 false positive and 2 false negatives.
  • Attack is defined by a single invocation of the test script.

Scenario 7

There is a new remote vulnerability in Windows. You became aware of a new virus that targets this vulnerability at 7 PM. The antivirus vendor has released an updated virus database, but it's probably not installed on all of the computers yet. Your company has 500 employees, with half of them running on laptops. You have to decide in 12 hours, if You need to collect all the employee's laptops in the morning.

Collecting the laptops has a high cost in lost employee productivity: There will be a queue of laptops waiting to be inspected. You can assume that all of the laptops can be inspected in half a day.

Limits: You can not mitigate the risk by changing the network configuration, You do not know how many laptops are still in the building. You can not take the servers offline.

Resources: 5 workers, some networking equipment, real servers (you can not disrupt those), "samples" of existing systems: a few spare workstations, a few spare laptops,

What do You know about the virus?

  • It disables antivirus software
  • It disables automatic software updates
  • It can be cleaned up only manually in about 1 manhour

You need to develop an action plan:

  • What You test in those scarce 12 hours?
  • How?
  • How do You weigh the results to make the decision?
  • The plan itself must be short and easy to understand so You can write it on a whiteboard.
  • Justifications for the specific actions go to a separate file/document.

Lab 7

Measure the time it takes for the virus to penetrate the machines. Note if virus scanner was able to catch the virus even if the underlying flaw in windows wasn't patched. Test if the SP3 version is immune to attacks originating from the network, even when virus scanner is not installed.

Scenario 8

Find a solution to simulate a network of 300 PC-s in a single corporate environment, accessing a software update service at once.

Determine the load on primary internet connection and the router. Assume that updates server will be able to keep up.

Tools to consider

Additional resources

Lab 8

OMNet++ (Free for academic use only)

Install OMNeT++
  1. Compile OMNet++ using these instructions: http://omnetpp.org/doc/omnetpp41/InstallGuide.pdf
  2. Run omnetpp IDE
  3. Choose Tutorials->Tic-toc tutorial from welcome page to open Tutorial documentation. Welcome page can be accessed from Help menu if You have accidentally closed it.
  4. Choose Go to workbench
  5. Click on tictoc in "Project Explorer" (on left hand pane)
  6. Choose Project->Open Project
  7. Choose Project->Build All
Install OMNeT++ INET framework
  1. Download https://github.com/downloads/inet-framework/inet/inet-20100723-src.tgz
  2. Create a directory named omnetpp-workspace and unpack inet-20100723-src.tgz in that directory.
  3. Switch Eclipse workspace to the newly-created directory: File -> Switch Workspace and select omnetpp-workspace.
  4. Follow instructions in omnetpp-workspace/inet/INSTALL file in the "If you are using the IDE" section

NS-3 (GPL Licensed)

Install all dependencies according to instructions here and here

NB! Do not clone or compile anything yet

Clone NS-3 repositories

hg clone http://code.nsnam.org/ns-3-allinone
cd ns-3-allinone
./download.py -n gjc/ns-3.9-pyviz

Build NS-3

./build.py

Read the introduction slides during the build :)

If You are unable to install the stuff, You may get an Ubuntu VM with all of the stuff preinstalled from

http://www.tud.ttu.ee/~anttix/lab8/ubuntu10.04-omnetpp_ns3.vdi

Run Example visualizations

cd ns-3.9-pyviz
./waf --pyrun examples/flowmon/wifi-olsr-flowmon.py
./waf --run "examples/wireless/wifi-wired-bridging --viz=1"
./waf --run "examples/wireless/wifi-ap --viz=1"

Get itx8080 samples from: http://www.tud.ttu.ee/~anttix/lab8/ns3-tty-v2.tar.gz

Run the samples

./waf --run "examples/tty/lecture1 --viz=1"
./waf --run "examples/tty/lecture2 --viz=1"
./waf --run examples/tty/lecture5

Look at the generated files: wantraffic*

Now create a new simulation that uses TCP networking instead of UDP. Refer to examples in examples/tcp.

Scenario 9

Simulate a DDoS attack against a network of web servers.

  • 2 types of attacks
    • SYN Flood
    • "AB" style attack

Assumptions:

  • 1000 "infected" hosts performing the attack
  • 10 web servers, located in 5 locations
  • The infected host only attacks one server
  • The target to attack is selected randomly
  • Assume that servers can keep up with the flood
  • Data transferred during each connection is about 500kb

Objectives:

  • Assess the bandwidth these attacks consume in each location

You can only implement a subset of constraints and assumptions. Do as much as You can, maybe others have done even less :D

Lab 9

Start by implementing proper network topology:

  • Create a CSMA(ring) network for each location (5 networks in total)
  • Set the speed to 100Mbit/s
  • Create 3 nodes for each location (2 servers, 1 router)
  • Connect nodes to their respective networks
  • Create another CSMA(ring) network to mimic the internet core
  • Create 6 nodes to act as core routers on that network
    • one for each simulated location
    • an "extra" router that all attackers will be connected to
  • Set the speed of the internet core to 10Gbit/s
  • Connect location routers to respective core routers via Point-to-Point links
  • Set the speed of those Point-to-Point links to 10Mbit/s
  • Create 20 attacker nodes (just to speed up testing and development, You can increase that number to 1000 later)
  • Connect all attacker nodes to the "extra" core router with point-to-point links
  • Set the speed of attacker links to 1Mbit/s