Problem:
The purpose of this lab is to practice examining traffic using a protocol analyzer and recognize a SYN attack.
The SYN flood attack is one of the common Denial of Service (DoS) attacks in the Internet. In the SYN flood attack, an attacker sends a large number of SYN packets to the server, ignores SYN/ACK replies and never sends the expected ACK packet. Basically, the attacker overwhelms the server with many half-established connections and exhausts the server resources, and hence the attack is known as a DoS attack.
The tool you will be using is known as Wireshark, a well-known open source packet analyzer. The exercise will demonstrate that recognizing an attack requires sophisticated tools (such as Wireshark), hard work (what you are about to put in) and knowledge of the domain (TCP/IP network).
Assignment
You can perform this exercise either using Wireshark on your machine or a remote lab supplied by UMUC. I encourage that you carry out the exercise using the remote Lab. The instructions to use the remote UMUC machine is provided in the Accessing Remote Virtual Lab using VPN module under Course Content.
If you want to perform the exercise on your home computer, download wireshark from http://www.wireshark.org. Select all installation options. (Note: These files are about 20 MB and may take a long time to download on a slow link.) You may also download the documentation.
Wireshark can both capture packets and read trace files of packets that have already been captured. However, this is not a packet capturing exercise. This is a packet analysis exercise of packets that were previously captured.
1. Obtain trace files of the TCP handshake process.
- Get the files: "tcpshake.cap" (TCP: Handshake Process) and "tcp-syn-attack.cap" (TCP: TCP SYN Attack) from the LEO Lab 2 assignment folder. (If you are using the UMUC remote facility, the files are in the Lab2Folder on the desktop.) The .cap files are the ones you really need in this exercise. The .cap files are in the proprietary Sniffer format and can be read only with Wireshark.
- There are also two other files, ending in .prn in the LEO Lab 2 folder. The two .prn files are text files corresponding to the respective .cap files; you can read it with Notepad or Wordpad.
2. Read the tcpshake.cap trace file. This trace file captured three packets of a successful connection handshake. Become familiar with Wireshark's interface.
- Run Wireshark from the shortcut that is now on your desktop.
- Click File|Open to open tcpshake.cap and uncheck all the name resolution options at the bottom of the dialog box.
- Explore the trace in the three panes of the analyzer. These three panes are standard to most analyzers. They are the summary pane, the protocol tree pane, and the hex pane.
- Explore the preferences and configuration options in Wireshark.
3. Read the tcp-syn-attack.cap file and answer the following 10 questions (10 points each):
- Is this a two-way conversation?
- Are there any ACK's?
- How long is the data portion of each packet? Why?
- Why is the sequence number zero () in every packet?
- Why do the port numbers change in every packet?
- Look at the "Time" column in the summary pane. Explain the various options it supports?
- Click the "View" menu and select "Time Display Format". "Seconds since beginning of capture" is checked. Select "Seconds since Previous Captured Packet". How frequently are these packets being sent?
- Where in the protocol tree pane would you find the protocol "Type" field?
- Look in the flags section of the transport layer (Transmission Control Protocol" in the protocol tree section for one of the packets. What flags are set?
- How does a SYN attack deny service?