Network Intrusion Detection

Submission Deadline:

The goals of this exercise are to:

  1. Create a network intrusion detection system
  2. Gain first-hand insight into dealing with IDS evasion

NIDS Specification

Using any library of your choice, implement a network intrusion detection system that can process PCAP files. Your NIDS must be able to detect three attacks:

  1. ARP cache poisoning
  2. Oversize fragmented IPv4 packets
  3. TCP reset injection (graduates only)

Your NIDS should support:

  • IPv4 and TCP checksum verification
  • IPv4 fragment reassembly, including overlapping and out-of-bounds fragments respecting configured endpoint behavior

Your detector must take a single parameter representing the path to a configuration file. The configuration file must be in YAML, and have the following format:

pcap_path: "/data/dump.pcap"        # A path to a PCAP file
ipv4_fragment_reassembly: "first"   # Or "last", "linux"
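As an added illustration (not part of the assignment handout), the following sketch shows how the ipv4_fragment_reassembly policy from the configuration drives overlap resolution, and where the oversize check fits. Fragments are modelled as already-parsed (byte offset, more-fragments flag, payload) tuples rather than raw packets; the Reassembler class and its method names are my own, and the "linux" policy is deliberately not modelled.

```python
# Added example: IPv4 fragment reassembly with a configurable overlap policy
# and the oversize check. Only the "first" and "last" policies from the
# configuration are implemented; "linux" is left out on purpose.

IPV4_MAX_DATAGRAM = 65535  # the IPv4 total-length field is 16 bits


class Reassembler:
    """Reassembles one datagram (same src, dst, protocol and IP ID)."""

    def __init__(self, policy):
        if policy not in ("first", "last"):
            raise ValueError(f"unsupported reassembly policy {policy!r}")
        self.policy = policy
        self.data = {}    # absolute byte offset -> byte value
        self.end = None   # datagram length, known once the MF=0 fragment arrives

    def add(self, offset, more_fragments, payload):
        """Feed one fragment. `offset` is the header's 13-bit fragment offset
        field already multiplied by 8. Returns 'oversize', 'complete' or 'pending'."""
        frag_end = offset + len(payload)
        # Ping-of-Death style check: the offset field can address up to 65528,
        # so offset + payload can exceed what the length field may describe.
        if frag_end > IPV4_MAX_DATAGRAM:
            return "oversize"
        for i, byte in enumerate(payload):
            pos = offset + i
            if pos in self.data and self.policy == "first":
                continue              # "first": the fragment seen first wins
            self.data[pos] = byte     # "last": the fragment seen last wins
        if not more_fragments:
            self.end = frag_end
        if self.end is not None and all(p in self.data for p in range(self.end)):
            return "complete"
        return "pending"

    def payload(self):
        """Reassembled payload; only valid after add() returned 'complete'."""
        return bytes(self.data[p] for p in range(self.end))


def reassemble(policy, fragments):
    """Run a list of (offset, more_fragments, payload) through one Reassembler.
    Returns ('oversize', None) on the first oversize fragment, else (status, payload)."""
    r = Reassembler(policy)
    status = "pending"
    for offset, mf, payload in fragments:
        status = r.add(offset, mf, payload)
        if status == "oversize":
            return status, None
    return status, (r.payload() if status == "complete" else None)
```

Because the two policies yield different payloads for the same overlapping fragments, an evasion that targets the wrong assumed endpoint behaviour is exactly what the configuration option lets the detector account for.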

Detections must be printed to stdout. The format of a single detection is as follows:

---
timestamp: 1600890293               # UNIX timestamp
source:
  mac_address: "00:11:22:33:44:55"  # Source MAC address
  ipv4_address: "10.0.0.1"          # Source IPv4 address, or null if none
  tcp_port: 34567                   # Source TCP port, or null if none
target:
  mac_address: "66:77:88:99:aa:bb"  # Target MAC address
  ipv4_address: "10.0.0.2"          # Target IPv4 address, or null if none
  tcp_port: 1234                    # Target TCP port, or null if none
attack: "arp_cache_poisoning"       # Or, "oversize_ipv4_fragments", "tcp_reset_injection"

Ensure that no other data is written to stdout aside from a stream of detection messages, since writing other data will break YAML parsing. If you need to output debugging messages, send those to stderr.

You can use the container image gcr.io/netsec-2020-fall/assignments/01-nids-verifier to check that your detection output is well-formatted. For instance, given detections in /tmp/detections.yaml:

$ podman run -it --rm -v /tmp:/data gcr.io/netsec-2020-fall/assignments/01-nids-verifier /data/detections.yaml

To test your detector against these attacks, you can use the PCAPs provided in previous labs.

Submission Instructions

Package your solution as a gzipped TAR archive. Your solution should have the following basic structure:

$ tree -F 01-nids
01-nids
├── Containerfile
└── src/

In particular, the root directory must be named 01-nids, and the source code to your solution should be contained in src/. Your Containerfile should produce an image that runs your solution with a provided configuration file. For instance, given a configuration at config.yaml in the current working directory:

$ podman run -it -v $(pwd):/data ${image_name} /data/config.yaml

must execute your detector configured using /data/config.yaml.

Submit the solution archive to Canvas.