The document summarizes a student project that set out to demonstrate a weakness in authenticated Network Time Protocol (NTP). The students built a virtual network of two machines, one acting as NTP client and the other as NTP server, and captured the traffic between them with Wireshark. From a man-in-the-middle position they planned to brute-force the 32-bit authentication cookie and spoof the client into accepting the attacker as a legitimate NTP server, so that the attacker could feed the client false time and disrupt any system that depends on accurate time synchronization.
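The check the client is supposed to be doing is worth seeing concretely. The block below is an added example, not code from the student project: it builds an NTPv4 header, appends the symmetric-key MAC format from RFC 5905 (a 32-bit key ID followed by MD5 over the shared key concatenated with the 48-byte header), and verifies it the way a client would. The key ID, key value and timestamps are constructed for the example; real keys live in the daemon's key file.

```python
import hashlib
import hmac
import struct

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
HEADER_LEN = 48                # NTPv4 header without the MAC
KEY_ID_LEN, MD5_LEN = 4, 16


def ntp_timestamp(unix_seconds: float) -> bytes:
    """Encode a Unix time as a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return struct.pack("!II", (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF, frac & 0xFFFFFFFF)


def build_ntp_header(transmit_unix: float, mode: int = 4, stratum: int = 2) -> bytes:
    """48-byte NTPv4 header. mode 3 = client request, mode 4 = server reply.
    Root delay/dispersion and the reference ID are placeholder values."""
    li_vn_mode = (0 << 6) | (4 << 3) | mode      # leap indicator 0, version 4
    poll, precision = 6, -20
    return (struct.pack("!BBbb", li_vn_mode, stratum, poll, precision)
            + struct.pack("!II", 0, 0)            # root delay, root dispersion
            + b"GPS\x00"                          # reference ID (placeholder)
            + ntp_timestamp(transmit_unix - 1)    # reference timestamp
            + ntp_timestamp(0)                    # origin timestamp
            + ntp_timestamp(transmit_unix)        # receive timestamp
            + ntp_timestamp(transmit_unix))       # transmit timestamp (bytes 40-47)


def append_mac(header: bytes, key_id: int, key: bytes) -> bytes:
    """Symmetric-key MAC from RFC 5905: 32-bit key ID followed by MD5(key || header)."""
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify_mac(packet: bytes, keys: dict) -> bool:
    """Receiver side: look up the key by ID, recompute the digest over the 48-byte
    header and compare in constant time. Any bit changed in the header, for
    example a forged transmit timestamp, invalidates the digest."""
    if len(packet) != HEADER_LEN + KEY_ID_LEN + MD5_LEN:
        return False
    header = packet[:HEADER_LEN]
    key_id = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + KEY_ID_LEN])[0]
    key = keys.get(key_id)
    if key is None:
        return False                              # unknown key ID: reject, never fall back
    expected = hashlib.md5(key + header).digest()
    return hmac.compare_digest(expected, packet[HEADER_LEN + KEY_ID_LEN:])


def transmit_time(packet: bytes) -> float:
    """Decode the transmit timestamp (bytes 40-47) back to Unix time."""
    secs, frac = struct.unpack("!II", packet[40:48])
    return secs - NTP_EPOCH_OFFSET + frac / (1 << 32)


if __name__ == "__main__":
    keys = {7: b"x9Pq2!vL0mZr8wKd"}   # constructed shared secret for the example
    reply = append_mac(build_ntp_header(1700000000.5), 7, keys[7])
    print("valid:", verify_mac(reply, keys), "time:", transmit_time(reply))
    forged = bytearray(reply)
    forged[40] ^= 0x01                # an on-path attacker shifts the transmit timestamp
    print("forged accepted:", verify_mac(bytes(forged), keys))
```

The point the project was chasing follows directly from `verify_mac`: the digest is only as strong as the secret behind the key ID. One captured authenticated packet lets an attacker test candidate keys offline, and a 32-bit secret is 2^32 MD5 computations, which is hours on commodity hardware. Long random key-file entries, rejecting unknown key IDs, and a constant-time comparison are the cheap defences; none of them helps if the client is configured to accept unauthenticated replies as a fallback.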
For enterprise software applications and related processes, highly accurate and synchronized time is a necessity. An inaccurate computer clock can cause significant problems: a discrepancy of a minute or two is an unacceptable margin of error when many applications require the time to be accurate to the nearest second or better.
ADRISYA: A Flow Based Anomaly Detection System for Slow and Fast Scan - IJNSA Journal
Attackers perform port scans to find reachability, liveness and running services on a system or network. Current scanning tools offer many scanning options and are capable of evading security tools such as firewalls, IDS and IPS. To detect and prevent attacks at an early stage, accurate real-time detection of scanning activity is essential. This paper presents a flow-based protocol behaviour analysis system that detects both slow and fast TCP scans. The system provides a scalable, accurate and generic solution to TCP-based scanning through automatic behaviour analysis of network traffic. Its detection capability is compared with SNORT, and the results show a higher detection rate than SNORT.
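The slow-versus-fast distinction comes down to the window over which a source's fan-out is measured. The following is an added example, not ADRISYA's code: it takes flow records (constructed here, with the fields a flow exporter would give you), treats incomplete or payload-less TCP flows as probes, and runs a sliding window over each source's distinct (host, port) targets with a short window for fast scans and a long one for slow scans. The thresholds and window sizes are assumed values.

```python
from collections import defaultdict, namedtuple

# One flow record. `flags` is the TCP flag set seen from the initiator;
# "S" alone means the handshake never completed.
Flow = namedtuple("Flow", "ts src dst dport flags bytes")


def is_probe(flow: Flow) -> bool:
    """A connection attempt that never completed, or that carried no payload,
    is the per-flow fingerprint of a scan (SYN scan, connect() to a closed port)."""
    return flow.flags == "S" or flow.bytes == 0


def max_fanout(events, window: float) -> int:
    """events: list of (ts, target). Return the largest number of distinct targets
    one source touched inside any sliding window of `window` seconds."""
    events = sorted(events)
    active, start, best = {}, 0, 0
    for ts, target in events:
        active[target] = active.get(target, 0) + 1
        while events[start][0] < ts - window:      # expire events that left the window
            old = events[start][1]
            active[old] -= 1
            if active[old] == 0:
                del active[old]
            start += 1
        best = max(best, len(active))
    return best


def detect_scans(flows, fast_window=10.0, fast_threshold=20,
                 slow_window=3600.0, slow_threshold=50):
    """Classify sources as 'fast' (many targets within seconds) or 'slow' (many
    targets spread over an hour, each minute individually unremarkable).
    Thresholds are assumed and must be tuned per network."""
    per_src = defaultdict(list)
    for f in flows:
        if is_probe(f):
            per_src[f.src].append((f.ts, (f.dst, f.dport)))
    verdicts = {}
    for src, events in per_src.items():
        if max_fanout(events, fast_window) >= fast_threshold:
            verdicts[src] = "fast"
        elif max_fanout(events, slow_window) >= slow_threshold:
            verdicts[src] = "slow"
    return verdicts


def sample_flows():
    """Constructed traffic: a fast port scanner, a slow one and a benign web client."""
    flows = []
    # fast: 30 ports on one host within three seconds
    flows += [Flow(100 + i * 0.1, "10.0.0.66", "10.0.1.5", 1 + i, "S", 0) for i in range(30)]
    # slow: one probe per minute for an hour, 60 different ports
    flows += [Flow(i * 60.0, "10.0.0.77", "10.0.1.5", 8000 + i, "S", 0) for i in range(60)]
    # benign: completed handshakes with payload to one port
    flows += [Flow(200 + i, "10.0.0.10", "10.0.1.5", 443, "SAPF", 1500) for i in range(100)]
    return flows


if __name__ == "__main__":
    for src, kind in sorted(detect_scans(sample_flows()).items()):
        print(f"{src}: {kind} scan")
```

A per-packet signature engine sees each of the slow scanner's probes as an isolated SYN and never fires; the flow view keeps an hour of state per source, which is the trade-off (memory per source) that makes this approach catch what the signature approach misses.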
Analytical Research of TCP Variants in Terms of Maximum Throughput - IJLTEMAS
This paper is a comparative throughput analysis of the TCP variants NewReno, Westwood and HighSpeed. It analyzes the outcomes in a simulated environment, the NS-3 (version 3.25) simulator, while varying network parameters including simulation time, router bandwidth and the number of traffic sources, to observe which variant performs best in different scenarios. The analysis uses a dumbbell topology to determine the comparative maximum throughput of the TCP variants. The results show that NewReno performs well when bandwidth is low, while HighSpeed makes better use of large bandwidths than Westwood. Network traffic flow was observed in the NetAnim tool.
This document discusses different network steganography techniques, including tools developed to implement them. It describes using packet delay modification (Timeshifter) and packet content modification (Stegnet and BitStegNet) to covertly transmit messages. Timeshifter modifies ICMP packet delays. Stegnet modifies ICMP packet data fields. BitStegNet modifies the timestamps in μTP packet headers used by BitTorrent. The document outlines the goals, techniques tested, accomplishments and limitations of each tool, concluding future work could include testing in open networks and improving usability.
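Timeshifter's technique, modulating the gap between otherwise innocent packets, is simple enough to show end to end. This is an added example rather than the Timeshifter code: a 0 bit is sent after a base delay and a 1 bit after a longer one, the receiver recovers the bits from arrival timestamps with a midpoint threshold, and a deterministic jitter model shows the limitation the document notes, that the channel only survives jitter smaller than half the bit shift. The delay constants are assumed parameters, and the message is constructed.

```python
import random

# Assumed channel parameters: a 0 bit is sent after BASE_DELAY seconds, a 1 bit after
# BASE_DELAY + BIT_SHIFT. The receiver decides with a threshold halfway between them,
# so the channel tolerates up to BIT_SHIFT / 2 of error on any single gap.
BASE_DELAY = 0.050
BIT_SHIFT = 0.040
THRESHOLD = BASE_DELAY + BIT_SHIFT / 2


def to_bits(data: bytes):
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def encode_delays(message: bytes) -> list:
    """Sender side: one inter-packet gap per bit. The carrier packets themselves
    (ICMP echo requests in Timeshifter's case) carry no covert payload."""
    return [BASE_DELAY + (BIT_SHIFT if bit else 0.0) for bit in to_bits(message)]


def send_times(delays, start=0.0) -> list:
    """Absolute transmission timestamps for the packet train (first packet at `start`)."""
    times, t = [start], start
    for d in delays:
        t += d
        times.append(t)
    return times


def arrival_delays(times) -> list:
    """Receiver side: recover the gaps from captured arrival timestamps."""
    return [b - a for a, b in zip(times, times[1:])]


def decode_delays(delays) -> bytes:
    """Threshold each gap, pack bits MSB-first; a trailing partial byte is dropped."""
    bits = [1 if d > THRESHOLD else 0 for d in delays]
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)


def jitter(times, max_jitter: float, seed: int = 1) -> list:
    """Simulate network jitter by perturbing each arrival time (deterministic seed).
    Two perturbed endpoints can move one gap by up to 2 * max_jitter."""
    rng = random.Random(seed)
    return [t + rng.uniform(-max_jitter, max_jitter) for t in times]


if __name__ == "__main__":
    message = b"covert"
    train = send_times(encode_delays(message))
    print("clean:", decode_delays(arrival_delays(train)))
    print("jitter 8 ms:", decode_delays(arrival_delays(jitter(train, 0.008))))
    print("jitter 30 ms:", decode_delays(arrival_delays(jitter(train, 0.030))))
```

The same arithmetic is what a defender uses: inter-arrival times of a timing channel cluster tightly around two values, whereas genuine ping traffic has one mode plus noise, so a histogram of gaps per flow is the natural detector. Widening `BIT_SHIFT` buys jitter tolerance at the cost of throughput and makes the bimodal pattern more obvious.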
1) The document describes a proposed SDN-based system to detect and prevent DDoS attacks. It uses entropy calculations on traffic flow statistics to detect attacks. When an attack is detected, the controller installs rules to block traffic from bot IPs and the server uses CAPTCHAs to authenticate legitimate users.
2) The system was tested using iperf and attack tools on an emulation platform. Results showed it maintained high throughput even during attacks, unlike approaches that overload the controller. It also had lower false positives than other detection algorithms.
3) Future work could include expanding the system to detect attacks targeting different SDN layers and more servers. The approach provides an effective and scalable DDoS defense for
IRJET - DDoS Detection System using C4.5 Decision Tree Algorithm - IRJET Journal
This document proposes a machine learning model using the C4.5 decision tree algorithm to detect DDOS attacks. It trains the model on DDOS attack samples from the CICIDS2017 dataset, dividing the samples into training and test data. The Weka data mining tool is used to build the model with attribute filtering and 10-fold cross-validation. The trained model is then validated on the test data to accurately differentiate between benign and DDOS flooding traffic. This combined signature-based and anomaly-based detection approach can effectively detect complex DDOS attacks.
This document provides a summary of CLDAP reflection DDoS attacks observed by Akamai between October 2016 and January 2017. It details the attack methods, timelines, largest attacks observed, affected industries, source distributions by country and ASN, mitigation recommendations including filtering port 389, and conclusions regarding CLDAP reflection as an emerging DDoS vector.
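What makes CLDAP reflection visible in flow data is not port 389 alone but the absence of a request: the victim receives UDP/389 responses it never asked for, because the attacker spoofed its address in the queries. The block below is an added example, not Akamai's tooling, working over constructed NetFlow-style records. The addresses, byte counts and the minimum-bytes threshold are assumptions.

```python
from collections import defaultdict, namedtuple

# Unidirectional flow record reduced to the fields the check needs (constructed data).
Flow = namedtuple("Flow", "src sport dst dport proto packets bytes")

CLDAP_PORT = 389


def unsolicited_cldap(flows, min_bytes=1_000_000):
    """Find hosts receiving UDP/389 responses they never requested.

    A CLDAP response is solicited only if the receiving host earlier sent a query to
    that reflector on UDP/389. In a spoofed-source amplification attack the victim
    never sent anything, so its response flows have no matching request flow.
    Returns {victim: {"bytes": total, "reflectors": sorted list}}."""
    asked = set()
    for f in flows:
        if f.proto == "udp" and f.dport == CLDAP_PORT:
            asked.add((f.src, f.dst))             # (client, reflector)
    victims = defaultdict(lambda: {"bytes": 0, "reflectors": set()})
    for f in flows:
        if f.proto != "udp" or f.sport != CLDAP_PORT:
            continue
        if (f.dst, f.src) in asked:
            continue                              # solicited reply, leave it alone
        victims[f.dst]["bytes"] += f.bytes
        victims[f.dst]["reflectors"].add(f.src)
    return {host: {"bytes": v["bytes"], "reflectors": sorted(v["reflectors"])}
            for host, v in victims.items() if v["bytes"] >= min_bytes}


def amplification_factor(flows, client, reflector):
    """Bytes returned per byte sent for one client/reflector pair on UDP/389.
    Infinite when the 'client' never sent a query, which is the reflection case."""
    sent = sum(f.bytes for f in flows
               if f.proto == "udp" and f.src == client and f.dst == reflector and f.dport == CLDAP_PORT)
    got = sum(f.bytes for f in flows
              if f.proto == "udp" and f.src == reflector and f.dst == client and f.sport == CLDAP_PORT)
    return got / sent if sent else float("inf")


def sample_flows():
    """Constructed: three open CLDAP servers reflecting at 192.0.2.10, one legitimate
    query/response pair, and a TCP LDAP session that must be ignored."""
    flows = [Flow(f"203.0.113.{i}", 389, "192.0.2.10", 4000 + i, "udp", 1000, 3_000_000)
             for i in (1, 2, 3)]
    flows.append(Flow("192.0.2.20", 51000, "203.0.113.9", 389, "udp", 1, 52))
    flows.append(Flow("203.0.113.9", 389, "192.0.2.20", 51000, "udp", 1, 1500))
    flows.append(Flow("203.0.113.9", 389, "192.0.2.30", 40000, "tcp", 40, 50000))
    return flows


if __name__ == "__main__":
    for victim, info in unsolicited_cldap(sample_flows()).items():
        print(victim, info["bytes"], "bytes from", info["reflectors"])
```

Two caveats before acting on the output: sampled or asymmetrically routed flow exports can drop the request half of a legitimate pair, so corroborate with the amplification ratio and response size before blocking, and the filtering recommendation (drop inbound UDP with source port 389 at the edge unless you operate CLDAP) protects victims, while the reflectors themselves are fixed only by their owners closing UDP/389 to the Internet.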
Time-based DDoS Detection and Mitigation for SDN Controller - Lippo Group Digital
This document proposes a method to detect and mitigate distributed denial of service (DDoS) attacks on software defined networking (SDN) controllers using time-based characteristics. The method considers not only the malicious packet destination but also the time needed to achieve high traffic rates and periodic attack patterns. The proposed solution architecture monitors packet rates over time windows to detect abnormal traffic increases. Future work includes optimizing detection thresholds, deeper analysis of DDoS attack time patterns, and evaluation of the method's performance in a simulation.
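The entropy-based SDN detector summarised above and this time-based proposal are two halves of one detector: entropy of the destination distribution says whether traffic has collapsed onto a target, and the time dimension says whether that condition has persisted long enough to be worth a flow rule. The block below is an added example serving both summaries; it is not code from either paper. Window width, thresholds and the sustain count are assumed values, and the traffic is constructed.

```python
import math
from collections import Counter, defaultdict, namedtuple

Packet = namedtuple("Packet", "ts src dst")
Window = namedtuple("Window", "index rate entropy flagged")


def dst_entropy(packets) -> float:
    """Shannon entropy (bits) of the destination address distribution in one window.
    Normal traffic is spread over many destinations; a flood collapses onto one."""
    counts = Counter(p.dst for p in packets)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def analyse(packets, width=1.0, rate_threshold=100.0, entropy_threshold=1.0, sustain=3):
    """Bucket packets into fixed windows of `width` seconds and flag a window once the
    packet rate is high AND destination entropy is low for `sustain` consecutive
    windows. The sustain requirement is the time-based part: a flood takes several
    windows to build up, and a single-window spike is not worth a flow rule."""
    buckets = defaultdict(list)
    for p in packets:
        buckets[int(p.ts // width)].append(p)
    results, streak = [], 0
    for index in sorted(buckets):
        pkts = buckets[index]
        rate = len(pkts) / width
        entropy = dst_entropy(pkts)
        suspicious = rate >= rate_threshold and entropy <= entropy_threshold
        streak = streak + 1 if suspicious else 0
        results.append(Window(index, rate, entropy, streak >= sustain))
    return results


def block_candidates(packets, windows, width=1.0, top=5):
    """Sources to push drop rules for: the heaviest senders inside flagged windows.
    With spoofed sources these are addresses, not bots (see the note below)."""
    flagged = {w.index for w in windows if w.flagged}
    counts = Counter(p.src for p in packets if int(p.ts // width) in flagged)
    return [src for src, _ in counts.most_common(top)]


def sample_traffic():
    """Constructed: 15 s of normal traffic, with a flood on one server from t=10 s."""
    pkts = []
    for sec in range(15):
        for i in range(10):                                   # 10 pkt/s across 8 servers
            pkts.append(Packet(sec + i / 10, f"10.1.0.{i}", f"10.0.0.{i % 8}"))
    for sec in range(10, 15):
        for i in range(500):                                  # 500 pkt/s to one server
            pkts.append(Packet(sec + i / 500, f"198.51.100.{i % 20}", "10.0.0.5"))
    return pkts


if __name__ == "__main__":
    pkts = sample_traffic()
    windows = analyse(pkts)
    for w in windows:
        print(f"t={w.index:2d}s rate={w.rate:6.0f} H={w.entropy:.2f} {'ATTACK' if w.flagged else ''}")
    print("block:", block_candidates(pkts, windows))
```

Entropy on destinations alone is blind to a flood whose target is also the busiest legitimate host, and source-based blocking only helps when sources are real; both papers' designs (CAPTCHA challenges for the former, controller-side rate limits for the latter) exist because of those gaps. Computing the statistics from sampled flow counters rather than every packet is what keeps the controller itself out of the data path.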
Client server computing in mobile environments, part 2 - Praveen Joshi
Client server computing in mobile environments: a versatile, message-based, modular infrastructure intended to improve usability, flexibility, interoperability and scalability compared with centralized, mainframe, time-sharing computing. It is intended to reduce network traffic. Communication uses RPC or SQL.
This document describes a programming project to implement a fog computing topology using Java. It involves simulating a network of fog nodes that receive requests from IoT devices and process or forward the requests to neighboring nodes or to the cloud based on response time limits. Each fog node periodically exchanges queueing time information with neighbors and forwards requests to the neighbor with the shortest queue. The implementation will use threads to simulate parallel processing at fog nodes and include debugging information in request packets to trace the path through the fog network.
This document provides an overview of TCP performance modeling and network simulation using the ns-2 simulator. It begins with background on TCP congestion control algorithms like slow start, congestion avoidance, fast retransmit, and fast recovery. Two analytical models for TCP throughput, a simple model and a more complex model, are described. The document then provides instructions on installing and using the ns-2 network simulator and the OTcl scripting language. It explains how to create network topologies in ns-2 including nodes, links, agents and applications. Tracing, monitoring and running simulations are also covered. The document concludes with an example simulation study comparing the TCP throughput models to ns-2 results.
The document proposes two new autonomous system (AS) traceback techniques to identify the AS of the attacker launching a denial-of-service (DoS) attack. The first technique, called Prevent Overwriting AS Traceback (POAST), marks packets with a dynamic probability and protects marked packets from being overwritten. It encodes the attacking AS number instead of router IP addresses. The second technique, called Efficient AS Traceback (EAST), is also described but not in detail. Both are evaluated to have better performance than existing probabilistic packet marking techniques for traceback by reducing the number of packets and routers required.
Information and network security 11: cryptography and cryptanalysis - Vaibhav Khanna
The purpose of cryptography is to hide the contents of messages by encrypting them so as to make them unrecognizable except to someone who has been given a special decryption key. The purpose of cryptanalysis is then to defeat this by finding ways to decrypt messages without being given the key.
The document is a report on a Wireshark lab analyzing TCP and UDP network traffic.
For the TCP analysis:
- The client IP address is 192.168.1.102 and port 1161, the server is 128.119.245.12 on port 80.
- The SYN segment has a sequence number of 0 and identifies the segment with the SYN flag.
- The SYNACK from the server acknowledges 1 and has a sequence number of 0.
- The HTTP POST has a sequence number of 1.
For the UDP analysis:
- The UDP header has 4 fields - Source Port, Destination Port, Length, and Checksum.
- The checksum is computed over an IP pseudo-header (source and destination addresses, protocol number and UDP length) in addition to the UDP header and payload.
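The pseudo-header is the part of the UDP checksum people get wrong, because the bytes it covers are not in the UDP segment at all. The following is an added example, not part of the lab report: it builds a UDP segment with a correct checksum, parses the four header fields, and verifies a received segment the way a host does. The client and server addresses are the ones from the lab's TCP trace; ports and payload are constructed.

```python
import struct
from ipaddress import ip_address

UDP_PROTO = 17


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                       # pad odd-length data to a whole 16-bit word
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header (src, dst, zero byte, protocol, UDP length)
    followed by the UDP header with its checksum field zeroed, then the payload."""
    pseudo = (ip_address(src_ip).packed + ip_address(dst_ip).packed
              + struct.pack("!BBH", 0, UDP_PROTO, len(segment)))
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]
    csum = ~ones_complement_sum(pseudo + zeroed) & 0xFFFF
    return csum or 0xFFFF                     # RFC 768: a computed 0 is transmitted as all ones


def build_udp(src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)
    csum = udp_checksum(src_ip, dst_ip, header + payload)
    return struct.pack("!HHHH", sport, dport, length, csum) + payload


def parse_udp(segment: bytes) -> dict:
    """The four header fields from the lab, plus the payload they frame."""
    sport, dport, length, csum = struct.unpack("!HHHH", segment[:8])
    return {"sport": sport, "dport": dport, "length": length,
            "checksum": csum, "payload": segment[8:length]}


def verify_udp(src_ip, dst_ip, segment: bytes) -> bool:
    """Recompute and compare. On IPv4 a zero checksum means 'not computed' and passes."""
    fields = parse_udp(segment)
    if fields["length"] != len(segment):
        return False
    if fields["checksum"] == 0:
        return True
    return udp_checksum(src_ip, dst_ip, segment) == fields["checksum"]


if __name__ == "__main__":
    seg = build_udp("192.168.1.102", "128.119.245.12", 1161, 53, b"hello dns")
    print(parse_udp(seg))
    print("valid:", verify_udp("192.168.1.102", "128.119.245.12", seg))
    print("wrong source address:", verify_udp("192.168.1.103", "128.119.245.12", seg))
```

Because the addresses are inside the checksum, a NAT box that rewrites an IP header has to patch the UDP checksum too, and a segment replayed from a different source address fails verification even though the UDP bytes are untouched. The zero-means-absent rule is IPv4 only; IPv6 makes the UDP checksum mandatory.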
This document proposes adding Diffie-Hellman key exchange and digital signatures to the TCP three-way handshake to provide assured identity continuity for TCP connections even when network address translation (NAT) is used. It aims to prevent IP spoofing attacks by allowing endpoints to validate each other's identities during a TCP connection. The proposal outlines adding the cryptographic operations to the TCP handshake in a way that is incrementally deployable and backwards compatible without requiring any pre-existing relationship between endpoints. It also discusses some proof-of-concept implementation issues regarding using iptables and packet manipulation to verify signatures on TCP payloads.
Security in Large Networks - Raja Velampalli
security: the state of being free from threats and attacks.
network: a group or system of interconnected people or things; in computing, a collection of computers, servers or other devices connected to one another to allow sharing of data.
implicit: suggested though not directly expressed.
explicit: clear and easy to understand.
Authentication: any process by which a system verifies the identity of a user who wishes to access it.
DDoS Attack Detection & Mitigation in SDN - Chao Chen
This document summarizes a presentation on detecting and mitigating distributed denial of service (DDoS) attacks in software-defined networks. It discusses using sFlow and the Floodlight controller to detect common DDoS attack types like ICMP floods, SYN floods, and DNS amplification. An application was developed in Python to classify attacks and push static flow entries to direct attack traffic to the sFlow collector for analysis. The scheme was tested in a Mininet virtual network and shown to successfully mitigate ICMP and SYN flood attacks. Future work includes testing DNS amplification and UDP floods, implementing adaptive sampling rates and thresholds, and designing an unblocking mechanism.
Chapter 3. Sensors in the network domain - Phu Nguyen
This chapter discusses network sensors and the data they generate. Examples of network sensors include NetFlow sensors on routers and packet capture tools like tcpdump. The chapter covers challenges of analyzing large network traffic data, and describes common data formats generated by sensors like NetFlow records and packet captures. It also discusses techniques for filtering large packet capture data, such as using rolling buffers, limiting packet snap lengths, and Berkeley Packet Filter rules.
This document proposes an Internet worm early warning system (WEW) that can detect worm outbreaks in their early stages. Unlike traditional approaches that monitor TCP SYN packets, WEW monitors TCP RESET packets to identify sources of failed connection attempts, which provides greater accuracy and less overhead. WEW is also designed to distinguish real scan sources from fake sources intended to generate false positives, through a stateless protocol using cookies. The system would allow early detection of worms to limit their damage and spread.
This document summarizes a research paper that simulates the Ad Hoc On-Demand Distance Vector (AODV) routing protocol under black hole attacks in mobile ad hoc networks (MANETs). The paper analyzes how black hole attacks affect key AODV routing metrics like packet delivery ratio and end-to-end delay. Through simulations with varying numbers of nodes, the paper finds that black hole attacks significantly reduce packet delivery ratios by diverting traffic to malicious nodes. The simulations provide insight into how AODV performance degrades under such attacks.
Virtual Machine Incorporated Sharing Model for Resource Utilization - idescitation
Cooperation and autonomy of virtual machines are important features of virtualization where resources are shared among virtual machines in a resource-constrained cloud environment. To facilitate resource sharing, this paper proposes a resource sharing facility, called the VM Incorporated RPC, that coordinates the remote procedure call (RPC) with virtual machine based memory management. In this paper, we present a process based resource sharing model in the case of collocated virtual machines. Evaluation of our algorithm demonstrates that sharing of resources within collocated virtual machines often results in utilizing almost 90% of the resource potential, compared to inter-machine sharing, which contributes a lesser amount of resource utilization.
This document analyzes the Patchwork targeted attack campaign, which infected an estimated 2,500 machines since 2015. The attackers used spearphishing emails containing malicious PowerPoint files to exploit CVE-2014-4114 and deploy first stage payloads. The investigation team used deception techniques to observe the attackers deploying second stage tools and pivoting through the network. Technical analysis of the payloads and command and control communications reveal the attackers copied code from online forums and targeted organizations working on military and political issues relating to Southeast Asia.
Nmap is a free and open source security scanning tool used to discover hosts and services on a computer network. It was originally written by Gordon Lyon and first published in 1997. Nmap uses raw IP packets to determine what hosts are available on the network, what services they offer, and what operating systems they are running. It has features like host discovery, port scanning, version detection, OS detection, and scriptable interaction. Nmap is commonly used for network inventory, auditing security, and identifying vulnerabilities, though some uses may be considered illegal without authorization.
The document discusses various topics related to distributed systems including clock synchronization, mutual exclusion, election algorithms, and fault tolerance. It provides details on:
1. Centralized and distributed clock synchronization algorithms including passive and active time server approaches and global and localized averaging algorithms.
2. Lamport's logical clocks for ordering events in a distributed system.
3. Mutual exclusion algorithms including centralized, distributed, and token passing approaches.
4. Traditional election algorithms like the Bully algorithm and ring algorithm.
5. Fault tolerance techniques using redundancy like replicating servers and majority voting.
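The two clock-synchronization families in item 1 and the logical clocks in item 2 are short enough to write out. This is an added example, not code from the document: a Lamport clock with the send/receive rules, the passive time-server estimate (Cristian's method, assuming symmetric network delay) and the active time-server averaging step (Berkeley). The sample timestamps are constructed.

```python
class LamportClock:
    """Logical clock: increments on local events and sends; on receive it jumps past
    the sender's timestamp so that a send always precedes its receive."""

    def __init__(self):
        self.time = 0

    def tick(self) -> int:            # local event
        self.time += 1
        return self.time

    def send(self) -> int:            # returns the timestamp to carry in the message
        return self.tick()

    def receive(self, msg_time: int) -> int:
        self.time = max(self.time, msg_time) + 1
        return self.time


def happened_before(ts_a: int, ts_b: int) -> bool:
    """Lamport's clock condition goes one way: a -> b implies C(a) < C(b).
    C(a) < C(b) does not prove a -> b; the events may be concurrent."""
    return ts_a < ts_b


def cristian_offset(t_send: float, server_time: float, t_recv: float) -> float:
    """Passive time server: the client sends at t_send and receives the server's time
    at t_recv (both on its own clock). Assuming symmetric delay, the server's time
    now is server_time + RTT/2; the result is the correction to add to the client clock."""
    return server_time + (t_recv - t_send) / 2 - t_recv


def berkeley_adjustments(master_time: float, slave_times) -> list:
    """Active time server (Berkeley): the master polls every clock, averages them
    including its own, and sends each node its adjustment. Returns the list
    [master adjustment, slave adjustments...] in input order."""
    times = [master_time] + list(slave_times)
    average = sum(times) / len(times)
    return [average - t for t in times]


def two_process_exchange():
    """A sends m1 to B; B does local work and replies with m2. Returns the final
    clock values and the message timestamps."""
    a, b = LamportClock(), LamportClock()
    b.tick()                          # B: local event, C=1
    m1 = a.send()                     # A: C=1
    b.receive(m1)                     # B: max(1, 1) + 1 = 2
    b.tick()                          # B: 3
    m2 = b.send()                     # B: 4
    a.receive(m2)                     # A: max(1, 4) + 1 = 5
    return a.time, b.time, m1, m2


if __name__ == "__main__":
    print("lamport:", two_process_exchange())
    print("cristian offset:", cristian_offset(100.0, 205.0, 110.0))
    print("berkeley:", berkeley_adjustments(100.0, [110.0, 90.0, 120.0]))
```

The security angle the list's item 5 hints at: every one of these accepts whatever time the peer reports, so a node that lies, or a network attacker that delays one direction of Cristian's exchange, moves every dependent clock. Berkeley's practice of discarding clocks far from the average is a majority-voting form of fault tolerance, and authenticated time protocols exist precisely because averaging cannot tell an honest outlier from a malicious one.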
This document discusses how the nmap scanner performs host discovery by default and explores customizing its behavior. It examines nmap's default discovery method, which (when run with raw-packet privileges) sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request to each target and treats any response as evidence that the host is up. The document uses a DMZ network with varying firewall rulesets to demonstrate how the default method works in different scenarios. It shows that while the default method is sufficient when rules are very open, more specific rules may require customizing nmap's probe options to more accurately discover live hosts on the network.
The document summarizes new attacks against the WPA-TKIP protocol. It describes a denial of service attack that can disable a network by replaying two manipulated packets. It also outlines a fragmentation attack that uses predicted keystream bytes to inject packets onto the network, such as for port scanning. Finally, it proposes a MIC reset attack to decrypt packets by crafting a prefix that resets the MIC state. Proofs of concept are provided for the denial of service and fragmentation attacks.
Capistrano is a tool for automating tasks on remote servers. It executes commands in parallel on targeted machines and provides rollback of changes. Capistrano uses Net::SSH, Net::SFTP, and Net::SCP to automate tasks over SSH, and supports features like task chaining, streams, prompts, roles, and detecting/rolling back broken jobs.
CupShup discussion materials: CouponDunia case study (Feb 2015) - Sidharth Singh
From the stable of CupShup, a pioneer of paper cup advertising in India, the campaign for CouponDunia was run in Mumbai. Paper cup advertising is one of the most effective advertising media. The campaign succeeded in creating brand awareness among working professionals in Mumbai through paper cup advertising.
The Ubiz Mobile App Opportunity is gaining a lot of attention due to the industry numbers. Take a look at the Mobile trends. Look where the mobile industry is going.
Ubiz Mobile app and the BizBiz opportunity is right with the trends of Mobile Marketing. We are looking for Merchants and representatives to help get the Ubiz App out. Contact me for more details. http://zAPP.mobi
Capistrano is a tool for automating tasks on remote servers. It executes commands in parallel on targeted machines and provides rollback of changes. Capistrano uses Net::SSH, Net::SFTP, and Net::SCP to automate tasks over SSH, and supports features like task chaining, streams, prompts, roles, and detecting/rolling back broken jobs.
Cup shup discussion materials_coupondunia case study_feb2015 - Sidharth Singh
From the stable of CupShup, a pioneer of paper cup advertising in India, the campaign for Coupondunia was done in Mumbai. Paper cup advertising is one of the most effective media of advertising. The campaign was a success, creating brand awareness among working professionals of Mumbai through paper cup advertising.
The Ubiz Mobile App Opportunity is gaining a lot of attention due to the industry numbers. Take a look at the Mobile trends. Look where the mobile industry is going.
Ubiz Mobile app and the BizBiz opportunity is right with the trends of Mobile Marketing. We are looking for Merchants and representatives to help get the Ubiz App out. Contact me for more details. http://zAPP.mobi
The Importance of a Quality Reporting Process in a Pay-for-Performance Enviro... - Mallory Johnson
This document summarizes key factors for successful reporting in pay-for-performance healthcare programs. It discusses the growing push for pay-for-performance under the Affordable Care Act and in Medicaid programs. Successful reporting requires clearly defined processes, preparation and validation of reports, flexibility to adapt to changing requirements, using data to drive decision-making, and aligning organizational strategy with reporting needs. Reporting is important to demonstrate achievement of quality goals and access incentive payments.
Report annual event Linking students and NGOs 8 Oct 2015 - Rosanne Anholt
The document summarizes a meeting that brought together students, researchers, practitioners, and policymakers working in sexual and reproductive health and rights. It discusses presentations given on various research projects, a keynote speech from UNFPA on international policymaking in SRHR, and a concluding discussion on linking research to policy and practice. Participants discussed taking an intersectional approach, challenges in implementation, involving donors, and the role of universities in societally-relevant research.
Behavioral Conformance of Artifact-Centric Process Models - Dirk Fahland
A talk held by Boudewijn van Dongen at the 14th International Conference on Business Information Systems (BIS 2011) in Poznan, Poland, June 2011. We present the problem of checking whether an artifact-centric process model conforms to process behavior observed in reality.
This talk was given by Dirk Fahland and Hajo A. Reijers at the BPM Roundtable at TU Eindhoven in July 2011. We presented first insights into how people model and the modeling outcome.
The circulatory system is formed by blood vessels, the heart, and blood. It carries nutrients and oxygen from the lungs to tissues throughout the body, and carries carbon dioxide from the tissues back to the lungs. Arteries carry oxygenated blood away from the heart to the body, while veins return deoxygenated blood back to the heart. The heart pumps blood through this network of vessels to deliver nutrients and oxygen and remove waste from all parts of the body.
This document summarizes a research project exploring security flaws in the Network Timing Protocol (NTP). The project goals were to set up a virtual computer network with an NTP client and server, and demonstrate a man-in-the-middle attack by fooling the NTP client. The researchers set up virtual machines running Linux, configured one as an NTP server synchronized to an external time source, and monitored network traffic. They planned to use Ettercap to intercept NTP traffic through ARP poisoning, but ran out of time before completing the attack.
This document discusses how to protect PDF documents through digital signatures and encryption. It explains that digital signatures can ensure the integrity, authenticity, and non-repudiation of PDF documents. The document outlines how digital signatures work at a technical level, embedding a signature in the PDF file structure along with a certificate. It also discusses how to handle issues like signature revocation, timestamping, and long-term validation of signatures over time.
The Other Advanced Attacks: DNS/NTP Amplification and Careto - Mike Chapple
This session gives you a list of things besides spearphishing to worry about. You may think DDoS is old hat, but there’s a new spin on how to do it every month, including (to take one example) spoofing packets sent to an amplification server. These attacks leverage misconfigured DNS and NTP services to exhaust all bandwidth available to a third party victim. We’ve also learned in the past few weeks about a threat - Careto - that has been waging cyberwar against the Internet for at least seven years. In this webcast, we explore those new threats and ways that you can better defend your organization.
This document outlines a 4-day training course on Red Hat System Administration III. The course covers topics such as package management with RPM, network monitoring, security, storage, web services, file sharing, and boot troubleshooting. Each day consists of multiple units that delve deeper into these areas and provide hands-on instruction on configuring and managing an enterprise Linux environment.
PRIVACY AND SECURITY POLICIES THAT ENCOURAGE EBUSINESS - pattok
This document summarizes a presentation by Pavan Duggal on privacy and security policies that encourage e-business. It discusses how different countries treat privacy and security differently depending on their legal histories. In India, there is no comprehensive privacy law, and privacy is interpreted within the framework of existing laws. The Information Technology Act of 2000 addresses some privacy and security issues but does not comprehensively define these terms. Strengthening privacy and security laws and adopting a flexible approach is needed to promote these issues in India.
This document describes the services and resources available in the libraries of the Universitat de València. It offers places to study, access to books, journals and electronic resources, as well as staff who can help students find information. Students can borrow books, use computers and printers, and access the Internet. The libraries offer accommodations for people with disabilities.
The document provides instructions for basic NTP configuration and monitoring. It recommends configuring at least two NTP servers, with one acting as primary and the other as backup. It also advises creating a drift file to help NTP learn the system clock's error rate. Various utilities like ntpq, ntpdc, ntptime and ntpdate can be used to check NTP synchronization and determine any offset from the remote server time.
In his previous talk, Paul talked about getting your system to work with SELinux. This involved setting the security on your files and directories so that they worked with SELinux. However, many people have customised their Linux installs and want SELinux to do what they say, not the other way around. Sysadmins in particular are not 'run of the mill' users, and they have different requirements to what typically comes out of the box. Situations such as serving web pages from NFS shares or non-standard directories, or installing applications in custom locations, need specialised configuration of SELinux in order to make it work with your needs.
This talk will deal with those situations. Fortunately for Sysadmins, much of the work in developing SELinux policies for Linux has focussed on their requirements. Paul will show you a few of the things behind
the scenes that make your job as a Sysadmin much easier and safer with SELinux.
DIFFERENT APPROACHES OF CONTENT ORGANIZATION IN SOCIAL SCIENCE - Varshapadman
This document discusses the social science curriculum and principles of curriculum construction. It defines curriculum as the course of experiences given to learners in schools. The social science curriculum aims to develop understanding of human relations and society, impart knowledge, foster values, teach skills and tolerance, and develop citizenship. Principles for selecting content include being child-centered, objective-based, activity-focused, and preparing students for life. Approaches to organizing content discussed are the topic, spiral, and concentric approaches.
This presentation discusses time synchronization and the Network Time Protocol (NTP). It provides an introduction to time synchronization, explaining that NTP is an internet standard protocol used to synchronize computer clocks over networks. It then discusses how NTP works, describing its hierarchical structure and use of UDP port 123. The presentation also covers GPS time synchronization and evaluates NTP's accuracy compared to GPS.
This document summarizes research into the resilience of deployed TCP implementations to "blind" in-window attacks from off-path adversaries. The authors tested major operating systems and network infrastructure and found that:
1) Over 50% of web server connections were vulnerable to at least one blind in-window attack, with 44% accepting invalid data packets.
2) All routers and switches tested had some form of TCP vulnerability, despite more recent systems being resistant to SYN and reset attacks.
3) Ephemeral port selection on real systems remains predictable, potentially aiding attackers, though adoption of new operating systems may improve this over time.
The document provides an overview of time-triggered architecture (TTA) and communication protocols. TTA treats physical time as fundamental and provides a fault-tolerant global time base. It decomposes applications into clusters, nodes, and their interfaces. Communication is specified via global time and time-triggered protocols like TTP/C and FlexRay are used. TTA architecture consists of nodes with host and communication subsystems connected via a time-triggered bus.
NON-INTRUSIVE REMOTE MONITORING OF SERVICES IN A DATA CENTRE - cscpconf
Non-intrusive remote monitoring of data centre services should be such that it requires no (or minimal) modification of legacy code and standard practices. Also, allowing a third party agent to sit on every server in a data centre is a risk from a security perspective. Hence, use of a standard such as SNMPv3 is advocated in this kind of environment. There are many tools (open source or commercial) available which use SNMP, but we observe that most of the tools do not have an essential feature for auto-discovery of the network. In this paper we present an algorithm for remote monitoring of services in a data centre. The algorithm has two stages: 1) auto discovery of network topology and 2) data collection from remote machines. Further, we compare SNMP with WBEM and identify some other options for remote monitoring of services and their advantages and disadvantages.
The document summarizes experiments analyzing VMware's hypervisor-based fault tolerance mechanism for virtualized environments. It finds that the mechanism handles I/O-intensive and CPU-intensive applications well, with negligible performance degradation when fault tolerance is enabled. Experiments subjecting applications and a service composition engine to failures demonstrated transparent failover without exceptions or errors. While CPU-bound applications saw higher overhead, performance improved when removing unnecessary system calls. The fault tolerance mechanism provided robust protection against hardware failures in virtualized environments.
Replay of Malicious Traffic in Network Testbeds - DETER-Project
In this paper we present tools and methods to integrate attack measurements from the Internet with controlled experimentation on a network testbed. We show that this approach provides greater fidelity than synthetic models. We compare the statistical properties of real-world attacks with synthetically generated constant bit rate attacks on the testbed. Our results indicate that trace replay provides fine time-scale details that may be absent in constant bit rate attacks. Additionally, we demonstrate the effectiveness of our approach to study new and emerging attacks. We replay an Internet attack captured by the LANDER system on the DETERLab testbed within two hours.
Data and tools from the paper are available at: http://montage.deterlab.net/magi/hst2013tools
Also read the LANDER Blog entry at: http://ant.isi.edu/blog/?p=411
Command Transfer Protocol (CTP) for Distributed or Parallel Computation - paperpublications3
Abstract: In this paper, an improved version of a new networking protocol CTP for distributed or parallel computations is presented. In common, it is suitable just for fast, reliable and feature full interchange of small messages. CTP is a transport level API which helps in incrementing the speed of interchange. CTP is designed to allow general configurability, enabling its use in a wide range of general purpose and specialized applications. CTP covers a number of layers, from transport layer to application layer, proves that the area of its responsibility starts from relatively low level and goes to a high one.
Synchronization For High Frequency Trading Networks: A How To Guide - jeremyonyan
For many financial institutions, high frequency trading volume is growing at an accelerating pace and demanding new requirements on their IT infrastructure. Drivers in their business such as pricing of equities moving from decimal to penny resolution and the growing need for markets to provide improved liquidity are resulting in huge opportunities for financial gain. Taking advantage of these opportunities is, in part, dependent on the care taken in the network’s time synchronization and the management of latency. Wall Street firms who were involved in the early phases of High Frequency Trading have been early adopters of high performance timing solutions utilizing a variety of signals including GPS, IRIG, 1PPS, NTP and now the Precision Time Protocol (PTP) which allows for precision time transfer on Ethernet networks. The implementation of specific timing solutions depends on the trading infrastructure and the network topology. Through a combination of hardware, software, and careful network management, it is reasonable to expect microsecond level time-transfer from traceable time sources to Linux applications.
The document discusses network time servers and synchronization. It describes how most electronic clocks in devices are inaccurate and drift over time, causing issues for file systems, billing, security, and more. It recommends using a dedicated time server running NTP behind a firewall to provide the most accurate and secure synchronization for a local network. It also discusses Meinberg as a leading manufacturer of NTP servers and their LANTIME M1000 time and frequency synchronization platform.
A network behavior analysis method to detect this writes about a method to ... - Thang Nguyen
This document proposes a network behavior analysis method to detect reverse remote access trojans (RATs) using machine learning. It extracts 4 network behavior features from TCP sessions: out-in-bytes ratio, PSH flag ratio, early stage packet number, and heartbeat flag. Six machine learning classifiers are tested on a dataset of real RAT and normal traffic. Random forest achieves the best performance with an accuracy of 0.957 and AUC of 0.979, indicating the method can effectively detect encrypted reverse RAT connections by analyzing network behavior features.
This document discusses the implementation and simulation of Precision Time Protocol (PTP) stacks. PTP is used to synchronize clocks over Ethernet networks with less than 1 microsecond accuracy. It works by exchanging timing messages between a master and slave clock to determine offsets. The document outlines the basic components and message types of PTP including synchronization, delay request, delay response, and boundary clocks. It also discusses analyzing network packets between the master and slave using a protocol analyzer. The goal of the research is to design an implementation of PTP that can achieve sub-microsecond accuracy on an FPGA by building the protocol stack and simulating message passing.
This document summarizes a survey and analysis of various host-to-host congestion control proposals for TCP data transmission. It discusses the basic principles that underlie current host-to-host algorithms, including probing available network resources, estimating congestion through packet loss or delay, and quickly detecting packet losses. The document then analyzes specific algorithms like slow start, congestion avoidance, and fast recovery. It also examines calculating retransmission timeout and round-trip time, congestion avoidance and packet recovery techniques, and data transmission in TCP. The overall goal of these proposals is to control congestion in a distributed manner without relying on explicit network notifications.
Network protocols allow connected devices to communicate regardless of differences. A protocol is a set of rules that govern all aspects of communication between peers. Common network protocols include TCP, UDP, ICMP, and HTTP. TCP establishes connections to reliably deliver data. UDP prioritizes speed over reliability. ICMP reports network errors while HTTP transfers web page content. Together these protocols enable the functioning of the internet.
Improved SCTP Scheme To Overcome Congestion Losses Over Manet - IJERA Editor
Transmission control conventions have been utilized for the data transmission process. TCP has been pre-possessed for information transmission over wired correspondence having diverse transfer speeds and message delays over the system. TCP gives correspondence utilizing a 3-handshake which sends RTS and ACK originating from the server end, and the information message has been transmitted over the data transmission given. This does not give security against a flooding assault happening on the system. TCP gives correspondence between distinctive hubs of the wired correspondence; however, when multi-spilling happens in a system, TCP does not give legitimate throughput of the framework, which is a significant issue that happened in the past framework. In the proposed work, to beat this issue, SCTP and an Improved SCTP transmission control convention have been executed for the framework execution of the framework. SCTP gives 4-handshake correspondence in the message transmit, and improved SCTP gives the performance when the queue length comes to its full value: it then divides the message to other nodes, because of which the security element gets expansions, and this likewise gives correspondence administrations over multi-spilling and multi-homing. Numerous senders and recipients can impart over a wired system utilizing different methodologies of correspondence through the same routers, which debases in the TCP convention. In the last part we assess parameters for execution assessment. Here, we composed and actualized our proving ground utilizing Network Simulator (NS-2.35) to test the execution of both routing conventions.
The white paper discusses precision clock synchronization using IEEE 1588 (Precision Time Protocol, or PTP). PTP allows distributed clocks connected via Ethernet networks to synchronize with sub-microsecond accuracy. It describes PTP's applications in automation, measurement, and other fields. PTP achieves high accuracy through boundary clocks in switches, hardware time stamping, and two-way delay measurement between master and slave clocks. Accuracies below 100 nanoseconds have been achieved in tests.
Monitoring of traffic over the victim under tcp syn flood in a lan - eSAT Publishing House
IJRET : International Journal of Research in Engineering and Technology is an international peer reviewed, online journal published by eSAT Publishing House for the enhancement of research in various disciplines of Engineering and Technology. The aim and scope of the journal is to provide an academic medium and an important reference for the advancement and dissemination of research results that support high-level learning, teaching and research in the fields of Engineering and Technology. We bring together Scientists, Academicians, Field Engineers, Scholars and Students of related fields of Engineering and Technology.
This document describes the development of several tools for covert communication via network protocol modification. It begins with Timeshifter, which modifies the timing of ICMP packets at the network layer. Stegnet was then created to modify ICMP packet contents at the network layer. BitStegNet was finally developed to modify μTP packet headers within BitTorrent traffic at the transport layer, providing covert communication at a higher protocol level. The document outlines the implementation of each tool on virtual and physical test networks to successfully transmit hidden messages via timing or content modifications of network packets.
This project aims to analyze and emulate anomaly detection techniques for low-rate TCP denial of service attacks using the DETERLab testbed. The researchers plan to design an extensive anomaly checkpoint detection methodology. They propose a modified likelihood ratio algorithm to detect changes in network traffic statistics. The algorithm will be tested on legitimate and attack traffic in DETERLab while analyzing detection statistics and congestion windows. Results will help evaluate the ability to rapidly detect attacks while limiting false alarms.
Andrew McGarry
Daniel Lopresti
Lehigh in Ireland 2014
August 9, 2014
Demonstrating a Security Flaw in Authenticated NTP
Abstract:
This report details a project whose central goal was to explore and demonstrate a security flaw in Authenticated Network Time Protocol. The particular exploit which this project focused on involves a Man-in-the-Middle (MitM) attack where the attacker masquerades as a legitimate NTP server after brute forcing a 32-bit cookie generated during the initial authentication process. Once the correct cookie has been guessed, the attacker can then conduct an Address Resolution Protocol (ARP) poisoning attack to direct NTP traffic destined for the legitimate NTP server to a target of his or her choice (usually the attacker's own machine). This then allows the attacker to feed the NTP client false timing information, leading to a number of adverse effects which range from misrepresentation of the current time to system failure. Control systems, such as those which would be used to monitor power usage in a smart grid, can be made blind if enough measuring devices are deprived of a proper sense of time, potentially leading to catastrophic failures. To demonstrate this exploit, our group decided to set up a small virtual computer network and then conduct this attack on an Authenticated NTP session established between two of the machines.
Introduction:
During the 1980's, as control and measurement applications became increasingly complex and computationally demanding, there grew a need for a technology capable of synchronizing time between disparate computing devices. Several solutions to this problem were developed, including GPS time synchronization, reference broadcast synchronization, and Network Time Protocol. Although GPS and reference broadcast synchronization are excellent sources of time, Network Time Protocol (NTP) is by far the most broadly applicable since it can operate over the wired and wireless internet protocol networks commonly incorporated into buildings. Radio waves do not propagate well through dense materials, making GPS and reference broadcast synchronization problematic in buildings and urban environments.
As a result of this shortcoming, NTP has been an extremely common means of synchronizing time across computer networks for more than a decade, and its applications continue to evolve. The recent push towards smart grid technology, for example, will see the introduction of NTP into a new domain: critical infrastructure. Smart grid technology promises to improve the efficiency and reliability of the United States power grid through the addition of internet-enabled sensors. Ensuring that the various sensors and control systems all keep the same time opens up a whole new range of capabilities for power grid engineers, and because many of these devices will be internet-enabled, using NTP to synchronize time across the grid is an attractive option.
It is not, however, a safe option. NTP in its base form has no authentication scheme to verify clients or legitimate servers and has been used as the basis for several distributed denial of service (DDoS) attacks over the years because of it. The addition of Autokey, an authentication mechanism, led to the advent of Authenticated NTP. The fact that NTP can now be set up with an authentication mechanism makes it a better candidate for use in critical infrastructure, yet even this measure has not made NTP invulnerable to exploitation. Recent scholarship has uncovered several attack vectors, or means of exploitation, relating to Authenticated NTP. These discoveries have kicked off a wave of investigation into security improvements for Authenticated NTP with the ultimate goal of preparing it for use in critical infrastructure.
Project Goals:
The main goal of this project was to explore and demonstrate a security flaw associated with Authenticated NTP.
With regards to exploration, my partner and I set out to learn about Network Time Protocol, its importance and how it functions. In addition, we wished to learn how to utilize tools commonly used in computer science research while also introducing ourselves to computer networking and network security.
The demonstration portion of our project involved a two-stage approach. Stage 1 was to consist of a computer network featuring an NTP client/server relationship and the capability to monitor network traffic. In Stage 2, we would conduct a Man-in-the-Middle (MitM) attack within this network with the goal of spoofing an NTP client into accepting the attacker as a legitimate NTP server.
Network Time Protocol:
Network Time Protocol (NTP) is an application-layer protocol which allows computing devices to synchronize their clocks to reliable time sources over a network connection. NTP operates as a hierarchy of levels, known as stratum. The lowest level, Stratum 0, refers to national time sources to which Stratum 1 servers are directly connected via satellite, radio, or telephone modem. Stratum 2 servers receive their timing information from Stratum 1 servers, Stratum 3 servers from Stratum 2 servers, and so on.
The goal of NTP is to synchronize all participating computing devices to within a few milliseconds of the Coordinated Universal Time (UTC) timescale, a timing standard observed by many national laboratories. It does not, however, inherently account for regional time differences, so differences in time zones must be accounted for on a per-user basis. Leap seconds are accounted for and occur approximately every 18 months.
As for the architecture of the protocol, NTP relies on packet exchanges between clients and servers using its own set of on-wire protocols. A dual set of poll and peer processes governs when such packets are sent and what happens when they are received. The poll process sends NTP packets at a rate of one every 8 seconds to 36 hours in order to maximize accuracy and minimize network load. If the packet passes a sanity check, the peer process runs the on-wire protocol which relies on four timestamps.
The timestamps are:
T1: The time of departure of the request packet from the client
T2: The time of arrival of the request packet at the server
T3: The time of departure of the reply packet from the server
T4: The time of arrival of the reply packet at the client
NTP calculates several values to assess the accuracy of the time it exports based on these timestamps: offset, delay, jitter, frequency error, and stability. Perhaps the most important of these statistical values is the offset, which measures the asymmetry of the round trip time. If the offset is too high, NTP prevents the client from synchronizing with the target server.
In order to continue to receive timing information from an NTP server, an NTP client must first synchronize with the server. The synchronization process is a series of five request/receive exchanges. In each exchange, the client first queries the server for the current time by sending out a UDP/IP packet containing a timestamp denoting the time of departure (T1). As soon as the packet is received, the server marks down the time at which the packet was received in a timestamp (T2) and adds it to the packet. The server then adds an NTP timestamp containing the time at which the reply packet will be sent (T3) to the packet, and finally, the client then records the time at which the reply packet arrives (T4) in a final timestamp. Once the client has received and generated all four timestamps, it can then perform a sanity check on the exchange. If the test is passed, another exchange is allowed to occur. After five successful exchanges and sanity checks, synchronization is achieved and any further timestamps received from the NTP server are used to set the client's clock.
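The four-timestamp exchange described above, worked through in code. This is an added example and not part of the report: it lays out the 48-byte NTP header (RFC 5905 field order), converts between Unix seconds and the 64-bit NTP timestamp format, and applies the standard client arithmetic over T1 to T4, offset = ((T2 - T1) + (T3 - T4)) / 2 and delay = (T4 - T1) - (T3 - T2), followed by a sanity check that rejects a negative delay or an offset above ntpd's 1000-second panic threshold. The `synchronize` function then simulates the report's five request/reply exchanges against a server whose clock is ahead of the client's by a constructed amount; the clock values and the 8-second poll spacing are constructed inputs, and the symmetric one-way delay is an assumption made to keep the arithmetic checkable.

```python
"""Four-timestamp NTP exchange: header layout, timestamp format, offset/delay.
Added example, not code from the report; all sample clock values are constructed."""
import struct
from typing import NamedTuple

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 (NTP era 0) and 1970-01-01 (Unix)
NTP_PORT = 123                 # the official NTP port named in the report
MODE_CLIENT, MODE_SERVER = 3, 4
# LI/VN/Mode, stratum, poll, precision, root delay, root dispersion,
# reference ID, then reference / origin / receive / transmit timestamps.
HEADER_FMT = "!BBbbII4sQQQQ"   # 48 bytes, RFC 5905 header order
PANIC_THRESHOLD = 1000.0       # ntpd refuses to step the clock past this offset (seconds)


def to_ntp_ts(unix_seconds: float) -> int:
    """Unix seconds -> 64-bit NTP timestamp (32-bit seconds since 1900, 32-bit fraction)."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return ((whole + NTP_EPOCH_OFFSET) << 32) | frac


def from_ntp_ts(ts: int) -> float:
    """64-bit NTP timestamp -> Unix seconds as a float."""
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / (1 << 32)


class NtpPacket(NamedTuple):
    li_vn_mode: int
    stratum: int
    poll: int
    precision: int
    root_delay: int
    root_dispersion: int
    ref_id: bytes
    ref_ts: int
    orig_ts: int   # T1, echoed back by the server
    recv_ts: int   # T2, stamped by the server on arrival
    tx_ts: int     # T3 in a reply; carries T1 in a client request


def parse(packet: bytes) -> NtpPacket:
    """Decode the fixed 48-byte header (extension fields and MAC are ignored here)."""
    if len(packet) < struct.calcsize(HEADER_FMT):
        raise ValueError("short NTP packet")
    return NtpPacket(*struct.unpack(HEADER_FMT, packet[:48]))


def build_request(t1_unix: float, version: int = 4) -> bytes:
    """Client request: mode 3, departure time T1 placed in the transmit field."""
    li_vn_mode = (0 << 6) | (version << 3) | MODE_CLIENT
    return struct.pack(HEADER_FMT, li_vn_mode, 0, 6, -20, 0, 0, b"\0\0\0\0",
                       0, 0, 0, to_ntp_ts(t1_unix))


def build_reply(request: bytes, t2_unix: float, t3_unix: float, stratum: int = 2) -> bytes:
    """Server reply: echoes T1 into the origin field and adds T2 and T3."""
    req = parse(request)
    if req.li_vn_mode & 0x07 != MODE_CLIENT:
        raise ValueError("not a client request")
    li_vn_mode = (req.li_vn_mode & 0xF8) | MODE_SERVER
    return struct.pack(HEADER_FMT, li_vn_mode, stratum, req.poll, -20, 0, 0, b"GPS\0",
                       to_ntp_ts(t2_unix), req.tx_ts, to_ntp_ts(t2_unix), to_ntp_ts(t3_unix))


def offset_and_delay(t1: float, t2: float, t3: float, t4: float):
    """Standard client arithmetic over the four timestamps (RFC 5905)."""
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def exchange_ok(offset: float, delay: float, max_offset: float = PANIC_THRESHOLD) -> bool:
    """Sanity check: a negative delay is impossible, and a huge offset blocks synchronization."""
    return delay >= 0 and abs(offset) <= max_offset


def synchronize(server_ahead_by: float, network_delay: float, exchanges: int = 5):
    """Simulate the report's five exchanges; one-way delays are assumed symmetric.
    Returns (synchronized, [(offset, delay, passed), ...])."""
    client_clock = 1_700_000_000.0   # constructed client wall-clock value
    processing = 0.001               # constructed server turnaround time
    results = []
    for _ in range(exchanges):
        t1 = client_clock
        request = build_request(t1)
        t2 = t1 + network_delay / 2 + server_ahead_by   # arrival, in server time
        t3 = t2 + processing                            # departure, in server time
        reply = parse(build_reply(request, t2, t3))
        t4 = t1 + network_delay + processing            # arrival, in client time
        offset, delay = offset_and_delay(from_ntp_ts(reply.orig_ts), from_ntp_ts(reply.recv_ts),
                                         from_ntp_ts(reply.tx_ts), t4)
        results.append((offset, delay, exchange_ok(offset, delay)))
        client_clock += 8.0                             # shortest poll interval in the report
    return all(passed for _, _, passed in results), results


if __name__ == "__main__":
    synced, rounds = synchronize(server_ahead_by=0.5, network_delay=0.1)
    for offset, delay, passed in rounds:
        print(f"offset={offset:+.6f}s delay={delay:.6f}s ok={passed}")
    print("synchronized:", synced)
```

With a symmetric path the recovered offset equals the server's true lead and the delay equals the full round trip, which is why the report can call the offset the quantity that decides whether synchronization proceeds; an asymmetric path shows up as error in the offset, not in the delay.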
Normal operation for NTP is very similar to the synchronization process. NTP uses UDP/IP packets exclusively for information transfer and has designated port 123 as the official NTP port. The client and server use the same request/receive format as detailed above, with both the client and server adding NTP timestamps to the packet until they are all finally collected by the client. After synchronization though, the offset value calculated using the timestamps is run through an algorithm and then used to adjust the system clock and frequency of the client. The only other important difference between synchronization and normal operation is that in normal operation, the frequency of exchanges decreases with each successful exchange until eventually, exchanges occur only once every 36 hours.
In order to make use of NTP, all that is required for clients is that they download the current NTP distribution. The distribution installs several programs, the most important of which are ntpd (NTP daemon), ntpq (NTP query), and ntpdate. ntpd is an operating system daemon which deals with the regular operation of NTP, namely synchronization and normal operation polling intervals. It is capable of setting the system clock and frequency after it has successfully synchronized with an NTP server. ntpq is a utility program used mainly to check the status of an NTP connection and diagnose connection issues. Finally, ntpdate is used to retrieve the date from an NTP server and set the system clock without having to go through the synchronization process. Only one query/reply exchange is run by ntpdate, and the result of the query is automatically used to set the system clock. ntpdate, like ntpq, is mainly used for debugging purposes.
Authenticated NTP:
Authenticated NTP was introduced in order to ensure the security of timing information across computer networks. Many control systems have very small tolerances when it comes to time synchronization, so even small discrepancies between the various devices' times can cause catastrophic failure. Since the only form of security which the base form of NTP offers is protection from packet loss and replays, Authenticated NTP was added as an addition to NTP in order to provide some measure of security.
The main advantage of using Authenticated NTP is the incorporation of an Autokey public key algorithm. The Autokey authentication scheme involves the use of digital certificates to verify a chain of verified NTP servers and a public key cryptography scheme. At the start of every Authenticated NTP session, clients request a series of digital certificates. The chain of certificates starts with a Trusted Host (TH), usually a Stratum 1 server. The TH's certificate is self-signed, and so represents the start of the certificate chain. Any Stratum 2 servers connected to a TH in turn receive a certificate signed by the TH. Stratum 3 servers receive certificates signed by the Stratum 2 servers they are connected to, and so on. NTP clients receive a copy of each certificate in the chain leading back to the TH from which the timing information is derived.
Once the certificate chain has been resolved, NTP clients request a cookie from the server. Cookies are 32 bit sequences generated using a client's public key and a server's private key and are used to authenticate packets sent from the client. In addition to using its own private key to generate the cookie, servers use a sequence called the server seed in the formation of the cookie. The server seed is not shared with the public and so represents a secret known only to the server. This fact is important because it means the server seed is the only piece of information used to authenticate packets which cannot be gathered simply by monitoring network traffic between an NTP client and an NTP server.
The Autokey authentication process is detailed in the figure below:
As previously mentioned, the cookie is a 32 bit sequence generated using the client public key, the server private key, and the server seed. It has the following format:
Cookie = MSBs32(H(Client-IP || Server-IP || 0 || ServerSeed)), e.g.
Cookie = EClient(MSBs32(H(Client-IP || Server-IP || 0 || ServerSeed)))
Remark: || = concatenation, H = hash function (MD5 or SHA1)
Remark: The server is stateless and has to recalculate the cookie whenever a client contacts it.
Remark: The ServerSeed is 32 bits long. It is shared for all client cookies and changed every 24 hrs.
During normal NTP operation, the cookie is incorporated into the NTP packet in order to authenticate the source:
NTP Packet = NTP-Payload || KeyId || MAC
Remark: the NTP payload is not encrypted and is easily readable.
Message Authentication Code (MAC) = H(Autokey || NTP-Payload)
KeyId is 128 bits long and picked by the client at the start of every NTP session.
Autokey is 128 bits long and calculated as follows:
Autokey = H(Sender-IP || Receiver-IP || KeyID || Cookie)
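The cookie, Autokey and MAC constructions above, written out as an added example (not the report's own code), together with the verification a stateless server performs on an incoming client packet. The byte encodings, the choice of MD5 for H, and the IP, seed and KeyId values are assumptions constructed for this example.

```python
"""Added example, not from the original report: the cookie, Autokey and
MAC constructions as the report states them, and the check a server
performs on a client packet. Encodings are assumptions (constructed):
H is MD5, IPs are 4 packed bytes, the literal 0 is one zero byte,
ServerSeed and Cookie are 4-byte big-endian, KeyId is 16 bytes."""
import hashlib
import hmac
import ipaddress

H = hashlib.md5              # report allows MD5 or SHA1; MD5 chosen here
KEYID_LEN = 16               # KeyId is 128 bits per the report
MAC_LEN = H().digest_size    # 16 bytes for MD5


def _ip(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed


def make_cookie(client_ip: str, server_ip: str, server_seed: int) -> int:
    """Cookie = MSBs32(H(Client-IP || Server-IP || 0 || ServerSeed))."""
    data = _ip(client_ip) + _ip(server_ip) + b"\x00" + server_seed.to_bytes(4, "big")
    return int.from_bytes(H(data).digest()[:4], "big")   # 32 most significant bits


def make_autokey(sender_ip: str, receiver_ip: str, key_id: int, cookie: int) -> bytes:
    """Autokey = H(Sender-IP || Receiver-IP || KeyID || Cookie)."""
    data = (_ip(sender_ip) + _ip(receiver_ip)
            + key_id.to_bytes(KEYID_LEN, "big") + cookie.to_bytes(4, "big"))
    return H(data).digest()


def make_mac(autokey: bytes, payload: bytes) -> bytes:
    """MAC = H(Autokey || NTP-Payload)."""
    return H(autokey + payload).digest()


def build_packet(client_ip: str, server_ip: str, key_id: int,
                 cookie: int, payload: bytes) -> bytes:
    """NTP Packet = NTP-Payload || KeyId || MAC, as sent by the client."""
    autokey = make_autokey(client_ip, server_ip, key_id, cookie)
    return payload + key_id.to_bytes(KEYID_LEN, "big") + make_mac(autokey, payload)


def server_verify(packet: bytes, client_ip: str, server_ip: str,
                  server_seed: int) -> bool:
    """The stateless server recomputes the cookie from its seed and the
    two addresses, rebuilds the Autokey from the KeyId carried in the
    packet, and compares MACs in constant time."""
    if len(packet) < KEYID_LEN + MAC_LEN:
        return False
    payload = packet[:-(KEYID_LEN + MAC_LEN)]
    key_id = int.from_bytes(packet[-(KEYID_LEN + MAC_LEN):-MAC_LEN], "big")
    received_mac = packet[-MAC_LEN:]
    cookie = make_cookie(client_ip, server_ip, server_seed)
    expected = make_mac(make_autokey(client_ip, server_ip, key_id, cookie), payload)
    return hmac.compare_digest(received_mac, expected)


# Constructed sample values (documentation-range IPs, made-up seed and KeyId)
CLIENT_IP, SERVER_IP = "192.0.2.10", "192.0.2.1"
SERVER_SEED = 0x1234ABCD
KEY_ID = 0x0123456789ABCDEF0123456789ABCDEF
PAYLOAD = b"constructed NTP payload (cleartext, as the report notes)"
```

Because only the 32-bit cookie separates a valid MAC from an invalid one, a server that sees MAC failures from one client address at a high rate has a useful detection signal.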
The Autokey authentication scheme is not invulnerable. One particular exploit which was discovered by computer science academics recently takes advantage of the fact that the cookie, which contains the only bit of information which can't be collected by observing normal NTP traffic, is only 32 bits long. An attacker who attempts to brute force this sequence by bombarding the server with bogus requests can successfully guess the cookie in about 10 minutes. Demonstrating this particular exploit was the subject of our project, so I will describe how such an attack is conducted.
In this attack, we assume that an NTP connection has been established between a client and a server, that the Autokey authentication sequence has already occurred, and that the client is already synchronized to the server. When a MitM enters the scene and begins to sniff the packets being exchanged between the client and server, three pieces of information are readily available to him. By just sniffing the UDP packets exchanged by the client and server, the MitM can determine the client's IP address, the server's IP address, and the key ID. Since the ultimate goal of the MitM is to convince the client that it is the legitimate NTP server so that it can feed the client false timing information, the only piece of information the MitM needs at this point in order to masquerade as the server is the cookie. The cookie is not easily readable by the MitM because it is run through a hash function to create the Autokey sequence and then through another hash function to create the MAC. Since hash functions are one-direction calculations, it would take a tremendous amount of effort to determine the cookie from the MAC.
However, the cookie is only 32 bits long. Knowing this, the MitM can use the information he's already gathered through sniffing network traffic to forge NTP client requests for the current time. The MitM's goal at this point is to keep sending forged client requests until he brute forces, or guesses correctly through trial and error, the cookie sequence. It was estimated by my advisor that the process of brute forcing the cookie would only take about 10 minutes.
Once the attacker manages to determine the correct cookie sequence, the only thing left to do is to perform an ARP poisoning attack so that all requests aimed at the legitimate NTP server are instead directed at the attacker's machine. There are many applications readily available on the web to perform ARP poisoning attacks, so this is not a particularly difficult feat. However, once the ARP poisoning attack is complete, the MitM is free to feed the NTP client whatever timing information he wants to and thereby wreck systems which rely on accurate time synchronization.
A diagram of this kind of attack is given below:
Stage 1:
During the initial planning stages of this project, our group decided that the project would be broken up into two distinct stages, Stage 1 and Stage 2. The objective of Stage 1 was to set up a testing environment in which we could later execute a MitM attack which demonstrated the security flaw in Authenticated NTP detailed previously.
I was responsible for planning out and completing Stage 1. My initial plan for Stage 1 involved establishing an NTP connection between two virtual machines and then monitoring the NTP traffic passing between them using Wireshark, a packet sniffing program, installed on the host OS (see diagram at right).
My decision to use virtual machines for Stage 1 was influenced by three factors. First, I have had a great deal of experience setting up and using virtual machines in my previous internships, so I was confident in my ability to set Stage 1 up quickly. Second, I wanted to contain the project entirely within my laptop so that my partner and I could work on the project without having to worry about when the labs were open. Third, I knew from previous experience that virtual machines are very easy to manipulate and the ability to create snapshots of their current state would allow us to recover after errors far more quickly than if we had used separate computers for each of the elements in Stage 1.
To create the virtual machines and the virtual network which would bind Stage 1 together, I used a piece of software called VMware. VMware allows users to create virtual machines (VMs) from disk images and manage them with various tools and features. The most important management tool for our purposes was the snapshot tool, which allowed us to save the current state of the virtual machine and recover back to previous ones if an error arose. VMware also provides the capability to set up virtual networks. Three default virtual networks are created by VMware upon installation: a host-only network, a NAT network, and a bridged network. When a VM is created, the user can choose which virtual network to connect the VM to. VMware will automatically create a virtual network adapter connecting the VM to the desired virtual network once the installation process is complete. VMware also creates a virtual DHCP server for each of the three networks to assign IP addresses to all machines participating in each network.
In the VMware documentation, it says that whenever a VM is connected to one of the three default virtual networks, the VM is automatically connected to the virtual switch assigned to that network. However, I figured out early on through researching VMware that the virtual switch the documentation says it connects VMs to in reality operates like a virtual hub. This is because, like a hub, this virtual switch automatically copies all incoming packets and sends a copy out to all of the machines connected to it. This is important to note since it plays a key role in the operation of Stage 1.
I chose to set up Stage 1 on the default NAT network since it was the only default network which would allow VMs to have access to the external network and to the host OS. In the default bridged network, the host OS is not given a virtual network adapter, and so cannot be accessed by the VMs participating in the network. The host-only virtual network is also limited in that it cuts off VMs from the external network. Since NTP servers must receive timing information through a server chain leading back to a Stratum 1 server, the NTP server which I would set up had to have access to the external network. Bridged networking was rejected because I did not want to have to create more VMs than necessary, so the default virtual NAT network was the only option left.
Once it was set up, Stage 1 would consist of two virtual machines and the host operating system. One of the virtual machines would run the NTP server application and receive timing information from an established NTP server at National University of Ireland Galway (NUI Galway) by accessing the external network through the NAT device. The second VM would be set up as an NTP client, and receive timing information from the other VM. Wireshark would then be installed on the host OS and would monitor all network traffic on the virtual network. The reason that Wireshark would be able to see all traffic on the virtual network is because the virtual hub at the center of the network would copy every packet routed through it to the host OS, effectively allowing Wireshark to "see" the traffic between the NTP client and the NTP server.
This setup would serve as a jumping off point for Stage 2 since, if Wireshark could indeed see all of the network traffic on the virtual network, then we could eventually replace Wireshark with a MitM-style attacker. The exploit described earlier only requires that the attacker be able to sniff the NTP packets travelling between the client and server and be able to inject packets into the network. If Wireshark could see the packets an attacker would want to sniff, then we could eventually replace Wireshark with the attacker.
Stage 2:
In Stage 2, our group would modify Stage 1 and demonstrate the Authenticated NTP exploit detailed in the "Authenticated NTP" section. Though we did not ultimately complete Stage 2, I researched how it could be achieved.
My plan was to download a piece of software called Scapy onto the host OS. Scapy is a program capable of packet sniffing as well as custom packet creation and injection. Users interact with Scapy through Python code, allowing the user to fine tune its functions. A Python script could theoretically be written to perform all of the functions of the attacker, such as sniffing the NTP traffic between the client and server to pick up easily available information and crafting bogus requests in order to brute force the cookie. To perform the ARP poisoning attack following the determination of the cookie, another piece of open source software, Ettercap, could be used. Ettercap is a network security tool with a wide range of features for conducting MitM attacks on local area networks. One such feature allows users to quickly perform ARP poisoning attacks and thereby redirect network traffic destined for one machine to another.
Once the cookie was determined using Scapy and an ARP poisoning attack conducted using Ettercap, we could then use Scapy to feed the NTP client false timing information. This would be achieved by crafting NTP packets using the public information determined earlier, the known Autokey hash functions, the cookie, and whatever NTP payload we chose. The client would then set its clock using the falsified timing information, marking the successful completion of the MitM attack.
Progress:
During the first week and a half of the project, Declan and I performed a great deal of research and I attempted to get Stage 1 up and running. Since Declan hadn't been exposed to computer networking previously, I developed a list of topics in computer networking which he could investigate in order to help him understand our project. While he worked on that for the first week and a half, I took charge of planning how Stage 1 would work and planned out how I would set it up. I familiarized myself with VMware, especially how the virtual networks it creates work, and did some preliminary research into how NTP works to inform my planning.
Once I had begun to set up Stage 1 however, I began to run into the bugs that would plague me for weeks afterwards. Many of these issues were resolved by learning how to add and modify rules in Fedora 19's kernel firewall, known as iptables, and how to add exceptions to Windows Firewall. This research got me to the point where both of the Fedora 19 virtual machines I had set up were able to ping one another, and both of the VMs were able to ping the host OS.
The real trouble began when I attempted to set up an NTP server on one of the VMs. As previously mentioned, NTP has a hierarchical structure, meaning that all NTP servers are connected back to a Stratum 1 server through a chain of servers. My first attempts at synchronizing my server to an established NUI Galway NTP server did not succeed, forcing me to delve deeper into the NTP documentation. I spent a week learning how to diagnose NTP connections with the ntpq and ntpdate commands, but still could not figure out why I was unable to synchronize my server with the NUIG NTP server.
At this point, I called upon Michael Schukat for advice. He theorized that my NTP server was unable to receive replies from the NUI Galway NTP server because their NTP server existed outside the university firewall. The replies which the NUI Galway NTP server sent back to my server were being intercepted by the firewall. To fix this, Michael brought down a cellular router which would allow my laptop to connect to the internet over the local cellular network. This way, I could bypass the university firewall and contact the NUIG server directly.
The use of the cellular router allowed my server to successfully synchronize with the NUIG server after several days of trial and error. However, this was not a long-term solution since Michael had only purchased one gigabyte of data for the cellular router and I was fast approaching the limit during testing. Hugh Melvin stepped in at that point and set up an NTP server within the NUIG firewall with the hopes that I could synchronize with that over the NUIG campus wifi without worrying about the campus firewall.
Synchronization between my NTP server and Hugh's NTP server did not occur over the next week of testing. Michael was away that week and Hugh Melvin had pressing matters to attend to, so I was left to try to debug the issue myself. Several days of testing various NTP configuration file setups and trawling the internet for answers led to an important discovery. Once I had begun to explore the various options which could be appended onto the ntpq and ntpdate commands, I discovered that I was able to retrieve the date from Hugh's NTP server by specifying that the request be sent over an unrestricted port. Any port number above 1024 is considered unrestricted and any port number below or including 1024 restricted. Since NTP normally sends requests from port 123, adding the -u option to the ntpdate command forced the request to be sent on an unrestricted port number, and for an unknown reason, that allowed me to retrieve the date. After consulting both Hugh Melvin and Professor Chuah about this, I was led to believe that the issue lay somewhere in VMware's setup of the virtual network.
I studied the VMware documentation and internet forums for several days but could not find an answer. I did however learn how the NAT device which allowed the VMs to connect to the external network worked, and even learned how to add custom rules to the NAT device. When adding custom rules failed to produce results, I resigned myself to the fact that the VMware documentation was not detailed enough for my purposes and that I would have to rethink how I was going to set up Stage 1.
My new plan for Stage 1 involved switching the roles of the VMs and the host OS. Instead of trying to synchronize an NTP server on a VM to an NUIG NTP server, I decided instead to set up an NTP server on my host OS and then have one of the VMs receive timing information from that. I had discovered that while the VMs were having difficulty synchronizing to the NUIG NTP servers, my host OS was able to synchronize with Hugh's server with no difficulty whatsoever. This finding, combined with the discovery of a piece of open source software which was supposed to fix time synchronization issues across NAT devices, led me to believe that this setup would work.
The role of the attacker would therefore be switched over to the second VM since it would be able to monitor all of the network traffic between the NTP client VM and the host OS just as easily as the host OS was able to monitor the traffic between the two VMs. A diagram of this setup is included here:
After two days of tweaking and troubleshooting, I managed to synchronize the NTP client VM with my host OS, and running Wireshark inside the second VM proved that it could indeed see the NTP traffic passing between the NTP client VM and the host OS. Stage 1 was now complete.
The setup of Stage 1 took until the 15th of July, leaving us with less than a week to work on Stage 2. With the remaining time, I researched what pieces of software would be necessary to complete Stage 2 and how to create custom network packets. I did not ultimately finish Stage 2, but I had a very firm idea by the end of how I would complete it.
As a final note on the work that I did this summer, I also took responsibility for planning out the final presentation which Declan and I gave to Michael Schukat and Hugh Melvin and wrote ten of the thirteen slides involved in the PowerPoint, including two explanatory diagrams.
Summary:
During the seven weeks spent working on this project, my partner and I put in a great deal of effort towards achieving our project objectives. Though we did not ultimately realize our goal of demonstrating a security flaw in Authenticated NTP, we made important gains in many areas. Both Declan and I learned a great deal about Network Time Protocol, computer networking, and various software tools during the course of the project. The long and arduous troubleshooting process I went through to complete Stage 1 left me with an in-depth understanding of how the NTP programs work, how VMware's virtual networks are set up, and how to diagnose network connection issues. In addition, I was also exposed to the inner workings of Authenticated NTP and planned out how our group would go about performing a MitM-style attack.
Thanks to all of the support we received from Michael Schukat, Hugh Melvin, and Professor Chuah, Declan and I were able to showcase a functional Stage 1 at the end of the summer and demonstrate a firm understanding of how the system worked. We have also left the project in such a way that it can be continued in the future by NUI Galway students. Future work on the project by such students will most likely include the completion of Stage 2, so though our time with the project has come to a close, the work that we have done will help to educate the computer science students which follow behind us.