<html>
<head>
<title>Correlation and Mitigation using SDN Lab</title>
<link rel='stylesheet' type='text/css' href='css/skeleton.css' media='screen'/>
<link rel='stylesheet' type='text/css' href='css/skeleton.css' media='print'/>
<script src='js/jquery.js'></script>
<script src='js/main.js'></script>
</head>
<body>
<div class="container">
<center>
<div id='header'>
<div id='header_info'>
<h1 id='logo_cyber'>Cyberpaths</h1>
</div>
</div>
<div id='site_body'>
<div id='actual_content'>
<div id='main_title'><h5>- Correlation and Mitigation using SDN Lab -</h5></div><br>
</center>
<br><div class='title_bg'><h3>Lab Goals</h3><hr></div>
<div class='subcontent'>
<ol class='instructions'>
<li>To get you acquainted with Software Defined Networking (SDN) concepts</li>
<li>To analyze Snort alerts in real time. </li>
<li>To study traffic flow rules and understand them.</li>
</ol>
</div>
<br><div class='title_bg'><h3>Quick introduction to Software Defined Networks (SDN)</h3><hr></div>
<div class='subcontent'>
<ol class='instructions'>
This lab uses a powerful network architecture, Software Defined Networking (SDN). SDN is a flexible, agile, and fully programmable network paradigm. OpenFlow is the framework that offers this standardization and programmability for the software switches used in SDN architectures.
In the SDN architecture the data (forwarding) plane and the control plane are separated, offering a logically centralized controller that is easy to program
and, as you will see in the lab that follows, can instruct the OpenFlow virtual switch to change its configuration in real time.
In our case the controller instructs the switch to drop the malicious flow of the Denial of Service attack. Furthermore, the controller can offer
useful information about the network, i.e., information about the flows going through the switch, including source and destination IP addresses, source and destination MAC addresses, ports, and other useful statistics. The following videos give a good introduction to SDN and OpenFlow:
<ul>
<li><a href='https://www.youtube.com/watch?v=DiChnu_PAzA' target='_blank'>Intro to SDN</a> </li>
<li><a href='https://www.youtube.com/watch?v=rYW7kQRyUvA' target='_blank'>Intro to OpenvSwitch</a></li>
<li><a href='https://www.youtube.com/watch?v=l25Ukkmk6Sk' target='_blank'>Intro to OpenFlow</a></li>
<li><a href='https://www.youtube.com/watch?v=FyV4MoQ3T0I' target='_blank'>OpenFlow Flow Entries</a></li>
</ul>
We have given a <a href='http://www.cs.unc.edu/Research/geni/geniEdu/v08-Dos.html' target='_blank'>webinar</a> that explains in detail the code and research behind this lab. You are strongly encouraged to watch it.
</ol>
</div>
<br><div class='title_bg'><h3>Preliminary steps, RSpec, and Python code you will need for this lab</h3><hr></div>
<div class='subcontent'>
<ul class='instructions'>
<li>Complete the <a href='http://mountrouidoux.people.cofc.edu/CyberPaths/intrusiondetectionsystem_v2.html' target='_blank'>Intrusion Detection Lab</a></li>
<li><a href='http://mountrouidoux.people.cofc.edu/CyberPaths/files/IDS_Lab_Hard_rspec.txt' target='_blank'>RSpec</a></li>
<li><a href='http://mountrouidoux.people.cofc.edu/CyberPaths/files/analyze.py' target='_blank'>analyze.py</a></li>
<li><a href='http://mountrouidoux.people.cofc.edu/CyberPaths/files/correlate.py' target='_blank'>correlate.py</a></li>
<li><a href='http://mountrouidoux.people.cofc.edu/CyberPaths/files/mitigate.py' target='_blank'>mitigate.py</a></li>
</ul>
</div>
<br><div class='title_bg'><h3>Part 1: analyze.py - Installing, Understanding and Running</h3><hr></div>
<div class='subcontent'>
<ol class='instructions'>
<li><b>Installing analyze.py</b><br><br>
<ul>
<li>Connect to the "Monitor" node through SSH</li>
<li>Execute the following command: <code>cd /opt/</code></li>
<li>Now open the analyze.py file that was provided to you in a text editor (such as Notepad, Notepad++, etc.) and edit the line that contains "<b>HOST = '<b style='color:red;'>172.17.2.2</b>'</b>" (line 71, to be exact), setting the constant HOST to the IP of your Controller (the one you figured out in the set-up portion of the lab).<br><br>Then create the file analyze.py on the Monitor by executing the following command:
<ul>
<li><code>sudo nano analyze.py</code></li>
<li>Your terminal should look like this:<br><center><img class="u-max-full-width" src='img/screenshots/Screenshot_33.png'></center></li>
<li>Now copy everything from the analyze.py you have in the text editor (where you modified the constant HOST) and paste it into your terminal (to paste in the terminal, simply right-click). Your terminal should now look like this:<br><center><img class="u-max-full-width" src='img/screenshots/Screenshot_34.png'></center></li>
<li>Now press Ctrl + X</li>
<li>Press Y</li>
<li>Press Enter</li>
</ul>
</li>
</ul>
</li>
<li><b>Understanding what analyze.py does</b><br><br>
<ul>
<li>Read the python code. What do you think this script is doing? What are its main parts?</li>
<li>How does the script read a tcpdump (copy and paste the command)? What information does it extract?</li>
<li>Copy and paste into your report the line of code that sends information to the correlator. What does the monitor send to the correlator? Why do you think it sends this information?</li>
</ul>
</li>
<li><b>Running analyze.py - Execute the following commands:</b><br><br>
<pre><code>cd /opt/
sudo python analyze.py</code></pre>
That is how you make analyze.py run!
</li>
</ol>
</div>
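<div class='subcontent'>
<p>The monitor's job, as described above, is to turn Snort's real-time alerts into messages for the correlator. The following is an added example (not the lab's analyze.py) that parses lines in Snort's <code>-A fast</code> alert format, the format produced by the Snort command used in Part 4, and serializes the fields a monitor would forward. The sample alert lines are constructed; the message layout (a JSON object with a <code>"type": "alert"</code> field) is an assumption, not the lab's wire format.</p>

```python
import json
import re

# Constructed sample lines in Snort's "-A fast" alert format (not output from the lab's Monitor).
SAMPLE_ALERTS = """\
05/14-10:21:03.120411  [**] [1:1000001:1] Possible TCP SYN flood [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 10.10.1.5:4321 -> 10.10.1.2:80
05/14-10:21:03.220733  [**] [1:1000001:1] Possible TCP SYN flood [**] [Priority: 2] {TCP} 192.0.2.77:5555 -> 10.10.1.2:80
05/14-10:21:04.000000  not an alert line, e.g. a stray tcpdump line
"""

# One regex for the whole fast-alert line; the Classification block is optional in Snort's output.
FAST_ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_fast_alert(line):
    """Return the alert's fields as a dict, or None when the line is not a fast alert."""
    m = FAST_ALERT.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "type": "alert",  # assumed message shape: lets the receiver check it really got an alert
        "timestamp": d["ts"],
        "sid": int(d["sid"]),
        "msg": d["msg"],
        "classification": d["cls"],
        "priority": int(d["prio"]),
        "proto": d["proto"],
        "src_ip": d["src"],
        "src_port": int(d["sport"]) if d["sport"] else None,
        "dst_ip": d["dst"],
        "dst_port": int(d["dport"]) if d["dport"] else None,
    }


def build_monitor_messages(text):
    """Parse every line and return the JSON messages a monitor would forward, one per real alert."""
    messages = []
    for line in text.splitlines():
        alert = parse_fast_alert(line)
        if alert is not None:
            messages.append(json.dumps(alert, sort_keys=True))
    return messages
```

Non-alert lines (tcpdump output, Snort start-up banners) are dropped rather than forwarded, which is the check the correlator relies on when it confirms that incoming data is indeed an alert.
</div>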
<br><div class='title_bg'><h3>Part 2: correlate.py - Installing, Understanding and Running</h3><hr></div>
<div class='subcontent'>
<ol class='instructions'>
<li><b>Installing</b><br><br>
<ul>
<li>Connect to the Controller node through SSH</li>
<li>Execute the following commands:<br><br>
<pre><code>cd /opt/
sudo nano correlate.py</code></pre></li>
<li>Now open, in a text editor as you did for Part 1, the correlate.py file that was provided to you. Edit the line that contains <code><b>ovsAddress = '<b style='color:red;'>172.17.2.16</b>'</b></code> and set the variable to the IP of the OVS (you can find this by running "ifconfig" on the OVS; the IP shown on eth0 is the IP of the OVS).<br><center><img class="u-max-full-width" src='img/screenshots/Screenshot_36.png'></center></li>
<li>Copy everything from the text editor and paste it into the terminal (as you did for Part 1)</li>
<li>Now press Ctrl + X</li>
<li>Press Y</li>
<li>Finally, press Enter</li>
</ul>
</li>
<li><b>Understanding</b><br><br>
<ul>
<li>The correlator script starts by setting up an initial flow table of the network by running a flow dump on the OVS IP address. Copy and paste the code that creates this flow table.</li>
<li>Next, the script checks the information from the monitor, first making sure the incoming information is indeed an alert. Copy and paste this code. What else does the script look for in the data sent from the monitor? Why?</li>
<li>How does the correlator verify that an attack has occurred? Is there any case in which the monitor sent a false alert? Explain your answer.</li>
<li>The script then verifies that each flow from the flow dump correlates with what is already established within our flow table.</li>
<li>If the script finds an inconsistency between our flow table and the flow dump, it either calls the mitigator script, mitigate.py (if the port number from the flow dump is associated with a different IP address), or adds the new flow to our flow table (if the port number from the flow dump is not in our flow table).</li>
</ul>
</li>
<li><b>Running - Execute the following commands:</b><br><br>
<pre><code>cd /opt/
sudo python correlate.py</code></pre>
That is how you make correlate.py run!
</li>
</ol>
</div>
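<div class='subcontent'>
<p>The correlator logic described in the "Understanding" questions above (baseline flow table from a flow dump, alert check, then mitigate or learn for each flow) is shown here as an added example; it is not the lab's correlate.py. The flow dumps are constructed in the <code>ovs-ofctl dump-flows</code> OpenFlow 1.0 style, the alert is assumed to be a dict with a <code>"type": "alert"</code> field, and the result is the list of (port, IP) pairs that would be handed to the mitigator.</p>

```python
import re

# Constructed `ovs-ofctl dump-flows` output in the OpenFlow 1.0 / NXST_FLOW style (not from the lab's OVS).
# Baseline taken when the correlator starts: one source IP is established per switch port.
BASELINE_DUMP = """\
NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=30.1s, table=0, n_packets=40, n_bytes=3920, priority=1,ip,in_port=1,nw_src=10.10.1.1,nw_dst=10.10.1.2 actions=output:2
 cookie=0x0, duration=30.0s, table=0, n_packets=38, n_bytes=3724, priority=1,ip,in_port=2,nw_src=10.10.1.2,nw_dst=10.10.1.1 actions=output:1
 cookie=0x0, duration=29.8s, table=0, n_packets=12, n_bytes=1176, priority=1,ip,in_port=3,nw_src=10.10.1.3,nw_dst=10.10.1.2 actions=output:2
"""
# Dump taken after an alert: port 3 now sources a spoofed address, port 4 was never seen before.
ALERT_TIME_DUMP = """\
NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=45.1s, table=0, n_packets=60, n_bytes=5880, priority=1,ip,in_port=1,nw_src=10.10.1.1,nw_dst=10.10.1.2 actions=output:2
 cookie=0x0, duration=2.0s, table=0, n_packets=9000, n_bytes=540000, priority=1,ip,in_port=3,nw_src=198.51.100.9,nw_dst=10.10.1.2 actions=output:2
 cookie=0x0, duration=1.0s, table=0, n_packets=3, n_bytes=294, priority=1,ip,in_port=4,nw_src=10.10.1.4,nw_dst=10.10.1.2 actions=output:2
"""
FLOW_FIELDS = re.compile(r"in_port=(?P<port>\d+).*?nw_src=(?P<src>[\d.]+)")

def parse_flow_dump(dump):
    """Return (in_port, nw_src) for each flow entry carrying both fields; other lines are skipped."""
    pairs = []
    for line in dump.splitlines():
        m = FLOW_FIELDS.search(line)
        if m:
            pairs.append((int(m.group("port")), m.group("src")))
    return pairs

def build_flow_table(dump):
    """Initial flow table: switch port -> the source IP established on that port at start-up."""
    table = {}
    for port, src in parse_flow_dump(dump):
        table.setdefault(port, src)
    return table

def is_alert(message):
    """Act only on messages that are really alerts (assumed dict shape, not the lab's format)."""
    return isinstance(message, dict) and message.get("type") == "alert" and "src_ip" in message

def correlate(table, message, current_dump):
    """Compare a fresh flow dump against the table; return (port, ip) pairs for the mitigator."""
    to_mitigate = []
    if not is_alert(message):
        return to_mitigate
    for port, src in parse_flow_dump(current_dump):
        if port not in table:
            table[port] = src                 # unknown port: learn the new flow
        elif table[port] != src:
            to_mitigate.append((port, src))   # known port now sourcing a different IP
    return to_mitigate
```

Note that a message that is not an alert leaves the table untouched and triggers nothing, and that the new port 4 is learned rather than mitigated, matching the two branches the questions above ask you to find in the script.
</div>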
<br><div class='title_bg'><h3>Part 3: mitigate.py - Installing, Understanding and Running</h3><hr></div>
<div class='subcontent'>
<ol class='instructions'>
<li><b>Installing</b><br><br>
<ul>
<li>Open another SSH connection to the Controller</li>
<li>Execute the following commands:<br>
<pre><code>cd /opt/
sudo nano mitigate.py</code></pre>
</li>
<li>Open in a text editor the mitigate.py file you were provided, and edit the line that contains <code><b>ovsAddress = '<b style='color:red;'>172.17.2.16</b>'</b></code> (line 10). Set the variable to the IP of your OVS (the one you found in the previous part of the lab)</li>
<li>Copy everything from the mitigate.py file that you edited in the text editor</li>
<li>Then paste it into the terminal with a right-click</li>
<li>Use Ctrl + X</li>
<li>Press Y</li>
<li>Hit Enter</li>
</ul>
</li>
<li><b>Understanding</b><br><br>
<ul>
<li>What is the function of the mitigator script? Research the OpenFlow commands that are used in the script and explain what they do.</li>
</ul>
</li>
<li><b>Running mitigate.py</b><br><br>
<ul>
<li>You do <b style='color:red;'>not</b> need to run any commands for mitigate.py, because correlate.py executes it automatically through the following line of code:
<pre><code>os.popen('sudo python mitigate.py ' + str(targetPort) + ' ' + str(targetIP), shell=True)</code></pre></li>
</ul>
</li>
</ol>
</div>
<br><div class='title_bg'><h3>Part 4: Experimenting - Running an Internal Attack</h3><hr></div>
<div class='subcontent'>
<ol class='instructions'>
An internal attack means that the attack is coming from machines connected directly to the network switch. We will be running such an attack in order to see how correlation and mitigation take place on an internal attack.<br><br>
In order to see correlation and mitigation in action, we must first make the OVS duplicate (mirror) the network traffic to our Monitor; this is set up from the Controller and allows our Monitor to view the traffic of the network.<br><br>
<li>To duplicate the traffic you first need to figure out the interface (like eth1, eth2, ...) on the <b style='color:red;'>OVS</b> that corresponds to the <b>Monitor</b> (you can use the GENI topology visualizer and "ifconfig" for this), and then execute the following commands on the <b>Controller</b> to start the duplication:<br><br>
<pre><code>cd pox
./pox.py --verbose DuplicateTraffic --duplicate_port=<b style='color:red;'>&lt;interface on the OVS that corresponds to the monitor&gt;</b></code></pre>
</li>
<li>
Now, to start Snort, you first need to figure out the interface on the Monitor that corresponds to the OVS. You can figure this out by running "ifconfig" on the Monitor and comparing the IPs with the link between the Monitor and the OVS. Once you have figured this out, execute the following command in the Monitor's terminal:<br><br>
<pre><code>sudo snort -c /etc/snort/snort.conf -A fast -i <b style='color:red;'>&lt;interface on the Monitor that corresponds to the OVS&gt;</b></code></pre>
</li>
<li>Now, we need to simulate normal traffic on our network to have something against which we can compare the DDoS attack. To simulate traffic on the network we will use <a href='https://www.iperf.fr'>iPerf</a>. iPerf requires a Server and a Client to generate traffic, so we will use the Victim as the Server and the User as the Client.
To start the server on the <b style='color:red;'>Victim</b>, execute the following command:<pre><code>iperf -s</code></pre>
Now go ahead and start the scripts that you installed in Parts 1 and 2, so that whenever Snort detects a DDoS attack they mitigate it. Start the scripts in the following order: correlate.py (on the Controller) and then analyze.py (on the Monitor). For instructions on how to start these scripts, refer to the "Running" portion of Parts 1 and 2.<br><br>
To start the traffic simulation, we now need to make the iPerf client start communicating with the Server. We will start a communication that lasts two minutes (120 seconds) with the following command on the <b style='color:red;'>User</b>:<br><br>
<pre><code>iperf -c victim -t 120</code></pre>
</li>
<li>
Finally, time to run the attack! To run the attack, go to the terminal of the Attacker and execute the following command:<br><br>
<pre><code>sudo timeout -sHUP 20s hping3 -i ul -S --flood --rand-source -p 80 victim</code></pre>
</li>
<li><b>Trust but verify!</b><br><br>
<ul>
<li>First, you will need to verify whether messages were sent from the monitor to the correlator. How can you verify this? Think creatively: look at analyze.py and consider the data that would prove that the monitor sent an alert.</li>
<li>Next, you should verify whether the correlator received anything. Again, think about the traffic, about correlate.py, and about how you can use code and networking tools to verify that everything has worked.</li>
<li>Finally, you will need to verify whether the attacker was blocked. You need to place all of the above evidence (screenshots, logs, code changes) in your report.</li>
</ul>
</li>
</ol>
</div>
</div>
</div>
</div>
</body>
</html>