docDocument 6531045
download 
Report Transcription
Document 6531045
Monosek API Calls and Sample Applications for Educational and Research Institutes nd th th Office: # 35,2 Floor, 8 Main, 16 Cross, Malleswaram , Bangalore – 560055 Telefax: 91- 80 – 23561866, Telephone: 91 – 80 – 41204434 www.ncs-in.com Table of Contents 1 Sample Applications 1.1 Detection of TCP SYN flooding 1.2 Detection of UDP Flooding 1.3 Detection of IP-Spoofing 1.4 Estimation of Throughput of the network 1.5 Filtering of Packets 1.6 Routing Protocol 1.7 Finding of Round Trip Time 1.8 DNS 2 Example API Functions 2.1 int is_TCP_SYN_pkt (char *pbuf) 2.2 int is_ICMP_pkt (char *pbuf) 2.3 int get_routing_protocl (char *pbuf) 2.4 int get_pkt_time (char *pbuf) 2.5 int get_dns_flag(char *pbuf) 2.6 A few other API Functions Purpose of this Document: This document lists a few typical applications that can be written by students in C or C++ around our Monosek card using C callable API functions provided by us. nd th th Office: # 35,2 Floor, 8 Main, 16 Cross, Malleswaram , Bangalore – 560055 Telefax: 91- 80 – 23561866, Telephone: 91 – 80 – 41204434 www.ncs-in.com Sample Applications 1.1 Detection of TCP SYN flooding A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system. A malicious client can skip sending this last ACK message. Or by spoofing the source IP address in the SYN, it makes the server send the SYN-ACK to the falsified IP address, and thus never receive the ACK. In both cases, the server will wait for the acknowledgement for some time, as simple network congestion could also be the cause of the missing ACK. In such cases, the server fails to respond to legitimate users as time and resource is used up, rather wasted on the malicious client. This leads to further congestion and the server can eventually breakdown. Our API calls can be called to identify if the packets are SYN packets or ACK packets etc. Also the time stamp returned by one of the API calls will indicate the periodicity of such packets from a given system. A combination of these and such other calls will help in identifying the Flooding 1.2 Detection of UDP Flooding A UDP flood attack could be initiated by sending a large number of UDP packets to random ports on a particular remote host. As a result, the distant host will: Check for the application listening at that port; See that no application listens at that port; Reply with an ICMP Destination Unreachable packet. Thus, for a large number of UDP packets, the victimized system will be forced into sending many ICMP packets, eventually leading it to be unreachable by other clients. This also leads to congestion and resource wastage at the host end Using protocols identification and time stamps etc from Monosek API, user can write a program to isolate such instances. 1.3 Detection of IP-Spoofing Returning an IP address that is different from the one that is actually assigned to the destination website. An attack method by which IP packets are sent with a false source address. An attack whereby a system attempts to illicitly impersonate another system by using its IP network address. IP spoofing refers to the creation of Internet Protocol (IP) packets with a forged source IP address, called spoofing, with the purpose of concealing the identity of the sender or impersonating another computing system. nd th th Office: # 35,2 Floor, 8 Main, 16 Cross, Malleswaram , Bangalore – 560055 Telefax: 91- 80 – 23561866, Telephone: 91 – 80 – 41204434 www.ncs-in.com This leads to an illegal use of the network and its resources. It could be more dangerous if the “man in the middle” injects virus into the network. Monosek’s API calls will help students in collecting statistics about the packet origin, which will enable detection of IP spoof. 1.4 Estimation of Throughput of the network It is the ratio of the effective data delivered to the total data sent/received over the communication link. Useful to determine the quality of the network Measured in “bits per second”. 1.5 Filtering of Packets Packets can be filtered based on IP address, TCP ports, application protocols, TCP flags, IP protocols etc. This facility is useful for a statistical study of network packets. 1.6 Routing Protocol User can study routing protocol details by finding out the routing protocols used by the router to route IP packets. It could be RIP, OSPF and BGP etc. 1.7 Finding of Round Trip Time User can find out the round trip time and thereby determine the congestion in the network. Our product creates a time stamp of arrival time for each packet and is available to the user through API calls. 1.8 DNS 1. Short for Domain Name System (or Service or Server), an Internet service that translates domain names into IP addresses. 2. A DNS query may be either a recursive query or a non-recursive query: A non-recursive query is one in which the DNS server provides a record for a domain for which it is authoritative itself, or it provides a partial result without querying other servers. A recursive query is one for which the DNS server will fully answer the query (or give an error) by querying other name servers as needed. DNS servers are not required to support recursive queries. We can find the number of Hops taken by the DNS resolver to get a particular domain, the type of query that the resolver is handling and the various types of resource records. The student can develop his own applications based on his knowledge, interest and expertise of TCP/IP networks. nd th th Office: # 35,2 Floor, 8 Main, 16 Cross, Malleswaram , Bangalore – 560055 Telefax: 91- 80 – 23561866, Telephone: 91 – 80 – 41204434 www.ncs-in.com Example API Functions Some of the API calls for the above mentioned applications are given below int is_TCP_SYN_pkt (char *pbuf): Returns TRUE if the packet is a TCP SYN packet, else returns FALSE. Description: Based on the number of SYN packets to a particular user (identified by IP address and TCP port number), the user can decide if there is a SYN flooding. int is_ICMP_pkt (char *pbuf): Returns TRUE if it is an ICMP packet, else returns FALSE. Description: Based on the number of ICMP packets from a single user (based on IP address), the user can decide if there is a UDP flooding. int get_routing_protocol (char *pbuf): Returns the routing protocol used for routing purpose. Description: The user can determine the routing protocol that is used to route IP packets. For this, it is important that the system is able to sniff packets from a router. int get_pkt_time (char *pbuf): Returns time stamp of the packets recived. Description: This can be very useful for various applications which require to know the time of arrival of a packet in the network. As an example, the user can get two values of time stamps of the incoming packets and determine the round trip delay int get_dns_flag(char *pbuf) : Returns value of the DNS flag Description: The DNS flag value indicates some paramters like type of query, message truncation status, etc. The user can use this flag to know the status of the packet. nd th th Office: # 35,2 Floor, 8 Main, 16 Cross, Malleswaram , Bangalore – 560055 Telefax: 91- 80 – 23561866, Telephone: 91 – 80 – 41204434 www.ncs-in.com A few other API Functions int get_packet_ size (); int get_src_mac_address (); int get_dst_mac_address (); int get_src_ip_address (); int get_dst_ip_address (); int get_ip_protocol (); int get_tcp_src_port (); int get_tcp_dst_port (); int get_udp_src_port (); int get_udp_dst_port (); int get_application_protocol (); get_domain_name( ) : gives the domain name of the packet. is_pckt_q( ) : checks the packet for the query. get_type_of_query( ) : give the type of the query. get_num_of_rsrc_rcrds( ) : gives the number of resource records present in the packet. get_tid( ) : gives the transaction ID of the packet. is_it_response( ) : checks the packet for response. get_dns_flags( ) : gives the DNS flags. get_q_class( ) : gives the class of the packet. is_pckt_errorfree( ) : checks the packet for error in the message. is_msg_trunctd( ) : checks the packet for truncation of the message. int create_filter(); int delete_filter(); int modify_filter(); int get_aggregation_table_size(); int get_aggregation_table(); nd th th Office: # 35,2 Floor, 8 Main, 16 Cross, Malleswaram , Bangalore – 560055 Telefax: 91- 80 – 23561866, Telephone: 91 – 80 – 41204434 www.ncs-in.com
