
Wednesday, November 26, 2008

Since vpnc is already up

I might as well take advantage and try to capture some of the stuff that's already oozing out of my grey matter. My partner and I talked about the project at length, and at the beginning, another classmate gave some suggestions. We came to the conclusion that NAT is not needed at all in the configuration that my partner is working towards because there will be a one-to-one ratio of IP addresses to virtual machines. If that changes, we need...something. Maybe NAT, maybe something else.

My partner defined 'dynamic instantiation' for the time being as basically turning a VM on and off. We also all agreed that there has to be some mechanism to capture state. Our classmate pointed out that the controller needs to know which VMs it needs to be acting on and when, and neither iptables nor Click as they are have the ability to pass on that type of information. So I was looking at netlink sockets, but now I'm looking at libipq, which I'm thinking is even better. It basically routes a packet from kernel space to user space. You can then make a decision on the packet and send it back to kernel space. I'm thinking I can make some additional network devices and have initial traffic routed to the devices associated with my libipq stuff, a type of first packet reader, then accepted packets are routed to whatever we use to route traffic, Click or iptables or whatever.

I'm also looking at malware collection. That looks like it won't be so hard. There's information out there on how to save binaries in MySQL databases. Oh, and my classmate talked about VM introspection type stuff. He mentioned RegMon, FileMon and some other utility. They're for Windows, which we haven't really been using, but we will eventually, and I hadn't even thought about registry data. My partner's idea about mounting a vmdk file is something that I've actually been able to test on my laptop, unlike most VMware stuff. It didn't take long to perform a diff on the two mounted filesystems--I was working on a script to automate that process.

I'm sure that I've forgotten something, but oh well.

Posted by threeRd at 12:06 AM
Categories: thesis
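The before/after comparison of two mounted VM filesystems mentioned in the post above, as an added example in POSIX sh (not the author's script): it manifests every regular file by SHA-256 and classifies paths as added, removed or modified. It assumes sha256sum from GNU coreutils; the two sample trees are constructed inline and stand in for the mounted vmdk images.

```shell
#!/bin/sh
# Diff two mounted filesystem trees (e.g. a clean VM disk image and the
# same image after the guest ran) and classify each regular file as
# added, removed or modified. Assumes sha256sum from GNU coreutils.
# Added example, not the author's script.

# Emit "sha256<TAB>relative/path" for every regular file under $1.
manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s\t%s\n' "$(sha256sum < "$f" | cut -d' ' -f1)" "${f#./}"
    done )
}

# Print one sorted line per change: "added P", "modified P" or "removed P".
fs_diff() {
    b=$(mktemp); a=$(mktemp)
    manifest "$1" > "$b"
    manifest "$2" > "$a"
    awk -F'\t' '
        FILENAME == ARGV[1] { before[$2] = $1; next }   # baseline manifest
        { after[$2] = $1 }                                # post-run manifest
        END {
            for (p in after) {
                if (!(p in before))             print "added " p
                else if (before[p] != after[p]) print "modified " p
            }
            for (p in before) if (!(p in after)) print "removed " p
        }' "$b" "$a" | LC_ALL=C sort
    rm -f "$b" "$a"
}

# Constructed sample: a baseline tree and the same tree after a run.
demo() {
    base=$(mktemp -d); run=$(mktemp -d)
    mkdir -p "$base/etc" "$base/var/log" "$run/etc" "$run/var/log" "$run/tmp"
    printf 'root:x:0:0\n' > "$base/etc/passwd"               # unchanged
    printf 'root:x:0:0\n' > "$run/etc/passwd"
    printf 'PermitRootLogin no\n' > "$base/etc/sshd_config"  # modified
    printf 'PermitRootLogin yes\n' > "$run/etc/sshd_config"
    printf 'boot ok\n' > "$base/var/log/messages"            # removed
    printf 'new file\n' > "$run/tmp/.x"                      # added
    fs_diff "$base" "$run"
    rm -rf "$base" "$run"
}

demo
```

Point `fs_diff` at the two mount points instead of the constructed directories to run it against real images; the manifest step is also where a timestamp or mode column would go if those matter to the comparison.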

Friday, November 07, 2008

I finally

sent an update to my committee. Since I'm feeling particularly lazy, I'm going to paste it here and count that as a blog entry.

***

To my advisory committee:

I figured that now was as good a time as any to give an update on my thesis. For many weeks I have planned to give an update, and later decided against it because I didn't feel like I had accomplished anything significant. I now realize that if I continue at this rate, I could go all the way to defense without having communicated with you.

Since a significant amount of time has passed since I spoke with most of you, there actually are very significant things to report.

During the summer my goal was to write an intrusion prevention module. I later decided against this for several reasons, with one of the more significant ones being that I was not sure that I could actually accomplish this task.

I am taking one course this fall, a special topics course (CPSC 689-609) taught by Dr. Guofei Gu on Network Security. The first topics in the class were botnets and honeypots, which I've also been interested in. Based on this, I decided to change the project. My goal is to create a small honeynet similar to ones I've read about in certain academic papers, and then compare the results to my own. My expectation is that the vulnerabilities that were used to attract attackers two years ago will be less effective today. The next step would be to modify/improve the techniques in order to make them more effective in attracting current botnets. I am also submitting a variation of the project to the 689 class.

While on the surface this is a simpler project, getting it off the ground has been challenging. The principal obstacle is gaining access to a network to place the honeynet in. My current ISP blocks the ports that cause security risks, leaving my honeypots untouched. I also need multiple IP addresses.

Commercially, the service that would meet my requirements would require me to purchase business connections, and sign contracts that would cost around $1000 for six months of service. I saw this as a last-ditch effort.

Dr. Gu talked to Mr. Willis Marti, and he agreed to allocate IP space for use with this and subsequent projects, contingent upon us showing how we plan to mitigate the risk of attack within the campus network. Dr. Gu has also allocated me a single server, and from reading on CSnet I understand that it is possible to bring in personal equipment. Unfortunately, I am not sure when the IP space will be available, so in the meantime I am trying to be as productive as possible, continuing my research and trying to create a sound architecture.

My goal from here on out is to provide an update to you at the end of each week. I appreciate any and all feedback.

Respectfully,

John Syers

Posted by threeRd at 5:15 PM
Categories: thesis

Wednesday, October 29, 2008

Let's see. Yesterday I talked to the network head and he agreed to give me the address space I need for the project. I sent him my configuration file so that he could be sure that I wouldn't be attacking the network.

Today I figured out how to do some very basic things in Click. What I'm trying to work out now is how to do something like NAT with Click. I've been having a lot more trouble trying to just print out basic stuff than I thought I would. Most of my problem is trying to do things the way I think they should work rather than the way the examples show.

Also shot off an email to my advisor asking for some additional hardware resources.

Posted by threeRd at 3:33 PM
Categories: honeypots, Miscellaneous, thesis

Thursday, October 23, 2008

I'm embracing reality

Normally I get depressed when it's time to blog because I feel like I haven't accomplished anything, or haven't accomplished enough. But I hadn't realized that even though I daily fail to meet my own expectations, I do accomplish things, and they do add up over time.

What I just finished doing was getting the USB ethernet adapter I bought to work. I was just looking into what to do with my new multi-homed host. I'd been thinking 'router', but then, what do I want it to route? I guess I'm thinking about it more closely now. I'd lost sight of what this thing is for--the project. And for the project, what I need is a honeywall. My understanding of a honeywall is that it's a reverse firewall--it only lets certain traffic out.

Now for just everyday use...well, I guess I really don't need it for everyday use, do I? I need to take the time and figure out what I want the home network to look like, what services I'm going to run, and what network appliances I need to run them.

I talked to Verizon and Suddenlink about the addresses I need. Suddenlink charges around $90 for service with 5 IP addresses, with $15 for each IP over that. Verizon charges $80 for 1 IP address, and each block of 5 IP addresses costs $20. For some reason I'd forgotten that Suddenlink charged per IP for over 5 until just now, so I was thinking Suddenlink was the way to go. And they still are, if I want to stick with 5 IPs. But I was thinking to start with 5, and eventually work my way up to 15. With Suddenlink that would cost me $150 extra, while with Verizon it would cost $40 extra. Darn it. I'd better call them back and ask about fees. Verizon charges a $99 setup fee and $99 for the modem, so that has to factor in too.

....

Just got off the phone with Suddenlink. The fees depend on the contract. If I go with a 1-year contract, installation and modem are $170. With the two-year, installation is $60 and the modem is 'free.' With a three-year contract, installation is $10.

Posted by threeRd at 4:45 PM
Edited on: Thursday, October 23, 2008 4:54 PM
Categories: thesis

Thursday, October 09, 2008

Insignificant?

It doesn't seem like I accomplished much today. We turned in our proposal for CPSC 689, but some of the conversation that went on with the project proposal was enlightening. The professor is saying that hardware is available but not IP addresses. He did not give any definite timetable and mentioned me using equipment at the other institution. This tells me that I need to work on my own setup for the thesis. I'm thinking that I may look at the local ISP for bandwidth before I talk to the phone provider. This also further cements my thinking that there may be a bigger difference between the project and the thesis than I originally thought, but now I find that I don't really have a problem with that.

Posted by threeRd at 7:42 PM
Categories: thesis

Wednesday, October 08, 2008

I really am going to get this...

By that I mean actually doing daily logs. As a matter of fact, I'm going to make myself a reminder right after I finish this blog. No, I'm going to do it RIGHT NOW...

...DONE. That didn't take long, did it? Okay, so this weekend, I was preoccupied with turning in the (late) homework. Late this week, I was reading the Honeypot books I got from the library. This week, I read some of the papers that the professor sent. By "some of," I mean I read some of each of them. The master's thesis was encouraging, because it didn't seem too complicated.

I spent a ridiculous amount of time trying to connect with Dave via IM. We have done some communication. He did most of the work on putting together a proposal. At first, what we had down on file seemed like something we wouldn't even have done before it was time for me to graduate. But we scaled back, and the professor kind of okayed that before we even told him about it. So that's good.

I'm getting a better and better feel for what I want to do for my thesis. It may or may not line up totally with the project. I downloaded a couple of interesting things. I was beginning to think about what an uphill battle I could have trying to write my thesis on OpenOffice with the potential compatibility issues, because as I understand it, the thesis has to be just so. I considered the possibility of doing it in LaTeX for a second, then dismissed that as crazy. I reconsidered when I found a LaTeX thesis template on the thesis website. It's for EE, though. I need to confirm with the thesis office that I can use it. That alone reminded me that the initial format doesn't matter, just the end result, which I'm betting is .pdf.

I also downloaded the proposal submission information again. For a minute there I thought all we needed to submit was the proposed title of the thesis, but the instructions give the actual info. I should probably go talk to someone in the thesis office sooner rather than later. And I think I'll ask Daniel how his experiences with the office have been.

Posted by threeRd at 6:16 PM
Categories: Miscellaneous, thesis

Friday, September 19, 2008

Next step?

So things have taken a dramatic turn. Dr. Pooch okayed the new direction. Dr. Gu sent an email that said, "Please give me a (relatively concrete) design plan ASAP after you read all necessary materials (so that we can split and allocate resources to begin the work)." Now I was already starting to put the cart before the horse and trying to come up with a design plan before I read the materials. I'd better gather the materials and read them and then come up with something. The thing is, since the solid idea in my head has to do with recreating the experiment in A Multifaceted Approach to Understanding the Botnet Phenomenon, I'm thinking I just need to replicate whatever they did. But then again, "do whatever they did" is not really a plan.

Drat. I just remembered I need to write the mini-review for next class. Well, technically I have until Monday at 5PM, but I don't want to wait.

Posted by threeRd at 1:36 PM
Categories: thesis