CS448- Assignment 2: Introduction to Information Security, KAIST Solved

1           True-False Questions
True or false: The KAIST IT Department may not notice when there exist a certificate for the KAIST web domain that is never issued by KAIST.True, (B) False
True or false: The use of cipher suites in TLS that offer perfect forward secrecy guarantees the secrecy of session keys that will be generated in the future.True, (B) False
True or false: DNS-over-HTTPS prevents DNS recursive resolvers from learning the queried domains but cannot handle DNS spoofing attacks.True, (B) False
True or false: Unlike Bitcoin’s proof-of-work that uses a single common puzzle for all, DDoS defense puzzles must be different for different clients.True, (B) False
True or false: We can fix the UDP servers, which are exploited for amplification DDoS attacks, by preventing them from returning more bits than they receive.True, (B) False
True or false: DDoS threats would disappear in a hypothetical world where a system admin can increase his server capacity indefinitely.True, (B) False
1

Figure 1: VM setup for amplification attacks. Only the non-NAT network adapters (i.e., blue-shaded parts) need to be manually configured. The rest has been already configured in their vdi images.

In p1_S_20210001.txt file:

A

B

A

B

A

B

Include this text file into the final tar file of your amplification DDoS attack; see the next section.

2           Amplification DDoS Attacks 
In this section, you will setup a new network topology with the provided virtual machines (VMs) that enables you to launch small-scale amplification DDoS attacks.

Warning. Do not test your attack scripts against services running on the Internet as it could lead to real DDoS attacks in the real world. Always make sure that all your attack activities stay within the virtual environment prepared for this assignment.

VM images. You will download the four required VM images from the following link: https://drive. google.com/drive/folders/1gTzcEvHWgg5NVyScObHVMPGV8gXpewkb. Please download all four vdi files to your local machine. To run these VM images, you need to use VirtualBox (https://www.virtualbox.org/).

2.1         Network Setup
The four VMs are standalone Ubuntu servers and their local network settings (e.g., IP addresses) have already been configured. However, you are responsible for their interconnection and create the topology in Figure 1. The following steps explain the topology setup in VirtualBox.

In VirtualBox Manager (i.e., the main GUI panel), create ‘New’ virtual machine. Use appropriate names (e.g., Attacker, Router) and choose Linux for the type and Ubuntu (64-bit) for the version. When choosing the hard disk option, choose ‘Use an existing virtual hard disk file’ and select one of the vdi files you have downloaded. Then, finally ‘create’ the VM.
2

After creating the four VMs needed for this assignments, take a look at Figure 1. Notice that Router is connected to all the three VMs and each of their connections is distinguished by the name of their internal network. For example, Attacker and Router is connected through ‘intnet-1,’ Router and Amp through ‘intnet-2,’ and Router and Victim through ‘intnet-3.’
Go to ‘Setting’ of Attacker VM. Go to ‘Network.’ You will see that only Adapter 1 is enabled with the NAT option. You need to enable Adapter 2 with ‘Internal Network’ option and the name ‘intnet-1.’
Go to ‘Setting’ of Amp VM. Go to ‘Network.’ You need to enable Adapter 2 with ‘Internal Network’ option and the name ‘intnet-2.’
Go to ‘Setting’ of Victim VM. Go to ‘Network.’ You need to enable Adapter 2 with ‘Internal Network’ option and the name ‘intnet-3.’
Go to ‘Setting’ of Router VM. Go to ‘Network.’ You need to enable three additional adapters: enable Adapter 2 with ‘Internal Network’ option and the name ‘intnet-1,’ Adapter 3 with ‘Internal Network’ option and the name ‘intnet-2,’ and Adapter 4 with ‘Internal Network’ option and the name ‘intnet-3.’
All done. Start all four VMs. Then, they will be automatically form the topology with the assigned IP addresses as shown in Figure 1.
Login credentials. You will need to access the Attacker VM to design and launch your own attacks. You will also need to access the Victim VM to verify the effectiveness of your attack. Use the following login credentials for both servers:

username: cs448 password: cs448

The Router or Amp VMs have different login credentials and you are not supposed to access them.

2.2         Launching Amplification Attacks
Overview. The goal of the attack is to exploit the amplification (or Amp) server and make it send large traffic volume to the victim server (i.e., Victim). The effectiveness of the attack is measured by the ratio of the attack traffic volume received by Victim to the volume generated by Attacker.

You are asked to write your own attack scripts. You will provide the script and the attack demonstration. You may use some common libraries that come with typical Linux distributions for your attack scripts; however, you are not supposed to use highly automated tools, such as scapy. If you are not sure whether particular libraries are allowed or not, post a question on the github issues or KLMS Q&A.

Amplification Attacks. As discussed in the lecture, the amplification DDoS attack is one of the most widely used DDoS attack vectors for two main reasons: (1) attacker’s machine (e.g., Attacker in our setup) is not directly visible to the victims as the amplification servers send attack traffic on be half of the attackers; and (2) attack traffic volume is significantly (e.g., from 10x to 1000x) amplified and thus large-scale attacks can be launched with a low attack cost.

For amplification attacks, several UDP based protocols are often exploited. An adversary first generate UDP request packets with source IP address spoofed with the victim’s IP address. The UDP request packets are often carefully crafted to create large response packet from the amplification servers. When the amplification servers receive the spoofed UDP packets, they respond with the response UDP packets and send them to the victim’s IP address.

Vulnerability Scanning. Your first task is to find one or more of UDP based services running on the Amp server that can be exploited for amplification attacks. You may use any tool of your choice (e.g., nmap) to perform this.

IP Spoofing. As shown in Figure 1, the victim server’s IP is 192.168.30.1. Thus, in your UDP request packet, you should spoof the source IP with 192.168.30.1.