Experiment Planning

[diego-lopez8]

We need to plan the experiments and figure out which attack types we think are realistically doable, while also being relevant to our research

For normal, we can include traffic such as:

• Globus (big data transfers)
• Web traffic
• Normal SSH
• ???

For attacks:

• Port Scanning
• DoS
• SSH Brute Force
• ???

We can also try to include some L7 attacks, my intuition is that the network data will be of low resolution to accurately detect these, we can verify it.

[Zihang-Xia]

• ssh bruteforcing: hydra or metasploit
• port scan: nmap (especially nmap NSE scripts)
• distributed port scan: TBD
• DoS:
  • SYN flood(L4): metasploit, MHDDoS
  • ICMP: I don't think they are still relevant today
  • HTTP(L7): metasploit, MHDDoS
• other metasploit:
  • we can try running a few common CVEs on the victim (scanning the whole subnet for eternal blue?)
  • try staged and stageless payloads (reverse shells)
  • database related modules?
  • I think we don't even have to succeed, just the bruteforce traffic should be detected
• MITM: bettercap?
• fuzzing: wfuzz (for webapps), scapy (for protocol)

[diego-lopez8]

The SSH bruteforce was run yesterday, March 4 7:02 PM - 7:20 PM

We need to verify the data is there.

Diego to run Port Scan attack today and report results

[diego-lopez8]

Zihang to Setup a simple NGINX server and do SYN flood

Optimistically to be done tonight

[diego-lopez8]

Port Scan TCP and UDP ran yesterday

[Zihang-Xia]

I have created a google sheet recording the attacks so we can evaluate the models. https://docs.google.com/spreadsheets/d/1T_P_RC7njI2cI79xY-qCPvgVJXroRfmv57wleiN6qTI/edit?usp=sharing

[Zihang-Xia]

Zihang to Setup a simple NGINX server and do SYN flood

Optimistically to be done tonight

Finished setting up the NGINX server, will conduct syn flood when I have time.

[diego-lopez8]

diego to run full port scan