LAB ASSIGNMENT 12 – Intrusion Detection
Part A: Using Distributed IDS Attack Information

DShield (http://www.dshield.org/) is an organization that gathers log files from users around the world and prepares reports that those users can analyze in order to determine if their networks have encountered intrusion attempts.
1) From the front page of DShield, test to see if your computer is "cracked". What was the result?
2) Which port is listed as the most attacked? What service uses that port? Describe one of the vulnerabilities for this port.
3) Which countries are listed among the top 10 offenders according to the DShield database?
Part B: Anomaly-based Intrusion Detection

Anomaly-based intrusion detection puts a burden on a network administrator to determine whether an anomaly deviates from "normal" behavior severely enough to warrant investigation. Use the user profile from an anomaly-based IDS in the table below to answer the following questions:
User | Behavior                | Date | Time
Bob  | Network Login           | M-F  |
     | Login to E-mail Account | M-F  |
     | Login to File Server    | M-F  |
a. Describe how you would respond upon receiving an alert notifying you that Bob logged in at
b. Describe two possible causes (one legitimate, one suspicious) for the following series of events: You receive an alert stating that Bob had logged on at
c. Describe a suitable response to the discovery that the scenario described in Step ii was repeated every day during the previous week.
d. Explain how you could determine whether or not Bob was actually logging on at
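The following is an added worked example, not part of the lab handout: a toy anomaly-based check that compares login events against a per-user profile of the kind shown in the table. Because the handout's Time column is blank, the login windows in the profile are hypothetical values chosen for illustration, and the sample events are constructed. Beyond flagging a single deviation, it also counts on how many distinct days the same deviation recurred, which is the information an administrator needs for question c (a deviation that repeats every day is either a change in the user's normal routine, so the baseline should be updated, or a sustained problem worth a closer look).

```python
"""Toy anomaly-based IDS check for a per-user login profile.

Added example, not part of the lab handout. The profile below is
constructed: the handout's table leaves the Time column blank, so the
time windows here are hypothetical placeholders.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class ProfileEntry:
    behavior: str
    days: frozenset   # ISO weekday numbers, Monday=1 ... Sunday=7
    start: time       # earliest time this behavior is normally seen
    end: time         # latest time this behavior is normally seen


WEEKDAYS = frozenset({1, 2, 3, 4, 5})  # the handout's "M-F"

# Constructed profile for the user "Bob"; the time windows are assumptions.
PROFILE = {
    "Bob": {
        "Network Login": ProfileEntry("Network Login", WEEKDAYS, time(8, 0), time(9, 30)),
        "Login to E-mail Account": ProfileEntry("Login to E-mail Account", WEEKDAYS, time(8, 0), time(18, 0)),
        "Login to File Server": ProfileEntry("Login to File Server", WEEKDAYS, time(8, 30), time(17, 30)),
    }
}


def is_anomalous(user, behavior, when, profile=PROFILE):
    """Return a short reason if the event deviates from the profile, else None."""
    entry = profile.get(user, {}).get(behavior)
    if entry is None:
        return "no baseline for this user/behavior"  # never profiled: treat as a deviation
    if when.isoweekday() not in entry.days:
        return "outside normal days"
    if not (entry.start <= when.time() <= entry.end):
        return "outside normal hours"
    return None


def analyze(events, profile=PROFILE):
    """Classify events; return the alerts and, per (user, behavior, reason),
    the number of distinct days on which that deviation recurred."""
    alerts = []
    for user, behavior, when in events:
        reason = is_anomalous(user, behavior, when, profile)
        if reason:
            alerts.append((user, behavior, when, reason))
    recurrence = Counter()
    seen_days = set()
    for user, behavior, when, reason in alerts:
        key = (user, behavior, reason, when.date())
        if key not in seen_days:          # count each calendar day once
            seen_days.add(key)
            recurrence[(user, behavior, reason)] += 1
    return alerts, dict(recurrence)


# Constructed sample events (2024-03-04 is a Monday, 2024-03-09 a Saturday).
SAMPLE_EVENTS = [
    ("Bob", "Network Login", datetime(2024, 3, 4, 8, 15)),           # Monday, inside window
    ("Bob", "Login to E-mail Account", datetime(2024, 3, 4, 9, 0)),  # Monday, inside window
    ("Bob", "Network Login", datetime(2024, 3, 4, 23, 40)),          # Monday, late night
    ("Bob", "Network Login", datetime(2024, 3, 5, 23, 42)),          # Tuesday, late night again
    ("Bob", "Network Login", datetime(2024, 3, 6, 23, 38)),          # Wednesday, late night again
    ("Bob", "Login to File Server", datetime(2024, 3, 9, 14, 0)),    # Saturday: outside M-F
]

if __name__ == "__main__":
    alerts, recurrence = analyze(SAMPLE_EVENTS)
    for user, behavior, when, reason in alerts:
        print(f"ALERT {when:%a %Y-%m-%d %H:%M} {user}: {behavior} ({reason})")
    for (user, behavior, reason), days in recurrence.items():
        print(f"{user}/{behavior}/{reason}: recurred on {days} distinct day(s)")
```

Running the script prints four alerts: the three late-night Network Logins (same deviation on three distinct days) and the Saturday File Server login. The recurrence count is what distinguishes a one-off event, which calls for the kind of follow-up asked in question d (confirm with Bob, check the source host, and review the authentication logs), from a pattern that has effectively become the new baseline.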
Part C: View The Code Room: Breaking Into Las Vegas. http://www.thecoderoom.com/vegas/