Document 268601

Monosek API Calls and Sample Applications for
Educational and Research Institutes
nd
th
th
Office: # 35,2 Floor, 8 Main, 16 Cross, Malleswaram , Bangalore – 560055
Telefax: 91- 80 – 23561866, Telephone: 91 – 80 – 41204434
www.ncs-in.com
Table of Contents
1
Sample Applications
1.1 Detection of TCP SYN flooding
1.2 Detection of UDP Flooding
1.3 Detection of IP-Spoofing
1.4 Estimation of Throughput of the network
1.5 Filtering of Packets
1.6 Routing Protocol
1.7 Finding of Round Trip Time
1.8 DNS
2 Example API Functions
2.1 int is_TCP_SYN_pkt (char *pbuf)
2.2 int is_ICMP_pkt (char *pbuf)
2.3 int get_routing_protocl (char *pbuf)
2.4 int get_pkt_time (char *pbuf)
2.5 int get_dns_flag(char *pbuf)
2.6 A few other API Functions
Purpose of this Document:
This document lists a few typical applications that can be written by students in C or C++
around our Monosek card using C callable API functions provided by us.
nd
th
th
Office: # 35,2 Floor, 8 Main, 16 Cross, Malleswaram , Bangalore – 560055
Telefax: 91- 80 – 23561866, Telephone: 91 – 80 – 41204434
www.ncs-in.com
Sample Applications
1.1 Detection of TCP SYN flooding
A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of
SYN requests to a target's system. A malicious client can skip sending this last ACK message.
Or by spoofing the source IP address in the SYN, it makes the server send the SYN-ACK to the
falsified IP address, and thus never receive the ACK. In both cases, the server will wait for the
acknowledgement for some time, as simple network congestion could also be the cause of the
missing ACK. In such cases, the server fails to respond to legitimate users as time and resource
is used up, rather wasted on the malicious client. This leads to further congestion and the server
can eventually breakdown.
Our API calls can be called to identify if the packets are SYN packets or ACK packets etc. Also the
time stamp returned by one of the API calls will indicate the periodicity of such packets from a
given system. A combination of these and such other calls will help in identifying the Flooding
1.2 Detection of UDP Flooding
A UDP flood attack could be initiated by sending a large number of UDP packets to
random ports on a particular remote host. As a result, the distant host will:
Check for the application listening at that port;
See that no application listens at that port;
Reply with an ICMP Destination Unreachable packet.
Thus, for a large number of UDP packets, the victimized system will be forced into sending
many ICMP packets, eventually leading it to be unreachable by other clients. This also leads
to congestion and resource wastage at the host end
Using protocols identification and time stamps etc from Monosek API, user can write a
program to isolate such instances.
1.3 Detection of IP-Spoofing
Returning an IP address that is different from the one that is actually assigned to
the destination website.
An attack method by which IP packets are sent with a false source address.
An attack whereby a system attempts to illicitly impersonate another system by using
its IP network address.
IP spoofing refers to the creation of Internet Protocol (IP) packets with a forged source IP
address, called spoofing, with the purpose of concealing the identity of the sender or
impersonating another computing system.
nd
th
th
Office: # 35,2 Floor, 8 Main, 16 Cross, Malleswaram , Bangalore – 560055
Telefax: 91- 80 – 23561866, Telephone: 91 – 80 – 41204434
www.ncs-in.com
This leads to an illegal use of the network and its resources. It could be more dangerous if the
“man in the middle” injects virus into the network.
Monosek’s API calls will help students in collecting statistics about the packet origin, which will
enable detection of IP spoof.
1.4 Estimation of Throughput of the network
It is the ratio of the effective data delivered to the total data sent/received over
the communication link.
Useful to determine the quality of the network
Measured in “bits per second”.
1.5 Filtering of Packets
Packets can be filtered based on IP address, TCP ports, application protocols, TCP flags,
IP protocols etc. This facility is useful for a statistical study of network packets.
1.6 Routing Protocol
User can study routing protocol details by finding out the routing protocols used by the router
to route IP packets. It could be RIP, OSPF and BGP etc.
1.7 Finding of Round Trip Time
User can find out the round trip time and thereby determine the congestion in the network.
Our product creates a time stamp of arrival time for each packet and is available to the user
through API calls.
1.8 DNS
1. Short for Domain Name System (or Service or Server), an Internet service that
translates domain names into IP addresses.
2. A DNS query may be either a recursive query or a non-recursive query:
A non-recursive query is one in which the DNS server provides a record for a
domain for which it is authoritative itself, or it provides a partial result without
querying other servers.
A recursive query is one for which the DNS server will fully answer the query
(or give an error) by querying other name servers as needed. DNS servers are not
required to support recursive queries.
We can find the number of Hops taken by the DNS resolver to get a particular
domain, the type of query that the resolver is handling and the various types
of resource records.
The student can develop his own applications based on his knowledge, interest and expertise of
TCP/IP networks.
nd
th
th
Office: # 35,2 Floor, 8 Main, 16 Cross, Malleswaram , Bangalore – 560055
Telefax: 91- 80 – 23561866, Telephone: 91 – 80 – 41204434
www.ncs-in.com
Example API Functions
Some of the API calls for the above mentioned applications are given below
int is_TCP_SYN_pkt (char *pbuf):
Returns TRUE if the packet is a TCP SYN packet, else returns FALSE.
Description: Based on the number of SYN packets to a particular user (identified by IP
address and TCP port number), the user can decide if there is a SYN flooding.
int is_ICMP_pkt (char *pbuf):
Returns TRUE if it is an ICMP packet, else returns FALSE.
Description: Based on the number of ICMP packets from a single user (based on IP address),
the user can decide if there is a UDP flooding.
int get_routing_protocol (char *pbuf):
Returns the routing protocol used for routing purpose.
Description: The user can determine the routing protocol that is used to route IP packets.
For this, it is important that the system is able to sniff packets from a router.
int get_pkt_time (char *pbuf):
Returns time stamp of the packets recived.
Description: This can be very useful for various applications which require to know the time of
arrival of a packet in the network. As an example, the user can get two values of time stamps
of the incoming packets and determine the round trip delay
int get_dns_flag(char *pbuf) :
Returns value of the DNS flag
Description: The DNS flag value indicates some paramters like type of query,
message truncation status, etc. The user can use this flag to know the status of the
packet.
nd
th
th
Office: # 35,2 Floor, 8 Main, 16 Cross, Malleswaram , Bangalore – 560055
Telefax: 91- 80 – 23561866, Telephone: 91 – 80 – 41204434
www.ncs-in.com
A few other API Functions
int get_packet_ size ();
int get_src_mac_address (); int get_dst_mac_address ();
int get_src_ip_address (); int get_dst_ip_address (); int get_ip_protocol ();
int get_tcp_src_port (); int get_tcp_dst_port ();
int get_udp_src_port (); int get_udp_dst_port ();
int get_application_protocol ();
get_domain_name( ) : gives the domain name of the packet.
is_pckt_q( ) : checks the packet for the query.
get_type_of_query( ) : give the type of the query.
get_num_of_rsrc_rcrds( ) : gives the number of resource records present in the packet.
get_tid( ) : gives the transaction ID of the packet.
is_it_response( ) : checks the packet for response.
get_dns_flags( ) : gives the DNS flags.
get_q_class( ) : gives the class of the packet.
is_pckt_errorfree( ) : checks the packet for error in the message.
is_msg_trunctd( ) : checks the packet for truncation of the message.
int create_filter();
int delete_filter();
int modify_filter();
int get_aggregation_table_size();
int get_aggregation_table();
nd
th
th
Office: # 35,2 Floor, 8 Main, 16 Cross, Malleswaram , Bangalore – 560055
Telefax: 91- 80 – 23561866, Telephone: 91 – 80 – 41204434
www.ncs-in.com