Detection of Reflected Cross-site Scripting


Pankaj Sahu, A. K. Sarje

Department of Electronics & Computer Engineering
Indian Institute of Technology, Roorkee
Roorkee, India-247667
Abstract—Network forensics is a new approach for incident investigation and emergency response, which also enhances network security from a different point of view. With increasing cases of cyber crime, network security and network forensics have become a very important aspect of Information Technology. Port scanning is commonly used by attackers to find out vulnerabilities in computer networks. It is a basic step in almost all kinds of attacks. In our paper we propose an approach to detect port-scanning attacks. We used tcpdump to capture packets, which were then analyzed. The source IP of the attacks is identified. The software detects suspicious IP addresses and lists them to the user. The system was tested against the NMAP tool, which is a very common tool for port scanning.

I. INTRODUCTION

Network Forensics is the field of tracking the source of an attack on a computer network by capturing, recording and analyzing network events. Although network security can provide various means to detect and prevent network attacks, it cannot locate the source of an attack, which is important from a legal point of view. Due to increasing attacks on the network, most organizations today are interested "to reach the attacker back after an attack happens in the organization". Network Forensics is "The use of scientifically proven techniques to collect, fuse, identify, examine, correlate, analyze, and document digital evidence from multiple, actively processing and transmitting digital sources for the purpose of uncovering facts related to the planned intent, or measured success of unauthorized activities meant to disrupt, corrupt, and or compromise system components as well as providing information to assist in response to or recovery from these activities" [1]. Network forensics is basically about capturing and analyzing the network traffic and investigating the actual attacker.

Various tools, both open-source as well as commercial, can be used in network forensics. Tools like Wireshark, Tcpdump, and Snort are used in forensic analysis. They are used to capture live packets, which are further analyzed and presented in a user-understandable form.

A network forensics system has many uses [2]. It can be used to detect anomalies in network traffic behavior and determine if the anomaly is false or an actual attack. It can also be used to track the source of the attack by determining the IP address of the attacker, find out when the attack has been done, and find out if the IP is a spoofed one or not.

II. BACKGROUND

A. Port Scanning

It is a very basic attack and most attackers perform this attack initially to determine which services are running on the target machine and on which port. Sending a message to each port sequentially performs this attack. The kind of response received can indicate whether the port is open or not and what kind of service is running. Using this, an attacker can create a list of potential weaknesses and vulnerabilities in the open ports, leading to exploration and compromise of a remote host. Various types of port scanning attacks are given below [3][4].

ACK Scan

ACK scanning is one of the more unique scan types, as it does not exactly determine whether the port is open or closed, but whether the port is filtered or unfiltered. Simple packet filtering will allow established connections (packets with the ACK bit set), whereas a more sophisticated stateful firewall might not. An ACK scan operates by sending a TCP ACK frame to a remote port. If there are no responses or an ICMP destination unreachable message is returned, then the port is considered to be "filtered".

SYN Scan

SYN scan is the default and most popular scan option for good reasons. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. Synscan is a flexible, scriptable TCP/IP test tool for network testing and active OS fingerprinting. More verbosely, synscan is a user-end TCP/IP stack that can be used to test many aspects and edge conditions of a remote TCP implementation and identify the operating system. By modifying certain directives in the scripts, one can extract different behavior from the remote implementation and use this to identify it.

B. TCPDUMP

Tcpdump is a common packet analyzer that runs under the command line. It allows the user to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached [5]. It is a very useful tool from the network forensics point of view; it provides the ability to analyze network behavior, performance and applications that generate or receive network traffic. In this project, tcpdump has been used to capture the network traffic from the network interface because it is very easy to install and requires relatively less memory.

Tcpdump is an open source packet sniffer which is capable of capturing network traffic and optionally logging the captured traffic to some storage device. It provides the raw input for network forensic analysis by sniffing the traffic flowing through network devices such as switches and hubs. Tcpdump sniffs the traffic from the Ethernet interface and displays the headers of the traffic it has captured when it is run in sniffer mode.

Tcpdump can be run from the command line to read traffic from the network interface and log the data to a file or database, based on the options provided. Tcpdump has a rich set of command-line options. Some of the most commonly used command-line options are [6]:
• -A: Print each packet in ASCII format.
• -c : Exit after receiving count packets.
• -f : Print `foreign' IPv4 addresses numerically rather than symbolically.
• -i : Listen on interface.
• -e : Print the link-level header on each dump.
• -l : Make stdout line buffered. Useful if you want to see the data while capturing it.
• -v : Verbose option to display the TCP and IP

When we run Tcpdump with the -v (verbose) option, the output of Tcpdump will look like the following structure:

17:27:03.315185 IP (tos 0x0, ttl 52, id 36117, offset 0, flags [none], proto TCP (6), length 44) > pankaj-laptop.local.51510: S, cksum 0x9a8d (correct), 301755535:301755535(0) win 1024 <mss 1460>
17:27:03.315214 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40) pankaj-laptop.local.51510 > R, cksum 0xb636 (correct), 0:0(0) ack 301755536 win 0

The above output shows the headers of two packets that Tcpdump saw, separated by the E..,....4..a...........6..l.....`.... line separator. The first few bytes of the output, 17:27:03.315185, give the time the packet was captured. The rest of the first line, IP (tos 0x0, ttl 52, id 36117, offset 0, flags [none], proto TCP (6), length 44), gives details of the IP header. It shows the tos (type of service), ttl (Time to Live) value, the IP identification number, protocol used, length of the IP header, and whether the DF (Do Not Fragment) bit is set or not. The second line, > pankaj-laptop.local.51510, gives the source IP, source port, destination system and destination port of the packet respectively. The rest of the second and third lines of the above output give the details from the TCP header. The S shows the information about the flags: which flag is set and which are not. In this case only the S (SYN) flag is set, which indicates that a connection request is sent from the source port of the source IP to the destination port of the destination IP. The rest of the line gives the values of the sequence number, acknowledgement number and window size. <mss 1460> stands for Maximum Segment Size, which the sender indicates to the receiver as 1460 bytes.

The flow chart of port scanning attack detection is given in figure 1.

Fig. 1. Flow Chart of Port Scanning Attack Detection

A. Capturing The Network Traffic

We are capturing the network traffic with the following Tcpdump command:

tcpdump -l -f -i eth0 tcp > <output file>

B. Extracting Relevant Traffic

The task of this module is to extract the traffic that is relevant for further analysis; here the strategy to extract the relevant traffic may vary while investigating the source of different kinds of attacks. This strategy is limited to the port
scanning method and will be able to trace the attacker only if the attacker has used the TCP-SYN method for port scanning. We are using a Python program to extract the relevant traffic [10]. The reason behind choosing Python is given below.

If we see the pattern of network traffic at a glance:

23:44:28.426813 IP > pankaj-laptop.local.42718: S 4276666393:4276666393(0) win 2048 <mss 1460>
23:44:28.426862 IP pankaj-laptop.local.42718 > R 0:0(0) ack 4276666394 win 0

Here the data that we need is 23:44:28.426813 (time stamp), (source IP address and port number), pankaj-laptop.local.42718 (destination address and port number) and S (SYN packets). So we have to extract only these details.

If we have to make a program in C, then we have to use pattern matching, which is complex. To avoid this we are implementing it in Python [7]. The program is given below:

# print() form so the script behaves the same under Python 2 and 3
from __future__ import print_function
import sys
# sys.argv list contains the command-line arguments;
# sys.argv[1] is the capture file written by tcpdump
tr = sys.argv[1]
# open the file for reading only
f = open(tr, 'r')
# read the file's contents
s =
# close the file
f.close()
# split the contents into lines
s = s.split("\n")
for lines in s:
    # skip the empty line left after the trailing newline
    if not lines:
        continue
    # split each line into words
    words = lines.split(" ")
    # print the first, third, fifth and sixth words:
    # timestamp, source, destination and flag
    print(words[0], words[2], words[4], words[5])

The output of the Python script is given in Fig. 2.

Fig. 2. Output of the python Script

C. Storing The Network Traffic

The task of this module is to store the extracted traffic on the hard disk of the host system for further analysis. This module stores only the reduced traffic that has been used for the port scanning attack. This makes the amount of storage required low as compared to the normal technique, which is just to capture all the packets passing through the network interface and store them on the host system.

Now we are loading all the data into Mysql for further analysis. For this we have first made a table in Mysql. The command for making a table in Mysql is given below:

create table <table name> (a1 time, a2 varchar(50), a3 varchar(50), a4 varchar(50));

Loading the data into the table is then done with the following command:

load data infile 'filename.txt' into table <table name> fields terminated by ' ' lines terminated by '\n'

After this, the data in the table will be:

23:44:28 |                           | pankaj-laptop.local.42718: | S
23:44:28 | pankaj-laptop.local.42718 |                            | R

D. Analyzing Data Using MYSQL

This module analyzes the table stored in Mysql by the capture module, in order to discover the source of network attacks.

In this module we have to find only those IP addresses and port numbers that have sent S (SYN) packets to the host machine for a given time stamp. For this I have created a view, which is given below:

create view <view name> as (select a2 from <table name> where a4 = 'S' and a1 > time('t1') and a1 < time('t2'));

Now we have to count the number of S (SYN) packets that have been sent from each source IP address and port number. For this I am creating a view to count the number of SYN packets sent by the various IP addresses and port numbers:

select a2, count(*) from <view name> group by a2;

Fig. 3. The MYSQL view showing number of SYN packets sent by each ip

E. Classifying Data

Any IP address is categorized as suspicious if it sends a number of SYN packets greater than a given threshold in a given timestamp [8]. Here we made a program in C to define a threshold. If any IP address sends a number of SYN packets greater than the given threshold in the given timestamp, it is categorized as suspicious, otherwise normal. The value of the threshold may vary for other host machines; it should be chosen based on observation.
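As an added example (this is not code from the paper or its authors), the following Python script puts modules B, D and E together: it picks the same four fields out of one-line tcpdump output as the extraction script above, then does in Python what the paper does with the two MySQL views and the C threshold program, counting SYN packets per source inside a time window and marking sources above a threshold as suspicious. The sample capture, the host names scanner.local and client.local, the window and the threshold value are constructed for the illustration, and the function names are assumptions of this example; it also goes slightly beyond the paper by counting only SYN packets addressed to the monitored host.

```python
from collections import Counter
from datetime import datetime

# Constructed sample capture in the one-line tcpdump format the paper shows
# ("time IP src > dst: FLAGS ..."). Host names and ports are made up;
# "scanner.local" stands in for the source the paper's listing elides.
SAMPLE_CAPTURE = """\
23:44:28.426813 IP scanner.local.42718 > pankaj-laptop.local.22: S 4276666393:4276666393(0) win 2048 <mss 1460>
23:44:28.426862 IP pankaj-laptop.local.22 > scanner.local.42718: R 0:0(0) ack 4276666394 win 0
23:44:28.427101 IP scanner.local.42718 > pankaj-laptop.local.80: S 4276666393:4276666393(0) win 2048 <mss 1460>
23:44:28.427150 IP pankaj-laptop.local.80 > scanner.local.42718: S 11:11(0) ack 4276666394 win 5840 <mss 1460>
23:44:28.427400 IP scanner.local.42718 > pankaj-laptop.local.443: S 4276666393:4276666393(0) win 2048 <mss 1460>
23:44:29.100000 IP client.local.51510 > pankaj-laptop.local.80: S 100:100(0) win 5840 <mss 1460>
23:44:31.000000 IP scanner.local.42718 > pankaj-laptop.local.8080: S 4276666393:4276666393(0) win 2048 <mss 1460>
"""


def parse_line(line):
    """Pick the same four fields as the paper's script (words 1, 3, 5 and 6:
    timestamp, source, destination, flags) from one tcpdump line.
    Returns None for blank lines or lines not in the expected shape,
    instead of raising IndexError as a bare words[5] would."""
    words = line.split()
    if len(words) < 6 or words[1] != "IP" or words[3] != ">":
        return None
    stamp = datetime.strptime(words[0], "%H:%M:%S.%f").time()
    return stamp, words[2], words[4].rstrip(":"), words[5]


def extract_records(text):
    """Module B (extracting relevant traffic): the list of parsed records."""
    return [rec for rec in map(parse_line, text.splitlines()) if rec is not None]


def host_of(endpoint):
    """'scanner.local.42718' -> 'scanner.local' (tcpdump appends the port as
    the last dotted field)."""
    return endpoint.rsplit(".", 1)[0]


def syn_counts(records, target_host, t1, t2):
    """Module D in Python. The paper's first view keeps rows with a4 = 'S' and
    t1 < a1 < t2; its second view groups them by a2 (source) and counts.
    Restricting to packets whose destination is the monitored host is an
    addition of this example: in the old tcpdump flag notation a SYN-ACK sent
    back by the host also shows as 'S' and must not be counted as a scan."""
    lo = datetime.strptime(t1, "%H:%M:%S").time()   # same role as time('t1')
    hi = datetime.strptime(t2, "%H:%M:%S").time()   # same role as time('t2')
    counts = Counter()
    for stamp, src, dst, flags in records:
        if flags.startswith("S") and host_of(dst) == target_host and lo < stamp < hi:
            counts[src] += 1
    return counts


def classify(counts, threshold):
    """Module E: a source is suspicious when its SYN count in the window
    exceeds the threshold, otherwise normal. The threshold is site specific,
    as the paper notes; the value used in the demo below is illustrative."""
    return {src: ("suspicious" if n > threshold else "normal") for src, n in counts.items()}


def run_detection(text, target_host, t1, t2, threshold):
    """Whole pipeline B -> D -> E on captured text; returns (counts, verdicts)."""
    counts = syn_counts(extract_records(text), target_host, t1, t2)
    return counts, classify(counts, threshold)


if __name__ == "__main__":
    counts, verdicts = run_detection(SAMPLE_CAPTURE, "pankaj-laptop.local",
                                     "23:44:28", "23:44:30", threshold=2)
    for src, n in counts.most_common():
        print("%-24s %d SYN  %s" % (src, n, verdicts[src]))
```

With the constructed capture and a window of 23:44:28 to 23:44:30, scanner.local.42718 is credited with three SYN packets (the fourth falls outside the window) and client.local.51510 with one, so only the scanner exceeds a threshold of 2; the host's own SYN-ACK reply is ignored because its destination is not the monitored host.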
Fig. 4. Final results showing nodes as suspicious

A network forensics system is definitely a valuable investigation tool to discover the source of network attacks and to attribute the attacker. The following points can be concluded from this project:
1. A system is proposed and proved to be useful by implementing it for one specific network attack called port
2. The result discussed above shows the resultant improvement in the storage space required to store the log file of captured traffic by capturing only the traffic that is relevant for the analysis of the port scanning attack.
3. The result also shows that our implementation worked well and discovered the details of the attacker who scanned the ports of the host machine using the port scanning tool Nmap [9].

In the future, we are planning to extend the proposed mechanism with an investigation module, which will trace the actual attacker if the IP discovered by the proposed architecture is a spoofed one. Further, we also plan to implement the proposed system architecture to trace the source of each kind of network attack, such as DDOS (distributed denial of service) attacks, cross-site scripting attacks and buffer overflows. Our implementation worked slowly under heavy traffic, so future work can be to implement the proposed system architecture in a multiprocessing environment using CUDA etc.

[1] W. Ren and H. Jin, "Modeling the network forensics behaviors," Proc. 1st Int'l Conf. Security and Privacy for Emerging Areas in Communication Networks (SecureComm 2005), Sept. 2005, pp. 1–8.
[2] R. Chandran, "Network Forensics", in Know Your Enemy: Learning about Security Threats, Ed. L. Spitzner, Second Edition, Addison Wesley Professional, 2004, pp. 281–325.
[3] A white paper on "Examining port scan methods - Analyzing Audible Techniques". Internet: thods__Analyzing_Audible_Techniques_.html. [Last accessed: March 30, 2011].
[4] Port scanning methods [online] available: port-scanning-techniques.html. [Last accessed: March 5, 2011].
[5] Wikipedia website [online] available: [Last accessed: March 30, 2011].
[6] Tcpdump,
[7] Python tutorial,
[8] Kaushik, A.K.; Pilli, E.S.; Joshi, R.C., "Network forensic system for port scanning attack," Advance Computing Conference (IACC), 2010 IEEE 2nd International, vol., no., pp. 310–315, 19-20 Feb.
[9] Nmap,