How to Start Firewall Attack Projects Using NS3

To start a firewall attack using NS3, we’ll need to make a network scenario in which malicious nodes try to bypass, disable, or overload a firewall system. Firewalls manage the incoming and outgoing traffic depends on the security rules, and attacks able to contain firewall rule evasion, DoS targeting the firewall, or to utilize misconfigured rules.

Following is a sequential strategy to start and simulate firewall attacks using NS3:

Steps to Start Firewall Attack Projects in NS3

  1. Set Up NS3
  • We should install and build NS3 on the system:

./waf configure

./waf build

  • Verify the installation:

./waf –run hello-simulator

  1. Understand Firewall Attacks
  • Types of Firewall Attacks:
    1. Rule Evasion: Make use of misconfigured or weak rules to avoid the firewall.
    2. Traffic Overloading: To devastate the firewall including high traffic volume such as DoS attack.
    3. Spoofing Attacks: Avoid IP-based filtering to utilize fake IPs or ports.
    4. Fragmentation Attacks: Utilize fragmented packets avoiding inspection.
  • Simulation Goals:
    • Design the firewall like a packet filter.
    • Replicate malicious traffic measuring the firewall efficiency.
  1. Define the Network Topology
  • We make a network including:
    • Internal Nodes: Hosts defended with the support of firewall.
    • Firewall Node: A node to perform like a packet filter.
    • External Node: The attacker trying to break the firewall.
  • Example Topology:

NodeContainer internalNodes, firewallNode, externalNode;

internalNodes.Create(2);    // Two internal nodes

firewallNode.Create(1);     // Firewall

externalNode.Create(1);     // External attacker

PointToPointHelper p2p;

p2p.SetDeviceAttribute(“DataRate”, StringValue(“10Mbps”));

p2p.SetChannelAttribute(“Delay”, StringValue(“2ms”));

// Connect nodes

NetDeviceContainer internalToFirewall = p2p.Install(NodeContainer(internalNodes, firewallNode.Get(0)));

NetDeviceContainer externalToFirewall = p2p.Install(NodeContainer(externalNode.Get(0), firewallNode.Get(0)));

  1. Assign IP Addresses
  • We need to install the Internet stack and then allocate an IP addresses.

InternetStackHelper stack;

stack.Install(internalNodes);

stack.Install(firewallNode);

stack.Install(externalNode);

Ipv4AddressHelper address;

address.SetBase(“10.1.1.0”, “255.255.255.0”);

address.Assign(internalToFirewall);

address.SetBase(“10.1.2.0”, “255.255.255.0”);

address.Assign(externalToFirewall);

  1. Simulate the Firewall
  • We should execute a simple packet filter on the firewall node to utilize callbacks.

5.1 Packet Filtering

  • For filtering packets, we can describe rules at the firewall:

void FirewallFilter(Ptr<const Packet> packet, Ptr<Ipv4> ipv4, uint32_t interface) {

Ipv4Header ipv4Header;

packet->PeekHeader(ipv4Header);

// Example rules: Allow traffic only from internal nodes

if (ipv4Header.GetSource() == Ipv4Address(“10.1.1.1”) ||

ipv4Header.GetSource() == Ipv4Address(“10.1.1.2”)) {

NS_LOG_UNCOND(“Firewall: Allowed packet from ” << ipv4Header.GetSource());

} else {

NS_LOG_UNCOND(“Firewall: Dropped packet from ” << ipv4Header.GetSource());

}

}

Ptr<Ipv4> firewallIpv4 = firewallNode.Get(0)->GetObject<Ipv4>();

firewallIpv4->TraceConnectWithoutContext(“Rx”, MakeCallback(&FirewallFilter));

5.2 Stateful Inspection (Optional)

  • We can prolong the firewall examining the connection states or certain ports.
  1. Simulate Normal Traffic
  • We insert legitimate traffic among the internal nodes and external servers.

uint16_t port = 80;

UdpEchoServerHelper echoServer(port);

ApplicationContainer serverApp = echoServer.Install(internalNodes.Get(0));

serverApp.Start(Seconds(1.0));

serverApp.Stop(Seconds(10.0));

UdpEchoClientHelper echoClient(Ipv4Address(“10.1.1.1”), port);

echoClient.SetAttribute(“MaxPackets”, UintegerValue(50));

echoClient.SetAttribute(“Interval”, TimeValue(Seconds(0.1)));

echoClient.SetAttribute(“PacketSize”, UintegerValue(512));

ApplicationContainer clientApps = echoClient.Install(externalNode.Get(0));

clientApps.Start(Seconds(2.0));

clientApps.Stop(Seconds(10.0));

  1. Simulate Firewall Attacks

7.1 Rule Evasion

  • Transmit packets including spoofed IPs or ports:

void SpoofedTraffic(Ptr<Node> attacker, Ipv4Address targetAddress, uint16_t port) {

Ptr<Socket> socket = Socket::CreateSocket(attacker, TypeId::LookupByName(“ns3::UdpSocketFactory”));

InetSocketAddress remote = InetSocketAddress(targetAddress, port);

socket->Connect(remote);

Ptr<Packet> spoofedPacket = Create<Packet>((uint8_t*)”SpoofedData”, 10);

socket->Send(spoofedPacket);

}

Simulator::Schedule(Seconds(3.0), &SpoofedTraffic, externalNode.Get(0), Ipv4Address(“10.1.1.1”), 80);

7.2 Traffic Overloading (DoS)

  • Now, overflow the firewall including packets:

void FloodTraffic(Ptr<Node> attacker, Ipv4Address targetAddress, uint16_t port) {

Ptr<Socket> socket = Socket::CreateSocket(attacker, TypeId::LookupByName(“ns3::UdpSocketFactory”));

InetSocketAddress remote = InetSocketAddress(targetAddress, port);

socket->Connect(remote);

for (int i = 0; i < 1000; ++i) {

Simulator::Schedule(MicroSeconds(i * 100), [=]() {

Ptr<Packet> packet = Create<Packet>(1024);

socket->Send(packet);

});

}

}

Simulator::Schedule(Seconds(4.0), &FloodTraffic, externalNode.Get(0), Ipv4Address(“10.1.1.1”), 80);

7.3 Fragmentation Attack

  • To transmit fragmented packets avoiding the firewall:

void FragmentedTraffic(Ptr<Node> attacker, Ipv4Address targetAddress, uint16_t port) {

Ptr<Socket> socket = Socket::CreateSocket(attacker, TypeId::LookupByName(“ns3::Ipv4RawSocketFactory”));

InetSocketAddress remote = InetSocketAddress(targetAddress, port);

socket->Connect(remote);

for (int i = 0; i < 5; ++i) {  // Send 5 fragments

Ptr<Packet> fragment = Create<Packet>(256);  // Fragment size

Ipv4Header ipv4Header;

ipv4Header.SetFragmentOffset(i * 256);

ipv4Header.SetFlags(Ipv4Header::MF);

fragment->AddHeader(ipv4Header);

socket->Send(fragment);

}

}

Simulator::Schedule(Seconds(5.0), &FragmentedTraffic, externalNode.Get(0), Ipv4Address(“10.1.1.1”), 80);

  1. Enable Packet Tracing
  • For offline analysis, seize packets within Wireshark to utilize PCAP:

PointToPointHelper p2p;

p2p.EnablePcapAll(“firewall-attack”);

  1. Run the Simulation
  • We should compile and then run the simulation:

./waf –run firewall-attack

  1. Analyze the Attack
  • Go to the .pcap files within Wireshark:

wireshark firewall-attack-0-0.pcap

  • Search:
    • Dropped packets depend on the filtering rules.
    • Malicious traffic, which bypassed the firewall.
  1. Implement Mitigation
  • Improved Rules:
    • Detect the suspicious traffic patterns to utilize stateful inspection.
  • Traffic Rate Limiting:
    • From a single source, we can identify and stop excessive traffic.

void RateLimiter(Ptr<const Packet> packet) {

static std::map<Ipv4Address, int> packetCounts;

Ipv4Header ipv4Header;

packet->PeekHeader(ipv4Header);

packetCounts[ipv4Header.GetSource()]++;

if (packetCounts[ipv4Header.GetSource()] > 100) {

NS_LOG_UNCOND(“Rate limiter: Blocking traffic from ” << ipv4Header.GetSource());

}

}

Using NS3 environment, we conducted comprehensive simulation approach with examples for Firewall Attack Projects, which was simulated, with the capacity to provide more information related to this topic if needed.

Our team is here to help you brainstorm and come up with the best project ideas and topics. If you’re having trouble figuring out how to kick off Firewall Attack Projects using the NS3 tool, you can count on the researchers at phdprojects.org to handle your projects effectively and with top-notch quality. We also focus on firewall rule evasion and DoS attacks aimed at firewalls.