Detection of Reflected Cross-site Scripting
Attack
Pankaj Sahu, , A. K. Sarje
psahupec,sarjefec@iitr.ernet.in
Department of Electronics & Computer Engineering
Indian Institute of Technology, Roorkee
Roorkee, India-247667
Abstract—Network forensics is a new approach for the
incident investigation and emergence response, which also
enhances the network security from a different point of view.
With increasing cases of cyber crime network security and
network forensics have become a very important aspect of
Information Technology. Port scanning is commonly used by
attackers to find out vulnerabilities in computer networks. It is
a basic step in almost all kinds of attacks. In our paper we
propose an approach to detect port-scanning attacks. We used
tcpdump to capture packets, which were then analyzed. The
source ip of the attacks is identified. The software detects
suspicious IP addresses and lists them to the user. The system
was tested against NMAP tool which is a very common tool for
port scanning.
I. INTRODUCTION
Network Forensics is the field of tracking the source of attack
on a computer network by capturing, recording and analyzing
network events. Although network security can provide
various means to detect and prevent network attacks it cannot
locate the source of an attack, which is important from legal
point of view. Due to increasing attacks on the network, most
of the organizations today are interested “to reach the
attacker back after an attack happens in the organization”.
Network Forensics is “The use of scientifically proven
techniques to collect, fuse, identify, examine, correlate,
analyze, and document digital evidence from multiple,
actively processing and transmitting digital sources for the
purpose of uncovering facts related to the planned intent, or
measured success of unauthorized activities meant to disrupt,
corrupt, and or compromise system components as well as
providing information to assist in response to or recovery
from these activities” [1]. Network forensics is basically
about capturing and analyzing the network traffic and
investigating the actual attacker.
Various tools both open-source as well as commercial can be
used in network forensics. Tools like Wireshark ,Tcpdump,
and Snort are used in forensics analysis. They are used to
capture live packets which are further analyzed and presented
in an user understandable form.
A network forensics system has many uses[2]. It can be used
to detect anomalies in network traffic behavior and determine
if the anomaly is false or an actual attack. It can also be used

to track the source of the attack by determining the IP
address of the attacker, find out when the attack has been
done, find out if the IP is a spoofed one or not.
II.BACKGROUND
A. Port Scanning
It is a very basic attack and most attackers perform this
attack initially to determine which services are running on
the target machine and on which port. Sending a message to
each port sequentially performs this attack. The kind of
response received can indicate weather the port is open or not
and what kind of service is running. Using this an attacker
can create a list of potential weakness and vulnerabilities in
the open port leading to exploration and compromise of a
remote host. Various types of port scanning attacks are given
below[3][4].
ACK Scan
ACK scanning is one of the more unique scan types, as it
does not exactly determine whether the port is open or
closed, but whether the port is filtered or unfiltered. Simple
packet filtering will allow established connections (packets
with the ACK bit set), whereas a more sophisticated stateful
firewall might not.
An ACK scan operates by sending a TCP ACK frame to a
remote port. If there are no responses or an ICMP destination
unreachable message is returned, then the port is considered
to be "filtered”.
SYN Scan
SYN scan is the default and most popular scan option for
good reasons. It can be performed quickly, scanning
thousands of ports per second on a fast network not hampered
by restrictive firewalls.
Synscan is a flexible, scriptable TCP/IP test tool for
network testing and active OS fingerprinting. More
verbosely, synscan is a userend TCP/IP stack that can be used
to test many aspects and edge-conditions of a remote TCP
implementation and identify the operating system. By
modifying certain directives in the scripts, one can extract
different behavior from the remote implementation and use
this to identify it.
 B. TCPDUMP
Tcpdump is a common packet analyzer that runs under the
command line. It allows the user to intercept and display
TCP/IP and other packets being transmitted or received over
a network to which the computer is attached [5]. It is a very
useful tool for network forensics point of view; it provide the
ability to analyze network behavior, performance and
applications that generate or receive network traffic. In this
project, tcpdump has been used to capture the network traffic
from network interface because it is very easy to install and
requires relatively less memory.
Tcpdump is an open source packet sniffer which is capable
of capturing the network traffics and optionally logs those
captured traffic into some storage device. It provides the raw
input for network forensic analysis by sniffing the traffic
flowing through network devices such as switches and hubs.
Tcpdump sniffs the traffic from the Ethernet interface and
displays the headers of the traffic it has captured when it is
run in the sniffer mode.
system and destination port of the packet respectively. The
rest of second and third line above output gives the details
from the TCP header. The S shows the information about the
flags that which flag is set and which are not. In this case
only the S (SYN) flag is set which indicates that a connection
request is sent from source port of source IP to destination
port of destination IP. Rest of the line gives values of the
sequence number, acknowledgement number and window
size . <mss 1460> stands for Maximum Segment Size , which
the sender indicates to the receiver as 1460 bytes.
III. PROPOSED MECHANISM
The flow chart of Port scanning attack detection is given in
figure 1.

Tcpdump can be run from command line to read traffic

from the network interface, log the data to a file or database,
based on the option provided. Tcpdump has a rich set of
command-line options. Some of the most common used
command-line options are [6]:
• -A: Print each packet in ASCII format.
• -c : Exit after receiving count packets.
• -f : Print `foreign' IPv4 addresses numerically
rather than symbolically.
• -i : Listen on interface.
• -e : Print the link-level header on each dump
line.
• -l : Make stdout line buffered. Useful if you want
to see the data while capturing it..
• -v : Verbose option to display the TCP and IP
headers.
When we run Tcpdump with the –v (verbose) option, the
output of Tcpdump will look like the following structure:
17:27:03.315185 IP (tos 0x0, ttl 52, id 36117, offset 0,
flags [none], proto TCP (6), length 44) 192.168.209.1.36481
> pankaj-laptop.local.51510: S, cksum 0x9a8d (correct),
301755535:301755535(0) win 1024 <mss 1460>
E..,....4..a...........6..l.....`...........
17:27:03.315214 IP (tos 0x0, ttl 64, id 0, offset 0, flags
[DF], proto TCP (6), length 40) pankaj-laptop.local.51510 >
Fig. 1. Flow Chart of Port Scanning Attack Detection
192.168.209.1.36481: R, cksum 0xb636 (correct), 0:0(0) ack
301755536 win 0.
The above output shows the headers of two packets that
Tcpdump saw, separated by E..,....4..a...........6..l.....`.... line A. Capturing The Network Traffic
separator. The first few bytes of the output 17:27:03.315185
We are capturing the network traffic by following
is the time the packet was captured . The rest of the first line,
Tcpdump command
IP (tos 0x0, ttl 52, id 36117, offset 0, flags [none], proto TCP
Tcpdump –l –f –i eth0 tcp -> output file
(6), length 44) gives details of the IP header. It shows the the
tos(type of service), ttl (Time to Live) value, the IP B. Extracting Relevant Traffic
identification number, protocol used, length of IP header, and The task of this module is to extract the traffic that is
whether the DF (Do Not Fragment) bit is set or not. relevant for further analysis; here the strategy to extract the
The second line 192.168.209.1.36481 > pankaj- traffic as relevant may vary while investigating the source of
laptop.local.51510 gives source IP, source port, destination different kind of attacks. This strategy is limited to the port
scanning method and will be able to trace the attacker only if
attacker has used TCP-SYN method for port scanning. We then loading the data to the table is done by following
are using a python program to extract the relevant traffic command:
[10]. The reason behind choosing Python is given below. load data infile 'filename .txt' into table <table name>
If we see the pattern of network traffic at a glance: fields terminated by ' ' lines terminated by '\n'
23:44:28.426813 IP 192.168.111.3.52646 > pankaj- after this data in the table will be...
laptop.local.42718: S 4276666393:4276666393(0) win 2048 23:44:28|192.168.111.3.52646|pankaj-laptop.local.42718: | S
<mss 1460> 23:44:28 |pankaj-laptop.local.42718|192.168.111.3.52646: | R
23:44:28.426862 IP pankaj-laptop.local.42718 >
192.168.111.3.52646: R 0:0(0) ack 4276666394 win 0
D. Analyzing Data Using MYSQL
Here the data that we need is 23:44:28.426813 (time
stamp), 192.168.111.3.52646 (source ip address and port This module analyzes the table stored in the Mysql by the
number) ,pankaj-laptop.local.42718( destination address and capture module, in order to discover the source of network
port number) and S(syn packets). So we have to extract only attacks.
these details. In this module we have to find only those IP addresses and
If we have to make a program in C then we have to use port numbers that have sent S (syn) packets to the host
pattern matching which is complex. To avoid from this we machine for a given time stamp. For this I have created a
are implementing this in Python [7]. The program is given view which is given below:
below: create view <view name> as ( select a2 from <table
import sys name> where a4 ='S' and a1 > time ('t1') and a1 < time('t2'));
# using sys module to get script arguments
tr = sys.argv[1] Now have to count the number of S (syn) packets that have
# sys.argv list contains the command-line arguments sent from source IP address and port number.
f = open(tr,'r'); For this I am creating a view to count the number of syn
# open a file for read only packets send by various IP address and Port numbers.
s = f.read();
# read a file's contents select a2, count(*) from <view name> group by a2;
f.close();
# close file’s contents
s = s.split("\n");
# split a string into words
for lines in s:
# using for loop
words = lines.split(" ");
print words[0] , words[2] , words[4], words[5];
#printing first ,third, fifth and sixth word.
The output of the python script is given in Fig. 2.

Fig. 3. The MYSQL view showing number of SYN packets

sent by each ip
E. Classifying Data
Any IP address is categorized as suspicious if it sends
minimum number of SYN packets that are greater than a
Fig. 2. Output of the python Script given threshold in a given timestamp[8].
Here we made a program in C to define a threshold. If any
C. Storing The Network Traffic
IP address sends minimum number of SYN packets that are
The task of this module is to store the extracted traffic into greater than a given threshold in a given timestamp , it is
hard disk of the host system for further analysis. This module categorized as suspicious otherwise normal. Here the value
is pertaining only to store the reduced traffic that have been of threshold may vary for other host machine, it should be
used for port scanning attack. This leads the amount of chosen based on the observation.
storage required to be low as compared to the normal
technique that is just to capture all the packets passing
through network interface and store it to the host system.
Now we are loading all the data to Mysql for the further
analysis. For this first we have made a table in Mysql.
The command for making a table in Mysql is given below:
create table <table name> (a1 time, a2 varchar (50), a3
varchar(50), a4 varchar(50));
 2010 IEEE 2nd International , vol., no., pp.310-315, 19-20 Feb.
2010.
[9] Nmap,www.nmap.org.

Fig. 4. Final results showing nodes as suspicious

IV. CONCLUSIONS AND FUTURE WORKS

The A network forensics system is definitely a valuable
investigation tool to discover the source of network attacks
and to attribute the attacker. The following points can be
concluded from this project:
1. A system is proposed and proved to be useful by
implementing it for one specific network attack called port
scanning.
2. The result discussed above shows the resultant
improvement in the storage space required to store the log
file of captured traffic by capturing only the traffic those are
relevant for the analysis of port scanning attack.
3. The result also shows that our implementation worked
well and discovered the details of the attacker who scanned
the ports of host machine using Port Scanning tool Nmap[9].

In the future, We are planning to extend the proposed

mechanism by investigation module, which will trace the
actual attacker if the IP discovered by the proposed
architecture, is spoofed one. Further, we also plan to
implement the proposed system architecture to trace the
source of each kind of network attacks such as
DDOS(distributed denial of service) attack, Cross-scripting
attack and Buffer overflow etc. Our implementation worked
slowly in the heavy traffic so the future work can be to
implement the proposed system architecture in multi
processing environment using CUDA etc.

REFERENCES
[1] W. Ren and H. Jin, “Modeling the network forensics behaviors,”
Proc.1st Int’l Conf. Security and Privacy for Emerging Areas in.
Communication Networks (SecureComm 2005), Sept., 2005, pp. 1–8
[2] R. Chnadran, “Network Forensics”, in Know Your Enemy:
Learning about Security Threats, Ed. L. Spitzner, Second Edition,
Addison Wesley Professional, 2004, pp 281 – 325.
[3] A white paper on, “Examining port scan methods- Analyzing Audible
Techniques”. Internet:
http://www.windowsecurity.com/whitepapers/Examining_port_scan_me
thods__Analyzing_Audible_Techniques_.html.[Last accessed: March
30, 2011].
[4] Portscanningmethods[online]avalilablehttp://nmap.org/book/man-
port-scanning-techniques.html [Last accessed: March 5, 2011].
[5] Wikipedia website [online] available:
http://en.wikipedia.org/wiki/Tcpdump [Last accessed: March 30, 2011].
[6] Tcpdump , www.tcpdump.org.
[7] Python tutorial, www.tutorialspoint.com/python/index.html.

[8] Kaushik, A.K.; Pilli, E.S.; Joshi, R.C.; , "Network forensic system
for port scanning attack," Advance Computing Conference (IACC),