The times shown are relative to the beginning of the video.

Time       Description
----       -----------
0:00-1:35  Logging into ManHunt and demonstrating that an interface
           connected to a hub is monitored.

1:35-2:50  This demonstrates how the experiment, described as a script of
           timed events, is pasted into the master server console, which
           then begins to execute the commands on the individual test-bed
           machines. During this segment, the mouse is used to highlight
           the parts of the script that describe the role of the
           attackers. Two nodes are instructed to execute a broadcast of
           ACK packets to random destinations; however, the source field
           is the victim, hence resulting in a flood of RST packets going
           to the victim. Our slides give the full experiment description,
           including the topology, BGP routers, Webstone clients, etc.

2:50-3:41  This demonstrates that one of the attackers is indeed sending
           out ACK packets, which can be seen on the attacker's first-hop
           router.

3:41-4:23  This shows that the node on which the ManHunt sensor resides
           indeed sees a lot of RST packets being directed at the Apache
           Web server (victim) node.

4:23-5:14  This demonstrates that Webstone is still running. At the very
           end of this segment, a second attack, a UDP square wave attack,
           begins. The RST reflection has already finished at this point.

5:14-7:05  In this segment, it is shown that Symantec ManHunt correctly
           sees the UDP square wave attack. ManHunt identifies the attack
           as a PortScan and an ICMP flood, due to a side effect caused by
           the attack: the attack results in a lot of ICMP packets
           informing spoofed hosts that no UDP services are running on
           ports that were selected at random. (The RST flood was not
           identified as a threat.)

7:05-7:18  At this point, Webstone has completed and a callback event was
           used to inform the master server to process the rest of the
           experiment, such that the collected data is copied to a central
           location.

7:18-7:47  The Webstone results file is shown here. The total throughput
           and number of pages read are much lower than they usually are
           with no attack present.

7:47-9:00  The data is copied to a Purdue machine and we run a script to
           produce graphs for visualization of the results.

9:00-9:05  This shows the total number of BGP updates for all the routers
           in the test network.

9:05-end   The other graphs show bytes per second, CPU utilization,
           established connections and packets per second. Only the bytes
           and packets per second are interesting in this case, though the
           other graphs would be interesting for attacks like SYN and
           NAPTHA attacks.

Note that the required human intervention is minimal. The user only runs the script at the master server and then simply waits for the experiment to complete, so that the data can be analyzed.