The UNIVERSITY of NORTH CAROLINA at CHAPEL HILL
Intrusion Detection – Backscatter and Global Analysis
Stefan Zota
Introduction
How prevalent are DoS attacks?
Quantitative analysis
Long-term predictions and recurring patterns of attacks
Measurement and Global Analysis
Outline
Challenges
Methods for Measuring DoS attacks
Firewall Logs
Network Telescopes
Internet Sinks
Backscatter
Background Radiation
Conclusions
Challenges
Attackers find ingenious ways of compromising remote hosts
Attackers give public access to the tools they use, so the hacking community improves
The size and complexity of the Internet make it impossible to remove all vulnerabilities
The sharing of information between networks is complicated by privacy issues
Very little understanding of intrusion activity on a global basis
Very hard to detect the length of an attack or combined-protocol attacks
Examples of Flow Anomalies
Barford and Plonka identify three categories:
Network Operation Anomalies
Flash Crowd Anomalies
Network Abuse Anomalies
Network Operation Anomalies
Outages, configuration changes, environmental limits
Flash Crowd Anomalies
Rapid rise in traffic flows to a particular destination, with a gradual drop-off over time
Network Abuse Anomalies
Identify DoS flow-flood attacks and port scans
They may not be apparent in bit-rate or packet-rate measurements
Goals
Characterization of the “non-productive” or malicious traffic
Develop a methodology for measuring intrusions
Filtering large traffic volume
Designing scalable flexible architectures
Building responders
Overview of Methods of Measuring DoS attacks
Firewall Logs: starting from a dataset like DSHIELD
Network Telescopes: large chunks of unused, globally routable IP space
Internet Sinks: unsolicited traffic for unused addresses
Passive and Active Monitoring
Backscatter: analysis of source addresses for attacks
Background Radiation: traffic to unused addresses (similar to Network Telescopes)
DSHIELD
Distributed Intrusion Detection System
An attempt to collect data about cracker activity from the Internet
Data contains:
Top worst offenders
Port scans
Block lists
Port report
IP Info
Subnet Report
Easy to filter packets
Network Telescopes
Chunk of globally routed IP address space
Little or no legitimate traffic
Unexpected traffic arriving at the network telescope can imply remote network/security events
It contains a lot of statistical and random data
It is good for seeing explosions, not small events
Internet Sinks
Monitors unused or dark IP
Packets for those addresses may be dropped by gateways or border routers
The size of the address space monitored is very important
Usually class A and B
Includes an active component: generates packets in response to incoming traffic
Extensible and scalable
Backscatter
Most denial-of-service attacks select source addresses at random for each sent packet
Shaft, TFN, Trinoo, Stacheldraht, Mstream, Trinity
It detects only attacks that use spoofed IPs
A router or an intermediate device may generate an ICMP response to the attack
Assumption: the victim's responses are equiprobably distributed across the entire Internet address space
Backscatter
Background Radiation
Monitor unused addresses
Detect non-productive traffic
Malicious: flooding backscatter, scans, worms
Benign: misconfigurations
What is all this nonproductive traffic trying to do?
How can we filter and detect new types of malicious activity?
Firewall Logs
Internet Intrusions: Global Characteristics and Prevalence
Data collected from 1600 networks over a 4-month period by DSHIELD.ORG
Each entry is recorded by firewalls and port scan logs recorded by NIDS (primarily Snort)
Assess the daily volume of intrusion attempts
Use the results to project intrusion activity in the entire Internet
Investigate utility of sharing intrusion detection information
Scans
Vertical: sequential or random scan of multiple ports (5 or more) of a single IP from the same source during a one-hour period; survey of well-known vulnerabilities (strobe scans)
Horizontal: scan from a single source to multiple IPs on the same port, looking for the same vulnerability
Coordinated: scans from multiple sources (5 or more) aimed at a particular port of destinations in the same /24 during a one-hour period; aggressive, active collaborative peers
Stealth: low-frequency horizontal and vertical scans; minimum threshold for average inter-scan distance
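The vertical, horizontal and coordinated definitions above, applied to firewall log records bucketed by hour. This is an added example written for these slides, not code from the Yegneswaran et al. paper or from DShield; the log records are constructed, and the 5-port / 5-source thresholds are the ones stated on the slide.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed firewall log records: (hour_bucket, src, dst, dport). Not DShield data.
LOG = [
    # vertical: one source probing five ports on one host within the same hour
    (0, "198.51.100.7", "203.0.113.10", 21), (0, "198.51.100.7", "203.0.113.10", 22),
    (0, "198.51.100.7", "203.0.113.10", 23), (0, "198.51.100.7", "203.0.113.10", 25),
    (0, "198.51.100.7", "203.0.113.10", 80),
    # horizontal: one source, port 80, several hosts
    (0, "198.51.100.9", "203.0.113.1", 80), (0, "198.51.100.9", "203.0.113.2", 80),
    (0, "198.51.100.9", "203.0.113.3", 80),
    # coordinated: five distinct sources hitting port 445 inside one /24 in the same hour
    (1, "192.0.2.1", "203.0.113.50", 445), (1, "192.0.2.2", "203.0.113.51", 445),
    (1, "192.0.2.3", "203.0.113.52", 445), (1, "192.0.2.4", "203.0.113.53", 445),
    (1, "192.0.2.5", "203.0.113.54", 445),
]


def slash24(ip):
    """Return the /24 containing ip, as a string key."""
    return str(ip_address(ip)).rsplit(".", 1)[0] + ".0/24"


def classify_scans(records, min_ports=5, min_sources=5):
    """Group records by one-hour bucket and apply the three scan definitions.
    Returns {"vertical": [...], "horizontal": [...], "coordinated": [...]}."""
    ports_per_src_dst = defaultdict(set)   # (hour, src, dst)   -> ports probed
    dsts_per_src_port = defaultdict(set)   # (hour, src, dport) -> destinations
    srcs_per_net_port = defaultdict(set)   # (hour, /24, dport) -> sources
    for hour, src, dst, dport in records:
        ports_per_src_dst[(hour, src, dst)].add(dport)
        dsts_per_src_port[(hour, src, dport)].add(dst)
        srcs_per_net_port[(hour, slash24(dst), dport)].add(src)

    out = {"vertical": [], "horizontal": [], "coordinated": []}
    for (hour, src, dst), ports in ports_per_src_dst.items():
        if len(ports) >= min_ports:                   # 5+ ports on one IP in one hour
            out["vertical"].append((src, dst, sorted(ports)))
    for (hour, src, dport), dsts in dsts_per_src_port.items():
        if len(dsts) > 1:                             # one source, one port, many IPs
            out["horizontal"].append((src, dport, len(dsts)))
    for (hour, net, dport), srcs in srcs_per_net_port.items():
        if len(srcs) >= min_sources:                  # 5+ sources, one port, one /24
            out["coordinated"].append((net, dport, len(srcs)))
    return out


if __name__ == "__main__":
    for kind, hits in classify_scans(LOG).items():
        print(kind, hits)
```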
Port Distribution
Persistence of Worm Activity
Top Sources (1)
Top Sources (2)
Top Sources (3)
Scan Types
Stealth Scan Types
Global Prevalence
Highly dynamic scanning patterns
How has the volume of scans changed over the last year?
Project daily scans to the entire Internet: average scans per IP * total number of IPs
Assumption: uniformity
Daily scan rate: 25B/day
Relatively steady rates for port 80 scans (decreasing)
Relatively steady rates for non-worm scans (increasing 25%)
Implications of Shared Information
Refinement extent provided by additional data
Relative entropy
Marginal utility metric: reduction of uncertainty resulting from the next experiment added to the aggregate set
Offline/Online
Experiments to evaluate the marginal utility of intrusion detection log sharing for worst-offender and port identification
Randomly select days and logs from the dataset and try to estimate the gain from aggregation
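The marginal-utility experiment above, worked through in code: aggregate worst-offender counts log by log and measure, with relative entropy, how much the next log shifts the aggregate distribution. This is an added example for these slides, not the paper's own code; the three per-network logs are constructed and the smoothing constant `eps` is an assumption that keeps the divergence finite when a log introduces a source the aggregate has never seen.

```python
import math
from collections import Counter

# Constructed per-network worst-offender logs: source IP -> hit count (not DShield data)
LOGS = [
    Counter({"192.0.2.10": 50, "192.0.2.11": 30, "198.51.100.5": 20}),
    Counter({"192.0.2.10": 40, "198.51.100.5": 35, "203.0.113.9": 25}),
    Counter({"192.0.2.10": 45, "192.0.2.11": 25, "198.51.100.5": 30}),
]


def distribution(counter):
    """Normalise hit counts into a probability distribution over sources."""
    total = sum(counter.values())
    return {k: v / total for k, v in counter.items()}


def relative_entropy(p, q, eps=1e-6):
    """D(p || q) in bits. Sources absent from q get probability eps (assumed smoothing),
    so a newly discovered offender shows up as a large, finite divergence."""
    return sum(pv * math.log2(pv / q.get(k, eps)) for k, pv in p.items() if pv > 0)


def marginal_utility(logs):
    """For each log after the first, the divergence between the aggregate distribution
    with that log added and the aggregate built from the logs before it."""
    gains, aggregate = [], Counter()
    for log in logs:
        before = distribution(aggregate) if aggregate else None
        aggregate += log
        after = distribution(aggregate)
        gains.append(None if before is None else relative_entropy(after, before))
    return gains


if __name__ == "__main__":
    # expected: a large gain for log 2 (new offender 203.0.113.9), a small one for log 3
    print(marginal_utility(LOGS))
```

Diminishing values down the list are the slide's point: once the aggregate already covers the sources a new peer sees, that peer adds little, which is why the benefit depends on the size and diversity of the peering group.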
Marginal Utility (1)
Marginal Utility (2)
Summary
1M – 3M scans per day
Widely distributed sources
Power law distribution for the number of events
Large amounts of scans for port 80
60-70% of non-worm scans are horizontal
A lot of daily vertical scan episodes
Coordinated worst offenders are responsible for a significant fraction of all scanning activity
The collaboration benefit is sensitive to the size and diversity of the peering group
Network Telescopes (1)
Assume random IP generation (scanning)
Network Telescopes (2)
Size of the telescope is important for:
Detecting events that generate fewer packets
Better accuracy in determining the attack interval
The probability of detecting events increases with the size of the telescope
Increase the size by using distributed telescopes
Advantages:
Reduces dependency on reaching a single block
Traffic load may be distributed over multiple sites
May avoid being skipped by some IP generation algorithms
Disadvantages:
Synchronization
Data distribution
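The size argument above, made concrete: under the random-IP-generation assumption each packet lands in a /n telescope with probability 2^(32-n)/2^32, and distributed telescopes simply add their coverage. This is an added example, not from the slides or from Moore's telescope work; the functions and the 95% confidence figure are assumptions chosen to illustrate sizing.

```python
import math


def hit_probability(prefix_len):
    """Fraction of the IPv4 space a single /prefix_len telescope covers."""
    return 2 ** (32 - prefix_len) / 2 ** 32


def combined_hit_probability(prefix_lens):
    """Coverage of a distributed telescope made of several disjoint blocks."""
    return sum(hit_probability(n) for n in prefix_lens)


def p_detect(coverage, packets):
    """Probability that at least one of `packets` uniformly random packets hits the telescope."""
    return 1 - (1 - coverage) ** packets


def packets_needed(coverage, confidence=0.95):
    """Smallest event size (packets) seen with the given confidence: the telescope
    is blind to anything smaller, which is why small telescopes only see explosions."""
    return math.ceil(math.log(1 - confidence) / math.log(1 - coverage))


def expected_seconds_to_first_hit(coverage, packets_per_second):
    """Mean delay before a scan or flood at this rate first reaches the telescope;
    a shorter delay means a tighter estimate of when the attack started."""
    return 1 / (coverage * packets_per_second)


if __name__ == "__main__":
    for n in (8, 16, 24):
        c = hit_probability(n)
        print(f"/{n}: need {packets_needed(c)} packets for 95% detection, "
              f"first hit of a 100 pkt/s event after ~{expected_seconds_to_first_hit(c, 100):.0f} s")
    # two /16 blocks cover as much as one /15
    print(combined_hit_probability([16, 16]) == hit_probability(15))
```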
Network Telescope Size (1)
Network Telescopes – Code Red
Daily Non-Worm Scan Rate
Daily Port 80 Scan Rate
Internet Sinks
iSink capabilities:
Trace packets
Respond actively
Masquerade as several applications
Fingerprint source hosts
Sample packets
Monitor 4 class B and one class A for 4 months
Stateless operation and sampling increase scalability
Class B blocks: holes between active subnets
Main objective: a highly interactive, scalable backplane for filtering attacks and misconfigurations
Architecture
3 main components:
Argus - Passive Monitor
• generic libpcap-based IP network auditing tool
• flow-level monitoring of sink traffic
Click - Active Sink
• Poll device
• IP Classifier for routing ARP, ICMP and TCP packets
• Windows Responder
NAT Filter
• Reduce responder-generated traffic volume
• Routes requests to appropriate responders
• Filter requests – connections to the first N destination IPs targeted by the source
VMware Honeynets – commodity VMware systems
NIDS – evaluate packet logs collected at the filter
iSink Deployment
Campus Enterprise Sink (CES)
iSink received unsolicited traffic for 100,000 IPs
Configure a “black-hole” intra-campus router to advertise the class B aggregate routes into the intra-campus OSPF
iSink did not participate in intra-campus routing
iSink is the destination of a static route
Unsolicited traffic falls through to the /16 routes, i.e. to iSink
Occasionally traffic for used addresses may fall to iSink because of nonexistent routes
Service Provider Sink (SPS)
Unsolicited traffic for 16 million IPs (class A)
ISP advertised class A via BGP to
SNMP measurements at switch ports for computing Argus packet loss
CES Inbound Traffic
SPS Inbound Traffic
Backscatter Packets
Unique Periodic Probes
TCP flow periodicity can be isolated to sources scanning port 139 (Server Message Block over NetBIOS) and port 445 (SMB)
Scans involve 256 IPs from a /24
Probes have a one-hour period
Small-scale periodicity superimposed over a daily periodicity
They built responders for NetBIOS and SMB
The scanning was done by the LovGate worm
• Email propagation; at execution, it copies itself to kernel66.dll, iexplore.exe etc.; backdoor (dropping a trojan) waiting on port 20168
• Dictionary attack
Set up a controlled experiment
Deterministic scanning
Small periods of synchronization
SMTP Hot-spot
One IP attracting a large number of SMTP scans
4.5 million scans from 14,000 unique IPs in 10 days
Uncommon TCP SYN fingerprint
All were DSL and cable modem hosts
They set up an SMTP responder
The source was a misconfigured wireless router
Uninitialized garbage value converted to an IP address
They looked for the printed ASCII version of the IP address and found it in all versions of firmware for the device
Scalability
Sampling
Reduced bandwidth
Improved scalability
Simplified data management and analysis
Adaptation of “heavy hitters” sampling
Subnet selection
Memory-constrained Sample and Hold
Identifies flows larger than a threshold
Random sampling (uniform class A traffic)
Hash containing flow id and byte count
Sampling rate based on empirical observation of traffic
Larger blacklists are easier to estimate
Summary
Clear evidence of well documented worms
New worm detection
Different overall characteristics between class B and class A
iSink on commodity PC hardware has the ability to monitor and respond to 20,000 connection requests per second (peak class A traffic)
Backscatter
Random source selection for each packet
Attack tools: Shaft, TFN, trinoo, Stacheldraht, mstream, Trinity
Equiprobable distribution of victim responses across all the Internet address space
Assumptions:
Address uniformity
Reliable delivery
Backscatter hypothesis
Ingress filtering
Reflector attacks
Flow Based Classification
Classification for individual attacks
Fixed flow lifetime (5-minute interval)
Conservative timeout suggests fewer, longer attacks
Shorter timeout suggests a large number of shorter attacks
Discard all flows with fewer than 100 packets and a duration less than 60 seconds
Used to avoid random Internet misconfigurations?
Event Based Classification
Used for highly variable attacks
Examine time-domain qualities on the victim IP:
Number of simultaneous attacks
Distribution of attack rates
Divide the trace in one minute periods
An attack event = the victim emits 10 backscatter packets during a minute
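Both classifications above (the 5-minute flow timeout with the 100-packet / 60-second filter, and the 10-packets-per-minute event rule), plus the rate scaling that the uniform-spoofing assumption permits, run over a small backscatter trace. This is an added example for these slides, not Moore et al.'s code; the trace is constructed, the telescope is assumed to be a /8, and the event threshold is treated as "at least 10".

```python
from collections import defaultdict

TELESCOPE_PREFIX = 8                               # assumed /8 telescope (1/256 of IPv4)
SCALE = 2 ** 32 / 2 ** (32 - TELESCOPE_PREFIX)     # observed packets -> estimated total (256)


def build_trace():
    """Constructed backscatter trace: (seconds, victim_ip) for each SYN/ACK or ICMP
    reply that reached the telescope. The victim is the *source* of these packets."""
    trace = []
    # victim A: 120 packets at 1 pkt/s -> one 119 s flow, two 1-minute event bins
    trace += [(t, "203.0.113.5") for t in range(0, 120)]
    # victim A again after a 10-minute gap (beyond the 5-minute timeout): 5 stray packets
    trace += [(t, "203.0.113.5") for t in range(720, 725)]
    # victim B: 30 packets in 30 s -> too small/short for the flow filter, but one event bin
    trace += [(t, "198.51.100.9") for t in range(3000, 3030)]
    return sorted(trace)


def flow_classify(trace, timeout=300, min_pkts=100, min_dur=60):
    """Flow-based: per victim, a gap longer than `timeout` closes the current flow;
    flows with fewer than min_pkts packets and shorter than min_dur are discarded."""
    per_victim = defaultdict(list)
    for t, v in trace:
        per_victim[v].append(t)                     # trace is time-sorted
    flows = []
    for v, times in per_victim.items():
        start, last, n = times[0], times[0], 0
        for t in times:
            if t - last > timeout:
                flows.append((v, start, last, n))
                start, n = t, 0
            last, n = t, n + 1
        flows.append((v, start, last, n))
    return [(v, s, e, n) for v, s, e, n in flows if not (n < min_pkts and e - s < min_dur)]


def event_classify(trace, threshold=10):
    """Event-based: (victim, minute, packets) for every 1-minute bin with >= threshold packets."""
    bins = defaultdict(int)
    for t, v in trace:
        bins[(v, t // 60)] += 1
    return sorted((v, m, n) for (v, m), n in bins.items() if n >= threshold)


def estimated_rate(packets, duration):
    """Victim's full response rate (pkt/s): observed backscatter scaled by the fraction
    of the address space the telescope covers, valid only under uniform spoofing."""
    return packets * SCALE / max(duration, 1)


if __name__ == "__main__":
    trace = build_trace()
    print("flows :", flow_classify(trace))
    print("events:", event_classify(trace))
    v, s, e, n = flow_classify(trace)[0]
    print(f"{v}: ~{estimated_rate(n, e - s):.0f} responses/s (only {n} seen)")
```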
Breakdown of response protocols
Breakdown of victim port numbers
Cumulative distributions of estimated attack rates
Attack Impact
No dominant mode for address distribution
A2 testing may be prevented
500 SYN packets overwhelm a server
38% of uniform random attacks
46% of event attacks
14,000 SYN packets overwhelm a specialized firewall
0.3% of uniform random attacks
2.4% of event attacks
They cannot assess the victim's connectivity loss
Cumulative Distribution of Attack Durations
Probability Density of Attack Durations
Victim Classification
Significant fraction directed against home machines (IRC channels)
2-3% target network infrastructure (name servers)
1-3% target routers
.net, .com and .ro are the main TLD attacked
Uniform AS distribution, more variation than TLD
95% of the victims were attacked fewer than 5 times
A couple of victims were attacked more than 50 times
Methodology of Background Radiation
Filtering
138 hosts scan more than half of LBL IPs
Can we include all unsuccessful connections?
Separating unwanted traffic from benign or transient-failure traffic
Goal: provide a complete characterization of radiation => construction of classifiers
Active Responders
Engage hosts
Elicit particular intentions from remote sources
Taming Traffic Volume
Scalability for responses on the order of billions of addresses
Source Connection Filtering: keep the first N connections initiated by each source
Source Port Filtering: keep N connections for each source/destination-port pair
Source Payload Filtering: keep one instance of each type of activity per source
Source/Destination Filtering: keep N connections per source/destination pair
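The four filtering policies above, and the iSink NAT filter's "first N destination IPs per source" rule from the Internet Sinks section, share one shape: a per-key budget that decides whether a responder should engage at all. This is an added example for these slides, not the iSink or honeynet filter code; the connection stream is constructed, and each policy is run separately so the reader can compare how much each one keeps.

```python
from collections import defaultdict

# Constructed stream of connection attempts: (src, dst, dport, activity). Not a real trace.
STREAM = [
    ("192.0.2.1", "203.0.113.1", 445, "samr-exe"),
    ("192.0.2.1", "203.0.113.2", 445, "samr-exe"),   # same source sweeping 445 horizontally
    ("192.0.2.1", "203.0.113.3", 445, "samr-exe"),
    ("192.0.2.1", "203.0.113.1", 80, "webdav"),      # same source, different port and payload
    ("192.0.2.1", "203.0.113.1", 80, "nimda"),
    ("192.0.2.2", "203.0.113.1", 135, "blaster"),
    ("192.0.2.2", "203.0.113.1", 135, "blaster"),    # repeat of an already-seen activity
]


def budget_filter(stream, key, n):
    """Keep a connection while fewer than n connections with the same key have been kept.
    Stateful per key; the state is what limits memory on class-A-sized address space."""
    kept, count = [], defaultdict(int)
    for conn in stream:
        k = key(conn)
        if count[k] < n:
            count[k] += 1
            kept.append(conn)
    return kept


def source_connection_filter(stream, n):      # first N connections per source
    return budget_filter(stream, lambda c: c[0], n)


def source_port_filter(stream, n):            # N per source/destination-port pair
    return budget_filter(stream, lambda c: (c[0], c[2]), n)


def source_payload_filter(stream):            # one instance per activity type per source
    return budget_filter(stream, lambda c: (c[0], c[3]), 1)


def source_destination_filter(stream, n):     # N per source/destination pair
    return budget_filter(stream, lambda c: (c[0], c[1]), n)


if __name__ == "__main__":
    total = len(STREAM)
    for name, kept in [("connection", source_connection_filter(STREAM, 2)),
                       ("port", source_port_filter(STREAM, 1)),
                       ("payload", source_payload_filter(STREAM)),
                       ("src/dst", source_destination_filter(STREAM, 1))]:
        print(f"{name:10s} keeps {len(kept)}/{total}")
```

Payload filtering is the only policy that keeps both the WebDAV and Nimda attempts from the same source, which is why it is the one that preserves the most distinct activity per responder engagement.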
Application Level Responders
Data Driven Approach
Responders for the most common forms of traffic
HTTP
NetBIOS
CIFS/SMB
DCE/RPC
Dameware
Emulate a few backdoors (MyDoom, Beagle)
Do not provide understanding of binary code
Top Level Responders
Honeynet Architecture
Traffic Composition
Snapshots:
80-hour traces collected at UW Campus on a /19 network
One-week trace at LBL on 10 contiguous /24 networks
One-week trace at a class A with 1/10 sampling
99% of TCP packets are TCP/SYN
8 ports (including 445, 80, 135) account for 83%
Radiation activity at LBL
Port Classification
Rank by the number of IPs
Filter bias against sources that try to reach multiple destinations
Assume destination symmetry
Focus on the popularity
Multi-source activity is intentional
Per session activity
Analyze the application-semantic-level distribution of background radiation
Port Activity (1)
TCP HTTP 80 – against Microsoft IIS: WebDAV, Nimda, Code Red II, Agobot
TCP DCE/RPC 135/1025 – against Endpoint Mapper: Blaster, Welchia, RPC170
TCP CIFS 139/445 – against NetBIOS Session Service for CIFS: Locator, Epmapper, Samr-exe, W32-Xibo
TCP Dameware 135/1025 – against Dameware Remote Control
TCP Virus Backdoors 3127/2745/4751 – MyDoom, Beagle (MZ-marked files)
Port Activity (2)
TCP Exploit Follow-Ups 1981/4444/9996 – two-step worms: Blaster, Sasser, Agobot, Welchia
UDP 53 – malformed DNS requests
UDP 137 – NetBIOS standard name queries
UDP WM Pop-Up Spam 1026/2027 – DCE/RPC exploits
UDP 1434 – Slammer
TCP 1433 – MS-SQL
TCP 5000 – Universal Plug and Play
Summary
Diurnal cycles in volume (bursty arrivals)
Prevalence and variability of radiation
Majority of traffic targets services with frequently exploited vulnerabilities
Domination for TCP SYN/RST packets
Consistent source activities across ports
Extremely dynamic traffic (daily)
For benign traffic, major shifts over lengthy time periods
Conclusions (1)
Scalable architectures for large numbers of monitored IPs (class A or multiple class B)
Combination of passive and active measurements
A large variety of filtering methods, with important assumptions
Big differences between traces, temporally and spatially
A lot of room for improvement in data-driven active responders
Conclusions (2)
Large number of intrusions (scans, exploits, worms) – millions per day
Widely distributed sources of attack
Horizontal scans cover 70% of all scanning
Diurnal (daily) cycles, extremely dynamic traffic
Blacklists (worst offenders) can prevent the majority of attacks
Frequently exploited vulnerabilities
Prevalence of Internet DoS attacks
References
Internet Intrusions: Global Characteristics and Prevalence, Vinod Yegneswaran, Paul Barford, Johannes Ullrich
On the Design and Use of Internet Sinks for Network Abuse Monitoring, Vinod Yegneswaran, Paul Barford, Dave Plonka
On the Marginal Utility of Network Topology Measurements, Paul Barford, Azer Bestavros, John Byers, Mark Crovella
Characteristics of Network Traffic Flow Anomalies, Paul Barford and David Plonka
Network Telescopes, David Moore
Inferring Internet Denial-of-Service Activity, David Moore
Characteristics of Internet Background Radiation, Ruoming Pang, Vinod Yegneswaran