Network Measurements: Unused IP address space traffic analysis at SSSUP Campus Network
Francesco Paolucci, Piero Castoldi
Research Unit at Scuola Superiore Sant'Anna, Pisa, Italy
Italy-Tunisia Research Project sponsored by MIUR under the FIRB International program
1st year plenary meeting, Tunis, March 29, 2007
Unused address space traffic
Dumping the Internet traffic sent to the unused IP address space can give information about attacks towards the target subnetwork.
Since there is no legitimate reason for a host to send packets to those destinations, such traffic provides strong evidence of malicious activity, including DDoS backscatter, port scanning, and probe activity from active worms.
Useful Tools
Two kinds of tools acquire information about traffic to unused address space:
• Network telescopes
– work by monitoring traffic sent to communication dead-ends, such as unallocated portions of the IP address space
– can potentially provide early warning of a scanning-worm outbreak, and can yield excellent forensic information
• Honeypots
– are closely monitored network decoys serving several purposes
– they can distract adversaries from more valuable machines on a network
– they allow in-depth examination of adversaries during and after exploitation of a honeypot
When coupled with honeypots, telescopes can be used to interact with potentially malicious traffic in order to determine the intent behind the traffic, including the particular vulnerabilities being exploited and the follow-on activity after a compromise succeeds.
SSSUP unused traffic dumping
Scuola Superiore Sant'Anna Campus Network
• 8 different sites in Pisa and Pontedera
• Average incoming traffic: 25 Mbit/s
• 4 Class C (/24) address blocks
• Total IP address space = 1016 host addresses
• Utilized IP address space = 162 (16%)
Network sniffer and analyzer (measurement tools)
• Linux PC equipped with a high-performance Intel network interface card
• Sniffer: dumpcap (Wireshark suite)
• Analyzer and offline filtering: tshark and Wireshark
• Dumping point: the last switch towards the GARR network, with no NAT and no firewall in front of it, so packets are seen with their original destination addresses
Dumping methodology
• Only incoming traffic is traced
• 1-hour long dumps, twice a day, for a week
– Most anomalous activities last less than 1 hour
– Day-time and night-time traces give indications about traffic characteristics under high and low human-user load
• Light online filtering (at capture time)
• Complex offline filtering (a filter over the entire set of unused IP addresses)
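The two filtering stages above, as an added example that is not part of the original deck: a cheap BPF capture filter for dumpcap that keeps only packets addressed to the campus blocks, and the heavier offline selection (inside the blocks but not one of the used hosts) expressed both as a tshark/Wireshark display filter and as a Python check over exported (src, dst) pairs. The address blocks, used hosts and sample flows are constructed placeholders from the RFC 5737 documentation ranges, not the real SSSUP allocation.

```python
import ipaddress

# Constructed placeholders: the deck describes 4 Class C blocks (1016 host
# addresses) with 162 in use. These blocks and hosts are hypothetical
# (RFC 5737 documentation ranges), not the real campus allocation.
ALLOCATED_BLOCKS = ["192.0.2.0/24", "198.51.100.0/24"]
USED_HOSTS = {"192.0.2.1", "192.0.2.10", "192.0.2.80", "198.51.100.1", "198.51.100.25"}

# Constructed (ip.src, ip.dst) pairs standing in for an incoming-traffic dump.
SAMPLE_FLOWS = [
    ("203.0.113.5", "192.0.2.10"),       # used host: ordinary traffic
    ("203.0.113.5", "192.0.2.11"),       # unused address: telescope hit
    ("203.0.113.77", "198.51.100.200"),  # unused address: telescope hit
    ("203.0.113.9", "198.51.100.1"),     # used host
    ("203.0.113.9", "192.0.2.255"),      # broadcast, not a host address: ignored
]


def unused_addresses(blocks, used):
    """Host addresses of the allocated blocks that are not in use.

    hosts() skips the network and broadcast addresses, which is why 4 x /24
    gives the deck's 1016 candidate addresses rather than 1024.
    """
    used_ips = {ipaddress.ip_address(h) for h in used}
    unused = set()
    for block in blocks:
        net = ipaddress.ip_network(block, strict=True)
        unused.update(h for h in net.hosts() if h not in used_ips)
    return unused


def dumpcap_capture_filter(blocks):
    """Light online (BPF) filter for 'dumpcap -f': keep only packets addressed
    to the campus blocks. Cheap enough to run on the live interface."""
    return " or ".join(f"dst net {b}" for b in blocks)


def tshark_display_filter(blocks, used):
    """Complex offline filter for 'tshark -Y' or Wireshark: destination inside
    the blocks but not one of the used hosts. Writing it as 'in net and not in
    used' keeps the expression short even with hundreds of unused addresses."""
    net_terms = " or ".join(f"ip.dst == {b}" for b in blocks)
    used_terms = " or ".join(
        f"ip.dst == {h}" for h in sorted(used, key=ipaddress.ip_address))
    return f"({net_terms}) and not ({used_terms})"


def telescope_hits(flows, unused):
    """The same selection applied in Python to exported (src, dst) pairs."""
    return [f for f in flows if ipaddress.ip_address(f[1]) in unused]


if __name__ == "__main__":
    unused = unused_addresses(ALLOCATED_BLOCKS, USED_HOSTS)
    print(len(unused), "unused addresses")
    print("dumpcap -f", repr(dumpcap_capture_filter(ALLOCATED_BLOCKS)))
    print("tshark -Y", repr(tshark_display_filter(ALLOCATED_BLOCKS, USED_HOSTS)))
    for src, dst in telescope_hits(SAMPLE_FLOWS, unused):
        print("unused-space packet:", src, "->", dst)
```

The capture filter is deliberately coarse: it only has to drop traffic for other networks at line rate. The exact unused-address set is applied offline, where a long display filter costs nothing, and the Python check is handy when the same list must be applied to flow records exported with tshark -T fields.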
Global traffic results (25 Mbit/s incoming)
[Figure: two pie charts, TCP traffic by destination port and UDP traffic by destination port]
TCP packets: 86% of incoming packets; UDP packets: 13%.
TCP traffic by port: high ports (P2P, spam) 68%, HTTP (80) 16%, P2P server ports about 12%, port 8080 about 2%; SMTP (25), HTTPS (443), SSH (22), POP (110), Messenger (1863) and FTP (21) each 1% or less.
UDP traffic by port: high ports 82%, eDonkey (4662, 4672) 12%, DNS (53) 6%, OICQ (8000) 1%, MSN (1863) under 1%.
About 80% of the traffic is driven by peer-to-peer applications. Within the high-ports traffic (source and destination port > 1024) the values are spread out and no particular port stands out: P2P applications choose random high ports.
Unused traffic main results
• Traffic to unused addresses represents 0.2% of the total incoming packets on the whole subnet
• 4 packets/s, average rate 6 kbit/s
• The traffic activity profile is constant and independent of the time of day (no profile differences between day and night)
• Almost all of this traffic consists of TCP SYN packets or UDP spam packets
Packets statistics
Traffic protocol distribution (packets to unused addresses): TCP 54%, UDP 32%, ICMP 14%.
Packet length distribution (bins in bytes: 0-19, 20-39, 40-79, 80-159, 160-319, 320-639, 640-1279, 1280-2559): 67.61% of packets fall in the 40-79 byte bin and 29.52% in the 320-639 byte bin; every other bin is below 1%.
• TCP and ICMP packets are quite short (SYN and ping packets, about 70 bytes long)
• UDP packets are longer (about 500 bytes long)
Unused traffic sources (ten most active source addresses)
Source IP         Packets   % of total packets
193.194.89.102    9306      5%
193.205.39.28     5822      3%
74.7.94.205       4200      2.2%
193.111.95.32     4180      2.2%
12.161.101.51     3912      2%
221.209.110.8     3558      1.9%
207.176.236.7     3546      1.8%
221.209.110.13    3469      1.8%
222.28.80.5       3400      1.8%
202.97.238.200    3163      1.6%
TCP destination ports statistics
[Figure: pie chart of TCP destination ports for traffic to unused addresses]
Microsoft-DS SYN (445) 54%, EPMAP SYN (135) 18%, SSH (22) 5%, NetBIOS-SSN (139) 3%, ECHO SYN (7) 2%, POP3 (110) 2%, IMAP (143) 2%, FTP (21) 2%, HTTP (80) 2%, VETTCP (78) 1%, RADMIN (4899) 1%, MS-SQL-S (1433) 1%, DOMAIN SYN (53) 0%, SMTP (25) 0%, other 7%.
• Port 445 (Microsoft-DS: Active Directory and Windows shares; targeted by the Sasser, Agobot and Zobot worms)
• Port 135 (EPMAP, End Point Mapper / Microsoft RPC Locator Service; targeted by the Nachi and MSBlast worms)
• Port 22 (SSH SYN)
Together these three ports represent more than 75% of the total TCP traffic to unused addresses. Note that a SYN arriving at an address that never initiates connections is a scan or worm probe, whereas SYN+ACK or RST packets to the same addresses would be backscatter from spoofed-source DDoS floods elsewhere.
UDP destination ports statistics
[Figure: pie chart of UDP destination ports for traffic to unused addresses]
CAP (1026) 70%, port 1027 23%, MS-SQL-M (1434) 5%, NetBIOS-NS (137) 1%, SNMP (161) 0%, other 1%.
• Port 1026 (CAP, Calendar Access Protocol; Windows Messenger service spam)
• Port 1027 (unassigned; Messenger service spam)
• Port 1434 (MS-SQL Monitor; hosts infected with SQL Slammer)
Together these three ports represent 97% of the total UDP traffic to unused addresses.
ICMP packets
[Figure: pie chart of ICMP types for traffic to unused addresses]
• Ping request (type 8): 96%
• TTL exceeded (type 11): 2%
• Destination unreachable (type 3): 1%
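The per-protocol breakdowns on the TCP, UDP and ICMP slides above, as an added example that is not part of the original deck: a classifier over rows exported from the filtered dump (tshark -T fields) that tallies protocol shares, TCP SYN destination ports, UDP destination ports, ICMP types and the deck's packet-length bins, and separates bare SYNs (scans and worm probes) from SYN+ACK/RST backscatter. The rows are constructed for the example; the field order and the tshark invocation in the comment are assumptions about how the dump would be exported, not the authors' tooling.

```python
from collections import Counter

# Constructed rows in the order produced by an export such as
#   tshark -r dump.pcap -Y '<unused-address filter>' -T fields \
#          -e ip.proto -e frame.len -e tcp.flags -e tcp.dstport -e udp.dstport -e icmp.type
# They are made up for this example; they are not the SSSUP capture.
SAMPLE_ROWS = [
    # ip.proto, frame.len, tcp.flags, tcp.dstport, udp.dstport, icmp.type
    ("6", "62", "0x0002", "445", "", ""),    # SYN to Microsoft-DS
    ("6", "62", "0x0002", "445", "", ""),
    ("6", "62", "0x0002", "135", "", ""),    # SYN to EPMAP
    ("6", "62", "0x0002", "22", "", ""),     # SYN to SSH
    ("6", "60", "0x0012", "3389", "", ""),   # SYN+ACK: DDoS backscatter, not a scan
    ("17", "500", "", "", "1026", ""),       # Messenger spam
    ("17", "500", "", "", "1026", ""),
    ("17", "404", "", "", "1434", ""),       # SQL Slammer probe
    ("1", "70", "", "", "", "8"),            # ping request
    ("1", "70", "", "", "", "8"),
]

PROTO_NAMES = {"1": "ICMP", "6": "TCP", "17": "UDP"}
# Length bins (bytes) used by the deck's histogram.
LENGTH_BINS = [(0, 19), (20, 39), (40, 79), (80, 159), (160, 319),
               (320, 639), (640, 1279), (1280, 2559)]
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10


def length_bin(length):
    for lo, hi in LENGTH_BINS:
        if lo <= length <= hi:
            return f"{lo}-{hi}"
    return f">{LENGTH_BINS[-1][1]}"


def tcp_kind(flags_hex):
    """Classify a TCP packet seen at an address that never initiates traffic.

    A bare SYN is a connection attempt (scan or worm probe). A SYN+ACK or RST
    is a reply to a packet the unused address never sent, i.e. backscatter
    from a spoofed-source flood somewhere else on the Internet.
    """
    flags = int(flags_hex, 16)
    if flags & TCP_SYN and not flags & TCP_ACK:
        return "syn"
    if flags & (TCP_ACK | TCP_RST):
        return "backscatter"
    return "other"


def _pct(counter):
    total = sum(counter.values())
    return {k: round(100.0 * v / total, 1) for k, v in counter.items()} if total else {}


def summarize(rows):
    """Percent breakdowns of a filtered dump, in the shape of the deck's pies."""
    proto, kinds, syn_ports, udp_ports, icmp_types, bins = (Counter() for _ in range(6))
    for ip_proto, frame_len, tcp_flags, tcp_dport, udp_dport, icmp_type in rows:
        name = PROTO_NAMES.get(ip_proto, f"proto-{ip_proto}")
        proto[name] += 1
        bins[length_bin(int(frame_len))] += 1
        if name == "TCP":
            kind = tcp_kind(tcp_flags)
            kinds[kind] += 1
            if kind == "syn":               # only count ports that were actually probed
                syn_ports[int(tcp_dport)] += 1
        elif name == "UDP":
            udp_ports[int(udp_dport)] += 1
        elif name == "ICMP":
            icmp_types[int(icmp_type)] += 1
    return {
        "protocol_pct": _pct(proto),
        "tcp_kind_pct": _pct(kinds),
        "tcp_syn_dport_pct": _pct(syn_ports),
        "udp_dport_pct": _pct(udp_ports),
        "icmp_type_pct": _pct(icmp_types),
        "length_bin_pct": _pct(bins),
    }


if __name__ == "__main__":
    for name, table in summarize(SAMPLE_ROWS).items():
        print(name, table)
```

Keeping the SYN-only filter on the port tally matters: a backscatter SYN+ACK carries the victim's service port as its source and a random port as its destination, so mixing it into the destination-port pie would dilute the scan signal the deck is measuring.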
Burstiness characteristics
• Similar behaviour at day and night time
• Peaks of 3-4 Mbit/s instantaneous rate, measured over 300 ms intervals, during spam events
• Scan and ICMP events average about 1 kbit/s
[Figure: day-time and night-time traffic rate traces]
Traffic burstiness sorted by protocol
TCP, UDP and ICMP traffic behave differently:
• TCP
– "Constant" bursts (1 packet, inter-arrival time 4 s, duration 0.2 s, rate 0.4 kbit/s)
– Burst train events (event duration 100 s, each burst lasting 0.3 s with a 200 kbit/s peak rate)
• UDP
– Isolated 0.2 s long bursts with peak rates up to 3 Mbit/s (spam)
• ICMP
– Similar behaviour to TCP but with lower peak and average rates (ping)
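The burst measurements on the last two slides, as an added example that is not part of the original deck: instantaneous rate per protocol over fixed 300 ms bins (the deck's peak-rate figure), grouping of each protocol's packets into bursts by an inter-arrival gap, and the mean time between burst starts (the deck's t_inter). The packet timeline is constructed to have the shapes the deck describes (single TCP SYNs 4 s apart, one short UDP spam burst); the numbers are made up and the 50 ms gap threshold is an assumption.

```python
import math
from collections import defaultdict

# Constructed timeline of packets to unused addresses as (time_s, proto, frame_bytes).
# The shapes follow the deck's description; the values are made up for the example.
SAMPLE_PACKETS = sorted(
    [(t, "TCP", 62) for t in (0.0, 4.0, 8.0)]                  # single SYNs, 4 s apart
    + [(10.0 + i * 0.004, "UDP", 1500) for i in range(50)]     # 50 packets in 0.196 s
    + [(11.0, "ICMP", 70)]                                      # one ping request
)


def rate_per_bin(packets, bin_s=0.3):
    """kbit/s per (proto, bin) over fixed windows of bin_s seconds; the deck
    quotes instantaneous peaks over 300 ms intervals."""
    bits = defaultdict(float)
    for t, proto, length in packets:
        bits[(proto, math.floor(t / bin_s))] += 8.0 * length
    return {key: b / bin_s / 1000.0 for key, b in bits.items()}


def peak_rate(packets, proto, bin_s=0.3):
    """Highest bin rate (kbit/s) seen for one protocol, 0.0 if it never appears."""
    return max((r for (p, _), r in rate_per_bin(packets, bin_s).items() if p == proto),
               default=0.0)


def bursts(packets, gap_s=0.05):
    """Split each protocol's packets into bursts: a new burst starts whenever
    the inter-arrival time exceeds gap_s (assumed threshold).
    Returns (proto, start_s, duration_s, n_packets, bytes) sorted by start."""
    by_proto = defaultdict(list)
    for t, proto, length in packets:
        by_proto[proto].append((t, length))
    result = []
    for proto, pkts in by_proto.items():
        pkts.sort()
        start = last = pkts[0][0]
        n = nbytes = 0
        for t, length in pkts:
            if t - last > gap_s:
                result.append((proto, start, last - start, n, nbytes))
                start, n, nbytes = t, 0, 0
            last, n, nbytes = t, n + 1, nbytes + length
        result.append((proto, start, last - start, n, nbytes))
    return sorted(result, key=lambda b: b[1])


def mean_inter_burst(burst_list, proto):
    """Mean time between burst starts for one protocol (the deck's t_inter);
    None when fewer than two bursts were seen."""
    starts = [b[1] for b in burst_list if b[0] == proto]
    if len(starts) < 2:
        return None
    return (starts[-1] - starts[0]) / (len(starts) - 1)


if __name__ == "__main__":
    found = bursts(SAMPLE_PACKETS)
    for proto, start, duration, n, nbytes in found:
        print(f"{proto:4s} start={start:7.3f}s duration={duration:.3f}s pkts={n:3d} bytes={nbytes}")
    for proto in ("TCP", "UDP", "ICMP"):
        print(proto, "peak", round(peak_rate(SAMPLE_PACKETS, proto), 2), "kbit/s",
              "t_inter", mean_inter_burst(found, proto))
```

Bursts are grouped per protocol before the gap test so that an ICMP echo landing between two TCP SYNs does not split or merge a TCP burst. The bin width sets what "instantaneous" means: the same 50-packet spam burst reports a far lower peak with a 1 s bin, which is why the deck states its 300 ms interval alongside the 3-4 Mbit/s figure.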