Visualizing Network Attacks
Eric Conrad
http://www.ericconrad.com
April 2009

A picture is worth 1,000 words
• Many network, security and system engineers have trained themselves to correlate complex information from text-based representations of events
  – Like Cypher in The Matrix
• However, many concepts lend themselves to visual interpretation

One example: visual cryptanalysis of DES ECB mode
• The Data Encryption Standard (DES) is a block cipher that can be run in a number of modes of operation
• The 'native' mode, Electronic Code Book (ECB), does not 'chain' the ciphertext
  – Identical 64-bit blocks of plaintext become identical 64-bit blocks of ciphertext
• As a result, patterns in the plaintext propagate into the ciphertext
• The chaining modes (Cipher Block Chaining being the common one) mix the previous ciphertext block into the encryption of the next block, so identical plaintext blocks no longer produce identical ciphertext and the patterns are destroyed

Showing weaknesses of DES ECB mode
• Left image is a BMP, right image is the same BMP encrypted in ECB mode: the outline of the logo survives encryption because the repeated background blocks encrypt to repeated ciphertext blocks

Showing the effects of chaining
• Same logo, Cipher Block Chaining (CBC) mode ciphertext on the right: no structure is visible

DAVIX
• DAVIX is a live CD for data analysis and visualization
• Available at http://secviz.org/
• Burn the ISO to CD and boot your laptop into a rich visualization environment

The DAVIX Live CD
• The DAVIX start menu links to all major tools
• Visualization work is broken down into 3 processes: Capture, Process, Visualize

The DAVIX process
• Capture includes tools that capture network data, like wireshark, tcpdump, etc.
• Process includes tools that manipulate data, such as afterglow.pl, as well as the classic Unix shell tools such as sed, awk, perl and grep
• Visualize includes tools to display the data

A word on tools
• All tools mentioned in this paper are on the DAVIX 1.0.1 distribution
• All graphics used in this paper were generated directly from the DAVIX live CD
• You may download all scripts in this paper at http://files.ericconrad.com/viz-current.tgz
• All example commands in this paper will work directly on the DAVIX live CD

Dot
• Dot is a language used to describe graphs
• Example digraph (directed graph) in the Dot language; the resulting image shows A pointing to B, and B pointing to both C and D:
    digraph directed {
        A -> B -> C;
        B -> D;
    }

Turning Dot into graphics
• Graphviz (Graph Visualization Software) includes a number of programs to manipulate Dot programs
  – http://graphviz.org/
• Includes tools that take a Dot file as input and create a graphics file as output
• This paper uses the Graphviz tools 'twopi' and 'neato'
  – twopi uses a 'radial model' to lay out nodes
  – neato uses a 'spring model' to lay out nodes

Afterglow
• Afterglow takes CSV files as input and creates a Dot language file as output
• Makes creating directed graphs very easy
• The graph on the right was created with:
    echo "1,2,3" | afterglow.pl | neato -Tpng -o example.png

Two-column mode
• Two-column mode has 2 types of nodes: source and target
• This graph shows 2 source nodes connecting to three targets

Afterglow two-column example: normal ARP requests

'ARP bomb': scan of unused IP addresses (one source node fanning out to many targets)

Three-column mode
• Three-column mode adds an 'event' node
• Source nodes connect to targets via 'events'
• Example event: protocol type

Visualizing honeypot attacks
• Let's use the Dot language to visualize attacks vs. a honeypot
• Data is from the Honeynet Project® Scan of the Month 27:
  – "During its first week of operation, the honeypot was repeatedly compromised by attackers and worms exploiting several distinct vulnerabilities. Subsequent to a successful attack, the honeypot was joined to a large botnet."
• Source: http://www.honeynet.org/scans/scan27/
• What do the attacks look like visually?

The attacks, visually

Visual traceroute with Dot
• Generate a route graph with Dot:
  – traceroute to the top 100 internet sites
  – Compute the average round-trip time (RTT) to each hop
  – Draw a directed graph showing all connections within 6 hops
  – Display nodes with colors showing RTT
• First node is blue (and larger)
• Nodes < 15 ms are palegreen
• Nodes < 30 ms are green
• Nodes < 45 ms are yellow
• Rest are red

Visualizing Mitnick vs. Shimomura
• One of the most famous network attacks occurred on Christmas Day, 1994, when Kevin Mitnick allegedly attacked Tsutomu Shimomura's systems
• The attack exploited a trust relationship between Shimomura's 'x-terminal' and 'server'
• Shimomura analyzed the attack, and was kind enough to post a detailed post mortem of the attack to the comp.security.misc Usenet group
  – Including tcpdump output

The players
• 4 systems were involved in the attack:
  – apollo.it.luc.edu: the source of the attack
  – server: a host trusted by x-terminal
  – x-terminal: the target, which trusts server
  – 130.92.6.97: used as the spoofed source for the DoS attack
• There was no live system at this IP address at the time of the attack

The attack
• Goal was to forge a connection 'from' server to x-terminal
  – DoSed server from the spoofed source 130.92.6.97, so that server could not answer (and reset) the forged connection
  – Harvested TCP sequence numbers from x-terminal
  – Spoofed a connection 'from' server to x-terminal
• The attacker never saw x-terminal's SYN/ACK (it went to the real server), so the initial sequence number x-terminal would use had to be predicted from the harvested samples and acknowledged blind, as that sequence number plus 1
• Let's use Shimomura's analysis to see the attack visually

Mitnick vs. Shimomura

rumint: 'rumors in the network'
• Another useful DAVIX tool is rumint, a 'PVR for Network Traffic and Security Visualization'
  – 'rumint' is short for 'rumor intelligence'
  – Site: www.rumint.org
• Much of what IDS analysts must do is separate useful signals from noise
• rumint is useful for 'spotting the outlier'

Analyzing honeypot with rumint

rumint 'text rainfall' mode
• Matrix-style falling text from a live network capture or a pcap file
• This shows botnet IRC command and control traffic

Any questions?
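The ECB versus CBC slides show the effect on a BMP; the following is an added example (not from the slides or the author's script tarball) that reproduces the same effect numerically. DES is not in the Python standard library, so a small hash-based Feistel network stands in for the 64-bit block cipher; this is an assumption of the example, and the ECB/CBC behaviour it shows depends on the mode, not on which block cipher is underneath. The 'bitmap' is a constructed buffer with a square drawn on a plain background.

```python
"""Pattern propagation in ECB vs. CBC, reproduced on a constructed bitmap.

Added example, not from the original slides. A hash-based Feistel network
stands in for DES (assumption: any 64-bit block cipher behaves the same way
under these modes).
"""
import hashlib

BLOCK = 8          # 64-bit blocks, the DES block size
ROUNDS = 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, r: int, half: bytes) -> bytes:
    """Keyed round function: SHA-256 of (key, round number, half block), truncated to 4 bytes."""
    return hashlib.sha256(key + bytes([r]) + half).digest()[:4]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Encrypt one 8-byte block with a Feistel network (stand-in for DES)."""
    assert len(block) == BLOCK
    left, right = block[:4], block[4:]
    for r in range(ROUNDS):
        left, right = right, _xor(left, _round(key, r, right))
    return right + left            # final swap, as in DES


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    """Inverse of toy_encrypt_block: undo the swap, run the rounds backwards."""
    right, left = block[:4], block[4:]
    for r in reversed(range(ROUNDS)):
        left, right = _xor(right, _round(key, r, left)), left
    return left + right


def _blocks(data: bytes) -> list:
    assert len(data) % BLOCK == 0, "example assumes block-aligned input (no padding)"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """ECB: every block is encrypted independently, so equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(toy_encrypt_block(key, b) for b in _blocks(data))


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """CBC: each plaintext block is XORed with the previous ciphertext block before encryption."""
    out, prev = [], iv
    for b in _blocks(data):
        prev = toy_encrypt_block(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def make_bitmap() -> bytes:
    """Constructed stand-in for the logo BMP: 32 rows of 32 bytes, white (0xff)
    background with a black (0x00) square in the middle; each row is 4 blocks."""
    rows = []
    for y in range(32):
        row = bytearray(b"\xff" * 32)
        if 8 <= y < 24:
            row[8:24] = b"\x00" * 16
        rows.append(bytes(row))
    return b"".join(rows)


def block_pattern(data: bytes) -> list:
    """Label each block by first appearance, e.g. [0, 0, 1, 1, 0, ...]. Two buffers with
    the same pattern show the same 'picture' even if the block contents differ."""
    seen, pattern = {}, []
    for b in _blocks(data):
        pattern.append(seen.setdefault(b, len(seen)))
    return pattern


def distinct_blocks(data: bytes) -> int:
    return len(set(_blocks(data)))


def demo(key: bytes = b"8bytekey", iv: bytes = b"\x00\x01\x02\x03\x04\x05\x06\x07") -> dict:
    """Distinct-block counts for plaintext, ECB and CBC. The fixed key and IV are for
    reproducibility only; real CBC needs an unpredictable IV for every message."""
    plain = make_bitmap()
    ecb = ecb_encrypt(key, plain)
    cbc = cbc_encrypt(key, iv, plain)
    return {
        "blocks": len(plain) // BLOCK,
        "plain_distinct": distinct_blocks(plain),
        "ecb_distinct": distinct_blocks(ecb),
        "cbc_distinct": distinct_blocks(cbc),
        "ecb_keeps_picture": block_pattern(ecb) == block_pattern(plain),
        "cbc_keeps_picture": block_pattern(cbc) == block_pattern(plain),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The 128-block bitmap contains only two distinct plaintext blocks, and ECB output contains exactly two distinct ciphertext blocks in the same positions, which is the 'visible logo' of the slide; CBC output has 128 distinct blocks and the position pattern is gone.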
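The Afterglow, two-column and three-column slides describe a CSV-to-Dot conversion; the following is an added example that re-implements that idea in Python so the resulting Dot can be piped into neato exactly as in the slide's command. It is not afterglow.pl's own code and does not reproduce afterglow's default styling: the node shapes, the decision to draw a value that appears as both source and target as two nodes, and the red fill for a source with many targets (the 'ARP bomb' of the scan slide) are this example's choices. The ARP records are constructed.

```python
"""Afterglow-style CSV to Dot conversion, in two- and three-column mode.

Added example; a small re-implementation of the idea, not afterglow.pl.
Column 1 is the source node, the last column is the target node, and a
middle column (if present) is an 'event' node placed between them.
"""
import csv
import io
from collections import defaultdict

# Constructed two-column records (source,target): ordinary ARP who-has traffic.
NORMAL_ARP = """\
10.0.0.5,10.0.0.1
10.0.0.7,10.0.0.1
10.0.0.1,10.0.0.5
"""

# Constructed 'ARP bomb': one host asking for every address in a range in turn.
ARP_SCAN = "".join(f"10.0.0.99,10.0.0.{n}\n" for n in range(1, 21))

# Constructed three-column records (source,event,target) with protocol as the event.
THREE_COL = """\
10.0.0.5,arp,10.0.0.1
10.0.0.5,tcp,10.0.0.20
10.0.0.7,udp,10.0.0.53
"""

SHAPES = {"source": "ellipse", "event": "box", "target": "diamond"}   # example's choice


def parse_csv(text: str) -> list:
    """Rows of 2 or 3 fields; blank lines are skipped, anything else is an error."""
    rows = [r for r in csv.reader(io.StringIO(text)) if r]
    bad = [r for r in rows if len(r) not in (2, 3)]
    if bad:
        raise ValueError(f"expected 2 or 3 columns, got {bad[0]}")
    return rows


def fan_out(rows: list) -> dict:
    """Distinct targets per source: a scanner stands out as one node with many edges."""
    targets = defaultdict(set)
    for row in rows:
        targets[row[0]].add(row[-1])
    return {src: len(t) for src, t in targets.items()}


def _q(s: str) -> str:
    return '"' + s.replace('"', '\\"') + '"'


def csv_to_dot(rows: list, name: str = "afterglow", scan_threshold: int = 10) -> str:
    """Emit a Dot digraph. Sources with >= scan_threshold distinct targets are filled red."""
    nodes, edges = {}, []          # id -> (label, role); edges in input order, de-duplicated
    hot = {s for s, n in fan_out(rows).items() if n >= scan_threshold}

    def node(role: str, value: str) -> str:
        nid = f"{role}:{value}"     # one node per (role, value)
        nodes.setdefault(nid, (value, role))
        return nid

    for row in rows:
        chain = [node("source", row[0])]
        if len(row) == 3:
            chain.append(node("event", row[1]))
        chain.append(node("target", row[-1]))
        for a, b in zip(chain, chain[1:]):
            if (a, b) not in edges:
                edges.append((a, b))

    out = [f"digraph {name} {{", "  node [fontsize=10];"]
    for nid, (label, role) in nodes.items():
        attrs = [f"label={_q(label)}", f"shape={SHAPES[role]}"]
        if role == "source" and label in hot:
            attrs += ["style=filled", "fillcolor=red"]
        out.append(f"  {_q(nid)} [{', '.join(attrs)}];")
    for a, b in edges:
        out.append(f"  {_q(a)} -> {_q(b)};")
    out.append("}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Same pipeline as the slide:  python3 csv2dot.py | neato -Tpng -o example.png
    print(csv_to_dot(parse_csv(ARP_SCAN)))
```

On the normal ARP records every source has a fan-out of one; on the scan records the single source reaches twenty targets and is the only red node in the graph, which is what makes the 'ARP bomb' visible at a glance.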
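The 'Visual traceroute with Dot' slide lists the steps (average RTT per hop, edges within 6 hops, colour thresholds); the following is an added example that carries those steps through in Python. It is not the script from the author's tarball. It parses Linux-style traceroute output, constructed below with RFC 5737 documentation addresses, averages every probe time seen for a hop address across all traces, keeps the first 6 hops, and colours nodes with the slide's thresholds. Two choices the slide does not state are made here: the host running traceroute is drawn as the blue 'first node', and a hop that only answered '* * *' is skipped so that its neighbours are joined directly.

```python
"""Visual traceroute: average RTT per hop, then a Dot graph coloured by RTT.

Added example, not the slides' script. Input is constructed traceroute output.
"""
import re
from collections import defaultdict

# Constructed traceroute output for two destinations (documentation addresses).
TRACES = """\
traceroute to site-a.example (203.0.113.10), 30 hops max, 60 byte packets
 1  gw (192.0.2.1)  1.1 ms  0.9 ms  1.0 ms
 2  198.51.100.1 (198.51.100.1)  12.0 ms  14.0 ms  13.0 ms
 3  198.51.100.9 (198.51.100.9)  28.0 ms  31.0 ms  29.5 ms
 4  * * *
 5  203.0.113.10 (203.0.113.10)  46.0 ms  44.0 ms  45.0 ms
traceroute to site-b.example (203.0.113.20), 30 hops max, 60 byte packets
 1  gw (192.0.2.1)  1.3 ms  1.1 ms  1.2 ms
 2  198.51.100.1 (198.51.100.1)  15.0 ms  16.0 ms  17.0 ms
 3  198.51.100.33 (198.51.100.33)  40.0 ms  42.0 ms  44.0 ms
 4  203.0.113.20 (203.0.113.20)  60.0 ms  61.0 ms  62.0 ms
 5  203.0.113.21 (203.0.113.21)  63.0 ms  63.0 ms  63.0 ms
 6  203.0.113.22 (203.0.113.22)  64.0 ms  64.0 ms  64.0 ms
 7  203.0.113.23 (203.0.113.23)  65.0 ms  65.0 ms  65.0 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\(([\d.]+)\)((?:\s+[\d.]+\s+ms)+)")
ORIGIN = "me"       # the host running traceroute; drawn as the blue first node (example's choice)
MAX_HOPS = 6        # from the slide: connections within 6 hops


def parse_traceroutes(text: str) -> list:
    """One list per trace of (hop_number, address, [rtt_ms, ...]); '* * *' hops are dropped."""
    traces = []
    for line in text.splitlines():
        if line.startswith("traceroute to"):
            traces.append([])
            continue
        m = HOP_RE.match(line)
        if m and traces:
            rtts = [float(x) for x in re.findall(r"([\d.]+)\s+ms", m.group(3))]
            traces[-1].append((int(m.group(1)), m.group(2), rtts))
    return traces


def hop_averages(traces: list, max_hops: int = MAX_HOPS) -> dict:
    """Average RTT per hop address over all probes in all traces (first max_hops hops only)."""
    samples = defaultdict(list)
    for trace in traces:
        for hop, addr, rtts in trace:
            if hop <= max_hops:
                samples[addr].extend(rtts)
    return {addr: sum(v) / len(v) for addr, v in samples.items()}


def hop_edges(traces: list, max_hops: int = MAX_HOPS) -> set:
    """Edges origin -> hop1 -> hop2 ... within max_hops; a missing hop joins its neighbours."""
    edges = set()
    for trace in traces:
        prev = ORIGIN
        for hop, addr, _ in sorted(trace):
            if hop > max_hops:
                break
            edges.add((prev, addr))
            prev = addr
    return edges


def color_for(avg_ms: float) -> str:
    """Thresholds from the slide."""
    if avg_ms < 15:
        return "palegreen"
    if avg_ms < 30:
        return "green"
    if avg_ms < 45:
        return "yellow"
    return "red"


def traceroute_dot(text: str) -> str:
    traces = parse_traceroutes(text)
    avg, edges = hop_averages(traces), hop_edges(traces)
    out = ["digraph routes {", "  node [style=filled, fontsize=9];",
           f'  "{ORIGIN}" [fillcolor=blue, fontcolor=white, width=1.2, height=1.2];']
    for addr, ms in sorted(avg.items()):
        out.append(f'  "{addr}" [label="{addr}\\n{ms:.1f} ms", fillcolor={color_for(ms)}];')
    for a, b in sorted(edges):
        out.append(f'  "{a}" -> "{b}";')
    out.append("}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(traceroute_dot(TRACES))   # pipe into:  twopi -Tpng -o routes.png
```

Note that a hop shared by several traces (192.0.2.1 and 198.51.100.1 here) becomes one node whose colour reflects all of its samples, and that the seventh hop of the second trace is neither a node nor an edge.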
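The 'The players' and 'The attack' slides give the steps of the 1994 attack in prose; the following is an added simulation of those steps in Python. It is not from the slides and not from Shimomura's post mortem. It models a 1994-era TCP stack whose initial sequence number (ISN) grows by a fixed step per connection (the step value is constructed; the page does not give the real generator's behaviour) and an attacker that harvests ISNs with real connections from its own address, sends a SYN with server's address as the source and, never having seen the SYN/ACK, answers it blind with ACK = predicted ISN + 1. The DoS against server is reduced to a flag that decides whether server is alive to reset a connection it never opened, which shows why that step was needed.

```python
"""Blind TCP spoofing of the kind in Shimomura's post mortem, as a simulation.

Added example; a model, not the real stacks or the real packet trace.
"""
from dataclasses import dataclass

MASK = 0xFFFFFFFF


@dataclass
class Segment:
    src: str
    dst: str
    flags: str     # "SYN", "SYN/ACK", "ACK" or "RST"
    seq: int
    ack: int = 0


class OldTcpStack:
    """Listening host (x-terminal) with a predictable ISN generator."""

    def __init__(self, addr: str, isn_seed: int, step: int, trusts: set):
        self.addr, self.step, self.trusts = addr, step, set(trusts)
        self._isn = isn_seed
        self.half_open = {}        # peer -> our ISN, waiting for the final ACK
        self.established = set()

    def _next_isn(self) -> int:
        self._isn = (self._isn + self.step) & MASK      # the weakness: no randomness
        return self._isn

    def receive(self, seg: Segment):
        """Process one segment; returns our reply segment or None."""
        if seg.flags == "SYN":
            isn = self._next_isn()
            self.half_open[seg.src] = isn
            return Segment(self.addr, seg.src, "SYN/ACK", isn, (seg.seq + 1) & MASK)
        if seg.flags == "ACK" and seg.src in self.half_open:
            if seg.ack == (self.half_open[seg.src] + 1) & MASK:
                del self.half_open[seg.src]
                self.established.add(seg.src)
        elif seg.flags == "RST":
            self.half_open.pop(seg.src, None)
            self.established.discard(seg.src)
        return None

    def accepts_rlogin(self, peer: str) -> bool:
        """The trust relationship: an r-service login needs an established connection from a trusted host."""
        return peer in self.established and peer in self.trusts


def harvest_isns(victim: OldTcpStack, attacker: str, count: int = 3) -> list:
    """Step 1: open real connections from the attacker's own address, note each ISN, reset."""
    isns = []
    for i in range(count):
        synack = victim.receive(Segment(attacker, victim.addr, "SYN", seq=1000 + i))
        isns.append(synack.seq)
        victim.receive(Segment(attacker, victim.addr, "RST", seq=synack.ack))
    return isns


def infer_step(isns: list) -> int:
    """The ISN increment, if it is constant; otherwise the attacker would be guessing."""
    diffs = {(b - a) & MASK for a, b in zip(isns, isns[1:])}
    if len(diffs) != 1:
        raise ValueError("ISN increment is not constant: %r" % sorted(diffs))
    return diffs.pop()


def blind_spoof(victim: OldTcpStack, server: str, attacker: str,
                server_silenced: bool = True) -> dict:
    """Steps 2-3: predict the next ISN, SYN as server, ACK blind."""
    isns = harvest_isns(victim, attacker)
    predicted = (isns[-1] + infer_step(isns)) & MASK

    # The SYN/ACK is routed to the real server, never to the attacker.
    synack = victim.receive(Segment(server, victim.addr, "SYN", seq=5000))
    if not server_silenced:
        # A live server gets a SYN/ACK for a connection it never opened and resets it.
        victim.receive(Segment(server, victim.addr, "RST", seq=synack.ack))

    # The blind ACK: the attacker never read synack.seq, only its own prediction.
    victim.receive(Segment(server, victim.addr, "ACK", seq=5001, ack=(predicted + 1) & MASK))
    return {"predicted": predicted, "actual": synack.seq,
            "login_accepted": victim.accepts_rlogin(server)}


if __name__ == "__main__":
    # Step value 64000 is constructed for the model.
    xt = OldTcpStack("x-terminal", isn_seed=0x1000, step=64000, trusts={"server"})
    print(blind_spoof(xt, "server", "apollo.it.luc.edu"))
```

With server silenced the prediction matches the ISN the attacker never saw and the trusted login is accepted; with server alive, its RST tears down the half-open connection before the blind ACK arrives and the same prediction achieves nothing.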