Download ppt

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
Document related concepts

Deep packet inspection wikipedia , lookup

Computer and network surveillance wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Transcript 
Characteristics of Internet
Background Radiation
Authors: Ruoming Pang, Vinod
Yegneswaran, Paul Barford, Vern
Paxson, Larry Peterson
ACM Internet Measurement
Conference (IMC), 2004
Presenter: Tai Do
CDA6938
UCF, Spring 2007
Introduction
• Background Radiation:
– Traffic sent to unused addresses.
– Nonproductive traffic: malicious (flooding
backscatter, hostile scan, spam) OR
benign (misconfigurations).
– Pervasive nature (hence “background”).
Backscatter
Source: [MVS01]
Introduction
• Goals of Characterization:
–What is all this nonproductive traffic
trying to do?
–How can we filter it out to detect
new types of malicious activity?
Outline
• Introduction
• Measurement Methodology
– Filtering
– Responders
– Experimental Setup
• Data Analysis
• Concluding Remarks
Measurement Methodology
(Filtering)
• Enormous volume of data:
– 30,000 packets/sec of background radiation
on a Class A network.
• Source-Destination Filtering:
– Assumption: background radiation sources
posses the same degree of affinity to
monitored IP addresses
– For each source, keep the connections to N
destinations.
Measurement Methodology
(Filtering)
Measurement Methodology
(Filtering)
Measurement Methodology
(Active Responders)
• Why Active Responders?
– Elicit further activity from scanners.
– Differentiate different types of background
radiation.
• Stateless Responder: based on Active
Sink.
• Stateful Responder: based on Honeyd.
Measurement Methodology
(Application-Level Responders)
• Data-driven:
– Which responders to build is based on observed
traffic volumes.
• Application-level Responders:
– Not only adhere to the structure of the underlying
protocol, but also to know what to say.
• New types of activities emerge over time,
responders also need to evolve.
• What degree can we automate the development
process of responders?
Measurement Methodology
(Application-Level Responders)
• Responders developed for:
– HTTP (port 80)
– NetBIOS (port 137/139),
– CIFS/SMB (port 139/445)
– DCE/RPC [10] (port 135/1025 and CIFS
named pipes)
– Dameware (port 6129).
– Backdoors installed by MyDoom (port
3127) and Beagle (port 2745)
Measurement Methodology
(Experimental Setup)
• Two different systems: iSink, and LBL Sink.
• Traces collected from three sites:
– Class A network (large)
– UW campus (medium)
– Lawrence Berkeley Lab (LBL) (small)
• Same forms of application response.
• Different underlying mechanisms.
• Support two kinds of data analysis:
– Passive analysis: no filter, no responder
– Active analysis: with filter, and responder
Experimental Setup: iSink
Experimental Setup: LBL Sink
Outline
• Introduction
• Measurement Methodology
• Data Analysis
– Passive Analysis
– Active Analysis
• Activities in Background Radiation
• Characteristics of Sources
• Concluding Remarks
Passive Measurement
Traffic Composition
• What is the type and volume of observed
traffic without actively responding to any
packet?
• Findings:
– TCP dominates in all three networks
(comparing to ICMP and UDP)
– TCP/SYN packets constitute a significant
portion of the background radiation traffic.
– A small number of ports are the targets of a
majority of TCP/SYN packets.
Activities in Background Radiation
• Study dominant activities on the popular ports.
• Traffic is divided by ports:
– Consider all connections between a sourcedestination pair on a given destination port.
• Background Radiation concentrates on a small
number of ports:
– Only look at the most popular ports.
– Many popular ports are also used by the normal traffic
 use application semantic level.
• Investigate 12 ports.
TCP Port 80 (HTTP)
• Targeted against Microsoft IIS server.
• Dominant activity is a WebDAV bufferoverrun exploit.
TCP Port 80 (HTTP)
Port 80 Activities
Characteristics of Sources
• Study background radiation activities coming
from the same source IP (activity vector).
• Activity vector in three dimensions:
– Across ports
– Across destination networks
– Over time
• Caveat:
– DHCP: hosts might be assigned different addresses
over time.
Sources Across port
Activities across ports may give a better picture of a source’s goals
Agobot Sources: UW 1
Sources Across port
• Top two exploits are extensively observed
across all 4 networks.
Sources Seen Over Time
• Witty did not persist over a month: deliberately damages
its host.
• Blaster’s grip on hosts is quite tenacious.
Outline
•
•
•
•
Introduction
Measurement Methodology
Data Analysis
Concluding Remarks
Strengths of the paper
• First attempt to characterize background
radiation.
• Good Measurement Methodology:
– Effective filtering technique.
– Detailed set of active responders for popular ports.
• Meaningful Data Analysis:
– Passive Analysis: activities concentrate on few
popular ports.
– Active Analysis: Extreme dynamism in many aspects
of background radiation.
Limitations of the paper
• The filtering could be biased.
– The same kind of activity to all destination IP
addresses.
– Fail to capture multi-vector worms that pick one
exploit per IP address.
• DHCP problem makes source IP address less
accurate as source identity.
• To what extent the development of applicationlevel responders can be automated?
Thank you.
Questions?
References
• [Barford2004] Paul Barford. Trends in
Internet Measurement. PPT from U. of
Wisconsin, Fall 2004.
• [MVS01] Moore, Geoffrey M. Voelker, and
Stefan Savage. Inferring Internet Denialof-Service Activity. In Proceedings of the
10th USENIX Security Symposium, pages
9--22. USENIX, August 2001.
Some jargons
• Named pipe: supports inter-process communication.
FIFO. System-persistent.
• CIFS: Common Interface File System.
• DCE/RPC: Distributed Computing Environment/Remote
Procedure Call
• SAMR: Security Account Manager Remote service
• srvsvc: server service
• msmsgri32.exe: ???
• SMB:
• Autorooter: similar to worms, without self-propagation
Related documents
Nona*s Homemade * Marketing Project * C Block Marketing Class
Nona*s Homemade * Marketing Project * C Block Marketing Class
Ports and IPv6
Ports and IPv6
Globalization and Global Trade Patterns Learning Goal 4: Compare
Globalization and Global Trade Patterns Learning Goal 4: Compare
Mod10Chap19TCPIP
Mod10Chap19TCPIP
What is Cancer???????????
What is Cancer???????????
Slide 1
Slide 1
Period 11 Exercise Answers
Period 11 Exercise Answers
resolution of upper gastrointestinal symptoms
resolution of upper gastrointestinal symptoms
GLOBAL WARMING: IT*S EFFECT TO THE PORT
GLOBAL WARMING: IT*S EFFECT TO THE PORT
Last Monday of 2012 at school!
Last Monday of 2012 at school!