Characteristics of Internet Background Radiation
Authors: Ruoming Pang, Vinod Yegneswaran, Paul Barford, Vern Paxson, Larry Peterson
ACM Internet Measurement Conference (IMC), 2004
Presenter: Tai Do
CDA6938 UCF, Spring 2007

Introduction
• Background Radiation:
– Traffic sent to unused addresses.
– Nonproductive traffic: malicious (flooding backscatter, hostile scan, spam) OR benign (misconfigurations).
– Pervasive nature (hence “background”).
(figure: Backscatter; source: [MVS01])

Introduction
• Goals of Characterization:
– What is all this nonproductive traffic trying to do?
– How can we filter it out to detect new types of malicious activity?

Outline
• Introduction
• Measurement Methodology
– Filtering
– Responders
– Experimental Setup
• Data Analysis
• Concluding Remarks

Measurement Methodology (Filtering)
• Enormous volume of data:
– 30,000 packets/sec of background radiation on a Class A network.
• Source-Destination Filtering:
– Assumption: background radiation sources possess the same degree of affinity to monitored IP addresses.
– For each source, keep the connections to N destinations.

Measurement Methodology (Filtering)
(two figure slides; diagrams not recoverable from the extracted text)

Measurement Methodology (Active Responders)
• Why Active Responders?
– Elicit further activity from scanners.
– Differentiate different types of background radiation.
• Stateless Responder: based on Active Sink.
• Stateful Responder: based on Honeyd.

Measurement Methodology (Application-Level Responders)
• Data-driven:
– Which responders to build is based on observed traffic volumes.
• Application-level Responders:
– Not only adhere to the structure of the underlying protocol, but also know what to say.
• New types of activities emerge over time, so responders also need to evolve.
• To what degree can we automate the development process of responders?
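The source-destination filtering slide above describes the rule ("for each source, keep the connections to N destinations") without showing it in operation. The following Python is an added example, not code from the paper, the iSink/LBL Sink systems or the presentation: it applies the rule to a constructed list of connection records and also shows the bias noted later in the deck, where a source that uses a different exploit per destination loses everything past its N-th destination. All addresses, ports and record layouts are made up for the illustration.

```python
from collections import defaultdict

# Constructed sample of (source, destination, dport) connection records, as a
# network telescope might see them: one scanner touching many monitored
# addresses and one misconfigured host repeatedly contacting a single address.
SAMPLE_CONNECTIONS = [
    ("198.51.100.7", "192.0.2.1", 445),
    ("198.51.100.7", "192.0.2.2", 445),
    ("198.51.100.7", "192.0.2.3", 445),
    ("198.51.100.7", "192.0.2.1", 139),   # already-seen destination: kept
    ("198.51.100.7", "192.0.2.4", 445),   # 4th distinct destination: dropped for N=3
    ("198.51.100.7", "192.0.2.5", 80),    # 5th distinct destination: dropped for N=3
    ("203.0.113.9", "192.0.2.1", 53),
    ("203.0.113.9", "192.0.2.1", 53),
]

# Constructed multi-vector source: a different port on every destination, the
# case the "Limitations" slide says the filter cannot capture.
MULTI_VECTOR = [
    ("192.0.2.99", f"203.0.113.{i}", port)
    for i, port in enumerate([80, 135, 139, 445, 3127], start=1)
]


def source_destination_filter(connections, n):
    """Keep, per source, only connections to the first n distinct destinations.

    Connections to a destination the source has already been allowed to reach
    are always kept, so repeated activity toward the same host is preserved.
    Returns (kept_records, dropped_count).
    """
    allowed = defaultdict(set)   # source -> destinations it may still reach
    kept = []
    dropped = 0
    for src, dst, dport in connections:
        dests = allowed[src]
        if dst in dests or len(dests) < n:
            dests.add(dst)
            kept.append((src, dst, dport))
        else:
            dropped += 1
    return kept, dropped


def ports_seen(connections, src):
    """Sorted set of destination ports a given source was observed on."""
    return sorted({dport for s, _, dport in connections if s == src})


if __name__ == "__main__":
    kept, dropped = source_destination_filter(SAMPLE_CONNECTIONS, 3)
    print(f"kept {len(kept)} records, dropped {dropped}")
    # The filter assumes a source behaves the same toward every destination;
    # a per-destination exploit choice is partly lost after filtering.
    print("multi-vector ports before filter:", ports_seen(MULTI_VECTOR, "192.0.2.99"))
    kept_mv, _ = source_destination_filter(MULTI_VECTOR, 3)
    print("multi-vector ports after filter: ", ports_seen(kept_mv, "192.0.2.99"))
```

With N=3 the scanner keeps its first three destinations plus any repeat contact to them, while the two later destinations are discarded; the multi-vector source shows why the deck calls the filter biased, since two of its five exploit ports never reach the responders.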
Measurement Methodology (Application-Level Responders)
• Responders developed for:
– HTTP (port 80)
– NetBIOS (port 137/139)
– CIFS/SMB (port 139/445)
– DCE/RPC [10] (port 135/1025 and CIFS named pipes)
– Dameware (port 6129)
– Backdoors installed by MyDoom (port 3127) and Beagle (port 2745)

Measurement Methodology (Experimental Setup)
• Two different systems: iSink and LBL Sink.
• Traces collected from three sites:
– Class A network (large)
– UW campus (medium)
– Lawrence Berkeley Lab (LBL) (small)
• Same forms of application response.
• Different underlying mechanisms.
• Support two kinds of data analysis:
– Passive analysis: no filter, no responder.
– Active analysis: with filter and responder.

Experimental Setup: iSink
Experimental Setup: LBL Sink
(architecture figure slides; diagrams not recoverable from the extracted text)

Outline
• Introduction
• Measurement Methodology
• Data Analysis
– Passive Analysis
– Active Analysis
• Activities in Background Radiation
• Characteristics of Sources
• Concluding Remarks

Passive Measurement: Traffic Composition
• What is the type and volume of observed traffic without actively responding to any packet?
• Findings:
– TCP dominates in all three networks (compared to ICMP and UDP).
– TCP/SYN packets constitute a significant portion of the background radiation traffic.
– A small number of ports are the targets of a majority of TCP/SYN packets.

Activities in Background Radiation
• Study dominant activities on the popular ports.
• Traffic is divided by ports:
– Consider all connections between a source-destination pair on a given destination port.
• Background Radiation concentrates on a small number of ports:
– Only look at the most popular ports.
– Many popular ports are also used by normal traffic, so activity is identified at the application-semantic level.
• Investigate 12 ports.

TCP Port 80 (HTTP)
• Targeted against Microsoft IIS server.
• Dominant activity is a WebDAV buffer-overrun exploit.
TCP Port 80 (HTTP)
Port 80 Activities
(figure slides; content not recoverable from the extracted text)

Characteristics of Sources
• Study background radiation activities coming from the same source IP (activity vector).
• Activity vector in three dimensions:
– Across ports
– Across destination networks
– Over time
• Caveat:
– DHCP: hosts might be assigned different addresses over time.

Sources Across Ports
• Activities across ports may give a better picture of a source’s goals.
(figure: Agobot Sources: UW 1)

Sources Across Ports
• Top two exploits are extensively observed across all 4 networks.

Sources Seen Over Time
• Witty did not persist over a month: it deliberately damages its host.
• Blaster’s grip on hosts is quite tenacious.

Outline
• Introduction
• Measurement Methodology
• Data Analysis
• Concluding Remarks

Strengths of the paper
• First attempt to characterize background radiation.
• Good measurement methodology:
– Effective filtering technique.
– Detailed set of active responders for popular ports.
• Meaningful data analysis:
– Passive analysis: activities concentrate on a few popular ports.
– Active analysis: extreme dynamism in many aspects of background radiation.

Limitations of the paper
• The filtering could be biased:
– It assumes the same kind of activity to all destination IP addresses.
– It fails to capture multi-vector worms that pick one exploit per IP address.
• The DHCP problem makes the source IP address less accurate as a source identity.
• To what extent can the development of application-level responders be automated?

Thank you. Questions?

References
• [Barford2004] Paul Barford. Trends in Internet Measurement. Slides (PPT), University of Wisconsin, Fall 2004.
• [MVS01] Moore, Geoffrey M. Voelker, and Stefan Savage. Inferring Internet Denial-of-Service Activity. In Proceedings of the 10th USENIX Security Symposium, pages 9–22. USENIX, August 2001.

Some jargon
• Named pipe: supports inter-process communication. FIFO. System-persistent.
• CIFS: Common Interface File System.
• DCE/RPC: Distributed Computing Environment/Remote Procedure Call
• SAMR: Security Account Manager Remote service
• srvsvc: server service
• msmsgri32.exe: ???
• SMB:
• Autorooter: similar to worms, but without self-propagation
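The passive traffic-composition findings and the per-source activity vector (across ports and across destination networks) described in the slides above are easier to see on data. The Python below is an added example, not code from the paper or the presentation: over a constructed packet sample it computes the protocol shares, the fraction of TCP packets that are bare SYNs, the most-targeted SYN ports, and for each source the set of (protocol, port) pairs seen in each monitored network. The two monitored prefixes, the source addresses and the packet records are made up; the time dimension of the activity vector is not shown.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed monitored ranges standing in for two telescope networks.
NETWORKS = {
    "net-A": ip_network("192.0.2.0/24"),
    "net-B": ip_network("198.51.100.0/24"),
}

# Constructed packet records: (src, dst, proto, dport, syn_only).
# syn_only marks a TCP SYN with no payload (a connection attempt only).
SAMPLE_PACKETS = [
    ("203.0.113.5", "192.0.2.10", "tcp", 445, True),
    ("203.0.113.5", "192.0.2.11", "tcp", 445, True),
    ("203.0.113.5", "198.51.100.7", "tcp", 445, True),
    ("203.0.113.5", "198.51.100.8", "tcp", 139, True),
    ("203.0.113.6", "192.0.2.10", "tcp", 80, True),
    ("203.0.113.6", "192.0.2.12", "tcp", 80, False),   # payload after handshake
    ("203.0.113.7", "192.0.2.20", "udp", 137, False),
    ("203.0.113.8", "192.0.2.30", "icmp", None, False),
]


def network_of(dst):
    """Name of the monitored network a destination address falls in."""
    addr = ip_address(dst)
    for name, net in NETWORKS.items():
        if addr in net:
            return name
    return "other"


def protocol_composition(packets):
    """Packet count per transport protocol and the TCP SYN-only fraction."""
    by_proto = Counter(p[2] for p in packets)
    tcp = [p for p in packets if p[2] == "tcp"]
    syn_fraction = sum(1 for p in tcp if p[4]) / len(tcp) if tcp else 0.0
    return by_proto, syn_fraction


def top_syn_ports(packets, k=3):
    """Destination ports ranked by number of TCP SYN-only packets."""
    return Counter(p[3] for p in packets if p[2] == "tcp" and p[4]).most_common(k)


def activity_vectors(packets):
    """Per source: the (proto, port) pairs it touched, split by monitored network.

    ICMP has no port, so it is left out of the port dimension here.
    """
    vec = defaultdict(lambda: defaultdict(set))
    for src, dst, proto, dport, _ in packets:
        if proto in ("tcp", "udp"):
            vec[src][network_of(dst)].add((proto, dport))
    return {src: {net: sorted(ports) for net, ports in nets.items()}
            for src, nets in vec.items()}


if __name__ == "__main__":
    by_proto, syn_fraction = protocol_composition(SAMPLE_PACKETS)
    print("protocols:", dict(by_proto), f"SYN-only share of TCP: {syn_fraction:.2f}")
    print("top SYN ports:", top_syn_ports(SAMPLE_PACKETS))
    for src, nets in activity_vectors(SAMPLE_PACKETS).items():
        print(src, nets)
```

On this sample the output mirrors the slide's findings in miniature: TCP dominates, most TCP packets are bare SYNs, one port (445) attracts most of them, and the first source's vector shows the same exploit port across both monitored networks plus a second port in one of them, which is the kind of cross-port, cross-network view the "Sources Across Ports" slides are built on.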