a fast worm scan detection tool for vpn congestion
play

A Fast Worm Scan Detection Tool for VPN Congestion Avoidance Arno - PowerPoint PPT Presentation

Dec 24, 2023 •157 likes •353 views

A Fast Worm Scan Detection Tool for VPN Congestion Avoidance Arno Wagner,Thomas D ubendorfer, Roman Hiestand, Christoph G oldi, Bernhard Plattner Communication Systems Group Swiss Federal Institute of Technology Zurich (ETH Zurich)

  1. A Fast Worm Scan Detection Tool for VPN Congestion Avoidance Arno Wagner,Thomas D¨ ubendorfer, Roman Hiestand, Christoph G¨ oldi, Bernhard Plattner Communication Systems Group Swiss Federal Institute of Technology Zurich (ETH Zurich)

  2. Outline 1. Setting 2. Problem Statement 3. Design Goals 4. Approach 5. Implementation 6. Tests, Validation 7. Remarks Arno Wagner, ETH Zurich, DIMVA 2006 – p.1

  3. Setting Collaboration between OpenSystems AG, Zurich and Communication Systems Group (CSG) at ETH Zurich OpenSystems: Provides, e.g., managed VPN links on OpenSystems hardware (Linux based industrial PCs) Administration remotely from Zurich NOC Customers in 70 countries > 100 VPN links operational Arno Wagner, ETH Zurich, DIMVA 2006 – p.2

  4. Problem Statement Internet links: SAT-phones, . . . , high-speed Internet Congestion can cause significant problems Remote diagnosis can be difficult Customers may need their links repaired very fast IT competence at customers sites varies strongly Diagnosis has to be done remotely by OpenSystems ⇒ Typically requires several hours of manual work One main congestion source: Worm infected hosts Arno Wagner, ETH Zurich, DIMVA 2006 – p.3

  5. Design Goals The scan traffic detector needs to: Run on the VPN endpoints (detection is for attached network, not VPN tunnel) Communicate only when problems are detected Have low resource needs Detect scan and DoS traffic fast Identify infected hosts Have a low false positives rate Arno Wagner, ETH Zurich, DIMVA 2006 – p.4

  6. Approach Main approach: Failed connection counting on a per-host basis Relatively simple for TCP Still works for UDP and ICMP Idea is well documented in the literature Arno Wagner, ETH Zurich, DIMVA 2006 – p.5

  7. TCP Scan Detection Each active host has a state Measurements are done incrementally Identified infected hosts are ignored to reduce load Arno Wagner, ETH Zurich, DIMVA 2006 – p.6

  8. TCP Host Flowchart I first failed TCP connection TCP_BENIGN no > 100 failed conn. in < 2 minutes yes TCP_SCAN failed conn. no to >100 hosts in < 5 minutes yes Arno Wagner, ETH Zurich, DIMVA 2006 – p.7

  9. TCP Host Flowchart II back to TCP_BENIGN failed conn. > 1200 failed no no TCP_SAMEPORT_SCAN conn. to < 5 hosts in to >100 hosts in < 4 min < 5 minutes yes yes DoS TCP_HOST_SCAN TCP_DOS failed conn. to failed conn. no no > 100 hosts on the same TCP_HOST_NOTSAMEPORT_SCAN to > 300 hosts in port in < 5 min. < 5 min. yes yes WORM WORM TCP_HOST_SAMEPORT_SCAN TCP_HOST_PORT_SCAN Arno Wagner, ETH Zurich, DIMVA 2006 – p.8

  10. UDP Scan Detection Similar to TCP , but failed ”connection” can be UDP packet, no answering packet UDP packet, answering ICMP ”destination unreachable” Further differences: Thresholds are different More traffic needed to trigger detection Arno Wagner, ETH Zurich, DIMVA 2006 – p.9

  11. ICMP Scan Detection Similar to TCP , but No port checks Failed ”connections” possibilities (not distinguished): ICMP ”destination unreachable” ICMP requests without answer Arno Wagner, ETH Zurich, DIMVA 2006 – p.10

  12. Detection Latency Tests are done serially to conserve memory + No traffic needs to be stored - Worst case detection time is higher But: More scan traffic gives faster detection Worst case detection times are still reasonable (TCP: 17 min, UDP: 18 min) Arno Wagner, ETH Zurich, DIMVA 2006 – p.11

  13. Implementation VPN node: P4 2.4GHz, 1GB RAM, 2 * FE, 2 * GbE, customised 2.4 kernel Detector: Uses Bro intrusion detection system Traffic capturing via libpcap Event propagation via system log Alerting via OpenSystems log monitor Arno Wagner, ETH Zurich, DIMVA 2006 – p.12

  14. Performance I 4 infected hosts, simulated TCP worm traffic (MACE) 1 cpu usage (%) 0 0 1 2 3 4 5 6 7 8 9 10 time (min) Memory load stays below 8MB Arno Wagner, ETH Zurich, DIMVA 2006 – p.13

  15. Performance II 252 infected hosts, simulated TCP worm traffic (MACE) 80 70 60 cpu usage (%) 50 40 30 20 10 0 0 1 2 3 4 5 6 7 8 9 10 time (min) Memory load stays below 20MB Arno Wagner, ETH Zurich, DIMVA 2006 – p.14

  16. Validation The detector was tested with Blaster worm (real infection) SQL Slammer worm (real infection) Simulated worm traffic by MACE 22 hours of productive traffic from 15 VPN links ⇒ No false positives Several different P2P filesharing applications ⇒ Alerts from eMule when firewalled and searching Arno Wagner, ETH Zurich, DIMVA 2006 – p.15

  17. Remarks I Detector is used in OpenSystems production environment Source code available upon request: Detector scripts (Bro): GPL MACE extensions: non-commercial use Very successful project: Students: Very good master’s thesis OpenSystems: Practical solution of a real problem ETH: Paper at DIMVA’06 Arno Wagner, ETH Zurich, DIMVA 2006 – p.16

  18. Remarks II: Collaboration Industrial collaboration with OpenSystems on student theses works well. No money flows Topics must be of interest to all sides Everybody invests real effort and shapes results Mutual understanding of different goals Produced software GPL where possible Important: Avoid ”problem students” Arno Wagner, ETH Zurich, DIMVA 2006 – p.17

  19. Thank You! Arno Wagner, ETH Zurich, DIMVA 2006 – p.18

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Considerations for Scan Detection Using Flow Data. 1 Ov Over erview iew Scans and scan

Considerations for Scan Detection Using Flow Data. 1 Ov Over erview iew Scans and scan

Considerations for Scan Detection Using Flow Data. 1 Ov Over erview iew Scans and scan detection goals and objectives A review of Threshold Random Walk Real time vs. Flow based approaches Bi-flows and Oracles Extensions

522 views • 18 slides
Optimised Scan-to-Scan integration techniques for low observable target detection in sea clutter

Optimised Scan-to-Scan integration techniques for low observable target detection in sea clutter

Optimised Scan-to-Scan integration techniques for low observable target detection in sea clutter Krishna Venkataraman 1 , Si Tran Nguyen 1 , Lachlan Bateman 2 1 Defence Science and Technology Group Department of Defence, Edinburgh, Australia 2

96 views • 5 slides
Worm Detection ICMP Packet Analysis Ankur Agiwal 1 2 Packet Content Matching Packet

Worm Detection ICMP Packet Analysis Ankur Agiwal 1 2 Packet Content Matching Packet

Worm Detection Packet Content Matching Port Number Matching Worm Detection ICMP Packet Analysis Ankur Agiwal 1 2 Packet Content Matching Packet Content Matching Which characteristic of worm is exploited? Should whole packet

325 views • 7 slides
1 TCP AIMD TCP Congestion Control additive increase: multiplicative decrease: increase CongWin

1 TCP AIMD TCP Congestion Control additive increase: multiplicative decrease: increase CongWin

Principles of Congestion Control Congestion: informally: too many sources sending too much Congestion Control data too fast for network to handle different from flow control! manifestations: lost packets (buffer overflow at

242 views • 3 slides
Scan Matching Overview Problem statement: n Given a scan and a map, or a scan and a scan, or a

Scan Matching Overview Problem statement: n Given a scan and a map, or a scan and a scan, or a

Scan Matching Pieter Abbeel UC Berkeley EECS Scan Matching Overview Problem statement: n Given a scan and a map, or a scan and a scan, or a map and a map, find the rigid-body n transformation (translation+rotation) that aligns them best

710 views • 26 slides
Scan Matching Overview Problem statement: n Given a scan and a map, or a scan and a scan, or a

Scan Matching Overview Problem statement: n Given a scan and a map, or a scan and a scan, or a

Scan Matching Pieter Abbeel UC Berkeley EECS Many slides adapted from Thrun, Burgard and Fox, Probabilistic Robotics Scan Matching Overview Problem statement: n Given a scan and a map, or a scan and a scan, or a map and a map, find the

831 views • 50 slides
Scan Matching Overview Problem statement: n Given a scan and a map, or a scan and a scan, or a

Scan Matching Overview Problem statement: n Given a scan and a map, or a scan and a scan, or a

Scan Matching Pieter Abbeel UC Berkeley EECS Many slides adapted from Thrun, Burgard and Fox, Probabilistic Robotics Scan Matching Overview Problem statement: n Given a scan and a map, or a scan and a scan, or a map and a map, find the

650 views • 49 slides
1 Research Goal Proposed tool: Chained clone detection tool Detection of clone sets connected

1 Research Goal Proposed tool: Chained clone detection tool Detection of clone sets connected

Overview of my presentation Introduction of chained clone detection Detection of Chained Clone and Its Application N.Yoshida, et al.: &quot;On Refactoring Support Based on Code Clone Dependency Relation&quot;, Proc. of METRICS 2005.

316 views • 4 slides
Code-Red: a case study on the spread and victims of an Internet worm David Moore, Colleen

Code-Red: a case study on the spread and victims of an Internet worm David Moore, Colleen

Code-Red: a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeff Brown November, 2002 IMW {dmoore, cshannon} @ caida.org www.caida.org Outline What is the Code-Red worm? Detection Host

495 views • 35 slides
What do you mean, Congestion? some history Congestion Collapse

What do you mean, Congestion? some history Congestion Collapse

What do you mean, Congestion? some history Congestion Collapse Congestion Avoidance Congestion Control Explicit Congestion Notification Datagram Congestion Control Protocol this

425 views • 15 slides
The use of the solar scan tool StableNextSol Action MP1307 2nd MC Meeting, 1st WG Meeting, 1st

The use of the solar scan tool StableNextSol Action MP1307 2nd MC Meeting, 1st WG Meeting, 1st

The use of the solar scan tool StableNextSol Action MP1307 2nd MC Meeting, 1st WG Meeting, 1st Industry Day and ISOS-7 Conference Barcelona, 8 th October 2014 Nieves Espinosa Frederik C. Krebs SOL group Printed organic photovoltaics

383 views • 21 slides
CS 557 RED Random Early Detection Gateways for Congestion Avoidance S. Floyd and V. Jacobson,

CS 557 RED Random Early Detection Gateways for Congestion Avoidance S. Floyd and V. Jacobson,

CS 557 RED Random Early Detection Gateways for Congestion Avoidance S. Floyd and V. Jacobson, 1993 Spring 2013 The Story So Far . Some Essential Apps: DNS (naming) and NTP (time). Transport layer: End to End communication,

445 views • 13 slides
Congestion Control Outline Queuing Discipline Reacting to Congestion Avoiding Congestion 1

Congestion Control Outline Queuing Discipline Reacting to Congestion Avoiding Congestion 1

Congestion Control Outline Queuing Discipline Reacting to Congestion Avoiding Congestion 1 Issues Two sides of the same coin pre-allocate resources to avoid congestion (e.g. telephone networks) control congestion if (and when)

493 views • 14 slides
clang-scan-deps Fast Dependency Scanning For Explicit Modules Alex Lorenz, Michael

clang-scan-deps Fast Dependency Scanning For Explicit Modules Alex Lorenz, Michael

clang-scan-deps Fast Dependency Scanning For Explicit Modules Alex Lorenz, Michael Spencer, Apple LLVM Developers Meeting, Brussels, Belgium, April 2019 1 Clang Modules Dependency Scanning Fast Dependency Scanning

977 views • 55 slides
Worm enabling exploits Cyber Security Lab Spring 10 Background reading Worm Anatomy and

Worm enabling exploits Cyber Security Lab Spring 10 Background reading Worm Anatomy and

Worm enabling exploits Cyber Security Lab Spring 10 Background reading Worm Anatomy and Model http://portal.acm.org/citation.cfm?id=948196 Smashing the Stack for Fun and Profit

525 views • 36 slides
Edge Detection State of The Art P. Dollar and C. Zitnick Structured Forests for Fast Edge

Edge Detection State of The Art P. Dollar and C. Zitnick Structured Forests for Fast Edge

Edge Detection State of The Art P. Dollar and C. Zitnick Structured Forests for Fast Edge Detection ICCV 2013 Code: http://research.microsoft.com/en-us/downloads/ 389109f6-b4e8-404c-84bf-239f7cbf4e3d/default.aspx (Time stamp: Sept 15, 2014)

744 views • 35 slides
Aggregating and Predicting Sequence Labels from Crowd Annotations An T. Nguyen 1 Byron C.

Aggregating and Predicting Sequence Labels from Crowd Annotations An T. Nguyen 1 Byron C.

Aggregating and Predicting Sequence Labels from Crowd Annotations An T. Nguyen 1 Byron C. Wallace 2 Jessy Li 1 , 3 Ani Nenkova 3 Matthew Lease 1 1 University of Texas at Austin 2 Northeastern University 3 University of Pennsylvania ACL 2017

751 views • 51 slides
and Sealing vs Restenosis: Utility of the Micronet MGuard Stent for MI, SVG, Aneurysms, and More

and Sealing vs Restenosis: Utility of the Micronet MGuard Stent for MI, SVG, Aneurysms, and More

Tradeoffs of Embolic Protection and Sealing vs Restenosis: Utility of the Micronet MGuard Stent for MI, SVG, Aneurysms, and More Dariusz Dudek Institute of Cardiology, Krakow, Poland Disclosure Statement of Financial Interest I, Dariusz Dudek

564 views • 35 slides
14.12 Economic Applications of Game Theory Professor: Muhamet Yildiz 1 Merthyr Banbury

14.12 Economic Applications of Game Theory Professor: Muhamet Yildiz 1 Merthyr Banbury

14.12 Economic Applications of Game Theory Professor: Muhamet Yildiz 1 Merthyr Banbury Prime Meridian Luton WALES Oxford Tydfil Swindon Chelmsford London Swansea Gillingham Cardiff Bristol Newbury Barnstaple Maidstone UNITED

340 views • 14 slides
Combining learned and highly- reactive management Alva L. Couch and Marc Chiarini Tufts

Combining learned and highly- reactive management Alva L. Couch and Marc Chiarini Tufts

Combining learned and highly- reactive management Alva L. Couch and Marc Chiarini Tufts University couch@cs.tufts.edu, mchiar01@cs.tufts.edu Context of this paper This paper is Part 3 of a series Part 1 (AIMS 2009): Can ignore

478 views • 28 slides
Determination of the infrared radiative forcing at the tropical tropopause with AIRS AIRS

Determination of the infrared radiative forcing at the tropical tropopause with AIRS AIRS

Determination of the infrared radiative forcing at the tropical tropopause with AIRS AIRS Science Team Meeting March 7, 2006 Daniel Feldman, Caltech Brian Kahn, JPL Kuo-Nan Liou, UCLA Yuk Yung, Caltech Outline Motivation

240 views • 21 slides
Application areas of Application areas of Scalable Adaptive Multicast Scalable Adaptive

Application areas of Application areas of Scalable Adaptive Multicast Scalable Adaptive

Application areas of Application areas of Scalable Adaptive Multicast Scalable Adaptive Multicast Nobuo Kawaguchi Nobuo Kawaguchi Nagoya University / WIDE Project Nagoya University / WIDE Project What is SAM? What is SAM? Issues

556 views • 26 slides
Quantile Stein Variational Gradient Descent for Batch Bayesian Optimization Chengyue Gong [1] Jian

Quantile Stein Variational Gradient Descent for Batch Bayesian Optimization Chengyue Gong [1] Jian

Quantile Stein Variational Gradient Descent for Batch Bayesian Optimization Chengyue Gong [1] Jian Peng [2] Qiang Liu [1] [1] The University of Texas at Austin [2] University of Illinois at Urbana-Champaign Chengyue Gong, Jian Peng, Qiang Liu

127 views • 9 slides
What is Universal Design? will being at 12:30 PM ET 1 About Your Hosts TransCen, Inc.

What is Universal Design? will being at 12:30 PM ET 1 About Your Hosts TransCen, Inc.

6/26/2017 What is Universal Design? will being at 12:30 PM ET 1 About Your Hosts TransCen, Inc. Improving lives of people with disabilities Transcen logo and through meaningful work and community NIDILRR logo inclusion

550 views • 26 slides

More recommend