Backscatter and Global Analysis Stefan Zota Attacks Analyze tcpdump logs and get global Top attack sources abnormal traffic Unsuccessful TCP connections Gather vanilla statistics: SYN attacks TCP RST ACK backscatter Port classification traffic Destination and Source address traffic DNS lookup and ping messages to Classification of the I CMP error messages (TTL check if we have spoofed inexistent field, port unreachable, fragmentation needed, sources echo reply for echo request floods) Percent of successful connections and connection Look at the destination I P over fixed based bit rate and packet rate stats time-windows. Event based Average duration and interval for malicious classification connections The UNIVERSITY of NORTH CAROLINA at CHAPEL HILL The UNIVERSITY of NORTH CAROLINA at CHAPEL HILL Intrusion Detection with Honeypots Intrusion Detection with Honeypots Claire O’Shea Passive monitoring results: � Setup � Using honeyd to monitor 14 IP addresses in the CS department � 1491 packets Honeypot traffic 100 � Behind campus IDS, but not department received from 60 TCP UDP 90 ICMP firewalls unique IPs e 80 � All incoming packets are logged t � ICMP: 214 packets u n 70 i from 27 I Ps m � 1 week of passive monitoring r 60 e � TCP: 951 packets p � 1 week of emulating services (in progress) s from 33 I Ps 50 t e � FTP server k c � UDP: 326 packets 40 a P from 3 I Ps � Telnet 30 � SMTP server 20 10 � Web server 0 0 20 40 60 80 100 120 140 160 180 Hours Intrusion Detection with Honeypots About that little buffer in Active monitoring results: � Comparable amount of traffic (lots of scans) that Big Server � So far, most of interesting activity has been on port 80 Sun Apr 24 10: 41: 52 EDT 2005: Connection from 61.73.157.174 to 152.2.137.202 Port 80 POST / _vti_bin/ _vti_aut/ fp30reg.dll HTTP/ 1.1 Host: monaco137.cs.unc.edu Ritesh Kumar Transfer-Encoding: chunked Content-Length: 1499 An IIS server script (lots of binary data) with a known buffer overflow exploit!
The Exploit The Counter � Forking Servers? � Stack Translation ? The address changed! � Array bounds check function() Address? � C#, Java l � C !! e n � libsafe little buffer main() g t libc_main() h locals ? argv[] ret_address ENV ENV ENV Experiment Description • Setup – One ‘attacker’ and one ‘victim’ Simulation of DoS DoS Simulation of • tcpdump on victim, MACE on attacker • Tools Attacks Attacks – “MACE” • Malicious traffic generator from Paul Barford’s group at Wisconsin • Pre-programmed series of attacks* • TCP/SYN • Jolt Ben Wilde Ben Wilde • Rose • Land • Teardrop • Nestea • Ping of Death • Oshare • Bonk *I still don’t know what most of them do or if they are interesting… Preliminary Results Using LDA classification to I finally got everything running on Tuesday and ran each of the attacks listed on the previous page. I still need to look into what the attacks are and then crunch the data to see what looks interesting… Identify Malicious traffic Example histogram from a TCP/SYN attack: Alok Shriram
Objective Recap � Previously had talked about � LDA uses some training data points with classification techniques. known classification � LDA proposed a classification scheme � With those data points it attempts to to classify traffic for different QoS classify new data points � Project Goal: To use the LDA to see if � Each of the training data points needs to we can distinguish attack and normal be on a metric which characterizes that traffic connection Measuring Anomalies Metrics in Consideration Lingsong Zhang & Jeff Terrell � Average Packet size � Root Mean Square Packet size � Average Flow duration � Average IAT � Variance of IAT � Number of packets � Number of packets per second Anomaly Marking
CloudShield Portscan Detector Example TRW Brian Begnoche Threshold Random Walk algorithm � – “Fast Portscan Detection Using Sequential Hypothesis Testing” – Implement on CloudShield – So far, TCP only and unidirectional Observe connection attempts from source � – Failure indicative of scanner – Look for SYN of 3-way handshake from source, if ACK observed later then it is a successful attempt – After enough observations, classify as scanner or benign Still working out the kinks... � Will compare with ATN scanner alarms � Tmix trace generator Tmix trace generator • Generating realistic traffic is difficult due to TCP feedback loop Effectiveness of Effectiveness of • Source level models like SURGE are Shrew Attack on Shrew Attack on difficult to understand, model and more so to maintain Real Networks Real Networks • Tmix uses an application and By By network independent model Sushant Rew askar Sushant Rew askar – It uses Application data units instead of network data units. Evading UNC’s IPS/IDS Experimental network Experimental network Priyank Porwal Trying out Evasion, Insertion techniques to bypass Tipping Point and Snort protecting UNC network • Goal: Test instead of Attack • Tests similar to those done by Ptacek and Newsham – Different TTL values – DF bit set and large packets – IP fragment, TCP segment reassembly related issues • Dummy attack string instead of strings detected by IDS – To avoid being blocked totally Target IDS host: Source: wireless i/f home/dept
Current Status Results / Still To Do • Able to establish TCP connections by sending raw • Findings packets and snif fi ng responses – TCP connections do not timeout on – Firewalled some ports on my laptop used to attack Windows XP, even after almost 60 hrs of • Developed a shell to take different parameters: TTL, Seq#, Ack#, Data, etc. before hand-crafting packets inactivity and sending them out • Tests – Framework and infrastructure ready – Tests still to be run Worm Attack Control : Header Based ‘Attack Control’ � Utilize packet propagation properties � WORM: Schemes for Worm and DDOS Tries to multiply upon reaching � a compromised machine. Threats For one worm packet coming � in, multiple packets targeting multiple destinations go out. Comp290: Network Intrusion Detection Target a particular vulnerability – fixed port. � For a particular port, study number of distinct destination � address reached out Manoj Ampalam & Ankur Agiwal Worm Attack Control : :DDOS Attack Control : � Considered Scenario: � Algorithm: � All internal clients trusted � for a time interval T � Multiple zombies attack from for a port number if there are some incoming packets outer network if(#(distinct out_destination address) > (1 + delta )average)) � Network link or CPU resources suspect attack; endif in victim become limited average = alpha (average) + (1- alpha )# � Change in relationship between end if end for � Number of incoming and outgoing end for packets
:DDOS Attack Control :DDOS Attack Control � Using Properties of Normal Traffic Modes: � On one of attack data sets (MIT Lincoln Laboratory) TCP: flow controlled by continuous flow of acknowledgements � :DDOS Attack Control Finding Representative � DDOS: Records from tcpdump Using Properties of Normal Traffic Modes: � � ICMP: Behavior Similar to TCP dataset Each request associated with corresponding reply � � UDP: � Limit Number of allowed connections � Limit Number of packets per connection Feng Pan Data Set Find representative records � The dataset is unlabelled, therefore, � Summarize tcpdump raw data into connection unsupervised data mining method shall records. be used. Time duration service Src_host Dst_host Src_byte Dst_byte flag stamp � Algorithm: Representative Finder Summarize connection according to the SYN and FIN flag? How to get the service type? � Similar to clustering algorithm Where is the flag such as “S0, SF, REJ” in the raw data? � Selects representatives which cover both major types (normal connections) and � Discretize numeric attributes, and make all outliers (intrusion connections). attributes categorical. � Works well on biased dataset. (intrusion connections shall be a small portion in the dataset)
Recommend
More recommend
