Detecting Abuse of Abandoned Internet Resources - Tim Schmidt

SLIDE 1

Chair for Network Architectures and Services, Technische Universität München

Detecting Abuse of Abandoned Internet Resources

Tim Schmidt

Supervisors: Dipl. Inf. Johann Schlamp, Dipl. Ing. Quirin Scheitle

12.08.2015

Chair for Network Architectures and Services, Department of Informatics, Technische Universität München

SLIDE 2

Overview

  • Basics
  • Existing Work
  • RIR Models
  • Timeline & Outlook

SLIDE 4

Regional Internet Registry (RIR)

Manages and assigns Internet Number Resources such as:

  • IP address spaces (IPv4 and IPv6)
  • AS numbers

Note: There are five Regional Internet Registries; compare next slide.

SLIDE 5

Areas of Responsibility

Figure: RIR regions (source: nro.net)

SLIDE 7

Existing Work

Note: My work is based on Christian Eckert's master's thesis: "Ein Fruehwarnsystem fuer AS Hijacking" (TUM, 2013)

  → C. Eckert implemented a parser for RIPE data (dumpfiles)
  → My implementation uses parts of his code
  → The TUM Chair for Network Architectures and Services provides dumpfiles for every RIR, updated daily.

SLIDE 13

Detecting Abandoned Resources

  • 1. Domain information → domain expired?
  • 2. Maintainer relations → maintainer nonexistent / inactive?
  • 3. Organisation relations → org. nonexistent / inactive?
  • 4. No. of relations → low degree of connectivity?

Scoring System

Based on these aspects, determine a score for the possibility that a resource is abandoned and/or abused / hijacked.
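A sketch of how the four indicators could be combined into a score, added here as an illustration and not taken from the thesis code. The RPSL-style objects are constructed sample data, and the weights, the degree threshold and the `EXPIRED` set (standing in for a separate domain-expiry check) are assumptions; the "inactive" checks are not covered.

```python
import re

# Constructed RPSL-style sample, not real registry data.
DUMP = """\
aut-num: AS64500
org: ORG-GONE1-EX
mnt-by: OLD-MNT

aut-num: AS64501
org: ORG-LIVE1-EX
mnt-by: LIVE-MNT
admin-c: AB1-EX

mntner: OLD-MNT
upd-to: noc@old-isp.example

mntner: LIVE-MNT
upd-to: noc@live-isp.example

organisation: ORG-LIVE1-EX
e-mail: info@live-isp.example

person: A. Body
nic-hdl: AB1-EX
"""
EXPIRED = {"old-isp.example"}  # assumed output of a separate domain-expiry check
WEIGHTS = {"domain_expired": 3, "mntner_missing": 2,
           "org_missing": 2, "low_degree": 1}  # assumed weights

def parse(dump):
    """Return one list of (attribute, value) pairs per blank-line-separated object."""
    return [[tuple(s.strip() for s in line.split(":", 1))
             for line in block.splitlines() if ":" in line]
            for block in re.split(r"\n\s*\n", dump.strip())]

def indicators(resource, objects, expired=EXPIRED):
    """Evaluate the four indicators for one resource object (e.g. an aut-num)."""
    by_id = {v: o for o in objects for k, v in o
             if k in ("mntner", "organisation", "nic-hdl")}
    refs = {k: v for k, v in resource if k in ("mnt-by", "org", "admin-c", "tech-c")}
    linked = [by_id[v] for v in refs.values() if v in by_id]  # references that resolve
    domains = {v.rsplit("@", 1)[1].lower() for o in linked for k, v in o if "@" in v}
    return {"domain_expired": bool(domains & expired),
            "mntner_missing": refs.get("mnt-by") not in by_id,  # absent counts as missing
            "org_missing": refs.get("org") not in by_id,
            "low_degree": len(linked) <= 1}  # assumed threshold

def score(resource, objects):
    """Sum the weights of all indicators that fire; higher means more suspicious."""
    return sum(WEIGHTS[n] for n, hit in indicators(resource, objects).items() if hit)
```

On the sample, AS64500 scores 6 (expired contact domain, dangling organisation reference, only one resolvable relation) while AS64501 scores 0.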

SLIDE 14

Dumpfile Example: Objects (1)

SLIDE 15

Dumpfile Example: Objects (2)

SLIDE 16

Dumpfile Example: Objects (3)

SLIDE 17

Tasks

  • 1. Analyze and understand the structure of the dump data for all RIRs
  • 2. Map data from the other RIRs to generic data model (based on RIPE)
  • 3. Adapt existing RIPE-parser code to the four remaining RIRs
  • 4. Use the same database format for compatibility: neo4j
  • 5. Evaluate data based on existing model for abuse detection

SLIDE 19

RIPE

SLIDE 20

APNIC

SLIDE 21

AFRINIC

SLIDE 22

LACNIC

SLIDE 23

ARIN

SLIDE 24

Generic Model

SLIDE 25

RIR Object types

Figure: Number of object types for all RIRs

SLIDE 27

Timeline

Figure: Timeline

SLIDE 28

Outlook

What needs to be done:

  → Feed data to neo4j database
    Parsed data is already in correct format!
  → Implement cronjobs for daily parsing / updates
  → Evaluation

SLIDE 29

Any questions? Feel free to ask!
