detecting security problems and internet measurement
play

Detecting Security Problems and Internet Measurement Evaluating - PDF document

Oct 07, 2022 •298 likes •354 views

Detecting Security Problems and Internet Measurement Evaluating Security Solutions The Internet as a whole is poorly CS 239 measured Advanced Topics in Network And, hence, poorly understood Security No existing network-wide

  1. Detecting Security Problems and Internet Measurement Evaluating Security Solutions • The Internet as a whole is poorly CS 239 measured Advanced Topics in Network –And, hence, poorly understood Security • No existing network-wide Peter Reiher infrastructure for measuring anything • Ad hoc attempts to get some handle on May 12, 2003 what’s going on in the network Lecture 12 Lecture 12 Page 1 Page 2 CS 239, Spring 2003 CS 239, Spring 2003 Some Security Measurement So, How to Answer These Questions Questions? • What fraction of all IP packets have spoofed • Deduce based on the evidence available addresses? • Obtain snapshots from some points in the • How many DDoSattacks occur each day? network • How many compromised machines are • Use simulation techniques there on the Internet? • Use honeypots/honeynets to attract attacks • If I installed secure BGP at 200 chosen for measurement and analysis locations, how much better would things • Install serious measurement capabilities in be? the network Lecture 12 Lecture 12 Page 3 Page 4 CS 239, Spring 2003 CS 239, Spring 2003 Idea Behind Backscatter Inferring DoS Attacks Measurement Technique • An attempt to answer question of how • DoS consists of a stream of garbage packets common DoSattacks are to a single destination • How to answer that question? • The victim doesn’t know they’re garbage, so it answers them normally – Ask people to tell you when they’re victims • Often, the attacker spoofs the source address of attack packets – Observe congestion and deduce when it’s caused by DoS – So responses go to the real machines whose addresses were spoofed – Or, use backscatter Lecture 12 Lecture 12 CS 239, Spring 2003 Page 5 CS 239, Spring 2003 Page 6 1

  2. Spoofing and DoS Attacks Using Backscatter in Practice • In principle, DoS attackers could spoof any • Set up network of test machines source address – That send and receive no legitimate • Most often, they seem to spoof randomly traffic from entire IP address space • Record every packet they receive – Choose new address from 2 32 possible • Try to identify which of them seem to be addresses for each packet legitimate responses to some packet • If enough packets are sent in attack, every machine on the Internet will see some • Identify each such packet as a backscatter responses packet in a DoS attack Lecture 12 Lecture 12 Page 7 Page 8 CS 239, Spring 2003 CS 239, Spring 2003 For Example, Practical Use of Backscatter I got a SYN/ACK from 67.123.55.40 when I didn’t • Not definitive, since anyone could have sent 46.103.96.3 100.22.73.48 5.150.134.83 131.179.192.55 send him a SYN this packet Probably someone else sent – Or could be a legitimate response to him a SYN with my source address spoofed something other than DoS Maybe there’s a DoS attack on 67.123.55.40 67.123.55.40! • More accurate if you monitor lots of SYN addresses SYN/ACK • Tricky to tell when attacks begin and end 131.179.192.55 Lecture 12 Lecture 12 Page 9 Page 10 CS 239, Spring 2003 CS 239, Spring 2003 CAIDA Backscatter Experiment Results • Run during three week-long periods in • During one week, saw 12,805 attacks 2000 • Over three weeks observed 200 million • Using /8 network backscatter packets –So they control 2 24 distinct IP –Presumably out of around 50 billion addresses, or 1/256 th of all addresses such packets • Monitored all traffic arriving for any of • More than 5000 victim addresses in these addresses more than 2000 domains Lecture 12 Lecture 12 CS 239, Spring 2003 Page 11 CS 239, Spring 2003 Page 12 2

  3. Types of Attacks Who Were the Victims? • Victim’s IP address is source address • TCP dominated in backscatter packet –94% of all attacks were TCP • Reverse lookup on that address to get • Small number were ICMP victim’s DNS name –But they represented nearly half of • Failed 30% of time the backscatter traffic • In other cases, .net and .com very • Only 2% were UDP popular for attack targets Lecture 12 Lecture 12 Page 13 Page 14 CS 239, Spring 2003 CS 239, Spring 2003 How Long Were the Attacks? How Strong Are the Attacks? • More than 90% were 10,000 pkts/sec or less • Typically one hour or less (90% of them) – 500 SYNs per second overwhelms unprotected server • But 2% of attacks more than 5 hours • 46% of attacks were that strong • 1% longer than 10 hours – 14,000 SYNs overwhelms anti-DoS • Dozens of attacks lasted for days firewall • 2.4% of attacks were that strong Lecture 12 Lecture 12 Page 15 Page 16 CS 239, Spring 2003 CS 239, Spring 2003 Other Approaches CERT • Keeps reasonably close eye on the • CERT Internet • Other network observation points • Is extremely careful about issuing • Honeynets advisories • The grapevine –Avoids panic, but delays response • Their staff observe and collect reports from other human sources Lecture 12 Lecture 12 CS 239, Spring 2003 Page 17 CS 239, Spring 2003 Page 18 3

  4. Other Network Observation Points Honeynets • Certain people maintain networks just to watch for • CAIDA, at San Diego, measures and attack traffic observes much Internet behavior – The backscatter project was a specialized – Including security-related behavior version • Other places observe some forms of – More generally, draw attackers in by promise of unprotected machine behavior – Use their behavior to learn about new problems – E.g., Oregon Routeviewproject to collect • Pretty much ad hoc research and volunteer router information from several ASs activity, so far Lecture 12 Lecture 12 Page 19 Page 20 CS 239, Spring 2003 CS 239, Spring 2003 The Grapevine Commercial Players • Sysadmins and network administrators tend • Companies like Network Associates to know each other and Symantec make it their business to • When they see problems, they talk to each know about certain kinds of problems other –Typically viruses • Word of new problems spreads quickly – Often using telephones, rather than the • Smaller companies try to build network reputation by finding and diagnosing • Much of what CERT knows about problems originates this way Lecture 12 Lecture 12 Page 21 Page 22 CS 239, Spring 2003 CS 239, Spring 2003 What Should We Do? • Is the current approach to finding security problems in the Internet adequate? • If not, what would be? • What should a system for watching for Internet threats look like? • Who would run it? • How would they do it? Lecture 12 CS 239, Spring 2003 Page 23 4

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

HSARPA Cyber Security Division Internet Measurement and Attack Modeling Project Active Internet

HSARPA Cyber Security Division Internet Measurement and Attack Modeling Project Active Internet

HSARPA Cyber Security Division Internet Measurement and Attack Modeling Project Active Internet Measurement Systems Workshop (AIMS) February 6-8, 2013 Ann Cox, PhD. Program Manager Cyber Security Division Homeland Security Advanced Research

545 views • 21 slides
Detecting outages with telemetry Alessio Placitelli - @dexterp37 June 16th - Internet

Detecting outages with telemetry Alessio Placitelli - @dexterp37 June 16th - Internet

Detecting outages with telemetry Alessio Placitelli - @dexterp37 June 16th - Internet Measurement Village 2020 Italy, March 11th - 2020 Tales from a mid-pandemic network outage Public 2 ...failure on a foreign network... Source :

591 views • 29 slides
Uncovering Cryptographic Failures with Internet-Wide Measurement Zakir Durumeric University

Uncovering Cryptographic Failures with Internet-Wide Measurement Zakir Durumeric University

Uncovering Cryptographic Failures with Internet-Wide Measurement Zakir Durumeric University of Michigan Who am I? My research focuses on measurement-driven security. Developing tools for researchers to better measure the

632 views • 49 slides
Internet Atlas: A Geographical Database of the Physical Internet Active Internet Measurement

Internet Atlas: A Geographical Database of the Physical Internet Active Internet Measurement

Internet Atlas: A Geographical Database of the Physical Internet Active Internet Measurement Systems Workshop (AIMS) February 6-8, 2013 Ram Durairajan Computer Sciences University of Wisconsin Motivation rkrish@cs.wisc.edu 2

505 views • 33 slides
Detecting Service Violation in Internet and Mobile Ad Hoc Networks Bharat Bhargava CERIAS

Detecting Service Violation in Internet and Mobile Ad Hoc Networks Bharat Bhargava CERIAS

Detecting Service Violation in Internet and Mobile Ad Hoc Networks Bharat Bhargava CERIAS Security Center CWSA Wireless Center Department of CS and ECE Purdue University bb@cs.purdue.edu Supported by NSF IIS 0209059, NSF IIS 0242840 , NSF

1k views • 97 slides
Presented by the Internet Security Alliance

Presented by the Internet Security Alliance

Presented by the Internet Security Alliance Problems and Whos in Howard True and False Potpourri Charge Schmidt Solu9ons

868 views • 31 slides
Do we need a new Internet? Part 2: Motivations for Change Adrian Perrig Network Security Group,

Do we need a new Internet? Part 2: Motivations for Change Adrian Perrig Network Security Group,

Do we need a new Internet? Part 2: Motivations for Change Adrian Perrig Network Security Group, ETH Zrich Worst Internet Security Problems? Malware (worms, viruses, etc.) Spyware Ransomware APT HTTP-based attacks Spam,

424 views • 17 slides
Development of Survey Procedures and Measurement System for the Detecting concentration of

Development of Survey Procedures and Measurement System for the Detecting concentration of

Transactions of the Korean Nuclear Society Virtual Spring Meeting July 9-10, 2020 Development of Survey Procedures and Measurement System for the Detecting concentration of residual radioactivity in Decommissioning of NPP Ga-Yeong Kim ,

73 views • 3 slides
(POSTER) An Empirical Comparative Measurement on Real ICS Network Tra ffi c to Internet Tra ffi c

(POSTER) An Empirical Comparative Measurement on Real ICS Network Tra ffi c to Internet Tra ffi c

(POSTER) An Empirical Comparative Measurement on Real ICS Network Tra ffi c to Internet Tra ffi c Chanwoo Bae, Won-Seok Hwang National Security Research Institute (NSRI) Motivation Cyber-Physical Systems = Industrial Control Systems

507 views • 9 slides
The Internet Security Alliance The Internet Security Alliance is a collaborative effort with

The Internet Security Alliance The Internet Security Alliance is a collaborative effort with

The Internet Security Alliance The Internet Security Alliance is a collaborative effort with Carnegie Mellon University. It is a cross-sector, internationally- based trade association devoted to cyber security. ISA has individual corporate

349 views • 30 slides
Community Oriented Network Measurement March 30, 2005 Welcome Internet Measurement

Community Oriented Network Measurement March 30, 2005 Welcome Internet Measurement

Community Oriented Network Measurement March 30, 2005 Welcome Internet Measurement Kleinrock and Naylor, 1974: Original ARPANET had built-in abilities to: Trace a single packets passage through the network Obtain

475 views • 28 slides
Communication security over the Internet The big picture Me Internet Resource Internet

Communication security over the Internet The big picture Me Internet Resource Internet

Communication security over the Internet The big picture Me Internet Resource Internet Server Client Attack vectors MAN DNS LAN Client Internet Back Bone Router Networking WWW overview MITM (Man In The Middle) 3 2 4 5 LAN

244 views • 23 slides
Network Security Architecture 1 Additional Reading Firewalls and Internet Security:

Network Security Architecture 1 Additional Reading Firewalls and Internet Security:

Network Security Architecture 1 Additional Reading Firewalls and Internet Security: Repelling the Wily Hacker, Cheswick, Bellovin, and Rubin. New second edition Firewall and Internet Security, the Second Hundred (Internet)

801 views • 78 slides
Internet Security Summary ITS335: IT Security Sirindhorn International Institute of Technology

Internet Security Summary ITS335: IT Security Sirindhorn International Institute of Technology

ITS335 Internet Security Internet Security Secure Email Internet Security Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 20 December 2015 its335y15s2l10,

450 views • 25 slides
Measurement of cross-counter leader fractions in an 18NM64: Detecting single and multiple

Measurement of cross-counter leader fractions in an 18NM64: Detecting single and multiple

Measurement of cross-counter leader fractions in an 18NM64: Detecting single and multiple atmospheric secondaries Alejandro Siz, 1 Warit Mitthumsiri, 1 David Ruffolo, 1 Paul Evenson, 2 and Tanin Nutaro 3 1 Department of Physics, Faculty of

548 views • 20 slides
A summary of security-related network measurements. David Malone Maynooth University.

A summary of security-related network measurements. David Malone Maynooth University.

A summary of security-related network measurements. David Malone Maynooth University. 2017-09-11 15:15:00 Network Measurement Results Internet Measurement Conference (IMC), Passive and Active Measurement Conference (PAM), Traffic

812 views • 12 slides
Category-level localization Cordelia Schmid Category-level localization Localization up to a

Category-level localization Cordelia Schmid Category-level localization Localization up to a

Category-level localization Cordelia Schmid Category-level localization Localization up to a bounding box Sliding window approach, previous course: Felzenszwalb 2010 Today: shape-based descriptor + sliding window Category-level

1.4k views • 110 slides
Determination of Alterasion Zones Using Hyperspectral Imagery Based on Spectral Unmixing By Seyd

Determination of Alterasion Zones Using Hyperspectral Imagery Based on Spectral Unmixing By Seyd

Determination of Alterasion Zones Using Hyperspectral Imagery Based on Spectral Unmixing By Seyd Teymoor Seydi Mohammad Reza Yousefi Outlines Geology of the area Proposed Methods Endmember estimation Endmember extraction

541 views • 10 slides
AIRS Atmospheric Infrared Sounder Status George H. Aumann Project Scientist 30 Nov 2004 H. H.

AIRS Atmospheric Infrared Sounder Status George H. Aumann Project Scientist 30 Nov 2004 H. H.

AIRS Atmospheric Infrared Sounder Status George H. Aumann Project Scientist 30 Nov 2004 H. H. Aumann AIRS/AMSU/HSB Project Overview Spacecraft: EOS Aqua Spacecraft: EOS Aqua Instruments: Instruments: AIRS, AMSU, HSB, AIRS, AMSU, HSB,

558 views • 42 slides
Hamburg University of Technology in cooperation with

Hamburg University of Technology in cooperation with

www.ie-leipzig.de Forschung, Institut fr Energetik und Umwelt Entwicklung, Dienstleistungen fr - Energie Institute for Energy and Environment - Umwelt Status of Geothermal Electricity Generation in Europe - Requirements and Challenges

232 views • 20 slides
MU MUSCLE-BO BONE CR CROSS SSTALK IN IN B BURN IN INJU JURY Gordon L. Klein MD MPH

MU MUSCLE-BO BONE CR CROSS SSTALK IN IN B BURN IN INJU JURY Gordon L. Klein MD MPH

MU MUSCLE-BO BONE CR CROSS SSTALK IN IN B BURN IN INJU JURY Gordon L. Klein MD MPH Department of Orthopaedic Surgery and Rehabilitation University of Texas Medical Branch Galveston, Texas USA SEVERE B SE BURN I INJURY I INITIATES S

948 views • 11 slides
Dev "Programming" Ops for DevOps Success Damon Edwards @damonedwards dev2ops.org

Dev "Programming" Ops for DevOps Success Damon Edwards @damonedwards dev2ops.org

Dev "Programming" Ops for DevOps Success Damon Edwards @damonedwards dev2ops.org DevOps Cafe Disclosure: DevOps (to me) Disclosure: DevOps (to me) DevOps is not a specific methodology or prescriptive steps only achievable

1.94k views • 154 slides
Relationships of Viruses & Bacteria to Disease Virtual Science University 1 Relationships

Relationships of Viruses & Bacteria to Disease Virtual Science University 1 Relationships

Relationships of Viruses & Bacteria to Disease Virtual Science University 1 Relationships of Viruses & Bacteria to Disease Texas TEK B.4 (C) Student will compare the structures and functions of viruses to cells and describe the role

584 views • 34 slides
The Sudden Shift: What prompts increased local government response to the climate change

The Sudden Shift: What prompts increased local government response to the climate change

The Sudden Shift: What prompts increased local government response to the climate change challenge in the Philippines? Michael P. Caares Step Up Consulting Services Philippines Its just a a b buzzword rd fro rom abov ove :

592 views • 40 slides

More recommend