Detecting Security Problems and Internet Measurement Evaluating - - PDF document

detecting security problems and internet measurement
SMART_READER_LITE
LIVE PREVIEW

Detecting Security Problems and Internet Measurement Evaluating - - PDF document

Oct 07, 2022 298 likes •354 views

Detecting Security Problems and Internet Measurement Evaluating Security Solutions The Internet as a whole is poorly CS 239 measured Advanced Topics in Network And, hence, poorly understood Security No existing network-wide

slide-1
SLIDE 1

1

Lecture 12 Page 1 CS 239, Spring 2003

Detecting Security Problems and Evaluating Security Solutions CS 239 Advanced Topics in Network Security Peter Reiher May 12, 2003

Lecture 12 Page 2 CS 239, Spring 2003

Internet Measurement

  • The Internet as a whole is poorly

measured –And, hence, poorly understood

  • No existing network-wide

infrastructure for measuring anything

  • Ad hoc attempts to get some handle on

what’s going on in the network

Lecture 12 Page 3 CS 239, Spring 2003

Some Security Measurement Questions

  • What fraction of all IP packets have spoofed

addresses?

  • How many DDoSattacks occur each day?
  • How many compromised machines are

there on the Internet?

  • If I installed secure BGP at 200 chosen

locations, how much better would things be?

Lecture 12 Page 4 CS 239, Spring 2003

So, How to Answer These Questions?

  • Deduce based on the evidence available
  • Obtain snapshots from some points in the

network

  • Use simulation techniques
  • Use honeypots/honeynets to attract attacks

for measurement and analysis

  • Install serious measurement capabilities in

the network

Lecture 12 Page 5 CS 239, Spring 2003

Inferring DoS Attacks

  • An attempt to answer question of how

common DoSattacks are

  • How to answer that question?

– Ask people to tell you when they’re victims – Observe congestion and deduce when it’s caused by DoS – Or, use backscatter

Lecture 12 Page 6 CS 239, Spring 2003

Idea Behind Backscatter Measurement Technique

  • DoS consists of a stream of garbage packets

to a single destination

  • The victim doesn’t know they’re garbage,

so it answers them normally

  • Often, the attacker spoofs the source

address of attack packets – So responses go to the real machines whose addresses were spoofed

slide-2
SLIDE 2

2

Lecture 12 Page 7 CS 239, Spring 2003

Spoofing and DoS Attacks

  • In principle, DoS attackers could spoof any

source address

  • Most often, they seem to spoof randomly

from entire IP address space – Choose new address from 232 possible addresses for each packet

  • If enough packets are sent in attack, every

machine on the Internet will see some responses

Lecture 12 Page 8 CS 239, Spring 2003

Using Backscatter in Practice

  • Set up network of test machines

– That send and receive no legitimate traffic

  • Record every packet they receive
  • Try to identify which of them seem to be

legitimate responses to some packet

  • Identify each such packet as a backscatter

packet in a DoS attack

Lecture 12 Page 9 CS 239, Spring 2003

For Example,

131.179.192.55 46.103.96.3 100.22.73.48 5.150.134.83 131.179.192.55 SYN SYN/ACK

I got a SYN/ACK from 67.123.55.40 when I didn’t send him a SYN Probably someone else sent him a SYN with my source address spoofed Maybe there’s a DoS attack on 67.123.55.40!

67.123.55.40

Lecture 12 Page 10 CS 239, Spring 2003

Practical Use of Backscatter

  • Not definitive, since anyone could have sent

this packet – Or could be a legitimate response to something other than DoS

  • More accurate if you monitor lots of

addresses

  • Tricky to tell when attacks begin and end

Lecture 12 Page 11 CS 239, Spring 2003

CAIDA Backscatter Experiment

  • Run during three week-long periods in

2000

  • Using /8 network

–So they control 224 distinct IP addresses, or 1/256th of all addresses

  • Monitored all traffic arriving for any of

these addresses

Lecture 12 Page 12 CS 239, Spring 2003

Results

  • During one week, saw 12,805 attacks
  • Over three weeks observed 200 million

backscatter packets –Presumably out of around 50 billion such packets

  • More than 5000 victim addresses in

more than 2000 domains

slide-3
SLIDE 3

3

Lecture 12 Page 13 CS 239, Spring 2003

Types of Attacks

  • TCP dominated

–94% of all attacks were TCP

  • Small number were ICMP

–But they represented nearly half of the backscatter traffic

  • Only 2% were UDP

Lecture 12 Page 14 CS 239, Spring 2003

Who Were the Victims?

  • Victim’s IP address is source address

in backscatter packet

  • Reverse lookup on that address to get

victim’s DNS name

  • Failed 30% of time
  • In other cases, .net and .com very

popular for attack targets

Lecture 12 Page 15 CS 239, Spring 2003

How Long Were the Attacks?

  • Typically one hour or less (90% of

them)

  • But 2% of attacks more than 5 hours
  • 1% longer than 10 hours
  • Dozens of attacks lasted for days

Lecture 12 Page 16 CS 239, Spring 2003

How Strong Are the Attacks?

  • More than 90% were 10,000 pkts/sec or less

– 500 SYNs per second overwhelms unprotected server

  • 46% of attacks were that strong

– 14,000 SYNs overwhelms anti-DoS firewall

  • 2.4% of attacks were that strong

Lecture 12 Page 17 CS 239, Spring 2003

Other Approaches

  • CERT
  • Other network observation points
  • Honeynets
  • The grapevine

Lecture 12 Page 18 CS 239, Spring 2003

CERT

  • Keeps reasonably close eye on the

Internet

  • Is extremely careful about issuing

advisories –Avoids panic, but delays response

  • Their staff observe and collect reports

from other human sources

slide-4
SLIDE 4

4

Lecture 12 Page 19 CS 239, Spring 2003

Other Network Observation Points

  • CAIDA, at San Diego, measures and
  • bserves much Internet behavior

– Including security-related behavior

  • Other places observe some forms of

behavior – E.g., Oregon Routeviewproject to collect router information from several ASs

Lecture 12 Page 20 CS 239, Spring 2003

Honeynets

  • Certain people maintain networks just to watch for

attack traffic – The backscatter project was a specialized version – More generally, draw attackers in by promise

  • f unprotected machine

– Use their behavior to learn about new problems

  • Pretty much ad hoc research and volunteer

activity, so far

Lecture 12 Page 21 CS 239, Spring 2003

The Grapevine

  • Sysadmins and network administrators tend

to know each other

  • When they see problems, they talk to each
  • ther
  • Word of new problems spreads quickly

– Often using telephones, rather than the network

  • Much of what CERT knows about
  • riginates this way

Lecture 12 Page 22 CS 239, Spring 2003

Commercial Players

  • Companies like Network Associates

and Symantec make it their business to know about certain kinds of problems –Typically viruses

  • Smaller companies try to build

reputation by finding and diagnosing problems

Lecture 12 Page 23 CS 239, Spring 2003

What Should We Do?

  • Is the current approach to finding security

problems in the Internet adequate?

  • If not, what would be?
  • What should a system for watching for

Internet threats look like?

  • Who would run it?
  • How would they do it?