Detection of Amplifiers using Active Measurements, Hamza Zafar - PowerPoint PPT Presentation


  1. Detection of Amplifiers using Active Measurements
     Chair of Network Architectures and Services, Department of Informatics, Technical University of Munich
     Hamza Zafar
     Advisors: Simon Bauer, Oliver Gasser, Stefan Metzger
     Supervisor: Prof. Dr.-Ing. Georg Carle
     Technical University of Munich (TUM), Department of Informatics, Chair of Network Architectures and Services
     Garching, 08.04.2019

  2. Agenda
     - Introduction
     - Framework
     - Measurements
     - Dashboards
     - Conclusion
     Hamza Zafar | Detection of Amplifiers using Active Measurements

  3. Introduction: Background
     - Distributed Reflective Denial-of-Service Attack (DRDoS)
       Figure: DRDoS attack using a botnet.
     - Bandwidth Amplification Factor (BAF):
       BAF = len(Response payload) / len(Request payload)
     - Amplifier:
       - Publicly available
       - Lacks authentication
       - Connection-less
       - BAF > 1

  4. Introduction: Motivation
     - Terabit attack era
       - GitHub reported 1.35 Tbps
       - Arbor Networks reported 1.7 Tbps
     - Abuse of IoT devices
       - Mirai malware
     - Solution
       - No IP address spoofing, no DRDoS attacks
       - Reduce the number of amplifiers
     - Our contribution
       - Framework to detect amplifiers using active network measurements

  5. Introduction: Research Questions
     - How to orchestrate network scans in a large network?
     - How to conduct network scans ethically?
     - Do amplifiers exhibit any characteristics?
     - Does the bandwidth amplification factor (BAF) change over time?
     - Does the number of active amplifiers change over time?

  6. Framework: Features
     - REST API
       - Developed using Django REST Framework (DRF)
     - CLI client
       - Increases usability
     - Scan scheduling
       - Periodically execute network scans
       - Celery task queue used

  7. Framework: Features (cont.)
     - E-mail notifications
       - Notify about amplifiers and error messages
     - Network scanner (ZMap)
       - Horizontal scanner (one scan per protocol)
       - Fast network scanner: "/0 scans in under 45 minutes"
       - Stateless
       - Randomized probes
       - IPv6 address space scanning
     - Visualization dashboards
       - Developed using Grafana
       - Home Dashboard: stats from all scans
       - Scan Dashboard: stats for a specific scan
       - Amplifier Dashboard: stats for a specific amplifier

  8. Measurements
     - Address ranges: TUM's public IPv4 addresses
     - Scanning frequency: twice a day
     - Scanning duration: two weeks (23.02.2019 – 06.03.2019)
     - No. of scanned addresses: 130k
     - Scan execution time: approx. 17 minutes
     Figure: Scanning setup

  9. Measurements: Ethical Considerations
     - Validate the probe packet
       - Don't cause harm to the devices
       - Use Wireshark to validate the packet structure
       - Optimally, deploy the services yourself and capture request packets
     - Host a web page to express scanning intentions
     - Maintain a blacklist
     - Avoid saturating networks
       - Low packet rate (128 pps)
       - ZMap's randomized probing
     - Restricted access to scan results

  10. Measurements: Results
     - Amplifiers detected for 5 protocols
     - NetBIOS and SNMP have the highest no. of amplifiers
     - Amplifiers decrease during the weekend
     - Amplifiers increase during the day
     Table: Min, max and avg. number of amplifiers
     Figure: No. of active amplifiers detected over a period of two weeks

  11. Measurements: NetBIOS Amplifiers
     - Windows-based protocol that allows applications to communicate on a LAN
     - Probe: NetBIOS name table
     - Linux/Unix-based machines found running NetBIOS
       - SAMBA suite
     - Amplifiers belong to three subnets
       - Subnet-1: end-user devices
       - Subnet-2 & Subnet-3: printers, mail servers, LDAP servers
     Figure: Number of active NetBIOS amplifiers in three subnets

  12. Measurements: SNMP Amplifiers
     - Simple Network Management Protocol (SNMP)
       - Manage and monitor network devices
     - Probe: system description property
       Figure: System description string received from a Samsung printer
     - SNMP GetRequest vs. GetBulkRequest
     - Majority of SNMP amplifiers are printers

  13. Measurements: SSDP and DNS Amplifiers
     - Simple Service Discovery Protocol (SSDP)
       - Discovery and advertisement of plug-and-play devices
       - Probe: SSDP discover request
       - Two Samsung printers found
     - DNS amplifiers
       - Probe: DNS ANY query for google.com
       - One DNS open resolver found
       - DNS resolver caches results
       - BAF drops during the weekend because fewer records are in the resolver's cache
     Figure: Change in BAF of amplifiers

  14. Measurements: Chargen Amplifiers
     - Legacy character generator protocol
       - Testing and network debugging
     - Highest BAF (74X)
     - Two amplifiers
     - Nmap scan reveals the amplifiers are running:
       - Legacy protocols Echo, Discard
       - Outdated Sun Solaris 8 OS
         - Sun Solaris 8 enables Chargen on system startup
       - Sun Management Console found
     Figure: Sun Management Console

  15. Measurements
     - Bandwidth Amplification Factor of amplifiers:
       Table: BAF per protocol recorded from the last scanning iteration; "all" shows the average BAF of all amplifiers, "50%" and "10%" show the average BAF of the worst 50% and 10% of amplifiers, respectively.
     - 9 devices found with multiple amplification vulnerabilities
       Table: Combination of vulnerable protocols detected in amplifiers
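The BAF definition from slide 3 and the per-protocol summary of slide 15 (average over all amplifiers, over the worst 50% and over the worst 10%, plus hosts amplifying on more than one protocol), worked through as an added example. This is not the thesis framework's code; the `Observation` record layout and the sample scan records are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from math import ceil
from statistics import mean

@dataclass(frozen=True)
class Observation:
    """One probe/response pair from a scan (hypothetical record layout)."""
    protocol: str
    ip: str
    request_len: int   # UDP payload bytes sent
    response_len: int  # UDP payload bytes received

def baf(obs):
    """BAF = len(response payload) / len(request payload), as on slide 3."""
    return obs.response_len / obs.request_len

def amplifiers(observations):
    """Responders count as amplifiers only when BAF > 1 (slide 3's criterion)."""
    return [o for o in observations if baf(o) > 1.0]

def worst_avg(bafs, fraction):
    """Average BAF of the worst `fraction` of amplifiers (highest first), at least one."""
    k = max(1, ceil(len(bafs) * fraction))
    return mean(sorted(bafs, reverse=True)[:k])

def baf_table(observations):
    """Per-protocol summary in slide 15's layout: all, worst 50%, worst 10%."""
    per_proto = defaultdict(list)
    for o in amplifiers(observations):
        per_proto[o.protocol].append(baf(o))
    return {p: {"count": len(b), "all": mean(b),
                "worst50": worst_avg(b, 0.5), "worst10": worst_avg(b, 0.1)}
            for p, b in per_proto.items()}

def multi_vulnerable(observations):
    """Hosts amplifying on more than one protocol (slide 15's combination table)."""
    protos = defaultdict(set)
    for o in amplifiers(observations):
        protos[o.ip].add(o.protocol)
    return {ip: sorted(ps) for ip, ps in protos.items() if len(ps) > 1}

# Constructed sample records; not measurement data from the thesis.
SAMPLE = [
    Observation("chargen", "10.0.0.1", 1, 74),
    Observation("chargen", "10.0.0.2", 1, 60),
    Observation("snmp", "10.0.0.1", 40, 120),
    Observation("netbios", "10.0.0.3", 50, 300),
    Observation("netbios", "10.0.0.4", 50, 150),
    Observation("netbios", "10.0.0.5", 50, 100),
    Observation("netbios", "10.0.0.6", 50, 50),  # BAF 1.0: answers but does not amplify
    Observation("dns", "10.0.0.7", 60, 30),      # BAF 0.5: not an amplifier
]
```

Responders with BAF of exactly 1 or below are dropped before any averaging, so a protocol with no amplifying hosts simply has no row in the table.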

  16. Framework: Dashboards
     - Visualization dashboards demo

  17. Conclusion
     - Extensible framework for amplifier detection using active measurements
     - Evaluation by executing scans ethically in the Munich Scientific Network
     - The number of amplifiers and the BAF vary with time
     - Misconfigurations expose devices
     - Internet-wide scans could be a source of interesting insights in future

  18. Backup Slides

  19. Framework: Home Dashboard

  20. Framework: Scan Dashboard

  21. Framework: Amplifier Dashboard

  22. Framework: REST API
     - REST architecture style
       - Client-server "separation of concerns"
       - Uniform interface
     - Django REST Framework (DRF)
       - Python-based
       - Open source
       - Pluggable components
       - Field validations (IP address format, port range)
     - CLI client
       - Constructs and sends requests
       - Increases usability
     Figure: Framework architecture

  23. Framework: Scan Scheduling
     - Scan scheduling
       - Periodically execute network scans
     - Celery
       - Task queue
       - Asynchronous execution of long-running tasks
       - Publisher-subscriber model
     - Celery beat scheduler
       - Keeps track of scans
       - Triggers task execution
     - Celery worker
       - Executes tasks
       - Stores results in the database
     Figure: Framework architecture

  24. Framework: Network Scanner
     - Network scanner
       - Horizontal vs. vertical scanning technique
     - ZMap
       - Fast network scanner: "/0 scans in under 45 minutes"
       - Stateless
         - Decouples sending probes and receiving responses
         - Bypasses the TCP/IP stack
       - Randomized probes
       - IPv6 address space scanning
       - Blacklist feature
       - One scan per protocol
     Figure: Framework architecture

  25. Framework: Visualization
     - Grafana – data visualization framework
       - Open source
       - Support for several databases
       - Tables, graphs, heat-maps etc. to visualize data
     - Home Dashboard: stats from all scans
     - Scan Dashboard: stats for a specific scan
     - Amplifier Dashboard: stats for a specific amplifier

  26. Framework: Notifications
     - E-mail notifications
       - Sent when the scan completes or fails
       - Help in tackling the operational challenges of the framework
     Figure: Amplifiers found notification
     Figure: Error notification

  27. Measurements
     - TUM's public IPv4 address ranges scanned
     - 10 UDP-based protocols assessed for amplification abuse
     - PlanetLab static IP addresses used for scanning nodes
     - Scans executed twice a day
     Figure: Scanning setup
