SLIDE 1

ENABLING SSH PROTOCOL VISIBILITY IN FLOW MONITORING

Wednesday 10th April, 2019

Pavel ČELEDA

Petr VELAN, Benjamin KRÁL, Ondřej KOZÁK

SLIDE 2

Introduction

SSH – Secure Shell
  • provides a secure connection over an unsecured network
  • remote command-line login and remote command execution
  • target of network scans, brute-force and dictionary attacks

Research Goals
  • propose flow-based (IPFIX) application-level SSH visibility
  • analysis of SSH traffic – operationally relevant use-cases
  • provide the anonymized dataset used for the evaluation

Enabling SSH Protocol Visibility in Flow Monitoring Page 2 / 18

SLIDE 3

SSH Protocol Measurement

SLIDE 4

SSH Connection Setup

Client – Server message sequence (reconstructed from the slide diagram):

Plaintext
  • Protocol version + software version
  • Supported algorithms
  • Key exchange
  • SSH_MSG_NEWKEYS

Encrypted
  • Request service "ssh-userauth"
  • Supported authentication methods
  • Authentication credentials
  • Authentication outcome
  • Application data

SLIDE 5

SSH-Aware Flow Monitoring

Packets → Metering Process (Flow Cache: L2-L4 Header Processing, Application Processing, Flow Processing) → Exporting Process (IPFIX Message, Transport Protocol) → Flow records

Example flow records (both directions of one SSH connection):

Flow Start    | Duration | Proto | Src IP Addr:Port      | Dst IP Addr:Port      | Flags  | Packets | Bytes
14:33:12.329  | 0.648    | TCP   | 147.251.165.135:47466 | 147.228.240.28:22     | .AP.SF | 219     | 275100
14:33:12.334  | 0.643    | TCP   | 147.228.240.28:22     | 147.251.165.135:47466 | .AP.SF | 43      | 6439

SSH application fields exported for the same connection:

Application Version | Client Application      | Server Application     | Key Exchange Algorithm
SSH 2.0             | OpenSSH_7.4p1 Debian-10 | OpenSSH_6.7p1 Debian-5 | ecdsa-sha2-nistp256

Client Encryption  | Server Encryption  | Compression | Login Attempts
chacha20-poly1305  | chacha20-poly1305  | none        | 1
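The Application Version and Client/Server Application fields in the record come from the identification strings exchanged in the plaintext part of the handshake. The following Python is an added example, not the Flowmon plugin's code: it parses RFC 4253 identification strings and normalizes the software token to the product names used in the slides' software tables; the product list and the sample strings are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
_IDENT_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")

# Constructed subset of product names (the ones appearing in the slides' tables);
# a production probe would carry a much larger table.
_APPLICATIONS = ("OpenSSH", "libssh2", "libssh", "PuTTY", "paramiko", "WinSCP",
                 "dropbear", "Go", "check_ssh", "zabbix_agent", "Granados", "FileZilla")

@dataclass
class SshIdent:
    protocol_version: str     # "Application Version" element, e.g. "2.0"
    software_version: str     # e.g. "OpenSSH_7.4p1"
    comments: Optional[str]   # e.g. "Debian-10"
    application: str          # normalized product name, e.g. "OpenSSH"

def classify_application(software: str) -> str:
    """Map the softwareversion token to a product; longest prefix wins (libssh2 before libssh)."""
    for name in sorted(_APPLICATIONS, key=len, reverse=True):
        if software.lower().startswith(name.lower()):
            return name
    return "unknown"

def parse_ssh_ident(line: bytes) -> Optional[SshIdent]:
    """Parse one line of the plaintext stream start; None if it is not an identification string."""
    text = line.rstrip(b"\r\n").decode("ascii", errors="replace")
    m = _IDENT_RE.match(text)
    if m is None:
        return None
    return SshIdent(m["proto"], m["software"], m["comments"],
                    classify_application(m["software"]))

def first_ident_in_stream(payload: bytes) -> Optional[SshIdent]:
    """RFC 4253 lets a server send banner lines before its identification string: skip them."""
    for raw in payload.split(b"\n"):
        ident = parse_ssh_ident(raw)
        if ident is not None:
            return ident
    return None

if __name__ == "__main__":
    # Constructed sample input: the client and server strings from the flow record above
    client = first_ident_in_stream(b"SSH-2.0-OpenSSH_7.4p1 Debian-10\r\n")
    server = first_ident_in_stream(b"Welcome to the lab server\r\nSSH-2.0-OpenSSH_6.7p1 Debian-5\r\n")
    print(client.application, client.protocol_version, "|", server.software_version)
```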

SLIDE 6

SSH-Aware Telemetry

SLIDE 7

SSH-Aware Telemetry

SSH Visibility
  • passive flow monitoring – Flowmon probe, IPFIXcol collector
  • SSH protocol detection (aka Cisco NBAR2) – any port
  • client/server SSH information – IPFIX information elements

Test Setup
  • developed a Flowmon probe plugin to provide SSH information
  • deployed at the perimeter of the campus network of the MU

Many Operationally Relevant Use-Cases
  • SSH is widely used by developers, admins, and attackers
  • we need to understand our SSH traffic (campus wide)

SLIDE 8

Top 10 Non-Standard SSH Ports

[Bar chart: top 10 non-standard SSH ports, y-axis Flows (%); individual port labels not recoverable from the slide text]

SLIDE 9

SSH Software Implementations

Client Software  | % of Flows
OpenSSH          | 37.935
libssh2          | 23.289
check_ssh        | 18.107
libssh           | 10.016
PuTTY            | 2.510
Go               | 2.196
paramiko         | 2.171
WinSCP           | 1.022
zabbix_agent     | 0.741
Granados         | 0.331
nsssh2           | 0.057
FileZilla        | 0.007

Server Software    | % of Flows
OpenSSH            | 91.827
Cisco              | 1.680
libssh             | 0.238
dropbear           | 0.243
HomeSSH            | 0.020
ROSSSH             | 0.033
conker             | 0.032
mod_sftp           | 0.004
FlowSsh            | 0.012
Zyxel              | 0.001
Comware            | 0.003
CerberusFTPServer  | 0.000

SLIDE 10

SSH Scanning and Brute Force Attacks

SLIDE 11

SSH Scanning and Brute Force Attacks

SSH Remote Login Attacks
  • attempts to access computer systems by remote attackers
  • scanning IP address(es) – looking for systems running SSH
  • brute-force attacks – guessing usernames and passwords

Attackers vs. Researchers
  • many attempts to detect scanning and brute-force activities
  • high number of SSH scans – no added value in detection
  • we need to detect successful logins – utmost importance

SLIDE 12

User Authentication – Keyboard-Inter. Method

Client – Server message sequence (reconstructed from the slide diagram; numbers are SSH message types):

  • Client → Server: USERAUTH_REQUEST (50) – method keyboard-interactive, username
  • Server → Client: USERAUTH_INFO_REQUEST (60) – prompt
  • Client → Server: USERAUTH_INFO_RESPONSE (61) – reply
  • Server → Client: USERAUTH_SUCCESS (52)
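To turn this message sequence into the "No. of Authentication Attempts" and "Authentication Attempts Result" elements of the dataset, a probe has to replay the userauth exchange of each connection. The Python below is an added example, not the authors' plugin: it uses the message numbers from RFC 4252/4256 shown on the slide, adds the USERAUTH_FAILURE (51) verdict, and assumes that a method "none" request is the RFC 4252 method probe and does not count as an attempt.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# SSH userauth message numbers (RFC 4252 section 6; RFC 4256 section 3 for 60/61)
USERAUTH_REQUEST = 50        # client: username, service, method
USERAUTH_FAILURE = 51        # server: rejected, lists methods that can continue
USERAUTH_SUCCESS = 52        # server: authenticated
USERAUTH_INFO_REQUEST = 60   # server: keyboard-interactive prompt(s)
USERAUTH_INFO_RESPONSE = 61  # client: keyboard-interactive reply

# One observed message: direction ("C>S" or "S>C"), message number, method name
# (only meaningful on USERAUTH_REQUEST; None otherwise)
Msg = Tuple[str, int, Optional[str]]

@dataclass
class AuthSummary:
    attempts: int = 0              # "No. of Authentication Attempts" element
    result: Optional[bool] = None  # "Authentication Attempts Result": True/False, None if unfinished
    info_rounds: int = 0           # keyboard-interactive prompt/response rounds observed
    methods: List[str] = field(default_factory=list)

def summarize_userauth(msgs: List[Msg]) -> AuthSummary:
    """Replay one connection's userauth messages and derive the per-flow attempt
    count and outcome. Assumption not stated on the slides: a USERAUTH_REQUEST with
    method "none" is the RFC 4252 5.2 method probe and is not counted as an attempt."""
    s = AuthSummary()
    pending = False  # a counted request is awaiting the server's verdict
    for direction, num, method in msgs:
        if direction == "C>S" and num == USERAUTH_REQUEST:
            pending = method != "none"
            if pending:
                s.methods.append(method or "unknown")
        elif direction == "S>C" and num == USERAUTH_INFO_REQUEST:
            s.info_rounds += 1
        elif direction == "S>C" and num in (USERAUTH_FAILURE, USERAUTH_SUCCESS):
            if pending:
                s.attempts += 1
                s.result = num == USERAUTH_SUCCESS
                pending = False
            if num == USERAUTH_SUCCESS:
                break  # authenticated; everything after this is application data
    return s

# Constructed sample: the keyboard-interactive exchange drawn on the slide
SLIDE_SEQUENCE: List[Msg] = [
    ("C>S", USERAUTH_REQUEST, "keyboard-interactive"),  # username + method
    ("S>C", USERAUTH_INFO_REQUEST, None),               # prompt
    ("C>S", USERAUTH_INFO_RESPONSE, None),              # reply
    ("S>C", USERAUTH_SUCCESS, None),
]
```

A connection that only sends the "none" probe and receives a failure ends with zero attempts and no result, which keeps method discovery apart from real login attempts.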

SLIDE 13

Authentication Attempts per SSH Connection

[Histogram: number of authentication attempts per SSH connection (x-axis 1 to 14, logarithmic y-axis 1 to 1x10^7 connections); series: Total authentication attempts, Successful login, Failed login]

SLIDE 14

Unsuccessful SSH Clients

Client Software  | % of Flows
libssh2          | 39.746
check_ssh        | 34.909
libssh           | 17.847
OpenSSH          | 3.001
Go               | 1.603
zabbix_agent     | 1.429
Terminal         | 0.413
Granados         | 0.366
paramiko         | 0.340
PuTTY            | 0.077
WinSCP           | 0.017

SLIDE 15

Conclusion

SLIDE 16

Conclusion

SSH Traffic Analysis – Lessons Learned
  • SSH measurement may be tricky (e.g., persistent connections)
  • SSH bad practice – non-standard ports, password logins
  • threat landscape evolves very fast – scans vs. logins
  • it is possible to detect (in most cases) successful / failed logins

Future Work
  • SSH client / server fingerprinting, and clustering
  • identification of SSH communication patterns in the clusters

SLIDE 17

SSH Dataset Description

Basic Flow Elements
  • Flow Start Timestamp
  • Flow End Timestamp
  • Source IP Address (Anon.)
  • Source Transport Port
  • Destination IP Address (Anon.)
  • Destination Transport Port
  • Transport Protocol
  • Number of Packets
  • Number of Bytes
  • TCP Flags

SSH Elements
  • SSH Client / Server Version
  • SSH Client Application
  • SSH Key Exchange Algorithm
  • SSH Host Key
  • SSH Client / Server Encryption Alg.
  • SSH Client / Server MAC Alg.
  • SSH Server MAC Alg.
  • SSH Client Compression Alg.
  • SSH Server Compression Alg.
  • No. of Authentication Attempts
  • Authentication Attempts Result

Dataset available for download: http://dx.doi.org/10.5281/zenodo.1412596

SLIDE 18

THANK YOU FOR YOUR ATTENTION

csirt.muni.cz

Pavel ČELEDA

@csirtmu celeda@ics.muni.cz