ENABLING SSH PROTOCOL VISIBILITY IN FLOW MONITORING Wednesday 10 th April, 2019 Pavel ČELEDA Petr VELAN, Benjamin KRÁL Ondřej KOZÁK
Introduction SSH – Secure Shell provides secure connection over an unsecured network remote command-line login and remote command execution target of network scans, brute-force and dictionary attacks Research Goals propose fl ow-based (IPFIX) application level SSH visibility analysis of SSH tra ffi c – operational relevant use-cases provide anonymized dataset used for the evaluation Enabling SSH Protocol Visibility in Flow Monitoring Page 2 / 18
SSH Protocol Measurement Enabling SSH Protocol Visibility in Flow Monitoring Page 3 / 18
SSH Connection Setup Client Server Protocol version + software version Supported algorithms Plaintext Key exchange SSH_MSG_NEWKEYS Request service "ssh-userauth" Supported authentication methods Authentication credentials Encrypted Authentication outcome Application data ... Enabling SSH Protocol Visibility in Flow Monitoring Page 4 / 18
SSH-Aware Flow Monitoring Metering Process Exporting Process L2-L4 Header Application Processing Processing Packets IPFIX Transport Flow Message Protocol records Flow Cache Flow Processing Flow Start Duration Proto Src IP Addr:Port Dst IP Addr:Port Flags Packets Bytes 14:33:12.329 0.648 TCP 147.251.165.135:47466 147.228.240.28:22 .AP.SF 219 275100 14:33:12.334 0.643 TCP 147.228.240.28:22 147.251.165.135:47466 .AP.SF 43 6439 Application Version Client Application Server Application Key Exchange Algorithm SSH 2.0 OpenSSH_7.4p1 Debian-10 OpenSSH_6.7p1 Debian-5 ecdsa-sha2-nistp256 Client Encryption Server Encryption Compression Login Attempts chacha20-poly1305 chacha20-poly1305 none 1 Enabling SSH Protocol Visibility in Flow Monitoring Page 5 / 18
SSH-Aware Telemetry Enabling SSH Protocol Visibility in Flow Monitoring Page 6 / 18
SSH-Aware Telemetry SSH Visibility passive fl ow monitoring – Flowmon probe, IPFIXcol collector SSH protocol detection (aka Cisco NBAR2) – any port client/server SSH information – IPFIX information elements Test Setup developed Flowmon probe plugin to provide SSH information deployed at the perimeter of the campus network of the MU Many Operational Relevant Use-Cases SSH is widely used by developers, admins, and attackers we need to understand our SSH tra ffi c (campus wide) Enabling SSH Protocol Visibility in Flow Monitoring Page 7 / 18
Top 10 Non-Standard SSH Ports 40 30 Flows (%) 20 10 0 2 5 2 4 3 6 0 0 2 8 2 4 2 2 3 7 0 8 2 2 2 5 2 2 2 1 0 0 1 2 4 2 9 2 7 4 0 0 2 5 6 1 Enabling SSH Protocol Visibility in Flow Monitoring Page 8 / 18
SSH Software Implementations Client Software % of Flows Server Software % of Flows OpenSSH 37.935 OpenSSH 91.827 libssh2 23.289 Cisco 1.680 check_ssh 18.107 libssh 0.238 libssh 10.016 dropbear 0.243 PuTTY 2.510 HomeSSH 0.020 Go 2.196 ROSSSH 0.033 paramiko 2.171 conker 0.032 WinSCP 1.022 mod_sftp 0.004 zabbix_agent 0.741 FlowSsh 0.012 Granados 0.331 Zyxel 0.001 nsssh2 0.057 Comware 0.003 FileZilla 0.007 CerberusFTPServer 0.000 Enabling SSH Protocol Visibility in Flow Monitoring Page 9 / 18
SSH Scanning and Brute Force Attacks Enabling SSH Protocol Visibility in Flow Monitoring Page 10 / 18
SSH Scanning and Brute Force Attacks SSH Remote Login Attacks attempts to access computer systems by remote attackers scanning IP address(es) – looking for systems running SSH brute-force attacks – guessing usernames and passwords Attackers vs. Researchers many attempts to detect scanning and brute-force activities high number of SSH scans – no added value in detection we need to detect successful logins – utmost importance Enabling SSH Protocol Visibility in Flow Monitoring Page 11 / 18
User Authentication – Keyboard-Inter. Method Client Server USERAUTH_REQUEST 50 username keyboard-interactive ... USERAUTH_INFO_REQUEST 60 prompt ... USERAUTH_INFO_RESPONSE 61 reply USERAUTH_SUCCESS 52 Enabling SSH Protocol Visibility in Flow Monitoring Page 12 / 18
Authentication Attempts per SSH Connection 1x10 7 Successful login Total authentication attempts Failed login 1x10 6 100000 10000 1000 100 10 1 1 2 3 4 5 6 7 8 9 10 11 12 13 14 Enabling SSH Protocol Visibility in Flow Monitoring Page 13 / 18
Unsuccessful SSH Clients Client Software % of Flows libssh2 39.746 check_ssh 34.909 libssh 17.847 OpenSSH 3.001 Go 1.603 zabbix_agent 1.429 Terminal 0.413 Granados 0.366 paramiko 0.340 PuTTY 0.077 WinSCP 0.017 Enabling SSH Protocol Visibility in Flow Monitoring Page 14 / 18
Conclusion Enabling SSH Protocol Visibility in Flow Monitoring Page 15 / 18
Conclusion SSH Traffic Analysis – Lessons Learned SSH measurement may be tricky (e.g., persistent connections) SSH bad practise – non-standard ports, password logins threat landscape evolves very fast – scans vs logins it is possible to detect (in most cases) successful / failed logins Future Work SSH client / server fingerprinting, and clustering identification of SSH communication patterns in the clusters Enabling SSH Protocol Visibility in Flow Monitoring Page 16 / 18
SSH Dataset Description Basic Flow Elements SSH Elements Flow Start Timestamp SSH Client / Server Version Flow End Timestamp SSH Client Application Source IP address (Anon.) SSH Key Exchange Algorithm Source Transport Port SSH Host Key Destination IP Address (Anon.) SSH Client / Server Encryption Alg. Destination Transport Port SSH Client / Server MAC Alg. Transport Protocol SSH Server MAC Alg. Number of Packets SSH Client Compression Alg. Number of Bytes SSH Server Compression Alg. TCP Flags No. of Authentication Attempts Authentication Attempts Result Dataset available for download http://dx.doi.org/10.5281/zenodo.1412596 Enabling SSH Protocol Visibility in Flow Monitoring Page 17 / 18
THANK YOU FOR YOUR ATTENTION Pavel ČELEDA csirt.muni.cz @csirtmu celeda@ics.muni.cz
Recommend
More recommend
