Extracting Benefit from Harm: Using Malware Pollution to Analyze the Impact of Political and Geophysical Events on the Internet - PowerPoint PPT Presentation

SIGCOMM 2012, 13-17 August 2012, Helsinki, Finland
A. Dainotti, R. Amman, E. Aben, K. C. Claffy (alberto@caida.org)


SLIDE 1

Extracting Benefit from Harm: Using Malware Pollution to Analyze the Impact of Political and Geophysical Events on the Internet

  • A. Dainotti, R. Amman, E. Aben, K. C. Claffy

alberto@caida.org, CAIDA/UCSD, www.caida.org

SIGCOMM 2012, 13-17 August 2012, Helsinki, Finland

SLIDE 2

CONTEXT

Analysis of large-scale Internet Outages

  • Country-level Internet blackouts (BGP withdrawals, packet filtering, satellite-signal jamming, ...)
  • Natural disasters affecting the infrastructure/population

Examples: Egypt, Jan 2011: the government orders the Internet shut down. Japan, Mar 2011: earthquake of magnitude 9.0.

[Figure: map of Japan marking the epicenter]

Cooperative Association for Internet Data Analysis, University of California San Diego (www.caida.org)

SLIDE 3

IDEA

  • Use Internet Background Radiation (IBR) generated by malware-infected hosts as a “signal”

“Extracting benefit from harm..”

[Figure: an infected host randomly scanning the Internet; some of its probes land in the UCSD Network Telescope, a darknet covering the xxx.0.0.0/8 address block]

SLIDE 4

NOVELTY

Opportunistic Measurement

  • Revival of Network Telescopes
  • Using IBR to study Internet Outages

[Figure: timeline of network-telescope research, 2001-2011: Inferring DoS Activity (2001), Study of the Spread of the CodeRed Worm (2002), Slammer Worm (2003), Characteristics of IBR (2004), IBR Revisited (2010), Study of Internet Outages (2011)]

  • Alternative/complementary measurement approaches to study outages:
  • BGP [13][28]
  • Active probing [20][42]
  • Passive traffic [22][24]
  • Google services [13][14]
  • Peer-to-peer traffic [5][6]

SLIDE 5

THE EVENTS (1/2)

Internet Disruptions in North Africa, 2011

  • Egypt
  • January 25th, 2011: protests start in the country
  • The government orders service providers to “shut down” the Internet
  • January 27th, around 22:34 UTC: several sources report the withdrawal, in the Internet’s global routing table, of almost all routes to Egyptian networks
  • The disruption lasts 5.5 days
  • Libya
  • February 17th, 2011: protests start in the country
  • The government controls most of the country’s communication infrastructure
  • February 18th (6.8 hrs), 19th (8.3 hrs), March 3rd (3.7 days): three different connectivity disruptions

[Figure 1: timeline of the disruptions, Jan-Mar 2011. Egypt: protests Jan 25; outage from Jan 27 22:12 (5.5 days). Libya: protests Feb 17; outages from Feb 18 23:15 (6.8 hours), Feb 19 21:55 (8.3 hours), Mar 03 16:57 (3.7 days).]

Figure 1: Timeline of Internet disruptions described in the paper. Times in figure are UTC (Egypt and Libya are UTC+2). The pair of red dots indicate the start
SLIDE 6

NETWORK INFO

Prefixes, ASes, Filtering

  • Egypt (EG)
  • 3165 IPv4 and 6 IPv6 prefixes are delegated to Egypt by AfriNIC
  • They are managed by 51 Autonomous Systems
  • Filtering type: BGP only
  • Libya (LY)
  • 13 IPv4 prefixes, no IPv6 prefixes
  • 3 Autonomous Systems operate in the country
  • Filtering type: mix of BGP, packet filtering, satellite signal jamming

  • A. Dainotti, C. Squarcella, E. Aben, K. C. Claffy, M. Chiesa, M. Russo, A. Pescapè, “Analysis of Country-wide Internet Outages Caused by Censorship”, ACM SIGCOMM Internet Measurement Conference 2011

SLIDE 7

EGYPT

IBR: packet rate

[Figure: IBR packet rate (packets per second, up to 140) from Egyptian address space, 01-27 00:00 to 02-04 00:00 UTC]

SLIDE 8

RANDOM PROBING

E.g., Conficker

[Figure: an infected host randomly scanning the Internet; a probe to DST xxx.1.2.3 lands in the UCSD Network Telescope darknet xxx.0.0.0/8]

SLIDE 9

BACKSCATTER

e.g., SYN+ACK replies to spoofed SYNs

[Figure: an attacker floods a DoS victim with packets carrying spoofed source IPs (src yyy.1.2.3, zzz.4.5.6, xxx.1.2.3); the victim's reply to the spoofed address xxx.1.2.3 (DST xxx.1.2.3) lands in the UCSD Network Telescope darknet xxx.0.0.0/8]

SLIDE 10

EGYPT

IBR: dissecting it

[Figure: IBR from Egyptian address space, 01-27 00:00 to 02-04 00:00 UTC, packets per second (up to 80) split by class: conficker-like (pps), backscatter (pps), other (pps), plus distinct IPs]
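As an added example (not code from the paper or from CAIDA), the following Python sketches the dissection shown on slides 8 to 10: each darknet packet record is labelled conficker-like, backscatter or other, and per-hour packet rates and distinct-source counts are computed for sources inside a country's prefix set, which is what the Egypt plots are built from. The packet records, the prefix list and the classification rules (a bare TCP SYN to port 445 for Conficker-like probing; SYN+ACK, RST and ICMP echo-reply/unreachable/time-exceeded for backscatter) are assumptions for this example, not the paper's definitions.

```python
"""Added example (not the paper's or CAIDA's code): split darknet packets into the
conficker-like / backscatter / other classes of slides 8-10 and aggregate per hour."""
import ipaddress
from collections import defaultdict

SLOT = 3600  # one-hour time slots, as in the slides

# Constructed stand-ins for the prefixes delegated to the country under study.
COUNTRY_PREFIXES = [ipaddress.ip_network(p) for p in ("10.1.0.0/16", "10.2.0.0/16")]

# Assumption: ICMP types a DoS victim (or a router on its path) sends back to a
# spoofed source: echo reply (0), destination unreachable (3), time exceeded (11).
BACKSCATTER_ICMP = {0, 3, 11}


def classify(pkt):
    """Return 'conficker-like', 'backscatter' or 'other' for one packet record.
    Rules are assumptions for this example: Conficker's random scan shows up as a
    bare SYN to TCP/445; backscatter is a reply (SYN+ACK, RST, or listed ICMP types)
    that no host in a darknet could have solicited."""
    if pkt["proto"] == "tcp":
        flags = set(pkt.get("flags", ""))
        if flags == {"S"} and pkt.get("dport") == 445:
            return "conficker-like"
        if {"S", "A"} <= flags or "R" in flags:
            return "backscatter"
    elif pkt["proto"] == "icmp" and pkt.get("icmp_type") in BACKSCATTER_ICMP:
        return "backscatter"
    return "other"


def from_country(src):
    """True when the source address falls in one of the country's prefixes."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in COUNTRY_PREFIXES)


def dissect(packets, slot=SLOT):
    """Per-slot packet rate (pps) per class plus distinct source IPs, restricted to
    sources in COUNTRY_PREFIXES. Returns {slot_start_epoch: {...}}."""
    counts = defaultdict(lambda: {"conficker-like": 0, "backscatter": 0, "other": 0})
    sources = defaultdict(set)
    for pkt in packets:
        if not from_country(pkt["src"]):
            continue
        key = pkt["ts"] - pkt["ts"] % slot
        counts[key][classify(pkt)] += 1
        sources[key].add(pkt["src"])
    return {
        k: {"distinct_ips": len(sources[k]), **{cls: n / slot for cls, n in counts[k].items()}}
        for k in sorted(counts)
    }


# Constructed sample: records as they might come out of a pcap parser.
T0 = 1296086400  # 2011-01-27 00:00:00 UTC
SAMPLE_PACKETS = [
    {"ts": T0 + 5, "src": "10.1.3.4", "proto": "tcp", "flags": "S", "dport": 445},     # conficker-like
    {"ts": T0 + 7, "src": "10.1.3.4", "proto": "tcp", "flags": "S", "dport": 445},     # conficker-like
    {"ts": T0 + 9, "src": "10.2.8.8", "proto": "tcp", "flags": "SA", "dport": 1025},   # backscatter
    {"ts": T0 + 11, "src": "10.1.9.9", "proto": "icmp", "icmp_type": 3},               # backscatter
    {"ts": T0 + 13, "src": "10.2.1.1", "proto": "udp", "dport": 53},                   # other
    {"ts": T0 + 20, "src": "192.0.2.7", "proto": "tcp", "flags": "S", "dport": 445},   # not in country: dropped
    {"ts": T0 + 3601, "src": "10.1.3.4", "proto": "tcp", "flags": "S", "dport": 445},  # next hour
    {"ts": T0 + 3602, "src": "10.2.8.8", "proto": "tcp", "flags": "R", "dport": 80},   # next hour
]

if __name__ == "__main__":
    for slot_start, row in dissect(SAMPLE_PACKETS).items():
        print(slot_start, row)
```

The distinct-IP count is the quantity the later slides build on; it is less sensitive than the packet rate to a single noisy infected host, which is why the slides plot both.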
SLIDE 11

EGYPT

IBR: rate of distinct src IPs vs packet rate

[Figure: same period, two y-axes: distinct source IPs per hour (100-700) and packets per second (10-90) for conficker-like, backscatter and other]
SLIDE 12

LIBYA

the first two outages

[Figure: distinct source IPs per hour (50-450) from Libyan address space, 02-18 18:00 to 02-20 18:00 UTC]

SLIDE 13

THE EVENTS (2/2)

Earthquakes

  • Christchurch - NZ
  • February 21st, 2011 23:51:42 UTC
  • Local time 22nd, 12:51:42 PM
  • Magnitude: 6.1
  • Tohoku - JP
  • March 11th, 2011 05:46:23 UTC
  • Local time 02:46:23 PM
  • Magnitude: 9.0

Networks and IP addresses geolocated within a given distance of each epicenter:

Distance (km)   Christchurch - NZ           Tohoku - JP
                Networks   IP Addresses     Networks   IP Addresses
< 5                   1            255             -              -
< 10                283        662,665             -              -
< 20                292        732,032             -              -
< 40                299        734,488             -              -
< 80                309        738,062             5             91
< 100               310        738,317            58         42,734
< 200               348        769,936         1,352      1,691,560
< 300               425        828,315         3,953      4,266,264
< 400             1,531      3,918,964        16,182     63,637,753
< 500             1,721      4,171,527        41,522    155,093,650

We use the MaxMind GeoLite City DB to compute the distance from a given network to the epicenters.

SLIDE 14

A SIMPLE METRIC

to evaluate impact and extension

  • I_{Δt_i}: number of distinct source IP addresses seen by the telescope over the interval Δt_i,
  • where Δt_1, ..., Δt_n are 1-hour time slots following the event
  • and Δt_{-1}, ..., Δt_{-n} are 1-hour time slots preceding the event

$$\theta = \frac{\sum_{i=-1}^{-24} I_{\Delta t_i}}{\sum_{j=1}^{24} I_{\Delta t_j}}$$

(n = 24: θ is the ratio of distinct IPs seen in the 24 hours before the event to those seen in the 24 hours after it)

SLIDE 15

RADIUS OF IMPACT

rough estimate based on θ

  • We compute θ for address ranges geolocated at different distances from the epicenter of the earthquake (0 to 500 km in bins of 1 km each)
  • θ around 1 indicates no substantial change in the number of unique IP addresses observed in IBR before and after the event.

[Figure: Christchurch, θ (ratio of distinct IPs before/after earthquake, 0.5-3) vs distance from the epicenter (20-500 km); marked point x=20 km, y=2.4]

SLIDE 16

RADIUS OF IMPACT

rough estimate based on θ

We call the maximum distance at which we observe a value of θ significantly > 1 the radius ρmax of Figure ??

[Figure: Tohoku, θ (ratio of distinct IPs before/after earthquake, 10-90) vs distance from the epicenter (80-500 km); marked point x=304 km, y=9.3]

SLIDE 17

EXTENSION OF IMPACT

geo coordinates of most affected networks

Networks within each respective radius ρmax of Figure ??

[Figure: maps of the most affected networks, (a) Christchurch, (b) Tohoku]

SLIDE 18

“MAGNITUDE”

A measure of impact

  • Varying the radius, we pick the highest value of θ calculated for the whole set of networks within the corresponding circle

[Figure: θ (ratio of distinct IPs before/after earthquake, 0.5-4) vs circle radius (20-500 km) for Christchurch and Tohoku; marked points x=6 km, y=2.0 (Christchurch) and x=137 km, y=3.59 (Tohoku)]

                    Christchurch    Tohoku
Magnitude (θmax)    2 at 6 km       3.59 at 137 km
Radius (ρmax)       20 km           304 km
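As an added example (not the paper's or CAIDA's code), the following Python implements the metric of slide 14 and the two quantities derived from it on slides 15 to 18 over constructed data: θ per 1 km distance bin, the radius ρmax as the largest bin whose θ is significantly above 1, and the magnitude θmax as the highest θ over all networks inside circles of growing radius. It also computes θ along a long series of hourly counts, the check slide 20 uses to see where θ sits when nothing happens. Distances use the haversine formula on per-network coordinates (the slides use MaxMind GeoLite City; the coordinates and counts here are constructed), and the 1.3 threshold for "significantly > 1" is an assumption taken from the [0.7, 1.3] range on slide 20.

```python
"""Added example (not from the paper or CAIDA): theta, rho_max and theta_max
over constructed per-network hourly counts of distinct source IPs."""
from math import radians, sin, cos, asin, sqrt, pi

N_HOURS = 24        # 24 one-hour slots on each side of the event (slide 14)
THETA_NOISE = 1.3   # assumption: upper end of the normal [0.7, 1.3] range (slide 20)
EARTH_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin(radians(lat2 - lat1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * EARTH_KM * asin(sqrt(a))


def theta(before, after):
    """theta = (distinct IPs in the 24 slots before) / (distinct IPs in the 24 slots after).
    `before` and `after` are chronological lists of I_{dt_i}; the 24 slots nearest the
    event are used. Total loss of IBR after the event gives inf; no data at all gives None."""
    num, den = sum(before[-N_HOURS:]), sum(after[:N_HOURS])
    if den == 0:
        return float("inf") if num > 0 else None
    return num / den


def pooled(nets):
    """Sum per-slot counts over a set of networks (disjoint prefixes, so counts add)."""
    bef = [sum(n["before"][k] for n in nets) for k in range(N_HOURS)]
    aft = [sum(n["after"][k] for n in nets) for k in range(N_HOURS)]
    return bef, aft


def theta_by_distance(networks, epicenter, max_km=500, bin_km=1):
    """Slide 15: theta for each distance bin [d, d + bin_km) out to max_km."""
    bins = {}
    for net in networks:
        d = haversine_km(net["lat"], net["lon"], *epicenter)
        if d < max_km:
            bins.setdefault(int(d // bin_km) * bin_km, []).append(net)
    return {d: theta(*pooled(nets)) for d, nets in sorted(bins.items())}


def radius_of_impact(theta_bins, noise=THETA_NOISE):
    """Slide 16: rho_max is the largest bin distance whose theta is significantly > 1."""
    hits = [d for d, th in theta_bins.items() if th is not None and th > noise]
    return max(hits) if hits else 0


def magnitude(networks, epicenter, max_km=500, step_km=1):
    """Slide 18: theta over all networks inside a circle of radius r, r growing in
    step_km steps; returns (theta_max, radius at which it is reached)."""
    dists = [(haversine_km(n["lat"], n["lon"], *epicenter), n) for n in networks]
    best = (0.0, 0)
    for r in range(step_km, max_km + 1, step_km):
        inside = [n for d, n in dists if d < r]
        th = theta(*pooled(inside)) if inside else None
        if th is not None and th > best[0]:
            best = (th, r)
    return best


def theta_series(hourly):
    """Slide 20: theta at every hour t of a long series (24 h before vs 24 h after)."""
    return [theta(hourly[:t], hourly[t:]) for t in range(N_HOURS, len(hourly) - N_HOURS + 1)]


# Constructed data: networks placed due north of a constructed epicenter at known
# distances (one degree of latitude is EARTH_KM * pi / 180 km along a meridian).
EPICENTER = (-43.5, 172.6)


def net(km, before_rate, after_rate):
    lat = EPICENTER[0] + km * 180 / (pi * EARTH_KM)
    return {"lat": lat, "lon": EPICENTER[1],
            "before": [before_rate] * N_HOURS, "after": [after_rate] * N_HOURS}


NETWORKS = [
    net(2.5, 10, 5),        # 2 km bin: IBR halves after the event -> theta 2
    net(15.5, 8, 2),        # 15 km bin: theta 4
    net(60.5, 20, 20),      # 60 km bin: unaffected
    net(300.5, 100, 100),   # 300 km bin: unaffected
]

if __name__ == "__main__":
    tb = theta_by_distance(NETWORKS, EPICENTER)
    print("theta per bin:", tb)
    print("rho_max (km):", radius_of_impact(tb))
    print("theta_max, radius:", magnitude(NETWORKS, EPICENTER))
```

Note that the per-bin θ and the cumulative θ behind the magnitude differ by design: a single badly hit bin far out can show a very high θ (the 9.3 at 304 km on slide 16) while the θ over the whole circle peaks much closer in (3.59 at 137 km on slide 18), because the circle pools the affected networks with many unaffected ones.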

SLIDE 19

IP RATE IN TIME

reflects the dynamics of the event

[Figure: number of distinct IPs per hour, earthquake marked. Christchurch: 02-18 to 03-04, 20-180 IPs per hour. Tohoku: 03-04 to 03-22, 100-800 IPs per hour.]

SLIDE 20

EVALUATING θ

variations over a long time period

  • 2 months period of observation
  • θ normally stays within [0.7 - 1.3]

[Figure: θ (ratio of distinct IPs before/after) over time, 01-31 to 03-28, for the Christchurch and Tohoku network sets; the earthquakes are marked, as is a gap where the telescope was switched off]

SLIDE 21

CONCLUSION

  • IBR is an effective source of data for the analysis of network outages caused by events of different type
  • Future work
  • Integrate and combine analysis of multiple data sources (BGP, IBR, active measurement, ...)
  • Analysis of AS/Link-level topology
  • Automated detection + triggered active measurements
  • Ongoing work
SLIDE 22

THANKS