I ntroduction I ntrusion Detection – How prevalent are DoS attacks? Backscatter and Global Analysis Quantitative analysis Long term predictions and Stefan Zota recurring patterns of attacks Measurement and Global Analysis The UNIVERSITY of NORTH CAROLINA at CHAPEL HILL The UNIVERSITY of NORTH CAROLINA at CHAPEL HILL Outline Outline Challenges Challenges Methods for Measuring DoS attacks Methods for Measuring DoS attacks Firewall Logs Firewall Logs Network Telescopes Network Telescopes I nternet Sinks I nternet Sinks Backscatter Backscatter Background Radiation Background Radiation Conclusions Conclusions The UNIVERSITY of NORTH CAROLINA at CHAPEL HILL The UNIVERSITY of NORTH CAROLINA at CHAPEL HILL Examples of Flow Challenges Anomalies Attackers find ingenious ways of compromising remote hosts Barford and Plonka identify three categories: Attackers give public access to the tools used so the hacking community improves The size and complexity of the Internet make Network Operation Anomalies impossible to remove all vulnerabilities The sharing of information between networks is complicated due to privacy issues Flash Crowd Anomalies Very little understanding of intrusion activity on a global basis Network Abuse Anomalies Very hard to detect the length of an attack or combined protocol attacks The UNIVERSITY of NORTH CAROLINA at CHAPEL HILL The UNIVERSITY of NORTH CAROLINA at CHAPEL HILL
Network Operation Flash Crowd Anomalies Anomalies Outages, configuration changes, environmental Rapid rise in traffic flows to a particular limits destination with a gradual drop-off in time The UNIVERSITY of NORTH CAROLINA at CHAPEL HILL The UNIVERSITY of NORTH CAROLINA at CHAPEL HILL Network Abuse Anomalies Outline Identify DoS flow Challenges flood attacks and Methods for Measuring DoS attacks port scans Firewall Logs They may not be apparent in bit or Network Telescopes packet rate I nternet Sinks measurements Backscatter Background Radiation Conclusions The UNIVERSITY of NORTH CAROLINA at CHAPEL HILL The UNIVERSITY of NORTH CAROLINA at CHAPEL HILL Overview of Methods of Goals Measuring DoS attacks Characterization of the “non-productive” or Firewall Logs malicious traffic Starting from a dataset like DSHIELD Network Telescopes Large chunks of unused, globally routable IP space Develop a methodology for measuring Internet Sinks intrusions Unsolicited traffic for unused addresses Passive and Active Monitoring Filtering large traffic volume Backscatter Analysis of source addresses for attacks Designing scalable flexible architectures Background Radiation Traffic to unused addresses (similar to Network Telescopes) Building responders The UNIVERSITY of NORTH CAROLINA at CHAPEL HILL The UNIVERSITY of NORTH CAROLINA at CHAPEL HILL
DSHI ELD Network Telescopes Distributed Intrusion Detection System An attempt to collect data about cracker activity Chunk of globally routed IP address space from the Internet Little or no legitimate traffic Data contains: Unexpected traffic arriving at the network Tops of worst offenders telescope can imply remote network/security Port scans events Block lists It contains a lot of statistical and random data Port report It is good for seeing explosions not small events IP Info Subnet Report Easy to filter packets The UNIVERSITY of NORTH CAROLINA at CHAPEL HILL The UNIVERSITY of NORTH CAROLINA at CHAPEL HILL I nternet Sinks Backscatter Monitors unused or dark IP Most denial of service attacks select source addresses at random for each sent packet Packets for those addresses may be dropped by Shaft, TFT, Trinoo, Stackeldraht, Mstream, Trinity gateways or border routers It detects only attacks that use spoofed IP’s The size of the address space monitored is very A router or an intermediate device may generate important an ICMP response to the attack Usually class A and B Includes an active component Assumption Generates packets as response to incoming traffic The victim responses are equi-probably distributed across the entire Internet space Extensible and scalable The UNIVERSITY of NORTH CAROLINA at CHAPEL HILL The UNIVERSITY of NORTH CAROLINA at CHAPEL HILL Backscatter Background Radiation Monitor unused addresses Detect non-productive traffic Malicious: flooding backscatter, scans, worms Benign: misconfigurations What is all this nonproductive traffic trying to do? How can we filter and detect new types of malicious activity? The UNIVERSITY of NORTH CAROLINA at CHAPEL HILL The UNIVERSITY of NORTH CAROLINA at CHAPEL HILL
Firewall Logs Outline Challenges Methods for Measuring DoS attacks Internet Intrusions: Global Characteristics and Prevalence Firewall Logs Data collected in 1600 networks in a 4 month period by DSHIELD.ORG Network Telescopes Each entry is recorded by firewalls and port scan logs recorded by NIDS (primarily Snort) I nternet Sinks Asses the daily volume of intrusion attempts Backscatter Use the results to project intrusion activity in the entire Internet Investigate utility of sharing intrusion detection information Background Radiation Conclusions The UNIVERSITY of NORTH CAROLINA at CHAPEL HILL The UNIVERSITY of NORTH CAROLINA at CHAPEL HILL Scans Port Distribution Vertical Sequential or random scan of multiple ports (5 or more) of a single IP from the same source during one hour period Survey of well-known vulnerabilities (strobe scans) Horizontal Scan from a single source to multiple IP on the same port Looking for the same vulnerability Coordinated Scans from multiple sources (5 or more) aimed at a particular port of destinations in the same /24 during one hour period Aggressive, active collaborative peers Stealth Low frequency horizontal and vertical scans. Minimum threshold for average interscan distance The UNIVERSITY of NORTH CAROLINA at CHAPEL HILL The UNIVERSITY of NORTH CAROLINA at CHAPEL HILL Persistence of Worm Top Sources (1) Activity The UNIVERSITY of NORTH CAROLINA at CHAPEL HILL The UNIVERSITY of NORTH CAROLINA at CHAPEL HILL
Top Sources (2) Top Sources (3) The UNIVERSITY of NORTH CAROLINA at CHAPEL HILL The UNIVERSITY of NORTH CAROLINA at CHAPEL HILL Scan Types Stealth Scan Types The UNIVERSITY of NORTH CAROLINA at CHAPEL HILL The UNIVERSITY of NORTH CAROLINA at CHAPEL HILL I mplications of Shared Global Prevalence I nformation Refinement extent provided by additional data Relative entropy Highly dynamic scanning patterns Marginal utility metric How the volume of scans have changed over the Reduction of uncertainty resulting from the next experiment last year? added to the aggregate set Project daily scans to entire Internet Offline/Online Experiments to evaluate the marginal utility of Average scans per IP * Total Number of IP intrusion detection log sharing for worst offenders Assumption: uniformity and port identification Daily scan rates 25B/day Relatively steady rates for port 80 scans (decreasing) Select randomly days and logs from dataset and Relatively steady rates for non-worm scans (increasing 25%) try to estimate the gain in aggregation The UNIVERSITY of NORTH CAROLINA at CHAPEL HILL The UNIVERSITY of NORTH CAROLINA at CHAPEL HILL
Marginal Utility (1) Marginal Utility (2) The UNIVERSITY of NORTH CAROLINA at CHAPEL HILL The UNIVERSITY of NORTH CAROLINA at CHAPEL HILL Summary Outline 1M – 3M scans per day Challenges Widely distributed sources Methods for Measuring DoS attacks Power law distribution for the number of events Firewall Logs Large amounts of scans for port 80 Network Telescopes 60-70% of non-worm scans are horizontal A lot of daily vertical scan episodes I nternet Sinks Coordinated worst offenders are responsible for a Backscatter significant fraction of all scanning activity Background Radiation The collaboration benefit is sensitive to the size and diversity of the peering group Conclusions The UNIVERSITY of NORTH CAROLINA at CHAPEL HILL The UNIVERSITY of NORTH CAROLINA at CHAPEL HILL Network Telescopes (2) Network Telescopes (1) Size of the telescope is important for: Detect events that generate fewer packets Better accuracy in determining the attack interval Assume The probability of detecting events increases with random IP the size of the telescope generation Increase the size by using distributed telescopes scanning Advantages: Reduces dependency on reaching a single block Traffic load may be distributed over multiple sites May avoid being skipped by some IP generation algorithms Disadvantages Synchronization Data distribution The UNIVERSITY of NORTH CAROLINA at CHAPEL HILL The UNIVERSITY of NORTH CAROLINA at CHAPEL HILL
Network Telescopes – Code Network Telescopes Size(1) Red The UNIVERSITY of NORTH CAROLINA at CHAPEL HILL The UNIVERSITY of NORTH CAROLINA at CHAPEL HILL Daily Non-Worm Scan Rate Daily Port 80 Scan Rate The UNIVERSITY of NORTH CAROLINA at CHAPEL HILL The UNIVERSITY of NORTH CAROLINA at CHAPEL HILL Outline I nternet Sinks iSink capabilities: Challenges Trace packets Methods for Measuring DoS attacks Respond actively Masquerade as several applications Firewall Logs Fingerprint source hosts Network Telescopes Sample packets Monitor 4 class B and one class A for 4 months I nternet Sinks Stateless and sampling increases the scalability Backscatter B classes - holes between active subnets Main objective Background Radiation a highly interactive scalable backplane for filtering attacks, misconfigurations and attacks Conclusions The UNIVERSITY of NORTH CAROLINA at CHAPEL HILL The UNIVERSITY of NORTH CAROLINA at CHAPEL HILL
Recommend
More recommend
