NetFlow Analysis: Detecting covert channels on the network - PowerPoint PPT Presentation


  1. NetFlow Analysis: Detecting covert channels on the network
     Detecting malicious traffic by using NetFlow data
     By: Joey Dreijer, Student OS3, 5-07-14

  2. Gathering NetFlow data
     - Router/Switch sends flow stats to external collector
     - Collector receives and stores flow details
     - Parser/interface reads flow from collector dump
     (Diagram: traffic generated by hosts passes the switch/router, which sends NetFlow packet(s) to the collector; a console reads the NetFlow dumps.)

  3. NetFlow in short
     - NetFlow data not just a 'term'
     - NetFlow (v9) specified in RFC3954
     - NetFlow commonly used from v5 and up
     - NetFlow standardized to send 'flow' characteristics
     - Stats such as bytes, packet number, port, session timer
     - Implemented in different (multi-vendor) routers/switches
     - Does not include packet content
     - Request and response two different flows
     - Often used for network performance measurement

  4. Data required for research
     - NetFlow collector stored the following details (using v5): Source Address, Destination Address, Source Port, Destination Port, Bytes sent, Packets sent, Time, (TCP Flags)
     - Note: NetFlow v5 is dinosaur old. Use v9 or IPFIX instead for more stats.

  5. Data required for research
     - Combining request/response to get the following data: Source Address, Destination Address, Source Port, Destination Port, (TCP Flags), Bytes incoming, Bytes outgoing, Packets incoming, Packets outgoing, Average session time

  6. Collecting NetFlow data
     - SoftFlowd sends NetFlow data to collector (nfcapd). Optional: Pcap or Interface as input
     - NetFlow data stored in binary format
     - Format parsed by Python wrapper and nfdump (custom patched pynfdump_altered)
     (Diagram: PCAP → SoftFlowd (converter) → nfcapd (collector) → NetFlow dump → analyser.)

  7. Initial protocol analysis
     - Gathering 'known-good' traffic
     - Generating 'known-bad' traffic
     - Comparing differences / similarities
     - Storing useful comparison data
     (Diagram: for each destination port, the database holds the max/min values, averages and standard deviation of In Bytes, Out Bytes, In Packets, Out Packets and Avg Time.)

  8. Comparing NetFlow data
     - Traffic analysis; comparing 'real-time' binary (nfdump) vs stored (MySQL)
     - 'Anomaly detection' based on selected metrics/profile
     - Maximum range via standard deviation
     - Note: Only if possible. Not all traffic can be normalized
     (Diagram: NetFlow dump → analyser, which compares against the metrics database of stored statistics.)

  9. Detecting Tunnels / Covert Channels
     - Example 1: DNS Tunnels
     - DNS may have 'normal behaviour'
     - Tunneling via DNS: abnormal statistics based on metric x?
     - Verify differentiation per metric
     (Figure: metrics of a 'starting' DNS tunnel that is not sending data yet, compared to +- 2 million DNS flows.)

  10. Detecting Tunnels / Covert Channels
     - Previous examples DNS done via anomaly detection
     - Known-good etc. database used as reference
     - Pre-defined profile (i.e. alert only if packets and time mismatch by x):
         anomaly = (max difference * standard deviation) + average
         If anomaly is larger than current flow:
             If packetAnomaly and timeAnomaly:
                 Generate Alert
     (Chart: Packets Out and Session Time of the flows against the known-good reference.)
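As an added example (not the author's tooling), the slide 5 request/response pairing, the slide 7 per-port baseline and the slide 10 and/and rule in Python. The flow records, the known-good DNS sessions and the max-difference factor of 3 are constructed assumptions, and the rule is read as alerting when a flow's packets out and session time both exceed average + max difference * standard deviation.

```python
from statistics import mean, pstdev

# Constructed unidirectional flow records with the v5 fields from slide 4. This pair is the
# merged flow from slide 11: two DNS requests 4001 s apart that nfdump collapsed into one
# flow because source port and destination were identical.
RAW_FLOWS = [
    {"src": "10.10.0.2", "sport": 50001, "dst": "8.8.8.8", "dport": 53,
     "bytes": 120, "packets": 4, "start": 0, "end": 4001},
    {"src": "8.8.8.8", "sport": 53, "dst": "10.10.0.2", "dport": 50001,
     "bytes": 400, "packets": 4, "start": 0, "end": 4001},
]
# Constructed known-good DNS sessions per destination port: (packets out, session time in s).
KNOWN_GOOD = {53: [(1, 0.02), (1, 0.03), (2, 0.05), (1, 0.01), (2, 0.04), (1, 0.02)]}

def combine_flows(flows):
    """Pair request and response flows into one bidirectional session (slide 5)."""
    sessions = {}
    for f in flows:
        key = (f["src"], f["sport"], f["dst"], f["dport"])
        reverse = (f["dst"], f["dport"], f["src"], f["sport"])
        if reverse in sessions:  # this flow is the response to a request seen earlier
            s = sessions[reverse]
            s["bytes_in"] += f["bytes"]
            s["packets_in"] += f["packets"]
            s["session_time"] = max(s["session_time"], f["end"] - s["start"])
        else:
            sessions[key] = {"dst_port": f["dport"], "bytes_out": f["bytes"], "bytes_in": 0,
                             "packets_out": f["packets"], "packets_in": 0,
                             "start": f["start"], "session_time": f["end"] - f["start"]}
    return list(sessions.values())

def build_baseline(known_good):
    """Per destination port: (average, standard deviation) of each metric (slide 7)."""
    return {port: {"packets": (mean([p for p, _ in s]), pstdev([p for p, _ in s])),
                   "time": (mean([t for _, t in s]), pstdev([t for _, t in s]))}
            for port, s in known_good.items()}

def threshold(avg, sd, max_diff):
    # Slide 10: anomaly = (max difference * standard deviation) + average
    return max_diff * sd + avg

def is_anomalous(session, baseline, max_diff=3.0):
    """and/and policy: alert only if packets out AND session time both exceed the profile."""
    prof = baseline.get(session["dst_port"])
    if prof is None:
        return False  # no known-good profile: this traffic cannot be normalised (slide 8)
    packet_anomaly = session["packets_out"] > threshold(*prof["packets"], max_diff)
    time_anomaly = session["session_time"] > threshold(*prof["time"], max_diff)
    return packet_anomaly and time_anomaly
```

On these constructed records the merged slide 11 flow is flagged on both metrics, which is the false positive the slides describe; a flow that is only long-lived but carries a normal number of packets is not flagged.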

  11. Detecting Tunnels / Covert Channels
     - Why are multiple metrics important? (and/and policy)
     - NetFlow parser shows incorrect flows with much traffic
     - True automated anomaly detection shows many FP's
     - Example: 10.10.0.2:50001 → 8.8.8.8:53, Packets: 4, time: 4001 seconds (….?)
     - Actually 2 DNS requests at different times
     - However, identical source port and destination lets 'nfdump' think it is the same flow -> results in False Positive

  12. Detecting Tunnels / Covert Channels
     - Comparing with realistic dataset
     - 17 million flows from GuestNet
     - Literal flow dump, can contain 'malicious' flows
     - Both bad and good traffic?
     - 2 million DNS responses
     - Results in 0,0005% hits based on combined metrics
     - Includes previous 'bug' with multiple sessions combined due to identical ports and destinations
     - Uncertain if actual tunnels inside dump

  13. Other uses
     - Example 2: NMAP Scan
     - Aggregated NetFlow shows requests and response
     - NetFlow shows flow with no responses for filtered ports
     - Probability 'x' amount of ports do not reply within 'y' amount of time based on 'z' amount of retries/packets

  14. Other uses
     - Small problem with portscans....
     - Nfcapd holds a default 5 minute NetFlow cache
     - Not all flows stored after cache timer
     - Waits for finished sessions before storing flow
     - Half open TCP sessions will be cached until timeout
     - Timeout can last 20 minutes depending on config
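As an added example (not from the slides), the slide 13 heuristic applied to constructed unidirectional flow records: a source is flagged when at least x destination ports got no response flow, each request flow lasting at least y seconds and carrying at least z packets (retries). The flow records and the x, y, z values are assumptions.

```python
from collections import defaultdict

# Constructed flows: (src, sport, dst, dport, packets, start, end). 10.10.0.5 probes five
# ports on 10.10.0.9; only 22 and 80 answer. 10.10.0.2 makes an ordinary DNS query.
FLOWS = [
    ("10.10.0.5", 40001, "10.10.0.9", 22, 2, 0, 1),
    ("10.10.0.9", 22, "10.10.0.5", 40001, 2, 0, 1),
    ("10.10.0.5", 40002, "10.10.0.9", 80, 2, 0, 1),
    ("10.10.0.9", 80, "10.10.0.5", 40002, 2, 0, 1),
    ("10.10.0.5", 40003, "10.10.0.9", 135, 3, 0, 6),   # filtered: 3 SYN retries, no reply
    ("10.10.0.5", 40004, "10.10.0.9", 445, 3, 0, 6),
    ("10.10.0.5", 40005, "10.10.0.9", 8080, 3, 0, 6),
    ("10.10.0.2", 50001, "8.8.8.8", 53, 1, 0, 0),
    ("8.8.8.8", 53, "10.10.0.2", 50001, 1, 0, 0),
]

def unanswered_ports(flows, window, min_packets):
    """Per (src, dst): destination ports whose request flow got no response flow.
    A port counts only if the request lasted at least `window` seconds (the slide's y)
    and carried at least `min_packets` packets (the slide's z, i.e. retries)."""
    seen = {(s, sp, d, dp) for s, sp, d, dp, *_ in flows}
    probes = defaultdict(set)
    for src, sport, dst, dport, packets, start, end in flows:
        reply = (dst, dport, src, sport)  # the response flow would carry the reversed tuple
        if reply not in seen and end - start >= window and packets >= min_packets:
            probes[(src, dst)].add(dport)
    return probes

def scan_suspects(flows, min_ports=3, window=5, min_packets=3):
    """Source/destination pairs with at least `min_ports` (the slide's x) unanswered ports."""
    return {pair: sorted(ports)
            for pair, ports in unanswered_ports(flows, window, min_packets).items()
            if len(ports) >= min_ports}
```

As slide 14 notes, half-open sessions stay in nfcapd's cache until timeout, so the unanswered request flows may only appear in a later dump than the answered ones.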

  15. DEMO

  16. Conclusion
     - NetFlow only sends limited amount of information
     - Does not say anything about packet contents
     - Fairly easy to detect 'well-known' and publicly available tunnels and scans
     - Covert Channels / tunnels always possible; attacker has all the time in the world.
     - Craft pingtunnel to send fixed size packets every second to conform to the 'default' behaviour.
