network t elescopes revisited
play

Network T elescopes Revisited From Loads of Unwanted Traffjc to - PowerPoint PPT Presentation

Dec 21, 2023 •267 likes •684 views

Network T elescopes Revisited From Loads of Unwanted Traffjc to Threat Intelligence Piotr Bazydo, Adrian Korczak, Pawe Pawliski Research and Academic Computer Network (NASK, Poland) Who are we Piotr Bazydo Head of Network Security

  1. Network T elescopes Revisited From Loads of Unwanted Traffjc to Threat Intelligence Piotr Bazydło, Adrian Korczak, Paweł Pawliński Research and Academic Computer Network (NASK, Poland)

  2. Who are we Piotr Bazydło Head of Network Security Methods Team NASK @chudyPB piotr.bazydlo@nask.pl Adrian Korczak Network Security Methods Team NASK adrian.korczak@nask.pl Paweł Pawliński CERT Polska pawel.pawlinski@cert.pl

  3. Network T elescope ● Also known as darknet or blackhole. ● Unused IP address space. ● No legitimate network traffjc should be observed. ● First (?) & largest telescope (approx /8):

  4. Network T elescope In practice, we can see a lot of different activities: ● Misconfjguration of network devices/applications. ● Scanning. ● Backscatter from DoS attacks. ● Exploitation attempts (UDP). ● Weird stuff.

  5. DoS attacks (backscatter)

  6. What we want to achieve? ● Detect large-scale malicious events (botnets, exploits). ● Detect attacks on interesting targets. ● Track activities of specifjc actors responsible. ● Understand the dynamics (trends).

  7. Problems ● How to group packets? ● How to classify them into events? ● How to fjnd interesting events? ● How to identify actors? ● How to analyze trends?

  8. Our approach Traffic going to network telescope 1. Monitored IPv4 space: > 100 000 addresses 2. Analyze captured traffjc every 5 minutes. Stats: ~ 10 000 pps ~ 25 000 000 000 packets per month 80% = TCP

  9. Traffic going to network telescope T wo parsing scripts: ● Parser L4 – up to 4 th OSI layer. written in C++, uses libtins library. Parser L7 Parser L7 payload up to L4 ● Parser 7 – parsing of 7 th OSI layer. written in python, uses dpkt library

  10. Traffic going to network telescope Parser Parser L7 up to L4 Initial aggregation Redis Aggregator Aggregator Aggregator Broker 1 Broker ... 1 ... N

  11. Traffic going to network telescope Analysis Analyzer Analyzer Analyzer TCP UDP DNS Parser Parser L7 up to L4 Analyzer Analyzer Analyzer ... SIP amplifiers Initial aggregation Redis Aggregator Aggregator Aggregator Broker 1 Broker ... 1 ... N

  12. Elastic Traffic going to Search network telescope Analysis Analyzer Analyzer Analyzer TCP UDP DNS Parser Parser L7 up to L4 Analyzer Analyzer Analyzer ... SIP amplifiers Initial aggregation Redis Aggregator Aggregator Aggregator Broker 1 Broker ... 1 ... N

  13. Case study 1 Botnet Fingerprinting

  14. Botnet fjngerprinting

  15. Botnet fjngerprinting Packets with SEQ = IP_DST

  16. Botnet fjngerprinting

  17. Botnet fjngerprinting

  18. Botnet fjngerprinting In total, about 45 000 unique IP addresses were identifjed. Distribution of source IPs

  19. Case study 2 Memcached

  20. Memcached

  21. Memcached Github 1.3 Tbps DoS Reported 1.7 Tbps DoS

  22. Memcached Github 1.3 Tbps DoS Reported 1.7 Tbps DoS

  23. Day 1 – 20.02 (fjrst scan) ● Only 4 IP addresses ● Source: DigitalOcean, UK ● Duration: 25 minutes ● Constant source port per source IP ● One payload used (memcached statistics)

  24. Day 5 – 24.02 (new actor) ● Only 1 IP addresses ● Source: AS 27176, DataWagon LLC, US ● Small hosting with anti-DDoS ● Randomized source ports ● New payload ● Scan lasted longer: 3 hours

  25. And so on… Pre-GitHub scanners Distribution of source IPs ● About 60 IP addresses. ● Several scanning patterns.

  26. And so on… Post-GitHub scanners Distribution of source IPs ● About 315 IP addresses. ● Multiple scanning patterns.

  27. Looking deeper into packets

  28. PGA ● PGA = custom code to generate packets ● Improve DDoS Botnet Ya Liu, 360 Netlab, Botconf 4 th edition, Dec 2016 Tracking with Honeypots , ● Usually simple operations, examples ● constant values ● byte swap ● incrementation ● Leaves patterns that can be used for IDS ● Our tool detects patterns and creates new signatures

  29. PGA examples 2. XoR.DDoS PGA: 1. Mirai: IP_ID = SPORT TCP_SEQ = IP_DST TCP_SEQ[1:2] = IP_ID

  30. PGA example

  31. Signatures everywhere SYN FLOOD on IP belonging to Google – full of PGA signatures.

  32. Signatures everywhere SYN FLOOD on IP belonging to Google – full of PGA signatures. 1. SPORT = TCP_SEQ[1:2] 2. TCP_SEQ[3:4] = 0xFFFF 3. SPORT = IP_SRC[3:4] 1 2 3

  33. Operations

  34. Operational value of network telescopes ● Raw output from analyzers is not actionable (too many events) ● Scans →! abuse notifjcations (automated for high confjdence events) ● PGA fjngerprinting →! Shadowserver remediation feeds 1 ● DoS attacks →! situational awareness & alerts ● Automated feeds provide limited “intelligence” 2 3

  35. DoS backscatter for the Polish IPv4 space (color = PGA fjngerprint)

  36. Sharing threat information ● Automated distribution of abuse reports & IoCs ● Free 1 ● > 100 active participating entities ● > 50 data sources 2 3 ● Formats: JSON & CSV & more

  37. Interested in getting the data? ● Network owners: send an email to n6@cert.pl to sign up ● Usually working with national CSIRTs 1 2 3

  38. Aiming for actual intelligence ● In-depth analysis of events extracted from the traffjc ● insight into TTP ● more diffjcult to automate ● Anomaly / trend detection: ● forecast exploitation campaigns. 1 ● new campaigns 2 3 ● Attribute activities to botnets / actors

  39. Future plans ● Combine network telescopes with other data sources Honeypots, sandboxes, botnet tracking ● Research collaboration: 1 Looking for help in linking PGA signatures to tools / malware 2 3

  40. https://sissden.eu This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 700176.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

T elescopes T elescopes Ryan Orvedahl Ryan Orvedahl ASTR 1040 Rec ASTR 1040 Rec T odays

T elescopes T elescopes Ryan Orvedahl Ryan Orvedahl ASTR 1040 Rec ASTR 1040 Rec T odays

T elescopes T elescopes Ryan Orvedahl Ryan Orvedahl ASTR 1040 Rec ASTR 1040 Rec T odays Class - T odays Class - T elescopes T elescopes Measuring a telescopes Measuring a telescopes performance performance Ways to

344 views • 19 slides
Hard State Revisited: Network Filesystems Hard State Revisited: Network Filesystems Jeff Chase

Hard State Revisited: Network Filesystems Hard State Revisited: Network Filesystems Jeff Chase

Hard State Revisited: Network Filesystems Hard State Revisited: Network Filesystems Jeff Chase CPS 212, Fall 2000 Network File System (NFS) Network File System (NFS) server client syscall layer user programs VFS syscall layer NFS VFS

430 views • 29 slides
Real-Time RFI Mitigation for Single-Dish Radio T elescopes Ric ichard d Prestag age, GBO BO

Real-Time RFI Mitigation for Single-Dish Radio T elescopes Ric ichard d Prestag age, GBO BO

Real-Time RFI Mitigation for Single-Dish Radio T elescopes Ric ichard d Prestag age, GBO BO CASPER ASPER Workshop op 2017 Collaborators Cedric Viou, Jessica Masson Station de radioastronomie de Nanay Observatoire de Paris, PSL

462 views • 30 slides
Similarity of Neural Network Representations Revisited Simon Kornblith, Mohammad Norouzi,

Similarity of Neural Network Representations Revisited Simon Kornblith, Mohammad Norouzi,

Similarity of Neural Network Representations Revisited Simon Kornblith, Mohammad Norouzi, Honglak Lee, Geofgrey Hinton Motivation We need tools to understand trained neural networks Neural network training involves interactions between an

588 views • 16 slides
Hom and Ext, Revisited Justin Lyle Lawrence, KS justin.lyle@ku.edu April 28, 2018 JL Hom and

Hom and Ext, Revisited Justin Lyle Lawrence, KS justin.lyle@ku.edu April 28, 2018 JL Hom and

Hom and Ext, Revisited Hom and Ext, Revisited Justin Lyle Lawrence, KS justin.lyle@ku.edu April 28, 2018 JL Hom and Ext, Revisited Hom and Ext, Revisited Joint work with Hailong Dao and Mohammad Eghbali JL Hom and Ext, Revisited Hom

871 views • 45 slides
Passive Network Synthesis Revisited Malcolm C. Smith Department of Engineering University of

Passive Network Synthesis Revisited Malcolm C. Smith Department of Engineering University of

Passive Network Synthesis Revisited Malcolm C. Smith Department of Engineering University of Cambridge U.K. Mathematical Theory of Networks and Systems (MTNS) 17th International Symposium Kyoto International Conference Hall Kyoto, Japan,

683 views • 57 slides
Owning Your Home Network: Router Security Revisited Marcus

Owning Your Home Network: Router Security Revisited Marcus

Owning Your Home Network: Router Security Revisited Marcus Niemietz, Jrg Schwenk {marcus.niemietz, joerg.schwenk} @rub.de Ruhr University Bochum Table of

623 views • 24 slides
A Practice-Based Research Network Ecology of Medical care Revisited Green et al NEJM 2012 Primary

A Practice-Based Research Network Ecology of Medical care Revisited Green et al NEJM 2012 Primary

A Practice-Based Research Network Ecology of Medical care Revisited Green et al NEJM 2012 Primary Care Data in Ontario Demographics 85% recorded on EMRs Prescribing Diagnoses Tests & Procedures Free Text Big Data

76 views • 5 slides
Reliable Byte-Stream (TCP) Outline Connection Establishment/Termination Sliding Window Revisited

Reliable Byte-Stream (TCP) Outline Connection Establishment/Termination Sliding Window Revisited

Reliable Byte-Stream (TCP) Outline Connection Establishment/Termination Sliding Window Revisited Flow Control Adaptive Timeout 1 End-to-End Protocols Underlying best-effort network drop messages re-orders messages delivers

458 views • 12 slides
6 Decision- -Making Making MVC (revisited) 6 Decision MVC (revisited) decision

6 Decision- -Making Making MVC (revisited) 6 Decision MVC (revisited) decision

6 Decision- -Making Making MVC (revisited) 6 Decision MVC (revisited) decision decision - - m m a a king and games king and games model state instance core structures levels of decision levels of decision- -making

148 views • 4 slides
Calibration Revisited Jan Kodovsk, Jessica Fridrich September 7, 2009 / ACM MM&Sec 09

Calibration Revisited Jan Kodovsk, Jessica Fridrich September 7, 2009 / ACM MM&Sec 09

Calibration Revisited Jan Kodovsk, Jessica Fridrich September 7, 2009 / ACM MM&Sec 09 Calibration Revisited 1 / 16 What is Calibration? 2002 - Calibration introduced (attack on F5) Part of feature extraction procedure for blind

544 views • 43 slides
CEPH WIRE PROTOCOL REVISITED CEPH WIRE PROTOCOL REVISITED MESSENGER V2 MESSENGER V2 Ricardo

CEPH WIRE PROTOCOL REVISITED CEPH WIRE PROTOCOL REVISITED MESSENGER V2 MESSENGER V2 Ricardo

CEPH WIRE PROTOCOL REVISITED CEPH WIRE PROTOCOL REVISITED MESSENGER V2 MESSENGER V2 Ricardo Dias | rdias@suse.com FOSDEM'19 - Soware Defined Storage devroom OUTLINE OUTLINE What is the Ceph messenger Messenger API Messenger V1

1.01k views • 63 slides
lecture 21 Input / Output (I/O) 3 - system bus and memory (lectures 16-18 revisited) -

lecture 21 Input / Output (I/O) 3 - system bus and memory (lectures 16-18 revisited) -

lecture 21 Input / Output (I/O) 3 - system bus and memory (lectures 16-18 revisited) - system bus and interrupts - exceptions (lecture 12 revisited) Wed. March 3, 2016 Let's review what happens when there is a TLB miss. In

504 views • 32 slides
Cyber-Insurance Revisited Workshop on the Economics of Information Security Kennedy School of

Cyber-Insurance Revisited Workshop on the Economics of Information Security Kennedy School of

CYBER-INSURANCE REVISITED Cyber-Insurance Revisited Workshop on the Economics of Information Security Kennedy School of Government Harvard University 03 June 2005 Rainer Bhme rainer.boehme@inf.tu-dresden.de Department of Computer Science

389 views • 22 slides
CompSci 356: Computer Network Architectures Lecture 8: Switching technologies Chapter 3.1

CompSci 356: Computer Network Architectures Lecture 8: Switching technologies Chapter 3.1

CompSci 356: Computer Network Architectures Lecture 8: Switching technologies Chapter 3.1 Xiaowei Yang xwy@cs.duke.edu Review Sliding window revisited End-to-end arguments Reliable transmission Multiple access links

599 views • 43 slides
Presentation schedule revisited Politeness Positive and negative politeness Form

Presentation schedule revisited Politeness Positive and negative politeness Form

Presentation schedule revisited Politeness Positive and negative politeness Form and Function; Context and Presupposition Politeness, refinement, manners, and cultural capital Presentation schedule revisited Politeness

471 views • 18 slides
Q4 2016 & Capital Markets Update Oslo, Norway 28 February 2017 1 Disclaimer This

Q4 2016 & Capital Markets Update Oslo, Norway 28 February 2017 1 Disclaimer This

Q4 2016 & Capital Markets Update Oslo, Norway 28 February 2017 1 Disclaimer This presentation and its enclosures and appendices (jointly referred to as the Presentation) has been produced by Asetek A/S (the Company) and has been

563 views • 54 slides
Real Estate in Central & Eastern Europe Mike Edwards Head of Valuation Advisory Services,

Real Estate in Central & Eastern Europe Mike Edwards Head of Valuation Advisory Services,

Real Estate in Central & Eastern Europe Mike Edwards Head of Valuation Advisory Services, Central Europe Real Estate in Central & Eastern Europe Evolution of the market Attributes of the market Performance Investment

507 views • 18 slides
The Dantean Anomaly (1309-1321): Rapid Climate Change in Late Medieval Europe with a Global

The Dantean Anomaly (1309-1321): Rapid Climate Change in Late Medieval Europe with a Global

C i t a t i o n Martin Bauch, The Dantean Anomaly (1309-1321): Rapid Climate Change in Late Medieval Europe with a Global Perspective, in: Mittelalter. Interdisziplinre Forschung und Rezeptionsgeschichte 1 (2018), pp. 92-103,

465 views • 12 slides
Multivariate Conditional Anomaly Detection and Its Clinical Application Charmgil Hong Milos

Multivariate Conditional Anomaly Detection and Its Clinical Application Charmgil Hong Milos

Multivariate Conditional Anomaly Detection and Its Clinical Application Charmgil Hong Milos Hauskrecht {charmgil, milos}@cs.pitt.edu Department of Computer Science University of Pittsburgh Prepared for the Twentieth AAAI/SIGAI Doctoral

562 views • 40 slides
2017 Preliminary Results Martyn Ratcliffe Chairman Rebecca Archer Finance Director To be read

2017 Preliminary Results Martyn Ratcliffe Chairman Rebecca Archer Finance Director To be read

2017 Preliminary Results Martyn Ratcliffe Chairman Rebecca Archer Finance Director To be read in conjunction with the audited preliminary results announcement released on 28 February 2018 In addition to IFRS measures, alternative performance

672 views • 22 slides
VanEck TM Natural Resources Index & S-Network Natural Resources Indexes Rules and Methodology

VanEck TM Natural Resources Index & S-Network Natural Resources Indexes Rules and Methodology

10/24/2018 7 VanEck TM Natural Resources Index & S-Network Natural Resources Indexes Rules and Methodology 1 RVEI Family Rulebook v17 10-24-2018 TABLE OF CONTENTS I. GENERAL DESCRIPION

799 views • 21 slides
The prospects for geothermal energy in Scotland Ed Stephens, University of St Andrews Cairngorms

The prospects for geothermal energy in Scotland Ed Stephens, University of St Andrews Cairngorms

The prospects for geothermal energy in Scotland Ed Stephens, University of St Andrews Cairngorms Hot Dry Rocks: Granites Southampton Hot Wet Rocks: Aquifers Scottish Energy Context Installed capacity ~11GW, peak demand ~7GW 2009 TWh %

596 views • 11 slides
Advancing precious metals in North America Corporate Presentation June 2020

Advancing precious metals in North America Corporate Presentation June 2020

Advancing precious metals in North America Corporate Presentation June 2020 www.excellonresources.com TSX:EXN, EXN.WT, OTC:EXLLF and FRA:E4X1 Forward Looking Statements Disclaimer This document contains forwardlooking statements

660 views • 30 slides

More recommend