network telescopes
play

Network Telescopes David Moore October 29th, 2003 - USENIX LISA - PowerPoint PPT Presentation

Nov 04, 2023 •277 likes •928 views

Network Telescopes David Moore October 29th, 2003 - USENIX LISA dmoore@caida.org UCSD CSE www.caida.org What is a "Network Telescope"? A way of seeing remote security events, without being there. Can see: victims of

  1. Network Telescopes David Moore October 29th, 2003 - USENIX LISA dmoore@caida.org UCSD CSE www.caida.org

  2. What is a "Network Telescope"? • A way of seeing remote security events, without being there. • Can see: – victims of certain kinds of denial-of-service attacks – hosts infected by random-spread worms – port and host scanning – misconfiguration University California, San Diego – Department of Computer Science UCSD CSE COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS

  3. Network Telescope: Basic Idea If a computer sends packets to IP addresses randomly , we should see some of the packets if we monitor enough address space. University California, San Diego – Department of Computer Science UCSD CSE COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS

  4. Network Telescope • Chunk of (globally) routed IP address space • Little or no legitimate traffic (or easily filtered) – might be "holes" in a real production network • Unexpected traffic arriving at the network telescope can imply remote network/security events • Generally good for seeing explosions, not small events • Depends on statistics/randomness working University California, San Diego – Department of Computer Science UCSD CSE COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS

  5. Outline • What is a network telescope? • Denial-of-Service Attacks • Internet Worms • How to use your own telescope University California, San Diego – Department of Computer Science UCSD CSE COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS

  6. Network Telescope: Denial-of-Service Attacks • Attacker floods the victim with requests using random spoofed source IP addresses • Victim believes requests are legitimate and responds to each spoofed address • With a /8 ("class A"), one can observe 1/256 th of all victim responses to spoofed addresses University California, San Diego – Department of Computer Science UCSD CSE COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS

  7. Backscatter Analysis Technique • Flooding-style DoS attacks – e.g. SYN flood, ICMP flood • Attackers spoof source address randomly – True of many major attack tools – i.e. not SMURF or reflector attack • Victims, in turn, respond to attack packets • Unsolicited responses ( backscatter ) equally distributed across IP space • Received backscatter is evidence of an attacker elsewhere University California, San Diego – Department of Computer Science UCSD CSE COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS

  8. Backscatter Analysis • Monitor block of n IP addresses • Expected number of backscatter packets given an attack of m packets: nm E(X) = 32 2 • Extrapolated attack rate R is a function of measured backscatter rate R’: 32 2 ≥ R R ' n University California, San Diego – Department of Computer Science UCSD CSE COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS

  9. Assumptions and Biases • Address uniformity – Ingress filtering, reflectors, etc. cause us to underestimate number of attacks – Can bias rate estimation (can we test uniformity?) • Reliable delivery – Packet losses, server overload & rate limiting cause us to underestimate attack rates/durations • Backscatter hypothesis – Can be biased by purposeful unsolicited packets • Port scanning (minor factor at worst in practice) – Can we verify backscatter at multiple sites? University California, San Diego – Department of Computer Science UCSD CSE COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS

  10. Identifying DoS Attacks • Flow-based analysis (categorical) – Keyed on victim IP address and protocol – Flow duration defined by explicit parameters (min. threshold, timeout) • Event-based analysis (intensity) – Attack event: backscatter packets from IP address in 1 − minute window – No notion of attack duration or “kind” University California, San Diego – Department of Computer Science UCSD CSE COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS

  11. DoS Attack breakdown (three weeks in February 2001) Week1 Week2 Week3 Attacks 4173 3878 4754 Victim IPs 1942 1821 2385 Victim prefixes 1132 1085 1281 Victim ASes 585 575 677 Victim DNS domains 750 693 876 Victim DNS TLDs 60 62 71 University California, San Diego – Department of Computer Science UCSD CSE COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS

  12. DoS Attacks over time University California, San Diego – Department of Computer Science UCSD CSE COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS

  13. DoS Attacks over time University California, San Diego – Department of Computer Science UCSD CSE COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS

  14. DoS Attack characterization • Protocols – Mostly TCP (90-94% attacks), but a few large ICMP floods (up to 43% of packets) – Some evidence of ISP “blackholing” (ICMP host unreachable) • Services – Most attacks on multiple ports (~80%) – A few services (HTTP, IRC) singled out University California, San Diego – Department of Computer Science UCSD CSE COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS

  15. DoS Attack duration distribution University California, San Diego – Department of Computer Science UCSD CSE COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS

  16. DoS Victim characterization • Entire spectrum of commercial businesses – Yahoo, CNN, Amazon, etc and many smaller biz • Evidence that minor DoS attacks used for personal vendettas – 10-20% of attacks to home machines – A few very large attacks against broadband • 5% of attacks target infrastructure – Routers (e.g. core2-core1-oc48.paol.above.net) – Name servers (e.g. ns4.reliablehosting.com) University California, San Diego – Department of Computer Science UCSD CSE COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS

  17. DoS Victim breakdown by TLD 35 30 Week 1 25 Week 2 Percent of Attacks Week 3 20 15 10 5 0 unknown net com ro br org edu ca de uk University California, San Diego – Department of Computer Science Top-Level Domain UCSD CSE COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS

  18. Example 1: Periodic attack (1hr per 24hrs) University California, San Diego – Department of Computer Science UCSD CSE COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS

  19. Example 2: Punctuated attack (1min interval) University California, San Diego – Department of Computer Science UCSD CSE COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS

  20. Validation • Backscatter not explained by port scanning – 98% of backscatter packets do not cause response – This may be changing • Repeated experiment with independent monitor (3 /16’s from Vern Paxson) – Only captured TCP SYN/ACK backscatter – 98% inclusion into larger dataset • Matched to actual attacks detected by Asta Networks on large backbone network University California, San Diego – Department of Computer Science UCSD CSE COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS

  21. Backscatter Conclusions • Lots of attacks – some very large – >12,000 attacks against >5,000 targets – Most < 1,000 pps, but some over 600,000 pps • Most attacks are short – some have long duration – a few victims were attacked continuously during the three week study • Everyone is a potential target – Targets not dominated by any TLD or domain • Targets include large e-commerce sites, mid-sized business, ISPs, government, universities and end-users • Targets include routers and domain name servers – Something weird was happening in Romania University California, San Diego – Department of Computer Science UCSD CSE COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS

  22. Outline • What is a network telescope? • Denial-of-Service Attacks • Internet Worms • How to use your own telescope University California, San Diego – Department of Computer Science UCSD CSE COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS

  23. What is a Network Worm? • Self-propagating self-replicating network program – Exploits some vulnerability to infect remote machines • No human intervention necessary – Infected machines continue propagating infection University California, San Diego – Department of Computer Science UCSD CSE COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS

  24. Network Telescope: Worm Attacks • Infected host scans for other vulnerable hosts by randomly generating IP addresses We monitor 1/256 th of all IPv4 addresses • We see 1/256 th of all worm traffic of worms (when no bias or bugs) • University California, San Diego – Department of Computer Science UCSD CSE COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS

  25. Code-Red worm – July 2001 • Exploits a vulnerability in Microsoft IIS • Days 1-19 of each month – displays ‘hacked by Chinese’ message on English language servers – tries to open connections to infect randomly chosen machines using 100 threads • Day 20-27 – stops trying to spread – launches a denial-of-service attack on the IP address of www1.whitehouse.gov University California, San Diego – Department of Computer Science UCSD CSE COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Network Telescopes: The FloCon Files There are &quot;reseachers&quot; seriously interested in

Network Telescopes: The FloCon Files There are &quot;reseachers&quot; seriously interested in

Flocon Stream of Conciousness Network Telescopes: The FloCon Files There are &quot;reseachers&quot; seriously interested in pieces of operational problems. anomaly detection, early worm detection flow aggregation, line-speed

259 views • 11 slides
Telescopes and Technology: A history and close up look at the amazing telescope. Telescopes and

Telescopes and Technology: A history and close up look at the amazing telescope. Telescopes and

Telescopes and Technology: A history and close up look at the amazing telescope. Telescopes and Technology Common questions about telescopes: What is a telescope? What is the history and origin of the telescope? How do telescopes

827 views • 60 slides
Improvement of PCAL Signal Distribution on RT-32 Radio Telescopes of Quasar VLBI Network

Improvement of PCAL Signal Distribution on RT-32 Radio Telescopes of Quasar VLBI Network

Institute of Applied Astronomy Improvement of PCAL Signal Distribution on RT-32 Radio Telescopes of Quasar VLBI Network Dmitry Marshalov Evgeny Nosov Institute of Applied Astronomy Russian Academy of Sciences EVN TOG &amp; GMVA

524 views • 20 slides
A view of the Universe with the IceCube and ANTARES Neutrino Telescopes Ignacio Taboada Georgia

A view of the Universe with the IceCube and ANTARES Neutrino Telescopes Ignacio Taboada Georgia

A view of the Universe with the IceCube and ANTARES Neutrino Telescopes Ignacio Taboada Georgia Institute of Technology Neutrino 2018, Heidelberg J Yang Neutrino Telescopes Atmospheric Neutrinos Earth Nuclear Reactors n Telescopes

429 views • 22 slides
Telescopes &amp; Mirrors Telescopes &amp; Mirrors Giovanni Pareschi INAF - Osservatorio

Telescopes &amp; Mirrors Telescopes &amp; Mirrors Giovanni Pareschi INAF - Osservatorio

Telescopes &amp; Mirrors Telescopes &amp; Mirrors Giovanni Pareschi INAF - Osservatorio Astronomico di Brera Via E. Bianchi 46 23807 Merate - Italy E-mail: giovanni.pareschi@brera.inaf.it Outline Outline remarks on grazing incidence

963 views • 83 slides
APPEC Town Meeting - Neutrino Telescopes Gisela Anton Paris, April 6th, 2016 Short Summary recent

APPEC Town Meeting - Neutrino Telescopes Gisela Anton Paris, April 6th, 2016 Short Summary recent

APPEC Town Meeting - Neutrino Telescopes Gisela Anton Paris, April 6th, 2016 Short Summary recent results from neutrino telescopes 2 Existing neutrino telescopes ANTARES IceCube Baikal Mediterranean Sea, Lake Baikal, South Pole glacier,

657 views • 47 slides
The telescopes from the The telescopes from the technological point of view: technological point

The telescopes from the The telescopes from the technological point of view: technological point

The telescopes from the The telescopes from the technological point of view: technological point of view: structures and mirrors for tructures and mirrors for IACTs IACTs Rodolfo Canestrari Rodolfo Canestrari INAF INAF-Astronomical

786 views • 43 slides
in the era of big telescopes In collaboration with: M. Bernardi H. Dominiguez-Sanchez, J.-L.

in the era of big telescopes In collaboration with: M. Bernardi H. Dominiguez-Sanchez, J.-L.

Stellar and Dark Masses: IMF gradients in the era of big telescopes In collaboration with: M. Bernardi H. Dominiguez-Sanchez, J.-L. Fischer, A. Meert UPenn and K. Chae, M. Huertas-Company, F. Shankar, R. Sheth A galaxy is made of luminous +

750 views • 48 slides
Results from the H.E.S.S. Telescopes -and a look at the next generation instrument Paula

Results from the H.E.S.S. Telescopes -and a look at the next generation instrument Paula

Results from the H.E.S.S. Telescopes -and a look at the next generation instrument Paula Chadwick, Dept. of Physics University of Durham The Plan Some background information Recent H.E.S.S. results The Galactic Plane survey

787 views • 60 slides
WFIRST and Giant Segmented Mirror Telescopes (GSMTs) Mark Dickinson (NOAO) + Michael Bolte

WFIRST and Giant Segmented Mirror Telescopes (GSMTs) Mark Dickinson (NOAO) + Michael Bolte

WFIRST and Giant Segmented Mirror Telescopes (GSMTs) Mark Dickinson (NOAO) + Michael Bolte (UCSC) Giant Segmented Mirror Telescopes GSMTs (aperture &gt;20m; aka ELTs) offer: Greater collecting area &amp; sensitivity than

708 views • 55 slides
COSMOLOGY &amp; ASTRONOMY telescopes, but they did some have in access to very old Egyptian

COSMOLOGY &amp; ASTRONOMY telescopes, but they did some have in access to very old Egyptian

PCES 1.31 The ancient Greeks had no COSMOLOGY &amp; ASTRONOMY telescopes, but they did some have in access to very old Egyptian astronomical records. They knew about the seasons, ANCIENT GREECE the tilt of the earths axis w ith respect

236 views • 7 slides
COSMOLOGY &amp; ASTRONOMY telescopes, but they did some have in access to very old Egyptian

COSMOLOGY &amp; ASTRONOMY telescopes, but they did some have in access to very old Egyptian

PCES 1.32 The ancient Greeks had no COSMOLOGY &amp; ASTRONOMY telescopes, but they did some have in access to very old Egyptian astronomical records. They knew about the seasons, ANCIENT GREECE the tilt of the earths axis w ith respect

218 views • 8 slides
with TUG Telescopes H.H.Esenolu 1,2 , A.Galeev 1,3 , .Hamitolu 1 , O.Erece 1 , K.Ulu 1 ,

with TUG Telescopes H.H.Esenolu 1,2 , A.Galeev 1,3 , .Hamitolu 1 , O.Erece 1 , K.Ulu 1 ,

GAIA Studies at TUG Observations of Gaia Sources with TUG Telescopes H.H.Esenolu 1,2 , A.Galeev 1,3 , .Hamitolu 1 , O.Erece 1 , K.Ulu 1 , O.Okuyan 1 , S.Kaynar 1 , M.Koak 1 , T.zk 1 , M.Dindar 1 , S.Kl 1 , H.Krbyk 1 1

338 views • 19 slides
CSP .LMC Prototype Proposed Design E.Giani, C.Baffa LMC harmonization through Telescopes

CSP .LMC Prototype Proposed Design E.Giani, C.Baffa LMC harmonization through Telescopes

CSP .LMC Prototype Proposed Design E.Giani, C.Baffa LMC harmonization through Telescopes Step2: LMC Peer Review Meeting 1 Madrid, 11-13 April 2016 2 of 34 Main Topics General introduction. CSP .LMC architecture and functionalities.

674 views • 34 slides
Introduction scopes and structure the EEE station MRPC technology telescopes

Introduction scopes and structure the EEE station MRPC technology telescopes

Extreme Energy Events: an extended multi purpose cosmic ray observatory I. Gnesi on behalf of the EEE Collaboration TAUP 2019, Toyama Introduction scopes and structure the EEE station MRPC technology telescopes and Data

989 views • 29 slides
UT#Astronomical#Observing# &quot;Telescopes and CCDs and Spectrographs, oh my! Observing at

UT#Astronomical#Observing# &quot;Telescopes and CCDs and Spectrographs, oh my! Observing at

UT#Astronomical#Observing# &quot;Telescopes and CCDs and Spectrographs, oh my! Observing at McDonald, LCOGT, and SALT&quot; Keaton#Bell# Graduate#Student#/#Postdoc#Seminar# 4#April#2014# Whats#what?# 2.1#m#OGo#Struve#Telescope#

659 views • 37 slides
End to End Competent Procurement Solution A wonder strategy to create competitive procurement

End to End Competent Procurement Solution A wonder strategy to create competitive procurement

A year of Challenge, Growth and Success End to End Competent Procurement Solution A wonder strategy to create competitive procurement advantage to your company Prepared by: Daniel Chan, PCB Council Chairman Date: Oct, 2006 Integrated Supply

446 views • 17 slides
Content Introduction Strategic Focus Updates Market Review &amp; Outlook Going

Content Introduction Strategic Focus Updates Market Review &amp; Outlook Going

Investor Meetings August 2010 1 Content Introduction Strategic Focus Updates Market Review &amp; Outlook Going Forward Recent Awards 2 1 Introduction 3 Introduction Total assets of $6.6 bil as @ 30 June 2010 Premier

666 views • 27 slides
Content Introduction Strategic Focus Updates Market Review &amp; Outlook Going

Content Introduction Strategic Focus Updates Market Review &amp; Outlook Going

Investor Meetings June 2010 1 Content Introduction Strategic Focus Updates Market Review &amp; Outlook Going Forward i d Recent Awards 2 1 Introduction 3 Introduction Premier Property Total assets of $6.7 bil as @ 31

485 views • 25 slides
Background What are the factors explaining firms EE investment decisions? Why

Background What are the factors explaining firms EE investment decisions? Why

Strategic Fit of Energy Efficiency Strategic and Cultural Dimensions of Investment Decisions Catherine Cooremans ECEEE Summer Study June 7, 2007 Outline Background and objectives Conceptual framework Decision-making in

364 views • 14 slides
Pre-transitional mortality indicators for a Brazilian region in the 19th century Dayane Julia

Pre-transitional mortality indicators for a Brazilian region in the 19th century Dayane Julia

Pre-transitional mortality indicators for a Brazilian region in the 19th century Dayane Julia Carvalho Dias Unicamp dayanejuliacd@gmail.com Luciana Conceio de Lima UFRN limamarx@gmail.com Luana Junqueira Dias Myrrha UFRN

226 views • 11 slides
international international c e n t e r c e n t e r for research for research on

international international c e n t e r c e n t e r for research for research on

international international c e n t e r c e n t e r for research for research on anarchism on anarchism CIRA, avenue de Beaumont 24, CH 1012 Lausanne, Switzerland (Bus 5 from train station, stop at Hpital CHUV)

337 views • 4 slides
RJC India Seminars Mumbai and Surat February 2014 Agenda 1. Welcome Address 2. RJC and India

RJC India Seminars Mumbai and Surat February 2014 Agenda 1. Welcome Address 2. RJC and India

RJC India Seminars Mumbai and Surat February 2014 Agenda 1. Welcome Address 2. RJC and India Engagement 3. RJC Code of Practices 2013 4. Our experience of RJC certification 5. Question - Answer Session Lunch hosted by RJC

740 views • 31 slides
ADDRESSING INCREASED REGULATION IN THE ADDRESSING INCREASED REGULATION IN THE ADDRESSING

ADDRESSING INCREASED REGULATION IN THE ADDRESSING INCREASED REGULATION IN THE ADDRESSING

ADDRESSING INCREASED REGULATION IN THE ADDRESSING INCREASED REGULATION IN THE ADDRESSING INCREASED REGULATION IN THE ADDRESSING INCREASED REGULATION IN THE PRECIOUS METALS SUPPLY CHAIN PRECIOUS METALS SUPPLY CHAIN PRECIOUS METALS SUPPLY CHAIN

99 views • 5 slides

More recommend