SLIDE 1

Project Darklight

Rob Buijs, Michael Rave

SLIDE 2

Overview

- XS4ALL Darknet
- Research question
- Argus
- Research
- Results
  - Zero day warning system
  - Internet Security Index
- Conclusion
- Future work

SLIDE 3

XS4ALL Darknet

- Darknets
- Traffic to the XS4ALL darknet
  - For everyone: not used XS4ALL address space
  - For XS4ALL customers: not used XS4ALL address space and bogon IPs
- Argus: passive capture, no response is sent

SLIDE 4

XS4ALL Darknet (figure)

SLIDE 5

Research question

“What information can be gained from the captured XS4ALL Darknet streams, and could it be used as a zero day warning system?”

SLIDE 6

Argus

- Real-time flow monitor
- Fields
  - Source and destination IP address
  - Source and destination port
  - Protocol type
  - Start time
- UDP: first 712 bytes of payload
- 4 months of data
- Argus tools

SLIDE 7

Research - Patterns

- Port scans
- IP scans
- IP patterns
- Port patterns
- Time patterns

SLIDE 8

Research - Protocol usage

Pie chart, "Average Protocol Usage": TCP 56%, UDP 37%, ICMP 6%; the remaining slice is shared by IGMP, ARP, RTCP, IPv6 and ESP.

SLIDE 9

Research - Time pattern

Bar chart, "Average amount of packets per hour": x-axis hour of the day (07 through 06), y-axis 25,000 to 200,000 packets.

SLIDE 10

Research - Origin

- Why
  - Misconfiguration
  - Viruses, worms and malware
  - Scans
- From where
  - Countries
  - Customers
  - Non-customers

SLIDE 11

Research - Traffic streams (figure)

SLIDE 12

Research - Country origin

Pie chart, "Country origin of traffic to not used XS4ALL space": NL 80%, FR 6%, DE 3%, PL 3%, IT 2%, GN 2%, ES 1%; HU, CN and IL make up the rest.

SLIDE 13

Research - Country origin

Pie chart, "Country origin of traffic to not used XS4ALL space, without XS4ALL customers": NL 57%, FR 16%, IT 6%, GB 5%, PL 3%, ES 3%, HU 2%; CN, IL and KR make up the rest.

SLIDE 14

Research - Analysis

- Top N
- Baseline
- Trends

SLIDE 15

Research - Port analysis

Top N: line chart of daily counts per port over Day 1 through Day 10 (y-axis 50,000 to 350,000); series: 65535, 8000, 4662, 137, 135, 80 and ICMP.

SLIDE 16

Research - Port trends

The coming of the SAV worm (figure)

SLIDE 17

Research - Port trend analysis

- Trend calculation against a baseline
- Effective for detecting the upcoming popularity of ports
- Important to define a minimum port frequency; otherwise low-volume ports dominate the trend list, as in this sample output (increase over the overall average, port number, port amount, overall average):

62.50%  port 12149  amount 13  overall average 8
40.00%  port 12186  amount 7   overall average 5
34.21%  port 12183  amount 51  overall average 38
25.00%  port 12165  amount 10  overall average 8
18.52%  port 12210  amount 32  overall average 27
18.18%  port 12204  amount 13  overall average 11
16.67%  port 12188  amount 7   overall average 6

SLIDE 18

Zero day warning system

- Identify and notify about upcoming threats at an early stage
- Trend analysis of darknet data
- Top N analysis
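The Top N, baseline and trend steps from slides 14 through 18, run over flow records carrying the Argus fields listed on slide 6 (with a protocol breakdown like slide 8 on the side), as an added example. This is not Project Darklight's own code: the CSV layout, the dates, the traffic profile and the `min_count` threshold are assumptions made for the example, and the baseline is taken here as the per-port average over the preceding days, since the slides do not say how the overall average was computed. The profile deliberately contains a rare UDP port that jumps from a tiny base, so running `port_trends` with and without a minimum port frequency shows why slide 17 insists on one.

```python
"""Top N, baseline and trend analysis over darknet flow records (added example)."""
from collections import Counter, defaultdict

# Constructed traffic profile: day -> {(proto, dport): number of flows that day}.
# tcp/135 ramps up on the last day the way a spreading worm would, tcp/2967
# appears for the first time on the last day, and udp/12149 is low-volume
# noise that jumps from a tiny base. Dates and ports are assumptions.
PROFILE = {
    "2006-12-01": {("tcp", 135): 40, ("tcp", 80): 60, ("udp", 137): 30, ("udp", 12149): 1},
    "2006-12-02": {("tcp", 135): 44, ("tcp", 80): 58, ("udp", 137): 31, ("udp", 12149): 1},
    "2006-12-03": {("tcp", 135): 200, ("tcp", 80): 61, ("udp", 137): 29, ("udp", 12149): 9,
                   ("tcp", 2967): 30},
}


def make_flows(profile):
    """Expand the profile into one CSV line per flow carrying the Argus fields from
    slide 6 (start time, protocol, source/destination address and port). The CSV
    layout is an assumption, not Argus's own output format."""
    lines = ["stime,proto,saddr,sport,daddr,dport"]
    for day, ports in sorted(profile.items()):
        for (proto, dport), n in sorted(ports.items()):
            for i in range(n):
                saddr = f"10.0.{i % 250}.{(i * 7) % 250 + 1}"   # constructed source
                daddr = f"192.0.2.{i % 200 + 1}"                # darknet address
                lines.append(f"{day} 03:{i // 60 % 60:02d}:{i % 60:02d},"
                             f"{proto},{saddr},{1024 + i},{daddr},{dport}")
    return "\n".join(lines)


def parse_flows(text):
    """Parse the CSV into one dict per flow, keeping the day of the start time."""
    flows = []
    for line in text.splitlines()[1:]:
        stime, proto, saddr, sport, daddr, dport = line.split(",")
        flows.append({"day": stime[:10], "proto": proto, "saddr": saddr,
                      "sport": int(sport), "daddr": daddr, "dport": int(dport)})
    return flows


def counts_per_day(flows):
    """day -> Counter keyed on (proto, dport): the per-port totals everything else uses."""
    per_day = defaultdict(Counter)
    for f in flows:
        per_day[f["day"]][(f["proto"], f["dport"])] += 1
    return per_day


def protocol_share(flows):
    """Fraction of flows per protocol, the numbers behind a chart like slide 8."""
    total = len(flows)
    return {p: n / total for p, n in Counter(f["proto"] for f in flows).items()}


def top_n(per_day, day, n=5):
    """The n busiest (proto, dport) keys of one day, as on slide 15."""
    return per_day[day].most_common(n)


def baseline(per_day, upto_day):
    """Per-port overall average over the days strictly before upto_day (assumed definition)."""
    days = [d for d in per_day if d < upto_day]
    if not days:
        return {}
    totals = Counter()
    for d in days:
        totals.update(per_day[d])
    return {key: n / len(days) for key, n in totals.items()}


def port_trends(per_day, day, min_count=25):
    """Percentage increase of each port's count on `day` over its baseline, as on slide 17.

    Ports seen fewer than min_count times on `day` are dropped: without that floor a
    port going from 1 to 9 flows (+800%) outranks a port going from 42 to 200 (+376%).
    A port never seen before gets float('inf') so it sorts to the top."""
    base = baseline(per_day, day)
    rows = []
    for key, count in per_day[day].items():
        if count < min_count:
            continue
        avg = base.get(key, 0.0)
        pct = float("inf") if avg == 0 else (count - avg) / avg * 100
        rows.append((round(pct, 2), key, count, round(avg, 2)))
    return sorted(rows, reverse=True)


if __name__ == "__main__":
    flows = parse_flows(make_flows(PROFILE))
    per_day = counts_per_day(flows)
    print("protocol share:", protocol_share(flows))
    print("top 3 on 2006-12-03:", top_n(per_day, "2006-12-03", 3))
    for pct, key, count, avg in port_trends(per_day, "2006-12-03"):
        print(f"{pct:>8}% - port {key[0]}/{key[1]} - amount {count} - overall average {avg}")
```

With the default `min_count=25` the list for the last day is led by tcp/2967 (never seen before) and tcp/135 (+376.19%); with `min_count=1` the udp/12149 noise (+800% from a base of one flow) moves ahead of tcp/135, which is the failure mode slide 17 warns about.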

SLIDE 19

Internet security index

- Total amount
- Rapid increase
- Port rating
- IP rating

SLIDE 20

Conclusion

- IP origin: country of the IP address
- Protocol usage
- Time patterns
- Port patterns
- Zero day warning system
  - Trend analysis
  - Top N

SLIDE 21

Future work

- Cooperate with DShield / Internet Storm Center
- Build the zero day warning system
- Build the internet security index
- Build an abuse message system

SLIDE 22

Questions?