passive host monitoring
play

Passive Host Monitoring John Kristoff DePaul University - PowerPoint PPT Presentation

Dec 12, 2023 •257 likes •389 views

Passive Host Monitoring John Kristoff DePaul University jtk@depaul.edu February 2001 1 Overview Linux Redhat 6.2 default install University network environment NOT a honeypot Capture every packet 2 As Seen on the Net RPC and FTP mostly

  1. Passive Host Monitoring John Kristoff DePaul University jtk@depaul.edu February 2001 1

  2. Overview Linux Redhat 6.2 default install University network environment NOT a honeypot Capture every packet 2

  3. As Seen on the Net RPC and FTP mostly NetBIOS, most from internal network ICMP host unreachables Some TELNET and DNS Barely any HTTP 3

  4. Observations Packet analysis is slow, but educational It was relatively easy to protect the host Nothing I could do to stop DoS/spoofed packets Attackers are lamerz too, their tools suck Monitoring log files is helpful, need better tools Basic system config tricks would stop/slow attackers 4

  5. Example 1 - Crafted Packets No. Time Source Destination Length Protocol 1 0.000000 suspect igunda 60 TCP sunrpc > sunrpc [FIN, SYN] Seq=1597357078 Ack=1032676069 Win=1028 Len=0 5

  6. Example 2 - Suspicious Packets No. Time Source Destination Length Protocol 1 0.0000000 suspect igunda 60 TCP 0 > 1024 [SYN, ACK] Seq=713323970 Ack=2383656254 Win=0 Len=0 2 0.000262 suspect igunda 60 TCP 0 > 1024 [RST, ACK] Seq=713323971 Ack=2383656254 Win=0 Len=0 6

  7. Example 3 - Correlation No. Time Source Destination Length Protocol 1 0.000000 suspect-1 igunda 60 TCP www > 1538 [RST, ACK] Seq=0 Ack=674711610 Win=0 Len=0 2 1117.980147 suspect-2 igunda 60 TCP www > 1538 [SYN, ACK] Seq=897862236 Ack=674711610 Win=16384 Len=0 3 1117.981982 igunda suspect-2 60 TCP 1538 > www [RST] Seq=674711610 Ack=0 Win=0 Len=0 4 1117.986725 suspect-2 igunda 60 TCP www > 1538 [RST, ACK] Seq=897862237 Ack=674711610 Win=16384 Len=0 7

  8. Example 4 - Attack Packet Byte Hex ASCII 3d0 9090 9090 9090 9090 31c0 eb7c 5989 4110 ........1..|Y.A. 3e0 8941 08fe c089 4104 89c3 fec0 8901 b066 .A....A........f 3f0 cd80 b302 8959 0cc6 410e 99c6 4108 1089 .....Y..A...A... 400 4904 8041 040c 8801 b066 cd80 b304 b066 I..A.....f.....f 410 cd80 b305 30c0 8841 04b0 66cd 8089 ce88 ....0..A..f..... 420 c331 c9b0 3fcd 80fe c1b0 3fcd 80fe c1b0 .1..?.....?..... 430 3fcd 80c7 062f 6269 6ec7 4604 2f73 6841 ?..../bin.F./shA 440 30c0 8846 0789 760c 8d56 108d 4e0c 89f3 0..F..v..V..N... 450 b00b cd80 b001 cd80 e87f ffff ff00 .............. 8

  9. Example 5 - Log files Sep 5 02:39:31 igunda in.ftpd[7594]: connect from suspect Sep 5 02:39:41 igunda ftpd[7594]: lost connection to suspect Sep 5 02:39:41 igunda ftpd[7594]: FTP session closed Sep 5 02:39:41 igunda inetd[478]: pid 7594: exit status 255 Oct 8 06:19:29 igunda rpc.statd[340]: gethostbyname error for ... Oct 27 13:27:54 igunda rpc.statd[353]: SM_MON request for hostname Oct 27 13:27:54 igunda rpc.statd[353]: POSSIBLE SPOOF/ATTACK ATTEMPT! Oct 27 13:27:54 igunda rpc.statd[353]: STAT_FAIL to localhost for SM_MON of 9

  10. Statistics A VERY unscientific look at the sources – Non-US (29) – ISP DSL/Cable/Modem pools (10) – Big ISP netblocks (10) – Internal NetBios (5) – US Universities (4) – Other (18) 10

  11. Statistics [continued] A VERY unscientific look at destinations – assumed wu-ftpd (28) – assumed rpc.statd (17) – ICMP destination unreachables (11) – telnet (9) – NETBIOS (9) – DNS (3) 11

  12. Resources http://www.cert.org http://www.ethereal.com http://www.rfc-editor.org http://packetstorm.securify.com http://www.securityfocus.com http://project.honeynet.org 12

  13. The End For further analysis see: http://condor.depaul.edu/ jkristof/igunda.pdf or http://condor.depaul.edu/ jkristof/igunda.ps 13

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Role of Passive Sampling and Porewater Remedial Guidelines (PWRGs) in Long-term Monitoring (Part

Role of Passive Sampling and Porewater Remedial Guidelines (PWRGs) in Long-term Monitoring (Part

Contaminated Sediments Virtual Workshop: Session 4: Long-term Monitoring Role of Passive Sampling and Porewater Remedial Guidelines (PWRGs) in Long-term Monitoring (Part 1) ROBERT M BURGESS U.S. ENVIRONMENTAL PROTECTION AGENCY, ORD/NHEERL,

371 views • 14 slides
Passive Wireless Sensors Fabricated by Direct Writing for Temperature and Health Monitoring of

Passive Wireless Sensors Fabricated by Direct Writing for Temperature and Health Monitoring of

Passive Wireless Sensors Fabricated by Direct Writing for Temperature and Health Monitoring of Energy Systems in Harsh Environments Team: Dr. Daryl Reynolds a Dr. Edward M. Sabolsky b Dr. Kostas Sierros b a Lane Department of Computer

419 views • 40 slides
From calls to counts: Estimating animal density using passive acoustic monitoring (PAM) Images

From calls to counts: Estimating animal density using passive acoustic monitoring (PAM) Images

From calls to counts: Estimating animal density using passive acoustic monitoring (PAM) Images courtesy of J. Hildebrand (L) and http://www.birds.cornell.edu/brp/elephant (R) Why acoustics? A wealth of recorded information Acoustic

496 views • 21 slides
Application and Use of Passive Samplers for Monitoring Organic Contaminants at Superfund Sediment

Application and Use of Passive Samplers for Monitoring Organic Contaminants at Superfund Sediment

Application and Use of Passive Samplers for Monitoring Organic Contaminants at Superfund Sediment Sites 26 August 2013 1 of x The Use of Passive Samplers to Monitor Organic Contaminants at Superfund Sediment Sites Background Management of

729 views • 23 slides
DNSSM: A Large Scale Passive DNS Security Monitoring Framework Samuel Marchal, J er ome

DNSSM: A Large Scale Passive DNS Security Monitoring Framework Samuel Marchal, J er ome

samuel.marchal@uni.lu 16/04/12 DNSSM: A Large Scale Passive DNS Security Monitoring Framework Samuel Marchal, J er ome Fran cois, Cynthia Wagner, Radu State, Alexandre Dulaunoy, Thomas Engel, Olivier Festor Motivation Solution

217 views • 18 slides
Thank You for Attending Todays W ebinar: Benzene-Specific Monitoring Your Host Featured

Thank You for Attending Todays W ebinar: Benzene-Specific Monitoring Your Host Featured

Treat yourself to better rental service. Thank You for Attending Todays W ebinar: Benzene-Specific Monitoring Your Host Featured Speaker Werner Haag Matt DeLacluyse Sr Application Chemist Operations Mgr Ion Science RAECO Rents

600 views • 33 slides
Passive Monitoring of RTT spikes Jorma Kilpi VTT Information Technology P.O.Box 1202, 02044 VTT,

Passive Monitoring of RTT spikes Jorma Kilpi VTT Information Technology P.O.Box 1202, 02044 VTT,

ISMA 2004 Workshop on Internet Signal Processing 1 Passive Monitoring of RTT spikes Jorma Kilpi VTT Information Technology P.O.Box 1202, 02044 VTT, FINLAND Email: Jorma.Kilpi@vtt.fi (Joint work with Pasi Lassila form HUT) 5th November 2004

393 views • 7 slides
Reduce passive income, reduce taxes We help. You grow. What is passive income and why does it

Reduce passive income, reduce taxes We help. You grow. What is passive income and why does it

Reduce passive income, reduce taxes We help. You grow. What is passive income and why does it matter? Federal government changed rules, effective for tax years that begin after 2018. Canadian controlled private corporations (CPCC) Passive

193 views • 8 slides
Passive Gas System Design PRESENTED BY BRYAN WELDON P.E. Passive System Overview 01 Passive

Passive Gas System Design PRESENTED BY BRYAN WELDON P.E. Passive System Overview 01 Passive

Passive Gas System Design PRESENTED BY BRYAN WELDON P.E. Passive System Overview 01 Passive Components 02 Integrating and Upgrading 03 Questions 04 2 Passive System Overview ___ 3 Passive Gas System ___ 4 Passive Gas System Usually

332 views • 12 slides
Current Home-Host Issues in CESE Vienna, March 2009 Current Home-Host Issues in CESE Topics

Current Home-Host Issues in CESE Vienna, March 2009 Current Home-Host Issues in CESE Topics

International Monetary Fund Vienna Initiative Current Home-Host Issues in CESE Vienna, March 2009 Current Home-Host Issues in CESE Topics Monitoring Liquidity Capital needs Other 2 March 2009 Current Home-Host Issues in CESE Monitoring

720 views • 10 slides
Passive Fire Protection For the Oil & Gas Industry Passive Fire Protection What is purpose

Passive Fire Protection For the Oil & Gas Industry Passive Fire Protection What is purpose

Passive Fire Protection For the Oil & Gas Industry Passive Fire Protection What is purpose of fireproofing? To Save Lives To Preserve Assets To Prevent Escalation Passive Fire Protection Passive Fire Protection Passive Fire

311 views • 29 slides
What Are Active and Passive Voice? Can you write definitions for active and passive

What Are Active and Passive Voice? Can you write definitions for active and passive

What Are Active and Passive Voice? Can you write definitions for active and passive voice? Active Voice In an active sentence, the subject performs the action (the verb) to the object . Passive Voice In a passive sentence, the thing

610 views • 14 slides
Passive Transport (no energy input required) Passive Transport Passive transport is the

Passive Transport (no energy input required) Passive Transport Passive transport is the

Passive Transport (no energy input required) Passive Transport Passive transport is the movement of ions and other molecules across cell membranes without the need of energy input (ATP) Ions or molecules move from an area of higher

650 views • 33 slides
QUIC passive RTT measurement IETF 99 By Ian Swett Background Almost all of QUIC is encrypted,

QUIC passive RTT measurement IETF 99 By Ian Swett Background Almost all of QUIC is encrypted,

QUIC passive RTT measurement IETF 99 By Ian Swett Background Almost all of QUIC is encrypted, including acks Network monitoring and AQM use RTT Only Handshake RTT is visible Issue #631 Motivation RTT (and change of RTT from baseline)

269 views • 8 slides
Multivariate Solutions to Emerging Passive DNS Challenges Dr. Paul Vixie, CEO and Dr. Joe St

Multivariate Solutions to Emerging Passive DNS Challenges Dr. Paul Vixie, CEO and Dr. Joe St

Multivariate Solutions to Emerging Passive DNS Challenges Dr. Paul Vixie, CEO and Dr. Joe St Sauver, Scientist 1 Agenda Introduction Passive DNS, Including Times When Passive DNS May Not Work Well Overcoming Obfuscation Pillz

962 views • 47 slides
Active / Passive Voice Acquistion THE PASSIVE VOICE IS EVIL. Two exceptions:

Active / Passive Voice Acquistion THE PASSIVE VOICE IS EVIL. Two exceptions:

Active / Passive Voice Acquistion THE PASSIVE VOICE IS EVIL. Two exceptions: blame-shifting scientific writing Acquisition Active Voice: the subject performs the action of the verb Example: The dog attacked my neighbor.

595 views • 21 slides
FX Options Trading Class 8 Gregory McDermott, MApp Fin OU Chief FX Strategist U.S.

FX Options Trading Class 8 Gregory McDermott, MApp Fin OU Chief FX Strategist U.S.

FX Options Trading Class 8 Gregory McDermott, MApp Fin OU Chief FX Strategist U.S. Government Required Disclaimer Foreign Exchange trading has large potential rewards, but also large potential risk. You must be aware of the risks and

1.02k views • 48 slides
WISENT Distributed processing of energy meteorologic data with Condor Jan Ploski September 14th,

WISENT Distributed processing of energy meteorologic data with Condor Jan Ploski September 14th,

WISENT Distributed processing of energy meteorologic data with Condor Jan Ploski September 14th, 2006 Slide 1 Business Information Management OFFIS Outline Project data & goals Overview of applications Introduction to Condor Live

571 views • 26 slides
P ROGRAMMING IN CUDA Tams Budavri / The Johns Hopkins University 7/18/2012 How I got into

P ROGRAMMING IN CUDA Tams Budavri / The Johns Hopkins University 7/18/2012 How I got into

GRAPHICS PROCESSOR P ROGRAMMING IN CUDA Tams Budavri / The Johns Hopkins University 7/18/2012 How I got into this? Tams Budavri 2 Galaxy correlation function 8 bins Histogram of distances State-of-the-art method

1.32k views • 65 slides
CS 6453 LECTURE 6: MESOS PLATFORM REUBEN RAPPAPORT WHAT IS THE PROBLEM? There are many

CS 6453 LECTURE 6: MESOS PLATFORM REUBEN RAPPAPORT WHAT IS THE PROBLEM? There are many

CS 6453 LECTURE 6: MESOS PLATFORM REUBEN RAPPAPORT WHAT IS THE PROBLEM? There are many existing frameworks for cluster computing Generally, different frameworks are best for each application Obvious problem: How to share

194 views • 17 slides
CS 61: Database Systems NoSQL/Mongo CRUD Adapted from mongodb.com unless otherwise noted Agenda

CS 61: Database Systems NoSQL/Mongo CRUD Adapted from mongodb.com unless otherwise noted Agenda

CS 61: Database Systems NoSQL/Mongo CRUD Adapted from mongodb.com unless otherwise noted Agenda 1. Why choose NoSQL 2. Mongo CRUD 2 Relational databases have historically been the safe bet for the enterprise SQL databases are a solid

667 views • 29 slides
Advances in the perturbative description of LSS Zvonimir Vlah CERN with: Elisa Chisari, Fabian

Advances in the perturbative description of LSS Zvonimir Vlah CERN with: Elisa Chisari, Fabian

Advances in the perturbative description of LSS Zvonimir Vlah CERN with: Elisa Chisari, Fabian Schmidt & Patrick McDonald Understanding galaxy overdensity and shape clustering 2 / LSS using PT Introduction 24 Galaxies and biasing of

561 views • 25 slides
20 Degrees: zero-carbon city and country The future Brisbane through the lens of greenspace:

20 Degrees: zero-carbon city and country The future Brisbane through the lens of greenspace:

20 Degrees: zero-carbon city and country The future Brisbane through the lens of greenspace: nature, landscape and food. mongard.com.au Why do children have to strike to make us save the planet? mongard.com.au Climate Crisis = Place Crisis

586 views • 29 slides
Parallel computing with Python Delft University of Technology Alvaro Leitao Rodr guez

Parallel computing with Python Delft University of Technology Alvaro Leitao Rodr guez

Parallel computing with Python Delft University of Technology Alvaro Leitao Rodr guez December 10, 2014 Alvaro Leitao Rodr guez (TU Delft) Parallel Python December 10, 2014 1 / 36 Outline 1 Python tools for parallel

593 views • 36 slides

More recommend