Mapping Internet Sensors With Probe Response Attacks

Presentation transcript:

Mapping Internet Sensors With Probe Response Attacks
Authors: John Bethencourt, Jason Franklin, Mary Vernon
Presented: Usenix Security Symposium, 2005
Tracy Wagner, CDA 6938, February 22, 2007

Outline
- Introduction
- Probe Response Attacks
- Case Study: SANS Internet Storm Center
- Improvements
- Simulation Analysis
- Countermeasures
- Summary
- Contributions / Weaknesses / Future Work

Introduction
- Internet sensor networks publicly report statistics
- Secrecy of sensor locations protects the integrity of the reported information
- Little attention has been given to determining sensor locations
- Probe response attack: techniques and algorithm

Case Study – SANS ISC
- Internet Storm Center
  - DShield Project: collects firewall and IDS logs
  - Analyzes and aggregates the information
  - Automatically publishes public reports
  - http://www.dshield.org/
- Challenging network to map
  - Large number of sensors
  - Non-contiguous IP addresses

Case Study – SANS ISC
- ISC Port Reports
  - Port: destination port
  - Reports: number of log entries with that destination port
  - Sources: number of distinct source IPs
  - Targets: number of distinct destination IPs
- (Figure: SANS ISC Port Report from http://isc.sans.org, February 19, 2007)

Case Study – SANS ISC
- Basic idea:
  - Probe an IP address with activity on a chosen port
  - Check the published reports for that activity
  - Send enough packets to distinguish the probe from other activity
  - Repeat for every possible valid IP address

Case Study – SANS ISC
- Two observations:
  - The majority of IP addresses correspond to no host or to a non-monitored host
  - Reports list activity by port
- Preprocessing: filter invalid IPs, which leaves ~2.1 billion IP addresses

Basic Probe Response Algorithm: Stage One
- If n ports can be used for probes: {p1, p2, …, pn}
- Divide the list of IPs into n intervals: {S1, S2, …, Sn}
- For (1 ≤ i ≤ n): send a SYN packet on port pi to each address in Si

Basic Probe Response Algorithm: Stage One
- Retrieve the updated port report
  - Traffic to monitored IPs will be reported
  - This tells us the number of monitored IPs in each Si
- Each interval with no monitored IPs is discarded
- Each interval that has monitored IPs is kept

Basic Probe Response Algorithm: Stage Two
- Input: the remaining k intervals R1, R2, …, Rk and the number of monitored IPs in each
- Assign n/k ports to each interval
- For (1 ≤ i ≤ k):
  - Divide Ri into (n/k + 1) subintervals
  - For (1 ≤ j ≤ n/k): send a packet on pj to each address in subinterval j
  - The last subinterval is not probed; its count is inferred from the known total for Ri

Basic Probe Response Algorithm: Stage Two

Dealing With Noise
- Other sources may be sending packets to monitored IPs on the same ports
- Tradeoff: tolerate some noise, but more packets must be sent
- Report Noise Cancellation Factor
  - If a port shows fewer than 5 reports, send 5 packets to each address instead of one
  - Divide the reported number by 5 and round down to the nearest integer
- Ports by background report count:
    Reports ≤ 5:   561 ports
    Reports ≤ 10:  19,364 ports
    Reports ≤ 15:  41,357 ports
    Reports ≤ 20:  51,959 ports
    Reports ≤ 25:  56,305 ports
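An added simulation, written for this transcript and not taken from the paper or the slides, of the two-stage algorithm and the report noise cancellation factor against a constructed toy report oracle: it shows why an aggregate per-port count is enough to recover sensor positions, and how the unprobed last subinterval is inferred. The address space, sensor set, port list and background noise are constructed assumptions.

```python
ADDR_SPACE = 4096                       # constructed toy address space (already filtered)
MONITORED = {17, 500, 501, 2048, 3999}  # constructed sensor addresses, hidden from the mapper
PORTS = list(range(1, 9))               # n = 8 ports usable for probes
NOISE_FACTOR = 5                        # report noise cancellation factor: packets per address

def port_report(probes):
    """Simulated public per-port report: entries logged by sensors plus constructed noise (< factor)."""
    counts = {p: (p * 3) % NOISE_FACTOR for p in PORTS}
    for dst, port in probes:
        if dst in MONITORED:
            counts[port] += 1
    return counts

def probe_pieces(pieces):
    """Probe each address of every (port, lo, hi) piece NOISE_FACTOR times; return counts and packets."""
    probes = [(a, p) for p, lo, hi in pieces for a in range(lo, hi) for _ in range(NOISE_FACTOR)]
    report = port_report(probes)
    return [report[p] // NOISE_FACTOR for p, _, _ in pieces], len(probes)

def split(lo, hi, parts):
    bounds = [lo + (hi - lo) * i // parts for i in range(parts + 1)]  # near-equal subintervals
    return list(zip(bounds, bounds[1:]))

def record(lo, hi, c, found, live):
    if c > 0 and hi - lo == 1:          # interval narrowed to a single sensor address
        found.add(lo)
    elif c > 0:                         # still contains sensors: split it again next round
        live.append((lo, hi, c))

def map_sensors():
    n = len(PORTS)
    pieces = [(p, lo, hi) for p, (lo, hi) in zip(PORTS, split(0, ADDR_SPACE, n))]
    counts, packets = probe_pieces(pieces)          # stage one: every interval probed
    live = [(lo, hi, c) for (_, lo, hi), c in zip(pieces, counts) if c > 0]
    found, reports = set(), 1
    while live:                                     # stage two: one report per round
        batch, live = live[:n], live[n:]
        m, ports, pieces, tails = n // len(batch), iter(PORTS), [], []
        for lo, hi, c in batch:                     # m ports per interval, m + 1 subintervals
            subs = split(lo, hi, min(m + 1, hi - lo))
            pieces += [(next(ports), a, b) for a, b in subs[:-1]]
            tails.append((subs[-1], c, len(subs) - 1))
        counts, sent = probe_pieces(pieces)
        packets, reports, i = packets + sent, reports + 1, 0
        for (lo, hi), c, k in tails:
            for (_, a, b), x in zip(pieces[i:i + k], counts[i:i + k]):
                record(a, b, x, found, live)
            record(lo, hi, c - sum(counts[i:i + k]), found, live)  # last piece inferred, unprobed
            i += k
    return found, packets, reports
```

The returned packet and report counts are the two costs the slides' simulation analysis trades off: a larger cancellation factor multiplies packets, while each extra round waits for one more published report.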

Improvements – Speed Up Attack
- Stop working on an interval once some percentage of its monitored IPs has been found
  - Creates a superset of sensor IPs (false positives)
- Discard an interval when its monitored IPs fall below some threshold
  - Creates a subset of sensor IPs (false negatives)

Improvements – Speed Up Attack
- Multiple Source Technique
  - Further divide an interval into some number of pieces (the Multiple Source Factor)
  - Send packets from 2^(i-1) source addresses to each address in the ith piece
  - Use the number of sources reported to determine which pieces had no monitored IPs

Improvements – Speed Up Attack
- Example: Multiple Source Technique
  - (Figure: an interval divided into three pieces, probed from 1, 2, and 4 sources respectively)
  - Five sources reported
  - So the monitored addresses are in the first and third pieces (1 + 4 = 5)
- More efficient: reduces the size of the intervals for the next iteration
- Limited use: exponential increase in the number of packets

Simulation Analysis
- Three attacker models
  - T1 Attacker: 1.544 Mbps upload bandwidth
  - T3 Attacker: 38.4 Mbps upload bandwidth
  - OC6 Attacker: 384 Mbps upload bandwidth

Simulation Analysis
- Actual set of monitored IP addresses
  - T1 Attacker
    - Report Noise Cancellation Factor of 2
    - Does not use the Multiple Source Technique
    - 33 days, 17 hours; 9.5 billion packets
  - T3 Attacker
    - Multiple Source Factor of 2
    - 4 days, 16 hours; 14 billion packets

Simulation Analysis
- Actual set of monitored IP addresses
  - OC6 Attacker
    - Report Noise Cancellation Factor of 8
    - Multiple Source Factor of 2
    - Source Based Noise Cancellation Factor of 4
    - 70 hours

Simulation Analysis
- Superset
  - T3 Attacker
  - Maximum false positive rate .94
  - Report Noise Cancellation Factor of 4
  - Multiple Source Factor of 2
  - Reduction from 112 hours to 78 hours
  - 3.5 million false positives
  - Number of probes reduced by less than 1%

Simulation Analysis
- Subset
  - T1 Attacker
  - Maximum false negative rate .001
  - Report Noise Cancellation Factor of 2
  - Uses only a single source
  - 33 days, 17 hours reduced to 15 days, 18 hours
  - Reduction from 9.5 billion to 4.4 billion packets
  - Misses 26% of sensors

Countermeasures
- Current methods do not prevent probe response attacks
  - Hashing/encrypting source IP addresses
  - Bloom filters
- Impractical methods
  - Information limiting: also limits the usefulness of the network
  - IPv6 adoption: outside the control of the sensor network
- Delayed reporting
  - Attack takes more time to complete
  - Attacker can use a non-adaptive algorithm instead

Summary
- Consequences of an attacker mapping a set of sensor IPs are severe
  - Could avoid monitored IPs in any future scanning
  - Could include the blacklist in any released worms
  - Could flood monitored addresses so that real alerts go unnoticed
- Recovery would be extremely time consuming

Contributions
- Introduction of a new class of attacks
- Case study and extensive simulations to determine optimal parameters and produce time estimates
- Insight into the factors affecting success
- Modifications to map other networks

Weaknesses
- Algorithm is sensor-network-specific
- Time and resources involved
- Countermeasures are treated only briefly

Future Work
- Development and evaluation of a non-adaptive approach for determining sensor locations
- Study of the effectiveness of delayed-reporting countermeasures