Network Measurements: Unused IP address space traffic analysis at SSSUP Campus Network
Francesco Paolucci, Piero Castoldi
Research Unit at Scuola Superiore Sant’Anna, Pisa, Italy
Italy-Tunisia Research Project sponsored by MIUR under the FIRB International program
1st year plenary meeting, Tunis, March 29, 2007
2 Unused address space traffic
Dumping Internet traffic sent to unused IP address space can give information about attacks towards the target subnetwork. Since there is no legitimate reason for a host to send packets to those destinations, such traffic provides strong evidence of malicious activity, including DDoS backscatter, port scanning, and probe activity from active worms.
3 Useful Tools
Two kinds of tools acquire information about unused-address traffic:
Network telescopes
–They work by monitoring traffic sent to communication dead-ends such as unallocated portions of the IP address space.
–They can potentially provide early warning of a scanning-worm outbreak, and can yield excellent forensic information.
Honeypots
–are closely monitored network decoys serving several purposes
–they can distract adversaries from more valuable machines on a network
–they allow in-depth examination of adversaries during and after exploitation of a honeypot.
When coupled with honeypots, telescopes can be used to interact with potentially malicious traffic in order to determine the intent behind the traffic, including the particular vulnerabilities being exploited and the follow-on activity after a compromise succeeds.
4 SSSUP Unused traffic dumping
Scuola Superiore Sant’Anna Campus Network
–8 different sites in Pisa and Pontedera
–Average incoming traffic: 25 Mbit/s
–4 class-C address spaces
–Total IP address space = 1016
–Utilized IP address space = 162 (16%)
NETWORK SNIFFER & ANALYZER
Measurement tools
–Linux box PC equipped with a high-performance Intel Network Interface Card
–Sniffer: Dumpcap (Wireshark suite)
–Analyzer and offline filtering: Tshark & Wireshark
–Dumping point: last switch towards the GARR network, NO NAT, NO FIREWALL.
5 Dumping methodology
Only incoming traffic is traced
1-hour long dumping twice a day for a week
–Most of the anomalous activities last less than 1 hour
–Day-time and night-time traces give indications about high and low human-user traffic characteristics
Light online filtering
Complex offline filtering (filter on the entire IP address space set)
6 Global traffic results: 25 Mbit/s
TCP packets (86%)
UDP packets (13%)
About 80% of the traffic is driven by peer-to-peer applications.
Within high-port traffic (src and dst > 1024) the port values are distributed (no particular values emerge): p2p applications choose random high ports.
7 Unused traffic main results
Traffic to unused addresses represents 0.2% of the total incoming packets on the whole subnet.
4 pkts/s, average rate 6 kbit/s
The traffic activity profile is constant and independent of the time of day (no profile differences between day-time and night-time)
Almost all of the traffic consists of TCP SYN or UDP spam packets
8 Packet statistics
TCP and ICMP packets are quite short (SYN, PING = 70 bytes long)
UDP packets are longer (500 bytes long)
9 Unused traffic sources
Table: Source IP | Packets | % Total Packets (values not recoverable from the slide)
10 TCP destination ports statistics
Port 445 (Microsoft-DS: Active Directory, Windows shares; Sasser worm, Agobot, Zotob worm)
Port 135 (EPMAP (End Point Mapper) / Microsoft RPC Locator Service; Nachi or MSBlast worms)
Port 22 (SSH SYN)
These three ports represent more than 75% of the total TCP traffic
11 UDP destination ports statistics
Port 1026 (CAP, Calendar Access Protocol; Windows Messenger spam)
Port 1027 (unassigned; Messenger spam)
Port 1434 (MS-SQL; systems infected with SQL Slammer)
These three ports represent 97% of the total UDP traffic
12 ICMP packets
Type 8 (Ping request): 96%
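The offline filtering step of slide 5 (keep only packets whose destination lies in the unused part of the campus address space) and the per-protocol breakdown of slides 7 to 12, as an added Python example; this is not the authors' tooling. The four /24 prefixes, the assigned-host set and the trace lines are constructed placeholders shaped like `tshark -T fields` output.

```python
import ipaddress
from collections import Counter

# Constructed placeholder prefixes standing in for the campus's four class-C
# networks (the real prefixes are not on the slides): 4 x 254 = 1016 hosts.
CAMPUS_NETS = ["10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24", "10.10.4.0/24"]
# Constructed: addresses actually assigned to hosts (162 on the real network).
USED_HOSTS = {"10.10.1.1", "10.10.1.10", "10.10.2.5", "10.10.3.7"}

def unused_addresses(nets, used):
    """Whole campus host space minus assigned hosts: the telescope filter set."""
    hosts = {str(h) for n in nets for h in ipaddress.ip_network(n).hosts()}
    return hosts - set(used)

# Constructed trace in the shape of `tshark -T fields` output, one packet per
# line: src dst proto dstport tcp-flags-or-icmp-type frame-length
TRACE = """\
198.51.100.9 10.10.1.1 TCP 80 S 70
198.51.100.9 10.10.1.77 TCP 445 S 70
198.51.100.9 10.10.1.78 TCP 445 S 70
203.0.113.4 10.10.2.200 TCP 135 S 70
203.0.113.4 10.10.3.7 TCP 443 S 70
192.0.2.33 10.10.4.12 UDP 1026 - 500
192.0.2.33 10.10.4.13 UDP 1027 - 500
192.0.2.33 10.10.1.10 UDP 53 - 90
198.51.100.200 10.10.3.250 ICMP 0 8 70
"""

def analyze(trace, unused):
    """Keep only packets whose destination is unused, then profile them the way
    slides 7-12 do: protocol mix, SYN share, top ports, ICMP echo requests."""
    stats = {"total": 0, "unused": 0, "bytes": 0, "syn": 0, "icmp_echo": 0,
             "proto": Counter(), "tcp_ports": Counter(), "udp_ports": Counter()}
    for line in trace.splitlines():
        _src, dst, proto, dport, flags, length = line.split()
        stats["total"] += 1
        if dst not in unused:
            continue  # destination is a legitimate host, not telescope traffic
        stats["unused"] += 1
        stats["proto"][proto] += 1
        stats["bytes"] += int(length)
        if proto == "TCP":
            stats["tcp_ports"][int(dport)] += 1
            stats["syn"] += int(flags == "S")
        elif proto == "UDP":
            stats["udp_ports"][int(dport)] += 1
        elif proto == "ICMP":
            stats["icmp_echo"] += int(flags == "8")
    stats["unused_share"] = stats["unused"] / stats["total"]
    return stats
```

On a real capture the same loop runs over `tshark -r trace.pcap -T fields -e ip.src -e ip.dst ...` output, with the unused set built from the actual campus prefixes and host inventory.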
13 Burstiness characteristics
Similar behaviour at day and night time
Peaks of 3-4 Mbit/s instantaneous rate in 300 ms interval events (SPAM)
Average SCAN and ICMP events: 1 kbit/s
(Figures: DAY and NIGHT traces)
14 Traffic burstiness sorted by protocol
Different behaviour between TCP, UDP and ICMP traffic
TCP
–“Constant” bursts (1 packet, t_inter = 4 s, duration = 0.2 s, rate 0.4 kbit/s)
–Burst train events (event duration = 100 s, each burst lasts 0.3 s with 200 kbit/s peak rate)
UDP
–Isolated 0.2 s long bursts with up to 3 Mbit/s peak rate (SPAM)
ICMP
–Similar behaviour to TCP but with lower peak and average rate (PING)