Network Measurements: Unused IP address space traffic analysis at SSSUP Campus Network Francesco Paolucci, Piero Castoldi Research Unit at Scuola Superiore.


Slide 1: Network Measurements: Unused IP address space traffic analysis at SSSUP Campus Network
Francesco Paolucci, Piero Castoldi, Research Unit at Scuola Superiore Sant'Anna, Pisa, Italy
Italy-Tunisia Research Project sponsored by MIUR under the FIRB International program, 1st year plenary meeting, Tunis, March 29, 2007

Slide 2: Unused address space traffic
Dumping Internet traffic sent to unused IP address space can give information about attacks towards the target subnetwork. Since there is no legitimate reason for a host to send packets to those destinations, such traffic provides strong evidence of malicious activity, including DDoS backscatter, port scanning, and probe activity from active worms.

Slide 3: Useful tools
Two kinds of tools acquire information about traffic to unused addresses:
Network telescopes
– work by monitoring traffic sent to communication dead-ends such as unallocated portions of the IP address space
– can potentially provide early warning of a scanning-worm outbreak, and can yield excellent forensic information
Honeypots
– are closely monitored network decoys serving several purposes
– can distract adversaries from more valuable machines on a network
– allow in-depth examination of adversaries during and after exploitation of a honeypot
When coupled with honeypots, telescopes can be used to interact with potentially malicious traffic in order to determine the intent behind the traffic, including the particular vulnerabilities being exploited and the follow-on activity after a compromise succeeds.

Slide 4: SSSUP unused traffic dumping
Scuola Superiore Sant'Anna Campus Network
– 8 different sites in Pisa and Pontedera
– Average incoming traffic: 25 Mbit/s
– 4 class-C address space
– Total IP address space = 1016
– Utilized IP address space = 162 (16%)
Measurement tools (network sniffer & analyzer)
– Linux box PC equipped with a high-performance Intel network interface card
– Sniffer: Dumpcap (Wireshark suite)
– Analyzer and offline filtering: Tshark & Wireshark
– Dumping point: last switch before the GARR network, no NAT, no firewall

Slide 5: Dumping methodology
– Only incoming traffic is traced
– 1-hour long dumping twice a day for a week
  – Most anomalous activities last less than 1 hour
  – Day-time and night-time traces give indications about high and low human user traffic characteristics
– Light online filtering
– Complex offline filtering (set filter over the entire IP address space)
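The offline step above selects packets whose destination is one of the unused campus addresses. The following is an added example (not code from the presentation) of how such a set filter can be generated for tshark from the address plan: the four class-C blocks and the 162 utilised addresses are not named in the slides, so 10.0.0.0/22 and a constructed "used" list stand in for them.

```python
import ipaddress

# Constructed placeholders: the slides report four class-C blocks (1016 host
# addresses, 162 in use) but do not name them, so 10.0.0.0/22 stands in here,
# with the first 162 host addresses of the first block marked as utilised.
CAMPUS_PREFIXES = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
USED_HOSTS = [str(h) for h in ipaddress.ip_network("10.0.0.0/24").hosts()][:162]


def host_addresses(prefixes):
    """Usable host addresses of the campus blocks (network/broadcast excluded)."""
    hosts = []
    for p in prefixes:
        hosts.extend(ipaddress.ip_network(p).hosts())
    return hosts


def unused_hosts(prefixes, used):
    """Campus addresses with no host assigned: the set the telescope watches."""
    used_set = {ipaddress.ip_address(u) for u in used}
    return [h for h in host_addresses(prefixes) if h not in used_set]


def utilisation_percent(prefixes, used):
    return round(100.0 * len(used) / len(host_addresses(prefixes)), 1)


def tshark_unused_filter(prefixes, used, field="ip.dst"):
    """Display filter selecting packets addressed to an unused campus address.
    The set is listed explicitly, so the expression is long but exact; apply it
    offline to a dump as:  tshark -r dump.pcap -Y "<filter>"
    """
    members = " ".join(str(h) for h in unused_hosts(prefixes, used))
    return f"{field} in {{{members}}}"


if __name__ == "__main__":
    print(len(unused_hosts(CAMPUS_PREFIXES, USED_HOSTS)), "unused addresses")
    print(utilisation_percent(CAMPUS_PREFIXES, USED_HOSTS), "% of address space in use")
    print(tshark_unused_filter(CAMPUS_PREFIXES, USED_HOSTS)[:60] + " ...")
```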

Slide 6: Global traffic results
– 25 Mbit/s: TCP packets (86%), UDP packets (13%)
– About 80% of the traffic is driven by peer-to-peer applications.
– Within high-port traffic (src and dst > 1024), port values are spread out (no particular values emerge): p2p applications choose random high ports.

Slide 7: Unused traffic main results
– Traffic to unused addresses represents 0.2% of the total incoming packets on the whole subnet: 4 pkts/s, average rate 6 kbit/s
– The traffic activity profile is constant and independent of the time of day (no profile differences between day and night)
– Almost all of this traffic is TCP SYN or UDP spam packets

Slide 8: Packet statistics
– TCP and ICMP packets are quite short (SYN, ping: 70 bytes long)
– UDP packets are longer (500 bytes long)

Slide 9: Unused traffic sources
(Table of source IP, packets and % of total packets; the values did not survive extraction.)

Slide 10: TCP destination port statistics
– Port 445 (Microsoft-DS, Active Directory, Windows shares; Sasser worm, Agobot, Zobot worm)
– Port 135 (EPMAP (End Point Mapper) / Microsoft RPC Locator Service; Nachi or MSBlast worms)
– Port 22 (SSH SYN)
These three ports represent more than 75% of the total TCP traffic.

Slide 11: UDP destination port statistics
– Port 1026 (CAP, Calendar Access Protocol; Windows Messenger spam)
– Port 1027 (unassigned; Messenger spam)
– Port 1434 (MS-SQL; systems infected with SQL Slammer)
These three ports represent 97% of the total UDP traffic.

Slide 12: ICMP packets
Type 8 (echo request, ping): 96%
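Slides 7 to 12 summarise the dump as a share of all incoming packets, a rate, and a protocol and destination-port mix. This added example (not the presenters' analysis code) computes those same figures from packet records such as tshark could export; the campus block, the two live hosts and the eight packet records are constructed and use RFC 5737 documentation addresses.

```python
from collections import Counter
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class Pkt:
    t: float         # capture timestamp in seconds
    src: str
    dst: str
    proto: str       # "tcp", "udp" or "icmp"
    dport: int       # 0 for ICMP
    length: int      # bytes on the wire
    flags: str = ""  # TCP flags, "S" = bare SYN

# Constructed sample: one placeholder campus block, two live hosts, 8 s window.
CAMPUS = [ipaddress.ip_network("192.0.2.0/24")]
USED = {ipaddress.ip_address("192.0.2.10"), ipaddress.ip_address("192.0.2.20")}
SAMPLE = [
    Pkt(0.0, "198.51.100.7", "192.0.2.10", "tcp", 80, 60, "S"),   # live host
    Pkt(1.0, "198.51.100.9", "192.0.2.77", "tcp", 445, 70, "S"),  # SMB probe
    Pkt(2.0, "198.51.100.9", "192.0.2.78", "tcp", 135, 70, "S"),  # RPC probe
    Pkt(4.0, "203.0.113.40", "192.0.2.99", "udp", 1026, 500),     # Messenger spam
    Pkt(5.0, "203.0.113.41", "192.0.2.120", "icmp", 0, 70),       # ping sweep
    Pkt(6.0, "198.51.100.9", "192.0.2.77", "tcp", 445, 70, "S"),
    Pkt(7.0, "198.51.100.9", "203.0.113.5", "tcp", 22, 60, "S"),  # not campus
    Pkt(8.0, "203.0.113.42", "192.0.2.130", "tcp", 22, 70, "S"),  # SSH probe
]

def to_unused(pkt, campus=CAMPUS, used=USED):
    """True if the destination is a campus address with no host assigned."""
    a = ipaddress.ip_address(pkt.dst)
    for net in campus:
        if a in net:
            return a not in used and a not in (net.network_address, net.broadcast_address)
    return False

def unused_stats(pkts, campus=CAMPUS, used=USED):
    """Share of all packets, rate, SYN share, protocol/port mix and sources (slides 7-12)."""
    unused = [p for p in pkts if to_unused(p, campus, used)]
    span = max(p.t for p in pkts) - min(p.t for p in pkts)
    return {
        "share": len(unused) / len(pkts),
        "kbps": 8 * sum(p.length for p in unused) / span / 1000,
        "syn_share": sum(p.proto == "tcp" and p.flags == "S" for p in unused) / len(unused),
        "proto": Counter(p.proto for p in unused),
        "tcp_dport": Counter(p.dport for p in unused if p.proto == "tcp"),
        "udp_dport": Counter(p.dport for p in unused if p.proto == "udp"),
        "sources": Counter(p.src for p in unused),
    }
```

On a real dump the records would be fed from `tshark -T fields` output and the campus block and live-host set replaced with the site's own address plan.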

Slide 13: Burstiness characteristics
– Similar behaviour at day and night time
– Peaks of 3-4 Mbit/s instantaneous rate in 300 ms interval events (spam)
– Average scan and ICMP events: 1 kbit/s
(Plots: day, night)

Slide 14: Traffic burstiness sorted by protocol
Different behaviour between TCP, UDP and ICMP traffic
TCP
– "Constant" bursts (1 packet, inter-arrival time t_inter = 4 s, duration 0.2 s, rate 0.4 kbit/s)
– Burst train events (event duration 100 s, each burst lasts 0.3 s with 200 kbit/s peak rate)
UDP
– Isolated 0.2 s long bursts with up to 3 Mbit/s peak rate (spam)
ICMP
– Similar behaviour to TCP but lower peak and average rate (ping)