SANS Technology Institute - Candidate for Master of Science Degree
1 The Afterglow Effect and Peer 2 Peer Networks
Jay Radcliffe, June 2010
GIAC: GSEC Gold, GCIH Gold, GCIA Gold, GCFA, GLEG, GLIT, GSPA, GLDR, GPEN, GWAPT

2 Objective
How can statistical analysis be used to view network connections?
What types of connection patterns can be found in peer-to-peer afterglow traffic?
Can any pattern or marker be identified that would indicate malicious post-termination connections?

3 What is P2P Networking?
Peer-to-peer networking is a distributed architecture designed to make file sharing more efficient: every participant both downloads and serves pieces of the content. BitTorrent is a P2P method that uses trackers to keep a list of the peers participating in the sharing of a single torrent, which may contain one or more files.

4 P2P Afterglow
An "afterglow" connection is an inbound connection attempt that arrives after the client has terminated the P2P session. The tracker removes the client's IP address from its list of participating peers after a certain period of time, usually less than 20 minutes, so attempts that keep arriving well beyond that window come from peers that still hold the address rather than from the tracker.

5 Test Setup
The client sits behind a firewall, with a monitoring box running Snort.
Snort rules are set up to record new inbound TCP connections (SYN only) and UDP connections on the unique port number used by the BitTorrent client.

6 Test Conditions
Initiate a BitTorrent P2P session using a Fedora installation DVD ISO image.
Terminate the torrent session after twelve hours.
Continue monitoring for 14 hours after termination, tracking afterglow connections.

7 Test Data Results
Connections are tallied in 10-minute increments (for example, 00:00-00:10: 20 connections).

8 Results (Quantitative)
The connection counts were not normally distributed, which makes the usual parametric summaries (mean and standard deviation) a poor description of the data. All three test runs had wide variance in standard deviation and skew.

             Trial #1       Trial #2        Trial #3
N
Mean (SD)    1.54 (3.41)    9.99 (17.05)    (60.66)
Skew
Kurtosis

9 Results (Qualitative)

10 Results (Source Country)
Whois/ARIN data was used to look up the source countries of the afterglow connections. Top five sources per trial:

    Trial #1                Trial #2                  Trial #3
    USA            26.77%   USA              29.73%   USA         20.36%
    Brazil         24.80%   China             7.68%   Brazil       6.41%
    Poland          7.87%   France            4.87%   Russia       5.81%
    Thailand        7.87%   Great Britain     4.55%   Canada       5.23%
    Russia          7.48%   Netherlands       4.29%   China        4.47%

Whois returns the country of the address block's registrant, which is not necessarily where the connecting host is located, so these percentages describe allocation rather than geolocation.

11 Unique Anomaly

12 Unique Anomaly
Theories on why there are spikes every two hours:
- Unique client code (timeout/retry logic, cached peer list)
- Dropped or filtered traffic
- Malicious retry to verify disconnection
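The tallying described on slides 7 and 8 and the two-hour spike on slides 11 and 12 can both be checked mechanically once the Snort alerts are reduced to (seconds after termination, source IP, protocol) records. The following is an added example written for this page, not code from the original presentation; the input records are constructed (addresses come from the RFC 5737 documentation ranges) and the two-hour period, the ten-minute bin width and the choice to skip the first hour of the afterglow when looking for periodicity are assumptions stated in the code.

```python
"""Bin afterglow connection attempts into 10-minute increments, describe
the distribution, and look for a fixed-period retry schedule.

Added example; SAMPLE_EVENTS is constructed, not captured data.  A real run
would feed parsed Snort alert fields (time, src, proto) into the same
functions.
"""
from collections import defaultdict
from statistics import mean, stdev

BIN_SECONDS = 600            # 10-minute increments, as in the slides
HORIZON_SECONDS = 14 * 3600  # 14 hours of post-termination monitoring

# (seconds after the torrent session was terminated, source IP, protocol).
# Constructed: a tapering background of leftover peers in the first two
# hours, one source that comes back exactly every two hours, five times,
# and one source that tries twice within ten seconds.
SAMPLE_EVENTS = (
    [(t, "203.0.113.%d" % (i + 1), "tcp")
     for i, t in enumerate(range(0, 3600, 120))]          # 30 in hour 1
    + [(t, "203.0.113.%d" % (100 + i), "udp")
       for i, t in enumerate(range(3600, 7200, 600))]     # 6 in hour 2
    + [(t, "198.51.100.7", "tcp") for t in range(0, 5 * 7200, 7200)]
    + [(25000, "192.0.2.44", "tcp"), (25010, "192.0.2.44", "tcp")]
)


def bin_connections(events, bin_seconds=BIN_SECONDS, horizon=HORIZON_SECONDS):
    """Per-bin connection counts covering [0, horizon); late events dropped."""
    counts = [0] * (horizon // bin_seconds)
    for t, _src, _proto in events:
        if 0 <= t < horizon:
            counts[t // bin_seconds] += 1
    return counts


def describe(counts):
    """Mean, sample SD, skewness and excess kurtosis of the per-bin counts.

    Skew and kurtosis are reported alongside mean/SD because a heavy right
    tail (many empty bins, a few large ones) is what makes mean and SD
    alone misleading for afterglow data.
    """
    n = len(counts)
    mu = mean(counts)
    m2 = sum((c - mu) ** 2 for c in counts) / n
    m3 = sum((c - mu) ** 3 for c in counts) / n
    m4 = sum((c - mu) ** 4 for c in counts) / n
    return {
        "n": n,
        "mean": mu,
        "sd": stdev(counts),
        "skew": m3 / m2 ** 1.5 if m2 else 0.0,
        "kurtosis": m4 / m2 ** 2 - 3.0 if m2 else 0.0,
    }


def periodic_phase(counts, period_bins=12, skip_bins=6):
    """Phase (bin index mod period) carrying the most connections, and its
    mean count relative to the overall per-bin mean.

    period_bins=12 is two hours of 10-minute bins.  skip_bins=6 is an
    assumption: the first hour is the tail of the live session and would
    otherwise dominate every phase test.  A ratio near 1 means no periodic
    structure at this period.
    """
    by_phase = defaultdict(list)
    for i in range(skip_bins, len(counts)):
        by_phase[i % period_bins].append(counts[i])
    overall = mean(counts[skip_bins:])
    phase_means = {p: mean(v) for p, v in by_phase.items()}
    best = max(phase_means, key=phase_means.get)
    return best, (phase_means[best] / overall if overall else 0.0)


def retry_schedules(events, min_attempts=3):
    """For each source seen at least min_attempts times, the gaps in seconds
    between its consecutive attempts.

    Gaps that are all the same value point at a timer, whether a client's
    retry logic or a deliberate re-probe; separating those two is what the
    packet-level follow-up in the slides would have to do.
    """
    times = defaultdict(list)
    for t, src, _proto in events:
        times[src].append(t)
    return {
        src: [b - a for a, b in zip(sorted(ts), sorted(ts)[1:])]
        for src, ts in times.items()
        if len(ts) >= min_attempts
    }


if __name__ == "__main__":
    counts = bin_connections(SAMPLE_EVENTS)
    print(describe(counts))
    print("strongest 2h phase, ratio:", periodic_phase(counts))
    print("repeat sources:", retry_schedules(SAMPLE_EVENTS))
```

On the constructed input the per-bin counts are strongly right-skewed, phase 0 of the two-hour cycle carries several times the average bin, and the only source with a repeating schedule is 198.51.100.7 with four identical 7200-second gaps. The same three checks applied to each trial's Snort log would turn slide 12's theories into testable statements: a client-side timer shows up as one or a few sources with constant gaps, while dropped or filtered traffic shows up as a change in the aggregate counts without any single source repeating.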

13 Study Limitations
- Limited number of trial runs
- Identical "safe" torrent files
- Wide variance in connection rates

14 Directions for the Future
Ideas for follow-up research:
- Client identification (certain P2P clients might have a fingerprint or signature)
- Packet analysis (flags or structure in afterglow connections that identify malicious or atypical connections)
- Traffic analysis (do other protocols or attacks exhibit similar patterns, such as a two-hour retry interval with five attempts?)
- Torrent variance (movies, music, etc.)

15 Summary
Qualitative statistical analysis can be used to look at network traffic for anomalies and patterns; quantitative analysis is harder because the data is not normally distributed. Unexplained connection patterns exist in P2P afterglow connections.