Measurement and Diagnosis of Address Misconfigured P2P traffic Zhichun Li, Anup Goyal, Yan Chen and Aleksandar Kuzmanovic Lab for Internet and Security Technology (LIST) Northwestern Univ.
Measurement and Diagnosis of Address Misconfigured P2P traffic Zhichun Li, Anup Goyal, Yan Chen and Aleksandar Kuzmanovic Lab for Internet and Security Technology (LIST) Northwestern Univ.

2 What is P2P address misconfiguration?
Thousands of peers send P2P file-downloading requests to a “random” target on the Internet, one that may not even be part of the P2P system.
[Figure: peers sending address-misconfigured P2P traffic to a “random” target on the Internet]

3 Motivations
P2P file sharing accounted for > 60% of traffic in the USA and > 80% in Asia
The P2P software DC++ has already been exploited by attackers for DoS
–Directs gigabits of “junk” data per second to a victim host from more than 150,000 peers
End user perspective
–Involves innocent users in DDoS attacks without their knowledge
–Anti-P2P arms race
–Downloading performance
ISP perspective
–Reduce unwanted traffic for a “green” Internet
–We were contacted by an ISP in Canada
P2P developer perspective
–Identify the buggy software among a large number of variants
–Help design more robust P2P software

4 Outline
Motivation
Passive measurement results
P2PScope system design
Root cause diagnosis and analysis
Conclusion

5 Passive Measurement
Honeynet/honeyfarm datasets
Events: # of unique sources > 100 in 6 hours

            LBL          NU           GQ
Sensor      5 /24        10 /24       4 /16
Traces      901GB        916GB        49GB
Duration    47 months    16 months    26 days

Processing steps: scan traffic removal, event time window extraction, target identification
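The event criterion on this slide (more than 100 unique sources contacting one target within 6 hours) and the three processing steps can be run over honeynet connection records with a sliding window. The code below is an added illustration, not the authors' measurement pipeline: the record format, the scanner heuristic (a source that touches more than 16 distinct honeynet IPs is treated as scan traffic) and the log lines are constructed here, using documentation address ranges.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Slide 5's event criterion: more than 100 unique sources hitting one target within 6 hours.
EVENT_WINDOW = timedelta(hours=6)
EVENT_MIN_SOURCES = 100
# Assumption (not from the slides): a source that touches more than this many distinct
# honeynet IPs is treated as a scanner and removed before event identification.
SCAN_MAX_TARGETS = 16


def parse_line(line):
    """Parse one constructed record: '<ISO timestamp> <src_ip> <dst_ip> <dst_port>'."""
    ts, src, dst, dport = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), src, dst, int(dport)


def remove_scanners(records):
    """Scan traffic removal: drop every record from sources that fan out across the sensor."""
    targets = defaultdict(set)
    for _, src, dst, _ in records:
        targets[src].add(dst)
    scanners = {src for src, dsts in targets.items() if len(dsts) > SCAN_MAX_TARGETS}
    return [r for r in records if r[1] not in scanners], scanners


def find_events(records):
    """Event identification and time-window extraction per (target IP, port).

    A sliding 6-hour window counts distinct sources; the target becomes an event
    the first time that count exceeds EVENT_MIN_SOURCES.
    """
    by_target = defaultdict(list)
    for ts, src, dst, dport in records:
        by_target[(dst, dport)].append((ts, src))
    events = []
    for (dst, dport), hits in by_target.items():
        hits.sort()
        window = defaultdict(int)  # src -> number of hits inside the current window
        lo, peak, triggered_at = 0, 0, None
        for ts, src in hits:
            window[src] += 1
            # Expire hits older than 6 hours from the left edge of the window.
            while hits[lo][0] < ts - EVENT_WINDOW:
                old = hits[lo][1]
                window[old] -= 1
                if window[old] == 0:
                    del window[old]
                lo += 1
            if len(window) > peak:
                peak = len(window)
                if peak > EVENT_MIN_SOURCES and triggered_at is None:
                    triggered_at = ts
        if triggered_at is not None:
            events.append({
                "target": f"{dst}:{dport}",
                "first_seen": hits[0][0],
                "last_seen": hits[-1][0],
                "triggered_at": triggered_at,
                "peak_unique_sources": peak,
                "total_unique_sources": len({src for _, src in hits}),
            })
    return events


def build_sample_log():
    """Constructed honeynet records (TEST-NET addresses, not real trace data)."""
    base = datetime(2009, 3, 1, 0, 0, 0)
    lines = []
    # 120 distinct peers contact one honeynet IP on the eMule port within two hours.
    for i in range(120):
        ts = base + timedelta(minutes=i)
        lines.append(f"{ts.isoformat()} 203.0.113.{i + 1} 192.0.2.7 4662")
    # One source sweeps 40 honeynet IPs on port 445: scan traffic, not a P2P event.
    for j in range(1, 41):
        lines.append(f"2009-03-01T02:00:{j:02d} 198.51.100.250 192.0.2.{j} 445")
    # Five peers contact another honeynet IP on the BitTorrent port: below the threshold.
    for k in range(5):
        lines.append(f"2009-03-01T03:00:0{k} 203.0.113.{200 + k} 192.0.2.9 6881")
    return lines


def run_pipeline(lines):
    """Scan removal, then event identification; returns (events, removed scanner sources)."""
    records = [parse_line(line) for line in lines]
    kept, scanners = remove_scanners(records)
    return find_events(kept), scanners


if __name__ == "__main__":
    events, scanners = run_pipeline(build_sample_log())
    print("scanners removed:", sorted(scanners))
    for ev in events:
        print(ev)
```

On the constructed input only the eMule-port target becomes an event (120 unique sources, threshold crossed 100 minutes in); the port-445 sweep is dropped as scan traffic and the five BitTorrent-port sources stay below the threshold.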

6 Measurement Results
Event characteristics:
–Usually involve thousands of peers on average
–Duration: a few hours up to a month
Events per P2P system and sensor (LBL, NU), as extracted from the slide table: eMule; BitTorrent 74211; Gnutella 43; Soribada 60; Xunlei 120; VAgaa 11

7 Popularity
Growing trend:
–IP space: observed in three sensors in five different /8 IP prefixes
[Figure: total number of connections matching the P2P signatures over time; callout: 39%!]

8 Further Diagnosis
Problems with passive measurement on archived data:
–The events are already over
–Hard to backtrack the propagation
–Root cause?
Need a real-time backtracking and diagnosis system!

9 Outline
Motivation
Passive measurement results
P2PScope system design
Root cause diagnosis and analysis
Conclusion

10 Design of P2PScope System
Components: P2P-enabled honeynet, backtracking system, root cause inference
P2P-enabled honeynet:
–P2P payload signature based responder
–Protocol parsing for metadata (e.g. infohash; ‘abc.avi’)
–Event identification
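A payload-signature responder first has to recognise which protocol a captured payload speaks and then parse out metadata such as the infohash. As an added example (not the P2PScope code), the parser below recognises a BitTorrent handshake and an eDonkey/eMule TCP header by their fixed prefixes and extracts the infohash, the peer id (with the Azureus-style client code that identifies uTorrent, KTorrent or Azureus) and two reserved-byte flags from the handshake. The handshake and eDonkey messages it runs on are constructed test data; the client-code table is an assumption limited to the four entries shown.

```python
import re
import struct

BT_PSTR = b"BitTorrent protocol"
BT_HANDSHAKE_LEN = 1 + len(BT_PSTR) + 8 + 20 + 20   # 68 bytes
# Azureus-style peer ids: "-" + two-letter client code + four version digits + "-".
AZUREUS_STYLE = re.compile(rb"^-([A-Za-z]{2})(\d{4})-")
# Assumption: only these four client codes are mapped here.
CLIENT_CODES = {"AZ": "Azureus/Vuze", "UT": "uTorrent", "KT": "KTorrent", "TR": "Transmission"}
# eDonkey/eMule TCP messages start with a protocol byte followed by a little-endian length.
EDONKEY_PROTO = {0xE3: "eDonkey", 0xC5: "eMule-extended"}


def classify_payload(payload):
    """Cheap payload signature check deciding which protocol parser gets the bytes."""
    if len(payload) >= 20 and payload[0] == 19 and payload[1:20] == BT_PSTR:
        return "BitTorrent"
    if len(payload) >= 6 and payload[0] in EDONKEY_PROTO:
        (length,) = struct.unpack("<I", payload[1:5])
        if length >= 1:   # at least an opcode byte follows the header
            return EDONKEY_PROTO[payload[0]]
    return "unknown"


def parse_bt_handshake(payload):
    """Extract metadata from a BitTorrent handshake: infohash, peer id, client, reserved bits."""
    if len(payload) < BT_HANDSHAKE_LEN or payload[0] != 19 or payload[1:20] != BT_PSTR:
        raise ValueError("not a BitTorrent handshake")
    reserved = payload[20:28]
    info_hash = payload[28:48]
    peer_id = payload[48:68]
    m = AZUREUS_STYLE.match(peer_id)
    code = m.group(1).decode() if m else None
    return {
        "info_hash": info_hash.hex(),
        "peer_id": peer_id,
        "client": CLIENT_CODES.get(code, code) if code else "unknown",
        "version": m.group(2).decode() if m else None,
        "extension_protocol": bool(reserved[5] & 0x10),  # LTEP bit
        "dht": bool(reserved[7] & 0x01),                  # DHT bit
    }


def build_bt_handshake(info_hash, peer_id, ltep=True, dht=True):
    """Construct a handshake for testing (sample data, not a captured packet)."""
    assert len(info_hash) == 20 and len(peer_id) == 20
    reserved = bytearray(8)
    if ltep:
        reserved[5] |= 0x10
    if dht:
        reserved[7] |= 0x01
    return bytes([19]) + BT_PSTR + bytes(reserved) + info_hash + peer_id


def build_edonkey_hello():
    """Constructed eDonkey framing: 0xE3, little-endian length, opcode 0x01 (OP_HELLO), body."""
    body = b"\x01" + b"\x00" * 16
    return b"\xe3" + struct.pack("<I", len(body)) + body


if __name__ == "__main__":
    hs = build_bt_handshake(bytes.fromhex("ab" * 20), b"-KT3000-" + b"x" * 12)
    print(classify_payload(hs), parse_bt_handshake(hs))
    print(classify_payload(build_edonkey_hello()))
```

A responder keyed on these signatures can answer the handshake with a matching one and log the infohash per source, which is what turns a raw honeynet hit into an event record with an identified resource.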

11 Design of P2P Doctor System
Components: root cause inference, backtracking system, P2P-enabled honeynet
Backtracking system:
–Index server (tracker) crawling: BT top 100, eMule 185
–Peer exchange protocol crawling
–DHT crawling

12 Design of P2P Doctor System
Components: root cause inference, backtracking system, P2P-enabled honeynet
Root cause inference:
–Track the information flow of suspicious P2P software
–Track how honeynet IPs propagated in P2P systems
–Peer routability checking
–Anti-P2P analysis
–Hypothesis formulation and testing
In total ~7000 lines of Python, Perl and Bro

13 Outline
Motivation
Passive measurement results
P2P Doctor system design
Root cause diagnosis and analysis
Conclusion

14 Diagnosis & Analysis
Questions
–What is the root cause?
–Which peers spread misconfiguration?
–How is misconfiguration disseminated?
–How badly are individual clients affected?
Results
–Data plane traffic radiation
–Detailed results focus on eMule and BitTorrent

15 Data Plane Traffic Radiation
[Figure: resource mapping of a query “Who has avatar.avi?” via DHT, peer exchange and index server]

16 eMule – Root Cause
Byte ordering is the problem!

17 eMule – Root Cause
Byte ordering is the problem!
–61% of the reversed-address honeynet peers are indeed running eMule on the reported port number
–Of the backtracked peers in unroutable IP space, 69.6% have byte-reversed IPs that run eMule
Locate bugs in source code
–At least aMule (a popular eMule alternative) has the byte order bug
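The byte-order bug named on slides 16 and 17, and the peer routability check listed on slide 12, can both be shown in a few lines. The code below is an added illustration, not aMule's or KTorrent's actual code path: it serialises a peer's IPv4 address once correctly (network byte order) and once as a host-order little-endian integer, which reverses the octets on the wire, then applies the slide-17 heuristic to a constructed peer list: a peer address that is unroutable but becomes routable when its octets are reversed is a byte-order suspect. The unroutable prefix list and the sample addresses are assumptions made for the example; the study confirmed suspects by checking that the reversed address actually runs eMule, which this code does not do.

```python
import socket
import struct
from ipaddress import ip_address, ip_network

# Assumption (not from the slides): prefixes treated as unroutable on the public Internet.
UNROUTABLE = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def encode_peer_addr(addr, buggy=False):
    """Serialise an IPv4 address for a peer-exchange message.

    A correct client sends the 4 bytes in network byte order. The buggy variant
    treats the address as a host-order integer and packs it little-endian, which
    on x86 reverses the octets on the wire (a.b.c.d becomes d.c.b.a).
    """
    n = struct.unpack("!I", socket.inet_aton(addr))[0]
    return struct.pack("<I", n) if buggy else struct.pack("!I", n)


def decode_peer_addr(wire):
    """What the receiving peer believes: the 4 bytes are read in network byte order."""
    return socket.inet_ntoa(wire)


def reverse_octets(addr):
    """d.c.b.a for a.b.c.d, i.e. undo a byte-order bug."""
    return socket.inet_ntoa(socket.inet_aton(addr)[::-1])


def is_routable(addr):
    ip = ip_address(addr)
    return not any(ip in net for net in UNROUTABLE)


def classify_peers(peers):
    """Peer routability check plus the slide-17 heuristic.

    An unroutable peer whose reversed address is routable is a byte-order suspect;
    it is a candidate only, the reversed host still has to be checked for eMule.
    """
    result = {"routable": [], "unroutable": [], "byte_order_suspects": []}
    for p in peers:
        if is_routable(p):
            result["routable"].append(p)
        else:
            result["unroutable"].append(p)
            rev = reverse_octets(p)
            if rev != p and is_routable(rev):
                result["byte_order_suspects"].append((p, rev))
    return result


if __name__ == "__main__":
    real = "74.8.0.10"   # constructed example of a routable peer address
    print("correct :", decode_peer_addr(encode_peer_addr(real)))
    print("buggy   :", decode_peer_addr(encode_peer_addr(real, buggy=True)))
    # Constructed peer list as a backtracking crawler might return it.
    print(classify_peers(["74.8.0.10", "10.0.8.74", "10.10.10.10", "192.168.1.5"]))
```

Note what the sample shows: 74.8.0.10 sent by a buggy client arrives as 10.0.8.74, an RFC 1918 address that will never reach the intended peer, and the reversal heuristic recovers the original. It also flags 192.168.1.5 (reversed 5.1.168.192), which is why the study verified each candidate rather than trusting the heuristic alone.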

18 eMule – Peers & Dissemination
Which peers spread misconfiguration?
–99.24% of misconfigured peers are normal peers
How is the misconfiguration disseminated?
–Index server? No
–Peer exchange? Yes
–DHT? No
Percentage of bogus peers in the eMule network?
–[12.7%, 25.0%] with a total of 37,079 backtracked peers

19 BitTorrent – Root Cause I
Anti-P2P companies deliberately inject bogus peers!
–20% of the traffic we observed is related to anti-P2P peers
–They only return bogus peers or other anti-P2P peers
–They use the uTorrent peer exchange protocol to disseminate
–We found a particular peer farm: one /24 network, each IP running hundreds of peers; they run Azureus, the IPs also run VMware, and they return peers even for non-existent file hashes

20 BitTorrent – Root Cause II
KTorrent also has a byte-order bug
–Discovered using information flow tracking on KTorrent, uTorrent and Azureus
–Identified the actual bug, reported it to the KTorrent developers and got it confirmed
Misconfiguration propagation
–[fully] KTorrent: all peers exchanged from others
–[partial] uTorrent: all peers that respond to TCP handshaking
–[almost not] Azureus: all peers that respond to BitTorrent handshaking

21 Conclusions
The first study to measure and diagnose large-scale address-misconfigured P2P traffic
Found that 39% of Internet background radiation is caused by address misconfiguration
–Popular in various P2P systems, increasing 100% each year for four years, and scattered across the IPv4 space
For eMule, we found it is caused by a network byte order problem
For BitTorrent
–Anti-P2P companies deliberately inject bogus peers
–KTorrent has a byte order bug
