Characteristics of Internet Background Radiation. Authors: Ruoming Pang, Vinod Yegneswaran, Paul Barford, Vern Paxson, and Larry Peterson.
Characteristics of Internet Background Radiation. Authors: Ruoming Pang, Vinod Yegneswaran, Paul Barford, Vern Paxson, and Larry Peterson. Publisher: ACM Internet Measurement Conference (IMC), 2004. Presented by: Abu Rahat Chowdhury.

Today's Outline
– The Authors and their Problem Statements
– Objective & Terminology
– The Study and Network Telescope
– Measurement Methodology: Passive Measurement, Active Measurement
– Comments

The Authors
– Ruoming Pang: software engineer, Google NY
– Vinod Yegneswaran: graduate student, Computer Science and Statistics, University of Wisconsin
– Paul Barford: assistant professor, Department of Computer Sciences, University of Wisconsin-Madison
– Vern Paxson: associate professor, EECS Department, UC Berkeley
– Larry L. Peterson: professor, Department of Computer Science, Princeton, NJ 08544
Current research projects and thrusts: measurement, analysis, and security of wide area networked systems and network protocols.

The Problem
Background radiation reflects fundamentally nonproductive traffic, either malicious or benign. While the general presence of background radiation is well known to the network operator community, its nature has yet to be broadly characterized.
Goals of characterization:
– What is all this nonproductive traffic trying to do?
– How can we filter it out to detect new types of malicious activity?

Objective
To characterize background radiation based on:
– Types of attack, behavior, traffic composition, frequency, target networks, etc.
Secondary objectives:
– Development of an effective traffic filtering system
– Use of active responders to effectively identify the objective of attacks

Natural Background Radiation
We are all exposed to ionizing radiation from natural sources at all times. This radiation is called natural background radiation, and its main sources are the following:
– Radioactive substances in the earth's crust
– Emanation of radioactive gas from the earth
– Cosmic rays from outer space which bombard the earth
Source: Google Earth

Internet Background Radiation
The baseline "noise" of Internet traffic: every IP address, even an unused one, receives packets constantly. It is fundamentally nonproductive traffic:
– Traffic sent to unused addresses.
– Nonproductive traffic is either malicious (flooding backscatter, hostile scans, spam) or benign (misconfigurations).
– Pervasive in nature (hence "background").

Backscatter (figure; source: [MVS01])

Background Radiation
The volume of this traffic is not minor. For example, traffic logs from LBL for an arbitrarily chosen day show a total of about 8 million connection attempts (2/3 of the total).
Figure: taxonomy of background radiation into benign and malicious traffic: misconfiguration, backscatter, scans for vulnerabilities, worms.

The Study
Why do we study it? To understand Internet malware in action.
This paper is the first broad characterization of Internet background radiation.
Focus: traffic semantics. What is the traffic trying to do at the application level?
Measurement methodology: how do we extract the meaning of background radiation?

Measurement Apparatus: Network Telescope
Unused but globally reachable IP addresses.
Their main telescopes:
– Lawrence Berkeley National Lab
– Size: 1,280 addresses

Measurement Methodology: Passive Hit Pattern
What is the type and volume of observed traffic without actively responding to any packet?

How Often Do We See a Packet?
Feb 2006 at Lawrence Berkeley Lab (average over 1,280 IPs over a period of a week): 342 packets / destination IP / day, i.e. a packet every 4 minutes on any IP.
But how are radiation packets distributed:
– Among destination IPs? (Hotspots?)
– Over time?
Source: Ruoming Pang

Distribution over Destination IPs (figure: number of packets per destination IP received over a week)

Distribution over Destination IPs
Packets are in general evenly distributed among destinations. The biggest hotspot receives < 1% of packets.

Number of Source IPs Per Hour (figure: variation of the number of source IPs)
The number of source IPs also varies over time, but it is not correlated with packet volume.

Summary of Passive Observation
– TCP dominates (99% of the TCP packets are TCP/SYN)
– Near uniformity among destinations; hit pattern: sweeping or random
– Variation over time
– Considerable amount of ICMP traffic
– A smaller set of sources scan all possible IPs
– Most of the spoofed IPs are in class A
– The sources are expecting replies!
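The passive hit-pattern statistics summarized above (protocol mix, SYN fraction among TCP packets, per-destination uniformity and the biggest hotspot, packets per address per day, and a sweeping-versus-random hit order per source), computed over a constructed toy telescope trace. This is an added example, not code from the paper or the presenter: the 16-address telescope, the one-week window, the source addresses and all packet counts are made up, and the sweeping/random heuristic is a simplification assumed here.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address

TELESCOPE = [f"10.0.0.{i}" for i in range(1, 17)]  # constructed 16-address telescope
DAYS = 7                                           # constructed one-week observation window

@dataclass(frozen=True)
class Pkt:
    day: int           # day index within the trace
    src: str
    dst: str
    proto: str         # "tcp", "udp" or "icmp"
    syn: bool = False  # TCP SYN without ACK, i.e. a connection attempt
    dport: int = 0

def constructed_trace():
    """Toy trace in arrival order: three TCP scanners sweeping every address each day,
    two UDP/1434 and two ICMP probes with scattered targets, and one SYN/ACK
    backscatter source that always hits the first address (a deliberate hotspot)."""
    pkts = []
    for d in range(DAYS):
        for i, port in enumerate((80, 135, 445)):
            pkts += [Pkt(d, f"203.0.113.{i + 1}", dst, "tcp", True, port) for dst in TELESCOPE]
        for j in range(2):
            pkts.append(Pkt(d, f"192.0.2.{7 + j}", TELESCOPE[(2 * d + j) % 16], "udp", False, 1434))
            pkts.append(Pkt(d, f"192.0.2.{9 + j}", TELESCOPE[(3 * d + 7 * j) % 16], "icmp"))
        pkts.append(Pkt(d, "192.0.2.20", TELESCOPE[0], "tcp"))  # SYN/ACK backscatter, no SYN
    return pkts

def summarize(pkts, n_addrs=len(TELESCOPE), days=DAYS):
    """Aggregate statistics of the kind the passive measurement reports."""
    by_proto = Counter(p.proto for p in pkts)
    tcp = [p for p in pkts if p.proto == "tcp"]
    by_dst = Counter(p.dst for p in pkts)
    hot_dst, hot_n = by_dst.most_common(1)[0]
    per_ip_day = len(pkts) / (n_addrs * days)
    return {
        "tcp_share": by_proto["tcp"] / len(pkts),
        "syn_share_of_tcp": sum(p.syn for p in tcp) / len(tcp),
        "pkts_per_ip_per_day": per_ip_day,
        "minutes_between_pkts": 24 * 60 / per_ip_day,
        "hotspot": (hot_dst, hot_n, hot_n / len(pkts)),   # address, packets, share of all
    }

def hit_pattern(pkts, src):
    """'sweeping' if a source's first visits to distinct addresses arrive in address
    order, otherwise 'random' (a crude heuristic assumed here, not the paper's method)."""
    seen = []
    for p in pkts:
        if p.src == src and ip_address(p.dst) not in seen:
            seen.append(ip_address(p.dst))
    return "sweeping" if seen == sorted(seen) else "random"
```

On the real LBL telescope the same arithmetic turns 342 packets per address per day into one packet roughly every 4 minutes; here the toy trace gives about 3.3 packets per address per day.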

The Big Picture (figure: Internet, local network, unused IP space, monitored traffic)
Monitor network traffic to understand/track Internet attack activities: monitor incoming traffic to unused IP space. Active measurement.

Network Telescope
Use a honeypot to keep the conversation going (in the paper they used HoneyD and Active Sink):
– Answer PING
– Establish TCP connections
– Reply to application (e.g., HTTP) requests
– … until we find out what the intention is

Key Components
– Responding to application requests
– Taming the traffic volume (filter)
– Analyzing traffic semantics

Measurement Methodology (Application-Level Responders)
Data-driven:
– Which responders to build is based on observed traffic volumes
Application-level responders:
– Not only adhere to the structure of the underlying protocol, but also know what to say
New types of activities emerge over time, so responders also need to evolve.

Radiation Activity Classification
– Which malware is most active?
– What is the most popular application?
– Which vulnerability is most targeted?

A Rich Collection of Applications Are Targeted in the Background Radiation
– Windows RPC
– HTTP
– NetBIOS/CIFS/SMB
– Virus backdoors (MyDoom, Beagle, etc.)
– DameWare
– Universal PnP
– Microsoft SQL (Slammer)
– MySQL
– DNS
– BitTorrent

TCP Port 80 (HTTP)
Targeted against Microsoft IIS servers. The dominant activity is a WebDAV buffer-overrun exploit.

TCP Port 80 (HTTP): Port 80 activities (figure)

Summary of Active Observation
– Study dominant activities on the popular ports
– Same attacker seen on multiple networks
– Some sources avoid class A
– Traffic is divided by ports: consider all connections between a source-destination pair on a given destination port
– Background radiation concentrates on a small number of ports: only look at the most popular ports
– Many popular ports are also used by normal traffic, so the analysis must work at the application-semantic level
– Many replies are needed to see what is happening

Conclusion
Background radiation is complex in structure, highly automated, frequently malicious, potentially adversarial, and maturing at a rapid pace.
Passive measurement reveals only part of the story; we need to interact with the traffic to see what the actual objectives of the attacker are.

Strengths
– First attempt to characterize background radiation
– Good measurement methodology: detailed set of active responders for popular ports
– Meaningful data analysis: passive analysis shows that activities concentrate on popular ports; active analysis shows extreme dynamism in many aspects of background radiation

Weaknesses
– The filtering could be biased: it assumes the same kind of activity toward all destination IP addresses, so it fails to capture multi-vector worms that pick one exploit per IP address
– A significant number of connections did not proceed
– DHCP makes the source IP address less accurate as a source identity
– To what extent can the development of application-level responders be automated?
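The per-port sampling idea from the active-observation summary (connections grouped by source, destination and destination port, with only a few kept per source to tame the volume) and the filter bias listed under the weaknesses, shown on constructed data. This is an added example, not the paper's or the presenter's code: the filter below is a simplified model that keeps the first few connections per (source, destination port), the addresses are made up, and the activity labels are ground truth only because the data is constructed (a real telescope learns them only after responding).

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    dport: int
    activity: str  # ground-truth label, known here only because the data is constructed

def constructed_connections():
    """Toy trace: one source repeats a single HTTP probe against every address,
    another rotates through three RPC vectors, using a different one per address."""
    targets = [f"10.0.0.{i}" for i in range(1, 9)]          # constructed telescope addresses
    conns = [Conn("203.0.113.5", t, 80, "http-probe-A") for t in targets]
    vectors = ("rpc-vector-A", "rpc-vector-B", "rpc-vector-C")
    conns += [Conn("198.51.100.9", t, 135, vectors[i % 3]) for i, t in enumerate(targets)]
    return conns

def sample_per_source_port(conns, keep=2):
    """Keep the first `keep` connections from each (source, destination port); drop the rest.
    This encodes the assumption that a source does the same thing to every address."""
    seen = Counter()
    kept = []
    for c in conns:
        key = (c.src, c.dport)
        if seen[key] < keep:
            seen[key] += 1
            kept.append(c)
    return kept

def missed_activities(all_conns, kept):
    """Per (source, dport): activity labels present in the full trace but lost after filtering.
    A non-empty list is the multi-vector blind spot the slides describe."""
    full, sampled = defaultdict(set), defaultdict(set)
    for c in all_conns:
        full[(c.src, c.dport)].add(c.activity)
    for c in kept:
        sampled[(c.src, c.dport)].add(c.activity)
    return {key: sorted(full[key] - sampled[key]) for key in full}

def reduction(all_conns, kept):
    """Fraction of connections the filter removed (the volume-taming benefit)."""
    return 1 - len(kept) / len(all_conns)
```

Raising `keep` to the number of vectors closes the gap for this source, but a filter cannot know that number in advance, which is the bias the weaknesses slide points at.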

References & Backup Slides

References
[Barford2004] Paul Barford. Trends in Internet Measurement. Slides, University of Wisconsin, Fall 2004.
[MVS01] David Moore, Geoffrey M. Voelker, and Stefan Savage. Inferring Internet Denial-of-Service Activity. In Proceedings of the 10th USENIX Security Symposium, USENIX, August 2001.
Google Earth

Measurement Methodology (Experimental Setup)
Two different systems: iSink and LBL Sink.
Traces collected from three sites:
– Class A network
– UW campus
– Lawrence Berkeley Lab (LBL)
Same forms of application response, different underlying mechanisms.
Support two kinds of data analysis:
– Passive analysis: no filter, no responder
– Active analysis: with filter and responder

Experimental Setup: iSink (figure)

Experimental Setup: LBL Sink (figure)

Thank You