The Internet Motion Sensor: A Distributed Blackhole Monitoring System Presented By: Arun Krishnamurthy Authors: Michael Bailey, Evan Cooke, Farnam Jahanian,

The Internet Motion Sensor: A Distributed Blackhole Monitoring System
Presented by: Arun Krishnamurthy
Authors: Michael Bailey, Evan Cooke, Farnam Jahanian, Jose Nazario, David Watson
12th Annual Network and Distributed System Security Symposium (NDSS'05)

Presentation Outline
- The Threat Problem: why the Internet Motion Sensor (IMS) was created
- Introduction to IMS: what is it, what is it supposed to do, and what are its components?
- Observations: what nasty stuff did IMS find?
- My comments and conclusion: what rocked, what sucked, and suggestions for improvement

The Threat Problem
- A network that is always connected is highly vulnerable to threats.
- Threat properties:
  - Globally scoped.
  - May have no patches or fixes.
  - Evolutionary.
  - Can spread through the entire network within minutes.

The Threat Problem
- Promising method to investigate threats: monitor unused or dark address space.
- Issues:
  - Sensor coverage: the visibility of the system into Internet threats.
  - Service emulation: which services to emulate, and at what level to emulate them?

The Internet Motion Sensor (What is it?)
- Definition: a globally scoped Internet monitoring system whose objective is to measure, characterize, and track threats.
- Goals:
  - Maintain a level of interactivity that can differentiate traffic on the same service.
  - Provide visibility into Internet threats beyond address, geographical, and operational boundaries.
  - Enable characterization of emerging threats while minimizing incremental effort.

The Internet Motion Sensor (Architecture – Basic Idea)
- Consists of a set of distributed blackhole sensors, each monitoring a dedicated range of unused IP address space. Each blackhole sensor contains a passive and an active component.
- Passive component:
  - Records packets sent to the sensor's address space.
- Active component:
  - Responds to specific packets to elicit more data from the source.
  - Designed to extract the first payload of data across the major protocols.

The Internet Motion Sensor (Architecture – Diagram)

The Internet Motion Sensor (Architecture – Main Components)
- Distributed blackhole network: used to increase visibility into global threats.
- Lightweight active responder: provides enough interactivity that traffic on the same service can be differentiated, independent of application semantics.
- Payload signatures and caching: used to avoid recording duplicate payloads.

The Internet Motion Sensor (Distributed Blackhole Network)
- A large distributed sensor network built from address blocks of many sizes, scattered throughout the network.
- Using Moore's telescope analogy, larger address blocks have broader detection coverage.
- Different sensors observe different magnitudes and types of traffic.
(Figure: a /16 address sensor compared with a /8 address sensor.)

The Internet Motion Sensor (Lightweight Responder)
- Main responsibility is to elicit payloads for TCP connections.
- Two key contributions:
  - Ability to elicit payloads to differentiate traffic.
  - Ability to get responses across ports without application semantic information.

The Internet Motion Sensor (Lightweight Responder – Other Characteristics)
- Differentiates services: by using payload signatures, IMS can identify the presence of new worms even in extremely noisy conditions.
- Service agnostic: enables insight into less popular services. Example: backdoor ports on existing worms.
- One limitation: IMS provides little or no information on threats that depend on application-level responses.
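The port-agnostic responder described on the last two slides, as an added example (not code from the paper or the IMS project): a state machine that completes the TCP handshake on any port, keeps only the first data segment, and records everything else passively. The packet trace, the addresses and the probe bytes are constructed for the example; they are not real worm payloads.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    """Minimal view of a packet arriving at a blackhole sensor (constructed)."""
    src: str
    sport: int
    dport: int
    proto: str = "tcp"      # "tcp", "udp" or "icmp"
    flags: str = ""         # TCP flags as letters: S, A, P, F, R
    payload: bytes = b""


class LightweightResponder:
    """Elicits the first TCP payload on ANY port without knowing the service.

    Passive part: every packet is logged.  Active part: a SYN gets a SYN-ACK,
    the first data segment is captured, then the connection is reset."""

    def __init__(self):
        self.log = []        # passive component: every packet seen
        self.conns = {}      # (src, sport, dport) -> "SYN_RCVD" | "ESTABLISHED"
        self.payloads = []   # (src, dport, first payload) elicited by the responder

    def handle(self, pkt):
        """Return the reply the sensor would send ("SYN-ACK", "RST") or None."""
        self.log.append(pkt)                      # passive: always record
        if pkt.proto != "tcp":
            return None                           # UDP/ICMP: record only
        key = (pkt.src, pkt.sport, pkt.dport)
        state = self.conns.get(key)
        if "S" in pkt.flags and "A" not in pkt.flags:
            self.conns[key] = "SYN_RCVD"          # accept a SYN on any port
            return "SYN-ACK"
        if state is None:
            return None                           # no handshake: e.g. DDoS backscatter
        if "R" in pkt.flags or "F" in pkt.flags:
            del self.conns[key]                   # peer closed before sending data
            return None
        if pkt.payload:
            self.payloads.append((pkt.src, pkt.dport, pkt.payload))
            del self.conns[key]                   # one payload is enough: tear down
            return "RST"
        if "A" in pkt.flags:
            self.conns[key] = "ESTABLISHED"       # third step of the handshake
        return None


# Constructed trace: a backdoor-style probe on TCP/2745 (the Beagle port named
# on a later slide), a UDP packet, and a bare SYN-ACK that is backscatter.
TRACE = [
    Packet("198.51.100.7", 40001, 2745, flags="S"),
    Packet("198.51.100.7", 40001, 2745, flags="A"),
    Packet("198.51.100.7", 40001, 2745, flags="PA", payload=b"PROBE-CONSTRUCTED"),
    Packet("203.0.113.9", 53, 1434, proto="udp", payload=b"\x04" + b"\x01" * 8),
    Packet("192.0.2.5", 80, 55555, flags="SA"),
]


def run(trace):
    """Feed a trace through one sensor; returns the responder and its replies."""
    responder = LightweightResponder()
    replies = [responder.handle(p) for p in trace]
    return responder, replies
```

A purely passive sensor would see only the SYN on port 2745; the responder additionally obtains the first payload, which is what the MD5 signature of the next slides is computed over.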

The Internet Motion Sensor (Payload Signatures and Caching)
- Basic idea:
  - Compute the MD5 checksum of the payload.
  - If the checksum is found in the cache, log only the signature (do NOT store the payload).
  - Else, store both the payload and the signature.
- With a 96% cache hit rate, this method saves over 100 GB/day per address sensor!

The Internet Motion Sensor (Payload Signatures and Caching Example)
Step 1: an MD5 signature + payload arrives at the blackhole sensor; the signature is not in the cache, so the payload is stored.

  Worm          Signature                           Payload    Hits
  MyWorm        9e107d9d372bb6826bd81d3542bt569g    stored     1

The Internet Motion Sensor (Payload Signatures and Caching Example)
Step 2: a second, different MD5 signature + payload arrives; it is also new, so its payload is stored.

  Worm          Signature                           Payload    Hits
  MyWorm        9e107d9d372bb6826bd81d3542bt569g    stored     1
  AnotherWorm   e56d4cd98f00b204eecf8427e           stored     1

The Internet Motion Sensor (Payload Signatures and Caching Example)
Step 3: signature 9e107d9d372bb6826bd81d3542bt569g arrives again with its payload; it is found in the cache, so only the hit count is updated and the payload is not stored a second time.

  Worm          Signature                           Payload    Hits
  MyWorm        9e107d9d372bb6826bd81d3542bt569g    stored     2
  AnotherWorm   e56d4cd98f00b204eecf8427e           stored     1
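The cache from the three slides above, as an added example (not the paper's or the IMS project's code), replayed over the same sequence: MyWorm, AnotherWorm, MyWorm. The payload bytes are constructed stand-ins; MD5 is kept because the slides use it, and the digest name is a parameter so a deployment can swap in a stronger hash.

```python
import hashlib


class PayloadCache:
    """Store each distinct payload once; repeats are logged by signature only."""

    def __init__(self, digest="md5"):
        self.digest = digest           # slides use MD5; "sha256" is a drop-in swap
        self.entries = {}              # signature -> {"payload": bytes, "hits": int}
        self.events = []               # one signature per packet, always logged
        self.bytes_stored = 0          # payload bytes written to disk
        self.bytes_avoided = 0         # payload bytes NOT written (cache hits)

    def signature(self, payload):
        return hashlib.new(self.digest, payload).hexdigest()

    def observe(self, payload):
        """Apply the slide's rule; returns (signature, "stored" | "cached")."""
        sig = self.signature(payload)
        self.events.append(sig)                      # the signature is always logged
        entry = self.entries.get(sig)
        if entry is None:                            # miss: keep payload + signature
            self.entries[sig] = {"payload": payload, "hits": 1}
            self.bytes_stored += len(payload)
            return sig, "stored"
        entry["hits"] += 1                           # hit: signature only
        self.bytes_avoided += len(payload)
        return sig, "cached"

    def hits(self, payload):
        return self.entries[self.signature(payload)]["hits"]

    def hit_rate(self):
        """Fraction of observed payloads that did not need to be stored."""
        if not self.events:
            return 0.0
        return (len(self.events) - len(self.entries)) / len(self.events)


# Constructed payloads standing in for "MyWorm" and "AnotherWorm" on the slides.
MYWORM = b"MYWORM-" + b"\x90" * 40
ANOTHERWORM = b"ANOTHERWORM-" + b"\xcc" * 40


def replay(payloads):
    """Run a payload sequence through a fresh cache; returns (cache, outcomes)."""
    cache = PayloadCache()
    return cache, [cache.observe(p)[1] for p in payloads]
```

Two caveats a practitioner should keep in mind: only byte-identical payloads collapse, so a polymorphic variant is a new entry, and MD5 is no longer collision resistant, so two crafted payloads with the same digest would be recorded as one.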

The Internet Motion Sensor (Observations)
- An IMS prototype developed at the University of Michigan consisted of 28 address sensors at 18 physical locations.
- Three kinds of events captured:
  - Internet worms
  - Scanning
  - Distributed denial of service (DDoS) attacks

The Internet Motion Sensor (Internet Worms)
IMS detection of various behaviors from worms:
- Worm virulence: how much traffic resulted from the worm? Which routers/paths got congested?
- Worm demographics: how many hosts were infected? What operating system and other information about the hosts?
- Worm propagation: how does the worm select its next target?
- Community response: which organizations reacted the fastest? Who is still infected?

The Internet Motion Sensor (The Blaster Worm)
- Description: affected Windows 2000/XP systems running DCOM RPC services and used a buffer overflow attack to run code on the target machine.
- In a 7-day period, IMS detected 3 phases:
  - 1st phase: growth
  - 2nd phase: decay
  - 3rd phase: persistence

The Internet Motion Sensor (The Blaster Worm – Phases Diagram)

The Internet Motion Sensor (The Blaster Worm)
- Other observation: the Blaster worm sends an exploit on TCP port 135, then follows with some commands on TCP port
- Conclusion from the Blaster worm observations:
  - IMS provides data that can differentiate between different variants of worms.
  - Passive blackhole sensors cannot do that!

The Internet Motion Sensor (Blaster Worm Captured)

The Internet Motion Sensor (Scanning)
- Attackers scan for vulnerable services in order to exploit them.
- Beagle and MyDoom worms:
  - SMTP worms that began spreading in
  - Listen on port 2745 (Beagle) and port 3127 (MyDoom) as backdoors used to load malicious software.
- Conclusions from the observations:
  - The lightweight responder allowed IMS to detect the backdoor ports.
  - Since both worms have variants, having the responder was less time consuming than creating handcrafted service modules for each variant.

The Internet Motion Sensor (Beagle and MyDoom Scanning Activity Chart)

The Internet Motion Sensor (Distributed Denial of Service)
- These attacks rely on many end hosts to consume network resources.
- The SCO Group attack:
  - Attacked on December 10, 2003.
  - Targeted 3 web servers, an FTP server, and an SMTP server.
  - Since the attackers used spoofed IP addresses, IMS was able to observe some backscatter from these attacks.
- Conclusion from the observation: showed the need for address diversity (having different blocks of many sizes).

The Internet Motion Sensor (Backscatter Diagram from SCO Attack)

The Internet Motion Sensor (Strengths)
- IMS' variety of address blocks allows it to find various worms that passive sensors cannot detect.
- The payload signature and caching system can save over 100 GB of storage per sensor per day!

The Internet Motion Sensor (Weaknesses)
- Provides little or no information on threats that depend on application-level responses.
  - NetBIOS services require an RPC bind() before an RPC request() can be made. IMS can detect the RPC bind() but not the RPC request(), since no application-level response is sent.
- Requires a relatively powerful machine: an x86 machine with at least 1 GB RAM. [1]

[1] From the Internet Motion Sensor FAQ site.

The Internet Motion Sensor (Suggestions for Improvement)
- Find a way to get information on threats that depend on application-level responses.
- Get IMS to fully learn the behavior of worms so it can automatically develop patches.

The Internet Motion Sensor (Conclusion)
- The IMS uses a variety of blackhole sensors of various sizes to track, characterize, and measure threats.
- It can detect various types of threats that passive sensors can't detect!
- It would be great to run if you have a relatively powerful computer!