MonNet – a project for network and traffic monitoring: Detection of Malicious Traffic on Backbone Links via Packet Header Analysis. Wolfgang John and Tomas Olovsson.

Presentation transcript:

MonNet – a project for network and traffic monitoring
Detection of Malicious Traffic on Backbone Links via Packet Header Analysis
Wolfgang John and Tomas Olovsson
Department of Computer Science and Engineering, Chalmers University of Technology, Göteborg, Sweden

TNC 2008

Introduction
Traffic filtering is often done locally; the backbone provides a broader view.
What is happening "in the wild"?
– Old, well-known attack types?
– Distributed attacks to several hosts/networks?
– What to expect on ingress hosts?
How good is pure packet header analysis?

Introduction: Outline
1. Packet headers considered: fields and potential problems
2. Dataset: measurement location, transport protocol breakdown
3. Anomalies observed: IP (+fragmentation), TCP, UDP, ICMP; discussion and highlights
4. Summary and Conclusions

Packet Headers
[Figure: IP header structure]

Packet Headers (2)
[Figure: TCP header structure]

Packet Headers (3)
[Figures: UDP header structure; ICMP header structure]


Dataset: Measurement location
[Figure: Chalmers Univ., Göteborgs Univ., the Student-Net and other smaller universities and institutes connect via Göteborg and Stockholm through regional ISPs to the Internet]
– 2x 10 Gbit/s (OC-192)
– capturing headers only
– IP addresses anonymized
– 554 traces in late min. intervals during 3 months

Dataset (2): Transport protocol breakdown
[Figure: transport protocol breakdown; dataset listed in CAIDA's DatCat as "SUNET fall"]
[Figure: an IP original datagram is split into IP segments 1-4, which are sent as fragments 1-4 and together form a fragment series]


Anomalies observed: IP header anomalies
– Two intervals with one million packets to four destinations; source IP of private class C ( /16); ICMP echo replies, 228 bytes. DoS attack?
– No exploits of IP source route
– Land attack

Anomalies observed (2): IP fragmentation inconsistencies
– IP ID values of zero are over-represented!
– One host inside a university: five campaigns to five destinations with series of 6-7 fragments, iterating over the entire port range; half of the series with inconsistencies (holes etc.). Hijacked host performing DoS (Frag attack!)
– 42 hosts are the main target: 1/5 of all fragment series to these hosts are incomplete, many gaps only 8 bytes long! DDoS? Or just packet loss?
– 35 different times and different hosts! Not only overlaps, but also gaps. Overlapping fragments fill gaps, in the wrong places! 8-48 byte overlapping fragments on consistent offsets. Hardware/software error? Common attack tool?
– Good news: Ping-of-death, sPing, IceNewk etc. not observed!
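The holes, 8-byte gaps and overlapping fragments on this slide are all properties of one fragment series, so a reassembly-side check can classify a series offline from the offset and length fields alone. The following is an added example and not code from the MonNet project; it models each fragment as (byte offset, payload length, MF flag), with offsets already converted from the header's 8-byte units, and the sample series are constructed to reproduce the cases the slide describes.

```python
"""Fragment-series consistency checks.

Added example, not code from the MonNet project. A fragment series is modelled as a
list of (offset, length, more_fragments) with offsets already converted from the
header's 8-byte units into bytes. The sample series below are constructed.
"""
from typing import Dict, List, Tuple

Fragment = Tuple[int, int, bool]  # (byte offset, payload length, MF flag)


def analyze_series(frags: List[Fragment]) -> Dict[str, object]:
    """Classify one fragment series.

    Walks the fragments in offset order and tracks how far contiguous coverage from
    offset 0 reaches. A fragment starting beyond that point leaves a gap; one starting
    before it overlaps already-covered bytes. 'total' is the datagram length implied by
    the fragment with MF=0 (None if that last fragment never arrived).
    """
    ordered = sorted(frags, key=lambda f: (f[0], f[1]))
    total = None
    for off, ln, mf in ordered:
        if not mf:
            total = off + ln
    gaps: List[Tuple[int, int]] = []
    overlaps: List[Tuple[int, int]] = []
    covered_to = 0
    for off, ln, _mf in ordered:
        end = off + ln
        if off > covered_to:
            gaps.append((covered_to, off))
        elif off < covered_to:
            overlaps.append((off, min(end, covered_to)))
        covered_to = max(covered_to, end)
    complete = total is not None and not gaps and not overlaps and covered_to == total
    return {"complete": complete, "gaps": gaps, "overlaps": overlaps, "total": total}


def incomplete_fraction(series_list: List[List[Fragment]]) -> float:
    """Share of series that are not cleanly reassemblable (the per-target ratio on the slide)."""
    if not series_list:
        return 0.0
    bad = sum(1 for s in series_list if not analyze_series(s)["complete"])
    return bad / len(series_list)


# Constructed sample series (1480-byte fragments as on a 1500-byte MTU link).
SERIES_OK = [(0, 1480, True), (1480, 1480, True), (2960, 500, False)]
# an 8-byte hole between the first and second fragment
SERIES_HOLE = [(0, 1480, True), (1488, 1480, True), (2968, 500, False)]
# second fragment starts 8 bytes early and overlaps the first
SERIES_OVERLAP = [(0, 1480, True), (1472, 1480, True), (2952, 500, False)]
# a 32-byte fragment plugs the hole of SERIES_HOLE but overlaps on both sides
SERIES_FILLED = [(0, 1480, True), (1488, 1480, True), (1464, 32, True), (2968, 500, False)]
# last fragment never seen
SERIES_TRUNCATED = [(0, 1480, True), (1480, 1480, True)]

if __name__ == "__main__":
    for name, s in [("ok", SERIES_OK), ("hole", SERIES_HOLE), ("overlap", SERIES_OVERLAP),
                    ("filled", SERIES_FILLED), ("truncated", SERIES_TRUNCATED)]:
        print(name, analyze_series(s))
    print("incomplete fraction:",
          incomplete_fraction([SERIES_OK, SERIES_HOLE, SERIES_OVERLAP, SERIES_FILLED, SERIES_TRUNCATED]))
```

SERIES_FILLED is the interesting case: the extra 32-byte fragment closes the 8-byte hole, so a gap-only check would call the series complete, while the overlap list shows it was patched 16 bytes before and 8 bytes after the hole. Whether that pattern is a broken stack or a tool is exactly the open question on the slide; the checker only makes it visible. Packet loss in the capture itself also shows up as gaps, so the incomplete fraction should be read per destination and compared against the loss rate of the measurement setup.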

Anomalies observed (3): TCP header anomalies
– Two or more field anomalies within the same TCP header: 21 % in RST/ACK packets from port % in SYN/ACK packets …. SYN/ACK attacks?
– Source and destination ports of zero: equally shared; mainly SYN packets in host scanning campaigns
– Mahoney et al.: FIN without ACK can reveal port-sweeps. Not supported by our data!! Mainly to P2P ports: pure FIN after SYN connection attempts

Anomalies observed (4): UDP header anomalies
– From UDP port zero: around 30 scanning campaigns of /24 ranges to port numbers 1025 and 1026. Windows messenger spam!

Anomalies observed (5): ICMP header observations
– Two hosts sending 46 million "host redirects" during 12 days: DoS attacks like Winfreez

Anomalies observed (6): ICMP header observations contd.
– No Ping-of-Death type attacks
– No obvious attack with ICMP dest. unreachable (Smack)
– No ICMP timestamp attacks (like moyari13)
– No large scale usage of invalid ICMP types (Twinge or Trash attacks)


Summary and Conclusions
– Systematic listing of header anomalies
– Occurrences in real backbone traffic
– Many old attacks still out there, but some formerly popular attacks vanished
– Constant "noise" of anomalous packets
– Some major campaigns of malicious activities detected

Summary and Conclusions (2)
Pure packet header analysis reveals a substantial amount of malicious activity.
Watch out for:
– IP ID of zero
– port numbers of zero
– strange TCP flags
– reserved IP addresses
– unusual ICMP activity
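The "watch out for" list above is a per-packet header check that needs nothing beyond the IP and transport headers, which is what a headers-only capture like this one provides. The following is an added example, not code from the MonNet project: it parses raw IPv4/TCP/UDP/ICMP headers with the Python standard library and tags each packet with the anomalies the slides single out (IP ID of zero, source or destination port zero, null/SYN+FIN/pure-FIN flag combinations, reserved source addresses, ICMP redirects and unusual ICMP types). The reserved-address list, the set of "known" ICMP types and all sample packets are assumptions constructed for this example; the addresses come from the documentation ranges and are not real hosts.

```python
"""Header-anomaly tagging over raw IPv4 packets.

Added example, not code from the MonNet project. It implements the "watch out for"
list above (IP ID of zero, port numbers of zero, strange TCP flags, reserved source
addresses, unusual ICMP) with the standard library only. The sample packets are
constructed with the build_* helpers; they are not captured backbone traffic.
"""
import ipaddress
import struct
from collections import Counter
from typing import List

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
IP_DF = 0x4000  # "don't fragment" bit in the flags/fragment-offset field

# Source addresses that should not appear on a backbone link (assumed list for this example).
RESERVED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]
# Classic assigned ICMP types; anything else is tagged as unusual (assumed set for this example).
KNOWN_ICMP_TYPES = {0, 3, 4, 5, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18}


def build_ipv4(src, dst, proto, payload, ident=0x1234, flags_frag=IP_DF, ttl=64):
    """Constructed IPv4 packet; the checksum is left zero because nothing here verifies it."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag, ttl,
                      proto, 0, ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_tcp(sport, dport, flags):
    """Constructed 20-byte TCP header (data offset 5, no options)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)


def build_udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_icmp(itype, code, data=b""):
    return struct.pack("!BBH", itype, code, 0) + data


def header_anomalies(pkt: bytes) -> List[str]:
    """Return the anomaly tags found in one raw IPv4 packet (empty list = nothing odd)."""
    tags: List[str] = []
    if len(pkt) < 20:
        return ["ip_truncated"]
    ver_ihl, _, _, ident, flags_frag, _, proto, _, src, _ = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        return ["ip_not_v4"]
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return ["ip_bad_ihl"]
    # IP ID of zero: over-represented in the inconsistent fragment series on the slides. On its
    # own it is a weak signal, since RFC 6864 allows ID 0 on packets that carry the DF bit.
    if ident == 0:
        tags.append("ip_id_zero")
    saddr = ipaddress.IPv4Address(src)
    if any(saddr in net for net in RESERVED_NETS):
        tags.append("ip_src_reserved")
    if flags_frag & 0x1FFF:
        return tags  # non-first fragment: no transport header to inspect
    l4 = pkt[ihl:]
    if proto == 6 and len(l4) >= 20:
        sport, dport, _, _, _, flags, _, _, _ = struct.unpack("!HHIIBBHHH", l4[:20])
        if sport == 0:
            tags.append("tcp_sport_zero")
        if dport == 0:
            tags.append("tcp_dport_zero")
        if flags & 0x3F == 0:
            tags.append("tcp_null_flags")          # no flags at all: never legitimate
        if flags & SYN and flags & FIN:
            tags.append("tcp_syn_fin")             # open and close in one segment
        if flags & FIN and not flags & ACK:
            tags.append("tcp_fin_without_ack")     # the pure-FIN pattern discussed above
    elif proto == 17 and len(l4) >= 8:
        sport, dport, _, _ = struct.unpack("!HHHH", l4[:8])
        if sport == 0:
            tags.append("udp_sport_zero")
        if dport == 0:
            tags.append("udp_dport_zero")
    elif proto == 1 and len(l4) >= 4:
        itype, _, _ = struct.unpack("!BBH", l4[:4])
        if itype == 5:
            tags.append("icmp_redirect")           # redirect floods stand out here
        if itype not in KNOWN_ICMP_TYPES:
            tags.append("icmp_unusual_type")
    return tags


def tag_counts(pkts) -> Counter:
    """Aggregate tags over a trace; the steady background of tags is the 'noise' the slides mention."""
    return Counter(t for p in pkts for t in header_anomalies(p))


# Constructed sample packets (addresses from the documentation ranges, not real hosts).
PKT_NORMAL_SYN = build_ipv4("203.0.113.5", "198.51.100.7", 6, build_tcp(40000, 80, SYN))
PKT_NULL_SCAN = build_ipv4("10.1.2.3", "198.51.100.7", 6, build_tcp(0, 0, 0), ident=0)
PKT_FIN_SWEEP = build_ipv4("203.0.113.5", "198.51.100.7", 6, build_tcp(40001, 6881, FIN))
PKT_MSGR_SPAM = build_ipv4("203.0.113.9", "198.51.100.20", 17, build_udp(0, 1026, b"x" * 40))
PKT_ECHO_REPLY_PRIV = build_ipv4("192.168.0.1", "198.51.100.7", 1, build_icmp(0, 0, b"\0" * 200))
PKT_REDIRECT = build_ipv4("203.0.113.77", "198.51.100.7", 1, build_icmp(5, 1, b"\0" * 28))
SAMPLE_TRACE = [PKT_NORMAL_SYN, PKT_NULL_SCAN, PKT_FIN_SWEEP, PKT_MSGR_SPAM, PKT_ECHO_REPLY_PRIV, PKT_REDIRECT]

if __name__ == "__main__":
    for p in SAMPLE_TRACE:
        print(header_anomalies(p))
    print(tag_counts(SAMPLE_TRACE))
```

Two design points follow from the slides. First, the function returns a list rather than a boolean so that "two or more field anomalies within the same header" can be checked by the caller with `len(tags) >= 2`; the null-scan sample collects five tags. Second, most single tags are weak evidence on their own (a pure FIN is also what a peer sends after a failed P2P connection attempt, and ID 0 with DF set is normal on modern stacks), so `tag_counts` over a whole trace interval is the view that separates the constant noise from a campaign such as the port-1026 spam or the redirect flood.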

Summary and Conclusions (3)
Next steps:
– Study potential of IP ID, SEQ and ACK numbers and port numbers for detection
– Get access to payload data / broadcast addr. Anomalous application headers? Malicious code?
– Correlate packets (flows): scannings, DDoS campaigns? What happens before? After? ...

MonNet – a project for network and traffic monitoring
More Information: or Questions?