Slide 1: Mildly Penetrative Packet Inspection
Shane Alcock, WAND
28/09/2016
Slide 2: Application Protocol Identification
© THE UNIVERSITY OF WAIKATO TE WHARE WANANGA O WAIKATO
- Analysis
  - Research! Traffic patterns, e.g. what apps are popular?
- Traffic shaping or blocking
  - Especially P2P
- Diagnostics
  - What are all those inbound flows?
Slide 3: Shallow Packet Inspection
- Examine headers only
  - No application payload
  - Relying almost entirely on ports
- Quick and easy
- Fewer privacy concerns
- Unreliable
  - Applications using random ports
  - Applications hiding on port 80
(Figure: packet layout Ethernet | VLAN | IP | TCP | TCP Payload)
Slide 4: Deep Packet Inspection
- Examine entire packet body
  - Including all application payload
- Highest chance of success
- Privacy issues
  - Protecting user data
  - Difficult for researchers
- Computationally expensive
  - DPI "solutions" typically cost $$$
(Figure: packet layout Ethernet | VLAN | IP | TCP | TCP Payload)
Slide 5: Mildly Penetrative Packet Inspection?
- Retain four bytes of payload
  - Application headers
  - Almost all user data is discarded
- All WAND captures since 2006 do this
- Enough to identify applications?
(Figure: packet layout Ethernet | VLAN | IP | TCP | TCP Payload)
Slide 6: Libprotoident
- C software library developed at WAND
  - Based on libtrace
  - Simple API enables programmers to use the software in their own tools
  - Includes basic tools as well
- Examine the first payload-bearing packet in each direction
  - All subsequent packets can be ignored -> fast
- Properties examined
  - Four bytes of payload
  - Payload size
  - Port (although we try to use this as little as possible!)
Slides 7-8: MPPI In Action
Two UDP datagrams from a trace that keeps four bytes of payload (tcpdump hex output; with a 20-byte IP header and an 8-byte UDP header, the last two 16-bit words of each dump are the retained payload):

    13:00:16.233005 IP (tos 0x0, ttl 121, id 61601, offset 0, flags [none], proto: UDP (17), length: 111) 10.0.0.1.41822 > 10.0.0.2.25842: UDP, length 83
        0x0000: 4500 006f f0a1 0000 7911 e1cf 0a00 0001
        0x0010: 0a00 0002 a35e 64f2 005b 9bd9 fabe 9049
    13:00:16.712164 IP (tos 0x0, ttl 125, id 29139, offset 0, flags [none], proto: UDP (17), length: 65) 10.0.0.2.25842 > 10.0.0.1.41822: UDP, length 37
        0x0000: 4500 0041 71d3 0000 7d11 5ccc 0a00 0002
        0x0010: 0a00 0001 64f2 a35e 002d db6a 0000 0408

Running the bundled tool over the same trace:

    $ lpi_protoident pcapfile:test.pcap
    pcapfile:test.pcap
    BitTorrent_UDP 10.0.0.2 10.0.0.1 25842 41822 17 1231286416.233 37 83 00000408.... 37 fabe9049...I 83
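The two packets above, as an added example that is not part of the original deck and is not libprotoident or libtrace code: a C routine that parses a captured IPv4 packet and keeps only what mildly penetrative inspection uses (addresses, ports, payload length on the wire, first four payload bytes). The two sample buffers are constructed from the hex dump on the slide; the struct and function names (mppi_view, mppi_parse, mppi_sig, mppi_plen) are chosen here and are not library API.

```c
/* Added example (not libprotoident/libtrace code): reduce one captured IPv4
 * packet to the "mildly penetrative" view: 5-tuple, wire payload length,
 * first four payload bytes.  The sample packets are the two datagrams from
 * the slide, rebuilt from its hex dump: the trace holds only 4 payload bytes,
 * so each buffer is 32 bytes while the IP total length says 111 and 65. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

struct mppi_view {
    uint32_t src_ip, dst_ip;      /* host byte order */
    uint16_t src_port, dst_port;
    uint8_t  proto;               /* 6 = TCP, 17 = UDP */
    uint16_t payload_len;         /* length on the wire, not bytes captured */
    uint8_t  first4[4];           /* retained payload, zero-padded */
    uint8_t  have;                /* payload bytes actually present (0..4) */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* 0 on success, -1 if malformed, truncated before the transport header, or
 * not IPv4 TCP/UDP.  caplen is what the capture kept; the IP and UDP length
 * fields say how much payload existed on the wire. */
int mppi_parse(const uint8_t *buf, size_t caplen, struct mppi_view *v)
{
    if (caplen < 20 || (buf[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;
    uint16_t total = be16(buf + 2);
    if (ihl < 20 || caplen < ihl || total < ihl) return -1;

    memset(v, 0, sizeof *v);
    v->proto  = buf[9];
    v->src_ip = be32(buf + 12);
    v->dst_ip = be32(buf + 16);

    const uint8_t *l4 = buf + ihl;
    size_t l4avail = caplen - ihl, hdrlen;
    if (v->proto == 17) {                          /* UDP */
        if (l4avail < 8) return -1;
        uint16_t ulen = be16(l4 + 4);
        if (ulen < 8 || ulen > total - ihl) return -1;
        hdrlen = 8;
        v->payload_len = (uint16_t)(ulen - 8);
    } else if (v->proto == 6) {                    /* TCP */
        if (l4avail < 20) return -1;
        hdrlen = (size_t)(l4[12] >> 4) * 4;
        if (hdrlen < 20 || hdrlen > total - ihl || l4avail < hdrlen) return -1;
        v->payload_len = (uint16_t)(total - ihl - hdrlen);
    } else {
        return -1;
    }
    v->src_port = be16(l4);
    v->dst_port = be16(l4 + 2);

    /* Copy whatever payload survived the capture, at most four bytes. */
    size_t avail = l4avail > hdrlen ? l4avail - hdrlen : 0;
    if (avail > v->payload_len) avail = v->payload_len;
    if (avail > 4) avail = 4;
    memcpy(v->first4, l4 + hdrlen, avail);
    v->have = (uint8_t)avail;
    return 0;
}

/* Scalar helpers: the retained bytes packed big-endian (0xfabe9049 for the
 * slide's request; 0 on parse failure, so check mppi_plen too) and the wire
 * payload length (-1 on parse failure). */
uint32_t mppi_sig(const uint8_t *buf, size_t caplen)
{
    struct mppi_view v;
    return mppi_parse(buf, caplen, &v) == 0 ? be32(v.first4) : 0;
}
int mppi_plen(const uint8_t *buf, size_t caplen)
{
    struct mppi_view v;
    return mppi_parse(buf, caplen, &v) == 0 ? v.payload_len : -1;
}

/* Constructed from the slide's hex dump: IPv4 header, UDP header, 4 bytes. */
static const uint8_t pkt_req[32] = {
    0x45,0x00,0x00,0x6f,0xf0,0xa1,0x00,0x00,0x79,0x11,0xe1,0xcf,0x0a,0x00,0x00,0x01,
    0x0a,0x00,0x00,0x02,0xa3,0x5e,0x64,0xf2,0x00,0x5b,0x9b,0xd9,0xfa,0xbe,0x90,0x49 };
static const uint8_t pkt_resp[32] = {
    0x45,0x00,0x00,0x41,0x71,0xd3,0x00,0x00,0x7d,0x11,0x5c,0xcc,0x0a,0x00,0x00,0x02,
    0x0a,0x00,0x00,0x01,0x64,0xf2,0xa3,0x5e,0x00,0x2d,0xdb,0x6a,0x00,0x00,0x04,0x08 };

int main(void)
{
    const uint8_t *pkts[2] = { pkt_req, pkt_resp };
    for (int i = 0; i < 2; i++) {
        struct mppi_view v;
        if (mppi_parse(pkts[i], 32, &v) != 0) { puts("parse failed"); continue; }
        printf("ports %u -> %u proto %u payload %u bytes first4 %08x (%u bytes kept)\n",
               v.src_port, v.dst_port, v.proto, v.payload_len, be32(v.first4), v.have);
    }
    return 0;
}
```

The values it recovers line up with the lpi_protoident columns above: payload lengths 83 and 37, signatures fabe9049 and 00000408. Because the capture holds only four payload bytes, the parser trusts the IP and UDP length fields for the wire length rather than the captured length; a capture cut even shorter yields a zero-padded signature with `have` recording how many bytes were real, so a rule author can tell a genuine 00 byte from padding.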
Slides 9-12: Pretty Graphs
(Four slides of result graphs, not reproduced in this transcript.)
Slide 13: Current Status
- Support for 178 application protocols (and counting!)
  - New 2011 capture might add a few new protocols :)
- Released library and tools: open source!
- Compare results against OpenDPI
  - A bit tricky, as we need full payload traces
- Do some real-time tests
  - Can we use this effectively on live data?
  - If so, try to integrate into BSOD visualisation
Slide 14: Summary
- You don't need full DPI to identify applications effectively
  - Just the first four bytes of payload in each direction
  - Less CPU-intensive
  - Better from a network user privacy standpoint
- Subject to many of the same limitations as DPI
  - Still need *some* payload
  - Encryption makes life hard
  - Requires active maintenance, e.g. new protocols
  - Coming up with new protocol rules is hard work!
Slide 15: Links
- Graphs: http://www.wand.net.nz/~salcock/proto/results.html
- Library: http://research.wand.net.nz/software/libprotoident.php
- Contact: salcock@cs.waikato.ac.nz
Slide 16: WAND Network Research Group
Department of Computer Science
The University of Waikato
Private Bag 3105
Hamilton, New Zealand
www.crc.net.nz
www.wand.net.nz
www.waikato.ac.nz
Slide 17: Example Rule
- Matching World of Warcraft TCP flows
- Request packet payload is 0x00 0x08 ANY ANY
  - Bytes 3 and 4 are the payload length minus 4 bytes
- Response packet payload is 0x00 0x00 0x00 ANY
  - Packet payload is always 119 bytes long
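The rule on this slide, combined with the first-packet-per-direction bookkeeping described on slide 6, as an added example in C. This is not libprotoident's code: ANY, match4, flow_observe, classify and the other names are chosen here, not taken from the library. The slide does not state the byte order of the length held in bytes 3 and 4; the example assumes little-endian and isolates that assumption in one helper so it can be flipped if traces show otherwise.

```c
/* Added example (not libprotoident's code): a rule in the style the slide
 * describes, for World of Warcraft over TCP, plus the per-flow bookkeeping
 * that records only the first payload-bearing packet in each direction.
 * Assumption: the length field in bytes 3-4 is little-endian (the slide does
 * not say); it lives in wow_len_field() so it can be changed in one place. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ANY 0x100                    /* wildcard: outside the 0..255 byte range */

/* True when the four retained bytes (packed big-endian: byte 1 is the high
 * octet) match the pattern; ANY accepts anything in that position. */
static bool match4(uint32_t pay, unsigned b1, unsigned b2, unsigned b3, unsigned b4)
{
    unsigned want[4] = { b1, b2, b3, b4 };
    for (int i = 0; i < 4; i++) {
        unsigned got = (pay >> (24 - 8 * i)) & 0xff;
        if (want[i] != ANY && want[i] != got) return false;
    }
    return true;
}

struct flow_dir { bool seen; uint32_t first4; uint16_t plen; };
struct flow     { struct flow_dir dir[2]; };   /* dir[0]: first direction seen, dir[1]: reverse */

/* Record a packet for one direction.  Only the first packet carrying payload
 * is kept; everything after it is ignored, which is what keeps the per-packet
 * cost flat.  `have` is how many payload bytes the capture kept (0..4),
 * `plen` the payload length on the wire. */
void flow_observe(struct flow *f, int dir, const uint8_t *payload, size_t have, uint16_t plen)
{
    struct flow_dir *d = &f->dir[dir & 1];
    if (d->seen || plen == 0) return;
    uint32_t v = 0;
    for (size_t i = 0; i < 4; i++)
        v = v << 8 | (i < have ? payload[i] : 0);   /* zero-pad short payloads */
    d->first4 = v; d->plen = plen; d->seen = true;
}

/* Bytes 3 and 4 as a 16-bit length.  Assumption: little-endian. */
static uint16_t wow_len_field(uint32_t pay)
{
    return (uint16_t)(((pay >> 8) & 0xff) | ((pay & 0xff) << 8));
}

/* Slide 17: request is 0x00 0x08 ANY ANY with bytes 3-4 == payload length - 4;
 * response is 0x00 0x00 0x00 ANY and its payload is always 119 bytes. */
bool wow_request(uint32_t pay, uint16_t plen)
{
    return match4(pay, 0x00, 0x08, ANY, ANY) && plen >= 4 && wow_len_field(pay) == plen - 4;
}
bool wow_response(uint32_t pay, uint16_t plen)
{
    return match4(pay, 0x00, 0x00, 0x00, ANY) && plen == 119;
}

/* Both directions must have been seen.  Either side may be the client, so
 * both pairings are tried; a flow with only one direction stays Unknown. */
const char *classify(const struct flow *f)
{
    const struct flow_dir *a = &f->dir[0], *b = &f->dir[1];
    if (!a->seen || !b->seen) return "Unknown";
    if ((wow_request(a->first4, a->plen) && wow_response(b->first4, b->plen)) ||
        (wow_request(b->first4, b->plen) && wow_response(a->first4, a->plen)))
        return "WorldOfWarcraft";
    return "Unknown";
}

/* Convenience: classify from one four-byte payload per direction. */
const char *classify_pair(const uint8_t *p0, uint16_t len0, const uint8_t *p1, uint16_t len1)
{
    struct flow f; memset(&f, 0, sizeof f);
    flow_observe(&f, 0, p0, 4, len0);
    flow_observe(&f, 1, p1, 4, len1);
    return classify(&f);
}

int main(void)
{
    /* Constructed sample: a 38-byte request (38 - 4 = 34 = 0x0022, stored
     * little-endian as 0x22 0x00) answered by a 119-byte response. */
    const uint8_t req[4]   = { 0x00, 0x08, 0x22, 0x00 };
    const uint8_t resp[4]  = { 0x00, 0x00, 0x00, 0x05 };
    const uint8_t later[4] = { 0xde, 0xad, 0xbe, 0xef };
    struct flow f; memset(&f, 0, sizeof f);
    flow_observe(&f, 0, req, 4, 38);
    flow_observe(&f, 0, later, 4, 200);       /* ignored: direction already seen */
    flow_observe(&f, 1, resp, 4, 119);
    printf("%s (first4 dir0 = %08x)\n", classify(&f), f.dir[0].first4);
    printf("%s\n", classify_pair(resp, 119, req, 38));   /* reversed: still matches */
    printf("%s\n", classify_pair(req, 38, resp, 120));   /* wrong response length */
    return 0;
}
```

Three points a practitioner should take from it: the rule needs both directions, so a flow where only one side was captured stays Unknown; the "first packet only" decision is made in flow_observe, so once each direction has its payload-bearing packet nothing later in the flow changes the result; and the 119-byte check together with the length-field consistency check is what stops a two-byte prefix such as 00 08 from matching unrelated traffic.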
Slide 18: Deep Packet Inspection
- OpenDPI
  - Ipoque DPI engine, open-sourced
  - C library with external API
  - Supports 86 application protocols
  - Not updated very frequently
- L7-filter
  - Classifier for netfilter
  - Supports 112 application protocols
  - Current website inaccessible :(
(Figure: packet layout Ethernet | VLAN | IP | TCP | TCP Payload)