1. Mapping Internet Sensors With Probe Response Attacks
Authors: John Bethencourt, Jason Franklin, Mary Vernon
Presented: Usenix Security Symposium, 2005
Tracy Wagner CDA February 22, 2007

2. Outline Introduction Probe Response Attacks Case Study:
SANS Internet Storm Center
Improvements
Simulation Analysis
Countermeasures
Summary
Contributions / Weaknesses / Future Work

3. Introduction Internet Sensor Networks Publicly Reported Statistics
Secrecy Protects Integrity of Information
Little Attention Given To Determining Sensor Locations
Probe Response Attack Techniques and Algorithm

4. Case Study – SANS ISC Internet Storm Center Challenging network to map
DShield Project - Firewall and IDS logs
Analyzes and aggregates information
Automatically publishes public reports
Challenging network to map
Large number of sensors
Non-contiguous IP addresses

5. Case Study – SANS ISC ISC Port Reports Port: Destination Port
Reports: # Log Entries with destination port
Sources: # Distinct Source IPs
Targets: # Distinct Destination IPs
SANS ISC Port Report from February 19, 2007

6. Case Study – SANS ISC Basic Idea:
Probe an IP address with port activity
Check the published reports for activity
Send enough packets to distinguish from other activity
Use for every possible valid IP address

7. Case Study – SANS ISC Two observations:
Majority of IP addresses correspond to no host or to a non-monitored host
Reports list activity by port
Preprocessing: Filter Invalid IPs
Leaves ~2.1 billion IP addresses

8. Basic Probe Response Algorithm: Stage One
If n ports can be used for probes: {p1, p2,…,pn}
Divide list of IPs into n intervals: {S1, S2, …, Sn}
For (1 ≤ i ≤ n)
Send a SYN packet on port pi to each address in Si

9. Basic Probe Response Algorithm: Stage One
Retrieve Updated Port Report
Traffic on monitored IPs will be reported
Tells us the number of monitored IPs in each Si
Each non-monitored interval is discarded
Each interval that has monitored IPs is kept

10. Basic Probe Response Algorithm: Stage Two
Input: Remaining k intervals, R1, R2,…, Rk
Number of monitored IPs in each interval
Assign n/k ports to each interval
For (1 ≤ i ≤ k)
Divide Ri into (n/k + 1) subintervals
While (1 ≤ j ≤ n/k)
Send a packet on pj to each address in subinterval j

11. Basic Probe Response Algorithm: Stage Two

12. Dealing With Noise
Other sources may be sending packets to monitored IPs on same ports
Tradeoff
Tolerate some noise,
but must send more packets
Report Noise Cancellation Factor
If < 5 for a given port, send 5 packets instead of one
Divide reported number by 5, round down to nearest integer
Number of
Ports
Reports
561
≤ 5
19,364
≤ 10
41,357
≤ 15
51,959
≤ 20
56,305
≤ 25

13. Improvements – Speed Up Attack
Stop working on an interval when some percentage of monitored IPs are found
Creates a Superset of Sensor IPs (False Positives)
Discard an interval when monitored IPs are below some threshold
Creates a Subset of Sensor IPs (False Negatives)

14. Improvements – Speed Up Attack
Multiple Source Technique
Further divide interval into some number of pieces – Multiple Source Factor
Send packets from 2i-1 source addresses to each address in ith piece
Use number of sources reported to determine if any intervals did not have monitored IPs

15. Improvements – Speed Up Attack
Example: Multiple Source Technique
Interval
Sources 1 2 3 4
Divide interval into three pieces
Five sources reported
Know monitored addresses are in first and third intervals
More efficient – reduces size of intervals for next iteration
Limited use – exponential increase in number of packets

16. Simulation Analysis Three Attacker Models T1 Attacker T3 Attacker
1.544 Mbps upload bandwidth
T3 Attacker
38.4 Mbps upload bandwidth
OC6 Attacker
384 Mbps upload bandwidth

17. Simulation Analysis Actual Set of Monitored IP Addresses T1 Attacker
Report Noise Cancellation Factor of 2
Do not use Multiple Source Technique
33 days, 17 hours; 9.5 billion packets
T3 Attacker
Multiple Source Factor of 2
4 days, 16 hours; 14 billion packets

18. Simulation Analysis Actual Set of Monitored IP Addresses OC6 Attacker
Noise Report Cancellation Factor of 8
Multiple Source Factor of 2
Source Based Noise Cancellation Factor of 4
70 hours

19. Simulation Analysis Superset T3 Attacker
Maximum false positive rate .94
Report Noise Cancellation Factor of 4
Multiple Source Factor of 2
Reduction from 112 hours to 78 hours
3.5 million false positives
Number of probes reduced by less than 1%

20. Simulation Analysis Subset T1 Attacker
Maximum false negative rate .001
Report Noise Cancellation Factor of 2
Use only a single source
33 days, 17 hours reduced to 15 days, 18 hours
Reduction from 9.5 billion to 4.4 billion packets
Miss 26% of sensors

21. Countermeasures Current Methods Do Not Prevent Probe Response Attacks
Hashing/Encrypting source IP addresses
Bloom Filters
Impractical Methods
Information Limiting also limits use of network
IPv6 adoption out of control of sensor network
Delayed Reporting
More time to complete
Use non-adaptive algorithm

22. Summary
Consequences of an attacker mapping a set of sensor IPs are severe
Could avoid monitored IPs in any future scanning
Include blacklist in any released worms
Flood monitored addresses; real alerts unnoticed
Recovery would be extremely time consuming

23. Contributions Introduction of a new class of attacks
Case study and extensive simulations to determine optimal parameters and produce time estimates
Insight into factors affecting success
Modifications to map other networks

24. Weaknesses Algorithm is sensor network-specific
Time and resources involved
Countermeasures are brief

25. Future Work
Development and evaluation of nonadaptive approach for determining sensor locations
Study of effectiveness of delayed reporting countermeasures