
The Afterglow Effect and Peer 2 Peer Networks. Jay Radcliffe, June 2010. SANS Technology Institute, Candidate for Master of Science Degree.


1 The Afterglow Effect and Peer 2 Peer Networks
Jay Radcliffe, June 2010
SANS Technology Institute - Candidate for Master of Science Degree
GIAC: GSEC Gold, GCIH Gold, GCIA Gold, GCFA, GLEG, GLIT, GSPA, GLDR, GPEN, GWAPT

2 Objective
How can statistical analysis be used to view network connections?
What types of connection pattern can be found in peer-to-peer afterglow traffic?
Can any pattern or marker be identified that could indicate malicious post-termination connections?

3 What is P2P Networking?
Peer-to-peer networking is a distributed architecture designed to make file sharing more efficient: every participant both downloads and serves pieces of the content, rather than all clients pulling from one server. BitTorrent is a P2P protocol that uses trackers to keep track of who is participating in the sharing of a single torrent, which may contain one or more files.

4 P2P Afterglow
An "Afterglow" connection is one that arrives after the client has terminated the P2P session. The tracker removes the client's IP address from its list of participating peers after a certain period of time, usually less than 20 minutes, but peers that already obtained the address keep attempting to connect to it, so inbound connection attempts continue well after the session ends.

5 Test Setup
The client sits behind a firewall, with a monitoring box running Snort.
Snort rules are set up to record new TCP connections (SYN only) and UDP connections on the unique port number the client used, so that afterglow traffic can be told apart from everything else the host receives.
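The two recording rules this slide describes, written out as an added example in Snort 2 rule syntax. These are not the study's own rules: the client port 51413 and the use of the standard $HOME_NET / $EXTERNAL_NET variables are assumptions.

```snort
# Record each new inbound TCP connection attempt to the torrent client's port.
# flags:S matches only packets whose flag byte is exactly SYN (no ACK), so a
# three-way handshake is counted once, at the first packet.
alert tcp $EXTERNAL_NET any -> $HOME_NET 51413 (msg:"P2P afterglow TCP SYN"; flags:S; sid:1000001; rev:1;)

# Record every inbound UDP datagram to the same port. UDP has no handshake, so
# each datagram matches; count unique sources per bucket in post-processing.
alert udp $EXTERNAL_NET any -> $HOME_NET 51413 (msg:"P2P afterglow UDP"; sid:1000002; rev:1;)
```

Choose a port the client has never advertised before the trial (the "unique port" on the slide); otherwise stale peer lists from earlier sessions, scanners and unrelated noise on a well-known port inflate the tallies.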

6 Test Conditions
Initiate a BitTorrent P2P session using a Fedora installation DVD ISO image.
Terminate the torrent session after twelve hours.
Continue monitoring for 14 hours after termination, tracking afterglow connections.

7 Test Data Results
Connections are tallied in 10-minute increments (for example, 00:00-00:10: 20 connections).

8 Results (Quantitative)
The bucket counts were not normally distributed (heavily right-skewed with long tails), which undermines the usual parametric summary statistics. All three test runs showed wide variance in standard deviation and skew.

              Trial #1       Trial #2        Trial #3
N             170            312             526
Mean (SD)     1.54 (3.41)    9.99 (17.05)    15.31 (60.66)
Skew          3.38           5.515           4.92
Kurtosis      13.7           20.28           176.60

A standard deviation several times the mean, as in Trial #3, means a handful of very large buckets dominate; medians, percentiles or a count of buckets above a threshold describe such data better than mean and SD.

9 Results (Qualitative)
[chart slide; no transcript text]

10 Results (Source Country)
Whois data (ARIN and the other regional registries) were used to look up the source countries of the afterglow connections. This gives the country of the address block's registrant, not necessarily the physical location of the peer.

Trial #1                 Trial #2                   Trial #3
USA           26.77%     USA              29.73%    USA         20.36%
Brazil        24.80%     China             7.68%    Brazil       6.41%
Poland         7.87%     France            4.87%    Russia       5.81%
Thailand       7.87%     Great Britain     4.55%    Canada       5.23%
Russia         7.48%     Netherlands       4.29%    China        4.47%

11 Unique Anomaly
[chart slide: afterglow connection counts over time, showing spikes every two hours]

12 Unique Anomaly
Theories on why there are spikes every two hours:
–Unique client code (timeout/retry logic, cached peer list)
–Dropped or filtered traffic
–Malicious retry to verify disconnection
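The analysis pipeline behind slides 7, 8 and 12 (10-minute tallies, the distribution statistics, and a check for spikes at a fixed spacing), as an added example that is not the study's own tooling. The Snort fast-format alert lines are constructed inside the script: a background of one new peer per bucket plus one stale peer (203.0.113.7) that comes back every two hours, five SYNs at a time. The client port 51413, the monitored address 192.0.2.10 and the termination time are assumptions.

```python
"""Tally Snort fast-format alerts into 10-minute buckets, compute distribution
statistics (mean, SD, skew, kurtosis) and look for periodic spikes.
Added example with constructed input; not the original study's code."""
import math
import re
from collections import Counter
from datetime import datetime, timedelta

TERMINATED_AT = datetime(2010, 6, 14, 10, 0, 0)  # assumed session end
MONITOR_HOURS = 14                               # afterglow window (slide 6)
BUCKET_MINUTES = 10                              # tally increment (slide 7)
ASSUMED_PORT = 51413                             # assumed torrent client port
MONITOR_IP = "192.0.2.10"                        # constructed client address

# Snort fast format: "MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] ... {PROTO} src:sport -> dst:dport"
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2})\.\d+\s+\[\*\*\].*?\{(?P<proto>TCP|UDP)\}\s+"
    r"(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)")


def _fast_line(t, proto, src):
    """Format one constructed alert line in Snort fast format."""
    stamp = t.strftime("%m/%d-%H:%M:%S.000000")
    return (f"{stamp}  [**] [1:1000001:1] P2P afterglow {proto} SYN [**] "
            f"[Priority: 3] {{{proto}}} {src}:40001 -> {MONITOR_IP}:{ASSUMED_PORT}")


def constructed_alerts():
    """Constructed sample: one new peer per bucket for 14 h, plus one stale
    peer retrying at +2, +4, +6, +8 and +10 h with five SYNs each time."""
    lines = []
    for b in range(MONITOR_HOURS * 60 // BUCKET_MINUTES):
        t = TERMINATED_AT + timedelta(minutes=b * BUCKET_MINUTES + 1)
        lines.append(_fast_line(t, "TCP", f"198.51.100.{b % 250 + 1}"))
    for hour in (2, 4, 6, 8, 10):
        t = TERMINATED_AT + timedelta(hours=hour, minutes=2)
        lines.extend(_fast_line(t + timedelta(seconds=i), "TCP", "203.0.113.7")
                     for i in range(5))
    return lines


def parse_alert(line, year=TERMINATED_AT.year):
    """Return (timestamp, proto, src) for alerts aimed at the monitored port, else None.
    Fast format carries no year, so the year is taken from the trial start."""
    m = ALERT_RE.match(line)
    if not m or m["dst"] != MONITOR_IP or int(m["dport"]) != ASSUMED_PORT:
        return None
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S")
    return ts, m["proto"], m["src"]


def bucket_counts(lines, start=TERMINATED_AT, hours=MONITOR_HOURS):
    """Per-bucket connection counts and the set of source IPs seen in each bucket."""
    n_buckets = hours * 60 // BUCKET_MINUTES
    counts = [0] * n_buckets
    sources = [set() for _ in range(n_buckets)]
    for line in lines:
        parsed = parse_alert(line)
        if parsed is None:
            continue
        ts, _proto, src = parsed
        idx = int((ts - start).total_seconds() // (BUCKET_MINUTES * 60))
        if 0 <= idx < n_buckets:          # ignore anything outside the window
            counts[idx] += 1
            sources[idx].add(src)
    return counts, sources


def moment_stats(counts):
    """N (total connections), mean, SD, skew and excess kurtosis of the bucket
    counts, using population moments (the same convention as scipy's defaults)."""
    n = len(counts)
    mean = sum(counts) / n
    m2 = sum((c - mean) ** 2 for c in counts) / n
    m3 = sum((c - mean) ** 3 for c in counts) / n
    m4 = sum((c - mean) ** 4 for c in counts) / n
    sd = math.sqrt(m2)
    return {"N": sum(counts), "buckets": n, "mean": mean, "sd": sd,
            "skew": m3 / sd ** 3, "kurtosis": m4 / m2 ** 2 - 3}


def periodic_spikes(counts, z=2.0):
    """Buckets more than z SDs above the mean, and the dominant spacing between
    consecutive spikes in minutes (None if fewer than two spikes)."""
    s = moment_stats(counts)
    threshold = s["mean"] + z * s["sd"]
    spikes = [i for i, c in enumerate(counts) if c > threshold]
    gaps = Counter(b - a for a, b in zip(spikes, spikes[1:]))
    period = gaps.most_common(1)[0][0] * BUCKET_MINUTES if gaps else None
    return spikes, period


if __name__ == "__main__":
    counts, sources = bucket_counts(constructed_alerts())
    print({k: round(v, 2) if isinstance(v, float) else v for k, v in moment_stats(counts).items()})
    spikes, period = periodic_spikes(counts)
    for i in spikes:
        print(f"spike at +{i * BUCKET_MINUTES} min: {counts[i]} connections from {sorted(sources[i])}")
    print("dominant spike spacing (min):", period)
```

Two points carry over to real captures. The mean-plus-z-SD threshold is itself inflated by the spikes it is looking for, so on a heavy-tailed trial like Trial #3 a percentile of the bucket counts is the more robust cut-off. And the per-bucket source sets are what separate the three theories on the slide: the same address returning on every spike points at one client's retry logic, while a different address each time points at tracker or peer-list behaviour.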

13 Study Limitations
Limited number of trial runs
Identical "safe" torrent files in every trial
Wide variance in connection rates between trials

14 Directions for the Future
Ideas for follow-up research:
–Client identification (certain P2P clients might have a fingerprint or signature)
–Packet analysis (flags or structure in afterglow connections that identify malicious or non-typical connections)
–Traffic analysis (do other protocols or attacks exhibit similar patterns, such as a 2-hour retry with 5 attempts?)
–Torrent variance (movies, music, etc.)

15 Summary
Certain qualitative statistical analyses can be used to look at network traffic for anomalies and patterns. Quantitative analysis is more difficult because the data are heavy-tailed and not normally distributed. Unexplained connection patterns exist in P2P afterglow connections.

