Presentation is loading. Please wait.

Presentation is loading. Please wait.

Vulnerabilities of Passive Internet Threat Monitors Yoichi Shinoda Japan Advanced Institute of Science and Technology Ko Ikai National Police Agency, Japan.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Vulnerabilities of Passive Internet Threat Monitors Yoichi Shinoda Japan Advanced Institute of Science and Technology Ko Ikai National Police Agency, Japan."— Presentation transcript:

1 Vulnerabilities of Passive Internet Threat Monitors Yoichi Shinoda Japan Advanced Institute of Science and Technology Ko Ikai National Police Agency, Japan Motomu Itoh JPCERT/CC

2 Passive Internet Threat Monitors Passive Internet monitoring measures and characterizes interesting network activity – e.g. worms, distributed DoS attacks, etc. The operation of Internet threat monitors assumes that sensors are observing only non-biased background traffic.

3 Passive Internet Threat Monitors

4 Characterizing Threat Monitors Report Types – Port Table Captured events over a range of ports. – Time-Series Graph Summarizing and visualizing events.

5 The Problem The addresses of real network monitor sensors can be identified. – Sensors may be fed with arbitrary packets. – Sensors may become DoS victims. – Sensors may be evaded. Sensor attackers or evaders do not require a complete list of sensor addresses.

6 Detection Methods The Basic Cycle

7 Feedback Properties Accumulation Window: The duration between two consecutive counter resets. Time Resolution: The minimum unit of time that can be observed in a feedback. Feedback Delay: The time between a capture event and next feedback update. Retention Time: The maximum duration that an event is held in the feedback.

8 Marking Algorithms Address-Encoded-Port Marking – An address is marked with a marker that has its destination port number derived from encoding part of the address bits.

9 Marking Algorithms Time Series Marking – Each sub-block is marked within the time resolution window of the feedback so that results from marking can be reverse back to the corresponding sub-block.

10 Marking Algorithms Uniform Intensity Marking (1/2) – All addresses are marked with the same intensity. – Address blocks are divided into smaller sub- blocks. – Each sub-block is marked using time-series marking, each address with a single marker.

11 Marking Algorithms Uniform Intensity Marking (2/2) – Example Suppose we have a /16 address block which contains several sensors. The original block is divided into 16 /20 sub-blocks. One sensor in sub-block #3 One sensor in sub-block #7 Two sensors in sub-block #10

12 Marking Algorithms Radix-Intensity Marking (1/2) – Selected address bits are translated into marking intensity. e.g. the number of packets for each address. – For example, if we are marking 16 /20 sub-blocks Mark the first /21 block within a sub-block with 2 markers and the second /21 block with 3 markers.

13 Marking Algorithms Radix-Intensity Marking (2/2) – Radix-intensity marking was able to derive information about the positions of these sensors within each sub-block. – Uniform-intensity marking would have derived only the number of sensors in each sub-block. – Ambiguity for feedback intensity value of 6 (?). One sensor in the first half One sensor in the second half Two sensors, one in the fist half and the other in the second half

14 Designing a Marking Activity Target Range – Decide on the range of addresses that we want to mark. Marking Algorithm – Determined by the properties of the feedback.  Table form  Address-Encoded-Port marking  Graph form  Time-Series marking Marker Design – Marker type: proto, source and destination port. – Source address. – Payload.

15 Designing a Marking Activity Intensity – Number of markers sent to a single address. Bandwidth – Limiting factor. Velocity – The speed with which marker packets can be generated. Address Range Subdivision – Calculated from the velocity and the intensity. Marking Order – Scramble the order in which we send the markers.

16 Designing a Marking Activity Bandwidth vs. Time for various sized blocks and intensities for 64-byte Markers.

17 Protecting Threat Monitors Provide Less Information – Decrease the amount of information the system is giving out. E.g. longer accumulation window, less sensitivity, etc. Throttle the Information – Apply some standard remediation techniques that are being used to provide privacy in data mining.

18 Protecting Threat Monitors Introducing Explicit Noise – Introduce explicit variance into level sensitivity into sensors. – Inter-monitor collaboration. Disturbing Mark-Examine-Update Cycle – Degree of mobility required to disturb the cycle and how it affects monitor results must be studied.

19 Protecting Threat Monitors Marking Detection – Events generated by marking activities are basically local and transient by nature. Sensor Scale and Placement – Increasing number of sensors that are carefully placed provide a certain level of protection. Small Cautions – Prevent ICMP-based fingerprinting – introduce TTL mangling

20 A Simple Example

Download ppt "Vulnerabilities of Passive Internet Threat Monitors Yoichi Shinoda Japan Advanced Institute of Science and Technology Ko Ikai National Police Agency, Japan."

Similar presentations

Internet Measurement Conference 2003 Source-Level IP Packet Bursts: Causes and Effects Hao Jiang Constantinos Dovrolis (hjiang,

Internet Measurement Conference 2003 Source-Level IP Packet Bursts: Causes and Effects Hao Jiang Constantinos Dovrolis (hjiang,
24-1 Chapter 24. Congestion Control and Quality of Service (part 1) 23.1 Data Traffic 23.2 Congestion 23.3 Congestion Control 23.4 Two Examples.

24-1 Chapter 24. Congestion Control and Quality of Service (part 1) 23.1 Data Traffic 23.2 Congestion 23.3 Congestion Control 23.4 Two Examples.
RTP: A Transport Protocol for Real-Time Applications Provides end-to-end delivery services for data with real-time characteristics, such as interactive.

RTP: A Transport Protocol for Real-Time Applications Provides end-to-end delivery services for data with real-time characteristics, such as interactive.
1 Chapter 3 TCP and IP. Chapter 3 TCP and IP 2 Introduction Transmission Control Protocol (TCP) Transmission Control Protocol (TCP) User Datagram Protocol.

1 Chapter 3 TCP and IP. Chapter 3 TCP and IP 2 Introduction Transmission Control Protocol (TCP) Transmission Control Protocol (TCP) User Datagram Protocol.
Abilene Transit Security Policy Joint Techs Summer ’05 Vancouver, BC, CA Steve Cotter Director, Network Services Steve Cotter Director,

Abilene Transit Security Policy Joint Techs Summer ’05 Vancouver, BC, CA Steve Cotter Director, Network Services Steve Cotter Director,
Worm Origin Identification Using Random Moonwalks Yinglian Xie, V. Sekar, D. A. Maltz, M. K. Reiter, Hui Zhang 2005 IEEE Symposium on Security and Privacy.

Worm Origin Identification Using Random Moonwalks Yinglian Xie, V. Sekar, D. A. Maltz, M. K. Reiter, Hui Zhang 2005 IEEE Symposium on Security and Privacy.
Generated Waypoint Efficiency: The efficiency considered here is defined as follows: As can be seen from the graph, for the obstruction radius values (200,

Generated Waypoint Efficiency: The efficiency considered here is defined as follows: As can be seen from the graph, for the obstruction radius values (200,
1 Stochastic Event Capture Using Mobile Sensors Subject to a Quality Metric Nabhendra Bisnik, Alhussein A. Abouzeid, and Volkan Isler Rensselaer Polytechnic.

1 Stochastic Event Capture Using Mobile Sensors Subject to a Quality Metric Nabhendra Bisnik, Alhussein A. Abouzeid, and Volkan Isler Rensselaer Polytechnic.
Network Attacks Mark Shtern.

Network Attacks Mark Shtern.
Architecture for Network Hub in 2011 David Chinnery Ben Horowitz.

Architecture for Network Hub in 2011 David Chinnery Ben Horowitz.
Denial of Service Resilience in Ad Hoc Networks Imad Aad, Jean-Pierre Hubaux, and Edward W. Knightly Designed by Yao Zhao.

Denial of Service Resilience in Ad Hoc Networks Imad Aad, Jean-Pierre Hubaux, and Edward W. Knightly Designed by Yao Zhao.
Available bandwidth measurement as simple as running wget D. Antoniades, M. Athanatos, A. Papadogiannakis, P. Markatos Institute of Computer Science (ICS),

Available bandwidth measurement as simple as running wget D. Antoniades, M. Athanatos, A. Papadogiannakis, P. Markatos Institute of Computer Science (ICS),
Streaming Media. Unicast Redundant traffic Multicast One to many.

Streaming Media. Unicast Redundant traffic Multicast One to many.
Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.

Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.
Subnetting.

Subnetting.
John Kristoff DePaul Security Forum 2003 1 Network Defenses to Denial of Service Attacks John Kristoff +01 312 362-5878.

John Kristoff DePaul Security Forum Network Defenses to Denial of Service Attacks John Kristoff
Modeling/Detecting the Spread of Active Worms Lixin Gao Dept. Of Electrical & Computer Engineering Univ. of Massachusetts

Modeling/Detecting the Spread of Active Worms Lixin Gao Dept. Of Electrical & Computer Engineering Univ. of Massachusetts
Fast and Robust Worm Detection Algorithm Tian Bu Aiyou Chen Scott Vander Wiel Thomas Woo bearhsu.

Fast and Robust Worm Detection Algorithm Tian Bu Aiyou Chen Scott Vander Wiel Thomas Woo bearhsu.
Common forms and remedies Neeta Bhadane Raunaq Nilekani Sahasranshu.

Common forms and remedies Neeta Bhadane Raunaq Nilekani Sahasranshu.
MITACS-PINTS Prediction In Interacting Systems Project Leader : Michael Kouriztin.

MITACS-PINTS Prediction In Interacting Systems Project Leader : Michael Kouriztin.

Similar presentations

Ads by Google