
賴守全, Department of Computer and Communication Engineering, Ming Chuan University, 2007.08.23. Anomaly Detection in Internet Security. Bad News! Houston, we have a problem!



Presentation transcript:

1 賴守全, Department of Computer and Communication Engineering, Ming Chuan University, 2007.08.23. Anomaly Detection in Internet Security

2 Bad News! Houston, we have a problem!

3 Outline
− The Theory (review of previous talk)
− SNMP & MRTG
− NetFlow
− WireShark

4 The Theory

5 Network Layers: OSI reference model vs. Internet protocol suite
  7  Application   FTP, HTTP, SMTP, SNMP, NFS
  6  Presentation  XDR
  5  Session       RPC
  4  Transport     TCP, UDP, SCTP
  3  Network       IPv4, IPv6
  2  Data link
  1  Physical
  (also shown alongside layers 2 and 3: ARP, RARP, ICMP)

6 Layered Protocol Structure
  Layer 7  Application
  Layer 4  TCP, UDP
  Layer 3  IP
  Layer 2  MAC

7 Protocol Stacks: encapsulation on the way down (M = message, Ht = transport header, Hn = network header, Hd = data-link header); the peer stack removes each header again in reverse order
  Application  Message  M
  Transport    Segment  Ht M
  Network      Packet   Hn Ht M
  Data Link    Frame    Hd Hn Ht M
  Physical

8 Ethernet (Layer 2)
− Ethernet address = MAC address = hardware address; uniquely assigned
− CSMA/CD with binary exponential back-off
− Frame format (bytes): Destination Address (6) | Source Address (6) | Type (2) | Data (46–1500) | Frame Check Sequence (4)

9 Ethernet Hubs
− Signal relay (repeater): relays to all ports
− A LAN segment is a single collision domain
− Half-duplex

10 Ethernet Switches
− 10/100/1000 Mbps
− Store and forward: backplane bandwidth, forwarding rate
− L2 forwarding table: traffic filtering, FDB entries
− One collision domain per port
− Full duplex

11 IP Network (Layer 3)
− Routes packets
− Provides best-effort, unreliable, connectionless delivery of IP packets
− IP address: assigned by an authority; a logical address

12 IP Packet Format (each row is 4 bytes)
  Version | IP Header Length | Type Of Service | Total Length
  Identification | Flags | Fragment Offset
  Time To Live | Protocol | Header Checksum
  Source IP Address
  Destination IP Address
  Options (+ padding)
  Data

13 IP Addresses
− Network address + Subnet address + Host address (class C example: Network | Subnet | Host)
− Public address
− Private addresses (NAT): 10/8, 172.16/12, 192.168/16
− Subnet address: subnet mask; gateway address (default router)

14 ARP (Address Resolution)
− Maps an IP address to an Ethernet address
  − ARP spoofing
− Broadcast protocol
  − ARP flooding
− Example exchange: "Who is 163.25.6.227?" / "Yes, I am"

15 IP Network Diagnosis
− ICMP: echo, echo-reply, destination-unreachable
  − "ping" (knock on the door)
  − "traceroute" (tracert) (shows the path)

16 Transport Layer (Layer 4)
− A virtual circuit
− UDP: datagram delivery, connectionless, unreliable, minimal
− TCP: byte-stream, connection-oriented, reliable, full-duplex

17 TCP and UDP Ports (diagram): Host A (client) issues CONNECT to a port on Host B (server), where a process is in LISTEN

18 Port Number  Protocol  Application (service)
   21           FTP       File transfer
   23           TELNET    Remote login
   25           SMTP      Email
   53           DNS
   80           HTTP      WWW
   110          POP       Email
   119          NNTP      Newsgroup

19 UDP Datagram Format (each row is 4 bytes)
  Source Port | Destination Port
  Length | Checksum
  Data

20 TCP Datagram Format (each row is 4 bytes)
  Source Port | Destination Port
  Sequence Number
  Acknowledgement Number
  Offset | Reserved | Control | Window
  Checksum | Urgent Pointer
  Options (if any)
  Data

21 TCP Sequence Number: the TCP three-way handshake
  Host A → Host B: SYN, seq=X
  Host B → Host A: SYN, seq=Y, ACK=X+1
  Host A → Host B: seq=X+1, ACK=Y+1

22 SNMP & MRTG

23 SNMP Network Management (diagram): the SNMP Manager collects SNMP statistics from devices into storage; a traffic analyzer turns the stored data into HTML

24 SNMP
− SNMP: Simple Network Management Protocol
− Used to request (or set) values of MIB objects
− Five types of messages (SNMPv1):
  − Get
  − GetNext
  − Set
  − Response
  − Trap

25 MIB: Management Information Database

26 MIB Objects
− System Group (system): 1.3.6.1.2.1.1
− Interface Group (interface): 1.3.6.1.2.1.2
  − ifInOctets (.1.3.6.1.2.1.2.2.1.10.x)
  − ifOutOctets (.1.3.6.1.2.1.2.2.1.16.x)
− Internet Protocol (ip): 1.3.6.1.2.1.4
− Transmission Control Protocol (tcp): 1.3.6.1.2.1.6
− User Datagram Protocol (udp): 1.3.6.1.2.1.7
− Private (private): 1.3.6.1.4

27 SNMP & MIB (diagram)
  Manager → Agent (UDP/161): Get / GetNext / Set
  Agent → Manager: Response
  Agent → Manager (UDP/162): Trap

28 MRTG & RRDTool
− MRTG: Multi Router Traffic Grapher
  − http://people.ee.ethz.ch/~oetiker/webtools/mrtg/
− RRDTool: Round-Robin Database Tool
  − http://people.ee.ethz.ch/~oetiker/webtools/rrdtool/
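The MIB Objects and MRTG slides together describe polling ifInOctets and graphing it as bandwidth. As an added example (not code from the slides, MRTG or RRDTool), this converts two polls of that octet counter into bits per second the way a grapher must, including the Counter32 wrap; the poll values are constructed.

```python
# Added example (not from the slides): turn two polls of an interface
# octet counter (ifInOctets, OID .1.3.6.1.2.1.2.2.1.10.x on the MIB
# Objects slide) into bits per second, which is what MRTG graphs as
# bandwidth utilization.  Handles the Counter32 wrap that a busy link
# produces between polls.  Poll values below are constructed.

def octets_to_bps(prev_octets, prev_time, cur_octets, cur_time, counter_bits=32):
    """Bits/s between two polls of a monotonically increasing octet counter.
    A negative delta means the counter wrapped once; one wrap is corrected,
    two cannot be told apart (see max_unambiguous_interval)."""
    if cur_time <= prev_time:
        raise ValueError("poll timestamps must increase")
    delta = cur_octets - prev_octets
    if delta < 0:                       # counter wrapped modulo 2**counter_bits
        delta += 2 ** counter_bits
    return delta * 8 / (cur_time - prev_time)

def max_unambiguous_interval(link_bps, counter_bits=32):
    """Longest poll interval (s) before a saturated link can wrap the
    counter more than once and make the delta ambiguous; MRTG's default
    300 s interval is fine for a 100 Mb/s link but not for 1 Gb/s."""
    return (2 ** counter_bits) * 8 / link_bps

def utilization_pct(bps, link_bps):
    """Utilization of a link; a sustained jump well above the host's
    normal graph is the first hierarchical hint of an anomaly."""
    return 100.0 * bps / link_bps

# Constructed polls: (seconds since start, ifInOctets).  The counter is
# near 2**32 at the first poll and has wrapped by the second.
POLLS = [(0, 4_294_900_000), (300, 150_000)]

def demo():
    (t0, c0), (t1, c1) = POLLS
    bps = octets_to_bps(c0, t0, c1, t1)
    return bps, utilization_pct(bps, 100_000_000)
```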

29 Internet Worm Detection: a worm-infected host may generate an extra-high volume of probing packets

30 NetFlow

31 What is a Flow? Defined by 7 unique keys
− Source IP address
− Destination IP address
− Source port
− Destination port
− Layer 3 protocol type
− TOS byte (DSCP)
− Input logical interface (ifIndex)

32 NetFlow Version 5 Format (record fields, grouped by the question they answer)
  From/To: Source IP Address, Destination IP Address
  Application: Source TCP/UDP Port, Destination TCP/UDP Port, Protocol, TCP Flags
  Routing and Peering: Next Hop Address, Source AS Number, Dest. AS Number, Source Prefix Mask, Dest. Prefix Mask
  Usage: Packet Count, Byte Count
  Time of Day: Start sysUpTime, End sysUpTime
  Port Utilization: Input ifIndex, Output ifIndex
  Quality of Service: Type of Service

33 Why NetFlow?
− NetFlow statistics empower users to characterize their IP data flows
− The who, what, where, when, and how-much questions about IP traffic are answered
− Offers a rich data set to be mined for network management, traffic engineering, and value-added service offerings (e.g. marketing data, personal NMS data)

34 NetFlow Collection
− PC server
  − PIII-800 CPU, 512MB RAM, 60GB HD
  − FreeBSD, Linux or Solaris
− flow-tools
  − http://www.splintered.net/sw/flow-tools/

35 NetFlow Export (one flow per line)
  srcIP            dstIP            prot  srcPort  dstPort  octets    packets
  140.114.207.5    220.160.200.175  6     16881    3832     1349      18
  140.114.220.101  219.137.134.186  6     26898    1580     1731      16
  140.114.220.101  219.78.108.200   6     26898    2945     64440     64
  140.114.226.53   158.130.67.92    6     1710     80       7734      49
  140.114.226.53   158.130.67.92    6     1711     80       4002      20
  140.114.220.139  218.30.69.60     6     3111     80       1026      14
  140.114.220.95   66.103.161.14    6     21929    2422     11367     16
  140.114.222.89   218.169.119.181  6     6689     3651     5676041   5261
  140.114.215.148  66.176.238.135   6     3182     17832    13778622  11612
  140.114.220.95   210.85.10.144    6     21929    51618    15808052  15228
  140.114.201.85   219.78.180.227   6     16881    4201     7690251   12210
  140.114.200.89   61.64.210.102    6     4662     4641     7784807   6377
  140.114.207.124  219.68.60.215    6     3887     4662     8545059   7087
  140.114.229.95   203.69.46.221    6     1849     5000     815011    17017
  140.114.212.185  61.241.109.19    6     1947     4686     957536    19186
  140.114.218.12   218.167.184.51   6     2012     4662     6749068   5604
  140.114.201.85   220.138.79.26    6     16881    3825     7888766   10540
  140.114.201.85   218.102.191.195  6     16881    3328     7452556   12174
  140.114.216.144  172.180.24.79    6     47383    1111     306       6
  140.114.226.3    140.120.234.194  6     2927     1882     4140      90
  140.114.226.167  61.51.36.149     6     11376    4177     92        2

36 NetFlow Analysis
− Top hosts
− Traffic accounting (service accounting)
− Behavior analysis (anomaly detection)
  − Hosts which provide a public service (hosts with lots of incoming connections)
  − The service provided (ports with lots of incoming connections)
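The two analyses named on this slide (top hosts, and public services recognised by many incoming connections) applied to records in the layout of the NetFlow Export slide, as an added example that is not code from the slides or from flow-tools; the records are constructed and the local prefix is a parameter.

```python
# Added example (not from the slides): summarise NetFlow export records
# in the "srcIP dstIP prot srcPort dstPort octets packets" layout shown
# on the NetFlow Export slide.  Records below are constructed, not the
# slide's data; 140.114. stands in for the monitored campus prefix.
from collections import Counter, defaultdict

FLOWS = """\
140.114.1.10 203.0.113.5 6 3456 80 1200 10
140.114.1.11 203.0.113.5 6 3457 80 900 8
140.114.1.12 203.0.113.5 6 3458 80 15000 40
140.114.1.10 203.0.113.9 6 3459 443 6000 20
198.51.100.7 140.114.2.25 6 51000 25 2200 12
198.51.100.8 140.114.2.25 6 51001 25 2100 11
198.51.100.9 140.114.2.25 6 51002 25 2300 13
198.51.100.9 140.114.2.25 6 51003 25 400 5
"""

def parse(text):
    recs = []
    for line in text.splitlines():
        f = line.split()
        recs.append(dict(src=f[0], dst=f[1], proto=int(f[2]), sport=int(f[3]),
                         dport=int(f[4]), octets=int(f[5]), packets=int(f[6])))
    return recs

def top_hosts(recs, n=3):
    """Traffic accounting: octets sent per source host, largest first."""
    bytes_by_host = Counter()
    for r in recs:
        bytes_by_host[r["src"]] += r["octets"]
    return bytes_by_host.most_common(n)

def public_services(recs, local_prefix, min_clients=3):
    """Behaviour analysis: local (host, port) pairs that receive flows from
    at least min_clients distinct remote sources look like public services.
    Distinct sources are counted, so one chatty client does not qualify."""
    clients = defaultdict(set)
    for r in recs:
        if r["dst"].startswith(local_prefix) and not r["src"].startswith(local_prefix):
            clients[(r["dst"], r["dport"])].add(r["src"])
    return {k: len(v) for k, v in clients.items() if len(v) >= min_clients}
```

Running public_services over a whole day's export and comparing the result with the list of hosts that are supposed to offer services is the anomaly check: a workstation that suddenly appears as a "service" on port 25 is the open relay or bot of the later slides.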

37 Worm Detection: one host sends single 92-byte ICMP (protocol 1) probes to consecutive addresses (column labels reconstructed: start time, source IP:port, destination IP:port, protocol, packets, octets)
  1213.17:13:45.689 140.114.218.165:0 140.111.0.108:0 1 1 92
  1213.17:13:45.778 140.114.218.165:0 140.111.0.117:0 1 1 92
  1213.17:13:45.786 140.114.218.165:0 140.111.0.127:0 1 1 92
  1213.17:13:45.898 140.114.218.165:0 140.111.0.202:0 1 1 92
  1213.17:13:45.944 140.114.218.165:0 140.111.0.225:0 1 1 92
  1213.17:13:45.991 140.114.218.165:0 140.111.0.248:0 1 1 92
  1213.17:13:46.037 140.114.218.165:0 140.111.1.12:0 1 1 92
  1213.17:13:46.055 140.114.218.165:0 140.111.1.21:0 1 1 92
  1213.17:13:48.100 140.114.218.165:0 140.111.1.45:0 1 1 92
  1213.17:13:48.149 140.114.218.165:0 140.111.1.67:0 1 1 92
  1213.17:13:48.194 140.114.218.165:0 140.111.1.90:0 1 1 92
  1213.17:13:48.207 140.114.218.165:0 140.111.1.98:0 1 1 92
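The Internet Worm Detection slide states the symptom (a high volume of probing packets) and this slide shows what it looks like in flow records. As an added example that is not code from the slides or from flow-tools, this flags the fan-out pattern: one source, many distinct destinations, identical one-packet flows. The records are constructed with RFC 5737 documentation addresses, and the column order is assumed to match the slide as read above.

```python
# Added example (not from the slides): detect the scan-like fan-out shown
# on the Worm Detection slide in flow records laid out as
#   start_time src_ip:port dst_ip:port protocol packets octets
# One source reaching many distinct destinations with identical one-packet
# flows is what a probing worm-infected host looks like.  Records are
# constructed (RFC 5737 documentation addresses), not the slide's data.
from collections import defaultdict

FLOW_LINES = """\
1213.17:13:45.689 192.0.2.65:0 198.51.100.8:0 1 1 92
1213.17:13:45.778 192.0.2.65:0 198.51.100.17:0 1 1 92
1213.17:13:45.786 192.0.2.65:0 198.51.100.27:0 1 1 92
1213.17:13:45.898 192.0.2.65:0 198.51.100.102:0 1 1 92
1213.17:13:45.944 192.0.2.65:0 198.51.101.12:0 1 1 92
1213.17:13:46.037 192.0.2.65:0 198.51.101.21:0 1 1 92
1213.17:13:46.100 192.0.2.20:3456 203.0.113.5:80 6 14 1026
1213.17:13:46.149 192.0.2.20:3457 203.0.113.5:80 6 20 4002
"""

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        start, src, dst, proto, pkts, octets = line.split()
        flows.append(dict(start=start, src=src.rsplit(":", 1)[0],
                          dst=dst.rsplit(":", 1)[0], proto=int(proto),
                          packets=int(pkts), octets=int(octets)))
    return flows

def scanning_hosts(flows, min_targets=5, max_packets=2):
    """Map each suspicious source to (distinct destinations, all flows the
    same size).  Only tiny flows (<= max_packets) count: a scan is many
    short probes, while a real session carries more packets per flow."""
    targets = defaultdict(set)
    sizes = defaultdict(set)
    for f in flows:
        if f["packets"] <= max_packets:
            targets[f["src"]].add(f["dst"])
            sizes[f["src"]].add(f["octets"])
    return {src: (len(dsts), len(sizes[src]) == 1)
            for src, dsts in targets.items() if len(dsts) >= min_targets}
```

The web client 192.0.2.20 is not reported: its two flows carry 14 and 20 packets, so they never enter the tiny-flow count, while the probing host is flagged with six destinations and a uniform 92-octet size.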

38 Open Mail Relay Detection (diagram: hosts A, B and C, with SMTP and POP3 flows between them)

39 WireShark

40 Switch Port Mirroring
− Broadcast traffic
− Port mirroring (unicast)
− SPAN (Switched Port Analyzer)
− Failing open

41 Sniffing: Network analysis (also known as traffic analysis, protocol analysis, sniffing, packet analysis, eavesdropping, and so on) is the process of capturing network traffic and inspecting it closely to determine what is happening on the network. A sniffer is a program that monitors data traveling over a network.

42 A Double-Edged Sword: a network analyzer is used for
− Converting the binary data in packets to a readable format
− Troubleshooting problems on the network
− Analyzing the performance of a network to discover bottlenecks
− Network intrusion detection
− Logging network traffic for forensics and evidence
− Analyzing the operations of applications

43 Network Analyzer: a network analyzer is composed of five basic parts
− Hardware
− Capture driver
− Buffer
− Real-time analysis
− Decode

44 WireShark
− One of the best sniffers available; developed as a free, commercial-quality sniffer
− Numerous features, a nice graphical user interface (GUI), decodes over 400 protocols, and is actively developed and maintained
− Runs on UNIX-based systems, Mac OS X, and Windows
− A great sniffer to use in a production environment; available at http://www.wireshark.org/

45 A Sniffing Example (screenshot with three panes: Summary, Detail, Data)

46 Summary

47 User Requirements
− Fast and reliable problem resolution. Most users will tolerate occasional outages, but ….
− To be kept informed of the network status, including both scheduled and unscheduled disruptive maintenance
− The network to be managed in such a way as to afford their applications consistently good response time

48 Network Management Techniques
− ICMP (ping, traceroute): network connectivity, link quality, routing path
− SNMP (MRTG or RRDTool): bandwidth utilization (bps), forwarding rate (pps)
− NetFlow (flow-tools): accounting, top hosts, service analysis
− Packet sniffing (WireShark): troubleshooting, analysis

49 Anomaly Detection
− Computer network knowledge is the best (indeed, required) support for network anomaly detection
− Data are transmitted hierarchically through network protocol stacks
− Anomaly detection can likewise be done hierarchically:
  1. Network statistics (MRTG)
  2. Traffic analysis (NetFlow)
  3. Protocol analyzer (WireShark)

50 The Measurements: what can these measurements tell?
− Bandwidth consumption
− Packet forwarding rate
− NetFlow accountings
− Ping results
− Traceroute results
− Protocol-decoded packets after sniffing
− DNS, SMTP, POP, HTTP request-response results
− CPU load, memory usage, disk space

51 What's Wrong?

52 The End & Thank You!

