Traffic Analysis and Risk Assessment of a Medium-Sized ISP Alan W. Rateliff, II Florida Internet Service Provider Approximately 2000 ADSL users Connections.


1 Traffic Analysis and Risk Assessment of a Medium-Sized ISP
Alan W. Rateliff, II
- Florida Internet Service Provider
- Approximately 2000 ADSL users
- Connections between 256kb/s and 5Mb/s
- Traffic monitoring between ADSL aggregation device and Internet

2 The Tool Selected ISP customer DSL traffic is sent to Q-Radar using a network switch “monitor” port Analyzes captures to identify potentially malicious traffic Three primary activities used as presentation basis www.q1labs.com

3 Traffic Anomalies
- Protocol and port mismatch
  - 500kb/s bursts
- Remote system port scanning
  - 1.2Mb/s bursts
- Internet Relay Chat bot-net controls
  - > 59,000 events over 12-day period
- Honorable Mentions
  - “Direct-to-MX” SMTP transactions (spam, etc.)
  - P2P Networking (BitTorrent, eDonkey, etc.)

4 Protocol/Port Mismatches
- Protocol communication on a non-common port
- Evades port-blocking and monitoring
  - Firewalls and ACLs
  - Simple IDS
- IANA maintains official list of commonly used or well-known ports
- Examples of legitimate port mismatches:
  - SMTP (port 25) on port 587
  - HTTP (port 80) on port 8080

5 Remote System Port Scans
- First stages of attack on a remote system
- Probes for services actively accepting connections
- Services are probed for known vulnerabilities
- Can detect services on non-standard ports
- Can identify operating systems
- F/OSS Scanner: nmap (insecure.org)

6

7 Internet Relay Chat (IRC) Connections
- Internet-based “chat rooms” called “channels”
- Bot-net clients connect and idle in protected channels
- Bot Master issues commands to clients via protected channel
- Standard IRC port is 6667 (Defined by RFC 1459 and 2812)
- Can make use of port mismatching
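The protocol/port mismatch check described on slides 4 and 7, as an added example that is not part of the original presentation: it identifies the protocol from the first payload bytes of a flow and compares it with the ports the slides list for that protocol. The signatures, function names and sample flows are constructed assumptions, and this is not how Q-Radar implements its detection.

```python
import re

# Simplified payload signatures (constructed; real IDS signatures are richer).
SIGNATURES = {
    "irc": re.compile(rb"^(?::\S+ )?(?:PASS|NICK|USER|JOIN|PRIVMSG|PING|PONG) ", re.I),
    "smtp": re.compile(rb"^(?:EHLO|HELO) \S+|^MAIL FROM:", re.I),
    "http": re.compile(rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]"),
}
# Ports taken from the slides: IRC 6667, SMTP 25 (587 legitimate),
# HTTP 80 (8080 legitimate).
EXPECTED_PORTS = {"irc": {6667}, "smtp": {25, 587}, "http": {80, 8080}}

def identify(payload: bytes):
    """Return the protocol name whose signature matches, or None."""
    for proto, pattern in SIGNATURES.items():
        if pattern.match(payload):
            return proto
    return None

def classify(dst_port: int, payload: bytes) -> str:
    """Return 'ok', 'mismatch:<proto>' or 'unknown' for one flow."""
    proto = identify(payload)
    if proto is None:
        return "unknown"  # encrypted or unrecognised; not judged here
    if dst_port in EXPECTED_PORTS[proto]:
        return "ok"
    return f"mismatch:{proto}"

def find_mismatches(flows):
    """Return (src, dst_port, proto) for every flow on an unexpected port."""
    hits = []
    for src, dst_port, payload in flows:
        verdict = classify(dst_port, payload)
        if verdict.startswith("mismatch:"):
            hits.append((src, dst_port, verdict.split(":", 1)[1]))
    return hits

# Constructed sample flows: (source address, destination port, first payload bytes).
FLOWS = [
    ("192.0.2.11", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"),
    ("192.0.2.12", 587, b"EHLO client.example.net\r\n"),
    ("192.0.2.13", 8080, b"NICK guest1234\r\nUSER g 0 * :g\r\n"),
    ("192.0.2.14", 6667, b"NICK alice\r\n"),
    ("192.0.2.15", 443, b"\x16\x03\x01\x02\x00\x01"),
    ("192.0.2.16", 25, b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    print(find_mismatches(FLOWS))
```

Flows whose payload matches no signature are reported as "unknown" rather than flagged, so encrypted traffic needs a separate check.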

8 Mitigating Violations
- Pro
  - Increases end-user security and satisfaction
  - Decreases network loads
  - Increases network usability
- Con
  - Potential information leaks
  - Potentially subject to disclosure
  - Information could be abused
  - Other privacy concerns

9 Discussion
- Strict policy and legal controls and enforcement can mitigate privacy concerns
- Other pros and cons
- Questions and comments

