bisyron wahyudi muhammad salahuddien - first · pdf file218.75.49.242 485758 0.237019134...
TRANSCRIPT
by Bisyron Wahyudi Muhammad Salahuddien
Amount of malicious traffic circulating on the Internet is increasing significantly.
Increasing complexity and rapid change in hosts and networks technology suggests that there will be new vulnerabilities.
Attackers have interest in identifying networks and hosts to expose vulnerabilities :
Network scans
Worms
Trojans
Botnet
Complicated methods of attacks make difficult to identify the real attacks : It is not simple as filtering out the traffic from some sources
Security is implemented like an “add on” module for the Internet.
Understanding nature behavior of malicious sources and targeted ports is important to minimize the damage by build strong specific security rules and counter measures
Help the cyber security policy-making process, and to raise public awareness
Questions : Do malicious sources generate the attacks uniformly ? Is there any pattern specific i.e. recurrence event ? Is there any correlation between the number of some
attacks over specific time ?
Many systems and phenomena (events) are distributed according to a “power law”
When one quantity (say y) depends on another (say x) raised to some power, we say that y is described by a power law
A power law applies to a system when:
large is rare and
small is common
Collection of System logs from Networked Intrusion Detection System (IDS)
The NIDS contains 11 sensors installed in different core networks in Indonesian ISP (NAP)
Period : January, 2012 - September, 2012 Available fields :
▪ Event Message, Timestamp, Dest. IP, Source IP, Attacks Classification, Priority, Protocol, Dest. Port/ICMP code, Source Port/ICMP type, Sensors ID
Two quantities x and y are related by a power law if y is proportional to x(-c) for a constant c
y = .x(-c) If x and y are related by a power law, then the
graph of log(y) versus log(x) is a straight line log(y) = -c.log(x) + log()
The slope of the log-log plot is the power exponent c
Destination Port Distribution
Monitor destination port for intrusion attempts
Source IP’s Distribution
Look for trends in the source address associated with intrusions events
Group intrusions into port 1434, 1433, 53, and 445
Understanding the behavior of malicious sources over the time
• Is there any correlation between the number of attacks over time ?
Time series analysis : Power spectrum analysis and Detrended Fluctuation Analysis (DFA)
0
0.2
0.4
0.6
0.8
1
1.2
61.
235
.46
.14
6
194
.14
6.1
06
.10
6
22
2.2
14.2
16.1
80
20
2.1
55.8
7.34
116
.66
.20
0.1
8
122
.117
.233
.118
60
.12
.20
0.2
3
124
.81.
80
.67
218
.20
1.19
2.2
02
114
.57.
34.3
1
124
.81.
210
.230
22
3.2
55.2
25.
80
218
.56
.33.
60
114
.57.
34.1
99
20
2.1
69
.52
.24
2
118
.97.
58.1
66
76.1
69
.138
.24
6
22
2.1
86
.13.
90
114
.59
.80
.61
60
.19
0.1
37.1
38
113.
212
.116
.37
22
3.2
55.2
30.6
5
22
3.2
55.2
30.7
4
61.
176
.19
2.1
50
180
.214
.233
.33
22
3.2
55.2
30.6
8
124
.81.
254
.14
7
117.
102
.10
1.18
3
22
3.2
55.2
30.2
9
22
3.2
55.2
30.6
110
.5.9
6.1
26
103.
10.6
6.7
0
116
.0.1
51.1
61
22
3.2
55.2
30.5
20
2.1
55.6
1.8
0
24
.73.
139
.84
22
3.2
55.2
29
.16
22
3.2
55.2
31.2
1
20
2.1
55.6
4.1
47
108
.18
.19
6.1
6
22
3.2
55.2
31.1
8
174
.55.
20
0.1
66
Cumulative Distribution
Cumulative Distribution
Source IP Counter Cumulative Distribution
61.235.46.146 1136787 0.127079841
124.239.195.131 497699 0.182716922
218.75.49.242 485758 0.237019134
211.141.86.248 315837 0.272326114
202.155.14.117 241850 0.29936219
119.235.24.210 214618 0.323354038
60.190.118.153 148839 0.339992544
61.128.110.96 145968 0.356310104
117.102.102.34 124868 0.370268924
Only a few sources are responsible for many generating malicious traffics
These sources attacks on ports 1434 (MS SQL-M), 53 (DNS), 445 (Microsoft DS), 1433(MS SQL-S)
Argument for a blacklist Most of sources are generating 1 attack
It is not efficient to filtering out these type of sources
Understanding the behavior of malicious sources over the time
• Is there any correlation between the number of attacks over time ?
Time series analysis : Power spectrum analysis and DFA
If we analyze the total time series from all sensors: there are no strong correlation between the number of attacks and time
Analyzing the time series from each sensor is preferred. The statistical properties for each sensor is not the same.
11/27/2012 19
11/27/2012 20
11/27/2012 21
11/27/2012 22
The number of attacks behavior over the time is random
The result of DFA seems to be divided into two region of different exponents of Power Law fluctuation.
There is a bending point, need more investigation.
0
0.2
0.4
0.6
0.8
1
1.2
1434
(ms-
sql-
m)/
ud
p
66
99
/ud
p
102
7/u
dp
1030
(iad
1)/u
dp
356
93/
ud
p
180
62
/ud
p
129
98
/ud
p
100
13/u
dp
64
016
/ud
p
1054
/ud
p
1071
/ud
p
99
66
/ud
p
84
41/
ud
p
1059
(nim
reg
)/u
dp
136
63/
ud
p
5112
0/u
dp
20
973
/ud
p
558
18/u
dp
479
07/
ud
p
474
29
/ud
p
100
39/u
dp
188
42
/ud
p
389
35/u
dp
1119
/ud
p
1873
/ud
p
168
8/u
dp
20
184
/ud
p
60
00
1/u
dp
159
4/u
dp
5937
5/u
dp
1078
5/u
dp
118
1/u
dp
540
75/u
dp
100
92
/ud
p
100
54/u
dp
272
04
/ud
p
180
76/u
dp
109
6/u
dp
1811
9/u
dp
5236
(pad
l2si
m)/
ud
p
1131
/ud
p
1634
/ud
p
134
7 (b
bn
-mm
c)/u
dp
22
185/
ud
p
Cumulative Distribution
Cumulative Distribution
Only a few ports become target of most attacks Port 1434 (MS SQL-M), 53 (DNS), 1433 (MS SQL-
S), 445 (microsoft-ds)
Destination Port Counter Cumulative Distribution
1434 (ms-sql-m)/udp 4129135 0.46774675
53 (domain)/udp 1900826 0.683071554
1433 (ms-sql-s)/tcp 891009 0.784004694
445 (microsoft-ds)/tcp 304656 0.818516003
3306/tcp 98583 0.829683446
80 (http)/tcp 78690 0.838597417
80 (http)/udp 65922 0.846065035
34354/tcp 62865 0.853186357
32115/udp 46580 0.85846292
0
0.2
0.4
0.6
0.8
1
1.2
SQ
L p
rob
e re
spo
nse
ove
rflo
w a
ttem
pt …
SQ
L h
eap
-bas
ed o
verf
low
att
emp
t (1
:49
90
)
SQ
L S
A b
rute
fo
rce
log
in a
ttem
pt
TD
S v
7/8
…
SQ
L v
ersi
on
ove
rflo
w a
ttem
pt
(1:2
050
)
SQ
L W
orm
pro
pag
atio
n a
ttem
pt
(1:2
00
3)
BO
TN
ET
-CN
C V
iru
t D
NS
req
ues
t fo
r C
&C
…
BO
TN
ET
-CN
C V
iru
t D
NS
req
ues
t at
tem
pt …
WE
B-M
ISC
Mic
roso
ft A
SP
.NE
T in
form
atio
n …
SP
YW
AR
E-P
UT
To
rpig
bo
t si
nkh
ole
ser
ver …
BO
TN
ET
-CN
C P
alev
o b
ot
DN
S r
equ
est …
BO
TN
ET
-CN
C P
alev
o b
ot
DN
S r
equ
est
for …
BO
TN
ET
-CN
C T
roja
n.Z
eus
P2
P o
utb
ou
nd
…
AT
TA
CK
-RE
SP
ON
SE
S In
valid
UR
L (1
:12
00
)
BO
TN
ET
-CN
C P
oss
ible
ho
st in
fect
ion
- …
WE
B-P
HP
Wo
rdp
ress
tim
thu
mb
.ph
p t
hem
e …
BO
TN
ET
-CN
C T
orp
ig b
ot
sin
kho
le s
erve
r …
SQ
L s
a b
rute
fo
rce
faile
d lo
gin
un
ico
de
…
DO
S M
icro
soft
Win
do
ws
NA
T H
elp
er D
NS
…
PO
LIC
Y f
aile
d m
ysq
l lo
gin
att
emp
t (1
:133
57)
BO
TN
ET
-CN
C P
oss
ible
Zeu
s U
ser-
Ag
ent
- …
MY
SQ
L c
lien
t au
then
tica
tio
n b
ypas
s …
SP
EC
IFIC
-TH
RE
AT
S m
sbla
st a
ttem
pt
(1:9
42
2)
PO
LIC
Y m
ysq
l lo
gin
att
emp
t fr
om
…
SQ
L g
ener
ic s
ql u
pd
ate
inje
ctio
n a
ttem
pt
- …
SH
EL
LC
OD
E x
86
OS
ag
no
stic
fn
sten
v g
etei
p …
MY
SQ
L p
roto
col 4
1 cl
ien
t au
then
tica
tio
n …
PO
LIC
Y f
aile
d O
racl
e M
ysq
l lo
gin
att
emp
t …
SQ
L p
ing
att
emp
t (1
:20
49
)
BA
CK
DO
OR
tro
jan
ag
ent.
aarm
ru
nti
me …
BA
CK
DO
OR
on
ly 1
rat
ru
nti
me
det
ecti
on
- …
SP
YW
AR
E-P
UT
Ad
war
e d
ow
nlo
ad …
BO
TN
ET
-CN
C W
32.D
ofo
il va
rian
t o
utb
ou
nd
…
BA
D-T
RA
FF
IC B
IND
nam
ed 9
dyn
amic
…
PO
LIC
Y O
racl
e M
ysq
l lo
gin
att
emp
t fr
om
…
WE
B-M
ISC
Mic
roso
ft A
SP
.NE
T in
form
atio
n …
WE
B-C
LIE
NT
Po
rtab
le E
xecu
tab
le b
inar
y fi
le …
NE
TB
IOS
DC
ER
PC
NC
AC
N-I
P-T
CP
srv
svc …
EX
PL
OIT
IBM
Tiv
oli
Sto
rag
e M
anag
er …
SQ
L g
ener
ic s
ql i
nse
rt in
ject
ion
att
tem
pt
- …
SH
EL
LC
OD
E x
86
OS
ag
no
stic
xo
r d
wo
rd …
DO
S M
SD
TC
att
emp
t (1
:14
08
)
SQ
L u
nio
n s
elec
t -
po
ssib
le s
ql i
nje
ctio
n …
SQ
L M
ySQ
L/M
aria
DB
clie
nt
auth
enti
cati
on
…
AT
TA
CK
-RE
SP
ON
SE
S id
ch
eck
retu
rned
…
BA
CK
DO
OR
c9
9sh
ell.p
hp
co
mm
and
req
ues
t …
MY
SQ
L S
un
MyS
QL
mys
ql_
log
…
BO
TN
ET
-CN
C T
roja
n-…
SP
EC
IFIC
-TH
RE
AT
S k
org
o a
ttem
pt
(1:9
42
0)
SP
EC
IFIC
-TH
RE
AT
S R
edK
it R
epea
ted
…
Cumulative Distribution
Cumulative Distribution
Event Message Counter Cumulative Distribution
SQL probe response overflow attempt (1:2329) 4436014 0.34605762
SQL heap-based overflow attempt (1:4990) 2526867 0.543180888
SQL SA brute force login attempt TDS v7/8 (1:3543) 884743 0.612200521
SQL version overflow attempt (1:2050) 878459 0.680729933
SQL Worm propagation attempt (1:2003) 696421 0.735058389
BOTNET-CNC Virut DNS request for C&C attempt (1:16302) 609160 0.782579533
BOTNET-CNC Virut DNS request attempt (1:16304) 554635 0.825847131
WEB-MISC Microsoft ASP.NET information disclosure attempt (3:17429) 413011 0.858066507
SPYWARE-PUT Torpig bot sinkhole server DNS lookup attempt (1:16693) 208301 0.874316263
Exploit for the SQL Server 2000 resolution service buffer overflow
The SQL Slammer or Sapphire worm used a classic Buffer Overflow in the Microsoft SQL Resolution Service that was provided with SQL Server 2000 and MSDE
It used only a single UDP packet aimed at port 1434 to spread, causing it to be fast and nearly unstoppable
11/27/2012 32
11/27/2012 33
11/27/2012 34
The attacks behavior on port 1434 is random The result of DFA seems to be divided into
two region of different exponents of Power Law fluctuation
There is a bending point– further analysis needed, is there any specific real activities (social, user behavior, etc.) related to this different exponents
Blocking adultery sites address (Admin policy) Authors of viruses, Trojan horses and other malware may
interfere with user DNS for a variety of reasons, including: attempting to block access to remediation resources (such as
system patches, AV updates, malware cleanup tools) attempting to redirect users from legitimate sensitive sites
(such as online banks and brokerages) to rogue web sites run by phishers
attempting to redirect users from legitimate sites to malware-tainted sites where the user can become (further) infected
attempting to redirect users to pay-per-view or pay-per-click websites in an effort to garner advertising revenues
attempting to resolve the target for spreading malware
The attacks behavior on port 53 is random The result of DFA seems to be divided into two region
of different exponents of Power Law fluctuation There is a bending point – further analysis needed, is
there any specific real occasion (social, user behavior, etc.) related to this different exponents
Peaks appears several times in the short time scales Suggestion :
▪ DNS poisoning
▪ Network scans running by hosts infected by malware or hosts part of bot-net
Microsoft-DS Service is used for resource sharing on Windows 2000, XP, 2003, and other samba based connections
This is the port that is used to connect file shares for example
0 1 2 3 4 5 6 7 8 9 10
x 105
-1
-0.5
0
0.5
1
1.5x 10
4
t (second)
yt
100
101
102
103
104
105
106
10710
-7
10-6
10-5
10-4
10-3
10-2
10-1
= 0.74937
l
F(l)
The data shows clear Power Law fluctuations The exponents of the fluctuation for attacks
targeted port 445 are almost unity The attacks on the port 445 seems to have
correlation (possible recurrence event) This finding agrees with previous research
done by Uli Harder, “Observing Internet Worm and Virus Attacks with a Small Network Telescope”
• Ravindo Tower 17th Floor
• Kebon Sirih Raya, Kav. 75
• Central Jakarta, 10340
• Phone +62 21 3192 5551
• Fax +62 21 3193 5556
• [email protected] ; www.idsirtii.or.id