Characteristics of Internet Background Radiation
ACM Internet Measurement Conference (IMC), 2004
Authors: Ruoming Pang, Vinod Yegneswaran, Paul Barford, Vern Paxson, Larry Peterson
Presenter: Tai Do
CDA6938, UCF, Spring 2007
Introduction
• Background Radiation:
  – Traffic sent to unused addresses.
  – Nonproductive traffic: malicious (flooding backscatter, hostile scans, spam) or benign (misconfigurations).
  – Pervasive nature (hence “background”).
Backscatter
Source: [MVS01]
Introduction
• Goals of Characterization:
  – What is all this nonproductive traffic trying to do?
  – How can we filter it out to detect new types of malicious activity?
Outline
• Introduction
• Measurement Methodology
  – Filtering
  – Responders
  – Experimental Setup
• Data Analysis
• Concluding Remarks
Measurement Methodology (Filtering)
• Enormous volume of data:
  – 30,000 packets/sec of background radiation on a Class A network.
• Source-Destination Filtering:
  – Assumption: background radiation sources possess the same degree of affinity to every monitored IP address.
  – For each source, keep only its connections to N destinations.
Measurement Methodology (Filtering)
(figure-only slides)
Measurement Methodology (Active Responders)
• Why Active Responders?
  – Elicit further activity from scanners.
  – Distinguish between different types of background radiation.
• Stateless Responder: based on Active Sink.
• Stateful Responder: based on Honeyd.
Measurement Methodology (Application-Level Responders)
• Data-driven:
  – Which responders to build is decided by the observed traffic volumes.
• Application-level Responders:
  – Must not only adhere to the structure of the underlying protocol, but also know what to say.
• New types of activity emerge over time, so responders also need to evolve.
• To what degree can the development of responders be automated?
Measurement Methodology (Application-Level Responders)
• Responders developed for:
  – HTTP (port 80)
  – NetBIOS (port 137/139)
  – CIFS/SMB (port 139/445)
  – DCE/RPC [10] (port 135/1025 and CIFS named pipes)
  – Dameware (port 6129)
  – Backdoors installed by MyDoom (port 3127) and Beagle (port 2745)
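The requirement that an application-level responder both follow the protocol's structure and know what to say, as an added example for the port 80 case (not code from the paper, iSink, Honeyd or this presentation): a minimal HTTP responder written as a pure function so it can be exercised offline. The server banner, the request-line length limit, the canned replies and the activity labels are all assumptions of this example; the sample requests are constructed.

```python
"""Minimal application-level HTTP responder as a pure function (added example)."""
from typing import Sequence, Tuple

# Constructed choices for this example; the paper does not describe its
# responders' banners or reply bodies.
SERVER_BANNER = "Microsoft-IIS/5.0"   # port 80 radiation targets IIS, so present as IIS
MAX_REQUEST_LINE = 8192               # longer request lines are flagged rather than parsed


def parse_request_line(raw: bytes) -> Tuple[str, str, str]:
    """Return (method, target, version) from the first line of an HTTP request.

    Raises ValueError when the line does not have the three-token HTTP shape
    (UnicodeDecodeError is a ValueError subclass, so non-ASCII bytes also raise).
    """
    head = raw.partition(b"\r\n")[0]
    parts = head.decode("ascii").split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line")
    return parts[0], parts[1], parts[2]


def build_response(status: str, body: bytes, extra_headers: Sequence[str] = ()) -> bytes:
    """Assemble a structurally valid HTTP/1.1 reply: status line, headers, blank line, body."""
    headers = [
        f"HTTP/1.1 {status}",
        f"Server: {SERVER_BANNER}",
        f"Content-Length: {len(body)}",
        "Connection: close",
        *extra_headers,
    ]
    return ("\r\n".join(headers) + "\r\n\r\n").encode("ascii") + body


def respond(raw: bytes) -> Tuple[str, bytes]:
    """Classify one request and return (activity label, bytes to send back).

    In a sink this is fed whatever arrived on a socket bound to an unused
    address; here it is a pure function so it can be tested without a network.
    """
    if len(raw.partition(b"\r\n")[0]) > MAX_REQUEST_LINE:
        # An abnormally long request line is itself the observation worth
        # recording; the reply only needs to be well-formed.
        return "oversized-request-line", build_response("414 Request-URI Too Long", b"")
    try:
        method, target, _ = parse_request_line(raw)
    except ValueError:
        return "malformed", build_response("400 Bad Request", b"")
    if method == "OPTIONS":
        # Advertise WebDAV support so a client probing for it proceeds to its
        # next request, which is what the responder wants to observe.
        return "options-probe", build_response(
            "200 OK", b"", ("DAV: 1, 2", "Allow: OPTIONS, GET, HEAD, PROPFIND, SEARCH"))
    if method in ("PROPFIND", "SEARCH", "LOCK"):
        # A DAV-shaped multistatus reply is what such a client expects to see.
        body = b'<?xml version="1.0"?><D:multistatus xmlns:D="DAV:"/>'
        return f"webdav-{method.lower()}", build_response("207 Multi-Status", body)
    if method in ("GET", "HEAD"):
        body = b"" if method == "HEAD" else b"<html><body>It works.</body></html>"
        return f"{method.lower()} {target}", build_response("200 OK", body)
    return f"other-{method.lower()}", build_response("405 Method Not Allowed", b"")


if __name__ == "__main__":
    # Constructed sample requests, as a scanner might send them.
    for req in (b"GET / HTTP/1.0\r\n\r\n", b"SEARCH / HTTP/1.1\r\nHost: x\r\n\r\n", b"\x01\x02garbage\r\n"):
        label, reply = respond(req)
        print(label, reply.split(b"\r\n", 1)[0])
```

The label is the part the analyst keeps; the reply exists only to keep the client talking. The two failure modes the slide's wording implies are handled explicitly: a request that does not match the protocol's structure gets a well-formed 400 rather than a crash, and an oversized request line is recorded as its own category before any parsing is attempted.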
Measurement Methodology (Experimental Setup)
• Two different systems: iSink and LBL Sink.
• Traces collected from three sites:
  – Class A network (large)
  – UW campus (medium)
  – Lawrence Berkeley Lab (LBL) (small)
• Same forms of application response.
• Different underlying mechanisms.
• Support two kinds of data analysis:
  – Passive analysis: no filter, no responder
  – Active analysis: with filter and responder
Experimental Setup: iSink
(figure-only slide)
Experimental Setup: LBL Sink
(figure-only slide)
Outline
• Introduction
• Measurement Methodology
• Data Analysis
  – Passive Analysis
  – Active Analysis
    • Activities in Background Radiation
    • Characteristics of Sources
• Concluding Remarks
Passive Measurement: Traffic Composition
• What is the type and volume of observed traffic without actively responding to any packet?
• Findings:
  – TCP dominates in all three networks (compared to ICMP and UDP).
  – TCP/SYN packets constitute a significant portion of the background radiation traffic.
  – A small number of ports are the targets of the majority of TCP/SYN packets.
Activities in Background Radiation
• Study the dominant activities on the popular ports.
• Traffic is divided by port:
  – Consider all connections between a source-destination pair on a given destination port.
• Background radiation concentrates on a small number of ports:
  – Only look at the most popular ports.
  – Many popular ports are also used by normal traffic, so the analysis works at the application-semantic level.
• Investigate 12 ports.
TCP Port 80 (HTTP)
• Targeted at Microsoft IIS servers.
• Dominant activity is a WebDAV buffer-overrun exploit.
TCP Port 80 (HTTP): Port 80 Activities
(figure-only slide)
Characteristics of Sources
• Study background radiation activities coming from the same source IP (activity vector).
• Activity vector in three dimensions:
  – Across ports
  – Across destination networks
  – Over time
• Caveat:
  – DHCP: hosts might be assigned different addresses over time.
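The three-dimensional activity vector described above, as an added example (not the paper's or the presenter's code): per source IP it collects the destination ports touched, the monitored networks touched, and the first/last time seen. The network prefixes, the record shape, the sample records and the optional silence threshold used to limit the DHCP caveat are all assumptions of this example.

```python
"""Per-source activity vectors over constructed connection records (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed stand-ins for the three monitored sites (not the paper's prefixes).
NETWORKS = {
    "CLASS-A": ip_network("10.0.0.0/8"),
    "UW": ip_network("192.0.2.0/24"),
    "LBL": ip_network("198.51.100.0/24"),
}

# (timestamp in seconds, source IP, destination IP, destination port)
Record = Tuple[int, str, str, int]


def network_of(dst: str) -> str:
    """Map a monitored destination address to the site it belongs to."""
    addr = ip_address(dst)
    for name, net in NETWORKS.items():
        if addr in net:
            return name
    return "OTHER"


@dataclass
class ActivityVector:
    ports: Set[int] = field(default_factory=set)      # across ports
    networks: Set[str] = field(default_factory=set)   # across destination networks
    first_seen: Optional[int] = None                  # over time
    last_seen: Optional[int] = None

    def span(self) -> int:
        """Seconds between the first and last observation of this source."""
        return self.last_seen - self.first_seen


def activity_vectors(records: Iterable[Record], max_gap: Optional[int] = None) -> Dict[str, ActivityVector]:
    """Build one activity vector per source IP.

    With max_gap set, a source that falls silent for longer than max_gap
    seconds starts a new vector keyed "ip#k". This is one way of limiting the
    DHCP caveat on the slide (an address reused by another host would
    otherwise be merged into the first host's vector); the threshold is an
    assumption of this example, not a method from the paper.
    """
    vectors: Dict[str, ActivityVector] = {}
    episode: Dict[str, int] = defaultdict(int)
    last_ts: Dict[str, int] = {}
    for ts, src, dst, dport in sorted(records):
        if max_gap is not None and src in last_ts and ts - last_ts[src] > max_gap:
            episode[src] += 1
        last_ts[src] = ts
        key = src if max_gap is None else f"{src}#{episode[src]}"
        v = vectors.setdefault(key, ActivityVector())
        v.ports.add(dport)
        v.networks.add(network_of(dst))
        v.first_seen = ts if v.first_seen is None else min(v.first_seen, ts)
        v.last_seen = ts if v.last_seen is None else max(v.last_seen, ts)
    return vectors


def persistent_sources(vectors: Dict[str, ActivityVector], min_span: int) -> List[str]:
    """Sources (or episodes) observed over at least min_span seconds."""
    return sorted(k for k, v in vectors.items() if v.span() >= min_span)


# Constructed sample: one source hitting two ports in all three sites within
# two minutes, one hitting port 80 twice 30 days apart, one seen only once.
SAMPLE_RECORDS: List[Record] = [
    (0,       "203.0.113.5", "10.1.2.3",      445),
    (60,      "203.0.113.5", "192.0.2.10",    445),
    (120,     "203.0.113.5", "198.51.100.20", 135),
    (0,       "203.0.113.6", "10.1.2.4",      80),
    (2592000, "203.0.113.6", "10.1.2.5",      80),   # 30 days later
    (5,       "203.0.113.7", "192.0.2.11",    6129),
]

if __name__ == "__main__":
    for src, vec in activity_vectors(SAMPLE_RECORDS).items():
        print(src, sorted(vec.ports), sorted(vec.networks), f"span={vec.span()}s")
    print("seen for a week or more:", persistent_sources(activity_vectors(SAMPLE_RECORDS), 7 * 86400))
```

Without a silence threshold the second source looks like a host that persisted for a month; with a one-week threshold it becomes two short episodes, which is the more honest reading when the address could have been reassigned in between.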
Sources Across Ports
• Activities across ports may give a better picture of a source’s goals.
Agobot Sources: UW 1 (figure)
Sources Across Ports
• Top two exploits are extensively observed across all 4 networks.
Sources Seen Over Time
• Witty did not persist over a month: it deliberately damages its host.
• Blaster’s grip on hosts is quite tenacious.
Outline
• Introduction
• Measurement Methodology
• Data Analysis
• Concluding Remarks
Strengths of the paper
• First attempt to characterize background radiation.
• Good measurement methodology:
  – Effective filtering technique.
  – Detailed set of active responders for popular ports.
• Meaningful data analysis:
  – Passive analysis: activities concentrate on a few popular ports.
  – Active analysis: extreme dynamism in many aspects of background radiation.
Limitations of the paper
• The filtering could be biased:
  – It assumes the same kind of activity toward all destination IP addresses.
  – It fails to capture multi-vector worms that pick one exploit per IP address.
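The source-destination filter from the Measurement Methodology (Filtering) slide, together with the bias this slide points out, as one added example (not the paper's or the presenter's code): per source, only connections to N destinations are kept, and the constructed sample includes one source that uses a different probe against each address, so the run shows which activity the filter discards. The record shape, the activity labels, the addresses and N are all assumptions of this example.

```python
"""Source-destination filtering over constructed connection records (added example)."""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set


class Conn(NamedTuple):
    """One connection as a sink would record it (constructed shape, not the paper's)."""
    src: str        # source IP
    dst: str        # monitored, otherwise unused, destination IP
    dport: int      # destination port
    activity: str   # label the responder assigned to what the source did


def sd_filter(conns: Iterable[Conn], n: int) -> List[Conn]:
    """Source-destination filter: per source, keep connections to only n destinations.

    Records are processed in arrival order, as a streaming sink would see them.
    The first n distinct destinations a source contacts are admitted; later
    connections to those same destinations still pass, and connections to any
    other destination are dropped.
    """
    admitted: Dict[str, Set[str]] = defaultdict(set)
    kept: List[Conn] = []
    for c in conns:
        dsts = admitted[c.src]
        if c.dst in dsts or len(dsts) < n:
            dsts.add(c.dst)
            kept.append(c)
    return kept


def activities_by_source(conns: Iterable[Conn]) -> Dict[str, Set[str]]:
    """Which activity labels the analyst gets to see for each source."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for c in conns:
        seen[c.src].add(c.activity)
    return dict(seen)


def lost_activities(conns: Iterable[Conn], n: int) -> Dict[str, Set[str]]:
    """Activity labels per source that the n-destination filter discards."""
    conns = list(conns)
    before = activities_by_source(conns)
    after = activities_by_source(sd_filter(conns, n))
    lost = {s: labels - after.get(s, set()) for s, labels in before.items()}
    return {s: labels for s, labels in lost.items() if labels}


# Constructed sample. The first source behaves as the filter assumes (the same
# activity toward every address); the second picks one probe per destination,
# the multi-vector case the filter is biased against.
SAMPLE: List[Conn] = [
    Conn("198.51.100.7", "10.0.0.1", 445, "smb-probe"),
    Conn("198.51.100.7", "10.0.0.2", 445, "smb-probe"),
    Conn("198.51.100.7", "10.0.0.3", 445, "smb-probe"),
    Conn("198.51.100.7", "10.0.0.1", 445, "smb-probe"),     # revisit: still admitted
    Conn("203.0.113.9",  "10.0.0.1", 135, "rpc-probe"),
    Conn("203.0.113.9",  "10.0.0.2", 80,   "http-probe"),
    Conn("203.0.113.9",  "10.0.0.3", 6129, "dameware-probe"),
]

if __name__ == "__main__":
    print("kept", len(sd_filter(SAMPLE, 2)), "of", len(SAMPLE), "connections with N=2")
    print("activity lost to the filter:", lost_activities(SAMPLE, 2))
```

For the uniform source nothing is lost, which is exactly the situation the filter's assumption describes; for the multi-vector source the third probe is never seen by the analyst, and raising N only pushes the problem to the (N+1)th destination.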
• The DHCP problem makes the source IP address less accurate as a source identity.
• To what extent can the development of application-level responders be automated?
Thank you.
Questions?
References
• [Barford2004] Paul Barford. Trends in Internet Measurement. Slides, University of Wisconsin, Fall 2004.
• [MVS01] David Moore, Geoffrey M. Voelker, and Stefan Savage. Inferring Internet Denial-of-Service Activity. In Proceedings of the 10th USENIX Security Symposium, pages 9–22. USENIX, August 2001.
Some jargon
• Named pipe: supports inter-process communication; FIFO; system-persistent.
• CIFS: Common Internet File System.
• DCE/RPC: Distributed Computing Environment / Remote Procedure Call.
• SAMR: Security Account Manager Remote service.
• srvsvc: server service.
• msmsgri32.exe: ???
• SMB:
• Autorooter: similar to worms, but without self-propagation.