d4 project - open and collaborative network monitoring · 2019-05-22 · objective based on our...
TRANSCRIPT
![Page 1: D4 Project - Open and collaborative network monitoring · 2019-05-22 · Objective Based on our experience with MISP1 where sharing played an important role, we transpose the model](https://reader034.vdocument.in/reader034/viewer/2022042017/5e7586685482a71c731035a3/html5/thumbnails/1.jpg)
D4 ProjectOpen and collaborative network monitoring
D4 projectTeam CIRCLhttps://www.d4-project.org/
2019/05/22
TEAM CIRCL
![Page 2: D4 Project - Open and collaborative network monitoring · 2019-05-22 · Objective Based on our experience with MISP1 where sharing played an important role, we transpose the model](https://reader034.vdocument.in/reader034/viewer/2022042017/5e7586685482a71c731035a3/html5/thumbnails/2.jpg)
Problem statement
CSIRTs (or private organisations) build their own honeypot,honeynet or blackhole monitoring networkDesigning, managing and operating such infrastructure is atedious and resource intensive taskAutomatic sharing between monitoring networks fromdi�erent organisations is missingSensors and processing are often seen as blackbox ordi�cult to audit
1 33
![Page 3: D4 Project - Open and collaborative network monitoring · 2019-05-22 · Objective Based on our experience with MISP1 where sharing played an important role, we transpose the model](https://reader034.vdocument.in/reader034/viewer/2022042017/5e7586685482a71c731035a3/html5/thumbnails/3.jpg)
Objective
Based on our experience with MISP1 where sharing playedan important role, we transpose the model in D4 projectKeeping the protocol and code base simple and minimalAllowing every organisation to control and audit their ownsensor networkExtending D4 or encapsulating legacy monitoring protocolsmust be as simple as possibleEnsuring that the sensor server has no control on the sensor(unidirectional streaming)Don’t force users to use dedicated sensors and allow�exibility of sensor support (software, hardware, virtual)
1https://github.com/MISP/MISP2 33
![Page 4: D4 Project - Open and collaborative network monitoring · 2019-05-22 · Objective Based on our experience with MISP1 where sharing played an important role, we transpose the model](https://reader034.vdocument.in/reader034/viewer/2022042017/5e7586685482a71c731035a3/html5/thumbnails/4.jpg)
D4 Overview
3 33
![Page 5: D4 Project - Open and collaborative network monitoring · 2019-05-22 · Objective Based on our experience with MISP1 where sharing played an important role, we transpose the model](https://reader034.vdocument.in/reader034/viewer/2022042017/5e7586685482a71c731035a3/html5/thumbnails/5.jpg)
(short) History
D4 Project (co-funded under INEA CEF EU program) started -1st November 2018D4 encapsulation protocol version 1 published - 1stDecember 2018v0.1 release of the D4 core2 including a server and simple D4C client - 21st January 2019First version of a golang D4 client3 running on ARM, MIPS,PPC and x86 - 14th February 2019
2https://www.github.com/D4-project/d4-core3https://www.github.com/D4-project/d4-goclient/
4 33
![Page 6: D4 Project - Open and collaborative network monitoring · 2019-05-22 · Objective Based on our experience with MISP1 where sharing played an important role, we transpose the model](https://reader034.vdocument.in/reader034/viewer/2022042017/5e7586685482a71c731035a3/html5/thumbnails/6.jpg)
(short) History
Release Dateanalyzer-d4-passivedns-v0.1 Apr. 5, 2019analyzer-d4-passivessl-0.1 Apr. 25, 2019analyzer-d4-pibs-v0.1 Apr. 8, 2019BGP-Ranking-1.0 Apr. 25, 2019d4-core-v0.1 Jan. 25, 2019d4-core-v0.2 Feb. 14, 2019d4-core-v0.3 Apr. 8, 2019d4-goclient-v0.1 Feb. 14, 2019d4-goclient-v0.2 Apr. 8, 2019d4-server-packer-0.1 Apr. 25, 2019IPASN-History-1.0 Apr. 25, 2019sensor-d4-tls-�ngerprinting-0.1 Apr. 25, 2019
see https://github.com/D4-Project
5 33
![Page 7: D4 Project - Open and collaborative network monitoring · 2019-05-22 · Objective Based on our experience with MISP1 where sharing played an important role, we transpose the model](https://reader034.vdocument.in/reader034/viewer/2022042017/5e7586685482a71c731035a3/html5/thumbnails/7.jpg)
Roadmap - output
CIRCL will host a server instance for organisations willing tocontribute to a public dataset without running their own D4server:X Blackhole DDoSX Passive DNSX Passive SSL
BGP mappingegress �ltering mappingRadio-Spectrum monitoring: 802.11, BLE, etc....
6 33
![Page 8: D4 Project - Open and collaborative network monitoring · 2019-05-22 · Objective Based on our experience with MISP1 where sharing played an important role, we transpose the model](https://reader034.vdocument.in/reader034/viewer/2022042017/5e7586685482a71c731035a3/html5/thumbnails/8.jpg)
D4 encapsulation protocol
7 33
![Page 9: D4 Project - Open and collaborative network monitoring · 2019-05-22 · Objective Based on our experience with MISP1 where sharing played an important role, we transpose the model](https://reader034.vdocument.in/reader034/viewer/2022042017/5e7586685482a71c731035a3/html5/thumbnails/9.jpg)
D4 Header
Name bit size Descriptionversion uint 8 Version of the headertype uint 8 Data encapsulated typeuuid uint 128 Sensor UUIDtimestamp uint 64 Encapsulation timehmac uint 256 Authentication header (HMAC-SHA-256-128)size uint 32 Payload size
8 33
![Page 10: D4 Project - Open and collaborative network monitoring · 2019-05-22 · Objective Based on our experience with MISP1 where sharing played an important role, we transpose the model](https://reader034.vdocument.in/reader034/viewer/2022042017/5e7586685482a71c731035a3/html5/thumbnails/10.jpg)
D4 Header
Type Description0 Reserved1 pcap (libpcap 2.4)2 meta header (JSON)3 generic log line4 dnscap output5 pcapng (diagnostic)6 generic NDJSON or JSON Lines7 generic YAF (Yet Another Flowmeter)8 passivedns CSV stream254 type de�ned by meta header (type 2)
9 33
![Page 11: D4 Project - Open and collaborative network monitoring · 2019-05-22 · Objective Based on our experience with MISP1 where sharing played an important role, we transpose the model](https://reader034.vdocument.in/reader034/viewer/2022042017/5e7586685482a71c731035a3/html5/thumbnails/11.jpg)
D4 meta header
D4 header includes an easy way to extend the protocol (via type2) without altering the format. Within a D4 session, the initial D4packet(s) type 2 de�nes the custom headers and then thefollowing packets with type 254 is the custom data encapsulated.{" type " : " ja3− j l " ," encoding " : " utf −8" ," tags " : [" t lp : white "
] ,"misp : org " : "5 b642239−4db4−4580−adf4−4ebd950d210f "
}
10 33
![Page 12: D4 Project - Open and collaborative network monitoring · 2019-05-22 · Objective Based on our experience with MISP1 where sharing played an important role, we transpose the model](https://reader034.vdocument.in/reader034/viewer/2022042017/5e7586685482a71c731035a3/html5/thumbnails/12.jpg)
D4 server
D4 core server4 is a complete server to handle clients(sensors) including the decapsulation of the D4 protocol,control of sensor registrations, management of decodingprotocols and dispatching to adequate decoders/analysers.D4 server is written in Python 3.6 and runs on standardGNU/Linux distribution.
4https://github.com/D4-project/d4-core11 33
![Page 13: D4 Project - Open and collaborative network monitoring · 2019-05-22 · Objective Based on our experience with MISP1 where sharing played an important role, we transpose the model](https://reader034.vdocument.in/reader034/viewer/2022042017/5e7586685482a71c731035a3/html5/thumbnails/13.jpg)
D4 server handling
D4 server reconstructs the encapsulated stream from the D4sensor and saves it in a Redis stream.
Support TLS connectionUnpack D4 headerVerify client secret key (HMAC)check blocklistFilter by types (Only accept one connection by type-UUID -except: type 254)Discard incorrect dataSave data in a Redis Stream (unique for each session)
12 33
![Page 14: D4 Project - Open and collaborative network monitoring · 2019-05-22 · Objective Based on our experience with MISP1 where sharing played an important role, we transpose the model](https://reader034.vdocument.in/reader034/viewer/2022042017/5e7586685482a71c731035a3/html5/thumbnails/14.jpg)
D4 server - worker handler
After the stream is processed depending of the type usingdedicated worker.
Worker Manager (one by type)I Check if a new session is created and valid data are saved ina Redis stream
I Launch a new Worker for each sessionWorkerI Get data from a streamI Reconstruct dataI Save data on disk (with �le rotation)I Save data in Redis. Create a queue for D4 Analyzer(s)
13 33
![Page 15: D4 Project - Open and collaborative network monitoring · 2019-05-22 · Objective Based on our experience with MISP1 where sharing played an important role, we transpose the model](https://reader034.vdocument.in/reader034/viewer/2022042017/5e7586685482a71c731035a3/html5/thumbnails/15.jpg)
D4 server - type 254 worker handler
Worker custom type (called Worker 2)I Get type 2 data from a streamI Reconstruct JsonI Extract extended type nameI Use default type or special extended handlerI Save Json on diskI Get type 254 data from a streamI Reconstruct type 254I Save data in Redis. Create a queue for D4 Analyzer(s)
14 33
![Page 16: D4 Project - Open and collaborative network monitoring · 2019-05-22 · Objective Based on our experience with MISP1 where sharing played an important role, we transpose the model](https://reader034.vdocument.in/reader034/viewer/2022042017/5e7586685482a71c731035a3/html5/thumbnails/16.jpg)
D4 server - type 254 - implementation
15 33
![Page 17: D4 Project - Open and collaborative network monitoring · 2019-05-22 · Objective Based on our experience with MISP1 where sharing played an important role, we transpose the model](https://reader034.vdocument.in/reader034/viewer/2022042017/5e7586685482a71c731035a3/html5/thumbnails/17.jpg)
D4 server - management interface
The D4 server provides a web interface to manage D4 sensors,sessions and analyzer.
Get Sensors status, errors and statisticsGet all connected sensorsManage Sensors (stream size limit, secret key, ...)Manage Accepted typesUUID/IP blocklistCreate Analyzer Queues
16 33
![Page 18: D4 Project - Open and collaborative network monitoring · 2019-05-22 · Objective Based on our experience with MISP1 where sharing played an important role, we transpose the model](https://reader034.vdocument.in/reader034/viewer/2022042017/5e7586685482a71c731035a3/html5/thumbnails/18.jpg)
D4 server - main interface
17 33
![Page 19: D4 Project - Open and collaborative network monitoring · 2019-05-22 · Objective Based on our experience with MISP1 where sharing played an important role, we transpose the model](https://reader034.vdocument.in/reader034/viewer/2022042017/5e7586685482a71c731035a3/html5/thumbnails/19.jpg)
D4 server - server management
18 33
![Page 20: D4 Project - Open and collaborative network monitoring · 2019-05-22 · Objective Based on our experience with MISP1 where sharing played an important role, we transpose the model](https://reader034.vdocument.in/reader034/viewer/2022042017/5e7586685482a71c731035a3/html5/thumbnails/20.jpg)
D4 server - server management
19 33
![Page 21: D4 Project - Open and collaborative network monitoring · 2019-05-22 · Objective Based on our experience with MISP1 where sharing played an important role, we transpose the model](https://reader034.vdocument.in/reader034/viewer/2022042017/5e7586685482a71c731035a3/html5/thumbnails/21.jpg)
D4 server - sensor overview
20 33
![Page 22: D4 Project - Open and collaborative network monitoring · 2019-05-22 · Objective Based on our experience with MISP1 where sharing played an important role, we transpose the model](https://reader034.vdocument.in/reader034/viewer/2022042017/5e7586685482a71c731035a3/html5/thumbnails/22.jpg)
D4 server - sensor management
21 33
![Page 23: D4 Project - Open and collaborative network monitoring · 2019-05-22 · Objective Based on our experience with MISP1 where sharing played an important role, we transpose the model](https://reader034.vdocument.in/reader034/viewer/2022042017/5e7586685482a71c731035a3/html5/thumbnails/23.jpg)
A distributed Network telescope to observe DDoS attacks
22 33
![Page 24: D4 Project - Open and collaborative network monitoring · 2019-05-22 · Objective Based on our experience with MISP1 where sharing played an important role, we transpose the model](https://reader034.vdocument.in/reader034/viewer/2022042017/5e7586685482a71c731035a3/html5/thumbnails/24.jpg)
Motivation
DDoS Attacks produce an observable side-e�ect:
0
500000
1× 106
1.5× 106
2× 106
2.5× 106
3× 106
01/10 01/24 02/07 02/21 03/07
https://www.circl.lu/
Num
berofpackets
date (month / day)
Backscatter tra�c volume per 5 minutes in 2019 (/22)
backscattertcp tra�c
23 33
![Page 25: D4 Project - Open and collaborative network monitoring · 2019-05-22 · Objective Based on our experience with MISP1 where sharing played an important role, we transpose the model](https://reader034.vdocument.in/reader034/viewer/2022042017/5e7586685482a71c731035a3/html5/thumbnails/25.jpg)
What can be derived from backscatter traffic?
External point of view on ongoing Denial of Service attacks:I Con�rm if there is a DDoS attackI Recover time line of attacked targetsI Con�rm which services (DNS, webserver, . . . )I Observe Infrastructure changes
Assess the state of an infrastructure under denial of serviceattackI Detect failure/addition of intermediate network equipments,�rewalls, proxy servers etc
I Detect DDoS mitigation devicesCreate models of DoS/DDoS attacks
24 33
![Page 26: D4 Project - Open and collaborative network monitoring · 2019-05-22 · Objective Based on our experience with MISP1 where sharing played an important role, we transpose the model](https://reader034.vdocument.in/reader034/viewer/2022042017/5e7586685482a71c731035a3/html5/thumbnails/26.jpg)
D4 in this setting
D4 - for data collection and processing:provide various points of observation in non contiguousaddress space,aggregate and mix backscatter tra�c collected from D4sensors,perform analysis on big amount of data.
D4 - from a end-user perspective:provide backscatter analysis results,provide daily updates,provide additional relevant (or pivotal) information (DNS,BGP, etc.),provide an API and search capabilities.
25 33
![Page 27: D4 Project - Open and collaborative network monitoring · 2019-05-22 · Objective Based on our experience with MISP1 where sharing played an important role, we transpose the model](https://reader034.vdocument.in/reader034/viewer/2022042017/5e7586685482a71c731035a3/html5/thumbnails/27.jpg)
First release
X analyzer-d4-pibs5, an analyzer for a D4 network sensor:I processes data produced by D4 sensors (pcaps),I displays potential backscatter tra�c on standard output,I focuses on TCP SYN �ood in this �rst release.
5https://github.com/D4-project/analyzer-d4-pibs26 33
![Page 28: D4 Project - Open and collaborative network monitoring · 2019-05-22 · Objective Based on our experience with MISP1 where sharing played an important role, we transpose the model](https://reader034.vdocument.in/reader034/viewer/2022042017/5e7586685482a71c731035a3/html5/thumbnails/28.jpg)
Passive DNS
27 33
![Page 29: D4 Project - Open and collaborative network monitoring · 2019-05-22 · Objective Based on our experience with MISP1 where sharing played an important role, we transpose the model](https://reader034.vdocument.in/reader034/viewer/2022042017/5e7586685482a71c731035a3/html5/thumbnails/29.jpg)
Problem statement
CIRCL (and other CSIRTs) have their own passive DNS6collection mechanismsCurrent collection models are a�ected with DoH7 andcentralised DNS servicesDNS answers collection is a tedious processSharing Passive DNS stream between organisation ischallenging due to privacy
6https://www.circl.lu/services/passive-dns/7DNS over HTTPS
28 33
![Page 30: D4 Project - Open and collaborative network monitoring · 2019-05-22 · Objective Based on our experience with MISP1 where sharing played an important role, we transpose the model](https://reader034.vdocument.in/reader034/viewer/2022042017/5e7586685482a71c731035a3/html5/thumbnails/30.jpg)
Potential Strategy
Improve Passive DNS collection diversity by being closer tothe source and limit impact of DoH (e.g. at the OS resolverlevel)Increasing diversity and mixing models beforesharing/storing Passive DNS recordsSimplify process and tools to install for Passive DNScollection by relying on D4 sensors instead of custommechanismsProvide a distributed infrastructure for mixing streams and�ltering out the sharing to the validated partners
29 33
![Page 31: D4 Project - Open and collaborative network monitoring · 2019-05-22 · Objective Based on our experience with MISP1 where sharing played an important role, we transpose the model](https://reader034.vdocument.in/reader034/viewer/2022042017/5e7586685482a71c731035a3/html5/thumbnails/31.jpg)
First release
X analyzer-d4-passivedns8, an analyzer for a D4 networksensor:I processes data produced by D4 sensors (in passivedns CSVformat9),
I ingests these into a Passive DNS server which can be queriedlater to search for the Passive DNS records,
I provides a lookup server (using on redis-compatiblebackend) that is a Passive DNS REST server compliant to theCommon Output Format10.
8https://github.com/D4-project/analyzer-d4-passivedns9https://github.com/gamelinux/passivedns10https://tools.ietf.org/html/
draft-dulaunoy-dnsop-passive-dns-cof-0430 33
![Page 32: D4 Project - Open and collaborative network monitoring · 2019-05-22 · Objective Based on our experience with MISP1 where sharing played an important role, we transpose the model](https://reader034.vdocument.in/reader034/viewer/2022042017/5e7586685482a71c731035a3/html5/thumbnails/32.jpg)
Passive SSL revamping
31 33
![Page 33: D4 Project - Open and collaborative network monitoring · 2019-05-22 · Objective Based on our experience with MISP1 where sharing played an important role, we transpose the model](https://reader034.vdocument.in/reader034/viewer/2022042017/5e7586685482a71c731035a3/html5/thumbnails/33.jpg)
A passive SSL fingerprinter
CSIRT’s rationale for collecting TLS handshakes:pivot on additional data points,�nd owners of IP addresses,detect usage of CIDR blocks,detect vulnerable systems,detect compromised services,detect key material reuse,detect weak keys.
32 33
![Page 34: D4 Project - Open and collaborative network monitoring · 2019-05-22 · Objective Based on our experience with MISP1 where sharing played an important role, we transpose the model](https://reader034.vdocument.in/reader034/viewer/2022042017/5e7586685482a71c731035a3/html5/thumbnails/34.jpg)
Objectives - TLS Fingerprinting
Keeping a log of links between:x509 certi�cates,ports,IP address,client (ja3),server (ja3s),
“JA3 is a method for creating SSL/TLS client �ngerprintsthat should be easy to produce on any platform and canbe easily shared for threat intelligence.”11
11https://github.com/salesforce/ja333 / 33
![Page 35: D4 Project - Open and collaborative network monitoring · 2019-05-22 · Objective Based on our experience with MISP1 where sharing played an important role, we transpose the model](https://reader034.vdocument.in/reader034/viewer/2022042017/5e7586685482a71c731035a3/html5/thumbnails/35.jpg)
Objectives - Mind your Ps and Qs
Collect and store x509 certi�cates and TLS sessions:Public keys type and size,moduli and exponents,curves parameters.
Detect anti patterns in crypto:Shared Public Keys,Moduli that share one prime factor,Moduli that share both prime factor,Small factors,Nonces reuse / common pre�x or su�x, etc.
34 / 33
![Page 36: D4 Project - Open and collaborative network monitoring · 2019-05-22 · Objective Based on our experience with MISP1 where sharing played an important role, we transpose the model](https://reader034.vdocument.in/reader034/viewer/2022042017/5e7586685482a71c731035a3/html5/thumbnails/36.jpg)
First release
X sensor-d4-tls-�ngerprinting 12: Extracts and �ngerprintscerti�cates, and computes TLSH fuzzy hash.
X analyzer-d4-passivessl 13: Stores Certi�cates / PK details in aPostgreSQL DB.lookup-d4-passivessl 14: Exposes the DB through a publicREST API.
12github.com/D4-project/sensor-d4-tls-fingerprinting13github.com/D4-project/analyzer-d4-passivessl14github.com/D4-project/lookup-d4-passivessl
35 / 33
![Page 37: D4 Project - Open and collaborative network monitoring · 2019-05-22 · Objective Based on our experience with MISP1 where sharing played an important role, we transpose the model](https://reader034.vdocument.in/reader034/viewer/2022042017/5e7586685482a71c731035a3/html5/thumbnails/37.jpg)
Future
Mixing models for passive collection streams (for privacy) innext version of D4 core serverInterconnecting private D4 sensor networks with other D4sensor networks (sharing to partners �ltered stream)Previewing datasets collected in D4 sensor network andproviding open data stream (if contributor agrees to shareunder speci�c conditions)Leverage MISP sharing communities to augment ThreatIntelligence, and provide accurate metrology.
36 / 33
![Page 38: D4 Project - Open and collaborative network monitoring · 2019-05-22 · Objective Based on our experience with MISP1 where sharing played an important role, we transpose the model](https://reader034.vdocument.in/reader034/viewer/2022042017/5e7586685482a71c731035a3/html5/thumbnails/38.jpg)
Get in touch if you want to join the project, hosta sensor or contribute
Collaboration can include research partnership, sharing ofcollected streams or improving the software.Contact: [email protected]://github.com/D4-Projecthttps://twitter.com/d4_projecthttps://d4-project.org
37 / 33