Evaluation of Network Security May 13, 2004 Moshe Golan Everett Anderson

Evaluation of Network Security

May 13, 2004

Moshe Golan

Everett Anderson

Agenda
Introduction
Measuring – a general problem
Network Security Evaluation
Discussion
References

Introduction

The problem – Bell Labs/Lumeta Internet Mapping Project

Lumeta – IPSonar
The Internet Mapping Project was started at Bell Labs in the summer of 1998.
Its long-term goal is to acquire and save Internet topological data over a long period of time.
This data has been used in the study of routing problems and changes, DDoS attacks, and graph theory.
IPSonar injects small, non-intrusive measurement packets

Some Security Questions
What fraction of all IP packets have spoofed addresses?
How many DDoS attacks occur each day?
How many compromised machines are there on the Internet?
If I installed Secure BGP at 200 chosen locations, how much better would things be?

How do we answer?
Deduce based on the evidence available
Obtain snapshots from some points in the network
Use simulation techniques
Use honeypots/honeynets to attract attacks for measurement and analysis
Install serious measurement infrastructure in the network

Measuring – a General Problem

Network Measurements
LAN – we can perform measurements of traffic for local optimization and economics
Internet
– Poorly measured
– Poorly understood
– Use of sampling and statistical methods
– Simplified assumptions

SCAN – ISI
Network fault isolation – refers to the problem of pinpointing the origin of a particular application-perceived dynamic
Usage of multicast-based announce-listen techniques for network measurements
Distributed infrastructure of active instrumentation
Visualization
Trace back using historical views

SCAN – Mercator Program
(diagram: Small LAN, WAN)

Oregon – Route Views
Originally conceived as a tool for Internet operators to obtain real-time information about the global routing system from the perspectives of several different backbones and locations around the Internet.
The Route Views router uses multi-hop BGP peering sessions with backbones at interesting locations. Route Views uses AS6447 in its peering sessions; routes received from neighbors are never passed on nor used to forward traffic, and Route Views never announces any prefixes.

Now a basis for many research facilities.

Contributors
Dozens of big players: AOL, APAN, ATT, Abilene, Accretive, Army Research Lab, Broadwing, C&W USA, COMindico, Carrier1, EBONE, ELI ... TouchAmerica, Verio, WCI Cable, XO, Zocalo, blackrose.org, netINS
Many sponsors are commercial

CAIDA
The Cooperative Association for Internet Data Analysis provides tools and analyses promoting the engineering and maintenance of a robust, scalable global Internet infrastructure
Provides human interaction in addition to automated systems – use the phone

Evaluating Network Security – Techniques

Backscatter – Basic Idea
A DoS attack consists of a stream of packets to a specific destination
The victim answers them normally
Often, the attacker spoofs the source address of attack packets
Responses go to the real machines whose addresses were spoofed

An Example – Prof Reiher

IP spoofing
Usually uses random IP selection (2^32)
Every machine has an equal chance, 1/(2^32), to receive a response to a spoofed packet
If enough spoofed packets are sent, every machine will receive some spoofed packets

Assumptions

CAIDA Experiment
3 week-long periods in 2001
Using a /8 network – sample 1/256th of all addresses, or 2^24 IP addresses
Monitored all traffic arriving for any of these addresses
Expectations = n/2^24

Results
During one week, saw 12,805 attacks
Over three weeks observed 200 million backscatter packets
Presumably out of around 50 billion such packets
More than 5000 victim addresses in more than 2000 domains

Closer Look – Types of Attack

Closer Look – Attack Duration
90% less than an hour
2% more than 5 hours
1% over 10 hours
Only dozens over a day

Closer Look – Top-level domains
30% not resolved
.net
.com
Romania and Brazil

Closer Look – Number of Attacks
65% only once
18% twice
95% less than 5 times

90% were 10,000 pkts/sec or less
500 SYNs per second overwhelms an unprotected server
– 46% of attacks were that strong
14,000 SYNs per second overwhelms an anti-DoS firewall
– 2.4% of attacks were that strong
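How the backscatter idea, the 1/(2^32) spoofing argument and the /8 monitor above turn into an attack-rate estimate, as an added Python example (not code from the slides or from the CAIDA paper): it keeps only reply packets that land in an unused monitored prefix, groups them by the replying host (the victim), scales the count by 2^32 divided by the number of monitored addresses (the rate bound used in the Moore, Voelker and Savage paper listed in the references) and buckets the result against the 500 and 14,000 SYN/s thresholds quoted on the slides. The Packet records, the 10.0.0.0/8 monitored prefix, the 60 s window and all function names are assumptions made for this example.

```python
"""Backscatter inference in the style of the CAIDA /8 experiment (added example,
not code from the slides or the CAIDA paper). The Packet records, the monitored
prefix and the analysis window below are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Kinds of reply a victim emits when it answers spoofed attack packets.
BACKSCATTER_KINDS = {"SYN-ACK", "RST", "ICMP-UNREACH"}


@dataclass(frozen=True)
class Packet:
    src: str    # the replying host, i.e. the real victim
    dst: str    # the spoofed source address the victim is answering
    kind: str   # reply type; one of BACKSCATTER_KINDS for backscatter
    ts: float   # arrival time in seconds


def expected_hits(n_attack_packets: int, monitored_addresses: int) -> float:
    """Expected backscatter packets a monitor sees when the attacker draws
    spoofed sources uniformly from the 2^32 space: the slide's 1/(2^32)
    chance per address, summed over the monitored addresses."""
    return n_attack_packets * monitored_addresses / 2 ** 32


def group_backscatter(packets, monitor_net: str):
    """Keep replies addressed into the monitored (unused) prefix and group them
    by the replying host; each group is one victim's backscatter."""
    net = ip_network(monitor_net)
    by_victim = defaultdict(list)
    for p in packets:
        if p.kind in BACKSCATTER_KINDS and ip_address(p.dst) in net:
            by_victim[p.src].append(p)
    return by_victim


def estimate_attack_rate(observed: int, monitored_addresses: int, window_seconds: float) -> float:
    """Scale observed backscatter to the whole address space: each observed
    packet stands for 2^32 / monitored_addresses attack packets."""
    return observed * (2 ** 32 / monitored_addresses) / window_seconds


def classify_strength(pps: float) -> str:
    """Severity buckets from the thresholds quoted on the slides."""
    if pps >= 14_000:
        return "overwhelms anti-DoS firewall"
    if pps >= 500:
        return "overwhelms unprotected server"
    return "below quoted thresholds"


def analyse(packets, monitor_net: str = "10.0.0.0/8", window_seconds: float = 60.0) -> dict:
    """Per-victim report: observed packets, estimated attack rate, severity, duration."""
    monitored = ip_network(monitor_net).num_addresses
    report = {}
    for victim, pkts in group_backscatter(packets, monitor_net).items():
        times = [p.ts for p in pkts]
        pps = estimate_attack_rate(len(pkts), monitored, window_seconds)
        report[victim] = {
            "observed": len(pkts),
            "est_pps": pps,
            "severity": classify_strength(pps),
            "duration_s": max(times) - min(times),
        }
    return report


# Constructed sample: 120 SYN-ACKs from victim 203.0.113.5 to spoofed sources
# inside 10.0.0.0/8 over a 60 s window, plus one reply to an address outside
# the monitored prefix that must be ignored.
SAMPLE = [
    Packet("203.0.113.5", f"10.{i % 256}.{(i * 7) % 256}.{(i * 13) % 256}", "SYN-ACK", i * 0.5)
    for i in range(120)
] + [Packet("198.51.100.9", "192.0.2.1", "SYN-ACK", 3.0)]


if __name__ == "__main__":
    for victim, row in analyse(SAMPLE).items():
        print(victim, row)
```

With 120 replies seen in a /8 over 60 s the estimate is 120 × 256 / 60 = 512 packets/s, just above the unprotected-server threshold. The scaled figure is a lower bound: it assumes the victim answered every attack packet and that the attacker's spoofed sources were uniform, which is exactly why the slide lists these as assumptions.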

Network Jails & Honeypots
Lure hackers in and keep them busy
Provide a "real" system
Save root kits
Learn latest tricks and vulnerabilities
Report findings to CERT, alert intermediate hosts

Planet Lab
Overlay network with globally dispersed nodes
Design, deploy, test "planetary-scale" services
Large test bed for monitoring, measurement
Many viewpoints into the Internet

Planet Lab Infrastructure

ScriptRoute
Provides a way to aggregate traceroute-like information
Reverse routes
Sandboxing of script code, scheduler, rate limiting
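The rate-limiting item above is the part of the ScriptRoute design that keeps a sandboxed measurement script from becoming a packet flood against the hosts it probes. The following token-bucket limiter is an added Python example, not ScriptRoute's own code; the class, its rate and burst parameters, and the injected clock are assumptions made for this example.

```python
"""Token-bucket rate limiter for measurement probes (added example, not
ScriptRoute's own code). The class, its parameters and the injected clock are
assumptions made for the example."""


class ProbeRateLimiter:
    """Allow at most `rate` probes per second on average, with bursts of up to
    `burst` probes. The clock is injected so behaviour is deterministic in
    tests; pass time.monotonic for real use."""

    def __init__(self, rate: float, burst: int, clock):
        self.rate = rate
        self.burst = burst
        self.clock = clock
        self.tokens = float(burst)   # bucket starts full
        self.last = clock()
        self.dropped = 0

    def _refill(self) -> None:
        # Add tokens for the time elapsed since the last call, capped at the burst size.
        now = self.clock()
        self.tokens = min(float(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now

    def allow(self) -> bool:
        """Consume one token if available; otherwise count the probe as dropped."""
        self._refill()
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        self.dropped += 1
        return False


class FakeClock:
    """Manually advanced clock used to make the example reproducible."""

    def __init__(self, start: float = 0.0):
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def run_probe_script(limiter: ProbeRateLimiter, destinations) -> list:
    """Push a script's probe list through the limiter and return the
    destinations actually probed; over-budget probes are dropped, not queued."""
    return [d for d in destinations if limiter.allow()]


if __name__ == "__main__":
    import time
    limiter = ProbeRateLimiter(rate=10.0, burst=5, clock=time.monotonic)
    sent = run_probe_script(limiter, [f"192.0.2.{i}" for i in range(20)])
    print(len(sent), "probes sent,", limiter.dropped, "dropped")
```

Dropping rather than queueing is the safer choice for a measurement sandbox: a queue lets a misbehaving script accumulate an arbitrarily large backlog that still gets transmitted later, whereas dropping bounds the total traffic a script can ever cause to the configured rate.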

NetBait
Distributed query service for conventional IDS information
Identify attacks and index/store events locally
Multiple query sources
Pull approach
Currently still CodeRed focused

SANS
SysAdmin, Audit, Network, Security Institute
Early warning
Training
Internet Storm Center

CERT Coordination Center
Traditional human-level coordination
Careful advisories
Federal funding (DoD, DHS) but non-government
US-CERT
– Additional public and private sector content
– Faster advisories?

McAfee SecurityCenter
End-node IDS reporting from PCs
Similar to seti@home
Grid or centralized?
Bundled with personal firewall, risk analyzer

Symantec DeepSight Analyzer
Parses a variety of firewall and IDS system logs
Console view of multiple systems
Helps admin selectively contact attacking machine owners
Reports back to central Symantec service
Early alert services ($)
Aimed at network admins/larger business systems
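Two of the systems above share one architecture: NetBait keeps IDS events indexed locally at each node and lets a central query pull them, and DeepSight parses several firewall and IDS log formats into one console so an admin can see which attacking sources to follow up on. The following Python code is an added example of that design, not code from NetBait, PlanetLab or Symantec: each node normalises its own log lines (an iptables LOG record as syslog writes it and a Snort fast-alert line, both constructed samples here) into a common event record, and a console pulls matching events from every node and aggregates them per attacking source. The regular expressions, the Node and query API, the signature text and all addresses are assumptions made for this example.

```python
"""Local IDS-event index with a pull-style central query (added example, not
code from NetBait or DeepSight). The log lines are constructed samples; the two
formats handled are an iptables LOG line as syslog records it and a Snort
fast-alert line, recognised with hand-written regular expressions."""
import re
from collections import Counter, defaultdict

# iptables LOG target: "IN=eth0 OUT= ... SRC=a.b.c.d DST=e.f.g.h ... PROTO=TCP SPT=n DPT=m"
IPTABLES_RE = re.compile(
    r"IN=(?P<iface>\S*) .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?"
    r"PROTO=(?P<proto>\w+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)
# Snort fast alert: "[**] [gid:sid:rev] message [**] ... {PROTO} src:sport -> dst:dport"
SNORT_RE = re.compile(
    r"\[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.+?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<spt>\d+) -> (?P<dst>[\d.]+):(?P<dpt>\d+)"
)


def parse_line(line: str):
    """Normalise one log line into a common event dict, or None if it is not a
    recognised IDS/firewall record (ordinary syslog noise is skipped)."""
    m = SNORT_RE.search(line)
    if m:
        return {"source": "snort", "src": m["src"], "dst": m["dst"],
                "dport": int(m["dpt"]), "proto": m["proto"], "signature": m["msg"]}
    m = IPTABLES_RE.search(line)
    if m:
        return {"source": "iptables", "src": m["src"], "dst": m["dst"],
                "dport": int(m["dpt"]) if m["dpt"] else None,
                "proto": m["proto"], "signature": "firewall-drop"}
    return None


class Node:
    """A monitoring node: parses its own logs and keeps the events locally.
    Nothing is pushed upstream; the console asks for what it needs."""

    def __init__(self, name: str, lines):
        self.name = name
        self.events = [e for e in map(parse_line, lines) if e]

    def query(self, signature=None, src=None):
        return [e for e in self.events
                if (signature is None or signature in e["signature"])
                and (src is None or e["src"] == src)]


def pull_summary(nodes, signature=None) -> dict:
    """Central console: pull matching events from every node and aggregate them
    per attacking source, the view an admin needs before contacting the owner
    of that source."""
    per_src = defaultdict(lambda: {"events": 0, "nodes": set(), "ports": Counter()})
    for node in nodes:
        for e in node.query(signature=signature):
            rec = per_src[e["src"]]
            rec["events"] += 1
            rec["nodes"].add(node.name)
            if e["dport"] is not None:
                rec["ports"][e["dport"]] += 1
    return {src: {"events": r["events"], "nodes": sorted(r["nodes"]), "ports": dict(r["ports"])}
            for src, r in per_src.items()}


# Constructed sample logs for two nodes (addresses from documentation ranges).
NODE_A_LOG = [
    "Jan 13 10:12:34 hostA kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=198.51.100.23 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP "
    "SPT=44321 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0",
    "01/13-10:12:35.000000  [**] [1:1000001:1] CodeRed-like root.exe probe [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.23:44322 -> 10.0.0.5:80",
]
NODE_B_LOG = [
    "Jan 13 10:13:01 hostB kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=10.0.1.9 LEN=84 TOS=0x00 "
    "PREC=0x00 TTL=52 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1",
    "01/13-10:13:02.000000  [**] [1:1000001:1] CodeRed-like root.exe probe [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.23:44390 -> 10.0.1.9:80",
    "Jan 13 10:13:03 hostB sshd[4242]: Accepted publickey for ops from 10.0.1.2 port 51000",
]
NODES = [Node("A", NODE_A_LOG), Node("B", NODE_B_LOG)]

if __name__ == "__main__":
    print(pull_summary(NODES, signature="CodeRed"))
```

The pull design is what makes the "currently still CodeRed focused" caveat cheap to lift: the nodes store every normalised event, and only the console's query decides which signature is being counted, so a new worm needs a new query rather than a new collector. The per-source summary also carries the list of nodes that saw the source, which is the evidence an admin wants before contacting that machine's owner.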

Discussion

Open Questions
Internet-wide evaluation vs local
– Secure every component vs global security
Is the current approach to finding security problems in the Internet adequate?
– Human involvement
– Centralized solution
– Delay in reporting
– Placement of monitoring infrastructure
Do we need a global authority? Who should run it? How would they do it?
Privacy issues with jailing

References
http://www.lumeta.com/
http://www.isi.edu/scan/
http://antc.uoregon.edu/route-views/
http://www.caida.org/
http://us.mcafee.com/
http://analyzer.securityfocus.com/
http://netbait.planet-lab.org/
Netbait: A Distributed Worm Detection Service, Chun and Witherspoon, Intel Research Berkeley Technical Report IRB-TR-03-033, September 2003. A PlanetLab experiment designed to detect worm activity by scattering observation points at PlanetLab nodes.
Inferring Internet Denial-of-Service Activity, David Moore, Geoffrey Voelker, and Stefan Savage, 10th USENIX Security Symposium, 2001. A CAIDA paper describing the basic backscatter technique of determining various properties of DDoS attacks.
An Evening With Berferd In Which a Cracker is Lured, Endured, and Studied, Bill Cheswick, USENIX, 1992. The grandfather of all research on honeypots and honeynets.