evaluation of network security may 13, 2004 moshe golan everett anderson
Post on 20-Dec-2015
215 views
TRANSCRIPT
Lumena – IPSonar
The Internet Mapping Project was started at Bell Labs in the summer of 1998.
Its long-term goal is to acquire and save Internet topological data over a long period of time.
This data has been used in the study of routing problems and changes, DDoS attacks, and graph theory.
IPSonar inject small non-intrusive measurement packets
Some Security Questions
What fraction of all IP packets have spoofed addresses?
How many DDoS attacks occur each day? How many compromised machines are
there on the Internet? If I installed Secure BGP at 200 chosen
locations, how much better would things be?
How do we answer?
Deduce based on the evidence available Obtain snapshots from some points in the
network Use simulation techniques Use honeypots/honeynets to attract attacks
for measurement and analysis Install serious measurement infrastructure
in the network
Network Measurements
LAN – We can perform measurements of traffic for
local optimization and economics
Internet– Poorly measured– Poorly Understood– Use of sampling and statistical method– Simplified assumptions
SCAN - ISI
network fault isolation– refer to the problem of pinpointing the origin of
a particular application-perceived dynamic Usage of Multicast based announce-listen
techniques for network measurements Distributed Infrastructure of Active
Instrumentation Visualization Trace back using historical views
Oregon – Route View Originally conceived as a tool for Internet operators to
obtain real-time information about the global routing system from the perspectives of several different backbones and locations around the Internet.
The Route Views router, router uses multi-hop BGP peering sessions with backbones at interesting locations. Route Views uses AS6447 in its peering sessions, and routes received from neighbors are never passed on nor used to forward traffic nor announce any prefixes.
Now a basis for many research facilities:
Contributors
Dozens of big players AOL, APAN, ATT, Abilene, Accretive,
Accretive, Army Research Lab, Broadwing, Broadwing, Broadwing, C&W USA, COMindico, Carrier1, EBONE, ELI ....... TouchAmerica, Verio, WCI Cable, X0, Zocalo, blackrose.org, netINS
Many sponsors are commercial
CAIDA
The Cooperative Association for Internet Data Analysis, provides tools and analyses promoting the engineering and maintenance of a robust, scalable global Internet infrastructure
Provides Human interaction in addition to automated systems – Use the phone
Backscatter – Basic Idea
DoS consists of a stream of packets to a specific destination
The victim answers them normally Often, the attacker spoofs the source
address of attack packets Responses go to the real machines whose
addresses were spoofed
IP spoofing
Usually uses random IP selection (2^32) Every machine has equal chance 1/(2^32) to
receive a response to a spoofed packet If enough spoof packets are sent, every
machine will receive some spoof packets
CAIDA Experiment
3 times 1 week-long periods in 2001 Using /8 network – Sample 1/256th of all
addresses or 2^24 IP addresses Monitored all traffic arriving for any of
these addresses Expectations = n/2^24
Results
During one week, saw 12,805 attacks Over three weeks observed 200 million
backscatter packets Presumably out of around 50 billion such
packets More than 5000 victim addresses in more
than 2000 domains
Closer Look – Attack Duration
90% less than an hour 2% more than 5 hours 1% over 10 hours Only dozens over a
day
Closer Look – Number of Attacks
65% only once 18% twice 95% less than 5 times
90% were 10,000 pkts/sec or less500 SYNs per second overwhelms unprotected server
46% of attacks were that strong
14,000 SYNs overwhelms anti-DoS firewall
2.4% of attacks were that strong
Network Jails & Honeypots
Lure hackers in and keep them busy Provide "real" system Save root kits Learn latest tricks and vulnerabilities Report findings to CERT, alert intermediate
hosts
Planet Lab
Overlay network with globally dispersed nodes
Design, deploy, test “planetary-scale” services
Large test best for monitoring, measurement Many viewpoints into the Internet
ScriptRoute
Provide a way to aggregate traceroute-like information
Reverse routes Sand boxing of script code, scheduler, rate
limiting
NetBait
Distributed query service for conventional IDS information
Identify attacks and index/store events locally
Multiple query sources Pull approach Currently still CodeRed focused
CERT Coordination Center
Traditional human level coordination Careful advisories Federal funding (DoD, DHS) but non-
government US-CERT
– Additional public and private sector content– Faster advisories?
McAfee SecurityCenter
End node IDS reporting from PCs Similar to seti@home Grid or centralized? Bundled with personal firewall, risk
analyzer
Symantec DeepSight Analyzer
Parses a variety of firewall and IDS system logs Console view of multiple systems Helps admin selectively contact attacking machine
owners Reports back to central Symantec service Early alert services ($) Aimed at network admins/larger business systems
Open Questions Internet Wide evaluation Vs Local
– Secure every component Vs Global Security Is the current approach to finding security problems in the
Internet adequate?– Human Involvement– Centralized Solution– Delay in Reporting– Placement of monitoring infrastructure
Do we need a global authority? Who should run? How would they do it? Privacy issues with jailing
References http://www.lumeta.com/ http://www.isi.edu/scan/ http://antc.uoregon.edu/route-views/ http://www.caida.org/ http://us.mcafee.com/ http://analyzer.securityfocus.com/ http://netbait.planet-lab.org/ Netbait: A Distributed Worm Detection Service, Chun and Witherspoon,ntel Research
Berkeley Technical Report IRB-TR-03-033, September 2003. A Planetlab experiment designed to detect worm activity by scattering observation points at Planetlab nodes.
Inferring Internet Denial-of-Service Activity, David Moore, Geoffrey Voelker, and Stefan Savage , 10th Usenex Security Symposium, 2001. A CAIDA paper describing the basic backscatter technique of determining various properties of DDoS attacks.
An Evening With Berferd In Which a Cracker is Lured, Endured, and Studied, Bill Cheswick, Usenex , 1992. The grandfather of all research on honeypots and honeynets.