TRANSCRIPT
Slide 1: Discriminating malicious packets using TTL in the IP header (presented 2012/3/9)

Slide 2: Background
• Malicious traffic: spam, malware [1, 2]
  – DDoS

[1] Ironport, "2008 Internet Security Trends," http://www.ironport.com/securitytrends/, 2008.
[2] SECURELIST, "Monthly Malware Statistics, February 2011," http://www.securelist.com/en/analysis/204792166/Monthly_Malware_Statistics_February_2011
Slide 4: Time To Live (TTL)
A packet sent with TTL = 128 arrives at successive routers with TTL = 127, 126, 125, 124: every router it crosses decrements the field by one.
Slides 5-6: Default initial TTL values by OS

OS                         Protocol          Initial TTL
Linux 2.4 kernel           ICMP              255
BSDI BSD/OS 3.1 and 4.0    ICMP              255
Windows Server 2008        ICMP, TCP, UDP    128
Windows 7                  ICMP, TCP, UDP    128
Windows XP                 ICMP, TCP, UDP    128
Linux RedHat 9             ICMP, TCP         64
FreeBSD 5                  ICMP              64
MacOS X (10.5.6)           ICMP, TCP, UDP    64
AIX                        TCP               60

Source: Albin Sebastian, http://www.binbert.com/blog/2009/12/default-time-to-live-ttl-values, Dec 2012.

Notation: t is the TTL observed at the sensor and t0 the initial TTL set by the sender's OS; t0 - t is the number of routers the packet has crossed (0 if it arrived directly).
Slide 7: Example: a packet observed with TTL = 110
Which default did it start from? The candidates from the table are 255 (Linux 2.4 kernel, BSDI BSD/OS 3.1 and 4.0), 128 (Windows Server 2008, Windows 7, Windows XP) and 64 (Linux RedHat 9, FreeBSD 5, MacOS X 10.5.6).
Slide 8: Estimating the initial TTL and the hop count
• 128 - 110 = 18: if the packet started at 128 it has crossed 18 routers.
• t0 is not carried in the packet, so it is estimated from the observed t as the nearest OS default at or above t.
• Some defaults lie close together (MacOS X 10.5.6: 64, AIX: 60), so the estimate cannot be exact; a margin of 30 hops is allowed between a TTL and its estimated OS default, i.e. the hop count t0 - t of a legitimately routed packet is taken to be at most 30.
Slide 9: TTL = 128 - 30 = 98 is the lowest value still accepted for a packet that started at 128.

Slide 10: A packet with TTL = 78, measured against the default 128, implies 50 hops, far beyond the margin.
Slide 11: Using the IP TTL together with the OS default TTLs, observed packets are divided into two classes: "Normal TTL" (within 30 hops below a default) and "Abnormal TTL" (everything else).
Slide 12: Normal TTL bands (margin 30 below each default, as labelled on the slide)
  default 64:  34 to 64
  default 128: 98 to 128
  default 255: 225 to 255
Abnormal TTL examples: TTL = 78 and TTL = 90 fall between the bands (78 is 50 hops below 128).
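The classification rule of slides 8 to 12, as an added Python example (not code from the talk). It assumes the three common defaults 64, 128 and 255 from the OS table, takes the sender's initial TTL to be the smallest default at or above the observed value, and treats a packet as Normal TTL when it lies at most 30 hops below that default, which puts the lower edge of the 64 band at 34; the sample packets and addresses are constructed.

```python
"""Normal / Abnormal TTL classification from slides 8-12 (added example, not the talk's code).

Assumptions: the sender's initial TTL t0 is the smallest common OS default
(64, 128, 255; slides 5-6) at or above the observed TTL t, the hop count is
t0 - t, and a packet is "Normal TTL" when that hop count is at most 30.
For the 64 band this puts the lower bound at 34. All sample packets are
constructed.
"""
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple

INITIAL_TTLS = (64, 128, 255)   # OS defaults used on the slides
MARGIN_HOPS = 30                # largest hop count treated as plausible (slide 8)


class Verdict(NamedTuple):
    initial_ttl: int   # estimated t0
    hops: int          # t0 - t
    normal: bool       # True -> "Normal TTL", False -> "Abnormal TTL"


def estimate_initial_ttl(ttl: int) -> int:
    """Smallest default at or above the observed TTL (slide 8: 110 -> 128)."""
    if not 0 <= ttl <= 255:
        raise ValueError(f"TTL out of range: {ttl}")
    return next(t0 for t0 in INITIAL_TTLS if ttl <= t0)


def classify_ttl(ttl: int, margin: int = MARGIN_HOPS) -> Verdict:
    """Slides 9-10: 98 (30 below 128) is still normal, 78 (50 below 128) is not."""
    t0 = estimate_initial_ttl(ttl)
    hops = t0 - ttl
    return Verdict(t0, hops, hops <= margin)


def normal_bands(margin: int = MARGIN_HOPS) -> List[Tuple[int, int]]:
    """Inclusive TTL ranges classed as Normal TTL (slide 12)."""
    return [(t0 - margin, t0) for t0 in INITIAL_TTLS]


# Constructed sample: (source IP, destination port, TTL observed at the sensor).
SAMPLE_PACKETS = [
    ("192.0.2.10", 123, 110),  # 18 below 128                            -> normal (slide 8)
    ("192.0.2.11", 445, 98),   # exactly 30 below 128                    -> normal (slide 9)
    ("192.0.2.12", 445, 78),   # 50 below 128                            -> abnormal (slide 10)
    ("192.0.2.13", 80, 90),    # 38 below 128                            -> abnormal (slide 12)
    ("192.0.2.14", 22, 60),    # AIX default 60 lands inside the 64 band -> normal
    ("192.0.2.15", 53, 240),   # 15 below 255                            -> normal
    ("192.0.2.16", 445, 200),  # 55 below 255                            -> abnormal
    ("192.0.2.17", 80, 34),    # exactly 30 below 64                     -> normal
    ("192.0.2.18", 445, 33),   # 31 below 64                             -> abnormal
    ("192.0.2.19", 0, 1),      # TTL 1 at the sensor, as traceroute sends -> abnormal
]


def split_by_ttl(packets) -> Dict[str, list]:
    """Partition packets into the two classes used in the talk's analyses."""
    parts = {"Normal TTL": [], "Abnormal TTL": []}
    for pkt in packets:
        cls = "Normal TTL" if classify_ttl(pkt[2]).normal else "Abnormal TTL"
        parts[cls].append(pkt)
    return parts


def port_share(packets) -> Dict[int, float]:
    """Destination-port distribution in percent (analysis 1, slides 19-21)."""
    counts = Counter(p[1] for p in packets)
    total = sum(counts.values())
    return {port: round(100.0 * n / total, 3) for port, n in counts.most_common()}


if __name__ == "__main__":
    print("Normal TTL bands:", normal_bands())
    for cls, pkts in split_by_ttl(SAMPLE_PACKETS).items():
        print(cls, len(pkts), "packets, port share:", port_share(pkts))
```

Note that the rule only flags hop counts that are implausibly large; a sender that forges an initial TTL inside a band (say 100 at 5 hops, arriving as 95) is still caught because 128 - 95 = 33 exceeds the margin, but one that forges a value that happens to land within 30 of a default passes as Normal TTL.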
Slides 13-16: (figures) TTL distribution of the observed packets, with the Abnormal TTL region marked (slides 13 and 15) and the Normal TTL region marked (slide 16); slide 14: bullets on TTL (text lost).
Slide 17: Analysis of Abnormal TTL packets
1. Destination-port distribution
2. IP: source IP addresses checked against blacklists
3. TCP: fingerprinting of the sources
4. IDS: alerts raised by Snort
Slide 18: Data
• Analyses 1 and 2
  – 2011/12/10 01:40 to 2011/12/13 01:40
  – 13
• Analyses 3 and 4
  – Normal TTL: 2011/11/06 15:00 to 2011/11/15 17:00; 7
  – Abnormal TTL: 2011/11/06 14:55 to 2011/11/06 17:10; 7
Slides 19-21: 1. Destination-port distribution (top 10 ports, share of packets in %)

Normal TTL                   Abnormal TTL
port     share [%]           port     share [%]
123      39.276              445      17.536
445       3.916               80       1.437
 80       1.321               53       0.852
 53       0.638               22       0.383
 22       0.283              443       0.159
443       0.179               25       0.118
161       0.131              139       0.053
 23       0.118              110       0.020
135       0.081               81       0.017
 25       0.034                0       0.015

※ ephemeral ports

2. IP: the source IP addresses of Normal TTL and Abnormal TTL packets are looked up in blacklists and the listing rates compared.
Slide 22: Blacklists used (Spamhaus, http://www.spamhaus.org)
• Each source IP is checked against three lists and the listing rate is compared across TTL values:
1. Spamhaus Block List (SBL): IP addresses of verified spam sources
2. Exploits Block List (XBL): IP addresses of hijacked hosts (open proxies, worms and viruses with built-in spam engines)
3. Policy Block List (PBL): end-user IP address ranges that should not be sending SMTP directly
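Looking up packet sources in the Spamhaus lists, as an added example (not code from the talk). It assumes the standard DNSBL convention of querying the reversed IPv4 octets under the list zone with an A lookup, and the 127.0.0.x answer codes Spamhaus documents for its combined zen.spamhaus.org zone (SBL, XBL and PBL); the resolver is injectable so the sample runs offline against a constructed answer table, and the TTL class of each constructed source is taken as given.

```python
"""Source-IP reputation via Spamhaus DNSBL lookups (added example, not the talk's code).

Assumptions: the standard DNSBL query form (reversed IPv4 octets under the
list zone, A-record lookup) and the 127.0.0.x answer codes Spamhaus
documents for its combined ZEN zone. The resolver is injected so the example
runs offline against a constructed answer table; for live lookups pass
`lambda name: socket.gethostbyname_ex(name)[2]`. Sample sources and their
TTL class are constructed.
"""
import ipaddress
import socket
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Set, Tuple

ZEN_ZONE = "zen.spamhaus.org"          # SBL + XBL + PBL answered in one query

# Answer code -> list, per Spamhaus documentation for ZEN.
ZEN_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL", "127.0.0.9": "SBL",          # SBL (incl. CSS, DROP)
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}

Resolver = Callable[[str], List[str]]


def dnsbl_query_name(ip: str, zone: str = ZEN_ZONE) -> str:
    """'192.0.2.1' -> '1.2.0.192.zen.spamhaus.org' (the address is validated first)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def decode_zen(answers: Iterable[str]) -> Set[str]:
    """Map A-record answers to list names; never misread an error code as 'not listed'."""
    lists = set()
    for a in answers:
        if a.startswith("127.255.255."):
            # Spamhaus reports refused queries (open resolver, query limit,
            # malformed name) in this range instead of NXDOMAIN.
            raise RuntimeError(f"DNSBL query refused: {a}")
        if a in ZEN_CODES:
            lists.add(ZEN_CODES[a])
    return lists


def lookup(ip: str, resolve: Resolver, zone: str = ZEN_ZONE) -> Set[str]:
    """Lists the IP appears on; empty set when the zone answers NXDOMAIN."""
    try:
        answers = resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror:                # NXDOMAIN -> not listed
        return set()
    return decode_zen(answers)


def listing_rate(sources: Iterable[Tuple[str, str]], resolve: Resolver) -> Dict[str, float]:
    """Percent of distinct source IPs listed, per TTL class (the 'listing rate' of slides 23-24)."""
    by_class: Dict[str, Set[str]] = defaultdict(set)
    for ttl_class, ip in sources:
        by_class[ttl_class].add(ip)
    return {
        cls: round(100.0 * sum(1 for ip in ips if lookup(ip, resolve)) / len(ips), 3)
        for cls, ips in by_class.items()
    }


# Constructed offline stand-in for DNS: query name -> A records.
FAKE_ANSWERS = {
    dnsbl_query_name("192.0.2.10"): ["127.0.0.4"],                 # XBL only
    dnsbl_query_name("192.0.2.11"): ["127.0.0.11", "127.0.0.4"],   # PBL and XBL
    dnsbl_query_name("192.0.2.13"): ["127.0.0.2"],                 # SBL
}


def fake_resolve(name: str) -> List[str]:
    if name not in FAKE_ANSWERS:
        raise socket.gaierror(-2, "Name or service not known")     # NXDOMAIN
    return FAKE_ANSWERS[name]


# Constructed sources: (TTL class as assigned by the rule of slides 8-12, source IP).
SAMPLE_SOURCES = [
    ("Normal TTL", "192.0.2.10"), ("Normal TTL", "192.0.2.20"),
    ("Normal TTL", "192.0.2.21"), ("Normal TTL", "192.0.2.22"),
    ("Abnormal TTL", "192.0.2.11"), ("Abnormal TTL", "192.0.2.13"),
    ("Abnormal TTL", "192.0.2.30"), ("Abnormal TTL", "192.0.2.11"),  # repeated IP counted once
]

if __name__ == "__main__":
    print(lookup("192.0.2.11", fake_resolve))
    print(listing_rate(SAMPLE_SOURCES, fake_resolve))
```

The refusal check matters for a measurement like this one: a resolver that Spamhaus blocks returns 127.255.255.x for every query, and treating those as "not listed" would silently drive the listing rate to zero.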
Slides 23-24: 2. Blacklist listing rate (TCP)
(figure: blacklist listing rate [%] of source IPs, vertical axis 0 to 100, plotted against TTL; the Abnormal TTL region is marked)

3. TCP fingerprinting
Slides 25-29: 3. TCP fingerprinting
• The TCP/IP header characteristics of a host's packets (its TCP fingerprint) identify the sending OS, e.g. Windows 7, Windows Vista, Linux 2.6, Mac OS X 10.7.
• Fingerprints of the observed packets are matched against known OS fingerprints and against fingerprints taken from the MWS dataset traffic; a fingerprint matching neither is "???" (unknown). The three resulting classes are: known OS, MWS, unknown OS.
※ MWS: anti Malware engineering WorkShop (research datasets of malware traffic)
Reference: [authors and title in Japanese not recovered] "TCP ...", vol. 52, no. 6, pp. 2009–2018, June 2011.
Slides 30-31: 3. TCP fingerprinting: method
• TCP fingerprints are extracted with p0f [3].
• Each source is classified as 1. known OS, 2. unknown OS, or 3. MWS (fingerprint also found in the MWS dataset).
[3] the new p0f project, http://lcamtuf.coredump.cx/p0f.shtml
Slide 32: Fingerprinting results
(pie charts; legend: KNOWN OS, UNKNOWN OS, MWS)
Normal TTL sources split 45% / 29% / 26% across the three classes; Abnormal TTL sources split 7% / 7% / 86%.

4. Snort
• The Normal TTL and Abnormal TTL traffic is run through the intrusion detection system (IDS) Snort and the alerts are compared.
Slides 33-34: 4. Snort alert rate

TTL class       packets        alerts       alert rate [%]
Normal TTL      67,849,218     34,440       0.05
Abnormal TTL    69,169,306     1,658,923    2.40

0.05% << 2.40%: Abnormal TTL traffic raises Snort alerts at a far higher rate than Normal TTL traffic.
Slide 35: Summary and future work
• Abnormal TTL
• IPv6
H. Stern, "The Rise and Fall of Reactor Mailer," Proc. MIT Spam Conference 2009, Mar. 2009.
Slide 36: Thank you for your attention.

Slide 37: (supplementary slides follow)
Slide 38: IP Time To Live
• An 8-bit field in the IP header.
• Each router decrements the TTL by 1; a packet whose TTL reaches 0 is discarded.
Slide 39: Where Abnormal TTLs come from
Case a.
  – e.g.
Case b. Tools that deliberately send packets with small TTLs
  – e.g. traceroute
  – e.g. Firewalk
Case c.
  – e.g. TTL
Slide 40: Observation environment (figure; labels: 2, 1, /16)
Slides 41-43: 2. Blacklist listing rate by protocol
(figures: blacklist listing rate [%] of source IPs, vertical axis 0 to 100, plotted against TTL; TCP on slide 41, UDP on slide 42, ICMP on slide 43)
Slide 44: Notes
• ... CPU
• Srizbi (Reactor Mailer) FKM
Slides 45-47: Snort alerts by signature (top 10, alert count)

Normal TTL
ICMP PING NMAP                         1,211,825,939
Experimental Tcp Options found           158,495,513
Bad Traffic Same Src/Dst IP                6,793,931
ICMP Filtered Sweep                        4,501,196
ICMP L3retriever Ping                      3,153,346
ICMP PING CyberKit 2.2 Windows             1,832,286
ICMP superscan echo                        1,380,471
TCP Filtered Portsweep                     1,071,781
TCP Filtered Distributed Portscan            746,593
TCP Portsweep                                615,631

Abnormal TTL
ICMP PING NMAP                         1,183,100,342
Experimental Tcp Options found           134,417,917
Bad Traffic Same Src/Dst IP                5,782,901
ICMP Filtered Sweep                        3,651,514
ICMP L3retriever Ping                      2,816,113
ICMP PING CyberKit 2.2 Windows             1,832,286
ICMP superscan echo                        1,155,422
TCP Filtered Portsweep                       832,897
TCP Filtered Distributed Portscan            746,593
BAD-TRAFFIC udp port 0 traffic               281,317

(figure, slide 47: alert counts against TTL, logarithmic vertical axis from 1 to 1,000,000,000)
Slide 48: Hop-Count Filtering: inferring the hop count from the TTL, per source IP
• A table of expected TTL (hop count) per source IP is built from legitimate traffic: IP A: 110, IP B: 235.
• Host A (IP A) and Host B (IP B) send packets whose TTLs match the table; Host A' (at IP C) forging source IP A sits at a different distance, so its packets arrive with a TTL that does not match the entry for IP A and are treated as spoofed.
C. Jin, H. Wang, and K. G. Shin, "Hop-count filtering: An effective defense against spoofed DDoS traffic," Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), pp. 30–41, New York, USA, Oct. 2003.
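Hop-count filtering as sketched on slide 48, as an added Python example (not code from the talk or from Jin et al.). It assumes the hop count is recovered as on slide 8 (smallest common default 64/128/255 at or above the observed TTL, minus the TTL), that the IP-to-hop-count table is learned from traffic known to be legitimate, and uses the slide's values (IP A seen with TTL 110, IP B with TTL 235) in constructed sample traffic.

```python
"""Hop-Count Filtering (Jin, Wang and Shin, CCS '03) as sketched on slide 48.

Added example, not code from the talk or the paper. Assumptions: the hop
count is recovered as on slide 8 (smallest common default 64/128/255 at or
above the observed TTL, minus the TTL); the IP-to-hop-count (IP2HC) table is
learned from traffic known to be legitimate; a packet whose source is in the
table but whose hop count deviates by more than `tolerance` is treated as
spoofed. Sample traffic is constructed around the slide's values (IP A:
TTL 110, IP B: TTL 235).
"""
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Tuple

INITIAL_TTLS = (64, 128, 255)
Packet = Tuple[str, int]      # (source IP as written in the header, TTL observed at the sensor)


def hop_count(ttl: int) -> int:
    """Slide 8: observed 110 -> default 128 -> 18 hops."""
    if not 0 <= ttl <= 255:
        raise ValueError(f"TTL out of range: {ttl}")
    return next(t0 for t0 in INITIAL_TTLS if ttl <= t0) - ttl


def learn_ip2hc(legit: Iterable[Packet]) -> Dict[str, int]:
    """Per source IP, the hop count seen most often in legitimate traffic."""
    seen: Dict[str, Counter] = defaultdict(Counter)
    for ip, ttl in legit:
        seen[ip][hop_count(ttl)] += 1
    return {ip: counts.most_common(1)[0][0] for ip, counts in seen.items()}


def hcf_filter(ip2hc: Dict[str, int], packets: Iterable[Packet],
               tolerance: int = 0) -> Tuple[List[Packet], List[Packet]]:
    """Split packets into (accepted, spoofed).

    Sources absent from the table cannot be checked and are accepted (the
    paper's learning state collects them). `tolerance` absorbs route changes
    of a hop or two at the cost of also passing a spoofer that close to the
    victim's distance; a spoofer whose own hop count equals the victim's is
    undetectable by construction.
    """
    accepted, spoofed = [], []
    for pkt in packets:
        ip, ttl = pkt
        expected = ip2hc.get(ip)
        if expected is not None and abs(hop_count(ttl) - expected) > tolerance:
            spoofed.append(pkt)
        else:
            accepted.append(pkt)
    return accepted, spoofed


# Constructed legitimate traffic: Host A (IP A) is 18 hops away, Host B (IP B) 20.
LEGIT_TRAFFIC: List[Packet] = [
    ("198.51.100.1", 110), ("198.51.100.1", 110), ("198.51.100.1", 110),   # IP A, slide: TTL 110
    ("203.0.113.5", 235), ("203.0.113.5", 235),                            # IP B, slide: TTL 235
]

# Constructed incoming traffic. Host A' is 8 hops from the sensor and forges IP A.
INCOMING: List[Packet] = [
    ("198.51.100.1", 110),   # genuine Host A
    ("198.51.100.1", 120),   # Host A' (really at IP C) forging IP A: 8 hops, not 18
    ("203.0.113.5", 234),    # Host B after a one-hop route change
    ("192.0.2.77", 50),      # never seen before: nothing to compare against
]

if __name__ == "__main__":
    table = learn_ip2hc(LEGIT_TRAFFIC)
    print(table)
    print(hcf_filter(table, INCOMING))                # strict: flags forgery and route change
    print(hcf_filter(table, INCOMING, tolerance=1))   # flags only the forgery
```

The table must be learned from traffic that is itself trustworthy (for example completed TCP handshakes), otherwise an attacker who floods during the learning phase can plant the hop count of its own position under the victim's address.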