
Security

Internet Measurement Course
Seyed Majid Zahedi
Jan, 2010
Chapter 9

Role of Internet Measurement in Security

- Number of users, applications and hosts is increasing
- Number of attempts to break into networks is increasing too
- Internet measurement plays an important role
  - Coordinating information across large networks

Type of Attacks

- Link-flooding
  - High-bandwidth
  - Low-bandwidth (aimed at particular applications)
- High-volume attack from a single source
- High-volume attack from a collection of distributed sources
- Periodic, coordinated or spaced at uneven intervals (to escape easy detection)

Type of Attacks (…)

- Stepping stone attacks
  - Compromised machine used to launch attacks later
- Man-in-the-middle
  - Exploiting trust-based relationship between peers

Attackers' Identity

- Masquerade their identity
- Usurp others' identity
  - Spoofing the source address and setting it to be the attack victim's address (reflector attacks)

Motivation for Attacks

- Juvenile pleasure of displaying the ability to carry out attacks
- Work on behalf of spammers
- High payback of attacks

Damage of Attacks

- Waste of resources, from computing to human
- Services become unavailable, partially or entirely
- The effects may persist long after the attack
  - Many of the affected users may switch to a different service provider

Today's Attacks

- Sometimes it is very simple
- The widely prevalent denial of service attacks have toolkits
- It is possible to obtain a botnet with the attacks pre-configured on it
  - The only variable is the set of targets

False Positive

- An event signalling an IDS to produce an alarm when no attack has taken place

Measurement at all Layers

- At packet level
  - Inter-arrival times
  - Packet size
  - Protocol choices
  - Patterns of interaction between end points
  - Source and destination IP addresses and ports
- At higher levels
  - ON/OFF patterns of connections
  - Differences in flow-level attributes

Measurement at all Layers (…)

- Graph-based DNS characterization
  - Skewed access patterns of short TCP exchanges
- Firewall logs
  - Look for outliers
- Router-based Access Control List (ACL) filtering
  - Provides information on false positives
- Rate-limiting mechanisms
  - Monitoring to examine downgraded traffic leading to poor performance

Measurement at all Layers (…)

- Passive monitoring of BGP update messages in conjunction with topology information
  - Detect presence of anomalies
- At the application layer
  - Everything from contents of protocol headers to payload
  - In P2P: tracking upload vs. download ratio to identify freeloaders
  - In games: detecting users' identity hijackers or players cheating about their current coordinates

Intrusion Detection

- Deviation from a norm
  - Norm based on historical access patterns and the policy of the site
- Filtering and blocking traffic
- Gathering additional information about attackers
- Use statistical inf.
- Analyzing multiple layers before forwarding the packets

Intrusion Detection (…)

- Use statistical measurement techniques
- Monitoring traffic levels at different parts of the network
- Use intrusion detection tools with basic measurement components built into them

Intranet Measurements

- Administrative entities differ depending on
  - Nature of traffic inside the network
  - Kinds of attacks witnessed
  - Importance of the assets being protected
- Significant deviations aren't always a potential security threat
  - Brief outage of a DNS server
  - Flash crowd event because of sudden interest in a web site
- Internet measurements need to be able to distinguish between different abnormal scenarios

SNMP

- Polling data, flow-level information
- Gathering data periodically (every 5 min) at various routers
- Obtain a variety of traffic statistics
  - Packet counters
  - Number of bytes traversing
- Weakness: anomalies that are shorter than the polling interval will not be captured
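An added example (not from the slides) of the weakness above: byte counters polled every 5 minutes are turned into an average rate per interval, so a 30-second flood is averaged down below a rate threshold that it clearly exceeds second by second. All traffic figures and the threshold are constructed.

```python
# Added illustration: a short burst hidden by a 5-minute SNMP polling interval.
# The NMS only sees the counter delta divided by the interval length.

POLL_S = 300          # SNMP polling interval in seconds (5 min, as on the slide)
BASELINE_BPS = 10e6   # constructed baseline link load: 10 Mbit/s
BURST_BPS = 200e6     # constructed 200 Mbit/s flood
BURST_LEN_S = 30      # the flood lasts 30 seconds
THRESH_BPS = 50e6     # alarm if the average rate over an interval exceeds 50 Mbit/s

def per_second_rates(duration_s, burst_start_s):
    """Constructed ground truth: bits sent in each second of the trace."""
    rates = []
    for t in range(duration_s):
        in_burst = burst_start_s <= t < burst_start_s + BURST_LEN_S
        rates.append(BURST_BPS if in_burst else BASELINE_BPS)
    return rates

def snmp_counter_samples(rates, poll_s=POLL_S):
    """Simulate polling a monotonically increasing octet counter (kept in bits)."""
    samples, total = [0], 0
    for t, r in enumerate(rates, start=1):
        total += r
        if t % poll_s == 0:
            samples.append(total)
    return samples

def polled_average_rates(samples, poll_s=POLL_S):
    """What the NMS sees: counter delta divided by the interval, per interval."""
    return [(b - a) / poll_s for a, b in zip(samples, samples[1:])]

def alarms(avg_rates, thresh=THRESH_BPS):
    """Indices of polling intervals whose average rate crosses the threshold."""
    return [i for i, r in enumerate(avg_rates) if r > thresh]

def compare(duration_s=900, burst_start_s=400):
    """Per-second truth vs. the polled view for a burst inside the 2nd interval."""
    rates = per_second_rates(duration_s, burst_start_s)
    polled = polled_average_rates(snmp_counter_samples(rates))
    return {
        "true_peak_bps": max(rates),
        "polled_peak_bps": max(polled),
        "polled_alarms": alarms(polled),
        "true_alarm_seconds": len([r for r in rates if r > THRESH_BPS]),
    }

if __name__ == "__main__":
    print(compare())
```

The burst contributes 6 Gbit to a 300-second window that otherwise carries 2.7 Gbit, so the polled average is 29 Mbit/s and no interval trips the 50 Mbit/s alarm, although 30 individual seconds ran at 200 Mbit/s.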

SNMP (…)

- Use of SNMP and flow data to detect DoS attacks
  - Wavelet-based: frequency and time (Section 6.3.3)

Some Concerns

- Volume of flow data becomes large
  - Only sampled data obtained
  - Sampling can be simply statistical
- Some transactions may transpire before a flow record is written out
- Analysis done post-facto rather than online

Thresholds

- Thresholds are not always the best way
  - Probe packets sent by an attacking IP
  - Flow records don't have any of the packet bodies
  - Higher-level application logs are needed
- Set reasonable thresholds of outgoing traffic vs. incoming traffic
  - Constraints and past statistics

Gateway Measurement

- Local measurements at firewalls
  - Can tools be overwhelmed in flooding attacks?
- Firewall logs
  - Habitual offending source IP addresses
  - Most commonly probed applications and port numbers

Example: TCP 3-Way Handshake

TCP SYN flooding

- Each arriving SYN stores state at the server
  - Flow ID, timer info, sequence number, flow-control status, out-of-band data, MSS, other options agreed to
- Attacker sends many connection requests

TCP SYN flooding (…)
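An added example (not from the slides) of why the per-SYN state above is the resource a SYN flood exhausts, and of the stateless alternative: a fixed-size half-open table is compared with a SYN-cookie listener that encodes the flow in the initial sequence number and keeps nothing until the final ACK arrives. Backlog size, secret and addresses are constructed.

```python
# Added illustration: stateful half-open table vs. stateless SYN cookies.
import hmac
import hashlib

BACKLOG = 128  # constructed half-open table size for the stateful listener

class StatefulListener:
    """Keeps a half-open entry per SYN (flow id, timer, ISN ...), as on the slide."""
    def __init__(self):
        self.half_open = {}
    def on_syn(self, src, sport, now):
        if len(self.half_open) >= BACKLOG:
            return None                        # table full: this SYN is dropped
        self.half_open[(src, sport)] = {"isn": 1000, "t": now}
        return 1000                            # ISN sent back in the SYN-ACK
    def on_ack(self, src, sport, ack, now):
        entry = self.half_open.pop((src, sport), None)
        return entry is not None and ack == entry["isn"] + 1

class CookieListener:
    """Stores nothing per SYN: the ISN is a MAC over the flow id and a time slot."""
    def __init__(self, secret, slot_s=60):
        self.secret, self.slot_s = secret, slot_s
    def _cookie(self, src, sport, slot):
        msg = f"{src}:{sport}:{slot}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")
    def on_syn(self, src, sport, now):
        return self._cookie(src, sport, int(now // self.slot_s))
    def on_ack(self, src, sport, ack, now):
        slot = int(now // self.slot_s)
        return any(ack == (self._cookie(src, sport, s) + 1) & 0xFFFFFFFF
                   for s in (slot, slot - 1))  # accept current or previous slot

def simulate(listener, n_spoofed=200, now=1_700_000_000.0, delay=2.0):
    """n_spoofed SYNs whose senders never answer, then one legitimate client."""
    for i in range(n_spoofed):
        listener.on_syn(f"10.0.{i // 256}.{i % 256}", 40000 + i, now)
    isn = listener.on_syn("192.0.2.7", 51515, now + 1)
    if isn is None:
        return "legit SYN dropped"
    ack = (isn + 1) & 0xFFFFFFFF
    ok = listener.on_ack("192.0.2.7", 51515, ack, now + 1 + delay)
    return "connected" if ok else "rejected"

if __name__ == "__main__":
    print(simulate(StatefulListener()))                      # table exhausted
    print(simulate(CookieListener(b"server-secret")))        # no state to exhaust
    print(simulate(CookieListener(b"server-secret"), delay=200.0))  # stale ACK
```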

Intrusion Detection Systems (IDS)

- Large Internet Service Providers position IDS at the perimeter of their network
- Some ISPs position IDS in front of certain customers
- Set of signatures to watch for traffic that violates the expected patterns
  - Specific patterns of known attacks (probes on certain ports)
  - Information about attackers
  - Choice of protocol
  - Temporal and packet size distribution

IDS (…)

- Database can be used
  - Reducing impact of false positives
  - System-wide blacklist
- Post-facto analysis
- Coordination between multiple IDSes

Techniques at Firewalls

- Access control lists
  - Source IP addresses
  - Destination addresses
  - Linux ipchains, Cisco's IOS
- ISS and nmap
  - Probe packets to test firewalls
  - Simulate the attacks without damage

Inter-domain Measurement

- Inter-domain attacks have large and serious impacts
  - Compromise BGP table
  - Black-holing a significant fraction of traffic
- Combination of a model of AS connectivity and passive monitoring of BGP messages
  - Detect man-in-the-middle attack
  - Examine AS_PATH attribute of BGP update messages

Some Concerns about Violations

- Misconfigurations and violations
  - Examining prefixes that appear to originate from more than one AS

Address Space Hijacking

- When an AS announces, either mistakenly or deliberately, address space that is not owned by it
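An added example (not from the slides) of the two checks just described: from a stream of BGP updates seen by a passive monitor, list prefixes with more than one origin AS (the last AS in AS_PATH), and flag any origin not authorized for the prefix or a covering prefix. The ownership table, ASNs, prefixes and updates are constructed.

```python
# Added illustration: multiple-origin-AS (MOAS) and unauthorized-origin checks.
import ipaddress
from collections import defaultdict

# Constructed "registry": which ASes may originate each prefix
OWNERS = {"198.51.100.0/24": {64500}, "203.0.113.0/24": {64501}}

# Constructed BGP UPDATEs as (prefix, AS_PATH), AS_PATH left to right
UPDATES = [
    ("198.51.100.0/24",  [64510, 64520, 64500]),
    ("198.51.100.0/24",  [64530, 64500]),
    ("203.0.113.0/24",   [64510, 64501]),
    ("203.0.113.0/24",   [64540, 64666]),   # same prefix, different origin
    ("203.0.113.128/25", [64540, 64666]),   # more-specific, unauthorized origin
]

def origin_as(as_path):
    """The origin is the last AS in AS_PATH (AS_SET segments ignored here)."""
    return as_path[-1]

def origins_per_prefix(updates):
    """prefix -> set of origin ASes observed for it."""
    seen = defaultdict(set)
    for prefix, path in updates:
        seen[prefix].add(origin_as(path))
    return seen

def moas_prefixes(updates):
    """Prefixes announced with more than one origin AS."""
    return sorted(p for p, o in origins_per_prefix(updates).items() if len(o) > 1)

def covering_owners(prefix):
    """Owners of the prefix itself or of a less-specific prefix in OWNERS."""
    net = ipaddress.ip_network(prefix)
    for owned, asns in OWNERS.items():
        if net.subnet_of(ipaddress.ip_network(owned)):
            return asns
    return set()

def suspicious_origins(updates):
    """(prefix, origin) pairs whose origin is not an authorized owner."""
    out = []
    for prefix, origins in origins_per_prefix(updates).items():
        allowed = covering_owners(prefix)
        out += [(prefix, o) for o in sorted(origins) if o not in allowed]
    return sorted(out)

if __name__ == "__main__":
    print(moas_prefixes(UPDATES))
    print(suspicious_origins(UPDATES))
```

A MOAS prefix is not by itself a hijack (multi-homing and anycast also produce them), which is why the second check consults an ownership source before raising an alarm.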

Classifying DoS Attacks

- Flooding a link or a particular application
  - Numerous simultaneous requests (DDoS)
- Backscatter technique
  - Spoofing the source of the attacks, picking them randomly
  - Responses are spread across the Internet (large space)

Classifying DoS Attacks (…)

- Another technique: monitor peering links (bidirectional) between ISPs with tcpdump
  - Capture packet headers to examine exceeded thresholds
  - Number of distinct sources that are attempting to communicate with the same host

Classifying DoS Attacks (…)

- Frameworks to classify DoS attacks by:
  - Headers
  - Speed with which attacks grow
  - Distinguishing single- and multi-source attacks
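An added example (not from the slides) of the backscatter technique: replies that a flood victim sends to randomly spoofed sources land on addresses that never sent anything, so unsolicited SYN-ACK or RST packets arriving at a dark prefix identify the victim, and their rate scaled by the fraction of address space the prefix covers estimates the flood. The dark prefix, packet records and threshold are constructed.

```python
# Added illustration: inferring DoS victims from backscatter on a dark prefix.
import ipaddress
from collections import defaultdict

TELESCOPE = ipaddress.ip_network("192.0.2.0/24")   # constructed dark prefix

# Constructed header-only capture: (timestamp, src_ip, dst_ip, proto, tcp_flags)
PACKETS = [
    (100.0, "203.0.113.10", "192.0.2.17",  "tcp", "SA"),
    (100.1, "203.0.113.10", "192.0.2.201", "tcp", "SA"),
    (100.2, "203.0.113.10", "192.0.2.88",  "tcp", "SA"),
    (100.3, "203.0.113.10", "192.0.2.5",   "tcp", "R"),
    (101.0, "198.51.100.5", "192.0.2.33",  "tcp", "S"),   # a scan, not backscatter
    (101.5, "203.0.113.10", "192.0.2.140", "tcp", "SA"),
    (102.0, "198.51.100.9", "192.0.2.9",   "tcp", "SA"),  # lone reply, below threshold
]

BACKSCATTER_FLAGS = {"SA", "R", "RA"}   # replies a victim returns to a spoofed SYN

def is_backscatter(pkt):
    """Unsolicited TCP reply addressed into the dark prefix."""
    _, _, dst, proto, flags = pkt
    return (ipaddress.ip_address(dst) in TELESCOPE
            and proto == "tcp" and flags in BACKSCATTER_FLAGS)

def infer_victims(packets, min_dark_targets=3):
    """victim -> distinct dark addresses its replies hit, above a spread threshold."""
    hits = defaultdict(set)
    for pkt in packets:
        if is_backscatter(pkt):
            hits[pkt[1]].add(pkt[2])
    return {v: sorted(d) for v, d in hits.items() if len(d) >= min_dark_targets}

def estimate_attack_rate(packets, victim, telescope=TELESCOPE):
    """Observed reply rate scaled by the share of IPv4 space the telescope covers."""
    ts = [p[0] for p in packets if p[1] == victim and is_backscatter(p)]
    if len(ts) < 2:
        return 0.0
    observed_pps = len(ts) / (max(ts) - min(ts))
    return observed_pps * (2 ** 32 / telescope.num_addresses)

if __name__ == "__main__":
    for victim in infer_victims(PACKETS):
        print(victim, estimate_attack_rate(PACKETS, victim), "pkt/s (estimate)")
```

The spread check (replies to several distinct dark addresses) separates backscatter from a single misdirected packet, and the scaling step assumes the spoofed sources are uniformly random, which is the premise on the slide.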

Honeypots

- Resource whose value lies in its unauthorized use
- Example: advertising a set of addresses that are currently not in active use
  - There are no active hosts connected to them for the purpose of traditional Internet activity (dark addresses)
  - Traffic that arrives is considered to be malicious

Monitoring the Honeypots

- Passive: listen to honeypots
- Active: respond to malicious traffic
  - Sending SYN-ACK to incoming SYN
  - Emulating a login session or a whole kernel
- Additional details about attack traffic
  - AS associated with the source address
  - Prefix to which the source address belongs
  - Temporal patterns
  - Protocol of preference
  - Locate spam email originators

Honeyfarm

- Centralized collection of honeypots
- Detect worms automatically
  - A set of k honeypots
  - If 1/k of vulnerable machines are infected

Network Telescope

- Certain kinds of victims and misconfigurations seen from a distance
- GenII: second generation of honeypots
  - Reduce effort to deploy honeypots
  - Harder to detect
- GenII uses
  - Separate secure network, making the gateway difficult to detect
  - Absence of MAC

Mobile Honeypots (…)

- Information about darkness of the prefixes is made available to upstream ASes
- Prefixes would change periodically via BGP announcements
- ASes also participating in the scheme
  - Control information passed down about the originators towards the destination
  - Use COMMUNITY attribute field

Mobile Honeypots (…)

Weakness of Honeypots

- Blackhat community
  - Reverse blacklisting
- Speed of discovering honeypots: whitehats vs. blackhats

Malware

- Unwanted advertisement
- Spyware: software inadvertently downloaded onto a machine to monitor certain user activities
- Backdoors: holes created for later exploitation
- Viruses
- Worms

Virus vs. Worm

- Virus requires user participation
  - Viruses may spread slowly as direct participation by a user is required
- Worm exploits known flaws in an operating system

Worms

- Enter through reasonably well-known security holes (buffer overflow)
  - Place arbitrary code at that address to be executed next
- Measurements:
  - How target lists are chosen
  - The set of possible entry points
  - How quickly they could spread

Worms (…)

- Scanning of a large portion of the Internet
- Speed of spreading:
  - Varies with worm
  - First worm (Morris worm)
- Measurements about speed:
  - Dynamic prevention methods
  - Identifying potential hosts
  - Slow scanning to gather the hitlist

Intrusion Detection

- Combination of measurements and statistics
- If the number of false positives exceeds a threshold, the overall value of alerts begins to diminish and real threats may be ignored by administrators
- ISPs have traditionally been reluctant to share information about attacks

Third-party Company

- Monitor attacks inside companies
- Coordinate attacks across the Internet for an early warning system
- Formulate signatures
- Compile statistics
- Vulnerability databases
- Possible countermeasures
- Authenticating participants' messages

Dark Prefix Traffic

- iSink
  - Passive monitoring
  - Active response
  - Scalable by stateless kernel module
- Internet Motion Sensor
  - Passively monitor
  - Active response
  - Store data in database

Application-level Measurement

- Mitigating attacks
  - Firewalls are the first line of defense
- Large ISPs and spam: partition SMTP senders by trusted, unknown and suspicious