Security
Internet Measurement Course
Seyed Majid Zahedi
Jan, 2010
Chapter 9
10/16/2015 1
Role of Internet Measurement in Security
- Number of users, applications and hosts is increasing
- Number of attempts to break into networks is increasing too
- Internet measurement plays an important role
  - Coordinating information across large networks
04/20/23 2
Type of Attacks
- Link-flooding
  - High-bandwidth
  - Low-bandwidth (aimed at particular applications)
- High-volume attack from a single source
- High-volume attack from a collection of distributed sources
- Periodic, coordinated or spaced at uneven intervals (to escape easy detection)
Type of Attacks (…)
- Stepping stone attacks
  - Compromised machine used to launch attacks later
- Man-in-the-middle
  - Exploiting trust-based relationship between peers
Attackers' Identity
- Masquerade their identity
- Usurp others' identity
  - Spoofing the source address and setting it to the attack victim's address (reflector attacks)
Motivation for Attacks
- Juvenile pleasure of displaying the ability to carry out attacks
- Work on behalf of spammers
- High payback of attacks
Damage of Attacks
- Wasted resources, from computing to human
- Services become unavailable, partially or entirely
- The effects may persist long after the attack
- Many of the affected users may switch to a different service provider
Today's Attacks
- Sometimes it is very simple
- The widely prevalent denial of service attacks have toolkits
- It is possible to obtain a botnet with the attacks pre-configured on it
- The only variable is the set of targets
False Positive
- An event signalling an IDS to produce an alarm when no attack has taken place
Measurement at all Layers
- At packet level
  - Inter-arrival times
  - Packet size
  - Protocol choices
  - Patterns of interaction between end points
  - Source and destination IP addresses and ports
- At higher levels
  - ON/OFF patterns of connection
  - Differences in flow-level attributes
Measurement at all Layers (…)
- Graph-based DNS characterization
  - Skewed access patterns of short TCP exchanges
- Firewall logs
  - Look for outliers
- Router-based Access Control List (ACL) filtering
  - Provides information on false positives
- Rate-limiting mechanisms
  - Monitoring to examine downgraded traffic leading to poor performance
Measurement at all Layers (…)
- Passive monitoring of BGP update messages in conjunction with topology information
  - Detect the presence of anomalies
- At the application layer
  - Everything from the contents of protocol headers to the payload
  - In P2P: tracking upload vs. download ratio to identify freeloaders
  - In games: detecting users' identity hijackers or players cheating about their current coordinates
Intrusion Detection
- Deviation from a norm
  - Norm based on historical access patterns and the policy of the site
- Filtering and blocking traffic
- Gathering additional information about attackers
- Use statistical inf.
- Analyzing multiple layers before forwarding the packets
Intrusion Detection (…)
- Use statistical measurement techniques
- Monitoring traffic levels at different parts of the network
- Use intrusion detection tools with basic measurement components built into them
Intranet Measurements
- Administrative entities differ depending on
  - Nature of traffic inside the network
  - Kinds of attacks witnessed
  - Importance of the assets being protected
- Significant deviations aren't always potential security problems
  - Brief outage of a DNS server
  - Flash crowd event because of sudden interest in a web site
- Internet measurements need to be able to distinguish between different abnormal scenarios
SNMP
- Polling data, flow-level information
- Gathering data periodically (every 5 min) at various routers
- Obtain a variety of traffic statistics
  - Packet counters
  - Number of bytes traversing
- Weakness: anomalies shorter than the polling interval will not be captured
SNMP (…)
- Use of SNMP and flow data to detect DoS attacks
  - Wavelet-based: frequency and time (Section 6.3.3)
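The polling-interval weakness above, as an added example that is not part of the lecture: a constructed per-second byte series for one interface carries a 20-second burst, and the same traffic is viewed both per second and as 5-minute SNMP counter deltas. The baseline rate, burst size, burst timing and the "3x median" alarm rule are all assumptions made for the example.

```python
"""Added example (not from the lecture slides): why a 5-minute SNMP polling
interval misses short anomalies.

A constructed per-second byte-count series for one router interface carries
a steady baseline plus a constructed 20-second burst. A per-second monitor
sees the burst; the 300-second SNMP counter delta averages it away.
Baseline, burst size and the threshold multiplier are all assumptions.
"""
import statistics

POLL_INTERVAL = 300        # SNMP polling period in seconds (slides: every 5 min)
BASELINE_BPS = 1_000_000   # constructed baseline: 1 MB/s on the interface
BURST_BPS = 20_000_000     # constructed burst: 20 MB/s
BURST_START, BURST_LEN = 700, 20   # burst begins at t=700 s and lasts 20 s


def per_second_bytes(duration=1200):
    """Constructed per-second byte counts (what the link actually carries)."""
    series = []
    for t in range(duration):
        bps = BASELINE_BPS
        if BURST_START <= t < BURST_START + BURST_LEN:
            bps = BURST_BPS
        series.append(bps)
    return series


def snmp_counter_samples(series, interval=POLL_INTERVAL):
    """Emulate polling a monotonically increasing octet counter: the delta
    between two polls, divided by the interval, is all the poller ever sees."""
    samples = []
    for start in range(0, len(series), interval):
        window = series[start:start + interval]
        samples.append(sum(window) / len(window))
    return samples


def flag_anomalies(values, threshold_multiplier=3.0):
    """Simple threshold: flag values above k times the median of the series."""
    median = statistics.median(values)
    return [i for i, v in enumerate(values) if v > threshold_multiplier * median]


def compare():
    """Run both views over the same constructed traffic and summarise."""
    series = per_second_bytes()
    samples = snmp_counter_samples(series)
    return {
        "per_second_alarms": len(flag_anomalies(series)),
        "snmp_alarms": len(flag_anomalies(samples)),
        "snmp_peak_ratio": round(max(samples) / BASELINE_BPS, 2),
    }


if __name__ == "__main__":
    print(compare())
```

The per-second view raises 20 alarms (one per burst second) while the 5-minute counter delta only rises to about 2.3x baseline and never crosses the threshold; a 20-fold burst is diluted into one 300-second average, which is exactly the case the slide warns about.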
Some Concerns
- Volume of flow data becomes large
  - Only sampled data obtained
  - Sampling can be simply statistical
- Some transactions may transpire before a flow record is written out
- Analysis done post-facto rather than online
Thresholds
- Thresholds are not always the best way
  - Probe packets sent by an attacking IP
  - Flow records don't contain any packet bodies; higher-level application logs are needed
- Set reasonable thresholds for outgoing vs. incoming traffic
  - Based on constraints and past statistics
Gateway Measurement
- Local measurements at firewalls
  - Can tools be overwhelmed in flooding attacks?
- Firewall logs
  - Habitual offending source IP addresses
  - Most commonly probed applications and port numbers
TCP SYN flooding
- Each arriving SYN stores state at the server
  - Flow ID, timer info, sequence number, flow control status, out-of-band data, MSS, other options agreed to
- Attacker sends many connection requests
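The per-SYN state the slide lists, as an added example that is not part of the lecture: a listener with a bounded half-open table records the flow id, timer, sequence numbers, window, MSS and negotiated options for each SYN it answers. A constructed burst of 1000 requests that never complete the handshake fills the table, and a legitimate request is refused until the entries time out. The backlog size, timeout, addresses and arrival times are all constructed.

```python
"""Added example (not from the lecture slides): what the server must remember
for every SYN it has answered, and how a burst of never-completed handshakes
exhausts a fixed-size half-open table. Backlog, timeout, addresses and the
arrival pattern are constructed for the example; the SYN timeout is the
defender's knob shown at the end.
"""
import random
from dataclasses import dataclass


@dataclass
class HalfOpenEntry:
    """State held per SYN_RCVD connection (the items the slide lists)."""
    flow_id: tuple       # (src_ip, src_port, dst_ip, dst_port)
    created_ms: int      # timer: when the SYN-ACK was sent
    server_isn: int      # our initial sequence number
    client_isn: int      # sequence number from the client's SYN
    rcv_window: int      # flow control: window advertised by the client
    mss: int             # maximum segment size agreed to
    options: tuple       # other options agreed to, e.g. ("SACK", "WSCALE")


class Listener:
    """A listening socket with a bounded half-open (SYN_RCVD) table."""

    def __init__(self, backlog, syn_timeout_ms):
        self.backlog = backlog
        self.syn_timeout_ms = syn_timeout_ms
        self.half_open = {}
        self.dropped = 0

    def expire(self, now_ms):
        """Free entries whose SYN-ACK was never acknowledged within the timeout."""
        stale = [f for f, e in self.half_open.items()
                 if now_ms - e.created_ms >= self.syn_timeout_ms]
        for f in stale:
            del self.half_open[f]
        return len(stale)

    def on_syn(self, flow_id, now_ms, client_isn=0, window=65535,
               mss=1460, options=("SACK",)):
        """Handle an arriving SYN: allocate state or drop when the table is full."""
        self.expire(now_ms)
        if flow_id in self.half_open:
            return True                      # retransmitted SYN, state exists
        if len(self.half_open) >= self.backlog:
            self.dropped += 1
            return False
        self.half_open[flow_id] = HalfOpenEntry(
            flow_id, now_ms, random.getrandbits(32), client_isn, window, mss, options)
        return True

    def on_ack(self, flow_id, now_ms):
        """Third handshake packet: promote to established (here: free the entry)."""
        self.expire(now_ms)
        return self.half_open.pop(flow_id, None) is not None


def run_scenario(backlog=128, syn_timeout_ms=60_000):
    """Constructed flood of 1000 SYNs over 10 s from distinct sources that never
    ACK, followed by one legitimate client during and after the flood."""
    listener = Listener(backlog, syn_timeout_ms)
    flood_accepted = 0
    for i in range(1000):
        flow = ("203.0.113.%d" % (i % 256), 1024 + i, "192.0.2.80", 80)
        if listener.on_syn(flow, now_ms=i * 10):
            flood_accepted += 1
    flood_dropped = listener.dropped
    legit = ("198.51.100.5", 40000, "192.0.2.80", 80)
    during = listener.on_syn(legit, now_ms=11_000)
    after = listener.on_syn(legit, now_ms=75_000)
    completed = listener.on_ack(legit, now_ms=75_100)
    return {"flood_accepted": flood_accepted, "flood_dropped": flood_dropped,
            "legit_accepted_during_flood": during,
            "legit_accepted_after_timeout": after, "legit_completed": completed}


if __name__ == "__main__":
    print(run_scenario())
    print(run_scenario(syn_timeout_ms=5_000))
```

With a 60-second timeout the first 128 SYNs occupy the whole table and the remaining 872 are dropped, as is the legitimate request one second after the flood; only after the entries expire does it get through. Re-running with a 5-second timeout shows the same flood leaving room for the legitimate client, which is why shrinking per-SYN state lifetime (or not holding it at all) is the usual mitigation direction.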
Intrusion Detection Systems (IDS)
- Large Internet Service Providers position IDS at the perimeter of their network
- Some ISPs position IDS in front of certain customers
- Set of signatures to watch for traffic that violates the expected patterns
  - Specific patterns of known attacks (probes on certain ports)
  - Information about attackers
  - Choice of protocol
  - Temporal and packet size distribution
IDS (…)
- Database can be used
  - Reducing impact of false positives
  - System-wide blacklist
  - Post-facto analysis
- Coordination between multiple IDSes
Techniques at Firewalls
- Access control list
  - Source IP addresses
  - Destination addresses
  - Linux ipchains, Cisco's IOS
- ISS and nmap
  - Probe packets to test firewalls
  - Simulate the attacks without damage
Inter-domain Measurement
- Inter-domain attacks have large and serious impacts
  - Compromise BGP tables
  - Black-holing a significant fraction of traffic
- Combination of a model of AS connectivity and passive monitoring of BGP messages
  - Detect man-in-the-middle attacks
  - Examine the AS_PATH attribute of BGP update messages
Some Concerns about Violations
- Misconfigurations and violations
- Examining prefixes that appear to originate from more than one AS
Address Space Hijacking
- When an AS announces, either mistakenly or deliberately, address space that is not owned by it
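The check from the two slides above (prefixes that appear to originate from more than one AS, and announcements of space an AS does not own), as an added example that is not from the lecture: a constructed set of BGP UPDATE observations is reduced to origin AS per prefix, MOAS conflicts are listed, and each announcement is compared with a constructed registry of expected origins, including more-specific prefixes carved out of a registered block. All prefixes (RFC 5737 documentation space), ASNs (private range) and the registry are made up for the example.

```python
"""Added example (not from the lecture slides): detecting prefixes that
appear to originate from more than one AS (MOAS conflicts), the check the
slides describe for spotting misconfigurations and address-space hijacks.

Input is a constructed list of BGP UPDATE observations: (time, peer, prefix,
AS_PATH). The origin AS is the last ASN in AS_PATH. ASNs, prefixes and the
'expected origin' table below are all made up for the example.
"""
from collections import defaultdict
import ipaddress

# Constructed observations of BGP updates seen at a route collector.
UPDATES = [
    ("t1", "peer-A", "192.0.2.0/24", [64500, 64510, 64520]),
    ("t1", "peer-B", "192.0.2.0/24", [64501, 64510, 64520]),
    ("t2", "peer-A", "198.51.100.0/24", [64500, 64530]),
    ("t3", "peer-B", "192.0.2.0/24", [64501, 64540]),     # different origin
    ("t3", "peer-A", "203.0.113.0/24", [64500, 64550]),
    ("t4", "peer-B", "203.0.113.0/25", [64501, 64560]),   # more-specific from another AS
]

# Constructed registry of who is expected to originate each prefix.
EXPECTED_ORIGIN = {
    "192.0.2.0/24": 64520,
    "198.51.100.0/24": 64530,
    "203.0.113.0/24": 64550,
}


def origin_as(as_path):
    """The originating AS is the right-most ASN of the AS_PATH."""
    return as_path[-1]


def find_moas(updates):
    """Map each prefix to the set of origin ASes seen; return those with >1."""
    origins = defaultdict(set)
    for _, _, prefix, as_path in updates:
        origins[prefix].add(origin_as(as_path))
    return {p: sorted(a) for p, a in origins.items() if len(a) > 1}


def find_unexpected_origins(updates, expected):
    """Flag announcements whose origin disagrees with the registry, including
    more-specific prefixes carved out of a registered block by another AS."""
    registered = {ipaddress.ip_network(p): asn for p, asn in expected.items()}
    alerts = []
    for when, peer, prefix, as_path in updates:
        net = ipaddress.ip_network(prefix)
        for reg_net, reg_asn in registered.items():
            if net.subnet_of(reg_net) and origin_as(as_path) != reg_asn:
                alerts.append((when, peer, prefix, origin_as(as_path), reg_asn))
    return alerts


if __name__ == "__main__":
    print("MOAS:", find_moas(UPDATES))
    for alert in find_unexpected_origins(UPDATES, EXPECTED_ORIGIN):
        print("unexpected origin:", alert)
```

The MOAS view alone cannot tell a legitimate multi-homing arrangement from a hijack, which is why the second function brings in an external expectation (here a constructed table; in practice routing-registry or RPKI data) and also catches the more-specific announcement that a plain per-prefix origin count would treat as a separate, unremarkable prefix.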
Classifying DoS Attacks
- Flooding a link or a particular application
  - Numerous simultaneous requests
  - DDoS
- Backscatter technique
  - Spoofing the source of the attacks, picking sources randomly
  - Responses are spread across the Internet
  - Large space
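The backscatter technique from the slide, as an added example that is not part of the lecture: packets that arrive unsolicited in a monitored unused block are grouped by source address, since a victim replying to randomly spoofed sources shows up as the sender of SYN-ACKs, RSTs and ICMP errors landing in dark space, and the observed rate is scaled by the fraction of the address space monitored. The monitored block size, capture window and packet capture are constructed.

```python
"""Added example (not from the lecture slides): inferring DoS victims from
backscatter, the technique described on the slide.

The monitored block is a constructed unused /16 (65,536 addresses); the
capture below is a constructed list of packets that arrived in it during a
constructed 60-second window. Attack traffic with randomly spoofed sources
makes the victim send replies (SYN-ACK, RST, ICMP unreachable) to those
random addresses, so the victim shows up as the *source* of unsolicited
replies landing in our dark space. Because sources were chosen uniformly
at random, the victim's total reply rate is the observed rate scaled by
2^32 / (size of monitored block).
"""
from collections import Counter, defaultdict

MONITORED_ADDRESSES = 2 ** 16          # constructed: one unused /16
WINDOW_SECONDS = 60                     # constructed capture window
IPV4_SPACE = 2 ** 32

# Packet kinds that are plausible replies to unsolicited traffic.
BACKSCATTER_KINDS = {"TCP/SYN-ACK", "TCP/RST", "ICMP/unreachable", "ICMP/echo-reply"}

# Constructed capture: (src_ip, dst_ip, kind). Sources are RFC 5737
# documentation addresses standing in for real victims; destinations lie in
# the monitored block.
CAPTURE = (
    [("192.0.2.10", "10.7.0.%d" % i, "TCP/SYN-ACK") for i in range(120)]
    + [("192.0.2.10", "10.7.5.%d" % i, "TCP/RST") for i in range(30)]
    + [("198.51.100.7", "10.7.9.%d" % i, "ICMP/unreachable") for i in range(6)]
    + [("203.0.113.3", "10.7.1.1", "TCP/SYN")]   # an inbound probe, not backscatter
)


def classify_backscatter(capture):
    """Group unsolicited reply packets by their source (the inferred victim)."""
    per_victim = defaultdict(Counter)
    for src, _dst, kind in capture:
        if kind in BACKSCATTER_KINDS:
            per_victim[src][kind] += 1
    return per_victim


def estimate_attack_rate(packets_seen, window=WINDOW_SECONDS,
                         monitored=MONITORED_ADDRESSES):
    """Scale the observed backscatter rate up to the whole IPv4 space."""
    return packets_seen / window * (IPV4_SPACE / monitored)


def victim_report(capture, min_packets=10):
    """Victims seen with at least min_packets of backscatter, with the
    estimated packets per second the victim is replying with overall."""
    report = {}
    for victim, kinds in classify_backscatter(capture).items():
        total = sum(kinds.values())
        if total >= min_packets:
            report[victim] = {"observed": total, "kinds": dict(kinds),
                              "estimated_pps": estimate_attack_rate(total)}
    return report


if __name__ == "__main__":
    for victim, info in victim_report(CAPTURE).items():
        print(victim, info)
```

The inbound SYN is ignored because it is a probe of the dark space rather than a reply, and the six ICMP packets fall below the minimum count; the remaining 150 packets in 60 seconds from a /16 scale to an estimated 163,840 replies per second at the victim. The estimate assumes uniformly random spoofing, which is exactly the assumption the slide names; an attacker who spoofs from a narrow range breaks it.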
Classifying DoS Attacks (…)
- Another technique
  - Monitor peering links bidirectionally between ISPs (tcpdump)
  - Capture packet headers to examine exceeded thresholds
  - Number of distinct sources that are attempting to communicate with the same host
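The distinct-sources-per-host check above, combined with the earlier Thresholds slide's advice to derive thresholds from past statistics, as an added example that is not part of the lecture: constructed flow records are counted per destination and minute, and a host is flagged when the current minute's distinct-source count exceeds a threshold computed from that host's own history. The addresses, the sigma multiplier K and the floor MIN_THRESHOLD are assumptions.

```python
"""Added example (not from the lecture slides): the 'number of distinct
sources attempting to communicate with the same host' check, with the
threshold derived from past statistics as the Thresholds slide suggests,
rather than from a fixed constant.

Flow records are constructed (minute, src_ip, dst_ip) tuples using RFC 5737
documentation addresses. K and MIN_THRESHOLD are assumptions.
"""
from collections import defaultdict
import statistics

K = 3.0              # assumed sigma multiplier for the alarm threshold
MIN_THRESHOLD = 20   # assumed floor so quiet hosts do not alarm on tiny changes


def build_flows():
    """Constructed flow log: ten quiet minutes, then a minute in which one web
    server is additionally contacted by 200 distinct new sources."""
    flows = []
    for minute in range(11):
        for s in range(5 + (minute % 3)):            # 5..7 regular clients per minute
            flows.append((minute, "198.51.100.%d" % s, "192.0.2.80"))
        for s in range(2):                            # a quiet mail server
            flows.append((minute, "198.51.100.%d" % (50 + s), "192.0.2.25"))
    for s in range(200):                              # minute 10: burst of new sources
        flows.append((10, "203.0.113.%d" % s, "192.0.2.80"))
    return flows


def distinct_sources(flows):
    """Per (minute, dst) count of distinct source addresses."""
    seen = defaultdict(set)
    for minute, src, dst in flows:
        seen[(minute, dst)].add(src)
    return {key: len(srcs) for key, srcs in seen.items()}


def threshold_for(counts, dst, current_minute):
    """Alarm threshold for dst from its own history before current_minute:
    mean + K * stdev of the past distinct-source counts, never below the floor."""
    history = [counts.get((m, dst), 0) for m in range(current_minute)]
    if len(history) < 2:
        return MIN_THRESHOLD
    return max(MIN_THRESHOLD, statistics.mean(history) + K * statistics.pstdev(history))


def detect(flows, current_minute):
    """Hosts whose distinct-source count in current_minute exceeds their threshold."""
    counts = distinct_sources(flows)
    alarms = []
    for (minute, dst), n in sorted(counts.items()):
        if minute != current_minute:
            continue
        limit = threshold_for(counts, dst, current_minute)
        if n > limit:
            alarms.append({"dst": dst, "distinct_sources": n, "threshold": limit})
    return alarms


if __name__ == "__main__":
    for alarm in detect(build_flows(), current_minute=10):
        print(alarm)
```

Only the web server alarms in minute 10 (206 distinct sources against a threshold of 20), and nothing alarms in minute 9. The floor matters: for a host that normally sees two clients, mean + 3 sigma is about 2, and without the floor a third client would be an "attack", which is the false-positive inflation the IDS slides warn about.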
Classifying DoS Attacks (…)
- Frameworks to classify DoS attacks by:
  - Headers
  - Speed with which attacks grow
  - Distinguishing single- and multi-source attacks
Honeypots
- Resource whose value lies in its unauthorized use
- Example: advertising a set of addresses that are currently not in active use
  - There are no active hosts connected to them for the purpose of traditional Internet activity
  - Dark addresses
- Traffic that arrives is considered to be malicious
Monitoring the Honeypots
- Passively listen on honeypots
- Actively respond to malicious traffic
  - Sending SYN-ACK to incoming SYN
  - Emulating a login session or a whole kernel
- Additional details about attack traffic
  - AS associated with the source address
  - Temporal patterns
  - Protocol of preference
  - Prefix to which the source address belongs
- Locate spam email originators
Honeyfarm
- Centralized collection of honeypots
- Detect worms automatically
  - A set of k honeypots
  - If 1/k of vulnerable machines are infected
Network Telescope
- Observes certain kinds of victims and misconfigurations from a distance
- GenII: second generation of honeypots
  - Reduce effort to deploy honeypots
  - Harder to detect
- GenII uses:
  - Separate secure network, making the gateway difficult to detect
  - Absence of MAC
Mobile Honeypots (…)
- Information about the darkness of the prefixes is made available to upstream ASes
- Prefixes would change periodically via BGP announcements
- ASes also participating in the scheme
  - Control information passed down about the originators towards the destination
  - Use the COMMUNITY attribute field
Weakness of Honeypots
- Blackhat community
  - Reverse blacklisting
- Speed of discovering honeypots: whitehats vs. blackhats
Malware
- Unwanted advertisement
- Spyware: software inadvertently downloaded onto a machine to monitor certain user activities
- Backdoors: holes created for later exploitation
- Viruses
- Worms
Virus vs. Worm
- Virus requires user participation
  - Viruses may spread slowly as direct participation by a user is required
- Worm exploits known flaws in an operating system
Worms
- Enter through reasonably well-known security holes (buffer overflow)
  - Place arbitrary code at that address to be executed next
- Measurements:
  - How target lists are chosen
  - The set of possible entry points
  - How quickly they could spread
Worms (…)
- Scanning of a large portion of the Internet
- Speed of spreading:
  - Varies with worm
  - First worm (Morris worm)
- Measurements about speed:
  - Dynamic prevention methods
  - Identifying potential hosts
  - Slow scanning to gather the hitlist
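The "how quickly they could spread" question from the two Worms slides, as an added example that is not part of the lecture: a deterministic model of a random-scanning worm in which each infected host probes uniformly random IPv4 addresses, so the expected number of new infections per step is I * s * (V - I) / 2^32, run once from a single seed and once from a pre-gathered hitlist. The vulnerable population V, the scan rate s and the hitlist size are constructed parameters, not figures from the lecture; the model is the standard random-constant-spread reasoning, not something the slides state.

```python
"""Added example (not from the lecture slides): a deterministic model of how
quickly a random-scanning worm spreads, and how a pre-gathered hitlist changes
that. It applies the usual random-constant-spread reasoning (each infected
host probes uniformly random IPv4 addresses, so a probe finds an uninfected
vulnerable host with probability (V - I)/2^32); the vulnerable population V,
the scan rate and the hitlist size are constructed parameters, not figures
from the lecture.
"""
IPV4_SPACE = 2 ** 32


def simulate(vulnerable, scans_per_host_per_step, initial_infected, max_steps=200_000):
    """Expected number of infected hosts per time step, until fewer than one
    vulnerable host remains uninfected (or max_steps is reached)."""
    infected = [float(min(initial_infected, vulnerable))]
    for _ in range(max_steps):
        i = infected[-1]
        if vulnerable - i < 1.0:
            break
        # expected successful new infections this step: every infected host
        # sends scans, each hitting an uninfected vulnerable address with
        # probability (V - I) / 2^32
        new = i * scans_per_host_per_step * (vulnerable - i) / IPV4_SPACE
        infected.append(min(float(vulnerable), i + new))
    return infected


def steps_to_fraction(trajectory, vulnerable, fraction):
    """First step at which the infected population reaches the given fraction."""
    target = fraction * vulnerable
    for t, i in enumerate(trajectory):
        if i >= target:
            return t
    return None


def compare_strategies(vulnerable=300_000, scan_rate=10, hitlist=10_000):
    """Time to 90% infection from a single seed vs. from a hitlist of seeds."""
    single = simulate(vulnerable, scan_rate, 1)
    seeded = simulate(vulnerable, scan_rate, hitlist)
    return {
        "random_start_90pct": steps_to_fraction(single, vulnerable, 0.9),
        "hitlist_start_90pct": steps_to_fraction(seeded, vulnerable, 0.9),
    }


if __name__ == "__main__":
    print(compare_strategies())
```

The curve is logistic: the slow start (one host scanning at random rarely finds another vulnerable one) is where most of the time goes, and a hitlist skips that phase, which is why the slide lists "slow scanning to gather the hitlist" as a speed measurement that matters and why dynamic prevention has to act early. With the constructed parameters the single-seed run needs roughly 21,000 steps to reach 90% while the hitlist run needs roughly 8,000, matching the closed-form logistic estimate (ln(9) + ln((V - I0)/I0)) / (s V / 2^32).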
Intrusion Detection
- Combination of measurements and statistics
- If the number of false positives exceeds a threshold, the overall value of alerts begins to diminish and real threats may be ignored by administrators
- ISPs have traditionally been reluctant to share information about attacks
Third-party Company
- Monitor attacks inside companies
- Coordinate attacks across the Internet for an early warning system
- Formulate signatures
- Compile statistics
- Vulnerability databases
- Possible countermeasures
- Authenticating participants' messages
Dark Prefix Traffic
- iSink
  - Passive monitoring
  - Active response
  - Scalable by stateless kernel module
- Internet Motion Sensor
  - Passively monitor
  - Active response
  - Store data in database