
14. Zota — Bscatter Measurement - Computer Science, jeffay/courses/nidsS05/slides/14-Measurement.pdf


The UNIVERSITY of NORTH CAROLINA at CHAPEL HILL

Intrusion Detection – Backscatter and Global Analysis

Stefan Zota

Introduction

How prevalent are DoS attacks?

Quantitative analysis

Long term predictions and recurring patterns of attacks

Measurement and Global Analysis


Outline

Challenges

Methods for Measuring DoS attacks

Firewall Logs

Network Telescopes

Internet Sinks

Backscatter

Background Radiation

Conclusions


Challenges

Attackers find ingenious ways of compromising remote hosts

Attackers give public access to the tools used so the hacking community improves

The size and complexity of the Internet make it impossible to remove all vulnerabilities

The sharing of information between networks is complicated due to privacy issues

Very little understanding of intrusion activity on a global basis

Very hard to detect the length of an attack or combined protocol attacks

Examples of Flow Anomalies

Barford and Plonka identify three categories:

Network Operation Anomalies

Flash Crowd Anomalies

Network Abuse Anomalies

Network Operation Anomalies

Outages, configuration changes, environmental limits

Flash Crowd Anomalies

Rapid rise in traffic flows to a particular destination with a gradual drop-off in time

Network Abuse Anomalies

Identify DoS flow flood attacks and port scans

They may not be apparent in bit or packet rate measurements


Goals

Characterization of the “non-productive” or malicious traffic

Develop a methodology for measuring intrusions

Filtering large traffic volume

Designing scalable flexible architectures

Building responders

Overview of Methods of Measuring DoS attacks

Firewall Logs: Starting from a dataset like DSHIELD

Network Telescopes: Large chunks of unused, globally routable IP space

Internet Sinks: Unsolicited traffic for unused addresses

Passive and Active Monitoring

Backscatter: Analysis of source addresses for attacks

Background Radiation: Traffic to unused addresses (similar to Network Telescopes)

DSHIELD

Distributed Intrusion Detection System

An attempt to collect data about cracker activity from the Internet

Data contains:

Top worst offenders

Port scans

Block lists

Port report

IP Info

Subnet Report

Easy to filter packets

Network Telescopes

Chunk of globally routed IP address space

Little or no legitimate traffic

Unexpected traffic arriving at the network telescope can imply remote network/security events

It contains a lot of statistical and random data

It is good for seeing explosions, not small events

Internet Sinks

Monitors unused or dark IP

Packets for those addresses may be dropped by gateways or border routers

The size of the address space monitored is very important

Usually class A and B

Includes an active component: generates packets in response to incoming traffic

Extensible and scalable

Backscatter

Most denial of service attacks select source addresses at random for each sent packet

Shaft, TFN, Trinoo, Stacheldraht, Mstream, Trinity

It detects only attacks that use spoofed IPs

A router or an intermediate device may generate an ICMP response to the attack

Assumption: The victim responses are equi-probably distributed across the entire Internet space

Backscatter

Background Radiation

Monitor unused addresses

Detect non-productive traffic

Malicious: flooding backscatter, scans, worms

Benign: misconfigurations

What is all this non-productive traffic trying to do?

How can we filter and detect new types of malicious activity?


Firewall Logs

Internet Intrusions: Global Characteristics and Prevalence

Data collected in 1600 networks in a 4 month period by DSHIELD.ORG

Each entry is recorded by firewalls and port scan logs recorded by NIDS (primarily Snort)

Assess the daily volume of intrusion attempts

Use the results to project intrusion activity in the entire Internet

Investigate utility of sharing intrusion detection information

Scans

Vertical: Sequential or random scan of multiple ports (5 or more) of a single IP from the same source during a one hour period. Survey of well-known vulnerabilities (strobe scans)

Horizontal: Scan from a single source to multiple IPs on the same port, looking for the same vulnerability

Coordinated: Scans from multiple sources (5 or more) aimed at a particular port of destinations in the same /24 during a one hour period. Aggressive, active collaborative peers

Stealth: Low frequency horizontal and vertical scans. Minimum threshold for average interscan distance
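The scan definitions above can be turned directly into a small classifier over denied-connection logs. The following Python is an added example, not code from the slides or from the DShield study they summarize: it bins constructed firewall log lines into one hour periods and applies the thresholds on the slide (5 or more ports from one source to one host for a vertical scan, 5 or more sources on one port within one /24 for a coordinated scan). The slide gives no host count for horizontal scans, so the two-destination minimum used here is an assumption, and stealth scans are left out because the slide does not quantify the interscan-distance threshold.

```python
from collections import defaultdict
from datetime import datetime

# Constructed firewall log lines (not DShield data), one denied TCP connection attempt per line:
# "<ISO 8601 time> <source IP> <destination IP> <destination port>"
SAMPLE_LOG = """\
2005-02-14T10:02:11 203.0.113.7 198.51.100.20 21
2005-02-14T10:02:12 203.0.113.7 198.51.100.20 22
2005-02-14T10:02:13 203.0.113.7 198.51.100.20 23
2005-02-14T10:02:14 203.0.113.7 198.51.100.20 25
2005-02-14T10:02:15 203.0.113.7 198.51.100.20 80
2005-02-14T10:10:01 203.0.113.9 198.51.100.1 445
2005-02-14T10:10:02 203.0.113.9 198.51.100.2 445
2005-02-14T10:10:03 203.0.113.9 198.51.100.3 445
2005-02-14T11:30:00 203.0.113.21 198.51.100.77 135
2005-02-14T11:31:00 203.0.113.22 198.51.100.78 135
2005-02-14T11:32:00 203.0.113.23 198.51.100.79 135
2005-02-14T11:33:00 203.0.113.24 198.51.100.80 135
2005-02-14T11:34:00 203.0.113.25 198.51.100.81 135
2005-02-14T12:00:00 203.0.113.40 198.51.100.5 80
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, dst, dport) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, src, dst, dport = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return records


def slash24(ip):
    """Network prefix used for the coordinated-scan grouping."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def hour_bin(ts):
    """The slide's 'one hour period', implemented as fixed wall-clock hours."""
    return ts.replace(minute=0, second=0, microsecond=0)


def classify_scans(records, port_threshold=5, source_threshold=5, host_threshold=2):
    vertical = defaultdict(set)     # (hour, src, dst) -> distinct destination ports
    horizontal = defaultdict(set)   # (hour, src, dport) -> distinct destination hosts
    coordinated = defaultdict(set)  # (hour, dst /24, dport) -> distinct sources
    for ts, src, dst, dport in records:
        h = hour_bin(ts)
        vertical[(h, src, dst)].add(dport)
        horizontal[(h, src, dport)].add(dst)
        coordinated[(h, slash24(dst), dport)].add(src)
    return {
        "vertical": sorted((src, dst, len(ports))
                           for (h, src, dst), ports in vertical.items()
                           if len(ports) >= port_threshold),
        "horizontal": sorted((src, dport, len(hosts))
                             for (h, src, dport), hosts in horizontal.items()
                             if len(hosts) >= host_threshold),
        "coordinated": sorted((net, dport, len(srcs))
                              for (h, net, dport), srcs in coordinated.items()
                              if len(srcs) >= source_threshold),
    }


if __name__ == "__main__":
    for kind, hits in classify_scans(parse_log(SAMPLE_LOG)).items():
        print(kind, hits)
```

The single probe at 12:00 falls below every threshold and is reported nowhere, which is the point of the thresholds: they separate scan episodes from the stray connection attempts that make up most of a firewall log.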

Port Distribution

Persistence of Worm Activity

Top Sources (1)

Top Sources (2)

Top Sources (3)

Scan Types

Stealth Scan Types

Global Prevalence

Highly dynamic scanning patterns

How has the volume of scans changed over the last year?

Project daily scans to the entire Internet: Average scans per IP * Total Number of IPs

Assumption: uniformity

Daily scan rates 25B/day

Relatively steady rates for port 80 scans (decreasing)

Relatively steady rates for non-worm scans (increasing 25%)

Implications of Shared Information

Refinement extent provided by additional data

Relative entropy

Marginal utility metric: reduction of uncertainty resulting from the next experiment added to the aggregate set

Offline/Online

Experiments to evaluate the marginal utility of intrusion detection log sharing for worst offenders and port identification

Select randomly days and logs from the dataset and try to estimate the gain in aggregation
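The marginal utility metric can be made concrete as the relative entropy between the aggregate port distribution before and after one more network's log joins the set: a log that looks like the aggregate changes the picture little, a log from a network seeing a different mix changes it a lot. The Python below is an added example, not the authors' code. The per-network port histograms are constructed, the additive smoothing (alpha) over the union of observed ports is this example's device to keep the relative entropy finite when a port appears in only one log, and the base-2 logarithm is an assumption.

```python
import math
from collections import Counter

# Constructed per-network histograms of scanned destination ports (not DShield data).
# Three networks see a similar mix; the fourth sees something different.
LOGS = [
    Counter({445: 600, 135: 250, 80: 100, 1433: 50}),
    Counter({445: 580, 135: 240, 80: 130, 1433: 50}),
    Counter({445: 610, 135: 260, 80: 90, 1433: 40}),
    Counter({445: 300, 80: 500, 135: 100, 6129: 100}),
]


def to_distribution(counts, support, alpha=0.5):
    """Smoothed probability distribution over `support`.

    alpha pseudo-counts keep every port's probability above zero so the relative
    entropy stays finite; the smoothing is an assumption of this example."""
    total = sum(counts[p] for p in support) + alpha * len(support)
    return {p: (counts[p] + alpha) / total for p in support}


def relative_entropy(p, q):
    """D(P || Q) in bits: how badly a model of the aggregate as Q describes the actual P."""
    return sum(p[x] * math.log2(p[x] / q[x]) for x in p if p[x] > 0)


def marginal_utility(logs, alpha=0.5):
    """Relative entropy between the aggregate with and without each successive log.

    The first value measures the step from no information (a uniform prior over the
    observed ports) to the first log; later values are the gain from each added network."""
    support = sorted({port for log in logs for port in log})
    aggregate = Counter()
    gains = []
    for log in logs:
        before = to_distribution(aggregate, support, alpha)
        aggregate = aggregate + log
        after = to_distribution(aggregate, support, alpha)
        gains.append(relative_entropy(after, before))
    return gains


if __name__ == "__main__":
    for i, gain in enumerate(marginal_utility(LOGS), start=1):
        print(f"adding log {i}: relative entropy gain {gain:.4f} bits")
```

With these inputs the third log adds almost nothing, while the fourth (the network with a different port mix) adds far more, which is the "sensitivity to the size and diversity of the peering group" the summary slide reports.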

Marginal Utility (1)

Marginal Utility (2)

Summary

1M – 3M scans per day

Widely distributed sources

Power law distribution for the number of events

Large amounts of scans for port 80

60-70% of non-worm scans are horizontal

A lot of daily vertical scan episodes

Coordinated worst offenders are responsible for a significant fraction of all scanning activity

The collaboration benefit is sensitive to the size and diversity of the peering group


Network Telescopes (1)

Assume random IP generation scanning

Network Telescopes (2)

Size of the telescope is important for:

Detecting events that generate fewer packets

Better accuracy in determining the attack interval

The probability of detecting events increases with the size of the telescope

Increase the size by using distributed telescopes

Advantages:

Reduces dependency on reaching a single block

Traffic load may be distributed over multiple sites

May avoid being skipped by some IP generation algorithms

Disadvantages:

Synchronization

Data distribution
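Why size matters follows from a single probability: under the random IP generation assumption, each packet lands in a telescope of n addresses with probability n/2^32. The Python below is an added example, not code from the slides or from Moore's network telescope work; it turns that fraction into the detection probability for an event of a given size, the expected number of packets the telescope sees, the smallest event detectable at a chosen confidence, and the mean waiting time before a scanning host is first observed, for single blocks and for a distributed telescope built from several blocks.

```python
import math

IPV4_ADDRESSES = 2 ** 32


def telescope_fraction(prefix_len):
    """Fraction of the IPv4 space covered by one /prefix_len block."""
    return 2 ** (32 - prefix_len) / IPV4_ADDRESSES


def distributed_fraction(prefix_lens):
    """Coverage of a distributed telescope made of disjoint blocks (coverage simply adds)."""
    return sum(telescope_fraction(p) for p in prefix_lens)


def detection_probability(fraction, packets):
    """P(at least one of `packets` uniformly-addressed packets hits the telescope)."""
    return 1 - (1 - fraction) ** packets


def expected_observed(fraction, packets):
    """Expected number of an event's packets that the telescope records."""
    return packets * fraction


def packets_needed(fraction, confidence=0.95):
    """Smallest event (packets sent Internet-wide) seen with the given confidence."""
    return math.ceil(math.log(1 - confidence) / math.log(1 - fraction))


def seconds_to_first_hit(fraction, packets_per_second):
    """Mean time until a host scanning random addresses at this rate first shows up."""
    return 1 / (fraction * packets_per_second)


def main():
    cases = [
        ("/8", telescope_fraction(8)),
        ("/16", telescope_fraction(16)),
        ("4 x /16 distributed", distributed_fraction([16, 16, 16, 16])),
    ]
    for name, frac in cases:
        print(f"{name}: coverage {frac:.2e}, "
              f"P(detect a 10k-packet event) = {detection_probability(frac, 10_000):.3f}, "
              f"{packets_needed(frac)} packets needed for 95% detection, "
              f"{seconds_to_first_hit(frac, 10):.0f} s to first hit of a 10 pps scanner")


if __name__ == "__main__":
    main()
```

A /8 sees a 10 pps random scanner within about half a minute on average and needs an event of only a few hundred packets for 95% detection; a /16 needs roughly 200,000 packets for the same confidence, which is why the slide insists on telescope size and on pooling blocks across sites.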

Network Telescopes Size (1)

Network Telescopes – CodeRed

Daily Non-Worm Scan Rate

Daily Port 80 Scan Rate


Internet Sinks

iSink capabilities:

Trace packets

Respond actively

Masquerade as several applications

Fingerprint source hosts

Sample packets

Monitor 4 class B and one class A for 4 months

Stateless operation and sampling increase the scalability

B classes - holes between active subnets

Main objective: a highly interactive, scalable backplane for filtering attacks and misconfigurations

Architecture

3 main components:

Argus - Passive Monitor

• generic libpcap based IP network auditing tool

• flow level monitoring of sink traffic

Click - Active Sink

• Poll device

• IP Classifier for routing ARP, ICMP and TCP packets

• Windows Responder

NAT Filter

• Reduce responder generated traffic volume

• Routes requests to appropriate responders

• Filter requests – connections to the first N destination IPs targeted by the source

VMware Honeynets – commodity VMware systems

NIDS – evaluate packet logs collected at the filter

Architecture

iSink Deployment

Campus Enterprise Sink (CES)

iSink received unsolicited traffic for 100,000 IPs

Configure a “black-hole” intra-campus router to advertise the class B aggregate routes into the intra-campus OSPF

iSink did not participate in intra-campus routing

iSink is the destination of a static route

Unsolicited traffic falls to the /16 routes, i.e. to iSink

Occasionally traffic for used addresses may fall to iSink because of nonexistent routes

Service Provider Sink (SPS)

Unsolicited traffic for 16 million IPs (class A)

ISP advertised class A via BGP to

SNMP measurements at switch ports for computing Argus packet loss

CES Inbound Traffic

SPS Inbound Traffic

Backscatter Packets

Unique Periodic Probes

TCP flow periodicity can be isolated to sources scanning port 139 (Server Message Block over NetBIOS) and port 445 (SMB)

Scans involve 256 IPs from a /24

Probes have a one hour period

Small scale periodicity superimposed over a daily periodicity

They have built responders for NetBIOS and SMB

The scanning process was done by the LovGate worm

• Email propagation; at execution, it copies itself to kernel66.dll, iexplore.exe etc.; backdoor (dropping a trojan) waiting on port 20168

• Dictionary attack

Set up a controlled experiment

Deterministic scanning

Small periods of synchronization

SMTP Hot-spot

One IP attracting a large number of SMTP scans

4.5 million scans from 14,000 unique IPs in 10 days

Uncommon TCP SYN fingerprint

All were DSL and cable modem hosts

They have set up an SMTP responder

The source was a misconfigured wireless router

Uninitialized garbage value converted to IP address

They have looked for the printed ASCII version of the IP address and found it in all versions of firmware for the device

Scalability

Sampling

Reduced bandwidth

Improved scalability

Simplified data management and analysis

Adaptation of “Heavy hitters” sampling

Subnet selection

Memory constrained Sample and Hold: identifies flows larger than a threshold

Random sampling (uniform class A traffic)

Hash containing flow id and byte count

Sampling rate based on empirical observation of traffic

Larger blacklists easier to estimate
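Sample and hold works like this: a flow not yet in the hash is admitted with a probability that grows with the bytes of the arriving packet, and once admitted every later byte is counted exactly, so a flood is caught almost surely after a few packets while most single-packet probes never consume a table entry. The block below is an added Python example, not iSink code. The traffic is constructed (one flood toward a dark address plus 500 single-packet probes to distinct addresses), and the byte sampling probability, the heavy-hitter threshold and the 1-in-10 uniform packet sampling helper, included for contrast with the class A estimate on the slide, are assumptions.

```python
import random


class SampleAndHold:
    """Memory-constrained heavy-hitter identification (sample and hold).

    A flow absent from the table is admitted with probability 1 - (1 - p)^bytes,
    i.e. as if each byte were sampled independently with probability p; once
    present, all of its later bytes are added exactly. The table only ever
    holds flows that were sampled, which bounds memory regardless of how many
    distinct flows pass by."""

    def __init__(self, byte_sampling_prob, threshold_bytes, seed=1):
        self.p = byte_sampling_prob
        self.threshold = threshold_bytes
        self.table = {}                 # flow id -> byte count (the hash on the slide)
        self.rng = random.Random(seed)  # seeded so the example is reproducible

    def observe(self, flow_id, size):
        if flow_id in self.table:
            self.table[flow_id] += size
        elif self.rng.random() < 1 - (1 - self.p) ** size:
            self.table[flow_id] = size

    def heavy_hitters(self):
        """Flows whose counted bytes reached the threshold."""
        return {f: b for f, b in self.table.items() if b >= self.threshold}


def constructed_traffic(seed=7):
    """Constructed (flow id, bytes) stream: one 2 MB flood plus 500 100-byte probes."""
    heavy = ("203.0.113.9", "10.1.2.3", 445)
    pkts = [(heavy, 1000)] * 2000
    pkts += [((f"198.51.100.{i % 250}", f"10.9.{i // 250}.{i % 250}", 135), 100)
             for i in range(500)]
    random.Random(seed).shuffle(pkts)
    return pkts


def uniform_sample_total_bytes(packets, rate=0.1, seed=3):
    """Plain random packet sampling: scale the sampled bytes by 1/rate to estimate the total."""
    rng = random.Random(seed)
    sampled = sum(size for _, size in packets if rng.random() < rate)
    return sampled / rate


def run_sample_and_hold(packets, byte_sampling_prob=1 / 10_000, threshold_bytes=100_000):
    sah = SampleAndHold(byte_sampling_prob, threshold_bytes)
    for flow_id, size in packets:
        sah.observe(flow_id, size)
    return sah


if __name__ == "__main__":
    pkts = constructed_traffic()
    sah = run_sample_and_hold(pkts)
    print("table entries:", len(sah.table), "of", len({f for f, _ in pkts}), "flows")
    print("heavy hitters:", sah.heavy_hitters())
    print("uniform 1/10 sample estimate of total bytes:", uniform_sample_total_bytes(pkts))
```

The flood is reported with a byte count that misses only the packets before its first sample (on the order of 1/p bytes), while the table stays at a handful of entries for 501 flows; uniform sampling gives a fair total-volume estimate but cannot say which flow the volume belongs to without keeping every sampled flow id.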

Summary

Clear evidence of well documented worms

New worm detection

Different overall characteristics between class B and A

iSink commodity PC hardware has the ability to monitor and respond to 20,000 connection requests per second (peak class A traffic)


Backscatter

Random source selection for each packet

Attack tools: Shaft, TFN, trinoo, Stacheldraht, mstream, Trinity

Equi-probable distribution of victim responses across all the Internet space

Assumptions:

Address uniformity

Reliable delivery

Backscatter hypothesis

Ingress filtering

Reflector attacks

Flow Based Classification

Classification for individual attacks

Fixed flow lifetime (5 minute interval)

Conservative timeout suggests fewer, longer attacks

Shorter timeout suggests a large number of shorter attacks

Discard all flows with fewer than 100 packets and a duration less than 60 seconds

Used to avoid random Internet misconfigurations?

Event Based Classification

Used for highly variable attacks

Examine time-domain qualities on the victim IP

Number of simultaneous attacks

Distribution of attack rates

Divide the trace in one minute periods

An attack event = victim emits 10 backscatter packets during a minute
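Both classifications on the last two slides can be run over the same backscatter trace. The Python below is an added example, not code from the slides or from Moore et al.: it groups backscatter packets by victim, splits them into flows with the 5 minute timeout and keeps only flows with at least 100 packets and 60 seconds, counts per-minute attack events with the 10 packet threshold, and extrapolates an observed backscatter rate to the rate at the victim under the address uniformity assumption (each response had probability n/2^32 of landing in an n-address telescope). The trace is constructed, and the /8 telescope size in the rate example is an assumption.

```python
from collections import defaultdict

FLOW_TIMEOUT = 300        # fixed flow lifetime: 5 minutes without a packet closes the flow
MIN_FLOW_PACKETS = 100    # flows with fewer packets are discarded
MIN_FLOW_DURATION = 60    # flows shorter than this many seconds are discarded
EVENT_THRESHOLD = 10      # backscatter packets per victim per minute that make an attack event
IPV4_ADDRESSES = 2 ** 32


def constructed_trace():
    """Constructed backscatter trace as (seconds, victim) pairs; the victim is the
    source of the unsolicited SYN/ACK, RST or ICMP packet that reached the telescope."""
    pkts = []
    pkts += [(t, "198.51.100.10") for t in range(0, 120)]      # 2 minute burst at 1 pkt/s
    pkts += [(t, "198.51.100.10") for t in range(800, 900)]    # second burst after a 680 s gap
    pkts += [(t, "203.0.113.5") for t in range(1000, 1050)]    # 50 s burst, too short for a flow
    pkts += [(t, "192.0.2.77") for t in (5000, 5400, 5800)]    # sparse stray packets
    return sorted(pkts)


def flow_classify(trace, timeout=FLOW_TIMEOUT,
                  min_packets=MIN_FLOW_PACKETS, min_duration=MIN_FLOW_DURATION):
    """Return (victim, start, end, packets) for each flow surviving the size/duration cut."""
    by_victim = defaultdict(list)
    for t, victim in trace:
        by_victim[victim].append(t)

    def flush(victim, start, last, count, out):
        if count >= min_packets and last - start >= min_duration:
            out.append((victim, start, last, count))

    attacks = []
    for victim, times in by_victim.items():
        times.sort()
        start, last, count = times[0], times[0], 1
        for t in times[1:]:
            if t - last > timeout:          # gap exceeded the fixed lifetime: close the flow
                flush(victim, start, last, count, attacks)
                start, count = t, 0
            last = t
            count += 1
        flush(victim, start, last, count, attacks)
    return sorted(attacks)


def event_classify(trace, threshold=EVENT_THRESHOLD):
    """Return (victim, minute, packets) for every minute in which a victim emitted
    at least `threshold` backscatter packets."""
    per_minute = defaultdict(int)
    for t, victim in trace:
        per_minute[(victim, t // 60)] += 1
    return sorted((victim, minute, n) for (victim, minute), n in per_minute.items()
                  if n >= threshold)


def estimate_attack_rate(observed_packets, seconds, telescope_addresses):
    """Lower bound on the packet rate at the victim: observed backscatter rate scaled by
    2^32 / n, valid only under the address uniformity assumption on the slide."""
    return observed_packets / seconds * (IPV4_ADDRESSES / telescope_addresses)


if __name__ == "__main__":
    trace = constructed_trace()
    for victim, start, end, n in flow_classify(trace):
        est = estimate_attack_rate(n, end - start + 1, 2 ** 24)
        print(f"flow attack on {victim}: {n} pkts over {end - start + 1} s, "
              f">= {est:.0f} pps at the victim (/8 telescope)")
    events = event_classify(trace)
    print(f"{len(events)} attack events:", events)
```

The 50 second burst against 203.0.113.5 is dropped by the flow rule yet yields two attack events, which illustrates the slide's reason for using the event method on highly variable attacks; the three stray packets produce neither a flow nor an event.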

Breakdown of response protocols

Breakdown of victim port numbers

Cumulative distributions of estimated attack rates

Attack Impact

No dominant mode for address distribution

A2 testing may be prevented

500 SYN packets overwhelm a server

38% of uniform random attacks

46% of event attacks

14,000 SYN packets overwhelm a specialized firewall

0.3% of uniform random attacks

2.4% of event attacks

They cannot assess the victim connectivity loss

Cumulative Distribution of Attack Durations

Probability Density of Attack Durations

Victim Classification

Significant fraction directed against home machines (IRC channels)

2-3% target network infrastructure (name servers)

1-3% target routers

.net, .com and .ro are the main TLD attacked

Uniform AS distribution, more variation than TLD

95% of the victims were attacked less than 5 times

A couple of victims were attacked more than 50 times


Methodology of Background Radiation

Filtering

138 hosts scan more than half of LBL IPs

Can we include all unsuccessful connections?

Separating unwanted traffic from benign or transient failure traffic

Goal: provide a complete characterization of radiation => construction of classifiers

Active Responders

Engage hosts

Elicit particular intentions from remote sources

Taming Traffic Volume

Scalability for responses on the order of billions of addresses

Source Connection Filtering: Keep first N connections initiated by each source

Source Port Filtering: Keep N connections for each source/destination port pair

Source Payload Filtering: Keep one instance for each type of activity per source

Source/Destination Filtering: Keep N connections per each source/destination pair
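All four filters reduce to "keep the first N connections per key" with a different key each time, which is what makes them cheap enough to run in front of responders covering billions of addresses. The Python below is an added example, not the iSink or background radiation study's code: it applies each filter to a constructed connection stream (one horizontal scanner, one source probing two services, one client repeating requests to a single destination) so that the reduction each achieves can be compared. N and the payload activity labels are assumptions.

```python
from collections import Counter


def constructed_connections():
    """Constructed records (src, dst, dport, activity); `activity` stands in for the
    payload signature a responder would assign. Not real trace data."""
    conns = []
    # a horizontal scanner: 1000 distinct dark destinations, same port, same payload
    for i in range(1000):
        conns.append(("203.0.113.10", f"10.0.{i // 250}.{i % 250}", 445, "SMB_NEGOTIATE"))
    # a source probing two services on 30 distinct destinations
    for i in range(30):
        port, act = (80, "HTTP_GET") if i % 2 == 0 else (135, "RPC_BIND")
        conns.append(("203.0.113.20", f"10.1.0.{i}", port, act))
    # a client hitting one destination repeatedly with two distinct request types
    conns += [("198.51.100.3", "10.5.5.5", 80, a) for a in ("HTTP_GET_A", "HTTP_GET_B", "HTTP_GET_A")]
    return conns


def keep_first_n(conns, key, n):
    """Generic filter: keep the first n connections for each value of key(conn)."""
    seen = Counter()
    kept = []
    for c in conns:
        k = key(c)
        if seen[k] < n:
            seen[k] += 1
            kept.append(c)
    return kept


def source_connection_filter(conns, n):
    return keep_first_n(conns, lambda c: c[0], n)                # per source


def source_port_filter(conns, n):
    return keep_first_n(conns, lambda c: (c[0], c[2]), n)        # per source, destination port


def source_payload_filter(conns):
    return keep_first_n(conns, lambda c: (c[0], c[3]), 1)        # one per source, activity type


def source_destination_filter(conns, n):
    return keep_first_n(conns, lambda c: (c[0], c[1]), n)        # per source, destination pair


def reduction_report(conns, n=10):
    """How many connections each filter lets through to the responders."""
    return {
        "total": len(conns),
        "source_connection": len(source_connection_filter(conns, n)),
        "source_port": len(source_port_filter(conns, n)),
        "source_payload": len(source_payload_filter(conns)),
        "source_destination": len(source_destination_filter(conns, 2)),
    }


if __name__ == "__main__":
    for name, count in reduction_report(constructed_connections()).items():
        print(f"{name:>20}: {count}")
```

The source/destination filter barely helps against the horizontal scanner, since every one of its 1000 connections has a new destination, while source connection and source payload filtering cut it to 10 and 1 respectively; the slide's choice of filter therefore decides which kind of radiation the responders still get to see.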

Application Level Responders

Data Driven Approach

Responders for the most common forms of traffic

HTTP

NetBIOS

CIFS/SMB

DCE/RPC

Dameware

Emulate a few backdoors (MyDoom, Beagle)

Do not provide understanding of binary code

Top Level Responders

Honeynet Architecture

Traffic Composition

Snapshots:

80 hour traces collected at UW Campus on a /19 network

One week trace at LBL on 10 contiguous /24 networks

One week trace at Class A with 1/10 sampling

99% of TCP packets are TCP/SYN

8 ports (445, 80, 135) account for 83%

Radiation activity at LBL

Port Classification

Rank by the number of IPs

Filter bias against sources that try to reach multiple destinations

Assume destination symmetry

Focus on the popularity

Multi-source activity is intentional

Per session activity

Analyze application semantic level background radiation distribution

Port Activity (1)

TCP HTTP 80 - against Microsoft IIS: WebDAV, Nimda, Code Red II, Agobot

TCP DCE/RPC 135/1025 – against Endpoint Mapper: Blaster, Welchia, RPC170

TCP CIFS 139/445 – against NetBios Session Service for CIFS: Locator, Epmapper, Samr-exe, W32-Xibo

TCP Dameware 135/1025 – against Dameware Remote Control

TCP Virus Backdoors 3127/2745/4751 – MyDoom, Beagle (MZ marked files)

Port Activity (2)

TCP Exploit Follow-Ups 1981/4444/9996 – two step worms: Blaster, Sasser, Agobot, Welchia

UDP 53 – malformed DNS requests

UDP 137 – NetBios standard name queries

UDP WM Pop-Up Spam 1026/2027 – DCE/RPC exploits

UDP 1434 – Slammer

TCP 1433 – MS-SQL

TCP 5000 – Universal Plug and Play

Summary

Diurnal cycles in volume (bursty arrivals)

Prevalence and variability of radiation

Majority of traffic targets services with frequently exploited vulnerabilities

Domination of TCP SYN/RST packets

Consistent source activities across ports

Extremely dynamic traffic (daily)

For benign traffic, major shifts over lengthy times


Conclusions (1)

Scalable architectures for large numbers of monitored IPs (class A or multiple class B)

Combination of passive and active measurements

A large variety of filtering methods. Important assumptions

Big differences between traces temporally and spatially

A lot of room for improvement on data driven active responders

Conclusions (2)

Large number of intrusions (scans, exploits, worms) – millions per day

Widely distributed sources of attack

Horizontal scans cover 70% of all scanning

Diurnal (daily cycles), extremely dynamic traffic

Blacklists (worst offenders) can prevent the majority of attacks

Frequently exploited vulnerabilities

Prevalence of Internet DoS attacks

References

Internet Intrusions: Global Characteristics and Prevalence, Vinod Yegneswaran, Paul Barford, Johannes Ullrich

On the Design and Use of Internet Sinks for Network Abuse Monitoring, Vinod Yegneswaran, Paul Barford, Dave Plonka

On the Marginal Utility of Network Topology Measurements, Paul Barford, Azer Bestavros, John Byers, Mark Crovella

Characteristics of Network Traffic Flow Anomalies, Paul Barford and David Plonka

Network Telescopes, David Moore

Inferring Internet Denial-of-Service Activity, David Moore

Characteristics of Internet Background Radiation, Ruoming Pang, Vinod Yegneswaran