
MonNet – a project for network and traffic monitoring

Detection of malicious Traffic on Backbone Links via Packet Header Analysis

Wolfgang John and Tomas Olovsson
Department of Computer Science and Engineering

Chalmers University of Technology
Göteborg, Sweden

2008-05-20, TNC 2008

Introduction

• Traffic filtering is often done locally

• Backbone provides broader view

• What is happening „in the wild“?
  – Old, well known attack types?
  – Distributed attacks to several hosts/networks?
  – What to expect on ingress hosts?

• How good is pure packet header analysis?


Introduction: Outline

1. Packet headers considered
   • Fields and potential problems

2. Dataset
   • Measurement location
   • Transport protocol breakdown

3. Anomalies observed
   • IP (+fragmentation), TCP, UDP, ICMP
   • Discussion and highlights

4. Summary and Conclusions


Packet Headers

• IP header structure


Packet Headers (2)

• TCP header structure


Packet Headers (3)

• UDP header structure

• ICMP header structure


Outline (2)

1. Packet headers considered
   • Fields and potential problems

2. Dataset
   • Measurement location
   • Transport protocol breakdown

3. Anomalies observed
   • IP (+fragmentation), TCP, UDP, ICMP
   • Discussion

4. Summary and Conclusions


Dataset: Measurement location

[Figure: measurement location in the SUNET backbone. Labels in the diagram: Internet, Regional ISPs, Göteborg, Stockholm, Chalmers Univ., Göteborgs Univ., Student-Net, Other smaller Universities and Institutes]

• 2x 10 Gbit/s (OC-192)
• capturing headers only
• IP addresses anonymized
• 554 traces in late 2006
• 10 min. intervals during 3 months


Dataset (2)

• Transport protocol breakdown

CAIDA's DatCat: SUNET fall 2006
https://imdc.datcat.org/collection/1-04HQ-3=SUNET+OC+192+Traces+fall+2006

              IPv4 (total)     TCP     UDP     ICMP    GRE     ESP
Packets       27,873,847,645   89.7%   9.8%    0.3%    0.1%    0.1%
Fragments     255,470,635      0.2%    99.3%   0.0%    0.0%    0.4%
Frag. Series  20,752,539       1.5%    95.7%   0.0%    0.1%    2.7%

[Figure: an original IP datagram is cut into IP segments 1 to 4, each sent as fragment 1 to 4; the fragments of one datagram together form a fragment series]


Outline (3)

1. Packet headers considered
   • Fields and potential problems

2. Dataset
   • Measurement location
   • Transport protocol breakdown

3. Anomalies observed
   • IP (+fragmentation), TCP, UDP, ICMP
   • Discussion

4. Summary and Conclusions


Anomalies observed

• IP header anomalies

Index    # packets   TCP        UDP        ICMP       Description
I        123         104        11         8          Insufficient actual packet length
II, III  0           0          0          0          IP version and IP header length fields
IV       105         102        0          3          IP total datagram length field
V        321         9          309        3          source IP addr. = destination IP addr.
VI       2,663,891   185,863    33,780     2,444,232  Reserved address space
XIII     265,324     42,632     222,667    4          Invalid IP flags
XIV      8,067,930   896,790    1,915,931  5,199,576  Small TTL values (<10)
XV, XVI  21,991      0          18,721     2,318      IP options

• Two intervals with one million packets to four destinations
  – Source IP of private class C (192.168/16)
  – ICMP echo replies, 228 bytes
  – DoS attack?

• No exploits of IP source route
• Land attack
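The checks in the table above can be run on nothing more than the 20-byte IPv4 header. The following Python is an added example written for this page, not code from the slides or the MonNet project: it decodes a raw IPv4 header with struct and reports which of the slide's anomaly indices (I to VI, XIII to XVI) apply. The list of "reserved" address ranges, the TTL threshold of 10 and the build_ipv4() helper that constructs the sample packets are assumptions of the example; the slide does not specify which ranges the authors counted as reserved.

```python
import ipaddress
import struct

# Address ranges treated as "reserved" for check VI.  Assumption for this
# example: RFC 1918 private space, loopback, link-local, multicast, class E.
RESERVED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]
SMALL_TTL = 10          # slide check XIV: TTL values below 10
IP_RESERVED_FLAG = 0x4  # the "must be zero" bit of the 3-bit IP flags field


def parse_ipv4_header(buf):
    """Decode the fixed 20-byte IPv4 header; return None if the buffer is shorter."""
    if len(buf) < 20:
        return None
    (ver_ihl, _tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    return {
        "version": ver_ihl >> 4,
        "ihl": (ver_ihl & 0x0F) * 4,        # header length in bytes
        "total_len": total_len,
        "id": ident,
        "flags": flags_frag >> 13,           # reserved | DF | MF
        "frag_off": (flags_frag & 0x1FFF) * 8,
        "ttl": ttl,
        "proto": proto,
        "src": ipaddress.IPv4Address(src),
        "dst": ipaddress.IPv4Address(dst),
    }


def ip_header_anomalies(buf):
    """Return the slide's anomaly indices that apply to one captured IPv4 packet."""
    hdr = parse_ipv4_header(buf)
    if hdr is None:
        return ["I"]                          # insufficient actual packet length
    found = []
    if hdr["version"] != 4:
        found.append("II")                    # IP version field
    if hdr["ihl"] < 20 or hdr["ihl"] > len(buf):
        found.append("III")                   # IP header length field
    if hdr["total_len"] < hdr["ihl"] or hdr["total_len"] > len(buf):
        found.append("IV")                    # IP total datagram length field
    if hdr["src"] == hdr["dst"]:
        found.append("V")                     # source = destination (land pattern)
    if any(hdr["src"] in net or hdr["dst"] in net for net in RESERVED_NETS):
        found.append("VI")                    # reserved address space
    if hdr["flags"] & IP_RESERVED_FLAG:
        found.append("XIII")                  # invalid IP flags
    if hdr["ttl"] < SMALL_TTL:
        found.append("XIV")                   # small TTL value
    if hdr["ihl"] > 20:
        found.append("XV")                    # IP options present (XV/XVI on the slide)
    return found


def build_ipv4(src, dst, ttl=64, proto=6, flags=0, ihl_words=5, total_len=None, payload=b""):
    """Constructed sample packets for this example (checksum left zero)."""
    hdr_len = ihl_words * 4
    if total_len is None:
        total_len = hdr_len + len(payload)
    head = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total_len, 0x1234,
                       flags << 13, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return head + b"\x00" * (hdr_len - 20) + payload


if __name__ == "__main__":
    # Constructed samples using documentation address space (RFC 5737)
    samples = {
        "normal":    build_ipv4("198.51.100.10", "203.0.113.5", payload=b"x" * 20),
        "land":      build_ipv4("203.0.113.5", "203.0.113.5"),
        "private":   build_ipv4("192.168.1.1", "203.0.113.5"),
        "low_ttl":   build_ipv4("198.51.100.10", "203.0.113.5", ttl=3),
        "bad_len":   build_ipv4("198.51.100.10", "203.0.113.5", total_len=9999),
        "truncated": build_ipv4("198.51.100.10", "203.0.113.5")[:12],
    }
    for name, pkt in samples.items():
        print(f"{name:10s} -> {ip_header_anomalies(pkt)}")
```

On a real trace the same function would be applied to the bytes following the link-layer header of each captured packet; counting the returned indices per protocol reproduces the shape of the table above.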


Anomalies observed (2)

• IP fragmentation inconsistencies

Index      # series    TCP       UDP        ICMP   Description
VII-IX     1,651,324   0         1,651,324  0      Exceptional fragmentation event
VII, XXI   71          71        0          0      Series with short first fragment
VIII       80,981      18,117    61,001     1,723  Single packet "series"
IX         29,939      685       29,217     37     Incomplete series ("gaps")
X          37          5         32         0      Series with overlapping fragments
XI         1,864       1,285     579        0      Series with duplicated fragments
XII        0           0         0          0      Series exceeding 64K IP length

• IP ID values of zero are over-represented!

• One host inside a university
  – five campaigns to five destinations with series of 6-7 fragments
  – iterating over the entire port range
  – half of the series with inconsistencies (holes etc.)
  – hijacked host performing DoS (Frag attack!)

• 42 hosts are the main target
  – 1/5 of all fragment series to these hosts are incomplete
  – many gaps only 8 bytes long!
  – DDoS? Or just packet loss?

• 35 different times and different hosts!
  – Not only overlaps, but also gaps
  – Overlapping fragments fill gaps, but at the wrong places!
  – 8 to 48 bytes of overlapping fragments at consistent offsets
  – Hardware/software error? Common attack tool?

• Good news: Ping-of-death, sPing, IceNewk etc. not observed!
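The fragment-series checks (VII to XII) need the fragments of one datagram grouped together, i.e. all packets sharing source, destination, protocol and IP ID. The following Python is an added example written for this page, not code from the slides or the MonNet project: given one such series as (offset, length, more-fragments) triples taken from the IP headers, it walks the coverage in offset order and reports gaps with their sizes (the 8-byte gaps mentioned above), overlaps with their size, duplicates, single-packet series, a too-short first fragment and series that would exceed the 64K IP length. The min_first_len parameter and the sample series are assumptions of the example.

```python
MAX_IP_LEN = 65535


def analyze_fragment_series(frags, min_first_len=8):
    """Check one reassembly series (same src, dst, protocol and IP ID).

    frags: list of (offset_bytes, length_bytes, more_fragments) as carried in
    the IP headers, in arrival order.  Returns a dict mapping the slide's
    anomaly index to a short detail.  min_first_len is an assumption of this
    example: the number of leading bytes the first fragment must carry so the
    transport header can be inspected (8 covers UDP/ICMP; use 20 for TCP).
    """
    if not frags:
        return {}
    found = {}
    if len(frags) == 1:
        found["VIII"] = "single packet series"
    ordered = sorted(frags)            # by offset, then length
    seen, gaps, overlaps = set(), [], []
    cursor = 0                         # next byte offset we expect to see
    saw_last = False
    for off, length, more in ordered:
        if (off, length) in seen:
            found["XI"] = f"duplicated fragment at offset {off}"
            continue
        seen.add((off, length))
        if off > cursor:
            gaps.append((cursor, off - cursor))           # hole before this fragment
        elif off < cursor:
            overlaps.append((off, min(length, cursor - off)))
        cursor = max(cursor, off + length)
        if not more:
            saw_last = True                               # fragment with MF = 0 seen
    if ordered[0][0] == 0 and ordered[0][1] < min_first_len:
        found["VII"] = f"first fragment carries only {ordered[0][1]} bytes"
    if gaps or not saw_last:
        found["IX"] = {"gaps": gaps, "last_fragment_seen": saw_last}
    if overlaps:
        found["X"] = overlaps
    if cursor > MAX_IP_LEN:
        found["XII"] = f"reassembled length {cursor} exceeds 64K"
    return found


if __name__ == "__main__":
    # Constructed series: a 3,060-byte datagram in 1,480-byte fragments, plus variants
    samples = {
        "complete":   [(0, 1480, True), (1480, 1480, True), (2960, 100, False)],
        "8-byte gap": [(0, 1480, True), (1488, 1472, True), (2960, 100, False)],
        "overlap":    [(0, 1480, True), (1472, 1488, True), (2960, 100, False)],
        "duplicate":  [(0, 1480, True), (0, 1480, True), (1480, 100, False)],
        "single":     [(0, 1480, True)],
        "too long":   [(0, 1480, True), (65000, 1480, False)],
    }
    for name, series in samples.items():
        print(f"{name:12s} -> {analyze_fragment_series(series)}")
```

A series with a gap and no final fragment is what simple packet loss looks like as well, which is why the slide asks "DDoS? Or just packet loss?"; the distinguishing signal in the data above is the consistent 8-byte gap size and the small set of target hosts, i.e. aggregation over many series, not the per-series verdict alone.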


Anomalies observed (3)

• TCP header anomalies

Index         # segments  Description
XVII - XXVII  9,757       Garbled TCP header
XVII          72          TCP length short
XVIII         114,876     Reserved bits set
XIX           6,180       TCP port zero
XX a          178,993     Invalid signaling flags
XX b          81,982      pure FIN (no ACK)
XXII          29,369      SYN with data
XXIII         389,060     ACK number of zero
XXIV          440         Urgent pointer set
XXV - XXVII   9,038       TCP option errors

• Two or more field anomalies within the same TCP header
  – 21 % in RST/ACK packets from port 80
  – 79 % in SYN/ACK packets .... SYN/ACK attacks?
• Source and destination ports of zero equally shared
  – mainly SYN packets in host scanning campaigns
• Mahoney et al.: FIN without ACK can reveal port-sweeps
  – Not supported by our data!
  – Mainly to P2P ports: pure FIN after SYN connection attempts


Anomalies observed (4)

• UDP header anomalies

Index  # packets  Description
XVII   67         UDP length field
XIX    17,242     UDP port zero

• From UDP port zero: around 30 scanning campaigns of /24 ranges to port numbers 1025 and 1026
  – Windows Messenger spam!
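The TCP checks of the previous slide (XVII to XXVII) and the two UDP checks above (XVII, XIX) all operate on the transport header alone. The following Python is an added example written for this page, not code from the slides or the MonNet project: it decodes a TCP segment and a UDP datagram with struct and returns the slide's anomaly indices, including a walk over the TCP option list for malformed lengths. Which flag combinations count as "invalid signaling" is not stated on the slide, so the INVALID set here (no flags, SYN+FIN, SYN+RST) is an assumption, as are the build_tcp() and build_udp() helpers used to construct the samples.

```python
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def tcp_option_errors(opts):
    """True if the option list is malformed (bad length byte or runs past the header)."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                 # End of option list
            return False
        if kind == 1:                 # NOP, no length byte
            i += 1
            continue
        if i + 1 >= len(opts):        # length byte missing
            return True
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            return True
        i += length
    return False


def tcp_header_anomalies(buf):
    """Return the slide's TCP anomaly indices for one segment (header + payload bytes)."""
    if len(buf) < 20:
        return ["XVII"]               # TCP length short
    sport, dport, _seq, ack_num, word, _win, _csum, urg_ptr = struct.unpack("!HHIIHHHH", buf[:20])
    data_off = (word >> 12) * 4
    reserved = (word >> 9) & 0x7      # the three bits RFC 793 leaves reserved
    flags = word & 0x3F               # URG ACK PSH RST SYN FIN (ECN bits ignored here)
    if data_off < 20 or data_off > len(buf):
        return ["XVII"]
    payload_len = len(buf) - data_off
    found = []
    if reserved:
        found.append("XVIII")         # reserved bits set
    if sport == 0 or dport == 0:
        found.append("XIX")           # TCP port zero
    if flags == 0 or (flags & SYN and flags & (FIN | RST)):
        found.append("XXa")           # invalid signaling flags (assumed set of combinations)
    if flags & FIN and not flags & ACK and not flags & (SYN | RST):
        found.append("XXb")           # pure FIN without ACK
    if flags & SYN and payload_len > 0:
        found.append("XXII")          # SYN with data
    if flags & ACK and ack_num == 0:
        found.append("XXIII")         # ACK number of zero
    if urg_ptr and not flags & URG:
        found.append("XXIV")          # urgent pointer set without URG flag
    if tcp_option_errors(buf[20:data_off]):
        found.append("XXV")           # TCP option errors (XXV-XXVII on the slide)
    return found


def udp_header_anomalies(buf):
    """Return the slide's UDP anomaly indices for one datagram (header + payload bytes)."""
    if len(buf) < 8:
        return ["XVII"]
    sport, dport, length, _csum = struct.unpack("!HHHH", buf[:8])
    found = []
    if length < 8 or length > len(buf):
        found.append("XVII")          # UDP length field inconsistent with packet
    if sport == 0 or dport == 0:
        found.append("XIX")           # UDP port zero
    return found


def build_tcp(sport, dport, flags, seq=1, ack=0, urg_ptr=0, options=b"", payload=b""):
    """Constructed sample segments for this example (checksum left zero)."""
    options += b"\x00" * (-len(options) % 4)          # pad options to 32-bit words
    data_off = 5 + len(options) // 4
    word = (data_off << 12) | (flags & 0xFFF)         # 0xFFF lets tests set reserved bits
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, word, 65535, 0, urg_ptr) + options + payload


def build_udp(sport, dport, payload=b"", length=None):
    """Constructed sample datagrams for this example (checksum left zero)."""
    if length is None:
        length = 8 + len(payload)
    return struct.pack("!HHHH", sport, dport, length, 0) + payload


if __name__ == "__main__":
    print("SYN + MSS option :", tcp_header_anomalies(build_tcp(40000, 80, SYN, options=b"\x02\x04\x05\xb4")))
    print("SYN/FIN          :", tcp_header_anomalies(build_tcp(40000, 80, SYN | FIN)))
    print("pure FIN to P2P  :", tcp_header_anomalies(build_tcp(40000, 6881, FIN)))
    print("SYN with data    :", tcp_header_anomalies(build_tcp(40000, 80, SYN, payload=b"GET")))
    print("bad option length:", tcp_header_anomalies(build_tcp(40000, 80, SYN, options=b"\x02\x01")))
    print("UDP from port 0  :", udp_header_anomalies(build_udp(0, 1026, b"spam")))
```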


Anomalies observed (5)

• ICMP header observations

ICMP type       # packets   Percent  Description
0               5,927,990   6.10%    Echo Reply
3               11,964,456  12.31%   Destination unreachable
4               37,899      0.04%    Source Quench
5               46,437,420  47.77%   Redirect
6               1           0.00%    Alternate Host Address
8               16,287,609  16.76%   Echo
11              10,160,608  10.45%   Time Exceeded
12              60          0.00%    Parameter Problem
13              63          0.00%    Timestamp
14              60          0.00%    Timestamp Reply
15              2           0.00%    Information Request
17              10          0.00%    Address Mask Request
Undefined       33,517      0.03%    Undefined ICMP type or code
Invalid length  6,354,886   6.54%    Valid type and code, but invalid length

• Two hosts sending 46 million “host redirects” during 12 days
  – DoS attacks like Winfreez
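The last two rows of the table (undefined type/code, valid type and code but invalid length) and the redirect observation need only the ICMP type, code and message length plus a per-source count. The following Python is an added example written for this page, not code from the slides or the MonNet project: it classifies ICMP messages against the type/code assignments of RFC 792 (with the router discovery types 9/10 and address mask types 17/18), applies the minimum length each type must have, and tallies which sources send redirects above a threshold. The threshold, the build_icmp() helper and the sample records are assumptions of the example.

```python
import struct
from collections import Counter

# Valid codes per ICMP type (RFC 792; 9/10 from RFC 1256; 17/18 from RFC 950).
ICMP_CODES = {
    0: {0}, 3: set(range(16)), 4: {0}, 5: {0, 1, 2, 3}, 8: {0},
    9: {0, 16}, 10: {0}, 11: {0, 1}, 12: {0, 1, 2},
    13: {0}, 14: {0}, 15: {0}, 16: {0}, 17: {0}, 18: {0},
}
# Error messages (3, 4, 5, 11, 12) carry the offending IP header (20 bytes
# without options) plus 8 bytes of its payload; timestamps carry three 32-bit
# stamps; address mask messages carry a 32-bit mask.  Others: 8-byte header.
ICMP_MIN_LEN = {3: 36, 4: 36, 5: 36, 11: 36, 12: 36, 13: 20, 14: 20, 17: 12, 18: 12}


def icmp_anomaly(buf):
    """Classify one ICMP message like the last two table rows.

    Returns None (no anomaly), "undefined" (type or code not assigned) or
    "invalid length" (valid type and code, but the message is too short).
    """
    if len(buf) < 2:
        return "invalid length"
    typ, code = buf[0], buf[1]
    if typ not in ICMP_CODES or code not in ICMP_CODES[typ]:
        return "undefined"
    if len(buf) < ICMP_MIN_LEN.get(typ, 8):
        return "invalid length"
    return None


def icmp_breakdown(packets):
    """Count messages per ICMP type, with the two anomaly classes as extra keys."""
    counts = Counter()
    for buf in packets:
        verdict = icmp_anomaly(buf)
        counts[verdict if verdict else buf[0]] += 1
    return counts


def redirect_flooders(records, threshold):
    """Sources that sent at least `threshold` ICMP redirects (type 5).

    records: iterable of (source_address, icmp_bytes).  On a backbone link a
    redirect should come from a router on the destination's subnet, so a host
    emitting them in volume is worth a look regardless of the threshold.
    """
    per_src = Counter(src for src, buf in records if len(buf) >= 1 and buf[0] == 5)
    return sorted(src for src, n in per_src.items() if n >= threshold)


def build_icmp(typ, code, payload=b""):
    """Constructed sample messages for this example (checksum left zero)."""
    return struct.pack("!BBHI", typ, code, 0, 0) + payload


if __name__ == "__main__":
    # Constructed trace: one source floods redirects, another behaves normally
    quoted_datagram = b"\x45" + b"\x00" * 27            # 20-byte IP header + 8 bytes
    records = (
        [("203.0.113.7", build_icmp(5, 1, quoted_datagram))] * 50
        + [("198.51.100.1", build_icmp(5, 1, quoted_datagram))] * 2
        + [("198.51.100.1", build_icmp(8, 0, b"x" * 56))] * 20
        + [("198.51.100.1", build_icmp(5, 1))]            # redirect without quoted datagram
        + [("198.51.100.1", build_icmp(99, 0))]           # unassigned type
    )
    print(icmp_breakdown([buf for _, buf in records]))
    print("redirect sources above threshold:", redirect_flooders(records, threshold=10))
```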


Anomalies observed (6)

• ICMP header observations contd.

– No Ping-of-Death type attacks
– No obvious attack with ICMP dest. unreachable (Smack)
– No ICMP timestamp attacks (like moyari13)
– No large scale usage of invalid ICMP types (Twinge or Trash attacks)


Outline (4)

1. Packet headers considered
   • Fields and potential problems

2. Dataset
   • Measurement location
   • Transport protocol breakdown

3. Anomalies observed
   • IP (+fragmentation), TCP, UDP, ICMP
   • Discussion

4. Summary and Conclusions


Summary and Conclusions

• Systematic listing of header anomalies

• Occurrences in real backbone traffic

• Many old attacks still out there
  – but some formerly popular attacks vanished

• Constant ”noise” of anomalous packets

• Some major campaigns of malicious activities detected


Summary and Conclusions (2)

• Pure packet header analysis reveals a substantial amount of malicious activity

• Watch out for
  – IP ID of zero
  – port numbers of zero
  – Strange TCP flags
  – Reserved IP addresses
  – Unusual ICMP activity


Summary and Conclusions (3)

• Next steps
  – Study potential of IP ID, SEQ and ACK numbers and port numbers for detection
  – Get access to payload data / broadcast addr.
    • Anomalous application headers?
    • Malicious code?
  – Correlate packets (flows)
    • Scannings, DDoS campaigns?
    • What happens before? After? ....

MonNet – a project for network and traffic monitoring

More Information:

http://www.chalmers.se/cse/EN/people/john-wolfgang

or Email: [email protected]

Questions?