Our brief history. Management and security. Traceback by traffic pattern. R&D on Traceback technology and the derivatives

Transcription

1 R&D on Traceback technology and the derivatives Kohei OHTA Cyber Solutions Inc. Our brief history Network management and security with Nemoto Lab Cyber Solutions Inc. with Nemoto Lab. Traffic pattern technology 1999: Just one of traffic monitoring techniques for high speed network DoS crisis RAID99, pattern technology for DoS tracking Packet print based traceback Intranet security and management Start Intelligent Cluster project Cyber Solutions Inc. 1 Cyber Solutions Inc. 2 Management and security Our original concept of traceback Pattern for one of traffic monitoring techniques Pattern for DoS traceback AS1 Suspicious!! Monitor AS2 SNMP for sensor implementation Packetprint for traceback traceback Aggregation technology Fixed point monitoring Inter-domain traceback Mobile information collection Wide area traceback SNMPv3 promotion NetSkateKoban: Intranet security system Cyber Solutions Inc. 3 X Saw this? Saw this? AS1 X AS0 Yes No AS2 No X Saw this? Yes Requirement: REAL TIME! AS3 Intruder Cyber Solutions Inc. 4 Traceback by traffic pattern Packet Print: Hash-based traceback DoS Attack Input Hash Function Hash value traceback Sensor Attacker query query query Privacy Manager Alert Victim Cyber Solutions Inc. 5 Cyber Solutions Inc. 6

2 PacketChaser Source Around Here! No! Packet Trace PP Packet Trace Agent Target Do you know? Common issues for traceback How to realize world wide traceback? Different organization has different policy It is not practical to expect single traceback product covers all over the world Standard Well standardized communication Cyber Solutions Inc. 7 Cyber Solutions Inc. 8 IODEF of INCH WG@IETF for Packet/Incident Tracing The charter The purpose of the Incident Handling (INCH) working group is to define a data format for exchanging security incident information used by a CSIRT. A CSIRT is defined broadly as an entity (either a team or individual) with a security role or responsibility for a given constituency (e.g., organization, network). I-D The Incident Object Description Exchange Format Data Model and XML implementation Incident Handling: Real-time Inter-network Defense Response IRA Response Local Protocol IRA: Incident Record Agent Incident IRA IRA Cyber Solutions Inc. 9 Cyber Solutions Inc. 10 Wide-area traceback with Application: Information exchange Attacked! Security manager Console Event Occurred! Site-A Network monitor CySols,Japan Alert Response query RID server Tohoku-Univ,Japan Attacker/Route Intra traceback PacketChaser Intra-traceback ISS, India Detection Notify (Auto) Relay (Manual) (Manual) Site-A:Member Site-B:Member Site-C:Member Cyber Solutions Inc. 11 Cyber Solutions Inc. 12

3 Wide area incident analysis Point A Point B IODEF export Point Z IODEF IODEF IODEF Wide area incident DB IODEF API Network transport IODEF import Analysis and visualization Another type of tracing: Fixed Point (Target) Monitor (Illegal) traffic Understand (Illegal) traffic dynamics (What? Where? When?) Understand attack mechanisms/patterns (How? Intent? ) Routing Information Analysis with Routing information Impact area IRR map OSPF map BGP map MIB-II map Cyber Solutions Inc. 13 Cyber Solutions Inc. 14 Understand (Illegal) traffic dynamics What? Where? When? Wide context (National/International) Rate/size/source/port/time/place Trace illegal traffic Packets Understand attack mechanisms/patterns How? Intent? Events (attack sessions, packet flows) Trace events Where did the virus/worm originate? Cyber Solutions Inc. 15 Cyber Solutions Inc. 16 Provide Information Graphical context Time, Place (source/destination) Map context Network Map Geographical Map Digital data Packet Prints Event Signatures Real-time (?) Fixed point network monitoring L2 (PPPoE) 100Mbps Hub To ONU Global IP mustan-gw-2 mustan-gw-1 mustan IODETA BUFFALO DELL FreeBSD-5.4R tunnel(22/tcp) 100Mbps Hub Lab Internal LAN 10 network layer monitoring 3 application layer monitoring Cyber Solutions Inc. 17 Cyber Solutions Inc. 18

4 Malicious mail from Senders by AS Aug ~ Nov Aug ~ Nov Cyber Solutions Inc. 19 Cyber Solutions Inc. 20 AS wise view Number of malicious mails /7/ /8/2 2005/8/3-2005/8/9 2005/8/ /8/ /8/ /8/ /8/ /8/ /8/ /9/6 2005/9/7-2005/9/ /9/ /9/ /9/ /9/ /9/ /10/4 2005/10/5-2005/10/ /10/ /10/ /10/ /10/ /10/ /11/1 2005/11/2-2005/11/8 2005/11/9-2005/11/ /11/ /11/ /11/ /11/29 Cyber Solutions Inc. 21 Cyber Solutions Inc. 22 Mail from AS3462 AS 3462 in detail yahoo.com.tw avl.com.cn 21cn.com yahoo.com 263.com ms59.hinet.net turbobank.com.tw fjii.com com msa.hinet.net /7/ /8/2 2005/8/3-2005/8/9 2005/8/ /8/ /8/ /8/ /8/ /8/ /8/ /9/6 2005/9/7-2005/9/ /9/ /9/ /9/ /9/ /9/ /10/4 2005/10/5-2005/10/ /10/ /10/ /10/ /10/ /10/ /11/1 2005/11/2-2005/11/8 2005/11/9-2005/11/ /11/ /11/ /11/ /11/29 Cyber Solutions Inc. 23 Cyber Solutions Inc. 24

5 Conclusion Traceback and the related technologies are expanded Next targets World-wide Mobile Cyber Solutions Inc. 25