Beyond a sensor. Towards the Globalization of SURFids. FIRST 20 th Annual Conference Vancouver, Canada

Size: px

Start display at page:

Download "Beyond a sensor. Towards the Globalization of SURFids. FIRST 20 th Annual Conference Vancouver, Canada"

Arron Walton
6 years ago
Views:

1 Beyond a sensor Towards the Globalization of SURFids Wim.Biemolt@surfnet.nl FIRST 20 th Annual Conference Vancouver, Canada

2 1 SURFnet6

3 2 SURFcert

4 3 18 th Annual FIRST Conference

Goals - Understanding: - types of malicious network traffic within a LAN - amount of malicious network traffic within a LAN - spreading of worms - Setting up:

5 Goals - Understanding: - types of malicious network traffic within a LAN - amount of malicious network traffic within a LAN - spreading of worms - Setting up: - a scalable IDS solution - an IDS that is easy to manage and maintain - Comparing results with other sensors - Limit malicious outbound traffic from SURFnet 4

6 Why build something new? - Sensor must be maintenance free - IDS must be scalable and easy to manage - No False Positives! - cannot use snort - Design IDS based on high speed networks - LAN - WAN - Design IDS should be able to analyze L2 traffic 5

7 6 Global overview

Sensor - remastered Knoppix distribution - USB boot - OpenVPN between Sensor and Central Server - Portability. - Familiar daemon-style usage. - No kernel modifications required.

8 Sensor - remastered Knoppix distribution - USB boot - OpenVPN between Sensor and Central Server - Portability. - Familiar daemon-style usage. - No kernel modifications required. - State-of-the-art cryptography - provided by the OpenSSL library - Comfortable with dynamic addresses or NAT. - Supports most operating systems - Linux, Windows, Mac OS X, BSD, and Solaris. 7

9 Needed - Computer system - USB boot - 1 NIC - DHCP or Static IP (2x) - OpenVPN session - through local firewall (TCP 1194) - HTTPS session - through local firewall (TCP 4443) 8

10 Servers - Tunnel server - OpenVPN tunnel to sensor - Manage X509 certificates/keys of sensors - Source-based routing - Logging server - Postgresql - Web interface - Show statistics of sensors (groups/individual) - Show statistics of different attacks - Ranking of sensors - Mail logging - IDMEF 9

11 Honeypot - Based on nepenthes - a low-interaction honeypot mimics the replies generated by vulnerable services in order to collect the first stage exploit - Modules - Resolve DNS asynchronous - Emulate vulnerabilities - Download files - Submit the downloaded files - Trigger events - Shellcode handler 10

handles client LAN attack on tap device Nepenthes logs attack Sensor is booted OpenVPN

12 Working of SURFids Attacker/Worm/Virus/Hacker Attacks IP on server Layer 2 tunnel (tap device) DHCP Nepenthes request simulates trough weakness tunnel Nepenthes Binds IP of handles client LAN attack on tap device Nepenthes logs attack Sensor is booted OpenVPN is started Uses tcp port 1194 Works with NAT!! Web interface makes data representable 11

13 12 Multiple VLAN support

14 Users - Wisconsin University (USA) - NTT-CERT (Japan) - GOVCERT.NL - SITEC (Sweden) - HEANET (Ireland) - ArCERT (Argentina) 13

15 Partnership - GOVCERT.NL - Knowledge sharing - Add additional resources - Additional monitoring technics - Future development - Letter of intent 14

16 Current IDS setup Client LAN Sensor Loggingserver Webserver Dbserver Public Server LAN Internet 1st VPN Tunnel 1st VPN Tunnel Tunnelserver + load balancing Private Server LAN Nepenthes Client LAN Client LAN Argos Sensor 15

17 Logical design

18 17 Sensors deployed

19 Results - What do we see - Automated attacks - No end-user interaction - Attacks on OS and applications - Scans - Probes - Offered malware - What we don t see - Targeted attacks - System hacking

20 Menu

21 Attacks

22 Malware Downloaded

23 Sensor Status

24 Traffic

25 Statistics - Exploit statistics - UDP/TCP port statistics - Malware filenames - Download protocol - Attack OS 24

26 25 Exploits

27 26 UDP/TCP ports

28 27 Malware filenames

29 28 Download protocol

30 29 Attack OS

31 30 Attack sources

32 31 Attack sources

33 My reports

34 My reports - mail

35 My reports - RSS

36 35 Netflow

37 Stats

38 Netflow processing

39 Possible malicious attack Top 10 Dst Port ordered by flows: Proto Dst Port Flows Packets Bytes pps bps bpp any any any any any any any any any any Summary: total flows: 6604, total bytes: , total packets: 6790

40 Malicious attack Top 10 Dst Port ordered by flows: Proto Dst Port Flows Packets Bytes pps bps bpp any any any any any any any any any any Summary: total flows: 6483, total bytes: , total packets: 6659

41 Malware offered Top 10 Dst Port ordered by flows: Proto Dst Port Flows Packets Bytes pps bps bpp any any any any any any any any any any Summary: total flows: 6784, total bytes: , total packets: 6961

42 Malware downloaded Top 10 Dst Port ordered by flows: Proto Dst Port Flows Packets Bytes pps bps bpp any any any any any any any any any any Summary: total flows: 471, total bytes: 74361, total packets: 589

43 Developments - Redesigned webinterface - Improved reporting - RSS reports - Multiple honeypot - Argos integration - Layer 2 detection - ARP poisoning attack detection - Rogue DHCP server detection - IP exclusions - CWSandbox support 42

44 ARP

45 Detected Protocols

46 45 IP exclusion

47 Argos Overview raise alert when tainted data is used to divert control flow Applications network data is tainted in Argos emulator when data is copied propagate taint Guest OS Emulator Host OS correlate network trace and memory to nerate signature network data logged and sent to app Signature

48 Argos Overview taint tags really point to bytes in network trace Applications Guest OS Emulator Host OS network trace

49 Argos Overview forensics: find out more about process Forensics Applications Snitch then sends it to host machine Guest OS Snitch send detailed info about process under attack to Snitch attack detected dump tainted memory Argos Emulator Host OS Signature Post-Processing Sub-system

50 Argos

51 Attack detail

52 Snort - Added value - Placement - Integration

53 Snort before Argos Client LAN Sensor Loggingserver Webserver Dbserver Public Server LAN Internet 1st VPN Tunnel 1st VPN Tunnel Tunnelserver + load balancing Private Server LAN Nepenthes Client LAN Client LAN Argos Sensor 52

54 Results - Over 90% of the attacks registered by Argos were detected by Snort - Other attacks also recognized

55 Snort on tunnel server Client LAN Sensor Loggingserver Webserver Dbserver Public Server LAN Internet 1st VPN Tunnel 1st VPN Tunnel Tunnelserver + load balancing Private Server LAN Nepenthes Client LAN Client LAN Argos Sensor 54

56 Results - Over 90% of the attacks registered by Nepenthes were detected by Snort - Identification of 10% of the possible malicious attacks

57 Recent issues

58 Version

59 Future goals - Correlation - Data between the different (honey) projects. - Data provided by other teams! - HoneyClients - Build a network of honey-clients - Catch 0-Day attacks on IE and other browsers - Watch for active exploitation of known and new client-side vulnerabilities - Honey-clients are fed with URL s from SPAM and other sources

60 Conclusion - SURFids - Successful solution - Very easy to deploy - Actively developed 59

Firewalls, Tunnels, and Network Intrusion Detection

Firewalls, Tunnels, and Network Intrusion Detection 1 Intrusion Detection Systems Intrusion Actions aimed at compromising the security of the target (confidentiality, integrity, availability of computing/networking