The UCSD Network Telescope

Similar documents
On the Effectiveness of Distributed Worm Monitoring

Tracking Global Threats with the Internet Motion Sensor

Network Security Issues and New Challenges

An study of the concepts necessary to create, as well as the implementation of, a flexible data processing and reporting engine for large datasets.

Best Practices With IP Security.

Worldwide Detection of Denial of Service (DoS) Attacks

Outwitting the Witty Worm Exploiting Underlying Structure for Detailed Reconstruction of an Internet-Scale Event

Introduction to Security. Computer Networks Term A15

Denial of Service, Traceback and Anonymity

Understanding the Evolving Internet

DENIAL OF SERVICE ATTACKS

Global DDoS Measurements. Jose Nazario, Ph.D. NSF CyberTrust Workshop

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

Fast and Evasive Attacks: Highlighting the Challenges Ahead

Characterizing Dark DNS Behavior

Yubin Li Florida International University. Zesheng Chen Florida International University. Chao Chen Indiana University Purdue University Fort Wayne

0x1A Great Papers in Computer Security

Flooding Attacks by Exploiting Persistent Forwarding Loops

Mapping Internet Sensors with Probe Response Attacks

Implementation of an Automated Virus Response System

Prolexic Attack Report Q4 2011

Rob Sherwood Bobby Bhattacharjee Ryan Braud. University of Maryland. Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.

Worm Detection, Early Warning and Response Based on Local Victim Information

Security+ Guide to Network Security Fundamentals, Fourth Edition. Network Attacks Denial of service Attacks

Introduction to DDoS Attacks

Mapping Internet Sensors with Probe Response Attacks

Detection of DNS Traffic Anomalies in Large Networks

Alberto Dainotti

Computer and Network Security

SYMANTEC ENTERPRISE SECURITY. Symantec Internet Security Threat Report September 2005 Power and Energy Industry Data Sheet

A Survey of Defense Mechanisms Against DDoS Flooding A

Automated Analysis and Aggregation of Packet Data

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

Security: Worms. Presenter: AJ Fink Nov. 4, 2004

Intelligent and Secure Network

KNOM Tutorial Internet Traffic Matrix Measurement and Analysis. Sue Bok Moon Dept. of Computer Science

Distributed Denial of Service (DDoS)

Chapter 7. Denial of Service Attacks

DDOS Attack Prevention Technique in Cloud

Security activities in Japan towards the future standardization. Cybersecurity

Computer Security: Principles and Practice

Phishing Activity Trends Report November, 2004

2008 DNS Cache Poisoning Vulnerability Cairo, Egypt November 2008

Exam : Title : Security Solutions for Systems Engineers(SSSE) Version : Demo

Lecture 6: Worms, Viruses and DoS attacks. II. Relationships between Biological diseases and Computers Viruses/Worms

Flow-Level Traffic Analysis of the Blaster and Sobig Worm Outbreaks in an Internet Backbone

DoS Cyber Attack on a Government Agency in Europe- April 2012 Constantly Changing Attack Vectors

Multi-phase IRC Botnet & Botnet Behavior Detection Model

Analysis of Country-wide Internet Outages Caused by Censorship

Security Gap Analysis: Aggregrated Results

Internet Security Threat Report Volume XIII. Patrick Martin Senior Product Manager Symantec Security Response October, 2008

Phishing Activity Trends Report March, 2005

Analysis of Denial of Service Attack

Basic Concepts in Intrusion Detection

Estimating Persistent Spread in High-speed Networks Qingjun Xiao, Yan Qiao, Zhen Mo, Shigang Chen

Exploiting Underlying Structure for Detailed Reconstruction of an Internet-scale Event

DDoS Protector. Simon Yu Senior Security Consultant. Block Denial of Service attacks within seconds CISSP-ISSAP, MBCS, CEH

( ) 2016 NSFOCUS

Radware DefensePro DDoS Mitigation Release Notes Software Version Last Updated: December, 2017

Very Fast Containment of Scanning Worms. Nicholas Weaver, Stuart Staniford, Vern Paxson ICSI, Nevis Networks, ICSI & LBNL

Network Awareness and Network Security

activities CAIDA = Cooperative Association for Internet Data Analysis Marina Fomenkov, CAIDA 2nd CAIDA-WIDE-CASFI workshop Seoul, April 4, 2009

Example. Section: PS 709 Examples of Calculations of Reduced Hours of Work Last Revised: February 2017 Last Reviewed: February 2017 Next Review:

Flashback.. Internet design goals. Security Part One: Attacks and Countermeasures. Why did they leave it out? Security Vulnerabilities

Packet-level Simulations of the Flash Worm and the Compact Flash Worm

Enhancing Telescope Imagery

Our Narrow Focus Computer Networking Security Vulnerabilities. IP-level vulnerabilities

Distributed Denial of Service

Correlation Based Approach with a Sliding Window Model to Detect and Mitigate Ddos Attacks

Phishing Activity Trends

Cisco Webex Cloud Connected Audio

Software Systems for Surveying Spoofing Susceptibility

Phishing Activity Trends Report August, 2006

Dixit Verma Characterization and Implications of Flash Crowds and DoS attacks on websites

DDoS PREVENTION TECHNIQUE

IPv6- IPv4 Threat Comparison v1.0. Darrin Miller Sean Convery

EE 122: Network Security

DDoS Managed Security Services Playbook

Traffic Optimization for ExaScale Science Applications

Example: Simple Forensics

Phishing Activity Trends Report August, 2005

OpenCache. A Platform for Efficient Video Delivery. Matthew Broadbent. 1 st Year PhD Student

Darknet Traffic Monitoring using Honeypot

Overview of nicter - R&D project against Cyber Attacks in Japan -

Phishing Activity Trends Report January, 2005

Software Systems for Surveying Spoofing Susceptibility

An Analysis of Correlations of Intrusion Alerts in an NREN

Day In The Life of the Internet 2008 Data Collection Event.

CSE 565 Computer Security Fall 2018

2020: Time to Shutdown DDoS?

CSE 565 Computer Security Fall 2018

Jaal: Towards Network Intrusion Detection at ISP Scale

ddos-guard.net Protecting your business DDoS-GUARD: Distributed protection against distributed attacks

Example: LBL Forensics

Beyond Blind Defense: Gaining Insights from Proactive App Sec

Scalability, Fidelity, and Containment in the Potemkin Virtual Honeyfarm

Phishing Discussion. Pete Scheidt Lead Information Security Analyst California ISO

Lecture 12. Application Layer. Application Layer 1

Protecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper

AAD - ASSET AND ANOMALY DETECTION DATASHEET

Transcription:

The UCSD Network Telescope Colleen Shannon cshannon @ caida.org NSF CIED Site Visit November 22, 2004 UCSD CSE

Motivation Blocking technologies for automated exploits is nascent and not widely deployed Research in this area is critical Measurement of current events complements this research Stay in touch with recent trends (worms are faster and more malicious; botnets are stealthy and widely utilized) Identify new anomalous behavior (whether malicious or simply broken infrastructure) 2

Network Telescope Chunk of (globally) routed IP address space Little or no legitimate traffic (or easily filtered) Unexpected traffic arriving at the network telescope can imply remote network/security events Generally good for seeing explosions, not small events Depends on random component in spread 3

Network Telescope: Denial-of-Service Attacks Attacker floods the victim with requests using random spoofed source IP addresses Victim believes requests are legitimate and responds to each spoofed address We observe 1/256 th of all victim responses to spoofed addresses 4

Denial-of-Service Attacks Three Years 140 120 Unique Victim IPs/hour 100 80 60 40 20 0 02/01 2001 04/06 2001 06/25 2001 08/16 2001 05/09 2002 06/29 2002 12/11 2002 11/06 2003 02/25 2004 Time 5

Network Telescope: Worm Attacks Infected host scans for other vulnerable hosts by randomly generating IP addresses We monitor 1/256 th of all IPv4 addresses We see 1/256 th of all worm traffic of worms with no bias and no bugs 6

Geographic Spread of Witty 7

Network Telescope Current Status Continuously collected/archived data 15 months of trace data (Since August 12, 2003) 16 months of flow data (Since July 11, 2003) 0.75 TB/month (8 TB total) 50 researchers currently using February 2001 dataset Industry Collaboration Bandwidth Donation Address Space Donations Connectivity upgrade 8

Network Telescope Bandwidth Donation September 2004: Network Telescope is 1/3 of all inbound traffic to UCSD Inbound traffic drives 95 th percentile charges Net cost to UCSD for bandwidth: ~$2500/month October 2004: Limelight networks donates all inbound connectivity to the UCSD Network Telescope: ~$30,000/year No ports blocked inbound to the Network Telescope 9

Network Telescope Address Space Donation Current Assets /8 network (Fall 2001) /16 network (Winter 2004) Donations in progress Two more /16 networks Five+ /24 networks Value in additional address space Interspersed with end user and content hosting networks, increasing the diversity of our view Mix of locally deployed and remotely announced space Accurate epidemiology who was targeted and when? 10

Address Space vs. Detection Time 10 pps events (Code-Red approx. this rate) Detection probability: 5% 50% 95% /8 (1 in 256 sampling) 1.3 sec 18 sec 1.3 min /14 1.4 min 19 min 1.4 hours /15 3 min 38 min 2.7 hours /16 (1 in 65,536 sampling) 6 min 1.3 hours 5.5 hours /19 45 min 10 hours 1.8 days /24 (1 in ~16.7M sampling) 24 hours 14 days 58 days 11

Network Telescope Connectivity Upgrade UCSD campus network reconfigured to support: Separate GigE interfaces for all currently monitored address blocks Administrative interface with differently routed path to telescope infrastructure (preserves access during a flash event) Automatic exclusion from UCSD network security measures 12

Network Telescope - Future Honeyfarm deployment Traffic characterization for IDS testbed PREDICT Data Repository December 2004 Network Telescope Observation Station Early 2005 13

DHS Predict Project Goal: Get current, relevant (therefore sensitive) network security data to researchers ~Six centers around the country coordinating many more data sources (commercial security companies, commercial ISPs, POPs, and co-location/data centers) Researchers able to apply for data access in early 2004 14

DHS Predict Data Distribution New Datasets Coming soon: Code-Red and Witty worm datasets Raw trace data Flow files IP counts over time Hostnames and geographic information 2001-2004 Denial-of-Service backscatter dataset ~One week of data every 3-6 months over 3 years Raw backscatter trace data Attack Flow files (restricted access) Raw telescope traces Existing/continuing collections: OC48 traces from large ISPs Active topology measurement data 15

Network Telescope Observation Station Real-time view of Network Telescope activity Publicly accessible Aggregated view protects individual privacy Prototype collecting data for more than a year Final user interface implementation in progress Coming soon! 16

Network Telescope Observation Station 17

Denial-of-Service Attacks: 1 hour 18

Denial-of-Service Attacks 1 Month 19

Global Attack Traffic 1 Week 20

Global Attack Traffic 1 Year 21

Conclusions Active collaborations with UCSD, industry, and research communities paying off Bandwidth Address space Community resource: backscatter dataset available; current backscatter and worm datasets coming soon Rapid response to current events (SCO DoS attack, Witty Worm) 22

Acknowledgements Technical support of Network Telescope at UCSD: Brian Kantor, Jim Madden, and Pat Wilson Support for this work was provided by: NSF, Cisco Systems, DHS, DARPA, and CAIDA members 23

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback