The Dark Oracle: Perspective-Aware Unused and Unreachable Address Discovery

Similar documents
Characterizing Dark DNS Behavior

The BGP Visibility Scanner

The BGP Visibility Scanner

Understanding IPv6 Internet Background Radia6on

StrobeLight: Lightweight Availability Mapping and Anomaly Detection. James Mickens, John Douceur, Bill Bolosky Brian Noble

Shedding Light on the Configuration of Dark Addresses

3/10/2011. Copyright Link Technologies, Inc.

Tracking Global Threats with the Internet Motion Sensor

Implementing IP Addressing Services

Implementing IP Addressing Services. Accessing the WAN Chapter 7

Routing Basics ISP/IXP Workshops

OSSIR. 8 Novembre 2005

Network Policy Enforcement

BGP101. Howard C. Berkowitz. (703)

Chapter 7: Routing Dynamically. Routing & Switching

Routing Concepts. IPv4 Routing Forwarding Some definitions Policy options Routing Protocols

Examination. IP routning på Internet och andra sammansatta nät, DD2491 IP routing in the Internet and other complex networks, DD2491

IPv6 Module 16 An IPv6 Internet Exchange Point

COURSE PROJECT SEM ATTENTION ALL ADVANCED DIPLOMA & BACHELOR STUDENTS

Introduction to IP Routing. Geoff Huston

Campus Networking Workshop CIS 399. Core Network Design

Foreword xxiii Preface xxvii IPv6 Rationale and Features

Insights on IPv6 Security

TDC 363 Introduction to LANs

Configuring EIGRP. Overview CHAPTER

CCNA Boot Camp. Course Description

A novel design for maximum use of public IP Space by ISPs one IP per customer

debug ip ospf database external default-metric subnet area 0 stub distribute-list in Serial0/1

Chapter 5. Security Components and Considerations.

Routing Basics ISP/IXP Workshops

Toward Understanding Distributed Blackhole Placement

Fast and Evasive Attacks: Highlighting the Challenges Ahead

Ethernet Fabrics- the logical step to Software Defined Networking (SDN) Frank Koelmel, Brocade

Module 1b IS-IS. Prerequisites: The setup section of Module 1. The following will be the common topology used for the first series of labs.

Module 16 An Internet Exchange Point

Darknet Traffic Monitoring using Honeypot

Routing Basics. Routing Concepts. IPv4. IPv4 address format. A day in a life of a router. What does a router do? IPv4 Routing

IPv6 Module 4 OSPF to IS-IS for IPv6

Top-Down Network Design, Ch. 7: Selecting Switching and Routing Protocols. Top-Down Network Design. Selecting Switching and Routing Protocols

IPv6 Pollution Traffic Analysis

Network Defense Applications Using Stationary and Event-Driven IP Sinkholes

Multihoming with BGP and NAT

Multicast Technology White Paper

Hotspots: The Root Causes of Non- Uniformity in Self-Propagating Malware

Measuring IPv6 Adoption

Setting Up OER Network Components

Illegitimate Source IP Addresses At Internet Exchange Points

BGP Multihoming ISP/IXP Workshops

Advanced Computer Networking. CYBR 230 Jeff Shafer University of the Pacific. IPv6

BGP Multihoming. ISP/IXP Workshops

Static and Default Routes

Examination. ANSWERS IP routning på Internet och andra sammansatta nät, DD2491 IP routing in the Internet and other complex networks, DD2491

Routing Protocol Type Primarily IGP or EGP RIP Distance-Vector IGP EIGRP OSPF IS-IS BGP

CMPE 80N: Introduction to Networking and the Internet


CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 12

IP Routing. Bharat S. Chaudhari International Institute of Information Technology Pune, India

3-2 GHOST Sensor: Development of a Proactive Cyber-attack Observation Platform

A Measurement Study of BGP Misconfiguration

IT220 Network Standards & Protocols. Unit 8: Chapter 8 The Internet Protocol (IP)

Chapter 4: outline. 4.5 routing algorithms link state distance vector hierarchical routing. 4.6 routing in the Internet RIP OSPF BGP

Cisco Implementing Cisco IP Routing v2.0 (ROUTE)

RSC Part II: Network Layer 3. IP addressing (2nd part)

EIGRP. About EIGRP. CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.7 1

Help I need more IPv6 addresses!

Lecture 3. The Network Layer (cont d) Network Layer 1-1

IPv6 Addressing. There are three types of IPV6 Addresses. Unicast:Multicast:Anycast

Stateful Failover Technology White Paper

IPv6 Module 11 Advanced Router Configuration

Routing Protocol comparison

CPSC 826 Internetworking. The Network Layer: Routing & Addressing Outline. The Network Layer

Update from the RIPE NCC

Route Filtering. Types of prefixes in IP core network: Internal Prefixes External prefixes. Downstream customers Internet prefixes

Changes to Underlying Architecture Impact Universal Search Results

Lab Configuring IPv6 Static and Default Routes (Solution)

[Actual4Exams] Actual & valid exam test dumps for your successful pass

IP - The Internet Protocol. Based on the slides of Dr. Jorg Liebeherr, University of Virginia

Scope and Sequence: CCNA Exploration v4.0

Implementing Cisco IP Routing

Routing Basics. ISP Workshops. Last updated 10 th December 2015

Objectives. Review: Classful addresses. RIPv1 Characteristics. RIP Operation. RIP version 1

Configuring Cisco Adaptive Security Appliance for SIP Federation

Building the Routing Table. Introducing the Routing Table Directly Connected Networks Static Routing Dynamic Routing Routing Table Principles

Lab10: NATing. addressing conflicts, routers must never route private IP addresses.

Beyond the IPv4 Internet. Geoff Huston Chief Scientist, APNIC

Security in inter-domain routing

Advisory Guidelines for 6to4 Deployment

Internet Network Protocols IPv4/ IPv6

Empirical Analysis of the Effects and the Mitigation of IPv4 Address Exhaustion

Interconnecting Cisco Networking Devices Part 1 (ICND1) Course Overview

Transparent or Routed Firewall Mode

BTEC Level 3 Extended Diploma

ipv6 mobile home-agent (global configuration)

IPv6 Module 6 ibgp and Basic ebgp

Route Filtering. Types of prefixes in IP core network: Internal Prefixes External prefixes. Downstream customers Internet prefixes

Actualtests Q

Study Guide. Module Two

Computer Networking Introduction

IPv6 in 60 minutes. aarnet Australia's Academic and Research Network

CSCD58 WINTER 2018 WEEK 6 - NETWORK LAYER PART 1. Brian Harrington. February 13, University of Toronto Scarborough

Transcription:

The Dark Oracle: Perspective-Aware Unused and Unreachable Address Discovery Evan Cooke *, Michael Bailey *, Farnam Jahanian *, Richard Mortier *University of Michigan Microsoft Research - 1 - NSDI 2006

Honeynet Monitoring Unused Internet addresses form the basis for a broad class of security systems: honeynet monitoring Honeypots Darknets Telescopes Goal today is to dramatically expand the scope of this class of systems by redefining what we mean by unused Internet addresses - 2 - The Dark Oracle Perspective-Aware Unused and Unreachable Address Discovery NSDI 2006

A Closer Look At Address Usage White= Used Black= Unused All IPv4 67% of IPv4 addresses not announced via BGP - 3 - The Dark Oracle Perspective-Aware Unused and Unreachable Address Discovery NSDI 2006

A Closer Look At Address Usage White= Used Black= Unused All IPv4 Organization 67% of IPv4 addresses not announced via BGP 58% of addresses in an organization not internally routed - 4 - The Dark Oracle Perspective-Aware Unused and Unreachable Address Discovery NSDI 2006

A Closer Look At Address Usage White= Used Black= Unused All IPv4 Organization Subnet 67% of IPv4 addresses not announced via BGP 58% of addresses in an organization not internally routed 65% of addresses allocated to a DHCP server not used - 5 - The Dark Oracle Perspective-Aware Unused and Unreachable Address Discovery NSDI 2006

Honeynets Sample of existing projects: Honeynet Project ~ /32 (1 address) honeyd ~ /24 (255 addresses) Potemkin Honeypot Farm ~ /16 (65K addresses) Observations: Very small % of available addresses Contagious blocks of unused addresses Only globally advertised and globally reachable addresses - 6 - The Dark Oracle Perspective-Aware Unused and Unreachable Address Discovery NSDI 2006

Automatic Address Discovery Our Goal: 1. Redefine unused addresses as dark addresses 2. Develop a methodology for automatically discovering dark addresses 3. Route traffic to those addresses to honeynet monitoring systems Vision: Pervasive Honeynets Give honeynets the visibility of 1,000 s honeypots distributed inside and outside the network - 7 - The Dark Oracle Perspective-Aware Unused and Unreachable Address Discovery NSDI 2006

Redefining Dark Space Honeynets typically configured to monitor globally advertised and globally reachable unused addresses Attacker 68.0.0.1 Honeypot Acme co. Internet - 8 - The Dark Oracle Perspective-Aware Unused and Unreachable Address Discovery NSDI 2006

Unused and Unreachable Addresses We propose a dark address should be defined as an unused or unreachable address - 9 - The Dark Oracle Perspective-Aware Unused and Unreachable Address Discovery NSDI 2006

Unused and Unreachable Addresses We propose a dark address should be defined as an unused or unreachable address Attacker Firewall/ NAT Internet 10.0.0.1 X Honeypot Acme co. Unreachable Address - 10 - The Dark Oracle Perspective-Aware Unused and Unreachable Address Discovery NSDI 2006

Perspective-Aware With this expanded definition we can adopt the perspective of a specific network and construct incoming and outgoing honeynets Outgoing Honeypot Acme co. Firewall/ NAT Internet Attacker 10.0.0.1 Incoming X Unreachable Address - 11 - The Dark Oracle Perspective-Aware Unused and Unreachable Address Discovery NSDI 2006

Architecture Leverage distributed address allocation data External Routing (e.g. BGP) Internal Routing (e.g. OSPF) Host Config. (e.g. DHCP) Organizational Network Address Manager Honeynet/ HoneyFarm - 12 - The Dark Oracle Perspective-Aware Unused and Unreachable Address Discovery NSDI 2006

Finding Unused Addresses Why is it hard to get more unused addresses: 1.Address allocation information distributed across devices, applications, domains 2.Address allocations change quickly (e.g. mobile users) - 13 - The Dark Oracle Perspective-Aware Unused and Unreachable Address Discovery NSDI 2006

Potential Sources of Global Addresses Allocation Proceeds Many unused addresses at each step in the address allocation process (unused = black) - 14 - The Dark Oracle Perspective-Aware Unused and Unreachable Address Discovery NSDI 2006

Leveraging Internal Data Find globally unique and local routable addresses - 15 - The Dark Oracle Perspective-Aware Unused and Unreachable Address Discovery NSDI 2006

Address Allocation Data Sources We find three major classes of potential sources of address allocation information 1. External Routing Data e.g. BGP 2. Internal Routing Data e.g. OSPF, ISIS, RIP 3. Host Configuration Data e.g. DHCP, LDAP - 16 - The Dark Oracle Perspective-Aware Unused and Unreachable Address Discovery NSDI 2006

Address Misclassification But, what if you make a mistake and misclassify an address as dark or used? Two possible ways this can happen: 1. State between data source and data reader become out of sync 2. Inaccurate data source Can help prevent by: sampling often add delay to the used to dark transition - 17 - The Dark Oracle Perspective-Aware Unused and Unreachable Address Discovery NSDI 2006

The Dark Oracle We implemented a prototype address discovery platform call the Dark Oracle Inputs BGP feed from RouteView project as source of external routing data OSPF listener as source of internal routing data DHCP server monitor as source of host config data Outputs A locally-accurate map of dark addresses - 18 - The Dark Oracle Perspective-Aware Unused and Unreachable Address Discovery NSDI 2006

The Honeynet We passively captured packet to the dark addresses from the Dark Oracle Traffic was capture using: 1. Darktrap: A userland program to differentiate dark traffic from live traffic from a route span port 2. Blackhole Route: A fall-through route Routing Table 1.2.3.0/24 1.2.7.0/24 1.2.0.0/16 0.0.0.0/0 Blackhole Route 1.2.3.0/24 ISP Router EECS Dept. Subnet Blackhole:1.2.0.0/16 Darknet Capture 1.2.7.0/24 English Dept. Subnet - 19 - The Dark Oracle Perspective-Aware Unused and Unreachable Address Discovery NSDI 2006

Evaluation Plan Analyze the stability, density, and quantity of the addresses from the three data sources Deploy the Dark Oracle on academic, enterprise, and ISP networks Compare the resulting visibility to an existing honeynet - 20 - The Dark Oracle Perspective-Aware Unused and Unreachable Address Discovery NSDI 2006

Data Source Eval: External Routing Data Bogon List RIPE + ARIN Allocations BGP from RouteViews More accurate information reveals significantly more and better external reachability information - 21 - The Dark Oracle Perspective-Aware Unused and Unreachable Address Discovery NSDI 2006

Data Source Eval: External Routing Data Over the 1 month period the average change in addresses per 4-hours was 0.01-0.001% of IPv4 (~/16) Very small error incurred by sampling less frequently (0.04% error if sampled once per day) - 22 - The Dark Oracle Perspective-Aware Unused and Unreachable Address Discovery NSDI 2006

Data Source Eval: Host Config We monitored DHCP server that managed 5120 addresses, 70% of those addresses never alloc! An address newly classified as dark remained for an average of 8.85 days - 23 - The Dark Oracle Perspective-Aware Unused and Unreachable Address Discovery NSDI 2006

Dark Oracle Deployment Deployed Dark Oracle on a live network with ~10,000 hosts Darktrap run on 3Ghz system connected to a span port from a centrally located Cisco Catalyst 6500 (DHCP/BGP addresses) Blackhole route (OSPF addresses) - 24 - The Dark Oracle Perspective-Aware Unused and Unreachable Address Discovery NSDI 2006

Addresses Discovered Huge Outgoing Honeypot Large % Of Unused Addresses At Each Level - 25 - The Dark Oracle Perspective-Aware Unused and Unreachable Address Discovery NSDI 2006

Honeynet Detection Results Traditional /24 Darknet - 26 - The Dark Oracle Perspective-Aware Unused and Unreachable Address Discovery NSDI 2006

Honeynet Detection Results Infected/ Misconfigured Sources From the Same Network! - 27 - The Dark Oracle Perspective-Aware Unused and Unreachable Address Discovery NSDI 2006

Conclusion By becoming perspective-aware and monitoring external reachability data we can construct incoming and outgoing honeynets Automatic address discovery provides order-ofmagnitude more unused addresses compared to existing honeynet allocation systems Pervasive honeynet are better at detecting targeted attacks and are resistant to fingerprinting - 28 - The Dark Oracle Perspective-Aware Unused and Unreachable Address Discovery NSDI 2006

Questions - 29 - The Dark Oracle Perspective-Aware Unused and Unreachable Address Discovery NSDI 2006

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback