Mapping Internet Sensors with Probe Response Attacks

Similar documents
Mapping Internet Sensors with Probe Response Attacks

Revisiting Bloom Filters Payload attribution via Hierarchiecal Bloom Filters Kulesh Shanmugasundaram, Herve Bronnimann, Nasir Memon

/08/$ IEEE 630

Fast and Evasive Attacks: Highlighting the Challenges Ahead

Configuring Anomaly Detection

Worm Detection, Early Warning and Response Based on Local Victim Information

Demystifying Service Discovery: Implementing an Internet-Wide Scanner

Basic Concepts in Intrusion Detection

Configuring Anomaly Detection

Configuring Anomaly Detection

Intrusion Detection by Combining and Clustering Diverse Monitor Data

CSE 565 Computer Security Fall 2018

On the Effectiveness of Distributed Worm Monitoring

IPS with isensor sees, identifies and blocks more malicious traffic than other IPS solutions

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 12

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

CS Review. Prof. Clarkson Spring 2016

Security Gap Analysis: Aggregrated Results

CYBER ANALYTICS. Architecture Overview. Technical Brief. May 2016 novetta.com 2016, Novetta

Different attack manifestations Network packets OS calls Audit records Application logs Different types of intrusion detection Host vs network IT

Detecting Spam Zombies By Monitoring Outgoing Messages

Very Fast Containment of Scanning Worms. Nicholas Weaver, Stuart Staniford, Vern Paxson ICSI, Nevis Networks, ICSI & LBNL

Anonymization of Network Traces Using Noise Addition Techniques

Introduction to Security. Computer Networks Term A15

Hotspots: The Root Causes of Non- Uniformity in Self-Propagating Malware

Intrusion Detection System (IDS) IT443 Network Security Administration Slides courtesy of Bo Sheng

CS Review. Prof. Clarkson Spring 2017

A Knowledge-based Alert Evaluation and Security Decision Support Framework 1

Project Proposal. ECE 526 Spring Modified Data Structure of Aho-Corasick. Benfano Soewito, Ed Flanigan and John Pangrazio

Multidimensional Investigation of Source Port 0 Probing

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

WIDS Technology White Paper

A Survey of BGP Security Review

Developing the Sensor Capability in Cyber Security

Scrutinizer Flow Analytics

The UCSD Network Telescope

Project Proposal. ECE 526 Spring Modified Data Structure of Aho-Corasick. Benfano Soewito, Ed Flanigan and John Pangrazio

Firewalls, Tunnels, and Network Intrusion Detection

Distributed Denial of Service (DDoS)

ACS / Computer Security And Privacy. Fall 2018 Mid-Term Review

BotCatch: Botnet Detection Based on Coordinated Group Activities of Compromised Hosts

Load Balancing Technology White Paper

DDOS Attack Prevention Technique in Cloud

Usage of Honeypot to Secure datacenter in Infrastructure as a Service data

Bloom Filters. References:

DoS Attacks. Network Traceback. The Ultimate Goal. The Ultimate Goal. Overview of Traceback Ideas. Easy to launch. Hard to trace.

Information Security Specialist. IPS effectiveness

EECS 3214 Final Exam Winter 2017 April 19, 2017 Instructor: S. Datta. 3. You have 180 minutes to complete the exam. Use your time judiciously.

Privacy-Preserving Quantification of Cross-Domain Network Reachability

Strongly Anonymous Communications in Mobile Ad Hoc Networks

Global DDoS Measurements. Jose Nazario, Ph.D. NSF CyberTrust Workshop

CE Advanced Network Security


0x1A Great Papers in Computer Security

The Reconnaissance Phase

Best Practices With IP Security.

Mitigating Outgoing Spam, DoS/DDoS Attacks and Other Security Threats

A Collaborative Network Security Management System in Metropolitan Area Network

Symantec Security Monitoring Services

ISC2. Exam Questions CISSP. Certified Information Systems Security Professional (CISSP) Version:Demo

Virtual CMS Honey pot capturing threats In web applications 1 BADI ALEKHYA, ASSITANT PROFESSOR, DEPT OF CSE, T.J.S ENGINEERING COLLEGE

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 9 Performing Vulnerability Assessments

Metrics for Security and Performance in Low-Latency Anonymity Systems

Fundamental Questions to Answer About Computer Networking, Jan 2009 Prof. Ying-Dar Lin,

CSE 565 Computer Security Fall 2018

Incorporating Network Flows in Intrusion Incident Handling and Analysis

The Dark Oracle: Perspective-Aware Unused and Unreachable Address Discovery

Detecting Specific Threats

Covert Channels Towards a Qual Project

Polygraph: Automatically Generating Signatures for Polymorphic Worms

PrecisionAccess Trusted Access Control

CE Advanced Network Security Anonymity II

Network Analysis of Point of Sale System Compromises

Chapter 10: Security. 2. What are the two types of general threats to computer security? Give examples of each.

surveillance & anonymity cs642 computer security adam everspaugh

Introduction Challenges with using ML Guidelines for using ML Conclusions

ECE 697J Advanced Topics in Computer Networks

this security is provided by the administrative authority (AA) of a network, on behalf of itself, its customers, and its legal authorities

NetDefend Firewall UTM Services

Safely Measuring Tor. Rob Jansen U.S. Naval Research Laboratory Center for High Assurance Computer Systems

Intelligent and Secure Network

CIS Controls Measures and Metrics for Version 7

Overview Intrusion Detection Systems and Practices

RAPTOR: Routing Attacks on Privacy in Tor. Yixin Sun. Princeton University. Acknowledgment for Slides. Joint work with

interface Question 1. a) Applications nslookup/dig Web Application DNS SMTP HTTP layer SIP Transport layer OSPF ICMP IP Network layer

iloc: An invisible LOCalization Attack to Internet Threat Monitoring Systems

WHITE PAPER HIGH-FIDELITY THREAT INTELLIGENCE: UNDERSTANDING FALSE POSITIVES IN A MULTI-LAYER SECURITY STRATEGY

Analyzing Dshield Logs Using Fully Automatic Cross-Associations

0x1A Great Papers in Computer Security

Database Discovery: Identifying Hidden Risks and Sensitive Data

Standard Content Guide

Means for Intrusion Detection. Intrusion Detection. INFO404 - Lecture 13. Content

It s Flow Time! The Role and Importance of Flow Monitoring in Network Operations and Security

On the State of the Inter-domain and Intra-domain Routing Security

n Explain penetration testing concepts n Explain vulnerability scanning concepts n Reconnaissance is the first step of performing a pen test

Managing Latency in IPS Networks

McAfee Network Security Platform

9. Security. Safeguard Engine. Safeguard Engine Settings

Administration of Symantec Cyber Security Services (July 2015) Sample Exam

CIS Top 20 #12 Boundary Defense. Lisa Niles: CISSP, Director of Solutions Integration

Transcription:

Mapping Internet Sensors with Probe Response Attacks Computer Sciences Department University of Wisconsin, Madison

Introduction Outline Background Example Attack Introduction to the Attack Basic Probe Response Algorithm Attack Simulation Internet Storm Center Distribution Other Internet Sensor Network Distributions Generalizing the Attack Covert Channels Other Networks Countermeasures Conclusion

Introduction Internet Sensor Networks Definition An Internet sensor network is a collection of systems which monitor the Internet and produce statistics related to Internet traffic patterns and anomalies. Example categories of Internet sensors include: security log collection and analysis centers such as the SANS Internet Storm Center, mynetwatchman, and Symantec s DeepSight network collaborative intrusion detection systems Internet sinks and network telescopes such as the University of Michigan s Internet Motion Sensor and CAIDA

Introduction Usage of Internet Sensor Networks Internet sensors are useful for distributed intrusion detection and monitoring such as: quickly detecting worm outbreaks enabling a wide area perspective of the Internet aggregating rare events from globally distributed monitors classifying the pervasiveness of threats like port scans, DoS attacks, and botnet activity

Introduction Data Integrity, Sensor Anonymity, and Privacy Critical Assumption The integrity of an Internet sensor network is based upon the critical assumption that the IP addresses of systems that serve as sensors are secret. The results of violating this assumption include: integrity of the data produced by network is greatly reduced potential loss of anonymity and privacy of sensors

Introduction Maintaining Privacy Current attempts to maintain the privacy of organizations submitting logs to Internet sensor networks include the following: Techniques black marker approach eliminating sensitive fields from published reports hashing using a hash function on fields of a report bloom filters encoding data in an efficient data structure for set membership tests and set unions permutations applying a prefix-preserving permutation to IP addresses

Introduction Attacks and Countermeasures Probe Response Attacks new class of attacks called probe response attacks capable of compromising the anonymity and privacy of individual sensors in an Internet sensor network. Countermeasures We also provide countermeasures which are effective in preventing probe response attacks.

Background SANS Internet Storm Center

Background Case Study: the ISC SANS Internet Storm Center To evaluate the threat of probe response attacks in greater detail, we analyzed the feasibility of mapping a real-life Internet sensor network, the ISC. one of the most important existing systems which collects and analyzes data from Internet sensors challenging to map large number of sensors (over 680,000 IP addresses monitored) IP addresses broadly scattered in address space

Background ISC Sensors Currently, ISC collects packet filter (firewall) logs. logs primarily contain failed connection attempts over 2,000 organizations and individuals participate logs typically uploaded hourly Sample Packet Filter Log Date and Time Source IP Source Port Dest. IP Dest. Port 1/04/05 10:32:15 209.237.231.200 1956 64.15.205.183 132 1/04/05 10:30:41 216.187.103.168 4659 169.229.60.105 80 1/04/05 10:30:02 24.177.122.32 3728 216.187.103.169 194 1/04/05 10:28:24 24.168.152.10 518 209.112.228.200 1027

Background ISC Analysis and Reports The ISC publishes several types of reports and statistics - we focus on the port reports. Port Reports port reports list the amount of activity on each destination port this type of report is typical of the reports published by Internet sensor networks in general Sample Port Report Port Reports Sources Targets 325 99321 65722 39 1025 269526 51710 47358 139 875993 42595 180544 3026 395320 35683 40808 135 3530330 155705 270303 225 8657692 366825 268953 5000 202542 36207 37689 6346 2523129 271789 2558

Example Attack Introduction to the Attack Procedure to Discover Monitored Addresses Core Idea for each IP address i do probe i with reportable activity a wait for next report to be published check for activity a in report end for Details only one TCP packet necessary for each probe bandwidth requirements of sending a packet to every possible address will be addressed in discussion of simulations

Example Attack Introduction to the Attack Procedure to Discover Monitored Addresses Problem There are too many addresses to check one after another. most participants only submit logs to the ISC every hour there are about 2.1 billion valid, routable IP addresses Solution Check many addresses in parallel. only a small portion of addresses are monitored, so send same probe to many addresses if no activity is reported they can all be ruled out otherwise report reveals the number of monitored addresses since activity reported by port, send probes with different ports to run many independent tests at the same time

Example Attack Basic Probe Response Algorithm Detailed Procedure: First Stage IP address space S 1 S 2 S 3... S n............... packets packets packets on port p on port p3 on port p 1 2 packets on port p n begin with list of 2.1 billion valid IP addresses to check divide up into n search intervals S 1, S 2,... S n send SYN packet on port p i to each address in S i wait two hours and retrieve port report rule out intervals corresponding to ports with no activity

Example Attack Basic Probe Response Algorithm Detailed Procedure: Second Stage 1 2 R i... n k............ n k +1... packets are sent here nothing is sent here distribute ports among k remaining intervals R 1, R 2,... R k for each R i divide into n k + 1 subintervals send a probe on port pj to each address in the jth subinterval not necessary to probe last subinterval (instead infer number of monitored addresses from total for interval) if subinterval full, add to list and discard repeat second stage with non-empty subintervals until all addresses are marked as monitored or unmonitored

Example Attack Basic Probe Response Algorithm Example Run With Six Ports 2 0 3 2 0 0 Stage 1 1 1 0 0 1 2 0 1 1 Stage 2 0 1 0 1 0 1 1 0 1 0

Example Attack Basic Probe Response Algorithm External Activity Problem What if other activity is present in port reports? External activity may be considered noise which obscures the signal in the port reports. Solution Use a noise cancellation technique. use ports that consistently have less than k reports per time interval send k SYN packets in each probe use the reports field of the port report divide number of reports by k and round down

Attack Simulation Internet Storm Center Distribution Attack Simulation Overview We provide detailed results of a simulated probe response attack on the ISC including: time required to complete number of packets sent attack progress (percentage of monitored addresses discovered) Additional Simulation Results mapping distributions of addresses other than the ISC distribution consequences of a successful mapping attack

Attack Simulation Internet Storm Center Distribution Adversarial Models Adversarial Models for Simulation T1 attacker 1.544 Mbps of upload bandwidth Fractional T3 attacker 38.4 Mbps of upload bandwidth OC6 attacker 384 Mbps of upload bandwidth our algorithm is not dependent upon a particular Internet connection or attacker configuration can be executed on a single machine or a distributed collection of machines (botnet) time to complete is dependent only on upload bandwidth does not require significant state or complete TCP connections

Attack Simulation Internet Storm Center Distribution Attack Details Details of fractional T3 attacker mapping the addresses monitored by the ISC. Probes Sent 1.6e+10 Attack Progress 1 packets sent 1.4e+10 1.2e+10 1e+10 8e+09 6e+09 4e+09 2e+09 fraction of monitored addresses found 0.8 0.6 0.4 0.2 0 0 0.5 1 1.5 2 2.5 3 3.5 4 4.5 5 time (days) 0 0 0.5 1 1.5 2 2.5 3 3.5 4 4.5 5 time (days)

Attack Simulation Other Internet Sensor Network Distributions Random Sensor Sets Simulation Results previous simulations show that probe response attacks can map the ISC but what about other sets of monitored addresses Generalized Sets of Addresses feasibility of mapping other sets of monitored addresses depends in part on how they are clustered to extend our results we work with generalized sets of address generate random sets of monitored IP addresses vary the degree to which the addresses are clustered

Attack Simulation Other Internet Sensor Network Distributions Random Sensor Sets Clustering Model a cluster is set of sensors with sequential IP addresses model cluster size with Pareto distribution model sizes of gaps between clusters with exponential distribution Results with parameters set to match actual ISC addresses, time to map is roughly the same with larger average cluster sizes mapping becomes easier with smaller average cluster sizes mapping takes longer, but remains feasible

Attack Simulation Other Internet Sensor Network Distributions Random Sensor Sets Totally Random Addresses as an extreme case, we map a set of addresses choosen uniformally at random (i.e., each address is monitored with equal probability) this may be considered a worst case for the attacker Results attack remains feasible under the T3 attacker model, about 9 days necessary to map 680,000 addresses

Attack Simulation Other Internet Sensor Network Distributions Simulation Summary bandwidth set of addresses data sent time to map OC6 ISC 1,300GB 2 days, 22 hours T3 ISC 687GB 4 days, 16 hours T1 ISC 440GB 33 days, 17 hours T3 average cluster size 10 600GB 2 days T3 average cluster size 1.6 1, 100GB 8 days T3 totally random 860GB 9 days Key Simulation Results Probe response attacks are a serious threat. both a real set of monitored IP addresses and various synthetic sets can be mapped in reasonable time attacker capabilities determine efficiency, but mapping is possible even with very limited resources

Attack Simulation Other Internet Sensor Network Distributions Results of Successful Attack Consequences The consequences of an attacker successfully mapping the addresses monitored are severe. attacker may avoid monitored addresses in malicious activities (e.g., port scanning) worms may avoid monitored addresses and go undetected sensors may be flooded with errant data Recovery very difficult to recover from a successful mapping attack data from publicly published list of monitored addresses can not be considered an accurate picture of Internet activity.

Generalizing the Attack Covert Channels Covert Channels in Reports In our attack, an attacker gains information by: sending probes with different destination ports to different IP addresses considering which ports have activity reported using activity reported to determine the set of IP addresses that could have possibly received probes Probe Response Attack Covert Channel In this way, the destination port appearing in the packet sent out and later in the port reports is used by the attacker as a covert channel in a message to themselves.

Generalizing the Attack Covert Channels Example Covert Channels Covert Channels many possible fields of information appearing in reports are suitable for use as covert channels characteristics of attacks or probes may be reported in almost any field which an attacker can influence using covert channels an attacker can encode partial information about a destination IP address in a packet Example Fields Time / date Source IP Source port Destination subnet Destination port Captured payload data

Generalizing the Attack Covert Channels Symantec s DeepSight

Generalizing the Attack Other Networks Other Networks Symantec s DeepSight reports include time, source IP and port, destination port, and number of other sensors affected by attack requires attacker to submit a log containing each unique probe easily mapped by encoding destination IP address in source IP address of probe Simulation Results network bandwidth probes sent time to map DeepSight - 2.1 billion single pass of probes mynetwatchman - 2.1 billion single pass of probes SANS ISC T3 14 billion 4 days 16 hours

Generalizing the Attack Other Networks Symantec s DeepSight Report

Countermeasures Current Countermeasures Hashing, Encryption, and Permutations simply hashing report fields is vulnerable to dictionary attack encrypting a field with a key not publicly available is effective, but reduces utility of fields prefix-preserving permutations obscure IP addresses while still allowing useful analysis Bloom Filters allow for space efficient set membership tests configurable false positive rate vulnerable to iterative probe response attacks as a result of the exponentially decreasing number of false positives These current methods of anonymization do not prevent probe resonse attacks.

Countermeasures Information Limiting One approach to prevent probe response attacks is to limit the information provided in public reports in some way. private reports eliminate public reports entirely effective, but severely limits utility of network top lists only publish most significant events provides some useful information, but not complete picture of Internet phenomena may allow attackers to consistently avoid detection by keeping their activity below thresholds query limiting slow queries against public reports may require monetary payment, computational puzzle, or CAPTCHA to perform query will only slow down mapping attacks

Countermeasures Sampling Countermeasure Random Input Sampling Technique Randomly sample the logs coming into the analysis center before generating reports to increase the probability of false negatives. For example: suppose an analysis center discards every log it receives with probability 4 5 large scale phenomena such as worm outbreaks and port scanning should remain visible in the reports however, a probe response attack becomes more difficult because the probability of a single probe resulting in a false negative for the attacker would be 4 5

Countermeasures Sampling Countermeasure Overcoming Random Input Sampling to reduce the probability of a false negative, the attacker would need to send multiple probes for instance, to reduce the false negative rate of 4 5 to 1%, an attacker would need to a twenty-fold increase in bandwidth Stage 1 2 0 3 2 0 1 1 0 0 1 2 0 1 1 3 S Stage 2 S 0 1 0 1 0 1 1 0 1 0 S

Countermeasures Scan Prevention IPv6 increases IP addresses from 32 bits to 128 bits greatly reduces the feasibility of TCP/UDP scanning effective countermeasure if deployed correctly widespread adoption is out of our control S 1... S 2 IPv6 address space S 3........................ packets packets packets on port p on port p on port p 1 2 3

Countermeasures Delayed Reporting Another strategy in preventing mapping is delaying the publication of public reports. publish reports reflecting old data (e.g., last week s data) forces attacker to either wait a long period between iterations of attack or use non-adaptive algorithm a sufficiently long delay will make an adaptive attack infeasible non-adaptive (or offline) algorithms do not base the probes of the current rounds on previous rounds much larger search space likely to use many more probes and take much longer more detailed investigation remains as future work delaying reports greatly reduces effectiveness of Internet sensor network in providing real-time notification of new phenomena

Countermeasures Eliminating Inadvertent Exposure Inadvertent Exposure publishing information about the specific distribution of addresses monitored by an Internet sensor network aids attacker by reducing the number of probes necessary if a sensor network publishes the fact that they monitor a /8, the number of probes required for an attack drop from around 8 billion to 256 probes Sample Distribution Organization Size Regional ISP /24, /24 Large Enterprise /18 Academic Network /22, /23 National ISP /8 Broadband Provider /17, /22, /23

Conclusion Conclusion Internet sensor networks monitor the health of the Internet. Secrecy of the monitored addresses is essential to the effectiveness of the sensor network. Probe response attacks can be used to quickly and efficiently locate Internet sensors. Scan prevention, sampling, and limited and delayed reporting can be effective countermeasures against probe response attacks. Final Advice Internet sensor networks should be designed to resist probe response attacks.

Conclusion Questions? Related Work Privacy-Preserving Sharing and Correlation of Security Alerts by Lincoln, Porras, and Shmatikov. Proceedings of the 13th USENIX Security Symposium, 2004. Vulnerabilities of Passive Internet Threat Monitors by Yoichi Shinoda, Ko Ikai, Motomu Itoh. Proceedings of the 14th USENIX Security Symposium, August 2005.

Conclusion Resources for Further Information USENIX Security 05 Mapping Internet Sensors with Probe Response Attacks by John Bethencourt, Jason Franklin, and Mary Vernon. CIPART Project http://www.cs.wisc.edu/ vernon/cipart.html Presentation Slides http://www.cs.wisc.edu/ jfrankli/ Coauthor Information John Bethencourt Affiliation: University of Wisconsin, Madison Email: bethenco@cs.wisc.edu Professor Mary Vernon Affiliation: University of Wisconsin, Madison Email: vernon@cs.wisc.edu

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback