Published on October 7, 2007
Internet Security Monitoring
Monitoring and Coordination of Intrusion Detection

Security Monitoring
Network security is the most important problem of today's networks
- Attacks and intrusions: viruses, worms, spyware, spam, ...
Function of security monitoring
- To characterize, monitor, and track these threats
- Critical to the smooth running of individual organizations and the Internet as a whole

Current Practice for Protecting against Intrusions
Firewalls
- Choke points that filter traffic at network gateways in real time, based on local security policies
- Drawbacks: static strategy; cannot detect new types of threats
Network Intrusion Detection System (NIDS)
- Passively observes local network traffic at network ingress/egress points
- Uses standard methods to detect intrusions, including misuse detection, statistical anomalies, information retrieval, data mining, inductive learning, ...
- Drawbacks: high false alarm rates and the perspective of a single vantage point

One Promising Approach to Network Monitoring
Collect data from traffic to unused (or dark) address space
- Other than misconfigurations, packets destined to unused addresses are almost always malicious, so false alarms (false positives) are minimized.
- A detection tool that monitors unused addresses can actively respond to connection requests, which enables the capture of data packets with attack-specific information.

Selected Research on Internet Monitoring
V. Yegneswaran et al., "On the Design and Use of Internet Sinks for Network Abuse Monitoring", in Proceedings of the Symposium on Recent Advances in Intrusion Detection (RAID), 2004.
- The Internet Sink system measures packet traffic on unused IP addresses.
Michael Bailey et al., "The Internet Motion Sensor: A Distributed Blackhole Monitoring System", in Proceedings of the 12th Annual Network and Distributed System Security Symposium (NDSS), 2005.
- IMS has a distributed monitoring infrastructure, a lightweight active responder, and a payload signature and caching mechanism.
V. Yegneswaran et al., "Global Intrusion Detection in the DOMINO Overlay System", in Proceedings of NDSS, 2004.
- An architecture for a distributed intrusion detection system that fosters collaboration among heterogeneous nodes organized as an overlay network.
V. Yegneswaran et al., "Internet Intrusions: Global Characteristics and Prevalence", in Proceedings of ACM SIGMETRICS, June 2003.
- Systematically analyzes a set of firewall logs collected over four months from over 1600 different networks worldwide.

"On the Design and Use of Internet Sinks for Network Abuse Monitoring"
Goal of iSink
- To address the problem of designing and deploying a system for monitoring large unused address spaces, such as class A telescopes with 16M IP addresses.
- To create a highly scalable backplane with sufficient interactivity to filter out known worms, attacks and misconfigurations.
Characteristics of iSink
- Uses both active and passive components
- Maintains as little state as possible in active responders
- Uses sampling techniques in both active and passive components to increase scalability

Internet Sink Implementation
Passive Monitor
- Based on Argus, which allows flow-level monitoring of sink traffic
Active Sink
- Based on the Click modular router; includes Poll Device, IP Classifier and Windows Responder
NAT Filter
- Reduces the volume of traffic generated by active responders; routes requests to the appropriate responders and filters requests that attempt to exploit known vulnerabilities or misconfigurations
VMware Honeynets
- Commodity operating systems running on VMware
NIDS
- Used to evaluate the packet logs collected at the filter

Campus Enterprise iSink Case Study
Campus-Enterprise Sink
- Located inside one AS, advertised via the local interior routing protocol
- Sees traffic from local sources and from sources in remote networks
- Received unsolicited traffic destined for approximately 100,000 unused IPv4 addresses within 4 sparsely-to-moderately utilized class-B networks on campus
Traffic observed from local sources
- Enterprise network management traffic
- Traffic from misconfigured hosts
- Malicious probes and worm traffic

Campus Enterprise iSink (Cont.)
Traffic observed only from remote sources

Service Provider iSink Case Study
Service-Provider Sink
- An ISP router, located at the campus' service provider, served as the gateway
- Received unsolicited traffic destined for 16 million IPv4 addresses in one class A network
Traffic observed in a typical week at the service-provider iSink
Conclusion: the location of the iSink in IP address space is important

Service Provider iSink (Cont.)
Investigating Unique Periodic Probes
- Most of the periodicity observed in the TCP flows could be isolated to sources scanning two services (ports 139 and 445) simultaneously
- Passive logs provided three additional clues:
  1) scans typically involve 256 successive IP addresses that span a /24 boundary
  2) the probes had a period of roughly 2.5 hours
  3) the small-timescale periodicity seemed to be superimposed on a diurnal periodic behavior at larger timescales
- Developed NetBIOS and SMB responders and observed the packet logs generated by the active response system
Conclusion
- Able to isolate it to the LovGate worm
- The scanning process is deterministic
- Conjecture that gaps occur due to approximately synchronized clocks in the wide area

Service Provider iSink (Cont.)
Analysis of Backscatter Packets
- TCP packets with ACK/RST dominate, as might be expected
- Vertical lines correspond to less common short-duration spikes of SYN/ACK and SYN/ACK/RST
- ICMP TTL-exceeded packets could be attributed to either routing loops or DoS floods with a low initial TTL
- Backscatter made up a small percentage (under 5%) of the overall traffic seen on the service-provider sink

Service Provider iSink (Cont.)
SMTP Hot-spot
- From passive measurements, they identified an SMTP hot-spot: one IP address was attracting a disproportionately large number of SMTP scans (20-50 scans per second)
- Hot-spots in unused address space are typically good indicators of misconfiguration
- Set up an SMTP responder on the target IP address and captured the incoming email
- This revealed the source of the email to be misconfigured wireless-router/firewall systems from a major vendor. The emails are actual firewall logs!
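As an added illustration of how the three passive-log clues above can be checked mechanically (this is not code from the iSink paper or the slides; the log records, addresses and the 600-second burst gap are constructed assumptions), the following Python groups probes by source and reports whether each source swept 256 consecutive addresses across a /24 boundary and how far apart its bursts were:

```python
import ipaddress
from collections import defaultdict

def make_sample_log():
    """Constructed passive log (unix_time, src, dst): one source sweeps 256
    consecutive addresses straddling a /24 boundary every 2.5 h (9000 s)."""
    log, base = [], int(ipaddress.IPv4Address("192.0.2.128"))  # starts mid-/24
    for burst in range(3):
        t0 = 1_000_000 + burst * 9000
        for i in range(256):
            log.append((t0 + i * 0.01, "198.51.100.7", str(ipaddress.IPv4Address(base + i))))
    log.append((1_000_500, "203.0.113.9", "192.0.2.5"))  # unrelated single probe
    return log

def consecutive_runs(addrs):
    """(start_int, length) for each run of consecutive IPv4 addresses in addrs."""
    ints = sorted({int(ipaddress.IPv4Address(a)) for a in addrs})
    runs, start, prev = [], ints[0], ints[0]
    for x in ints[1:]:
        if x != prev + 1:
            runs.append((start, prev - start + 1))
            start = x
        prev = x
    runs.append((start, prev - start + 1))
    return runs

def spans_slash24(start, length):
    return (start >> 8) != ((start + length - 1) >> 8)  # different /24 at each end

def analyze(log, gap_s=600):
    """Per source: 256-address sweep? crosses a /24? mean hours between bursts
    (a burst ends when the source is silent for more than gap_s seconds)."""
    by_src = defaultdict(list)
    for t, src, dst in log:
        by_src[src].append((t, dst))
    report = {}
    for src, recs in by_src.items():
        recs.sort()
        sweeps = [(s, n) for s, n in consecutive_runs(d for _, d in recs) if n == 256]
        starts = [recs[0][0]]
        for (t_prev, _), (t, _) in zip(recs, recs[1:]):
            if t - t_prev > gap_s:
                starts.append(t)
        periods = [b - a for a, b in zip(starts, starts[1:])]
        report[src] = {
            "sweep_256": bool(sweeps),
            "crosses_slash24": any(spans_slash24(s, n) for s, n in sweeps),
            "period_hours": round(sum(periods) / len(periods) / 3600, 2) if periods else None,
        }
    return report
```

On real Argus-style flow logs the same three questions can be asked per source before deciding which active responder to stand up.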
Service Provider iSink (Cont.)
Experiences with Recent Worms
- Detected the advent of recent worms such as Sasser
- Thanks to the Active Sink, it is possible to distinguish existing worm traffic on commonly exploited ports such as port 445 from new worm activity

"The Internet Motion Sensor: A Distributed Blackhole Monitoring System"
The Internet Motion Sensor
- A globally scoped Internet monitoring system whose goal is to measure, characterize, and track a broad range of Internet threats
- Based on the monitoring of unused or dark address space
Difference
- While iSink combines sensors of different measurement fidelities, the goal of IMS is to gain global threat visibility rather than in-depth information on the specific mechanisms of a threat

Challenges
Sensor coverage
- IPv4 space is limited and there is only a small number of large unused address blocks available for instrumentation
- It has been shown that address blocks in different networks see different threat traffic
- Thus, sensor size and topological location are important components of sensor coverage
Service emulation
- If the sensors do not directly involve live hosts, which services should be emulated, and at what level?
- There is an immense number of services on the Internet today
- So, there must be a tradeoff
Three Novel Components of IMS
A distributed monitoring infrastructure
- Increases visibility into global threats
A lightweight active responder
- Provides enough interactivity that traffic on the same service can be differentiated independent of application semantics
A payload signature and caching mechanism
- Avoids recording duplicate payloads
- Reduces overhead and assists in the identification of new payloads

Distributed Blackhole Network
- Consists of a set of distributed blackhole sensors, each monitoring a dedicated range of unused IP address space
- Built from address blocks of various sizes
- Placed in a variety of topologically diverse locations
- The current distributed IMS deployment consists of 28 distinct address blocks at 18 physical installations

Packets Observed by a Collection of Sensors
- Different blackholes observe different magnitudes and types of traffic

Lightweight Responder
- Main responsibility: to elicit payloads for TCP connections
- A Blaster example

Deployment
- The current distributed IMS deployment consists of 28 distinct address blocks at 18 physical installations
- Contains lightweight responders across all ports and a data query engine to support distribution
- A portal server acts as a query aggregator, forwarding queries to each sensor and forwarding back the responses, and provides real-time views of threat traffic

Lightweight Responder: Differentiate Services
- Extraction and classification of a new threat for a highly trafficked service

Lightweight Responder: Service Agnostic
- To enable insight into less popular services
- A management application that may not be widely deployed: the population deploying this service might only be several thousand hosts on the global Internet, and the obscurity of the service may mean it is unmonitored
- Many backdoor ports on existing worms and viruses are less well-known services

MD5 Checksumming and Caching of Request Payloads
- When a blackhole sensor receives a packet with a payload, it first computes the MD5 checksum of the payload (without network headers) and compares it against the checksums of all the other packets it has seen
- If the checksum, or signature, has already been recorded, the passive capture component logs the signature but does not store the payload
- If the signature is new, the payload is stored and the signature is added to the database of signatures seen
Advantages
- Provides a factor of two in storage savings
- A simple, fast signature mechanism

Observations and Experiences
Internet Worms
- The 7-day period of observations surrounding the release of the Blaster worm indicates a clear 3-phase cycle
- The first phase is the growth phase, in which the number of scans increased from a baseline rate to hundreds of thousands per hour. The second phase is the decay phase, in which the number of observed probes drops as large-scale filtering was implemented to halt the worm's spread and cleanup started. The third phase of worm activity is the persistence phase, which for the Blaster worm has continued through 2004.
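Added example (not the IMS project's code) of the signature-and-cache logic described on the MD5 checksumming slide above, run over constructed sample traffic; the storage-savings figure it reports depends entirely on how repetitive the constructed input is, not on the factor of two measured by the paper.

```python
import hashlib
from collections import Counter

class PayloadCache:
    """Signature-and-cache store for request payloads arriving at a blackhole
    sensor: MD5 over the application payload only (no network headers); a
    sighting is always logged by signature, the bytes only when the
    signature is new."""

    def __init__(self):
        self.payloads = {}       # signature -> stored payload bytes
        self.sightings = []      # (signature, src, dport) for every packet
        self.bytes_offered = 0   # payload bytes received in total
        self.bytes_stored = 0    # payload bytes actually kept

    @staticmethod
    def signature(payload):
        return hashlib.md5(payload).hexdigest()

    def observe(self, payload, src, dport):
        """Record one packet; return (signature, is_new_payload)."""
        sig = self.signature(payload)
        self.sightings.append((sig, src, dport))
        self.bytes_offered += len(payload)
        if sig in self.payloads:
            return sig, False            # seen before: log signature only
        self.payloads[sig] = payload     # new: keep the bytes for analysis
        self.bytes_stored += len(payload)
        return sig, True

    def storage_savings(self):
        """Fraction of offered payload bytes the cache avoided storing."""
        return 1 - self.bytes_stored / self.bytes_offered if self.bytes_offered else 0.0

    def top_signatures(self, n=3):
        """Most frequently seen signatures: a quick view of what dominates."""
        return Counter(sig for sig, _, _ in self.sightings).most_common(n)

# Constructed sample: one probe payload repeated from eight sources on one
# port, plus two distinct SMTP-looking payloads.
SAMPLE = [(b"probe-" + b"A" * 58, f"198.51.100.{i}", 445) for i in range(1, 9)] + [
    (b"EHLO scanner\r\n", "203.0.113.5", 25),
    (b"HELO x\r\n", "203.0.113.6", 25),
]

def run_sample():
    cache = PayloadCache()
    new_payloads = sum(1 for p, s, d in SAMPLE if cache.observe(p, s, d)[1])
    return cache, new_payloads
```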
Observations and Experiences (Cont.)
Scanning
- One artifact of more recent worms is that, after compromising a system, these worms commonly install backdoors on the system they infect
- The IMS has the ability to respond as if these new services were running, allowing the collection of the scan payload
- Starting on approximately March 20, 2004, IMS began tracking significant amounts of scanning on backdoor ports left by widespread variants of the Bagle and MyDoom mail-based worms

Observations and Experiences (Cont.)
Distributed Denial of Service Attacks
- On December 10, 2003, shortly after 4PM EST, a long-lived denial of service attack began against a single web server address for The SCO Group (www.sco.com)
- Because these attacks utilized spoofed source addresses, the IMS system was able to observe some of the backscatter from the attacks

Distributed Denial of Service Attacks (Cont.)
- Denial of service attacks represent an interesting demonstration of the utility of the IMS and the need for address diversity
- Because attacks may randomize their source addresses over the entire Internet, smaller swaths of address space may not be able to accurately determine the scope and magnitude of an attack (e.g. a /24 may only see .000005% of the backscatter, while a /8 may see .5%)
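Added example, not from the IMS or iSink papers, combining the backscatter classification used on the service-provider sink slides with the address-coverage point above: for attacks that spoof sources uniformly over IPv4, a /p sensor sees 2^(32-p)/2^32 of the backscatter (2^-24 for a /24, 1/256 for a /8), the same orders of magnitude as the slide's figures. The packet records, attack rate and duration are constructed.

```python
from collections import Counter

# Constructed dark-net records (proto, tcp_flags_or_icmp_type, dst). The sensor
# never initiates connections, so any reply that reaches it is backscatter from
# an attack that spoofed one of its addresses as a source.
SAMPLE = (
    [("tcp", "S", f"192.0.2.{i}") for i in range(1, 41)]              # scans / worm probes
    + [("tcp", "RA", "192.0.2.7")] * 3 + [("tcp", "SA", "192.0.2.9")]  # backscatter
    + [("icmp", "ttl-exceeded", "192.0.2.3")] * 2
    + [("udp", "", "192.0.2.15")] * 4
)

def classify(proto, flags):
    """Label one packet captured by a passive dark-address sensor."""
    if proto == "tcp":
        if flags == "S":
            return "scan"              # unsolicited connection attempt
        if flags in ("SA", "RA", "R", "SAR"):
            return "backscatter"       # reply to a SYN/RST we never sent
        return "tcp-other"
    if proto == "icmp":
        # ambiguous by itself: routing loop or a flood with a low initial TTL
        return "icmp-ttl-exceeded" if flags == "ttl-exceeded" else "icmp-other"
    return f"{proto}-probe"

def summarize(packets):
    """Class -> (count, percent of all packets seen)."""
    counts = Counter(classify(p, f) for p, f, _ in packets)
    total = sum(counts.values())
    return {k: (v, round(100 * v / total, 1)) for k, v in counts.items()}

def visible_fraction(prefix_len, attack_rate_pps=0, duration_s=0):
    """Share of uniformly spoofed backscatter that a /prefix_len sensor sees,
    and the expected number of backscatter packets it collects from an attack
    of attack_rate_pps packets per second lasting duration_s seconds."""
    share = 2 ** (32 - prefix_len) / 2 ** 32
    return share, share * attack_rate_pps * duration_s
```

The expected-count figure makes the diversity argument concrete: a /24 collecting a few hundred packets from an hour-long, million-packet-per-second flood cannot estimate its magnitude with any confidence.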