The Internet Motion Sensor

Information about The Internet Motion Sensor

Published on October 7, 2007

Author: Arley33

Source: authorstream.com

Content

The Internet Motion Sensor: A Distributed Blackhole Monitoring System
Presented by: Arun Krishnamurthy
Authors: Michael Bailey, Evan Cooke, Farnam Jahanian, Jose Nazario, David Watson
12th Annual Network and Distributed System Security Symposium (NDSS'05)

Presentation Outline
- The Threat Problem: why the Internet Motion Sensor (IMS) was created
- Introduction to IMS: what is it, what is it supposed to do, what are the components?
- Observations: what nasty stuff did IMS find?
- My comments and conclusion: what rocked, what sucked, suggestions for improvement

The Threat Problem
- A network that is always connected is highly vulnerable to threats.
- Threat properties:
  - Globally scoped.
  - May have no patches or fixes.
  - Evolutionary.
  - Can spread through the entire network within minutes.

The Threat Problem (continued)
- Promising method to investigate threats: monitor unused or dark address space.
- Issues:
  - Sensor coverage: visibility of the system into Internet threats.
  - Service emulation: what services to emulate, and at what level to emulate them?

The Internet Motion Sensor (What is it?)
- Definition: a globally scoped Internet monitoring system whose objective is to measure, characterize, and track threats.
- Goals:
  - Maintain a level of interactivity that can differentiate traffic on the same service.
  - Provide visibility into Internet threats beyond address, geographical, and operational boundaries.
  - Enable characterization of emerging threats while minimizing incremental effort.

The Internet Motion Sensor (Architecture – Basic Idea)
- Consists of a set of distributed blackhole sensors, each monitoring a dedicated range of unused IP address space.
- Each blackhole sensor contains a passive and an active component.
  - Passive component: records packets sent to the sensor's address space.
  - Responds to specific packets to elicit more data from the source.
  - Active component: designed to extract the first payload of data across the major protocols.

The Internet Motion Sensor (Architecture – Diagram)

The Internet Motion Sensor (Architecture – Main Components)
- Distributed blackhole network: used to increase visibility into global threats.
- Lightweight active responder: provides enough interactivity that traffic on the same service can be differentiated independent of application semantics.
- Payload signatures and caching: used to avoid recording duplicate payloads.

The Internet Motion Sensor (Distributed Blackhole Network)
- A large distributed sensor network built from address blocks of many sizes that are scattered throughout the network.
- Using Moore's telescope analogy, blocks of larger sizes have broader detection coverage.
- Different sensors observe different magnitudes and types of traffic (compare a /16 address sensor with a /8 address sensor).

The Internet Motion Sensor (Lightweight Responder)
- Main responsibility is to elicit payloads for TCP connections.
- Two key contributions:
  - Ability to elicit payloads to differentiate traffic.
  - Ability to get responses across ports without application semantic information.

The Internet Motion Sensor (Lightweight Responder – Other Characteristics)
- Differentiates services: by using payload signatures, IMS can identify the presence of new worms even in extremely noisy conditions.
- Service agnostic: enables insight into less popular services. Example: backdoor ports on existing worms.
- One limitation: IMS provides little or no information on threats that depend on application-level responses.

The Internet Motion Sensor (Payload Signatures and Caching)
- Basic idea: compute the MD5 checksum of the payload.
  - If the checksum is found in the cache, log only the signature (do NOT store the payload).
  - Else, store both the payload and the signature.
- With a 96% cache hit rate, this method saves over 100 GB/day per address sensor!

The Internet Motion Sensor (Payload Signatures and Caching Example)
Three consecutive slides show a payload arriving at the blackhole sensor together with its MD5 signature:
- 9e107d9d372bb6826bd81d3542bt569g (MD5 signature + payload, sent to the blackhole sensor)
- e56d4cd98f00b204e9800998ecf8427e (MD5 signature + payload, sent to the blackhole sensor)
- 9e107d9d372bb6826bd81d3542bt569g (MD5 signature + payload, sent to the blackhole sensor; the same signature as on the first slide)

The Internet Motion Sensor (Observations)
- An IMS prototype developed at the University of Michigan consisted of 28 address sensors at 18 physical locations.
- Three kinds of events captured: Internet worms, scanning, and distributed denial of service (DDoS) attacks.

The Internet Motion Sensor (Internet Worms)
IMS detection of various behaviors from worms:
- Worm virulence: how much traffic resulted from the worm? What routers/paths got congested?
- Worm demographics: how many hosts were infected? Operating system and other information about the hosts?
- Worm propagation: how does the worm select its next target?
- Community response: which organizations reacted the fastest? Who is still infected?

The Internet Motion Sensor (The Blaster Worm)
- Description: affected Windows 2000/XP systems running DCOM RPC services and used a buffer overflow attack to run code on the target machine.
- In a 7-day period, IMS detected 3 phases: 1st phase growth, 2nd phase decay, 3rd phase persistence.

The Internet Motion Sensor (The Blaster Worm – Phases Diagram)

The Internet Motion Sensor (The Blaster Worm, continued)
- Other observation: the Blaster worm sends an exploit on TCP port 135, then follows with some commands on TCP port 4444.
- Conclusion from Blaster worm observations: IMS provides data that can differentiate between different variants of worms. Passive blackhole sensors cannot do that!

The Internet Motion Sensor (Blaster Worm Captured)

The Internet Motion Sensor (Scanning)
- Attackers scan for vulnerable services in order to exploit them.
- Beagle and MyDoom worms: SMTP worms that began spreading in 2004. They listen on port 2745 (Beagle) and port 3127 (MyDoom) as backdoors to load malicious software.
- Conclusion from observations: the lightweight responder allowed IMS to detect the backdoor ports. Since both worms have variants, having the responder was less time consuming than creating handcrafted service modules for each variant.

The Internet Motion Sensor (Beagle and MyDoom Scanning Activity Chart)

The Internet Motion Sensor (Distributed Denial of Service)
- These attacks rely on many end hosts to consume network resources.
- The SCO Group attack: attacked www.sco.com on December 10, 2003; targeted 3 web servers, an FTP server, and an SMTP server.
- Since the attackers used spoofed IP addresses, IMS was able to observe some backscatter from these attacks.
- Conclusion from observation: showed the need for address diversity (having different blocks of many sizes).

The Internet Motion Sensor (Backscatter Diagram from SCO Attack)

The Internet Motion Sensor (Strengths)
- IMS' variety of address blocks allows it to find various worms that passive sensors cannot detect.
- The payload signature and caching system can save over 100 GB of memory per sensor per day!

The Internet Motion Sensor (Weaknesses)
- Provides little or no information on threats that depend on application-level responses. Example: NetBIOS services require an RPC bind() before an RPC request() can be made. IMS can detect the RPC bind(), but not the RPC request(), since no application-level response was sent.
- Requires a relatively powerful machine: an x86 machine with at least 1 GB RAM.[1]

[1] From the Internet Motion Sensor FAQ site: http://ims.eecs.umich.edu/faq/index.html

The Internet Motion Sensor (Suggestions for Improvement)
- Find a way to get information on threats that depend on application-level responses.
- Get IMS to fully learn the behavior of worms so it can automatically develop patches.

The Internet Motion Sensor (Conclusion)
- The IMS uses a variety of blackhole sensors of various sizes to track, characterize, and measure threats.
- It can detect various types of threats that passive sensors can't detect!
- It would be great to run if you have a relatively powerful computer!
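The payload signature cache described on the "Payload Signatures and Caching" slides, as an added example (not code from the presentation or from the IMS project): each payload is hashed, a hit logs only the signature, a miss stores payload and signature, and the sensor tracks how many bytes the cache kept off disk. The class, method names and the sample stream are all constructed for this illustration.

```python
import hashlib


class BlackholeSensor:
    """Payload signature cache as the slides describe it: MD5 each payload;
    on a cache hit log only the signature, on a miss store payload and
    signature. MD5 is kept because IMS used it; a sensor built today should
    use SHA-256, since MD5 collisions are practical."""

    def __init__(self):
        self.seen = set()        # signatures whose payload is already stored
        self.stored = []         # full payloads written to disk
        self.log = []            # (signature, payload_stored) per packet
        self.hits = self.misses = 0
        self.total_bytes = 0     # payload bytes observed on the wire

    def observe(self, payload: bytes) -> str:
        sig = hashlib.md5(payload).hexdigest()
        self.total_bytes += len(payload)
        if sig in self.seen:
            self.hits += 1
            self.log.append((sig, False))   # hit: log the signature only
        else:
            self.misses += 1
            self.seen.add(sig)
            self.stored.append(payload)     # miss: keep payload + signature
            self.log.append((sig, True))
        return sig

    def stored_bytes(self) -> int:
        return sum(len(p) for p in self.stored)

    def hit_rate(self) -> float:
        total = self.hits + self.misses
        return self.hits / total if total else 0.0


# Constructed sample stream: one 1000-byte payload repeated heavily (worm-like)
# plus two unique payloads, 50 packets in total.
SAMPLE_STREAM = [b"A" * 1000] * 24 + [b"B" * 1000] + [b"A" * 1000] * 24 + [b"C" * 1000]


def run_sample() -> BlackholeSensor:
    sensor = BlackholeSensor()
    for payload in SAMPLE_STREAM:
        sensor.observe(payload)
    return sensor
```

On the sample stream only 3 of 50 payloads (3,000 of 50,000 bytes) are written in full, a 94% hit rate; the slides' 96% figure is where the "over 100 GB/day per sensor" saving comes from.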
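The Blaster observation above (an exploit on TCP port 135 followed by commands on TCP port 4444) is the kind of per-source sequence a sensor operator can turn into a detection rule. The following is an added example, not code from the presentation or from IMS: it runs over constructed flow records in a hypothetical log format and flags source/destination pairs where a 4444 contact follows a 135 contact within a configurable window.

```python
from datetime import datetime

# Constructed flow records, as a sensor's passive component might log them:
# "<ISO time> <src> -> <dst>:<dport> <proto>" (hypothetical format).
SAMPLE_FLOWS = """\
2003-08-12T10:00:01 10.0.0.5 -> 192.0.2.10:135 tcp
2003-08-12T10:00:03 10.0.0.5 -> 192.0.2.10:4444 tcp
2003-08-12T10:00:07 10.0.0.9 -> 192.0.2.11:135 tcp
2003-08-12T10:00:08 10.0.0.9 -> 192.0.2.12:135 tcp
2003-08-12T10:05:00 10.0.0.9 -> 192.0.2.11:4444 tcp
2003-08-12T10:06:00 10.0.0.7 -> 192.0.2.13:4444 tcp
"""

EXPLOIT_PORT = 135   # DCOM RPC: where the slides say Blaster sends its exploit
COMMAND_PORT = 4444  # where Blaster follows up with commands


def parse_flow(line: str):
    """Return (timestamp, src, dst, dport) for one log line."""
    ts, src, _arrow, dst_port, _proto = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port)


def detect_blaster_sequences(log_text: str, window_s: int = 60):
    """Flag (src, dst) pairs where a contact on 4444 follows a contact on 135
    between the same two hosts within window_s seconds. A 4444 contact with
    no preceding 135, or one outside the window, is not flagged."""
    last_exploit = {}   # (src, dst) -> time of the most recent port-135 contact
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = parse_flow(line)
        key = (src, dst)
        if dport == EXPLOIT_PORT:
            last_exploit[key] = ts
        elif dport == COMMAND_PORT and key in last_exploit:
            if 0 <= (ts - last_exploit[key]).total_seconds() <= window_s:
                flagged.append(key)
                del last_exploit[key]   # report each exploit/command pair once
    return flagged


if __name__ == "__main__":
    for src, dst in detect_blaster_sequences(SAMPLE_FLOWS):
        print(f"Blaster-like sequence: {src} -> {dst} (135 then 4444)")
```

With the default 60-second window only 10.0.0.5 is flagged; widening it to 600 seconds also catches 10.0.0.9, while 10.0.0.7 (4444 with no prior 135) is never flagged.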
