Transcript Document

Network Measurements: Unused IP address space traffic analysis at SSSUP Campus Network
Francesco Paolucci, Piero Castoldi
Research Unit at Scuola Superiore Sant’Anna, Pisa, Italy
Italy-Tunisia Research Project
sponsored by MIUR under FIRB International program
1st year plenary meeting, Tunis, March 29, 2007
Unused address space traffic
Dumping Internet traffic sent to unused IP address space can give information about attacks towards the target subnetwork.
Since there is no legitimate reason for a host to send packets to those destinations, such traffic provides strong evidence of malicious activity, including DDoS backscatter, port scanning, and probe activity from active worms.
Useful Tools
Two kinds of tools acquire information about unused traffic:
• Network telescopes
  – They work by monitoring traffic sent to communication dead-ends such as unallocated portions of the IP address space.
  – They can potentially provide early warning of a scanning-worm outbreak, and can yield excellent forensic information.
• Honeypots
  – They are closely monitored network decoys serving several purposes.
  – They can distract adversaries from more valuable machines on a network.
  – They allow in-depth examination of adversaries during and after exploitation of a honeypot.
When coupled with honeypots, telescopes can be used to interact with potentially malicious traffic in order to determine the intent behind the traffic, including the particular vulnerabilities being exploited and follow-on activity after a compromise succeeds.
SSSUP Unused traffic dumping
Scuola Superiore Sant'Anna Campus Network
• 8 different sites in Pisa and Pontedera
• Average incoming traffic: 25 Mbit/s
• 4 class-C address space
• Total IP address space = 1016
• Utilized IP address space = 162 (16%)
(Slide diagram: placement of the network sniffer and analyzer.)
Measurements Tools
• Linux box PC equipped with a high-performance Intel Network Interface Card
• Sniffer: Dumpcap (Wireshark suite)
• Analyzer and offline filtering: Tshark and Wireshark
• Dumping point: last switch to the GARR network, NO NAT, NO FIREWALL.
Dumping methodology
• Only incoming traffic is traced
• 1-hour long dumping twice a day for a week
  – Most of the anomalous activities last less than 1 hour
  – Day-time and night-time traces give indications about high and low human user traffic characteristics
• Light online filtering
• Complex offline filtering (entire IP address space set filter)
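The offline step above, building the "entire IP address space set" filter and then reducing the matched packets to the statistics the following slides report, as an added illustration that is not part of the original slides. The four /24 prefixes, the in-use addresses and the packet records are constructed placeholders (the real SSSUP ranges are not on the page); the record layout assumes fields exported with tshark -T fields.

```python
import ipaddress
from collections import Counter

# Constructed placeholders: four class-C prefixes and the addresses assumed in use.
MONITORED = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
IN_USE = {"10.0.0.10", "10.0.0.25", "10.0.1.1", "10.0.2.80"}

# Constructed sample records: (src, dst, proto, dst_port, frame length in bytes).
SAMPLE_PACKETS = [
    ("203.0.113.5", "10.0.0.10", "tcp", 80, 1200),   # legitimate web traffic to a used host
    ("203.0.113.5", "10.0.0.25", "tcp", 25, 800),    # legitimate mail traffic
    ("198.51.100.7", "10.0.0.200", "tcp", 445, 70),  # SYN to an unused host (scan)
    ("198.51.100.7", "10.0.0.201", "tcp", 445, 70),
    ("198.51.100.7", "10.0.1.77", "tcp", 135, 70),
    ("192.0.2.9", "10.0.3.40", "udp", 1026, 500),    # Messenger spam to an unused host
    ("192.0.2.9", "10.0.3.41", "udp", 1027, 500),
    ("198.51.100.7", "10.0.2.3", "icmp", 0, 70),     # ping to an unused host
]


def unused_addresses(prefixes, in_use):
    """All host addresses of the monitored prefixes that are not allocated.
    hosts() skips network and broadcast, i.e. 254 per /24 (4 x 254 = 1016)."""
    used = {ipaddress.ip_address(a) for a in in_use}
    hosts = set()
    for p in prefixes:
        hosts.update(ipaddress.ip_network(p).hosts())
    return hosts - used


def tshark_filter(unused):
    """Display filter (tshark -Y / Wireshark) matching any unused destination,
    using the set-membership syntax of Wireshark display filters."""
    return "ip.dst in {" + " ".join(str(a) for a in sorted(unused)) + "}"


def unused_traffic_stats(packets, unused):
    """Share of packets to unused space, top sources, destination-port mix
    and mean frame length per protocol, as on the results slides."""
    unused_str = {str(a) for a in unused}
    hits = [p for p in packets if p[1] in unused_str]
    lengths = {}
    for p in hits:
        lengths.setdefault(p[2], []).append(p[4])
    return {
        "total": len(packets),
        "to_unused": len(hits),
        "share_pct": round(100.0 * len(hits) / len(packets), 2) if packets else 0.0,
        "top_sources": Counter(p[0] for p in hits).most_common(3),
        "ports": Counter((p[2], p[3]) for p in hits),
        "avg_len": {proto: sum(v) / len(v) for proto, v in lengths.items()},
    }
```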
Global traffic results: 25 Mbit/s
• UDP packets (13%)
• TCP packets (86%)
(Slide pie charts; the sector percentages cannot be matched to their labels in the extracted text.)
TCP traffic by destination port, chart sectors: High ports (P2P, Spam), HTTP (80), P2P server port 8080, SMTP (25), HTTPS (443), SSH (22), POP (110), Messenger (1863), FTP (21)
Second port-breakdown chart sectors: High Ports, eDonkey (4662, 4672), DNS (53), OICQ (8000), MSN (1863)
About 80% of the traffic is driven by peer-to-peer applications.
Within high-ports traffic (src and dst > 1024), port values are spread out (no particular value emerges): P2P applications choose random high ports.
Unused traffic main results
• Traffic to unused addresses represents 0.2% of the total incoming packets on the whole subnet.
• 4 pkts/s, average rate 6 kbit/s
• The traffic activity profile is constant and independent of the time of day (no profile differences between day and night time)
• Almost all of the traffic consists of TCP SYN or UDP spam packets
Packets statistics
• TCP and ICMP packets are quite short (SYN, PING = 70 bytes long)
• UDP packets are longer (500 bytes long)
Unused Traffic sources
Source IP         Packets   % Total Packets
193.194.89.102    9306      5%
193.205.39.28     5822      3%
74.7.94.205       4200      2.2%
193.111.95.32     4180      2.2%
12.161.101.51     3912      2%
221.209.110.8     3558      1.9%
207.176.236.7     3546      1.8%
221.209.110.13    3469      1.8%
222.28.80.5       3400      1.8%
202.97.238.200    3163      1.6%
TCP destination ports statistics
• Port 445 (Microsoft-DS, Active Directory, Windows shares; Sasser worm, Agobot, Zobot worm)
• Port 135 (EPMAP (End Point Mapper) / Microsoft RPC Locator Service; Nachi or MSBlast worms)
• Port 22 (SSH SYN)
These three ports represent more than 75% of the total TCP traffic.
UDP destination ports statistics
• Port 1026 (CAP, Calendar Access Protocol; Windows Messenger spam)
• Port 1027 (unassigned; Messenger spam)
• Port 1434 (MS-SQL; systems infected with SQL Slammer)
These three ports represent 97% of the total UDP traffic.
ICMP packets
• Type 8 (Ping request): 96%
Burstiness characteristics
• Similar behaviour at day and night time
• Peaks of 3-4 Mbit/s instantaneous rate in 300 ms interval events (SPAM)
• SCAN and ICMP events average 1 kbit/s
(Slide plots: DAY and NIGHT traces.)
Traffic burstiness sorted by protocol
Different behaviour between TCP, UDP and ICMP traffic:
• TCP
  – "Constant" bursts (1 packet, t_inter = 4 s, duration = 0.2 s, rate 0.4 kbit/s)
  – Burst train events (event duration = 100 s, each burst lasts 0.3 s with a 200 kbit/s peak rate)
• UDP
  – Isolated 0.2 s long bursts with up to 3 Mbit/s peak rate (SPAM)
• ICMP
  – Similar behaviour to TCP but lower peak and average rate (PING)