Characteristics of Internet
Background Radiation
Authors: Ruoming Pang, Vinod
Yegneswaran, Paul Barford, Vern
Paxson, Larry Peterson
ACM Internet Measurement
Conference (IMC), 2004
Presenter: Tai Do
CDA6938
UCF, Spring 2007
Introduction
• Background Radiation:
– Traffic sent to unused addresses.
– Nonproductive traffic: malicious (flooding
backscatter, hostile scan, spam) OR
benign (misconfigurations).
– Pervasive nature (hence “background”).
Backscatter
Source: [MVS01]
Introduction
• Goals of Characterization:
–What is all this nonproductive traffic
trying to do?
–How can we filter it out to detect
new types of malicious activity?
Outline
• Introduction
• Measurement Methodology
– Filtering
– Responders
– Experimental Setup
• Data Analysis
• Concluding Remarks
Measurement Methodology
(Filtering)
• Enormous volume of data:
– 30,000 packets/sec of background radiation
on a Class A network.
• Source-Destination Filtering:
– Assumption: background radiation sources possess the same degree of affinity to all monitored IP addresses (a source does the same thing to each address it touches).
– For each source, keep the connections to N destinations and drop the rest.
Measurement Methodology
(Active Responders)
• Why Active Responders?
– Elicit further activity from scanners.
– Differentiate different types of background
radiation.
• Stateless Responder: based on Active
Sink.
• Stateful Responder: based on Honeyd.
Measurement Methodology
(Application-Level Responders)
• Data-driven:
– Which responders to build is decided by the observed traffic volumes.
• Application-level Responders:
– Must not only adhere to the structure of the underlying protocol, but also know what to say.
• New types of activity emerge over time, so the responders also need to evolve.
• To what degree can the development of responders be automated?
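The point of an application-level responder is that it parses just enough of the request to answer plausibly and to tag the activity for later analysis. The example below is added for illustration and is not the paper's responder code; the HTTP parsing, the request-URI length threshold, the activity labels and the placeholder Server banner are all assumptions, and the sample requests are constructed.

```python
"""Minimal application-level HTTP responder in the spirit of the
paper's data-driven responders: parse the request line, choose a
plausible reply, and tag the activity so it can be tallied.
Added example; thresholds, labels and banner are assumptions."""
import re
from collections import Counter

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)\r?\n")
LONG_URI = 1024  # assumed threshold for flagging an oversized request-URI

# Constructed sample requests (not from the paper's traces)
SAMPLE_REQUESTS = [
    b"GET / HTTP/1.1\r\nHost: 10.0.0.1\r\n\r\n",
    b"SEARCH /" + b"A" * 2000 + b" HTTP/1.1\r\nHost: 10.0.0.1\r\n\r\n",
    b"\x01\x02not-http",
]


def classify_request(raw: bytes) -> str:
    """Return an activity label for one raw HTTP request."""
    m = REQUEST_LINE.match(raw)
    if not m:
        return "non-http"
    method, uri = m.group(1), m.group(2)
    if method == b"SEARCH":  # WebDAV method
        return "webdav-search-long-uri" if len(uri) > LONG_URI else "webdav-search"
    if method in (b"GET", b"HEAD", b"POST", b"OPTIONS"):
        return "http-" + method.decode().lower()
    return "http-other"


def build_response(label: str) -> bytes:
    """Stateless reply chosen by label.  The banner is a placeholder that
    stands in for whatever the monitored population expects to see."""
    banner = b"Server: placeholder-web-server/1.0\r\n"
    if label == "non-http":
        return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    if label.startswith("webdav"):
        body = b'<?xml version="1.0"?><D:multistatus xmlns:D="DAV:"/>'
        return (b"HTTP/1.1 207 Multi-Status\r\n" + banner +
                b"Content-Type: text/xml\r\nContent-Length: %d\r\n\r\n" % len(body) + body)
    body = b"<html><body>ok</body></html>"
    return (b"HTTP/1.1 200 OK\r\n" + banner +
            b"Content-Type: text/html\r\nContent-Length: %d\r\n\r\n" % len(body) + body)


def respond(raw: bytes):
    """Label a request and produce the reply the responder would send."""
    label = classify_request(raw)
    return label, build_response(label)


def tally_labels(requests):
    """Volume per label: the data that decides which responders to build next."""
    return Counter(classify_request(r) for r in requests)


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        label, reply = respond(req)
        print(label, reply.split(b"\r\n", 1)[0])
    print(tally_labels(SAMPLE_REQUESTS))
```

In a real deployment the same function would sit behind a socket accept loop; here the tally over constructed requests is what the "data-driven" step consumes when deciding where the next responder is worth writing.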
Measurement Methodology
(Application-Level Responders)
• Responders developed for:
– HTTP (port 80)
– NetBIOS (port 137/139)
– CIFS/SMB (port 139/445)
– DCE/RPC [10] (port 135/1025 and CIFS named pipes)
– Dameware (port 6129)
– Backdoors installed by MyDoom (port 3127) and Beagle (port 2745)
Measurement Methodology
(Experimental Setup)
• Two different systems: iSink, and LBL Sink.
• Traces collected from three sites:
– Class A network (large)
– UW campus (medium)
– Lawrence Berkeley Lab (LBL) (small)
• Same forms of application response.
• Different underlying mechanisms.
• Support two kinds of data analysis:
– Passive analysis: no filter, no responder
– Active analysis: with filter, and responder
Experimental Setup: iSink
Experimental Setup: LBL Sink
Outline
• Introduction
• Measurement Methodology
• Data Analysis
– Passive Analysis
– Active Analysis
• Activities in Background Radiation
• Characteristics of Sources
• Concluding Remarks
Passive Measurement
Traffic Composition
• What is the type and volume of observed traffic when no packet is actively responded to?
• Findings:
– TCP dominates in all three networks (compared to ICMP and UDP).
– TCP/SYN packets constitute a significant portion of the background radiation traffic.
– A small number of ports are the targets of the majority of TCP/SYN packets.
Activities in Background Radiation
• Study the dominant activities on the popular ports.
• Traffic is divided by port:
– Consider all connections between a source-destination pair on a given destination port.
• Background radiation concentrates on a small number of ports:
– Only look at the most popular ports.
– Many popular ports are also used by normal traffic → classify activity at the application-semantic level.
• Investigate 12 ports.
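The passive composition questions (protocol mix, SYN share, port concentration) and the per-port grouping of connections between a source-destination pair are all simple tallies over a packet trace. The block below is an added example, not the paper's analysis code; the packet records are constructed, and a "connection" is approximated as a distinct source port between the same source and destination on one destination port.

```python
"""Passive traffic composition and per-port connection grouping over a
constructed packet trace.  Added example, not the paper's code."""
from collections import Counter, defaultdict

# Constructed trace records (not from the paper's data):
# (timestamp, proto, src, dst, sport, dport, tcp_flags)
PACKETS = [
    (1.0, "tcp",  "198.51.100.7", "10.1.0.1", 40001, 445, "S"),
    (1.1, "tcp",  "198.51.100.7", "10.1.0.2", 40002, 445, "S"),
    (1.2, "tcp",  "198.51.100.7", "10.1.0.2", 40003, 445, "S"),
    (2.0, "tcp",  "198.51.100.9", "10.1.0.1", 51000, 80,  "S"),
    (2.1, "tcp",  "198.51.100.9", "10.1.0.1", 51000, 80,  "PA"),
    (3.0, "udp",  "203.0.113.5",  "10.1.0.3", 1234,  137, ""),
    (3.5, "icmp", "203.0.113.6",  "10.1.0.4", 0,     0,   ""),
    (4.0, "tcp",  "198.51.100.9", "10.1.0.5", 51001, 135, "S"),
]


def protocol_composition(pkts):
    """Packets per transport protocol."""
    return Counter(p[1] for p in pkts)


def syn_fraction(pkts):
    """Share of TCP packets that are bare SYNs (connection attempts)."""
    tcp = [p for p in pkts if p[1] == "tcp"]
    syns = [p for p in tcp if p[6] == "S"]
    return len(syns) / len(tcp) if tcp else 0.0


def top_syn_ports(pkts, k=3):
    """Destination ports drawing the most TCP/SYN packets."""
    counts = Counter(p[5] for p in pkts if p[1] == "tcp" and p[6] == "S")
    return counts.most_common(k)


def connections_by_port(pkts):
    """Map dport -> {(src, dst): number of distinct connections}.
    A connection is approximated by a distinct source port (assumption)."""
    conns = defaultdict(lambda: defaultdict(set))
    for _ts, proto, src, dst, sport, dport, _flags in pkts:
        if proto != "tcp":
            continue
        conns[dport][(src, dst)].add(sport)
    return {port: {pair: len(sports) for pair, sports in pairs.items()}
            for port, pairs in conns.items()}


if __name__ == "__main__":
    print(protocol_composition(PACKETS))
    print("SYN fraction of TCP: %.2f" % syn_fraction(PACKETS))
    print("Top SYN ports:", top_syn_ports(PACKETS))
    for port, pairs in connections_by_port(PACKETS).items():
        print(port, pairs)
```

On a real trace the same three tallies are what justify restricting the active analysis to a dozen ports: if the SYN count per port falls off steeply, the tail can be left to the passive view.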
TCP Port 80 (HTTP)
• Targeted against Microsoft IIS servers.
• Dominant activity is a WebDAV buffer-overrun exploit.
Port 80 Activities
Characteristics of Sources
• Study background radiation activities coming
from the same source IP (activity vector).
• Activity vector in three dimensions:
– Across ports
– Across destination networks
– Over time
• Caveat:
– DHCP: hosts might be assigned different addresses
over time.
Sources Across Ports
• Activities across ports may give a better picture of a source’s goals.
Agobot Sources: UW 1
• Top two exploits are extensively observed across all 4 networks.
Sources Seen Over Time
• Witty did not persist over a month: it deliberately damages its host.
• Blaster’s grip on hosts is quite tenacious.
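The activity vector of a source is just its labelled sessions projected onto three dimensions: ports, destination networks, and days seen. The block below is an added example, not the paper's code, and its session records are constructed; it assumes the sessions were already labelled by an application-level responder and that a source IP identifies one host for the whole period, which is exactly the DHCP caveat from the previous slide.

```python
"""Per-source activity vectors across ports, destination networks and time.
Added example, not the paper's code.  Sessions are constructed records
already labelled by a responder; the source IP is assumed to identify
one host for the whole period (the DHCP caveat is not handled here)."""
from collections import defaultdict

# Constructed: (day, source_ip, destination_network, dport, activity_label)
SESSIONS = [
    (1,  "198.51.100.7", "net-A", 445,  "exploit-X"),
    (1,  "198.51.100.7", "net-B", 135,  "exploit-Y"),
    (5,  "198.51.100.7", "net-A", 445,  "exploit-X"),
    (30, "198.51.100.7", "net-A", 445,  "exploit-X"),
    (2,  "203.0.113.9",  "net-A", 4000, "udp-probe"),
    (2,  "203.0.113.9",  "net-B", 4000, "udp-probe"),
]


def activity_vectors(sessions):
    """Build {src: {"ports": {port: set(activities)},
                    "networks": set(networks), "days": set(days)}}."""
    vectors = {}
    for day, src, net, port, activity in sessions:
        v = vectors.setdefault(
            src, {"ports": defaultdict(set), "networks": set(), "days": set()})
        v["ports"][port].add(activity)
        v["networks"].add(net)
        v["days"].add(day)
    return vectors


def persistence_days(vector):
    """Inclusive span in days between first and last sighting of a source."""
    return max(vector["days"]) - min(vector["days"]) + 1


def multi_port_sources(vectors):
    """Sources whose activity spans more than one destination port."""
    return sorted(src for src, v in vectors.items() if len(v["ports"]) > 1)


def cross_network_sources(vectors, min_networks=2):
    """Sources seen hitting at least min_networks monitored networks."""
    return sorted(src for src, v in vectors.items()
                  if len(v["networks"]) >= min_networks)


def persistent_sources(vectors, min_days=30):
    """Sources still active min_days or more after first being seen."""
    return sorted(src for src, v in vectors.items()
                  if persistence_days(v) >= min_days)


if __name__ == "__main__":
    vectors = activity_vectors(SESSIONS)
    for src, v in vectors.items():
        print(src, {p: sorted(a) for p, a in v["ports"].items()},
              sorted(v["networks"]), "days:", persistence_days(v))
    print("multi-port:", multi_port_sources(vectors))
    print("persistent:", persistent_sources(vectors))
```

The persistence measure is what separates the two cases on this slide: a source whose infection destroys its host drops out of the trace within days, while one that merely installs a tenacious worm keeps reappearing across the month.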
Outline
• Introduction
• Measurement Methodology
• Data Analysis
• Concluding Remarks
Strengths of the paper
• First attempt to characterize background
radiation.
• Good Measurement Methodology:
– Effective filtering technique.
– Detailed set of active responders for popular ports.
• Meaningful Data Analysis:
– Passive Analysis: activities concentrate on few
popular ports.
– Active Analysis: Extreme dynamism in many aspects
of background radiation.
Limitations of the paper
• The filtering could be biased:
– It assumes a source sends the same kind of activity to all destination IP addresses.
– It fails to capture multi-vector worms that pick one exploit per IP address.
• The DHCP problem makes the source IP address less accurate as a source identity.
• To what extent can the development of application-level responders be automated?
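Both the source-destination filter from the Measurement Methodology (Filtering) slide and the bias raised here can be shown on one constructed trace: a source that does the same thing to every address is fully characterised after its first N destinations, while a source that rotates exploits per address loses everything past destination N. The block is an added example, not the paper's filter implementation; it assumes "N destinations" means the first N distinct destination addresses a source contacts, and the flow records are constructed.

```python
"""Source-destination filtering as described in the paper, plus the
blind spot listed under limitations.  Added example, not the paper's
code.  Assumption: "N destinations" means the first N distinct
destination addresses a source contacts; later ones are dropped."""

# Constructed flow records (not from the paper): (src, dst, dport, activity_label)
FLOWS = (
    # a source that does the same thing to every address it touches
    [("198.51.100.7", "10.0.0.%d" % i, 445, "exploit-A") for i in range(1, 6)]
    # a multi-vector source that picks a different exploit per address
    + [("203.0.113.9", "10.0.0.1", 445, "exploit-A"),
       ("203.0.113.9", "10.0.0.2", 135, "exploit-B"),
       ("203.0.113.9", "10.0.0.3", 80,  "exploit-C"),
       ("203.0.113.9", "10.0.0.4", 139, "exploit-D")]
)


def source_destination_filter(flows, n):
    """Keep, per source, only flows to its first n distinct destinations."""
    seen = {}
    kept = []
    for flow in flows:
        src, dst = flow[0], flow[1]
        dests = seen.setdefault(src, set())
        if dst in dests or len(dests) < n:
            dests.add(dst)
            kept.append(flow)
    return kept


def activities_by_source(flows):
    """Set of activity labels observed per source."""
    out = {}
    for src, _dst, _port, activity in flows:
        out.setdefault(src, set()).add(activity)
    return out


def missed_activities(all_flows, kept_flows):
    """Per source, labels present in the full trace but lost after filtering."""
    full = activities_by_source(all_flows)
    kept = activities_by_source(kept_flows)
    return {src: acts - kept.get(src, set()) for src, acts in full.items()}


def reduction(all_flows, kept_flows):
    """Fraction of flows the filter discards."""
    return 1 - len(kept_flows) / len(all_flows)


if __name__ == "__main__":
    N = 2
    kept = source_destination_filter(FLOWS, N)
    print("kept %d of %d flows (%.0f%% reduction)"
          % (len(kept), len(FLOWS), 100 * reduction(FLOWS, kept)))
    for src, lost in missed_activities(FLOWS, kept).items():
        print(src, "lost:", sorted(lost) or "nothing")
```

Comparing the "lost" sets against a full-capture sample of the same sources is a cheap check on whether the affinity assumption holds for a given trace before trusting the filtered view.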
Thank you.
Questions?
References
• [Barford2004] Paul Barford. Trends in Internet Measurement. PPT from U. of Wisconsin, Fall 2004.
• [MVS01] David Moore, Geoffrey M. Voelker, and Stefan Savage. Inferring Internet Denial-of-Service Activity. In Proceedings of the 10th USENIX Security Symposium, pages 9–22. USENIX, August 2001.
Some jargon
• Named pipe: supports inter-process communication. FIFO. System-persistent.
• CIFS: Common Internet File System.
• DCE/RPC: Distributed Computing Environment / Remote Procedure Call.
• SAMR: Security Account Manager Remote service.
• srvsvc: server service.
• msmsgri32.exe: ???
• SMB:
• Autorooter: similar to a worm, but without self-propagation.