SW+T StealthWatch + Therminator


ECE-8843
http://www.csc.gatech.edu/copeland/jac/8843/
Prof. John A. Copeland
[email protected]
404 894-5177
fax 404 894-0035
Office: GCATT Bldg 579
email or call for office visit, or call Kathy Cheek, 404 894-5696
Slide Set 12 - Network Traffic Visualization
Bandwidth Usage versus Time
TCP and UDP Port Usage Visualization
Result of Google “udp 27015”
• 27015 is the default port number for various Sierra Online/Valve multi-player online games -- "Halflife", among others.
• Any game client may also be a server, or optionally the user may run a game workstation in "dedicated" server mode. There are also various "dedicated" servers that run under Windows NT, Linux, FreeBSD (in Linux emulation mode, iirc), etc.
• Due to the somewhat decentralized nature of this architecture, there have sprung up several sites and software packages designed to help users find and join a game on a server that is playing the game or map that they prefer, is closest to them from a RTT sense, etc.
• Your probes on 27015/udp are most likely game locator servers or clients, or the game client itself looking for servers or requesting information regarding servers past or present.
Result of Google “tcp 6881”
• BitTorrent is a peer-to-peer network
• BitTorrent is not just a concept, but has a functioning implementation, already capable of swarming downloads across unreliable networks. This is the result of over two years of intensive development. http://bitconjurer.org/BitTorrent/introduction.html
Therminator Traffic Visualization
In the “Therminator” technology, each host is assigned to one of eight sets of hosts, each set associated with a “Bucket.” A Bucket can hold zero to fifteen “Balls.”
Bucket Set number calculation (three yes/no questions, one per bit):
• Host is Server for the present connection: add 1 (001). Client or Server?
• Host was seen during the last few days: add 2 (010). New or Old Friend?
• Host IP address is on our local network: add 4 (100). Outside or Inside?
e.g., a Client, New Friend (first seen today), Outside Host is in Bucket Set 0 (binary 000).
For programming purposes the eight Buckets are up-down counters whose value is limited to the range zero to fifteen.
A packet going from a Host in Bucket Set 5 to a Host in Bucket Set 7 would cause the following to happen (if Bucket 5 has fewer than 15 Balls and Bucket 7 has at least 1 Ball):
“Put a Ball in Bucket 5” = “Increment Counter 5”
“Remove a Ball from Bucket 7” = “Decrement Counter 7”
Unfinished Flash Tutorial provided by Lee Hartley of Lancope, Inc.
Time (30 minutes)
The present SW+T version uses 2-D graphics to display the Therminator-generated “State Distribution” and “Bucket Fill” numbers versus time, with a 30-second time interval (upper graphs). The lower graph and event log enable the network security analyst to determine the cause of the peaks shown in the “State Distribution” graph.
Peaks in the “State Distribution” indicate a significant imbalance in the network traffic.
“Bucket Counts” indicate which type of hosts sent more packets than they received (larger bar, 25% max) and which received more than they sent (smaller bar, may disappear).
Graph labels: Var^2, Phantom Hosts
Graphs that can help identify the cause of network events. The Var^2 curve is similar to the “State Distribution” graph. The Phantom Hosts curve has peaks when unused IP addresses are scanned. “Packets” peaks when there is a short-packet flood attack.
The “Events Log” generated by StealthWatch can precisely identify the cause of network events. It shows the most active Scans, Flows, and Hosts for each 30-second period. Here we see that host 219.178.8.5 sent 741 packets at 1:55:30 but received none. There is no corresponding Flow, so these packets were sent to multiple subnets and IP addresses.
Now that we have an IP address to investigate, we use StealthWatch to do a “Host Snapshot”. We find that the host is scanning for open TCP-445 ports and several other TCP ports (1430, 4679, 4681, 4685, ...).
We do a “whois” lookup on the IP address to find the network administrator who can be informed of a likely compromised host on his network, or of a malicious user. If we are worried about these scans, and do not need to communicate with the offending host or his whole domain, we can signal the firewall or router to drop packets coming from that location.
With “Flow Filter”
Here there are large FTP file transfers every 20 to 40 minutes that last about 90 seconds; these create peaks in the State Distribution curves similar to an attack or fast scan. To mitigate this effect, we use a “Flow Filter,” which skips packets from any flow that has completed a proper handshake and meets the criteria for a normal flow.
The above shows the results from a fast TCP port 80 scan by a host in England (at 21:55-22:05 PST). This shows up as rectangular peaks in State Distribution (upper left), and in non-flow packets and Var^2 (lower left).
Without “Flow Filter”
This display, taken at the same time without the Flow Filter, shows the results for the same fast TCP port 80 scan, which is now partially obscured by two FTP file transfers (at 21:44-21:46 and 21:54-21:57 PST).
StealthWatch + Therminator (SW+T) Basics
The source host and the destination host are determined to belong to one of eight categories, depending on the yes/no decisions of
three logic "switches." For example "Client/Server", "Old Friend/New Friend (Stranger)", "Known (Inside)/Unknown (outside)".
Bucket Count Graph (upper right)
The colored bars in the upper right graph represent the number of packets sent less the number received by each of these categories (called "Bucket Count"). These Bucket Counts are constrained: they start at 7 during each 30-sec time period and cannot go negative or exceed 15. When a color disappears it means that hosts in that category have received more packets than they sent (could contain victims). When a bar doubles in size (25% height), it means that hosts in that category have sent more packets than they received (could contain attackers).
State Count Graph (upper left)
Each packet results in a "State," which is represented by the 8 Bucket Count values (b0,b1,b2,b3,b4,b5,b6,b7). A count is kept of how many times each state is occupied during the 30-second time period. Because of the constraints on the b_i, a high-speed DoS attack or high-speed network scan will cause a few states to have high occupancy numbers. The stacked bar graph shows for each time period the occupancy numbers of the 12 most highly occupied states. The peaks indicate when significant events have occurred.
Events Log (lower left)
High-speed data file transfers can also cause State-Count peaks, as can high-speed scans, SYN floods, fragment floods, distributed DoS, UDP worm spreads, and so on. To determine the cause of a peak, consult the Event Log, which provides data from the underlying StealthWatch system. Listed here for each 30-second period are the most active Hosts (number of packets or increase in CI), Scans (number of new CI points), and Flows (number of packets). In SW 3.0, Hosts with a high increase in Victim-CI points will also be shown.
Status Graphs (upper right)
Three things are presently plotted that help analysis (the values also appear in the Events Log). The number of total packets can show if an appreciable increase in packets on a network occurs (seen with short-packet DoS attacks more than with file transfers). The "Missed IPs" value peaks when high-speed network scans send many packets to non-existent hosts (unused IP addresses). The VAR^2 value is a mean-square variation of the State Occupancy Values, which has been found to be another way to detect significant network events.
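The following Python model is an added example, not code from these slides or from Lancope's StealthWatch/Therminator product. It implements the bookkeeping described on the Therminator slide (bucket set bits 1/2/4, eight up-down counters that start at 7 each 30-second period and stay within 0..15, one ball moved from the destination's bucket to the source's bucket per packet) and the State Count described in the SW+T Basics slide (each packet yields a state, the 8-tuple of counters, whose occupancy is counted). Everything not stated on the slides is an assumption and is marked as such in the code: a host is treated as the server side when its port is below 1024, "old friend" means membership in a caller-supplied set of hosts seen on earlier days, inside/outside is a string-prefix test, and the VAR^2 stand-in is the population variance of the occupancy counts. The two traffic samples (a constructed TCP/445 sweep from one outside host, and a constructed balanced client/server exchange) show why a fast scan pins the counters and piles nearly all packets into a single state while balanced traffic does not.

```python
"""Toy model of Therminator buckets and the SW+T State Count (added example).

Assumptions not taken from the slides: server side = port below 1024;
old friend = in a caller-supplied set of previously seen hosts; inside =
IP string starts with the local prefix; VAR^2 stand-in = population
variance of the state occupancy counts for the period.
"""
from collections import Counter
from typing import Iterable, List, Tuple

Packet = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)

SERVER, OLD_FRIEND, INSIDE = 1, 2, 4            # bit weights from the slide
COUNTER_START, COUNTER_MIN, COUNTER_MAX = 7, 0, 15


def bucket_set(is_server: bool, old_friend: bool, inside: bool) -> int:
    """Bucket set number 0..7 for one host in one connection (slide rule)."""
    return ((SERVER if is_server else 0)
            | (OLD_FRIEND if old_friend else 0)
            | (INSIDE if inside else 0))


class TherminatorPeriod:
    """Bucket counters and state occupancy for one 30-second period."""

    def __init__(self, known_hosts: Iterable[str], local_prefix: str):
        self.known = set(known_hosts)         # hosts seen during the last few days
        self.local_prefix = local_prefix      # e.g. "10.0.0." (assumed prefix test)
        self.counters = [COUNTER_START] * 8   # eight buckets, 7 balls each at period start
        self.occupancy: Counter = Counter()   # state tuple -> packets that produced it
        self.packets = 0

    def classify(self, ip: str, port: int) -> int:
        return bucket_set(is_server=port < 1024,   # assumption: well-known port = server
                          old_friend=ip in self.known,
                          inside=ip.startswith(self.local_prefix))

    def feed(self, pkt: Packet) -> Tuple[int, ...]:
        src_ip, sport, dst_ip, dport = pkt
        s, d = self.classify(src_ip, sport), self.classify(dst_ip, dport)
        # Move one ball from the destination's bucket into the source's bucket,
        # but only if both counters stay inside 0..15 (the slide's condition).
        if self.counters[s] < COUNTER_MAX and self.counters[d] > COUNTER_MIN:
            self.counters[s] += 1
            self.counters[d] -= 1
        state = tuple(self.counters)          # the "State" the packet results in
        self.occupancy[state] += 1
        self.packets += 1
        return state

    def top_states(self, k: int = 12) -> List[Tuple[Tuple[int, ...], int]]:
        """The k most occupied states, as the State Count graph plots them."""
        return self.occupancy.most_common(k)

    def var2(self) -> float:
        """Population variance of the occupancy counts (stand-in for VAR^2)."""
        counts = list(self.occupancy.values())
        if not counts:
            return 0.0
        mean = sum(counts) / len(counts)
        return sum((c - mean) ** 2 for c in counts) / len(counts)


def scan_period() -> TherminatorPeriod:
    """Constructed sample: one outside host sweeps TCP/445 on 40 inside addresses."""
    p = TherminatorPeriod(known_hosts={"10.0.0.2", "198.51.100.7"}, local_prefix="10.0.0.")
    for i in range(1, 41):
        p.feed(("203.0.113.9", 40000 + i, f"10.0.0.{i + 10}", 445))
    return p


def balanced_period() -> TherminatorPeriod:
    """Constructed sample: known inside client and known outside web server, 10 round trips."""
    p = TherminatorPeriod(known_hosts={"10.0.0.2", "198.51.100.7"}, local_prefix="10.0.0.")
    for _ in range(10):
        p.feed(("10.0.0.2", 51000, "198.51.100.7", 80))
        p.feed(("198.51.100.7", 80, "10.0.0.2", 51000))
    return p


if __name__ == "__main__":
    for name, period in (("scan", scan_period()), ("balanced", balanced_period())):
        print(f"{name}: counters={period.counters} VAR^2={period.var2():.1f}")
        print("  top states:", period.top_states(3))
```

In the scan sample the scanner is in Bucket Set 0 (client, new, outside) and every target is in Bucket Set 5 (server, new, inside), so after seven packets counter 0 reaches 14 and counter 5 reaches 0; the remaining 33 packets can move no ball and all land in the same state, which is the single tall bar the slides describe. The balanced sample alternates between two states and gives a VAR^2 stand-in of zero.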