Visualizing Network Attacks
Eric Conrad
http://www.ericconrad.com
April 2009
1
A picture is worth 1,000 words
• Many network, security and system engineers have trained themselves to correlate complex information from text-based representations of events
  – Like Cypher in The Matrix
• However, many concepts lend themselves to visual interpretation
2
One example: visual cryptanalysis of DES ECB mode
• The Data Encryption Standard (DES) is a block cipher with a number of modes
• The ‘native mode,’ Electronic Code Book (ECB), does not ‘chain’ the ciphertext
  – Identical 64-bit blocks of plaintext become identical blocks of ciphertext
• As a result, patterns may propagate
• The other modes of DES destroy patterns by chaining the previous block of ciphertext with the next
3
Showing weaknesses of DES ECB mode
• Left image is a BMP, right image is the same BMP encrypted in ECB mode
4
Showing the effects of chaining
• Same logo, Cipher Block Chaining (CBC) mode ciphertext on right
5
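Added illustration, not from the original slides: this Python snippet runs a constructed two-tone “image” through ECB and CBC and prints one letter per ciphertext block, so the pattern leak of the encrypted BMP can be seen in text. The 64-bit block function is an assumed stand-in (HMAC-SHA256 truncated to 8 bytes), not DES; only the chaining behaviour of the modes matters for the demonstration.

```python
import hashlib
import hmac

BLOCK = 8  # DES uses 64-bit blocks

def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for the DES block function (assumption: HMAC-SHA256 truncated
    to 8 bytes). A keyed, deterministic mapping of one 64-bit block is all
    that is needed to show how ECB and CBC differ; this is not DES."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    # ECB: every block is encrypted on its own, so equal plaintext blocks
    # always give equal ciphertext blocks and the picture survives.
    return b"".join(block_encrypt(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))

def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    # CBC: each plaintext block is XORed with the previous ciphertext block
    # before encryption, so repeated plaintext no longer repeats in the output.
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        chained = bytes(p ^ c for p, c in zip(data[i:i + BLOCK], prev))
        prev = block_encrypt(key, chained)
        out.append(prev)
    return b"".join(out)

def block_pattern(ciphertext: bytes) -> str:
    """One letter per block, the same letter for equal blocks: the text
    analogue of the encrypted-BMP pictures on the slides."""
    seen, letters = {}, []
    for i in range(0, len(ciphertext), BLOCK):
        blk = ciphertext[i:i + BLOCK]
        letters.append(seen.setdefault(blk, chr(ord("A") + len(seen))))
    return "".join(letters)

# Constructed "image": 16 white pixels followed by 16 black pixels,
# 8 bytes per pixel so that each pixel is exactly one cipher block.
IMAGE = b"\xff" * BLOCK * 16 + b"\x00" * BLOCK * 16
KEY = b"0123456789abcdef"  # constructed demo key
IV = b"\x00" * BLOCK       # constructed demo IV

if __name__ == "__main__":
    print("ECB:", block_pattern(ecb_encrypt(KEY, IMAGE)))     # AAAA...BBBB
    print("CBC:", block_pattern(cbc_encrypt(KEY, IV, IMAGE)))  # all different
```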
DAVIX
• DAVIX is a live CD for data analysis and visualization
• Available at http://secviz.org/
• Burn the ISO to CD, and boot your laptop into a rich visualization environment
6
The DAVIX Live CD
• The DAVIX start menu links to all major tools
• Visualization work is broken down into 3 processes: Capture, Process, Visualize
7
The DAVIX process
• Capture includes tools that capture network data, like wireshark, tcpdump, etc.
• Process includes tools that manipulate data, such as afterglow.pl, as well as the classic Unix shell tools such as sed, awk, perl and grep
• Visualize includes tools to display the data
8
A word on tools
• All tools mentioned in this paper are on the DAVIX 1.0.1 distribution
• All graphics used in this paper were generated directly from the DAVIX live CD
• You may download all scripts in this paper at http://files.ericconrad.com/viz-current.tgz
• All example commands in this paper will work directly on the DAVIX live CD
9
Dot
• Dot is a language used to describe graphs
• Example digraph (directed graph) in dot language, and resulting image:
    digraph directed {
        A -> B -> C;
        B -> D;
    }
10
Turning Dot into graphics
• Graphviz (Graph Visualization Software) includes a number of programs to manipulate Dot programs
  – http://graphviz.org/
• Includes tools that take a Dot file as input, and create a graphics file as output
• This paper uses the Graphviz tools ‘twopi’ and ‘neato’
  – twopi uses a ‘radial model’ to lay out nodes
  – neato uses a ‘spring model’ to lay out nodes
11
Afterglow
• Afterglow takes CSV files as input and creates a Dot language file as output
• Makes creating directed graphs very easy
• The graph on the right was created with:
    echo "1,2,3" | afterglow.pl | neato -Tpng -o example.png
12
Two-column mode
• Two-column mode has 2 types of nodes: source and target
• This graph shows 2 source nodes connecting to three targets
13
Afterglow two-column example: normal ARP requests
14
‘Arp bomb’: scan of unused IP addresses
15
Three-column mode
• Three-column mode adds an ‘event’ node
• Source nodes connect to targets via ‘events’
• Example event: protocol type
16
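Added example, not afterglow.pl itself: a small Python re-implementation of the two-column and three-column CSV-to-Dot conversion described on the last few slides, plus a fan-out count that turns the ‘arp bomb’ shape (one source fanning out to many unused addresses) into a number. The CSV rows are constructed and the node shapes are assumptions; the output can be fed to neato exactly like afterglow’s.

```python
import csv
import io

# Constructed two-column sample (source,target): ARP who-has requests.
# 10.0.0.9 asking for four unused addresses in a row is the 'arp bomb' shape.
ARP_CSV = """\
10.0.0.2,10.0.0.1
10.0.0.3,10.0.0.1
10.0.0.9,10.0.0.20
10.0.0.9,10.0.0.21
10.0.0.9,10.0.0.22
10.0.0.9,10.0.0.23
"""

# Constructed three-column sample (source,event,target), event = protocol.
PROTO_CSV = """\
10.0.0.2,tcp,10.0.0.1
10.0.0.2,udp,10.0.0.1
10.0.0.9,icmp,10.0.0.20
10.0.0.9,icmp,10.0.0.21
"""

SHAPES = {"source": "box", "event": "diamond", "target": "ellipse"}  # assumed shapes

def parse_rows(csv_text):
    return [r for r in csv.reader(io.StringIO(csv_text)) if r and not r[0].startswith("#")]

def csv_to_dot(csv_text, name="afterglow_like"):
    """Turn 2- or 3-column CSV into a Dot digraph. Source, event and target are
    distinct node types; a repeated row thickens its edge instead of duplicating it."""
    nodes, edges = {}, {}
    for row in parse_rows(csv_text):
        roles = {2: ("source", "target"), 3: ("source", "event", "target")}.get(len(row))
        if roles is None:
            raise ValueError(f"expected 2 or 3 columns: {row!r}")
        ids = [f"{role}:{label}" for role, label in zip(roles, row)]
        for node_id, role, label in zip(ids, roles, row):
            nodes.setdefault(node_id, f'  "{node_id}" [label="{label}", shape={SHAPES[role]}];')
        for a, b in zip(ids, ids[1:]):
            edges[(a, b)] = edges.get((a, b), 0) + 1
    body = list(nodes.values())
    body += [f'  "{a}" -> "{b}" [penwidth={n}];' for (a, b), n in edges.items()]
    return f"digraph {name} {{\n" + "\n".join(body) + "\n}\n"

def fan_out(csv_text):
    """Distinct targets per source: the number an address scan inflates."""
    targets = {}
    for row in parse_rows(csv_text):
        targets.setdefault(row[0], set()).add(row[-1])
    return {src: len(t) for src, t in targets.items()}
```

Printing csv_to_dot(ARP_CSV) and piping it into neato -Tpng -o arp.png renders the same kind of graph as the slides; a source whose fan_out value is far above the rest of the segment is the node to look at first.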
Visualizing honeypot attacks
• Let’s use the Dot language to visualize attacks vs. a honeypot
• Data is from the Honeynet Project® Scan of the Month 27:
  – During its first week of operation, the honeypot was repeatedly compromised by attackers and worms exploiting several distinct vulnerabilities. Subsequent to a successful attack, the honeypot was joined to a large botnet.
• Source: http://www.honeynet.org/scans/scan27/
• What do the attacks look like visually?
17
The attacks, visually
18
Visual traceroute with Dot
• Generate a route graph with Dot:
  – traceroute to the top 100 internet sites
  – Compute average time to each hop
  – Draw directed graph showing all connections within 6 hops
  – Display nodes with colors showing RTT
    • First node is blue (and larger)
    • Nodes < 15 ms are palegreen
    • Nodes < 30 ms are green
    • Nodes < 45 ms are yellow
    • Rest are red
19
20
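Added example, not one of the scripts in viz-current.tgz: Python that parses constructed traceroute output for several destinations, merges the first six hops into one Dot graph, averages each router’s RTT across all traces, and colours nodes with the thresholds from the slide (first node blue and larger). Hop lines that time out (“* * *”) are skipped, so the graph joins the hops that did answer; hostnames, addresses and timings are all made up.

```python
import re
from statistics import mean
HOP_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\(([\d.]+)\)((?:\s+[\d.]+ ms)+)")

# Constructed traceroute output for two destinations (not real measurements).
TRACES = {
    "site-a": """\
 1  gw (192.168.1.1)  0.4 ms  0.5 ms  0.6 ms
 2  isp (10.1.0.1)  12.0 ms  13.0 ms  14.0 ms
 3  core (10.2.0.1)  25.0 ms  26.0 ms  27.0 ms
 4  peer (10.3.0.1)  40.0 ms  41.0 ms  42.0 ms
 5  far (10.4.0.1)  70.0 ms  71.0 ms  72.0 ms
 6  * * *
""",
    "site-b": """\
 1  gw (192.168.1.1)  0.4 ms  0.5 ms  0.6 ms
 2  isp (10.1.0.1)  12.0 ms  13.0 ms  14.0 ms
 3  alt (10.9.0.1)  19.0 ms  20.0 ms  21.0 ms
""",
}

def rtt_color(ms):
    return "palegreen" if ms < 15 else "green" if ms < 30 else "yellow" if ms < 45 else "red"

def parse_trace(text):
    """(hop number, IP, mean RTT) per answered hop; '* * *' lines do not match."""
    hops = []
    for m in filter(None, map(HOP_RE.match, text.splitlines())):
        hops.append((int(m.group(1)), m.group(2), mean(map(float, re.findall(r"[\d.]+", m.group(3))))))
    return hops

def build_graph(traces, max_hops=6):
    """Edges between consecutive answered hops within max_hops; RTT averaged per router."""
    rtt, edges, first = {}, set(), None
    for text in traces.values():
        hops = [h for h in parse_trace(text) if h[0] <= max_hops]
        first = first or (hops[0][1] if hops else None)  # first node of first trace: blue
        for _, ip, avg in hops:
            rtt.setdefault(ip, []).append(avg)
        edges.update((a[1], b[1]) for a, b in zip(hops, hops[1:]))
    return {ip: mean(v) for ip, v in rtt.items()}, edges, first

def to_dot(traces, max_hops=6):
    rtt, edges, first = build_graph(traces, max_hops)
    lines = ["digraph routes {", "  node [style=filled];"]
    for ip, avg in rtt.items():
        style = "fillcolor=blue, width=1.5" if ip == first else f"fillcolor={rtt_color(avg)}"
        lines.append(f'  "{ip}" [{style}, label="{ip}\\n{avg:.1f} ms"];')
    lines += [f'  "{a}" -> "{b}";' for a, b in sorted(edges)]
    return "\n".join(lines + ["}"])
```

Printing to_dot(TRACES) and piping it into twopi -Tpng -o routes.png gives the radial layout used on the slide; with real traceroute output the same parser applies as long as the lines keep the standard “hop host (ip) rtt ms …” form.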
Visualizing Mitnick vs. Shimomura
• One of the most famous network attacks occurred on Christmas Day, 1994, when Kevin Mitnick allegedly attacked Tsutomu Shimomura’s systems
• The attack exploited a trust relationship between Shimomura’s ‘x-terminal’ and ‘server’
• Shimomura analyzed the attack, and was kind enough to post a detailed post mortem of the attack to the comp.security.misc Usenet group
  – Including tcpdump output
21
The players
• 4 systems were involved in the attack:
  – apollo.it.luc.edu: the source of the attack
  – server: a host trusted by x-terminal
  – x-terminal: trusted by server
  – 130.92.6.97: used as the spoofed source for the DoS attack
    • There was no live system at this IP address at the time of the attack
22
The attack
• Goal was to forge a packet ‘from’ server to x-terminal
  – DoSed server from 130.92.6.97
  – Harvested TCP sequence numbers from x-terminal
  – Spoofed connection ‘from’ server to x-terminal
    • Attacker did not see the SYN/ACK, and had to guess the sequence number used, and increment it by 1 for the reply
• Let’s use Shimomura’s analysis to see the attack visually
23
Mitnick vs. Shimomura
24
rumint: ‘rumors in the network’
• Another useful DAVIX tool is rumint, a ‘PVR for Network Traffic and Security Visualization’
  – ‘rumint’ is short for ‘rumor intelligence’
  – Site: www.rumint.org
• Much of what IDS analysts must do is separate useful signals from noise
• rumint is useful for ‘spotting the outlier’
25
Analyzing the honeypot with rumint
26
rumint ‘text rainfall’ mode
• Matrix-style falling text from a live network capture or pcap file
• This shows botnet IRC command and control traffic
27
Any questions?
28