Transcript ipaudit
IPAUDIT
An Analyst’s Perspective…
Phil Rodrigues
University of Connecticut
MIT Security Camp
Aug 15, 2002
Goals
• Show how I use IPAUDIT everyday
– Start the morning knowing nothing
– Use IPAudit to identify network anomalies and
investigate them
– Go home at night knowing a little bit more
• Also: an overview of UConn’s security
practices
Outline
• Web Graphs
– Quick glance, looking for major issues
• Web Reports
– Detailed look at suspicious anomalies
• Console
– Thorough investigation of security incidents
Web Graphs
• Network Traffic
• Incoming / Outgoing Scans
• Busiest Hosts
Web Graphs: Traffic
• Plot of 30 minute total, inbound, and
outbound traffic (bytes)
• Useful for large network anomalies: hightraffic transfers, D/DOS attacks, etc
Web Graphs: Incoming Scans
• Shows local host connections that are either
Only-Received, Only-Sent, or Sent-andReceived (normal)
• Only-Received detects incoming scans
• Only-Sent detects spoofed outbound attacks
Incoming Scans: Only-Received
• Only-Received detects incoming scans
– Anomaly where a single remote address sends
to a large amount of local addresses
– Most of these local address receive data but do
not send any back
– Displayed as a large red spike
Incoming Scans: Only-Sent
• Only-Sent detects spoofed outbound attacks
– Anomaly where a large number of local
addresses send data to a single remote address
– Most of these local addresses are sending data
but have not received any (most of them do not
exist)
– Displayed as a large blue spike
– Can trace a spoofed address to a smaller
network but not to a single computer
Web Graphs: Outgoing Scans
• Shows remote host connections that are either
Only-Received, Only-Sent, or Sent-and-Received
(normal)
• Only-Received detects outgoing scans
– Anomaly where a large amount of remote addresses
receive data from one local address but do not reply
Web Graphs: Busiest Hosts
• Busiest local / remote hosts per 30 minutes.
– Large “wide” anomalies usually indicate a
hacked box (one-to-many, ftp/dcc), or
occasionally DOS attacks (one-to-one).
– Single spikes are usually legit file-transfers
(one-to-one, fast I2 ftp transfers)
Web Reports
• 30 Minute
– Detailed view of immediate incidents
• Daily
– Summary of top talkers/scanners
• Weekly/Monthly
– Accumulated totals of high traffic users
Web Reports: 30 Minute
• Incoming / Outgoing Scans
• Local / Remote Traffic
• Busiest Traffic Pairs
30 Minute: Scans
• Incoming: Good for informational purposes
• Outgoing:
– Compromised local computers scan external
networks sequentially for new targets
– Virus infected local computers scan external
addresses randomly for new hosts
– P2P “super-node” activity where one local
address is relaying search requests for many
different remote addresses
30 Minute: Local/Remote Traffic
• Normal ratio file-transfers: the top talkers /
listeners usually get examined for TCP port
details
• One-sided transfers (highlighted in yellow
or red) indicate an in/out DOS (or UDP
streams)
30 Minute: Traffic Pairs
• Who is talking to Who?
• Is that one busy local computer talking to
many others? (hacked) to one other across
I2? (research)
• Gives a good geographical indicator:
rr.ny.com, wanado.fr (hacked) vs nasa.gov,
cornell.edu (research)
Web Reports: Daily
• Local/Remote Traffic
– Shows large, slower accumulated traffic that 30
min reports may have not have alerted us to
• Incoming/Outgoing Scans
– Shows large, slower scans that 30 min missed
– A slow scan of the entire class B would show
up here, but good chance 30 min report or
SNORT would not catch it
Web Reports: Weekly/Monthly
• Traffic
– Just for measuring traffic, usually for
bandwidth management
– Allows for the slow accumulation of traffic
Console
• 30min files
– Records all IP connection info per 30 mins
• RAW files
– Records partial payload of selected TCP ports
– telnet, ftp, smtp, irc, icmp
Console: 30min
• General Overview
– grep|vi a full 30min file for one IP, to get a
sense of what was going on:
•
•
•
•
Web surfing vs Nimda infection
P2P activity vs X-DCC transfers
Streaming video vs UDP DOS attacks
Failed logons vs password cracking
Console: 30min
• Detailed investigations
– Start with an anomaly, then look to see what
happened immediately before it for clues as to
how they may have gotten in.
– Determine the IP that was responsible for the
intrusion, then see what else they were doing in
the previous few days.
Console: Raw
• Detailed investigations
–
–
–
–
–
telnet, ftp, smtp, irc, icmp
Specific telnet commands (darn SSH)
ftp users/passwords and files (darn SCP)
irc conversations, channel/handle passwords
email headers for spam, etc issues
Successes: Graphs
• Detection of D/DOS attacks or extremely
popular (aka illicit) file servers
• Detection of new mass events like Code
Red or Nimda
• Detection of infected/compromised hosts
that are scanning external networks
Successes: Reports
• Frequent updates allow fast response to
large-traffic or high scan intrusions
• Easy click-through from high-level reports
to specific connection details
• Detection of moderate rate DOS attacks
• Summary of in/outbound scans that were
too slow detect looking at a single time
Successes: Console
• Linux tools (grep, awk, uniq, sort, total, etc)
allow for fast creation of detailed reports
• Fairly easy to get complete picture of an
intrusion by looking at before/after events
– Spoofed attacks: Look at time the attack started
and scan for suspicious activity from a similar
IP, which is probably the compromised host
Limitations
• Small-scale events get lost in background
noise of busy network
• Takes 30 minutes to see new events
• Limited ability to see payload information
• SNORT: happens to complement this nicely
Summary
• Web Graphs
– Quick glance at the network – if it is quiet there
things can’t be *that* bad.
• Web Reports
– Summary of an hour, day, or week events, to
help target suspicious anomalies
• Console
– Detailed investigation of incidents
Links
• IPAUDIT:
– http://ipaudit.sourceforge.net
– http://ipaudit.sf.net
• UConn Network Reports
– http://turkey.ucc.uconn.edu
• Email:
– [email protected]
– [email protected]