Transcript ipaudit
IPAUDIT An Analyst’s Perspective… Phil Rodrigues University of Connecticut MIT Security Camp Aug 15, 2002 Goals • Show how I use IPAUDIT everyday – Start the morning knowing nothing – Use IPAudit to identify network anomalies and investigate them – Go home at night knowing a little bit more • Also: an overview of UConn’s security practices Outline • Web Graphs – Quick glance, looking for major issues • Web Reports – Detailed look at suspicious anomalies • Console – Thorough investigation of security incidents Web Graphs • Network Traffic • Incoming / Outgoing Scans • Busiest Hosts Web Graphs: Traffic • Plot of 30 minute total, inbound, and outbound traffic (bytes) • Useful for large network anomalies: hightraffic transfers, D/DOS attacks, etc Web Graphs: Incoming Scans • Shows local host connections that are either Only-Received, Only-Sent, or Sent-andReceived (normal) • Only-Received detects incoming scans • Only-Sent detects spoofed outbound attacks Incoming Scans: Only-Received • Only-Received detects incoming scans – Anomaly where a single remote address sends to a large amount of local addresses – Most of these local address receive data but do not send any back – Displayed as a large red spike Incoming Scans: Only-Sent • Only-Sent detects spoofed outbound attacks – Anomaly where a large number of local addresses send data to a single remote address – Most of these local addresses are sending data but have not received any (most of them do not exist) – Displayed as a large blue spike – Can trace a spoofed address to a smaller network but not to a single computer Web Graphs: Outgoing Scans • Shows remote host connections that are either Only-Received, Only-Sent, or Sent-and-Received (normal) • Only-Received detects outgoing scans – Anomaly where a large amount of remote addresses receive data from one local address but do not reply Web Graphs: Busiest Hosts • Busiest local / remote hosts per 30 minutes. – Large “wide” anomalies usually indicate a hacked box (one-to-many, ftp/dcc), or occasionally DOS attacks (one-to-one). – Single spikes are usually legit file-transfers (one-to-one, fast I2 ftp transfers) Web Reports • 30 Minute – Detailed view of immediate incidents • Daily – Summary of top talkers/scanners • Weekly/Monthly – Accumulated totals of high traffic users Web Reports: 30 Minute • Incoming / Outgoing Scans • Local / Remote Traffic • Busiest Traffic Pairs 30 Minute: Scans • Incoming: Good for informational purposes • Outgoing: – Compromised local computers scan external networks sequentially for new targets – Virus infected local computers scan external addresses randomly for new hosts – P2P “super-node” activity where one local address is relaying search requests for many different remote addresses 30 Minute: Local/Remote Traffic • Normal ratio file-transfers: the top talkers / listeners usually get examined for TCP port details • One-sided transfers (highlighted in yellow or red) indicate an in/out DOS (or UDP streams) 30 Minute: Traffic Pairs • Who is talking to Who? • Is that one busy local computer talking to many others? (hacked) to one other across I2? (research) • Gives a good geographical indicator: rr.ny.com, wanado.fr (hacked) vs nasa.gov, cornell.edu (research) Web Reports: Daily • Local/Remote Traffic – Shows large, slower accumulated traffic that 30 min reports may have not have alerted us to • Incoming/Outgoing Scans – Shows large, slower scans that 30 min missed – A slow scan of the entire class B would show up here, but good chance 30 min report or SNORT would not catch it Web Reports: Weekly/Monthly • Traffic – Just for measuring traffic, usually for bandwidth management – Allows for the slow accumulation of traffic Console • 30min files – Records all IP connection info per 30 mins • RAW files – Records partial payload of selected TCP ports – telnet, ftp, smtp, irc, icmp Console: 30min • General Overview – grep|vi a full 30min file for one IP, to get a sense of what was going on: • • • • Web surfing vs Nimda infection P2P activity vs X-DCC transfers Streaming video vs UDP DOS attacks Failed logons vs password cracking Console: 30min • Detailed investigations – Start with an anomaly, then look to see what happened immediately before it for clues as to how they may have gotten in. – Determine the IP that was responsible for the intrusion, then see what else they were doing in the previous few days. Console: Raw • Detailed investigations – – – – – telnet, ftp, smtp, irc, icmp Specific telnet commands (darn SSH) ftp users/passwords and files (darn SCP) irc conversations, channel/handle passwords email headers for spam, etc issues Successes: Graphs • Detection of D/DOS attacks or extremely popular (aka illicit) file servers • Detection of new mass events like Code Red or Nimda • Detection of infected/compromised hosts that are scanning external networks Successes: Reports • Frequent updates allow fast response to large-traffic or high scan intrusions • Easy click-through from high-level reports to specific connection details • Detection of moderate rate DOS attacks • Summary of in/outbound scans that were too slow detect looking at a single time Successes: Console • Linux tools (grep, awk, uniq, sort, total, etc) allow for fast creation of detailed reports • Fairly easy to get complete picture of an intrusion by looking at before/after events – Spoofed attacks: Look at time the attack started and scan for suspicious activity from a similar IP, which is probably the compromised host Limitations • Small-scale events get lost in background noise of busy network • Takes 30 minutes to see new events • Limited ability to see payload information • SNORT: happens to complement this nicely Summary • Web Graphs – Quick glance at the network – if it is quiet there things can’t be *that* bad. • Web Reports – Summary of an hour, day, or week events, to help target suspicious anomalies • Console – Detailed investigation of incidents Links • IPAUDIT: – http://ipaudit.sourceforge.net – http://ipaudit.sf.net • UConn Network Reports – http://turkey.ucc.uconn.edu • Email: – [email protected] – [email protected]