Chair for Network Architectures and Services
Department of Informatics
Technische Universität München

Detecting Abuse of Abandoned Internet Resources
Tim Schmidt
Advisors: Dipl. Inf. Johann Schlamp, Dipl. Ing. Quirin Scheitle
12.08.2015

Overview
◮ Basics
◮ Existing Work
◮ RIR Models
◮ Timeline & Outlook

Regional Internet Registry (RIR)
Manages and assigns Internet Number Resources such as:
◮ IP address spaces (IPv4 and IPv6)
◮ AS numbers
Note: There are five Regional Internet Registries; compare the next slide.

Areas of Responsibility
Figure: RIR regions (Source: nro.net)

Existing Work
Note: My work is based on Christian Eckert's master's thesis: "Ein Fruehwarnsystem fuer AS Hijacking" (TUM, 2013)
→ C. Eckert implemented a parser for RIPE data (dumpfiles)
→ My implementation uses parts of his code
→ The TUM Chair for Network Architectures and Services provides dumpfiles for every RIR, updated daily.

Detecting Abandoned Resources
1. Domain information → domain expired?
2. Maintainer relations → maintainer nonexistent / inactive?
3. Organisation relations → org. nonexistent / inactive?
4. No. of relations → low degree of connectivity?
Scoring system: Based on these aspects, determine a score for the possibility that a resource is abandoned and/or abused / hijacked.
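
The scoring idea above, as an added example that is not from the talk or the thesis code: it parses RPSL-style dump objects and scores each aut-num/inetnum on the four criteria. The weights, the sample objects, the expired-domain set and the reading of "low degree of connectivity" as "maintainer referenced by fewer than min_degree objects" are assumptions; for criteria 2 and 3 only the "nonexistent" case is checked.

```python
from collections import Counter, defaultdict
# Constructed sample in RPSL-style "attribute: value" form (not registry data).
DUMP = """\
aut-num: AS64500
mnt-by: OK-MNT

mntner: OK-MNT

aut-num: AS64501
org: ORG-OLD-TEST
mnt-by: LONE-MNT
mnt-by: GONE-MNT

organisation: ORG-OLD-TEST
e-mail: admin@example.org

mntner: LONE-MNT

inetnum: 192.0.2.0 - 192.0.2.255
org: ORG-GONE-TEST
mnt-by: OK-MNT
"""
EXPIRED = {"example.org"}  # assumption: filled by a separate WHOIS/DNS expiry check
WEIGHTS = {"domain_expired": 3, "mnt_missing": 3, "org_missing": 2, "low_degree": 1}  # assumed

def parse(dump):
    objects = {}  # primary key value -> (object type, {attribute: [values]})
    for block in dump.strip().split("\n\n"):
        pairs = [[p.strip() for p in line.split(":", 1)] for line in block.splitlines()]
        attrs = defaultdict(list)
        for name, value in pairs:
            attrs[name].append(value)
        objects[pairs[0][1]] = (pairs[0][0], attrs)
    return objects

def score(objects, min_degree=2):
    # degree = number of objects that reference a maintainer or organisation key
    degree = Counter(r for _, a in objects.values() for r in a["mnt-by"] + a["org"])
    resources = {k: a for k, (kind, a) in objects.items() if kind in ("aut-num", "inetnum")}
    result = {}
    for key, attrs in resources.items():
        hits = {"mnt_missing" for m in attrs["mnt-by"] if m not in objects}
        hits |= {"low_degree" for m in attrs["mnt-by"] if m in objects and degree[m] < min_degree}
        for org in attrs["org"]:
            if org not in objects:
                hits.add("org_missing")
            elif any(m.rsplit("@", 1)[-1].lower() in EXPIRED for m in objects[org][1]["e-mail"]):
                hits.add("domain_expired")
        result[key] = (sum(WEIGHTS[h] for h in hits), sorted(hits))
    return result
```

Calling score(parse(DUMP)) returns a (score, reasons) pair per resource, so a reviewer can see which criterion raised the score.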

Figures: Dumpfile Example: Objects (1), (2), (3)

Tasks
1. Analyze and understand the structure of the dump data for all RIRs
2. Map data from the other RIRs to a generic data model (based on RIPE)
3. Adapt existing RIPE parser code to the four remaining RIRs
4. Use the same database format for compatibility: neo4j
5. Evaluate data based on the existing model for abuse detection

RIR Models
◮ RIPE
◮ APNIC
◮ AFRINIC
◮ LACNIC
◮ ARIN
◮ Generic Model

RIR Object types
Figure: Number of object types for all RIRs

Timeline
Figure: Timeline

Outlook
What needs to be done:
→ Feed data to neo4j database (parsed data is already in correct format!)
→ Implement cronjobs for daily parsing / updates
→ Evaluation

Any questions? Feel free to ask!