
Detecting Abuse of Abandoned Internet Resources Tim Schmidt - PowerPoint PPT Presentation

Chair for Network Architectures and Services, Technische Universität München. Detecting Abuse of Abandoned Internet Resources. Tim Schmidt. Supervisors: Dipl. Inf. Johann Schlamp, Dipl. Ing. Quirin Scheitle. 12.08.2015. Chair for Network


  1. Chair for Network Architectures and Services, Department of Informatics, Technische Universität München
     Detecting Abuse of Abandoned Internet Resources
     Tim Schmidt
     Supervisors: Dipl. Inf. Johann Schlamp, Dipl. Ing. Quirin Scheitle
     12.08.2015

  2. Overview: Basics, Existing Work, RIR Models, Timeline & Outlook

  3. Overview: Basics, Existing Work, RIR Models, Timeline & Outlook

  4. Regional Internet Registry (RIR)
     Manages and assigns Internet Number Resources such as:
     - IP address spaces (IPv4 and v6)
     - AS Numbers
     Note: There are five Regional Internet Registries, compare next slide.

  5. Areas of Responsibility
     Figure: RIR regions (source: nro.net)

  6. Overview: Basics, Existing Work, RIR Models, Timeline & Outlook

  7. Existing Work
     Note: My work is based on Christian Eckert's master's thesis: "Ein Fruehwarnsystem fuer AS Hijacking" (TUM, 2013)
     → C. Eckert implemented a parser for RIPE data (dumpfiles)
     → My implementation uses parts of his code
     → The TUM Chair for Network Architectures and Services provides dumpfiles for every RIR, updated daily.

  8. Detecting Abandoned Resources
     1. Domain information
     2. Maintainer relations
     3. Organisation relations
     4. No. of relations

  9. Detecting Abandoned Resources
     1. Domain information → domain expired?
     2. Maintainer relations
     3. Organisation relations
     4. No. of relations

  10. Detecting Abandoned Resources
      1. Domain information → domain expired?
      2. Maintainer relations → maintainer nonexistent / inactive?
      3. Organisation relations
      4. No. of relations

  11. Detecting Abandoned Resources
      1. Domain information → domain expired?
      2. Maintainer relations → maintainer nonexistent / inactive?
      3. Organisation relations → org. nonexistent / inactive?
      4. No. of relations

  12. Detecting Abandoned Resources
      1. Domain information → domain expired?
      2. Maintainer relations → maintainer nonexistent / inactive?
      3. Organisation relations → org. nonexistent / inactive?
      4. No. of relations → low degree of connectivity?

  13. Detecting Abandoned Resources
      1. Domain information → domain expired?
      2. Maintainer relations → maintainer nonexistent / inactive?
      3. Organisation relations → org. nonexistent / inactive?
      4. No. of relations → low degree of connectivity?
      Scoring system: Based on those aspects, determine a score for the possibility that a resource is abandoned and/or abused / hijacked.

  14. Dumpfile Example: Objects (1)

  15. Dumpfile Example: Objects (2)

  16. Dumpfile Example: Objects (3)

  17. Tasks
      1. Analyze and understand the structure of the dump data for all RIRs
      2. Map data from the other RIRs to a generic data model (based on RIPE)
      3. Adapt existing RIPE parser code to the four remaining RIRs
      4. Use the same database format for compatibility: neo4j
      5. Evaluate data based on the existing model for abuse detection

  18. Overview: Basics, Existing Work, RIR Models, Timeline & Outlook

  19. RIPE

  20. APNIC

  21. AFRINIC

  22. LACNIC

  23. ARIN

  24. Generic Model

  25. RIR Object types
      Figure: Number of object types for all RIRs

  26. Overview: Basics, Existing Work, RIR Models, Timeline & Outlook

  27. Timeline
      Figure: Timeline

  28. Outlook
      What needs to be done:
      → Feed data to neo4j database (Parsed data is already in correct format!)
      → Implement cronjobs for daily parsing / updates
      → Evaluation

  29. Any questions? Feel free to ask!
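
The four criteria and the scoring system from slide 13, applied to parsed dump objects, as an added Python example (not code from the presentation or from C. Eckert's parser). The RPSL-style objects are constructed, the weights and the degree threshold are hypothetical, and reading "domain information" from the mail domains of referenced objects is an assumption; "inactive" objects are not modelled, only nonexistent ones.

```python
# Added example: constructed RPSL-style objects; weights and threshold are hypothetical.
SAMPLE_DUMP = """\
inetnum: 192.0.2.0 - 192.0.2.255
mnt-by: MNT-OLD
org: ORG-GONE1-EX

mntner: MNT-OLD
upd-to: noc@expired.example

inetnum: 198.51.100.0 - 198.51.100.255
mnt-by: MNT-LIVE
org: ORG-LIVE1-EX

mntner: MNT-LIVE
upd-to: noc@active.example

organisation: ORG-LIVE1-EX
"""
WEIGHTS = {"domain_expired": 4, "mntner_missing": 3, "org_missing": 2, "low_degree": 1}

def parse_objects(text):  # the first attribute of each object gives its type and key
    objects = {}
    for block in text.strip().split("\n\n"):
        attrs = [tuple(part.strip() for part in line.split(":", 1))
                 for line in block.splitlines() if ":" in line]
        objects[attrs[0][1]] = {"type": attrs[0][0], "attrs": attrs[1:]}
    return objects

def score_resource(key, objects, expired_domains, min_degree=2):
    """Return (score, reasons) for one resource using the four criteria."""
    refs = [(a, v) for a, v in objects[key]["attrs"] if a in ("mnt-by", "org")]
    reasons, domains = set(), set()
    for attr, ref in refs:
        target = objects.get(ref)
        if target is None:  # criteria 2 and 3: referenced object does not exist
            reasons.add("mntner_missing" if attr == "mnt-by" else "org_missing")
        else:  # criterion 1: mail domains of the objects this resource depends on
            domains |= {v.rsplit("@", 1)[1].lower() for _, v in target["attrs"] if "@" in v}
    if domains & expired_domains:
        reasons.add("domain_expired")
    if sum(ref in objects for _, ref in refs) < min_degree:  # criterion 4
        reasons.add("low_degree")
    return sum(WEIGHTS[r] for r in reasons), sorted(reasons)

def rank_resources(text, expired_domains):  # scored resources, highest score first
    objects = parse_objects(text)
    rows = [(key, *score_resource(key, objects, expired_domains))
            for key, obj in objects.items() if obj["type"] in ("inetnum", "aut-num")]
    return sorted(rows, key=lambda row: -row[1])
```

`rank_resources(SAMPLE_DUMP, {"expired.example"})` puts the first constructed block at the top, because its organisation object is missing and its maintainer depends on an expired mail domain.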
