
Detecting Security Problems and Internet Measurement
CS 239, Advanced Topics in Network Security
Peter Reiher
May 12, 2003
Lecture 12
CS 239, Spring 2003

Evaluating Security Solutions
• The Internet as a whole is poorly measured
  – And, hence, poorly understood
• No existing network-wide infrastructure for measuring anything
• Ad hoc attempts to get some handle on what’s going on in the network

Some Security Measurement Questions?
• What fraction of all IP packets have spoofed addresses?
• How many DDoS attacks occur each day?
• How many compromised machines are there on the Internet?
• If I installed secure BGP at 200 chosen locations, how much better would things be?

So, How to Answer These Questions
• Deduce based on the evidence available
• Obtain snapshots from some points in the network
• Use simulation techniques
• Use honeypots/honeynets to attract attacks for measurement and analysis
• Install serious measurement capabilities in the network

Inferring DoS Attacks
• An attempt to answer the question of how common DoS attacks are
• How to answer that question?
  – Ask people to tell you when they’re victims
  – Observe congestion and deduce when it’s caused by DoS
  – Or, use backscatter

Idea Behind Backscatter Measurement Technique
• DoS consists of a stream of garbage packets to a single destination
• The victim doesn’t know they’re garbage, so it answers them normally
• Often, the attacker spoofs the source address of attack packets
  – So responses go to the real machines whose addresses were spoofed

Spoofing and DoS Attacks
• In principle, DoS attackers could spoof any source address
• Most often, they seem to spoof randomly from the entire IP address space
  – Choose a new address from 2^32 possible addresses for each packet
• If enough packets are sent in an attack, every machine on the Internet will see some responses

Using Backscatter in Practice
• Set up a network of test machines
  – That send and receive no legitimate traffic
• Record every packet they receive
• Try to identify which of them seem to be legitimate responses to some packet
• Identify each such packet as a backscatter packet in a DoS attack

For Example,
[Figure: SYNs arrive at 67.123.55.40 carrying the source addresses 46.103.96.3, 100.22.73.48, 5.150.134.83 and 131.179.192.55; 67.123.55.40 replies with a SYN/ACK to 131.179.192.55]
131.179.192.55: I got a SYN/ACK from 67.123.55.40 when I didn’t send him a SYN. Probably someone else sent him a SYN with my source address spoofed. Maybe there’s a DoS attack on 67.123.55.40!

Practical Use of Backscatter
• Not definitive, since anyone could have sent this packet
  – Or it could be a legitimate response to something other than DoS
• More accurate if you monitor lots of addresses
• Tricky to tell when attacks begin and end

CAIDA Backscatter Experiment
• Run during three week-long periods in 2000
• Using a /8 network
  – So they control 2^24 distinct IP addresses, or 1/256th of all addresses
• Monitored all traffic arriving for any of these addresses

Results
• During one week, saw 12,805 attacks
• Over three weeks observed 200 million backscatter packets
  – Presumably out of around 50 billion such packets
• More than 5000 victim addresses in more than 2000 domains

Types of Attacks
• TCP dominated
  – 94% of all attacks were TCP
• A small number were ICMP
  – But they represented nearly half of the backscatter traffic
• Only 2% were UDP

Who Were the Victims?
• Victim’s IP address is the source address in the backscatter packet
• Reverse lookup on that address to get the victim’s DNS name
• Failed 30% of the time
• In other cases, .net and .com very popular for attack targets

How Long Were the Attacks?
• Typically one hour or less (90% of them)
• But 2% of attacks more than 5 hours
• 1% longer than 10 hours
• Dozens of attacks lasted for days

How Strong Are the Attacks?
• More than 90% were 10,000 pkts/sec or less
  – 500 SYNs per second overwhelms an unprotected server
• 46% of attacks were that strong
  – 14,000 SYNs overwhelms an anti-DoS firewall
• 2.4% of attacks were that strong

Other Approaches
• CERT
• Other network observation points
• Honeynets
• The grapevine

CERT
• Keeps a reasonably close eye on the Internet
• Is extremely careful about issuing advisories
  – Avoids panic, but delays response
• Their staff observe and collect reports from other human sources
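The backscatter inference described in the slides (unsolicited responses arriving at an address block that sends nothing, grouped by their source address, which is the victim, and scaled up by 256 because a /8 sees 1/256th of the address space), as an added example that is not part of the lecture or of CAIDA's code. The 10.0.0.0/8 monitor block, the 300-second silence that ends an attack, and the sample capture are assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

SCALE = 256          # a /8 covers 2^24 of 2^32 addresses: 1 observed packet ~ 256 sent
ATTACK_GAP = 300.0   # assumed: >300 s without backscatter from a victim ends an attack
MONITOR_PREFIX = "10."   # assumed monitor block 10.0.0.0/8 (never sends traffic)

# Packet kinds a host emits only in reply to something; if nobody in the
# monitor block ever sent anything, these replies answer spoofed packets.
BACKSCATTER_KINDS = {"SYN/ACK", "RST", "ICMP-unreach", "ICMP-echo-reply"}

@dataclass
class Packet:
    t: float     # arrival time in seconds
    src: str     # sender of the reply: the DoS victim
    dst: str     # one of the monitor's unused addresses (spoofed by the attacker)
    kind: str

def is_backscatter(p: Packet) -> bool:
    """A reply-type packet delivered to the silent monitor block."""
    return p.dst.startswith(MONITOR_PREFIX) and p.kind in BACKSCATTER_KINDS

def _summarise(victim, start, end, n):
    duration = max(end - start, 1.0)          # avoid dividing by zero for 1-packet attacks
    return {"victim": victim, "start": start, "end": end, "observed": n,
            "est_pkts": n * SCALE, "est_rate_pps": n * SCALE / duration}

def find_attacks(packets, gap=ATTACK_GAP):
    """Group backscatter by victim, split on silences longer than `gap`,
    and estimate each attack's total size and rate by scaling by 256."""
    by_victim = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.t):
        if is_backscatter(p):
            by_victim[p.src].append(p.t)
    attacks = []
    for victim, times in by_victim.items():
        start, last, n = times[0], times[0], 0
        for t in times:
            if t - last > gap:                 # silence: close the current attack
                attacks.append(_summarise(victim, start, last, n))
                start, n = t, 0
            last, n = t, n + 1
        attacks.append(_summarise(victim, start, last, n))
    return attacks

# Constructed capture: one victim answering spoofed SYNs for a minute, the same
# victim again 15 minutes later, a probe aimed at the block (not backscatter),
# and a single ICMP unreachable from a second victim.
SAMPLE = (
    [Packet(t, "67.123.55.40", f"10.{t % 256}.1.2", "SYN/ACK") for t in range(60)]
    + [Packet(900 + t, "67.123.55.40", "10.9.9.9", "RST") for t in range(3)]
    + [Packet(5.0, "192.0.2.7", "10.1.1.1", "SYN")]
    + [Packet(7.0, "198.51.100.9", "10.2.2.2", "ICMP-unreach")]
)
```

With a real /8 trace the same grouping yields the per-victim start and end times and the 256x scaled packet counts behind the "how long" and "how strong" slides.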

Other Network Observation Points
• CAIDA, at San Diego, measures and observes much Internet behavior
  – Including security-related behavior
• Other places observe some forms of behavior
  – E.g., the Oregon Routeview project, to collect router information from several ASs

Honeynets
• Certain people maintain networks just to watch for attack traffic
  – The backscatter project was a specialized version
  – More generally, draw attackers in by the promise of an unprotected machine
  – Use their behavior to learn about new problems
• Pretty much ad hoc research and volunteer activity, so far

The Grapevine
• Sysadmins and network administrators tend to know each other
• When they see problems, they talk to each other
• Word of new problems spreads quickly
  – Often using telephones, rather than the network
• Much of what CERT knows about problems originates this way

Commercial Players
• Companies like Network Associates and Symantec make it their business to know about certain kinds of problems
  – Typically viruses
• Smaller companies try to build reputation by finding and diagnosing problems

What Should We Do?
• Is the current approach to finding security problems in the Internet adequate?
• If not, what would be?
• What should a system for watching for Internet threats look like?
• Who would run it?
• How would they do it?
