detection of amplifiers using active measurements
play

Detection of Amplifiers using Active Measurements Hamza Zafar - PowerPoint PPT Presentation

Aug 20, 2022 •644 likes •943 views

Chair of Network Architectures and Services Department of Informatics Technical University of Munich Detection of Amplifiers using Active Measurements Hamza Zafar Advisor: Simon Bauer Oliver Gasser Stefan Metzger Supervisor: Prof. Dr.-Ing.

  1. Chair of Network Architectures and Services Department of Informatics Technical University of Munich Detection of Amplifiers using Active Measurements Hamza Zafar Advisor: Simon Bauer Oliver Gasser Stefan Metzger Supervisor: Prof. Dr.-Ing. Georg Carle Technical University of Munich (TUM) Department of Informatics Chair of Network Architectures and Services Garching, 08.04.2019

  2. Agenda  Introduction  Framework  Measurements  Dashboards  Conclusion Hamza Zafar | Detection of Amplifiers using Active Measurements 2

  3. Introduction: Background  Distributed Reflective Denial-of-Service Attack (DRDoS) Figure: DRDoS attack using a botnet.  Bandwidth Amplification Factor (BAF): BAF = len ( Response payload ) len ( Request payload )  Amplifier:  Publicly available  Lacks authentication  Connection-less  BAF > 1 Hamza Zafar | Detection of Amplifiers using Active Measurements 3

  4. Introduction: Motivation  Terabit Attack Era  GitHub reported 1.35 Tbps  Arbor Networks reported 1.7 Tbps  Abuse of IoT devices  Mirai malware  Solution  No IP address spoofing, no DRDoS attacks  Reduce the number of amplifiers  Our Contribution  Framework to detect amplifiers using active network measurements Hamza Zafar | Detection of Amplifiers using Active Measurements 4

  5. Introduction: Research Questions  How to orchestrate network scans in a large network?  How to conduct network scans ethically?  Do amplifiers exhibit any characteristics?  Does the bandwidth amplification factor (BAF) changes over time?  Does the number of active amplifiers change over time? Hamza Zafar | Detection of Amplifiers using Active Measurements 5

  6. Framework: Features  REST API  Developed using Django REST Framework (DRF)  CLI Client  Increases usability  Scan Scheduling  Periodically execute network scans  Celery Task Queue used Hamza Zafar | Detection of Amplifiers using Active Measurements 6

  7. Framework: Features (cont.)  E-mail notifications  Notify about amplifiers and error messages  Network Scanner (Zmap)  Horizontal scanner (one scan per protocol)  Fast network scanner “/0 scans in under 45 minutes”  Stateless  Randomized probes  IPv6 address space scanning  Visualization Dashboards  Developed using Grafana  Home Dashboard: stats from all scans  Scan Dashboard: stats for a specific scan  Amplifier Dashboard: stats for a specific amplifier Hamza Zafar | Detection of Amplifiers using Active Measurements 7

  8. Measurements  Address ranges: TUM’s public IPv4 addresses  Scanning frequency: Twice a day  Scanning duration: Two weeks (23.02.2019 – 06.03.2019)  No. of scanned addresses: 130k  Scan execution time: approx. 17 minutes Hamza Zafar | Detection of Amplifiers using Active Measurements 8 Figure: Scanning setup

  9. Measurements: Ethical Considerations  Validate probe packet  Don’t cause harm to the devices  Use Wireshark to validate packet structure  Optimally, deploy services and capture request packets  Host a web page to express scanning intentions  Maintain a blacklist  Avoid saturating networks  Low packet rate (128 pps)  ZMap’s randomized probing  Restricted access to scan results Hamza Zafar | Detection of Amplifiers using Active Measurements 9

  10. Measurements: Results  Amplifiers detected for 5 protocols  NetBIOS, SNMP have the highest no. of amplifiers  Amplifiers decrease during the weekend  Amplifiers increase during the day Table: Min, Max and Avg. number of amplifiers Figure: No. of active amplifiers detected over a period of two weeks Hamza Zafar | Detection of Amplifiers using Active Measurements 10

  11. Measurements: NetBIOS Amplifiers  Windows based protocol to allow applications to communicate on LAN  Probe NetBIOS nametable  Linux/Unix based machines found running NetBIOS  SAMBA suite  Amplifiers belong to three subnets  Subnet-1:  End user devices  Subnet-2 & subnet-3:  Printers  Mail servers  LDAP servers Figure: Number of active NetBIOS amplifiers in three subnets Hamza Zafar | Detection of Amplifiers using Active Measurements 11

  12. Measurements: SNMP Amplifiers  Simple Network Management Protocol (SNMP)  Manage and monitor network devices  Probe system description property Figure: System description string received from a Samsung printer  SNMP GetRequest vs. GetBulkRequest  Majority of SNMP amplifiers are printers Hamza Zafar | Detection of Amplifiers using Active Measurements 12

  13. Measurements: SSDP Amplifiers  Simple Service Discovery Protocol (SSDP)  Discovery and advertisement of plug-and-play devices  Probe SSDP discover request  Two Samsung printers found DNS Amplifiers  Probe DNS ANY query for google.com  One DNS open resolver found  DNS resolver caches results  BAF drops during weekend due to less records in resolver’s cache Figure: Change in BAF of amplifiers Hamza Zafar | Detection of Amplifiers using Active Measurements 13

  14. Measurements: Chargen Amplifiers  Legacy character generator protocol  Testing and network debugging  Highest BAF (74X)  Two amplifiers  Nmap scan reveals amplifiers are running:  Legacy protocols Echo , Discard  Outdated Sun Solaris 8 OS  Sun Solaris 8 enables Chargen on system startup  Sun management console found Figure: Sun Management Console Hamza Zafar | Detection of Amplifiers using Active Measurements 14

  15. Measurements  Bandwidth Amplification Factor of amplifiers: Table: BAF per protocol recorded from the last scanning iteration, all shows the average BAF of all amplifiers, 50% and 10% shows the average BAF of 50% and 10% of the worst amplifiers, respectively.  9 devices found with multiple amplification vulnerabilities Table: Combination of vulnerable protocols detected in amplifiers Hamza Zafar | Detection of Amplifiers using Active Measurements 15

  16. Framework: Dashboards Visualization Dashboards Demo Hamza Zafar | Detection of Amplifiers using Active Measurements 16

  17. Conclusion  Extensible framework for amplifier detection using active measurements  Evaluation by executing scans ethically in Munich Scientific Network  Number of amplifiers and BAF varies with time  Misconfigurations exposes devices  Internet wide scans in future could be a source of interesting insights Hamza Zafar | Detection of Amplifiers using Active Measurements 17

  18. Backup Slides Hamza Zafar | Detection of Amplifiers using Active Measurements 18

  19. Framework: Home Dashboard Hamza Zafar | Detection of Amplifiers using Active Measurements 19

  20. Framework: Scan Dashboard Hamza Zafar | Detection of Amplifiers using Active Measurements 20

  21. Framework: Amplifier Dashboard Hamza Zafar | Detection of Amplifiers using Active Measurements 21

  22. Framework: REST API  REST architecture style  Client-server “separation of concerns”  Uniform Interface  Django REST Framework (DRF)  Python based  Opensource  Pluggable components  Field validations (IP address format, port range)  CLI Client  Constructs and sends request  Increases usability Figure: Framework architecture Hamza Zafar | Detection of Amplifiers using Active Measurements 22

  23. Framework: Scan Scheduling  Scan Scheduling  Periodically execute network scans  Celery  Task Queue  Asynchronous execution of long running tasks  Publisher-Subscriber model  Celery beat scheduler  Keeps track of scans  Triggers task execution  Celery worker  Executes tasks  Stores results in database Figure: Framework architecture Hamza Zafar | Detection of Amplifiers using Active Measurements 23

  24. Framework: Network Scanner  Network Scanner  Horizontal vs. vertical scanning technique  ZMap  Fast network scanner “/0 scans in under 45 minutes”  Stateless  Decouples sending probes and receiving responses  Bypasses the TCP/IP stack  Randomized probes  IPv6 address space scanning  Blacklist feature  One scan per protocol Figure: Framework architecture Hamza Zafar | Detection of Amplifiers using Active Measurements 24

  25. Framework: Visualization  Grafana – Data visualization framework  Opensource  Support for several databases  Tables, graphs, heat-maps etc. to visualize data  Home Dashboard: stats from all scans  Scan Dashboard: stats for a specific scan  Amplifier Dashboard: stats for a specific amplifier Hamza Zafar | Detection of Amplifiers using Active Measurements 25

  26. Framework: Notifications  E-mail notifications  Sent when the scan completes or fails  Helps in tackling operational challenges of the framework Figure: Amplifiers found notification Figure: Error notification Hamza Zafar | Detection of Amplifiers using Active Measurements 26

  27. Measurements  TUM’s public IPv4 address ranges scanned  10 UDP-based protocols assessed for amplification abuse  PlanetLab static IP addresses used for scanning nodes  Scans executed twice a day Figure: Scanning setup Hamza Zafar | Detection of Amplifiers using Active Measurements 27

Recommend

Operational amplifiers Types of operational amplifiers (bioelectric amplifiers have different

Operational amplifiers Types of operational amplifiers (bioelectric amplifiers have different

Operational amplifiers Types of operational amplifiers (bioelectric amplifiers have different gain values) Low-gain amplifiers (x1 to x10) Used for buffering and impedance transformation between signal source and readout device

665 views • 28 slides
An Active Telescope for Spoo fj ng Detection Raphael Hiesgen INET, Hamburg University of Applied

An Active Telescope for Spoo fj ng Detection Raphael Hiesgen INET, Hamburg University of Applied

An Active Telescope for Spoo fj ng Detection Raphael Hiesgen INET, Hamburg University of Applied Sciences Motivation Spoofing is a problem throughout the Internet Our focus: impact on measurements Research and operations depend on

406 views • 19 slides
Detection of HTTP-GET Attack with Clustering and Information Theoretic Measurements Pawel

Detection of HTTP-GET Attack with Clustering and Information Theoretic Measurements Pawel

Problem definition Clustering Detection Measurements Result analysis Future work Detection of HTTP-GET Attack with Clustering and Information Theoretic Measurements Pawel Chwalinski Roman Belavkin Xiaochun Cheng Middlesex University

590 views • 35 slides
Distributed Measurements for Attack Detection Distributed Measurements for Attack Detection Prof.

Distributed Measurements for Attack Detection Distributed Measurements for Attack Detection Prof.

Universitt Tbingen Computer Networks and Internet Distributed Measurements for Attack Detection Distributed Measurements for Attack Detection Prof. Dr. Georg Carle Chair for Computer Networks and Internet University of Tbingen Germany

291 views • 8 slides
Directed Probing for Efficient and Accurate Active Measurements Arthur Berger 1 Robert Beverly

Directed Probing for Efficient and Accurate Active Measurements Arthur Berger 1 Robert Beverly

Directed Probing for Efficient and Accurate Active Measurements Arthur Berger 1 Robert Beverly Naval Postgraduate School 1 MIT CSAIL rbeverly@nps.edu, awberger@csail.mit.edu February 8, 2010 AIMS-2 - Workshop on Active Internet Measurements

658 views • 49 slides
a AMPLIFIERS FOR SIGNAL CONDITIONING I Input Offset Voltage <100V I Input Offset Voltage

a AMPLIFIERS FOR SIGNAL CONDITIONING I Input Offset Voltage <100V I Input Offset Voltage

PRACTICAL DESIGN TECHNIQUES FOR SENSOR SIGNAL CONDITIONING 1 Introduction 2 Bridge Circuits I 3 Amplifiers for Signal Conditioning 4 Strain, Force, Pressure, and Flow Measurements 5 High Impedance Sensors 6 Position and Motion Sensors 7

647 views • 54 slides
The effect of AM noise on correlation PM noise measurements 1/f noise in RF and microwave

The effect of AM noise on correlation PM noise measurements 1/f noise in RF and microwave

The effect of AM noise on correlation PM noise measurements 1/f noise in RF and microwave amplifiers Enrico Rubiola, Rodolphe Boudot, Yannick Gruson FEMTO-ST Institute, Besanon, France CNRS and Universit de Franche Comt TimeNav 07

731 views • 27 slides
a STRAIN GAGE BASED MEASUREMENTS I Strain: Strain Gage, PiezoElectric Transducers I Force: Load

a STRAIN GAGE BASED MEASUREMENTS I Strain: Strain Gage, PiezoElectric Transducers I Force: Load

PRACTICAL DESIGN TECHNIQUES FOR SENSOR SIGNAL CONDITIONING 1 Introduction 2 Bridge Circuits 3 Amplifiers for Signal Conditioning I 4 Strain, Force, Pressure, and Flow Measurements 5 High Impedance Sensors 6 Position and Motion Sensors 7

483 views • 17 slides
Melting the Snow: Detecting Snowshoe Spam Domains Using Active DNS Measurements Introduction 1

Melting the Snow: Detecting Snowshoe Spam Domains Using Active DNS Measurements Introduction 1

Olivier van der Toorn <o.i.vandertoorn@utwente.nl> November 13, 2018 University of Twente, Design and Analysis of Communication Systems NOMS 2018 Melting the Snow: Detecting Snowshoe Spam Domains Using Active DNS Measurements

784 views • 75 slides
Changepoint detection in network measurements Allen B. Downey 1 Fundamental problem: Predict

Changepoint detection in network measurements Allen B. Downey 1 Fundamental problem: Predict

Changepoint detection in network measurements Allen B. Downey 1 Fundamental problem: Predict next value in time series. Applications: Protocol parameters (timeouts). Resource selection, scheduling. User feedback. 2 Two kinds of

678 views • 31 slides
Detection of topological phase transitions through entropy measurements Valeriy Gusynin

Detection of topological phase transitions through entropy measurements Valeriy Gusynin

Detection of topological phase transitions through entropy measurements Valeriy Gusynin Bogolyubov Institute for Theoretical Physics, Kyiv, Ukraine of the National Academy of Sciences of Ukraine Conference on Modern Concepts and New Materials

277 views • 25 slides
Conducting large-scale active and passive measurements of SSH deployments Oliver Gasser Master

Conducting large-scale active and passive measurements of SSH deployments Oliver Gasser Master

Conducting large-scale active and passive measurements of SSH deployments Oliver Gasser Master Thesis Advisor: Ralph Holz Chair for Network Architectures and Services Faculty of Computer Science Technische Universit at M unchen June

594 views • 17 slides
Melting the Snow Using Active DNS Measurements to Detect Snowshoe Spam Domains Olivier van der

Melting the Snow Using Active DNS Measurements to Detect Snowshoe Spam Domains Olivier van der

Melting the Snow Using Active DNS Measurements to Detect Snowshoe Spam Domains Olivier van der Toorn November 13, 2018 University of Twente, Design and Analysis of Communication Systems Introduction Olivier

825 views • 71 slides
Melting the Snow Using Active DNS Measurements to Detect Snowshoe Spam Domains Olivier van der

Melting the Snow Using Active DNS Measurements to Detect Snowshoe Spam Domains Olivier van der

Melting the Snow Using Active DNS Measurements to Detect Snowshoe Spam Domains Olivier van der Toorn February 1, 2018 University of Twente, Design and Analysis of Communication Systems Introduction Olivier

1.46k views • 90 slides
MySpeedTest: Active and Passive Measurements of Cellular Data Network Performance Sachit

MySpeedTest: Active and Passive Measurements of Cellular Data Network Performance Sachit

MySpeedTest: Active and Passive Measurements of Cellular Data Network Performance Sachit Muckaden Georgia Institute of Technology Motivation To study the effect of several possible parameters on performance Understand if and how

284 views • 10 slides
Active learning Co-training 3 Subtract-average detection score Grey-scale detection score

Active learning Co-training 3 Subtract-average detection score Grey-scale detection score

Active learning Co-training 3 Subtract-average detection score Grey-scale detection score Summary Boosting is a method for learning an accurate classifiers by combining many weak classifiers. Boosting is resistant to over-fitting .

611 views • 31 slides
Active measurements to Root DNS servers especially from Asian countries Yuji Sekiya

Active measurements to Root DNS servers especially from Asian countries Yuji Sekiya

Active measurements to Root DNS servers especially from Asian countries Yuji Sekiya sekiya@wide.ad.jp Probing Use dnsprobe with dialup connection 1 probe 30 min Running three dnsprobe processes Probed between 25 th Feb. and

605 views • 27 slides
Anycast census and geolocation AIMS: Workshop on Active Internet Measurements 31 March - 2 April

Anycast census and geolocation AIMS: Workshop on Active Internet Measurements 31 March - 2 April

Anycast census and geolocation AIMS: Workshop on Active Internet Measurements 31 March - 2 April 2015 Cicalese Danilo Jordan Auge Diana Joumblatt Dario Rossi Timur Friedman Here is where the anycast instances are Demo: goo.gl/Ff8gdQ 12

338 views • 19 slides
Workshop on Active Internet Measurements CAIDA February 8-9, 2010 Julio Ibarra Center for

Workshop on Active Internet Measurements CAIDA February 8-9, 2010 Julio Ibarra Center for

Measurement Activities at AMPATH and Latin America Workshop on Active Internet Measurements CAIDA February 8-9, 2010 Julio Ibarra Center for Internet Augmented Research and Assessment Florida International University Outline About CIARA

183 views • 15 slides
Workshop on Active Internet Measurements Sam Crawford (sam@samknows.com) 9 February 2012

Workshop on Active Internet Measurements Sam Crawford (sam@samknows.com) 9 February 2012

Workshop on Active Internet Measurements Sam Crawford (sam@samknows.com) 9 February 2012 Background Company WAREHOUSE IN 2008 Regulatory work Since 2008 Since 2010 Since 2011 Since 2011 UK USA Europe Singapore United Kingdom United

268 views • 22 slides
Division (CSD) Active Internet Measurements (AIMS) 2015 Conference B. Ann Cox, PhD. Program

Division (CSD) Active Internet Measurements (AIMS) 2015 Conference B. Ann Cox, PhD. Program

DHS S&T Cyber Security Division (CSD) Active Internet Measurements (AIMS) 2015 Conference B. Ann Cox, PhD. Program Manager Cyber Security Division (CSD) HSARPA Science and Technology (S&T) Directorate CSDs Going to RSA! The

813 views • 9 slides
CyberProbe: Towards Internet-Scale Active Detection of Malicious Servers a. nappa , z. xu, m.z.

CyberProbe: Towards Internet-Scale Active Detection of Malicious Servers a. nappa , z. xu, m.z.

CyberProbe: Towards Internet-Scale Active Detection of Malicious Servers a. nappa , z. xu, m.z. rafique, j.caballero, g.gu imdea software institute success lab, texas a&m univeristy Cybercriminals use geographically distributed servers to

652 views • 24 slides
An Empirical Study on Selective Sampling in Active Learning for Splog Detection Taichi Katayama 1

An Empirical Study on Selective Sampling in Active Learning for Splog Detection Taichi Katayama 1

An Empirical Study on Selective Sampling in Active Learning for Splog Detection Taichi Katayama 1 Takehito Utsuro 1 Yuuki Sato 2 Takayuki Yoshinaka 3 Yasuhide Kawada 4 Tomohiro Fukuhara 5 1 University of Tsukuba, 2 Konami Corporation, 3 Tokyo Denki

661 views • 44 slides
The Active Card An Active Mind in an Active Body More people, More Active, More often! The

The Active Card An Active Mind in an Active Body More people, More Active, More often! The

The Active Card An Active Mind in an Active Body More people, More Active, More often! The Active vision Active The Olympic Legacy 100,000 card holders by 2012 SMART card technology Improved communications for

421 views • 21 slides

More recommend