Chair for Network Architectures and Services, Technische Universität München

IP Spoofing Detection Through Time to Live Header Analysis
Final Talk, BSc Informatics

Arno Hilke
Supervisor: Prof. Dr.-Ing. Georg Carle
Advisors: Quirin Scheitle, Oliver Gasser, Paul Emmerich, Felix von Eye
April 27, 2016

Chair for Network Architectures and Services, Department of Informatics, Technische Universität München
Outline
◮ Introduction
  ◮ Motivation
  ◮ Background
  ◮ Research Questions
◮ Approach
◮ Results
  ◮ Intermediate Format
  ◮ Flow Characteristics
  ◮ TTL Stability
◮ Future Work
◮ Conclusion
Motivation

Goal: detect anomalies passively
◮ TTL already available in packet header
◮ may be aided by active measurements
  → cf. Till Wickenheiser: "Correlating inbound Time to Live header data to network characteristics"

Basic Idea: path lengths likely differ between authentic source and MWN, and between adversary and MWN
◮ premise: source and MWN have communicated before
◮ adversary could test different TTL values, or try to measure paths
  → but more effort, especially when using many IP addresses
Background

Time to Live (TTL): 8 bit field in IPv4/IPv6 header (Hop Count for IPv6)
◮ decreased by every router
◮ packet discarded when zero
◮ prevents loops

IP spoofing: forging the source address of an IP packet
◮ attacker does not care about responses
◮ conceals true source
◮ e.g. DNS amplification attack
Research Questions

Analyse captured data with respect to the following questions:
◮ Is TTL analysis for spoofing/anomaly detection viable?
◮ Are incoming TTL values for individual hosts or flows stable?
◮ Are TTL values sufficiently spread, so that the chance of a spoofed packet coincidentally having the correct TTL value is reasonably low?
◮ Can hosts be grouped together, e.g. as subnets?
◮ Is there a different behaviour between IPv4 and IPv6?
◮ Are there differences between TCP and UDP?
Approach

Challenge: analyse 9 TiB of data efficiently with respect to the research questions
◮ raw data: 18 byte per IPv4 packet, ordered by time of arrival

Table: Raw data format for one packet
Field | Ext. IP  | Protocol | Ext. port | Int. port | TTL | Timestamp
Size  | 4 B/16 B | 1 B      | 2 B       | 2 B       | 1 B | 8 B
Solution: create an intermediate data format to accelerate the run time of the analysis programs
◮ reduce timestamps from 8 B to 4 B
◮ aggregate packets to flows

Flow Definition used in this thesis:
◮ identified by ext. IP address, protocol, int. and ext. port
◮ times out 10 minutes after last received packet
Intermediate Data Format

Table: Intermediate data format for one flow
Flow header | Ext. IP  | Start | End | Ext. port | Int. port | Prot. | # Dist. TTLs
Size        | 4 B/16 B | 4 B   | 4 B | 2 B       | 2 B       | 1 B   | 1 B

Per distinct TTL | Start TTL | End TTL | # Packets | TTL value
Size             | 4 B       | 4 B     | 4 B       | 1 B

◮ instead of 18 B per IPv4 packet, 18 B + 13 B per distinct TTL for each flow
Evaluation
◮ analyse intermediate data with respect to the research questions
  → create CSV files with aggregated, specific data
  ◮ packets per flow
  ◮ flow duration
  ◮ TTL values in flow
  ◮ unique IP addresses
◮ use Python to evaluate CSV data
◮ additionally matplotlib for diagram generation
Results

Memory Reduction

Table: Memory consumption for raw and intermediate data
      | Raw data | Intermediate data
Total | 9.2 TiB  | 258.9 GiB (2.7%)
IPv4  | 8.2 TiB  | 232.7 GiB (2.8%)
IPv6  | 1.0 TiB  | 26.1 GiB (2.5%)

Data Distribution
◮ 93% of recorded packets and flows were IPv4
◮ 86% of captured packets employed TCP
◮ 49% of flows used TCP
Packet Distribution
◮ most flows consist of only a few packets
◮ more than 80% of UDP flows consist of only one packet
◮ similar behaviour for IPv4 and IPv6
Flow Duration
◮ ~90% of TCP flows are longer than the respective UDP flows, highest 10% roughly the same
◮ IPv6/TCP flows are longer than IPv4/TCP flows
TTL Stability

Table: Percentage of flows with only one TTL
Flows      | IPv4 All | IPv4 TCP | IPv4 UDP | IPv6 All | IPv6 TCP | IPv6 UDP
All        | 96.33%   | 93.56%   | 99.01%   | 98.49%   | 96.41%   | 99.83%
> 1 packet | 93.03%   | 92.55%   | 95.16%   | 96.37%   | 95.80%   | 98.74%

◮ TTL values in flows are relatively stable
◮ two to five distinct TTLs increasingly unlikely, more than five very rare
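The following is an added example (Python, not code from the thesis or the chair) covering two of the preceding slides: it aggregates raw 18-byte IPv4 packet records into flows using the flow definition from the Solution slide (key = ext. IP, protocol, int. and ext. port; timeout 10 minutes after the last packet), serialises each flow in the intermediate format from the Intermediate Data Format slide (18 B header plus 13 B per distinct TTL), and then computes the "flows with only one TTL" share that the TTL Stability table reports. The field order inside each record, the use of network byte order, the protocol numbers 6/17 and the interpretation of the 8 B raw timestamp as Unix seconds (so that it fits into 4 B) are assumptions; the packet records are constructed, not capture data.

```python
"""Flow aggregation, intermediate-format serialisation and TTL-stability share.

Added example; layouts follow the two tables on the slides (IPv4 variant).
Assumptions: network byte order, raw timestamp = Unix seconds, TCP = 6, UDP = 17.
"""
import socket
import struct

RAW_FMT = "!4sBHHBQ"        # ext. IP, protocol, ext. port, int. port, TTL, 8 B timestamp
FLOW_HDR_FMT = "!4sIIHHBB"  # ext. IP, start, end, ext. port, int. port, protocol, # distinct TTLs
TTL_ENTRY_FMT = "!IIIB"     # start, end, # packets, TTL value (one entry per distinct TTL)
FLOW_TIMEOUT = 600          # a flow times out 10 minutes after its last received packet
TCP, UDP = 6, 17            # IANA protocol numbers (assumed encoding of the 1 B protocol field)

assert struct.calcsize(RAW_FMT) == 18                    # 18 B per raw IPv4 packet
assert struct.calcsize(FLOW_HDR_FMT) == 18               # 18 B flow header ...
assert struct.calcsize(TTL_ENTRY_FMT) == 13              # ... + 13 B per distinct TTL


class Flow:
    """One flow in the intermediate format: header plus one entry per distinct TTL."""

    def __init__(self, ip, proto, ext_port, int_port, ts, ttl):
        self.ip, self.proto = ip, proto
        self.ext_port, self.int_port = ext_port, int_port
        self.start = self.end = ts
        self.ttls = {}          # TTL value -> [first seen, last seen, packet count]
        self.add(ts, ttl)

    def add(self, ts, ttl):
        self.end = ts
        entry = self.ttls.setdefault(ttl, [ts, ts, 0])
        entry[1] = ts
        entry[2] += 1

    @property
    def packets(self):
        return sum(entry[2] for entry in self.ttls.values())

    def pack(self):
        """Serialise the flow: 18 B header followed by 13 B per distinct TTL."""
        out = struct.pack(FLOW_HDR_FMT, self.ip, self.start, self.end,
                          self.ext_port, self.int_port, self.proto, len(self.ttls))
        for ttl, (first, last, count) in sorted(self.ttls.items()):
            out += struct.pack(TTL_ENTRY_FMT, first, last, count, ttl)
        return out


def aggregate_flows(raw):
    """Turn raw records (ordered by arrival time) into a list of Flow objects."""
    active, finished = {}, []
    for ip, proto, ext_port, int_port, ttl, ts in struct.iter_unpack(RAW_FMT, raw):
        key = (ip, proto, ext_port, int_port)
        flow = active.get(key)
        if flow is not None and ts - flow.end > FLOW_TIMEOUT:
            finished.append(active.pop(key))   # timed out: close it, start a new flow
            flow = None
        if flow is None:
            active[key] = Flow(ip, proto, ext_port, int_port, ts, ttl)
        else:
            flow.add(ts, ttl)
    finished.extend(active.values())           # flush everything still open at the end
    return finished


def unpack_flows(data):
    """Read intermediate-format bytes back as (ip, proto, ext, int, {ttl: packets})."""
    hdr_size, entry_size = struct.calcsize(FLOW_HDR_FMT), struct.calcsize(TTL_ENTRY_FMT)
    offset, flows = 0, []
    while offset < len(data):
        ip, _start, _end, ext_port, int_port, proto, n = struct.unpack_from(FLOW_HDR_FMT, data, offset)
        offset += hdr_size
        ttls = {}
        for _ in range(n):
            _first, _last, count, ttl = struct.unpack_from(TTL_ENTRY_FMT, data, offset)
            ttls[ttl] = count
            offset += entry_size
        flows.append((socket.inet_ntoa(ip), proto, ext_port, int_port, ttls))
    return flows


def single_ttl_share(flows, proto=None, min_packets=1):
    """Fraction of flows (optionally filtered by protocol / packet count) with exactly one TTL."""
    sel = [f for f in flows if (proto is None or f.proto == proto) and f.packets >= min_packets]
    return sum(1 for f in sel if len(f.ttls) == 1) / len(sel) if sel else 0.0


def sample_records():
    """Constructed raw records (not capture data), ordered by arrival time."""
    pkts = [
        ("10.0.0.1", TCP, 443, 50000, 54, 1000),   # flow A: three packets, one TTL
        ("10.0.0.1", TCP, 443, 50000, 54, 1001),
        ("10.0.0.1", TCP, 443, 50000, 54, 1002),
        ("10.0.0.2", UDP, 53, 40000, 120, 1005),   # flow B: single-packet UDP flow
        ("10.0.0.3", TCP, 80, 50001, 57, 1010),    # flow C: TTL changes mid-flow
        ("10.0.0.3", TCP, 80, 50001, 56, 1011),
        ("10.0.0.1", TCP, 443, 50000, 54, 1700),   # same key as A, > 10 min later: new flow
    ]
    return b"".join(struct.pack(RAW_FMT, socket.inet_aton(ip), proto, ext, intp, ttl, ts)
                    for ip, proto, ext, intp, ttl, ts in pkts)


if __name__ == "__main__":
    flows = aggregate_flows(sample_records())
    blob = b"".join(f.pack() for f in flows)
    print(f"{len(flows)} flows; {len(blob)} B intermediate vs {len(sample_records())} B raw")
    for proto, name in ((None, "all"), (TCP, "TCP"), (UDP, "UDP")):
        print(f"{name}: {single_ttl_share(flows, proto):.2%} of flows have a single TTL")
    for entry in unpack_flows(blob):
        print(entry)
```

Note that on this tiny input the intermediate format is larger than the raw records (137 B versus 126 B), because a single-packet flow costs 31 B instead of 18 B; the 2.7% figure on the Results slide comes from long TCP flows, where one 13 B TTL entry replaces thousands of 18 B packet records. The `min_packets=2` filter reproduces the "> 1 packet" row of the stability table, which excludes exactly those one-packet flows that are trivially single-TTL.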
Future Work

Further evaluations for TTL Stability
◮ adjacency of TTL values
◮ frequency of TTL values

Additional Levels of Evaluation
◮ utilise port numbers to infer applications
◮ analyse on host/IP address level

Other Data Sets
◮ different time period
◮ other or more L4 protocols (e.g. ICMP, SCTP)
◮ different vantage point in the internet

⇒ evaluate TTL based filter mechanism conclusively and possibly realise it
Conclusion
◮ ~96% of flows have only one TTL value
◮ UDP flows are more stable than TCP flows
◮ IPv4/TCP flows are more stable for higher packet counts in comparison
◮ viability of TTL filtering can't be conclusively assessed yet
◮ evaluations show decent conditions, possibly with some restrictions
Thank you for your attention! Any questions?