Project Darklight - Rob Buijs, Michael Rave

Overview (slide 2)
  - XS4ALL Darknet
  - Research question
  - Argus
  - Research
  - Results
  - Zero day warning system
  - Internet Security Index
  - Conclusion
  - Future work

XS4ALL Darknet (slide 3)
  - Darknets
  - Traffic to the XS4ALL darknet:
    - For everyone: unused XS4ALL address space
    - For XS4ALL customers: unused XS4ALL address space and bogon IPs
  - Captured with Argus
  - No response is ever sent

XS4ALL Darknet (slide 4)
  (diagram only; no text extracted)

Research question (slide 5)
  "What information can be gained from the captured XS4ALL Darknet streams, and could it be used as a zero day warning system?"

Argus (slide 6)
  - Real-time flow monitor
  - Fields: source and destination IP address, source and destination port, protocol type, start time, and for UDP the first 712 bytes of payload
  - 4 months of data
  - Argus tools

Research - Patterns (slide 7)
  - Port scans
  - IP scans
  - IP patterns
  - Port patterns
  - Time patterns

Research - Protocol usage (slide 8)
  Pie chart: average protocol usage across TCP, UDP, ICMP, IGMP, ARP, RTCP, IPv6 and ESP; the three largest slices are 56%, 37% and 6% (the slice labels could not be recovered from the extracted text).

Research - Time pattern (slide 9)
  Bar chart: average number of packets per hour, hours 7 through 6 of the next day, y-axis 0 to 200,000.

Research - Origin (slide 10)
  - Why: misconfiguration; viruses, worms and malware; scans
  - From where: countries; customers; non-customers

Research - Traffic streams (slide 11)
  (figure only; no text extracted)

Research - Country origin (slide 12)
  Pie chart: country origin of traffic to unused XS4ALL space (NL, FR, DE, PL, IT, GN, ES, HU, CN, IL); the largest slice is 80%, the remaining slices are 6%, 3%, 3%, 2%, 2% and 1%.

Research - Country origin (slide 13)
  Pie chart: country origin of traffic to unused XS4ALL space, without XS4ALL customers (NL, FR, IT, GB, PL, ES, HU, CN, IL, KR); the largest slice is 57%, followed by 16%, 6%, 5%, 3%, 3% and 2%.

Research - Analysis (slide 14)
  - Top N
  - Baseline
  - Trends

Research - Port analysis (slide 15)
  Chart: Top N destination ports (65535, 8000, 4662, 137, 135, 80, 0 and ICMP) per day over Day 1 to Day 10, y-axis 0 to 350,000 packets.

Research - Port trends (slide 16)
  - The coming of the SAV worm (chart)

Research - Port trend analysis (slide 17)
  - Trend calculation against a baseline
  - Effective for detecting the upcoming popularity of ports
  - Important to define a minimum port frequency; otherwise the top of the ranking looks like this (percentage increase of the day's count over the overall average):
    62.50% - Portnumber: 12149 - Port amount: 13 - Overallaverage: 8
    40.00% - Portnumber: 12186 - Port amount: 7 - Overallaverage: 5
    34.21% - Portnumber: 12183 - Port amount: 51 - Overallaverage: 38
    25.00% - Portnumber: 12165 - Port amount: 10 - Overallaverage: 8
    18.52% - Portnumber: 12210 - Port amount: 32 - Overallaverage: 27
    18.18% - Portnumber: 12204 - Port amount: 13 - Overallaverage: 11
    16.67% - Portnumber: 12188 - Port amount: 7 - Overallaverage: 6
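The ranking on the port trend analysis slide can be reproduced as follows. This is an added example, not the Darklight tooling: the formula (amount - overall average) / overall average is inferred from the slide's own figures, the daily counts and the minimum-frequency threshold of 10 are constructed, and port 5555 is a made-up "never seen before" port.

```python
from collections import Counter

# Constructed sample (not XS4ALL data): packets per destination port per day.
# The last entry is "today"; the earlier days form the baseline.
DAILY_PORT_COUNTS = [
    Counter({80: 300, 135: 250, 12149: 8, 12183: 38, 12186: 5}),   # day 1
    Counter({80: 310, 135: 240, 12149: 8, 12183: 38, 12186: 5}),   # day 2
    Counter({80: 290, 135: 260, 12149: 13, 12183: 51, 12186: 7,
             5555: 40}),                            # day 3: 5555 never seen before
]

def baseline(history):
    """Overall average packets per port over the baseline days (a day without the port counts as 0)."""
    if not history:
        return {}
    ports = set().union(*history)
    return {p: sum(day[p] for day in history) / len(history) for p in ports}

def port_trends(history, today, min_port_amount):
    """Rank today's ports by increase over the baseline: (amount - average) / average.
    Ports seen fewer than min_port_amount times today are skipped, so a jump from
    5 to 7 packets cannot outrank a real surge. A port with no baseline at all
    gets an infinite increase and therefore sorts first."""
    avg = baseline(history)
    rows = []
    for port, amount in today.items():
        if amount < min_port_amount:
            continue
        base = avg.get(port, 0.0)
        increase = float("inf") if base == 0 else (amount - base) / base
        rows.append((increase, port, amount, base))
    rows.sort(key=lambda r: (r[0], r[2]), reverse=True)
    return rows

def format_trend(row):
    """Render one ranking entry in the same layout the slide uses."""
    increase, port, amount, base = row
    pct = "new" if increase == float("inf") else f"{increase * 100:.2f}%"
    return f"{pct} - Portnumber: {port} - Port amount: {amount} - Overallaverage: {base:g}"

if __name__ == "__main__":
    history, today = DAILY_PORT_COUNTS[:-1], DAILY_PORT_COUNTS[-1]
    for row in port_trends(history, today, min_port_amount=10):
        print(format_trend(row))
```

Lowering min_port_amount to 1 lets port 12186 (7 packets, +40%) rank above 12183 (51 packets, +34%), which is the noise the slide warns about.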
Zero day warning system (slide 18)
  - Identify and notify upcoming threats at an early stage
  - Trend analysis of darknet data
  - Top N analysis

Internet security index (slide 19)
  - Total amount
  - Rapid increase
  - Port rating
  - IP rating

Conclusion (slide 20)
  - IP origin: country of the IP address
  - Protocol usage
  - Time patterns
  - Port patterns
  - Zero day warning system: trend analysis, Top N

Future work (slide 21)
  - Cooperate with DShield / Internet Storm Center
  - Build the zero day warning system
  - Build the internet security index
  - Build an abuse messages system

Questions (slide 22)
  ?