The Internet Motion Sensor: A Distributed Blackhole Monitoring System. Authors: Michael Bailey, Evan Cooke, Farnam Jahanian, Jose Nazario, and David Watson Publication: Proceedings of the 12th Annual Network and Distributed System Security Symposium (NDSS), San Diego, CA, Feb. 2005.


Presentation Transcript


The Internet Motion Sensor: A Distributed Blackhole Monitoring System

Authors: Michael Bailey, Evan Cooke, Farnam Jahanian, Jose Nazario, and David Watson

Publication: Proceedings of the 12th Annual Network and Distributed System Security Symposium (NDSS), San Diego, CA, Feb. 2005.

Presenter: Brad Mundt for CAP6133 Spring ‘08


Motivation

  • Stability and integrity of national infrastructure

  • Rapid moving threats

    • Worms

    • DDOS

    • Routing Exploits

  • Globally scoped

    • No geographic or topological boundaries

  • Evolutionary threats


Monitoring

  • Dark address space

    • No legitimate hosts

    • Misconfiguration

    • Attack

  • Challenges

    • Sensor coverage

    • Service emulation


Internet Monitoring System (IMS)

  • Distributed, globally scoped Internet threat monitoring system

    • Sensor network

    • Lightweight responder

    • Payload signature and caching


IMS Architecture


Sensor Network

  • Designed to measure, characterize, and track

  • Less in-depth information

  • Increase global threat visibility

    • Wide and distributed address blocks

  • 28 distinct monitored blocks

    • 18 physical installations

  • Query system to connect all sensors

    • Beyond scope of the paper


Lightweight responder

  • Get responses across ports without application-related information

    • Service agnostic: Responds to SYN requests on all ports

  • In a UDP exchange, the payload can arrive in the first packet

  • In a TCP connection, the payload arrives only after the handshake completes


Lightweight responder: Infection responses by target


Lightweight responder

  • Passive aspect captures UDP based attacks

  • Active aspect initiates TCP connection

    • Elicits payload to differentiate traffic

    • Many threats use same ports

    • IMS responds to SYN requests on all ports


Lightweight responder: Differentiate Services


Hashing and caching

  • MD5 hash the packet payload

    • If new

      • Add hash to DB

      • Cache payload for analysis

    • If already seen

      • Log

  • Also good for metrics
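The two mechanisms on the preceding slides, the service-agnostic responder and the MD5 hash-and-cache step, fit together in one small model. The code below is an added example written for this transcript, not code from the IMS paper or its authors: packets are plain Python objects rather than real frames, sequence numbers and retransmission are left out, and the addresses, ports and payloads in the sample trace are constructed. It shows why the TCP side must answer the SYN on any port before a payload can be captured, why UDP needs no reply at all, and how hashing lets the sensor cache each distinct payload once while still logging every sighting.

```python
# Added example (not from the paper or the slides): a model of the IMS
# lightweight responder plus MD5 payload hashing/caching. Packets are plain
# Python objects; the SYN/ACK and data exchange is simulated, and sequence
# numbers and retransmission are deliberately omitted.
import hashlib
from dataclasses import dataclass


@dataclass
class Packet:
    src: str                        # source address (constructed sample values)
    proto: str                      # "tcp" or "udp"
    dport: int                      # destination port on the sensor
    flags: frozenset = frozenset()  # TCP flags such as {"SYN"}; empty for UDP
    payload: bytes = b""


class PayloadCache:
    """MD5-keyed store: each payload is cached once, every sighting is logged."""

    def __init__(self):
        self.db = {}    # md5 hex digest -> payload bytes, kept for later analysis
        self.log = []   # one entry per sighting: (digest, src, proto, dport)

    def record(self, pkt):
        digest = hashlib.md5(pkt.payload).hexdigest()
        is_new = digest not in self.db
        if is_new:
            self.db[digest] = pkt.payload   # new payload: add hash and cache the body
        self.log.append((digest, pkt.src, pkt.proto, pkt.dport))  # new or not: log it
        return digest, is_new

    def sightings(self, digest):
        """How many times this payload has been delivered (a virulence proxy)."""
        return sum(1 for entry in self.log if entry[0] == digest)

    def sources(self, digest):
        """Distinct sources that delivered this payload (a demographics proxy)."""
        return {entry[1] for entry in self.log if entry[0] == digest}


class LightweightResponder:
    """Service-agnostic responder: SYN/ACK on every TCP port, passive capture for UDP."""

    def __init__(self, cache):
        self.cache = cache
        self.open_flows = set()   # (src, dport) pairs already answered with SYN/ACK

    def handle(self, pkt):
        """Process one inbound packet; return the reply packet, or None if silent."""
        if pkt.proto == "udp":
            # UDP: the payload is in the first datagram, so capture it passively.
            if pkt.payload:
                self.cache.record(pkt)
            return None

        flow = (pkt.src, pkt.dport)
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:
            # TCP: complete the handshake on any port so the client sends its payload.
            self.open_flows.add(flow)
            return Packet("sensor", "tcp", pkt.dport, frozenset({"SYN", "ACK"}))
        if flow in self.open_flows and pkt.payload:
            # Data after the handshake is what separates threats that share a port.
            self.cache.record(pkt)
            return Packet("sensor", "tcp", pkt.dport, frozenset({"ACK"}))
        return None  # bare ACKs, RSTs, data on unknown flows: nothing to do


def replay(packets):
    """Run a packet trace through a fresh responder and return the filled cache."""
    cache = PayloadCache()
    responder = LightweightResponder(cache)
    for pkt in packets:
        responder.handle(pkt)
    return cache


# Constructed sample trace: two TCP clients hitting different ports with the
# same payload, one UDP datagram, and one stray data packet with no handshake.
SAMPLE_TRACE = [
    Packet("10.0.0.1", "tcp", 80, frozenset({"SYN"})),
    Packet("10.0.0.1", "tcp", 80, frozenset({"ACK"})),
    Packet("10.0.0.1", "tcp", 80, frozenset({"PSH", "ACK"}), b"GET /x HTTP/1.0\r\n\r\n"),
    Packet("10.0.0.2", "tcp", 8080, frozenset({"SYN"})),
    Packet("10.0.0.2", "tcp", 8080, frozenset({"PSH", "ACK"}), b"GET /x HTTP/1.0\r\n\r\n"),
    Packet("10.0.0.3", "udp", 1434, payload=b"\x04" + b"\x01" * 16),
    Packet("10.0.0.4", "tcp", 445, frozenset({"PSH", "ACK"}), b"unsolicited"),
]

if __name__ == "__main__":
    cache = replay(SAMPLE_TRACE)
    for digest, body in cache.db.items():
        print(digest, len(body), "bytes,", cache.sightings(digest), "sightings")
```

Running the sample trace yields two cached payloads (the HTTP request and the UDP datagram) even though three packets carried data, and the HTTP payload is logged twice from two sources while the data packet with no preceding SYN is dropped. A real deployment answers on every port at layer 3 rather than on one listening socket, which is exactly what makes the sensor fingerprintable, a point the later slides return to.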


Metrics

  • Worm behaviors

    • Virulence

    • Demographics

    • Propagation

    • Community Response

  • Scanning

  • DDOS


Worm lifecycle


Worm presence


Scanning


DDOS


Summary

  • A globally scoped Internet monitoring system

    • Wide, dark address monitoring

    • Blackhole networking

  • Three components

    • Distributed Monitoring Infrastructure

    • Lightweight Active Responder

    • Payload Signatures and Caching


Contributions

  • A wider scope IMS in dark address blocks

  • Layer 3 lightweight responder

  • Unique payload caching by hashing


Weaknesses

  • Limited analysis from the lightweight responder

    • No layer 7 information, all layer 3

  • Sensors could be identified

    • Fingerprinted

    • Blacklisted


How to Improve

  • Anti-fingerprinting techniques

    • Sensor rotation

    • Source squelching

    • Blackhole masking with simulated hosts and topology

  • Hybrid system

    • Combine host-based sensors with wide address space monitors

  • Additional techniques for characterizing attackers

    • OS fingerprinting

    • Firepower calculations
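The slides name "source squelching" as an anti-fingerprinting measure without defining it. The code below is an added example, not from the paper or the presenter, and it assumes one plausible reading: a source that probes many distinct ports on the sensor within a short window is treated as something mapping the dark space, and the responder goes silent toward that source for a cooldown period so the "answers on every port" signature is not handed out on demand. The thresholds, window and cooldown are constructed values, and the trade-off is visibility: a squelched source's later payloads are no longer elicited.

```python
# Added example (not from the paper or the slides): a per-source squelch policy
# for the lightweight responder. Assumption: a source touching more than
# max_ports distinct ports inside `window` seconds is silenced for `cooldown`.
from collections import defaultdict, deque


class SourceSquelch:
    def __init__(self, max_ports=8, window=60.0, cooldown=600.0):
        self.max_ports = max_ports          # distinct ports tolerated per window
        self.window = window                # seconds of history kept per source
        self.cooldown = cooldown            # seconds of silence once triggered
        self.history = defaultdict(deque)   # src -> deque of (time, dport)
        self.silenced_until = {}            # src -> time at which replies resume

    def should_respond(self, src, dport, now):
        """Return True if the responder may answer this source at time `now`."""
        until = self.silenced_until.get(src)
        if until is not None:
            if now < until:
                return False                # still in cooldown: stay dark
            del self.silenced_until[src]    # cooldown over: forget old history
            self.history[src].clear()

        hist = self.history[src]
        hist.append((now, dport))
        while hist and now - hist[0][0] > self.window:
            hist.popleft()                  # drop probes outside the window

        distinct_ports = {port for _, port in hist}
        if len(distinct_ports) > self.max_ports:
            # Looks like a port sweep against the sensor: go silent.
            self.silenced_until[src] = now + self.cooldown
            return False
        return True


def simulate(policy, events):
    """events: iterable of (now, src, dport); returns the decision per event."""
    return [policy.should_respond(src, dport, now) for now, src, dport in events]


if __name__ == "__main__":
    # Constructed sample: one source sweeping ports 1..12, one source
    # repeatedly hitting port 80 (a worm-like pattern that is never squelched).
    policy = SourceSquelch(max_ports=8)
    sweep = [(t, "198.51.100.7", t + 1) for t in range(12)]
    repeat = [(t, "203.0.113.9", 80) for t in range(12)]
    print("sweep:  ", simulate(policy, sweep))
    print("repeat: ", simulate(policy, repeat))
```

With the defaults, the sweeping source gets eight replies and then silence, while the source that keeps returning to one port is answered every time, so payload capture for single-port worm traffic is unaffected. Rotating which address blocks the sensor answers from, or fronting it with simulated hosts as the slide suggests, would be layered on top of a policy like this rather than replace it.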


The End

Thank you…

