Traffic Analysis and Risk Assessment of a Medium-Sized ISP

Alan W. Rateliff, II

  • Florida Internet Service Provider

  • Approximately 2000 ADSL users

  • Connections between 256kb/s and 5Mb/s

  • Traffic monitoring between ADSL aggregation device and Internet


The Tool

  • Selected ISP customer DSL traffic is copied to Q-Radar from a network switch “monitor” (mirror) port

  • Captured traffic is analyzed to identify potentially malicious activity

  • Three primary types of activity form the basis of this presentation

www.q1labs.com


Traffic Anomalies

  • Protocol and port mismatch: 500kb/s bursts

  • Remote system port scanning: 1.2Mb/s bursts

  • Internet Relay Chat bot-net controls: more than 59,000 events over a 12-day period

  • Honorable Mentions

    • “Direct-to-MX” SMTP transactions (spam, etc.)

    • P2P networking (BitTorrent, eDonkey, etc.)


Protocol/Port Mismatches

  • An application protocol carried on a port other than its well-known one

  • Evades port-based blocking and monitoring, including:

    • Firewalls and ACLs

    • Simple (port-based) IDS

  • IANA maintains the official registry of well-known and registered port numbers

  • Examples of legitimate port mismatches:

    • SMTP (well-known port 25) on port 587 (message submission)

    • HTTP (well-known port 80) on port 8080 (HTTP alternate)


Remote System Port Scans

  • Usually the first stage of an attack on a remote system

  • Probes for services actively accepting connections

  • Discovered services are then probed for known vulnerabilities

  • Can detect services running on non-standard ports

  • Can identify (fingerprint) operating systems

  • F/OSS scanner: nmap (insecure.org)
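What a port scan looks like in the kind of flow records a monitor port yields, as an added example that is not from the talk or from Q-Radar. Per source and per time bucket it counts the distinct ports touched on one host (a vertical scan) and the distinct hosts touched on one port (a horizontal scan), and reports how many of that source's connections went unanswered, which is the supporting signal that separates a scanner from a busy but normal client. The addresses, flows and thresholds are all constructed assumptions.

```python
"""Added example (not from the talk or from Q-Radar): a toy port-scan
detector over flow records of the kind a monitor port would yield.
All addresses and flows below are constructed; thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float         # seconds since epoch
    src: str          # initiating (customer) address
    dst: str          # remote address
    dport: int        # remote TCP port
    reply_bytes: int  # bytes the remote side sent back; 0 means the probe went unanswered


WINDOW_S = 60              # fixed time bucket, assumed
VERTICAL_THRESHOLD = 15    # distinct ports on one host per bucket, assumed
HORIZONTAL_THRESHOLD = 15  # distinct hosts on one port per bucket, assumed


def detect_scans(flows, window=WINDOW_S, vthresh=VERTICAL_THRESHOLD, hthresh=HORIZONTAL_THRESHOLD):
    """Return alerts for sources that touch many ports on one host (vertical scan)
    or one port on many hosts (horizontal scan) within a time bucket."""
    vertical = defaultdict(set)    # (src, bucket, dst)   -> {dport}
    horizontal = defaultdict(set)  # (src, bucket, dport) -> {dst}
    probes = defaultdict(int)      # (src, bucket) -> flows seen
    silent = defaultdict(int)      # (src, bucket) -> flows with no reply
    for f in flows:
        bucket = int(f.ts // window)
        vertical[(f.src, bucket, f.dst)].add(f.dport)
        horizontal[(f.src, bucket, f.dport)].add(f.dst)
        probes[(f.src, bucket)] += 1
        if f.reply_bytes == 0:
            silent[(f.src, bucket)] += 1

    def alert(kind, src, bucket, target, count):
        # Fraction of unanswered connections is a supporting signal: a scanner
        # hits closed ports far more often than a normal client does.
        ratio = silent[(src, bucket)] / probes[(src, bucket)]
        return {"type": kind, "src": src, "target": target, "count": count,
                "window_start": bucket * window, "unanswered_ratio": round(ratio, 2)}

    alerts = []
    for (src, bucket, dst), ports in vertical.items():
        if len(ports) >= vthresh:
            alerts.append(alert("vertical", src, bucket, dst, len(ports)))
    for (src, bucket, dport), hosts in horizontal.items():
        if len(hosts) >= hthresh:
            alerts.append(alert("horizontal", src, bucket, dport, len(hosts)))
    return alerts


def sample_flows():
    """Constructed flows: one vertical scanner, one horizontal scanner, one normal client."""
    flows = []
    for i in range(30):   # 10.1.1.5 walks ports 1..30 on a single host, nothing answers
        flows.append(Flow(1000.0 + i * 0.1, "10.1.1.5", "203.0.113.10", 1 + i, 0))
    for i in range(20):   # 10.1.1.6 tries port 445 on twenty neighbouring hosts
        flows.append(Flow(1000.0 + i * 0.2, "10.1.1.6", f"203.0.113.{i + 1}", 445, 0))
    for i, host in enumerate(["198.51.100.1", "198.51.100.2", "198.51.100.3"]):
        flows.append(Flow(1000.0 + i, "10.1.1.7", host, 80, 4096))   # ordinary browsing
        flows.append(Flow(1001.0 + i, "10.1.1.7", host, 443, 8192))
    return flows


if __name__ == "__main__":
    for a in detect_scans(sample_flows()):
        print(a)
```

Fixed time buckets keep the logic short; a production detector would use a sliding window so a scan straddling a bucket boundary is not missed, and would weight unanswered probes (RST or silence) rather than just counting them.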


Internet Relay Chat (IRC) Connections

  • Internet-based “chat rooms” called “channels”

  • Bot-net clients connect and idle in protected (e.g. key-protected) channels

  • The bot master issues commands to the clients via the protected channel

  • The standard IRC port is 6667 (defined by RFC 1459 and RFC 2812)

  • Can make use of port mismatching (IRC on a port other than 6667)
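A payload-versus-port check that covers both the protocol/port mismatch slide and the IRC slide above, added here as an example and not taken from the talk or from Q-Radar. It guesses the application protocol from the first bytes in each direction, compares that with the destination port (accepting the two legitimate alternatives the talk cites, 587 and 8080), reports customer SMTP sent straight to a remote MX on port 25, and reports every IRC registration it sees together with the channels joined and whether a channel key was supplied. The session records, addresses and the ISP relay address are constructed assumptions.

```python
"""Added example (not from the talk or from Q-Radar): compare the protocol
actually spoken on a connection with its destination port, and surface IRC
registration and channel joins wherever they occur.  All sessions, addresses
and the ISP relay address below are constructed assumptions."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    src: str             # customer-side address
    dst: str             # remote address
    dport: int           # remote TCP port
    client_bytes: bytes  # first bytes sent by the customer side
    server_bytes: bytes  # first bytes sent back by the remote side


# Well-known ports per the IANA registry, and the alternatives the talk cites as legitimate.
WELL_KNOWN = {"http": {80}, "smtp": {25}, "irc": {6667}}
ACCEPTED_ALT = {"http": {8080}, "smtp": {587}, "irc": set()}
# Assumption: the ISP's own outbound mail relays.  Customer SMTP on port 25 to
# any other host is a "direct-to-MX" transaction.
ISP_RELAYS = {"192.0.2.25"}

HTTP_REQ = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
SMTP_HELO = re.compile(rb"^(EHLO|HELO) ", re.IGNORECASE)
SMTP_BANNER = re.compile(rb"^220[ -]")
IRC_REG = re.compile(rb"^(NICK|USER|PASS|CAP) ", re.IGNORECASE)
IRC_JOIN = re.compile(rb"^JOIN (?P<chan>[#&][^\s,]+)(?: (?P<key>\S+))?",
                      re.IGNORECASE | re.MULTILINE)


def classify(s):
    """Guess the application protocol from the opening bytes of each direction."""
    if HTTP_REQ.match(s.client_bytes):
        return "http"
    if SMTP_HELO.match(s.client_bytes) and SMTP_BANNER.match(s.server_bytes):
        return "smtp"
    if IRC_REG.match(s.client_bytes):
        return "irc"
    return None


def irc_joins(client_bytes):
    """Return (channel, key_supplied) for every JOIN in the client stream.
    A key means the channel is protected (IRC mode +k)."""
    return [(m.group("chan").decode("ascii", "replace"), m.group("key") is not None)
            for m in IRC_JOIN.finditer(client_bytes)]


def analyze(sessions):
    events = []
    for s in sessions:
        proto = classify(s)
        if proto is None:
            continue
        base = {"src": s.src, "dst": s.dst, "dport": s.dport, "proto": proto}
        if proto == "irc":
            # IRC is reported wherever it is seen; off-port IRC and keyed channels
            # are the bot-net pattern described in the talk.
            events.append({**base, "kind": "irc",
                           "off_port": s.dport not in WELL_KNOWN["irc"],
                           "joins": irc_joins(s.client_bytes)})
        elif proto == "smtp" and s.dport == 25 and s.dst not in ISP_RELAYS:
            events.append({**base, "kind": "direct-to-mx"})
        elif s.dport not in WELL_KNOWN[proto] and s.dport not in ACCEPTED_ALT[proto]:
            events.append({**base, "kind": "port-mismatch"})
    return events


def sample_sessions():
    """Constructed sessions: normal web, accepted alternates, one mismatch,
    one direct-to-MX transaction and two IRC clients."""
    return [
        Session("10.1.1.5", "198.51.100.10", 80,
                b"GET / HTTP/1.1\r\nHost: www.example\r\n\r\n", b"HTTP/1.1 200 OK\r\n"),
        Session("10.1.1.5", "198.51.100.11", 8080,
                b"GET /x HTTP/1.1\r\nHost: proxy.example\r\n\r\n", b"HTTP/1.1 200 OK\r\n"),
        Session("10.1.1.6", "198.51.100.12", 4444,
                b"GET /c HTTP/1.0\r\n\r\n", b"HTTP/1.0 200 OK\r\n"),
        Session("10.1.1.7", "192.0.2.25", 587,
                b"EHLO laptop\r\n", b"220 mail.isp.example ESMTP\r\n"),
        Session("10.1.1.8", "203.0.113.20", 25,
                b"HELO x\r\n", b"220 mx.example.net ESMTP\r\n"),
        Session("10.1.1.9", "203.0.113.30", 6667,
                b"NICK joe\r\nUSER joe 0 * :joe\r\nJOIN #linux\r\n",
                b":irc.example 001 joe :Welcome\r\n"),
        Session("10.1.1.10", "203.0.113.31", 8000,
                b"PASS s3cret\r\nNICK [DE]0042\r\nUSER bot 0 * :bot\r\nJOIN #cmd k3y\r\n",
                b":cc.example 001 [DE]0042 :Welcome\r\n"),
    ]


if __name__ == "__main__":
    for e in analyze(sample_sessions()):
        print(e)
```

The classifier looks at both directions so that a lone "220" banner (which FTP also uses) or a client that only sends garbage is not mistaken for SMTP; a real deployment would add signatures for the other protocols the talk mentions (BitTorrent, eDonkey) and would treat TLS on an unexpected port as its own category, since the payload cannot be read.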


Mitigating Violations

Pro

  • Increases end-user security and satisfaction

  • Decreases network load

  • Increases network usability

Con

  • Potential information leaks

  • Captured data potentially subject to disclosure

  • Information could be abused

  • Other privacy concerns


Discussion

  • Strict policy and legal controls and enforcement can mitigate privacy concerns

  • Other pros and cons

  • Questions and comments

