
Visualizing Network Attacks

Eric Conrad

April 2009

A picture is worth 1,000 words

  • Many network, security and system engineers have trained themselves to correlate complex information from text-based representations of events

    • Like Cypher in The Matrix

  • However, many concepts lend themselves to visual interpretation

One example: visual cryptanalysis of DES ECB mode

  • The Data Encryption Standard (DES) is a block cipher that can be run in a number of modes of operation

  • The ‘native mode,’ Electronic Code Book (ECB), does not ‘chain’ the ciphertext

    • Identical 64-bit blocks of plaintext become identical blocks of ciphertext

  • As a result, patterns in the plaintext propagate into the ciphertext

  • Chaining modes such as Cipher Block Chaining (CBC) hide such patterns by mixing the previous block of ciphertext into the encryption of the next block; an initialization vector plays that role for the first block

Showing weaknesses of DES ECB mode

  • The left image is the original BMP; the right image is the same BMP encrypted in ECB mode. The outline survives because every repeated plaintext block encrypts to the same ciphertext block

Showing the effects of chaining

  • The same logo, with the Cipher Block Chaining (CBC) mode ciphertext on the right: each ciphertext block now depends on every block before it, so the repeated-block pattern disappears
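The following is an added example, not code from the slides. It shows the ECB and CBC mode logic on a constructed bitmap-like plaintext. DES itself is not implemented: a small 16-round Feistel cipher on 8-byte blocks, built from SHA-256, stands in for it (an assumption made so the example runs with the standard library alone). The mode behaviour is exactly the same for DES: ECB encrypts each block independently, so the "silhouette" of repeated blocks survives encryption; CBC mixes the previous ciphertext block into each plaintext block first, so it does not.

```python
"""ECB vs. CBC on a bitmap-like plaintext, using a toy 64-bit block cipher.

Added example; not from the original slides. The Feistel cipher below is a
stand-in for DES (assumption), the key and IV are constructed values.
"""
import hashlib

BLOCK = 8                    # 64-bit blocks, as in DES
KEY = b"toy-key!"            # constructed key
IV = bytes(range(BLOCK))     # constructed IV; real use needs a fresh random IV per message


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, half: bytes, rnd: int) -> bytes:
    """Keyed round function: 4 bytes derived from key, round number and input half."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def toy_encrypt_block(key: bytes, block: bytes, rounds: int = 16) -> bytes:
    """Feistel network: (L, R) -> (R, L xor F(R)) for each round."""
    left, right = block[:4], block[4:]
    for r in range(rounds):
        left, right = right, _xor(left, _round(key, right, r))
    return left + right


def toy_decrypt_block(key: bytes, block: bytes, rounds: int = 16) -> bytes:
    """Inverse: run the rounds backwards, swapping the halves the other way."""
    left, right = block[:4], block[4:]
    for r in reversed(range(rounds)):
        left, right = _xor(right, _round(key, left, r)), left
    return left + right


def _blocks(data: bytes):
    return (data[i:i + BLOCK] for i in range(0, len(data), BLOCK))


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    # Each block is encrypted on its own: equal plaintext blocks -> equal ciphertext blocks.
    return b"".join(toy_encrypt_block(key, b) for b in _blocks(data))


def ecb_decrypt(key: bytes, data: bytes) -> bytes:
    return b"".join(toy_decrypt_block(key, b) for b in _blocks(data))


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    # C_i = E(P_i xor C_{i-1}) with C_0 = IV: every block depends on all earlier ones.
    out, prev = [], iv
    for p in _blocks(data):
        prev = toy_encrypt_block(key, _xor(p, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    # P_i = D(C_i) xor C_{i-1}
    out, prev = [], iv
    for c in _blocks(data):
        out.append(_xor(toy_decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)


def make_logo(width: int = 64, height: int = 16) -> bytes:
    """Constructed 1-byte-per-pixel 'image': black background with a white
    rectangle whose edges fall on 8-byte block boundaries (a crude logo)."""
    rows = []
    for y in range(height):
        row = bytearray(width)
        if 4 <= y < 12:
            row[16:48] = b"\xff" * 32
        rows.append(bytes(row))
    return b"".join(rows)


def distinct_blocks(data: bytes) -> int:
    return len(set(_blocks(data)))


def block_silhouette(data: bytes) -> list:
    """Replace each block by the index at which its value was first seen. Two
    byte strings with the same silhouette show the same 'picture' of repeated
    blocks even when the block contents differ completely."""
    seen, sil = {}, []
    for b in _blocks(data):
        sil.append(seen.setdefault(b, len(seen)))
    return sil


if __name__ == "__main__":
    plain = make_logo()
    ecb, cbc = ecb_encrypt(KEY, plain), cbc_encrypt(KEY, IV, plain)
    print("distinct blocks: plaintext", distinct_blocks(plain),
          "ECB", distinct_blocks(ecb), "CBC", distinct_blocks(cbc))
    print("ECB keeps the plaintext silhouette:", block_silhouette(ecb) == block_silhouette(plain))
```

With the constructed 64x16 logo the plaintext contains only two distinct block values, and so does its ECB ciphertext, which is why the image stays recognisable; under CBC all 128 ciphertext blocks differ.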

DAVIX

DAVIX is a live CD for data analysis and visualization

Available at

Burn the ISO to CD and boot your laptop into a rich visualization environment


The DAVIX live CD

The DAVIX start menu links to all major tools

Visualization work is broken down into three stages: Capture, Process, Visualize


The DAVIX process

  • Capture includes tools that capture network data, such as wireshark and tcpdump

  • Process includes tools that manipulate data, as well as the classic Unix shell tools such as sed, awk, perl and grep

  • Visualize includes the tools that render the processed data as graphics

A word on tools

  • All tools mentioned in this paper are on the DAVIX 1.0.1 distribution

  • All graphics used in this paper were generated directly from the DAVIX live CD

  • You may download all scripts in this paper at

  • All example commands in this paper will work directly on the DAVIX live CD

Dot

  • Dot is a language used to describe graphs

  • Example digraph (directed graph) in the Dot language, and the resulting image:

    digraph directed {
      A -> B -> C;
      B -> D;
    }

Turning Dot into graphics

  • Graphviz (Graph Visualization Software) includes a number of programs that lay out and render graphs written in Dot


  • Includes tools that take a Dot file as input, and create a graphics file as output

  • This paper uses the Graphviz tools ‘twopi’ and ‘neato’

    • twopi uses a ‘radial model’ to lay out nodes

    • neato uses a ‘spring model’ to lay out nodes

Afterglow

  • Afterglow takes CSV files as input and creates a Dot language file as output

  • This makes creating directed graphs very easy

  • The graph on the right was created with a pipeline of the form: echo "1,2,3" | afterglow … | neato -Tpng -o example.png

Two-column mode

Two-column mode has two types of nodes: source and target

This graph shows two source nodes connecting to three targets

Afterglow two-column example: normal ARP requests

‘ARP bomb’: scan of unused IP addresses

Three-column mode

Three-column mode adds an ‘event’ node

Source nodes connect to targets via ‘events’

Example event: protocol type
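To make the Dot, Afterglow and two-/three-column slides concrete, here is an added example (not afterglow's own code, and not from the slides) that does what afterglow does in miniature: it turns "source,target" or "source,event,target" CSV rows into a Dot digraph, colouring sources, events and targets differently and thickening edges that repeat. The ARP data is constructed: three hosts asking for a gateway and for each other (the normal case), plus one host asking for forty unused addresses, which is the 'ARP bomb' shape the slides show. The resulting `.dot` text is what you feed to the Graphviz tools named above, e.g. `neato -Tpng -o arp.png arp.dot`.

```python
"""CSV -> Dot converter in the style of afterglow's two- and three-column modes.

Added example; not afterglow's code. All sample rows are constructed.
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed two-column sample: "source,target" ARP who-has requests
NORMAL_ARP = """\
10.0.0.11,10.0.0.1
10.0.0.12,10.0.0.1
10.0.0.13,10.0.0.1
10.0.0.11,10.0.0.12
"""


def arp_bomb_rows(scanner: str = "10.0.0.66", last_octets=range(100, 140)) -> str:
    """Constructed scan: one host probing a block of addresses nobody answers for."""
    return "".join(f"{scanner},10.0.0.{n}\n" for n in last_octets)


def with_event(two_col: str, event: str) -> str:
    """Turn two-column rows into three-column rows: source,event,target."""
    rows = [r for r in csv.reader(io.StringIO(two_col)) if len(r) >= 2]
    return "".join(f"{s.strip()},{event},{t.strip()}\n" for s, t, *_ in rows)


def _q(s: str) -> str:
    """Quote a Dot identifier."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def csv_to_dot(text: str, three_column: bool = False, name: str = "afterglow") -> str:
    """Two-column mode: source -> target. Three-column mode: source -> event -> target.
    Sources are blue, events yellow boxes, pure targets pink; an edge seen n times
    is drawn n pixels wide (capped at 5) so repeated pairs stand out."""
    sources, events, targets = set(), set(), set()
    edges = Counter()
    for row in csv.reader(io.StringIO(text)):
        if three_column and len(row) >= 3:
            src, evt, dst = (c.strip() for c in row[:3])
            events.add(evt)
            edges[(src, evt)] += 1
            edges[(evt, dst)] += 1
        elif not three_column and len(row) >= 2:
            src, dst = (c.strip() for c in row[:2])
            edges[(src, dst)] += 1
        else:
            continue  # blank or malformed row
        sources.add(src)
        targets.add(dst)
    out = [f"digraph {name} {{", "  overlap=false;", "  node [fontsize=10, style=filled];"]
    out += [f"  {_q(n)} [color=lightblue];" for n in sorted(sources)]
    out += [f"  {_q(n)} [shape=box, color=lightyellow];" for n in sorted(events)]
    out += [f"  {_q(n)} [color=lightpink];" for n in sorted(targets - sources)]
    out += [f"  {_q(a)} -> {_q(b)} [penwidth={min(cnt, 5)}];"
            for (a, b), cnt in sorted(edges.items())]
    out.append("}")
    return "\n".join(out) + "\n"


def fan_out(text: str) -> dict:
    """Distinct targets per source in two-column data: the number that makes a
    scanning host stand out from hosts doing ordinary ARP resolution."""
    seen = defaultdict(set)
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2:
            seen[row[0].strip()].add(row[1].strip())
    return {src: len(dsts) for src, dsts in seen.items()}


if __name__ == "__main__":
    data = NORMAL_ARP + arp_bomb_rows()
    print(csv_to_dot(data))                                    # two-column graph
    print(csv_to_dot(with_event(NORMAL_ARP, "arp"), True))     # three-column graph
    print("fan-out per source:", fan_out(data))
```

Visually, the normal rows give a handful of short edges into the gateway, while the scanner becomes a single blue node with forty pink leaves hanging off it; `fan_out` is the same signal in numbers, useful when you want to alert on the shape rather than look at it.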

Visualizing honeypot attacks

  • Let’s use the Dot language to visualize attacks against a honeypot

  • Data is from the Honeynet Project® Scan of the Month 27:

    • During its first week of operation, the honeypot was repeatedly compromised by attackers and worms exploiting several distinct vulnerabilities. Subsequent to a successful attack, the honeypot was joined to a large botnet.

      • Source:

  • What do the attacks look like visually?

Visual traceroute with Dot

  • Generate a route graph with Dot:

    • traceroute to the top 100 internet sites

    • Compute average time to each hop

    • Draw directed graph showing all connections within 6 hops

    • Display nodes with colors showing RTT

      • First node is blue (and larger)

      • Nodes < 15 ms are palegreen

      • Nodes < 30 ms are green

      • Nodes < 45 ms are yellow

      • Rest are red
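The route graph above is described as a procedure; the following is an added example (not the slides' script) that carries it out on constructed traceroute output in the standard Unix `traceroute` text format. It averages the three RTT samples per hop, drops hops that timed out (`* * *`) while still connecting the hops around them, keeps only the first six hops, and emits Dot with the colour thresholds from the slide. Feed the output to `twopi -Tpng -o routes.png routes.dot` for the radial layout the slides use. Hostnames and addresses are made up.

```python
"""Traceroute text -> Dot graph with RTT-coloured nodes.

Added example; not from the original slides. The traceroute output below is
constructed (documentation/private address ranges), not captured.
"""
import re
import statistics

SAMPLE_TRACEROUTES = {
    "example-a": """\
traceroute to example-a (203.0.113.10), 30 hops max, 60 byte packets
 1  gw.lan (192.168.1.1)  0.812 ms  0.790 ms  0.801 ms
 2  10.20.0.1 (10.20.0.1)  9.104 ms  8.930 ms  9.220 ms
 3  core1.isp.example (198.51.100.5)  22.510 ms  21.880 ms  23.010 ms
 4  * * *
 5  edge.example-a (203.0.113.10)  51.230 ms  50.900 ms  52.100 ms
""",
    "example-b": """\
traceroute to example-b (203.0.113.77), 30 hops max, 60 byte packets
 1  gw.lan (192.168.1.1)  0.799 ms  0.830 ms  0.811 ms
 2  10.20.0.1 (10.20.0.1)  9.050 ms  9.310 ms  9.000 ms
 3  core2.isp.example (198.51.100.9)  14.200 ms  13.900 ms  14.500 ms
 4  peer.example (192.0.2.30)  29.700 ms  28.900 ms  30.100 ms
 5  edge.example-b (203.0.113.77)  40.200 ms  39.800 ms  41.000 ms
 6  203.0.113.78 (203.0.113.78)  44.000 ms  43.500 ms  43.800 ms
 7  far.example (203.0.113.90)  60.000 ms  61.000 ms  59.000 ms
""",
}

# " 3  core1.isp.example (198.51.100.5)  22.510 ms  21.880 ms  23.010 ms"
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([\d.]+)\)((?:\s+[\d.]+\s*ms)+)")
RTT_RE = re.compile(r"([\d.]+)\s*ms")


def parse_traceroute(text: str) -> list:
    """Return [(hop_number, ip, average_rtt_ms)]. Timed-out hops ('* * *') and
    the header line do not match the pattern and are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        rtts = [float(x) for x in RTT_RE.findall(m.group(4))]
        hops.append((int(m.group(1)), m.group(3), statistics.fmean(rtts)))
    return hops


def rtt_color(avg_ms: float) -> str:
    """Colour thresholds from the slide."""
    if avg_ms < 15:
        return "palegreen"
    if avg_ms < 30:
        return "green"
    if avg_ms < 45:
        return "yellow"
    return "red"


def traceroutes_to_dot(traces: dict, max_hops: int = 6, origin: str = "me") -> str:
    """Merge several traceroutes into one directed graph rooted at `origin`.
    A router seen in several routes is one node; its colour reflects the
    largest average RTT observed for it. A missing hop is bridged by linking
    the hops either side of it."""
    nodes, edges = {}, set()
    for text in traces.values():
        prev = origin
        for hop, ip, avg in parse_traceroute(text):
            if hop > max_hops:
                break
            nodes[ip] = max(avg, nodes.get(ip, 0.0))
            edges.add((prev, ip))
            prev = ip
    out = ["digraph routes {", "  overlap=false;",
           f'  "{origin}" [color=blue, fontcolor=white, style=filled, width=1.2, height=1.2];']
    out += [f'  "{ip}" [label="{ip}\\n{avg:.1f} ms", color={rtt_color(avg)}, style=filled];'
            for ip, avg in sorted(nodes.items())]
    out += [f'  "{a}" -> "{b}";' for a, b in sorted(edges)]
    out.append("}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(traceroutes_to_dot(SAMPLE_TRACEROUTES))
```

In the constructed data both routes share the first two hops, so the graph fans out from one green-ish trunk; the timed-out hop 4 on the first route is bridged by a direct edge from hop 3 to hop 5, and the seventh hop of the second route is cut by the six-hop limit.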

Visualizing Mitnick vs. Shimomura

  • One of the most famous network attacks occurred on Christmas Day, 1994, when Kevin Mitnick allegedly attacked Tsutomu Shimomura’s systems

  • The attack exploited a trust relationship between Shimomura’s ‘x-terminal’ and ‘server’

  • Shimomura analyzed the attack and was kind enough to post a detailed post-mortem of the attack to the Usenet group

    • Including tcpdump output

The players

  • Four systems were involved in the attack:

    • the source of the attack

    • server: a host trusted by x-terminal

    • x-terminal: trusted by server

    • the address used as the spoofed source of the DoS attack

      • There was no live system at this IP address at the time of the attack

The attack

  • The goal was to forge packets ‘from’ server to x-terminal, exploiting the trust relationship between them

    • DoSed server from

    • Harvested TCP sequence numbers from x-terminal

    • Spoofed a connection ‘from’ server to x-terminal

      • The attacker never saw x-terminal’s SYN/ACK (it went to server, which had been silenced), so he had to predict the sequence number it carried and acknowledge that value plus 1 in the forged reply

  • Let’s use Shimomura’s analysis to see the attack visually
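The step the slide glosses over, guessing a sequence number the attacker never sees, is the part worth understanding. The following added example (not from the slides or from Shimomura's post) models only that step: it harvests ISNs from a simulated victim stack, predicts the next one when the per-connection increment is constant, and forges the ACK value (predicted ISN + 1, because the SYN consumes one sequence number). The ISN values and the `PredictableStack`/`RandomStack` classes are constructed; the fixed-increment behaviour they model is what early TCP stacks did and what made the attack workable. The DoS on server that keeps it from answering is a separate precondition and is not modelled.

```python
"""TCP initial sequence number prediction against a simulated victim stack.

Added example; not from the slides. All ISN values are constructed, and the
victim stack classes are models, not real TCP implementations.
"""
import os

MASK = 0xFFFFFFFF  # TCP sequence numbers are 32-bit and wrap


def isn_increments(isns: list) -> list:
    """Differences between consecutive harvested ISNs, modulo 2**32."""
    return [(b - a) & MASK for a, b in zip(isns, isns[1:])]


def predict_next_isn(isns: list):
    """If every observed increment is the same, the next ISN is the last one
    plus that increment. Otherwise return None: the attacker cannot predict
    and the forged ACK would be rejected."""
    deltas = isn_increments(isns)
    if len(deltas) < 2 or len(set(deltas)) != 1:
        return None
    return (isns[-1] + deltas[0]) & MASK


def spoofed_ack_number(predicted_isn: int) -> int:
    """The forged third packet of the handshake must acknowledge ISN + 1."""
    return (predicted_isn + 1) & MASK


class PredictableStack:
    """Model of a 1990s-style victim (x-terminal): ISN grows by a fixed amount
    per connection, and a connection is accepted only if the ACK equals ISN+1."""

    def __init__(self, first_isn: int, increment: int):
        self.next_isn, self.increment = first_isn & MASK, increment

    def syn_received(self) -> int:
        isn = self.next_isn                       # goes into the SYN/ACK
        self.next_isn = (self.next_isn + self.increment) & MASK
        return isn

    @staticmethod
    def ack_received(isn: int, ack: int) -> bool:
        return ack == ((isn + 1) & MASK)


class RandomStack(PredictableStack):
    """Model of a hardened victim: a fresh random ISN for every connection."""

    def __init__(self):
        super().__init__(0, 0)

    def syn_received(self) -> int:
        return int.from_bytes(os.urandom(4), "big")


def run_attack(victim: PredictableStack, probes: int = 3) -> bool:
    """Return True if the spoofed connection would have been accepted.

    1. Harvest: open `probes` connections from the attacker's own address and
       record each ISN from the SYN/ACKs (these the attacker does see).
    2. Predict the ISN the victim will hand to the next connection.
    3. Send a SYN 'from' the trusted server; the SYN/ACK goes to the server
       and is never seen by the attacker.
    4. Send the forged ACK carrying predicted ISN + 1.
    """
    harvested = [victim.syn_received() for _ in range(probes)]
    guess = predict_next_isn(harvested)
    if guess is None:
        return False                               # nothing to forge against
    hidden_isn = victim.syn_received()             # in the SYN/ACK the attacker cannot see
    return victim.ack_received(hidden_isn, spoofed_ack_number(guess))


if __name__ == "__main__":
    print("fixed increment :", run_attack(PredictableStack(0x10000000, 0x20000)))
    print("random ISNs     :", run_attack(RandomStack()))
```

Against the fixed-increment model the forged ACK lands every time; against random ISNs the harvested increments disagree and `predict_next_isn` gives up, which is exactly why randomised ISNs (and, for the trust part of the attack, not using address-based trust at all) closed this hole.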

rumint: ‘rumors in the network’

  • Another useful DAVIX tool is rumint, a ‘PVR for Network Traffic and Security Visualization’

    • ‘rumint’ is short for ‘rumor intelligence’

    • Site:

  • Much of what IDS analysts must do is separate useful signals from noise

  • rumint is useful for ‘spotting the outlier’

rumint ‘text rainfall’ mode

Matrix-style falling text from a live network capture or a pcap file

This shows botnet IRC command and control traffic