
Evaluation of Network Security



  1. Evaluation of Network Security May 13, 2004 Moshe Golan Everett Anderson

  2. Agenda • Introduction • Measuring – a general problem • Network Security Evaluation • Discussion • References

  3. Introduction

  4. The problem – Bell Labs/Lumeta Internet Mapping Project

  5. Lumeta – IPSonar The Internet Mapping Project was started at Bell Labs in the summer of 1998. Its long-term goal is to acquire and save Internet topological data over a long period of time. This data has been used in the study of routing problems and changes, DDoS attacks, and graph theory. IPSonar injects small, non-intrusive measurement packets

  6. Some Security Questions • What fraction of all IP packets have spoofed addresses? • How many DDoS attacks occur each day? • How many compromised machines are there on the Internet? • If I installed Secure BGP at 200 chosen locations, how much better would things be?

  7. How do we answer? • Deduce based on the evidence available • Obtain snapshots from some points in the network • Use simulation techniques • Use honeypots/honeynets to attract attacks for measurement and analysis • Install serious measurement infrastructure in the network

  8. Measuring – a General Problem

  9. Network Measurements • LAN • We can perform measurements of traffic for local optimization and economics • Internet • Poorly measured • Poorly understood • Use of sampling and statistical methods • Simplified assumptions

  10. SCAN – ISI • Network fault isolation • Refers to the problem of pinpointing the origin of a particular application-perceived dynamic • Use of multicast-based announce-listen techniques for network measurements • Distributed infrastructure of active instrumentation • Visualization • Trace back using historical views

  11. SCAN – Mercator Program (figure: small LAN / WAN topology)

  12. Oregon – Route Views • Originally conceived as a tool for Internet operators to obtain real-time information about the global routing system from the perspectives of several different backbones and locations around the Internet. • The Route Views router uses multi-hop BGP peering sessions with backbones at interesting locations. Route Views uses AS6447 in its peering sessions; routes received from neighbors are never passed on, never used to forward traffic, and Route Views never announces any prefixes. • Now a basis for many research facilities:

  13. Contributors • Dozens of big players • AOL, APAN, ATT, Abilene, Accretive, Army Research Lab, Broadwing, C&W USA, COMindico, Carrier1, EBONE, ELI ....... TouchAmerica, Verio, WCI Cable, X0, Zocalo, blackrose.org, netINS • Many sponsors are commercial

  14. CAIDA • The Cooperative Association for Internet Data Analysis provides tools and analyses promoting the engineering and maintenance of a robust, scalable global Internet infrastructure • Provides human interaction in addition to automated systems – use the phone

  15. Evaluating Network Security Techniques

  16. Backscatter – Basic Idea • DoS consists of a stream of packets to a specific destination • The victim answers them normally • Often, the attacker spoofs the source address of attack packets • Responses go to the real machines whose addresses were spoofed

  17. An Example – Prof Reiher

  18. IP spoofing • Usually uses random IP selection (2^32) • Every machine has equal chance 1/(2^32) to receive a response to a spoofed packet • If enough spoof packets are sent, every machine will receive some spoof packets

  19. Assumptions

  20. CAIDA Experiment • Three one-week-long periods in 2001 • Using a /8 network – samples 1/256th of all addresses, i.e. 2^24 IP addresses • Monitored all traffic arriving for any of these addresses • Expectations = n/2^24
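The backscatter method of slides 16, 18 and 20 can be carried through on a packet trace. The script below is an added example, not code from the slides or from CAIDA's experiment: it takes packet records that reached a monitored /8 "telescope" (all of them constructed here, with 10.0.0.0/8 standing in for the monitored block), keeps only the reply types a victim sends to a spoofed source, groups them by victim and time into attacks, and inverts the 1/256 sampling to put a lower bound on the victim's attack rate. The `Packet` record, the `find_attacks` grouping rule (gaps longer than 60 s split an attack, fewer than 3 packets is noise) and the thresholds are assumptions for the example, not the paper's exact flow definition.

```python
"""Backscatter analysis in the spirit of Moore, Voelker and Savage (2001).

Added example, not code from the slides or from CAIDA.  All packet records are
constructed; 10.0.0.0/8 is used purely as a placeholder for the monitored block.
"""
import random
from collections import defaultdict
from dataclasses import dataclass

ADDRESS_SPACE = 2 ** 32
MONITORED_ADDRESSES = 2 ** 24      # a /8 telescope: 1/256th of all addresses (slide 20)

# Replies a victim sends back to a spoofed source address.  Anything else that
# reaches a telescope address (scans, misconfiguration) is not backscatter.
BACKSCATTER_KINDS = {"SYN-ACK", "RST", "ICMP-UNREACH", "ICMP-ECHO-REPLY"}


@dataclass(frozen=True)
class Packet:
    t: float     # seconds since the start of the trace
    src: str     # responder, i.e. the DoS victim
    dst: str     # a telescope address that never initiated any traffic
    kind: str


def expected_backscatter(n_attack_packets, monitored=MONITORED_ADDRESSES):
    """Packets a telescope of `monitored` addresses expects to see when a victim
    answers n uniformly spoofed attack packets: n * m / 2^32 (n / 256 for a /8)."""
    return n_attack_packets * monitored / ADDRESS_SPACE


def estimate_attack_rate(observed_rate, monitored=MONITORED_ADDRESSES):
    """Invert the sampling: R >= R' * 2^32 / m.  This is a lower bound, since it
    assumes every attack packet was answered and sources were spoofed uniformly."""
    return observed_rate * ADDRESS_SPACE / monitored


def split_runs(times, window):
    """Split sorted timestamps into runs separated by gaps longer than `window`."""
    runs, start, prev, count = [], times[0], times[0], 0
    for t in times:
        if t - prev > window:
            runs.append((start, prev, count))
            start, count = t, 0
        count += 1
        prev = t
    runs.append((start, prev, count))
    return runs


def find_attacks(packets, min_packets=3, window=60.0):
    """Group backscatter by victim (source IP) and time; return one record per
    inferred attack, ordered by victim and start time."""
    by_victim = defaultdict(list)
    for p in packets:
        if p.kind in BACKSCATTER_KINDS:
            by_victim[p.src].append(p)
    attacks = []
    for victim in sorted(by_victim):
        pkts = sorted(by_victim[victim], key=lambda p: p.t)
        for start, end, count in split_runs([p.t for p in pkts], window):
            if count < min_packets:
                continue                        # too few packets to call it an attack
            duration = max(end - start, 1.0)    # avoid dividing by zero for a burst
            observed_rate = count / duration
            kinds = {p.kind for p in pkts if start <= p.t <= end}
            attacks.append({
                "victim": victim, "start": start, "duration_s": duration,
                "packets": count, "kinds": kinds, "observed_rate": observed_rate,
                "est_rate_min": estimate_attack_rate(observed_rate),
            })
    return attacks


def _telescope_addr(rng):
    """A random address inside the placeholder /8 (constructed)."""
    return "10.%d.%d.%d" % (rng.randrange(256), rng.randrange(256), rng.randrange(256))


def build_sample_trace():
    """Constructed trace: two victims, some sub-threshold noise and a scan."""
    rng = random.Random(2004)
    pkts = []
    # Victim A: SYN flood answered with SYN-ACKs, 4 replies/s seen for ~100 s
    pkts += [Packet(0.25 * i, "198.51.100.7", _telescope_addr(rng), "SYN-ACK") for i in range(400)]
    # Victim B: two short RST-reply attacks separated by more than the window
    pkts += [Packet(t, "203.0.113.9", _telescope_addr(rng), "RST") for t in (0, 2, 4, 6, 8)]
    pkts += [Packet(t, "203.0.113.9", _telescope_addr(rng), "RST") for t in (500, 501, 502)]
    # Noise: two stray RSTs (below threshold) and a SYN scan, which is not backscatter
    pkts += [Packet(t, "192.0.2.50", _telescope_addr(rng), "RST") for t in (30, 31)]
    pkts += [Packet(t, "192.0.2.1", _telescope_addr(rng), "SYN") for t in range(0, 50, 5)]
    rng.shuffle(pkts)
    return pkts


if __name__ == "__main__":
    for a in find_attacks(build_sample_trace()):
        print("%-14s start=%6.1fs dur=%6.1fs seen=%4d %-10s rate>=%8.1f pkt/s"
              % (a["victim"], a["start"], a["duration_s"], a["packets"],
                 "/".join(sorted(a["kinds"])), a["est_rate_min"]))
```

The 4 SYN-ACKs per second seen for victim A extrapolate to roughly 1,000 attack packets per second, which is the scale on which slide 25's "500 SYNs per second" threshold becomes meaningful; the stray RSTs and the scanner never appear in the output, which is the filtering a real telescope has to do before it can count attacks at all.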

  21. Results • During one week, saw 12,805 attacks • Over three weeks observed 200 million backscatter packets • Presumably out of around 50 billion such packets • More than 5000 victim addresses in more than 2000 domains

  22. Closer Look – Types of Attack

  23. Closer Look – Attack Duration • 90% less than an hour • 2% more than 5 hours • 1% over 10 hours • Only dozens over a day

  24. Closer Look – Top level domains • 30% not resolved • .net .com • Romania and Brazil

  25. Closer Look – Number of Attacks • 65% only once • 18% twice • 95% less than 5 times • 90% were 10,000 pkts/sec or less • 500 SYNs per second overwhelms an unprotected server – 46% of attacks were that strong • 14,000 SYNs per second overwhelms an anti-DoS firewall – 2.4% of attacks were that strong

  26. Network Jails & Honeypots • Lure hackers in and keep them busy • Provide a "real" system • Save rootkits • Learn the latest tricks and vulnerabilities • Report findings to CERT, alert intermediate hosts

  27. PlanetLab • Overlay network with globally dispersed nodes • Design, deploy, test “planetary-scale” services • Large test bed for monitoring, measurement • Many viewpoints into the Internet

  28. PlanetLab Infrastructure

  29. ScriptRoute • Provides a way to aggregate traceroute-like information • Reverse routes • Sandboxing of script code, scheduler, rate limiting

  30. NetBait • Distributed query service for conventional IDS information • Identify attacks and index/store events locally • Multiple query sources • Pull approach • Currently still CodeRed focused

  31. SANS • SysAdmin, Audit, Network, Security Institute • Early warning • Training • Internet Storm Center

  32. CERT Coordination Center • Traditional human level coordination • Careful advisories • Federal funding (DoD, DHS) but non-government • US-CERT • Additional public and private sector content • Faster advisories?

  33. McAfee SecurityCenter • End node IDS reporting from PCs • Similar to seti@home • Grid or centralized? • Bundled with personal firewall, risk analyzer

  34. Symantec DeepSight Analyzer • Parses a variety of firewall and IDS system logs • Console view of multiple systems • Helps admin selectively contact attacking machine owners • Reports back to central Symantec service • Early alert services ($) • Aimed at network admins/larger business systems

  35. Discussion

  36. Open Questions • Internet-wide evaluation vs. local • Secure every component vs. global security • Is the current approach to finding security problems in the Internet adequate? • Human involvement • Centralized solution • Delay in reporting • Placement of monitoring infrastructure • Do we need a global authority? • Who should run it? • How would they do it? • Privacy issues with jailing

  37. References • http://www.lumeta.com/ • http://www.isi.edu/scan/ • http://antc.uoregon.edu/route-views/ • http://www.caida.org/ • http://us.mcafee.com/ • http://analyzer.securityfocus.com/ • http://netbait.planet-lab.org/ • Netbait: A Distributed Worm Detection Service, Chun and Witherspoon, Intel Research Berkeley Technical Report IRB-TR-03-033, September 2003. A PlanetLab experiment designed to detect worm activity by scattering observation points at PlanetLab nodes. • Inferring Internet Denial-of-Service Activity, David Moore, Geoffrey Voelker, and Stefan Savage, 10th USENIX Security Symposium, 2001. A CAIDA paper describing the basic backscatter technique of determining various properties of DDoS attacks. • An Evening With Berferd In Which a Cracker is Lured, Endured, and Studied, Bill Cheswick, USENIX, 1992. The grandfather of all research on honeypots and honeynets.
