
Characteristics of Internet Background Radiation



  1. Characteristics of Internet Background Radiation
     Authors: Ruoming Pang, Vinod Yegneswaran, Paul Barford, Vern Paxson, Larry Peterson
     ACM Internet Measurement Conference (IMC), 2004
     Presenter: Tai Do, CDA6938 UCF, Spring 2007

  2. Introduction
     • Background Radiation:
       • Traffic sent to unused addresses.
       • Nonproductive traffic: malicious (flooding backscatter, hostile scan, spam) OR benign (misconfigurations).
       • Pervasive nature (hence “background”).

  3. Backscatter (figure; source: [MVS01])

  4. Introduction
     • Goals of Characterization:
       • What is all this nonproductive traffic trying to do?
       • How can we filter it out to detect new types of malicious activity?

  5. Outline
     • Introduction
     • Measurement Methodology
       • Filtering
       • Responders
       • Experimental Setup
     • Data Analysis
     • Concluding Remarks

  6. Measurement Methodology (Filtering)
     • Enormous volume of data:
       • 30,000 packets/sec of background radiation on a Class A network.
     • Source-Destination Filtering:
       • Assumption: background radiation sources possess the same degree of affinity to monitored IP addresses.
       • For each source, keep the connections to N destinations.
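The source-destination filter from slide 6, as an added example in Python (not code from the paper or the presenter): each source is granted a budget of N distinct destinations, and connections to any further destination are dropped. The connection records are constructed sample input; the reporting at the end illustrates the bias the deck raises later, namely that a source using a different port per destination loses the ports it only tried against dropped destinations.

```python
from collections import defaultdict

# Constructed connection records (source, destination, dport), in arrival order.
# Sample input for this example, not data from the paper.
SAMPLE_CONNS = [
    ("203.0.113.5", "192.0.2.10", 80),
    ("203.0.113.5", "192.0.2.11", 80),
    ("203.0.113.5", "192.0.2.10", 445),  # repeat destination: still within budget, kept
    ("203.0.113.5", "192.0.2.12", 80),   # third distinct destination: dropped when N=2
    ("203.0.113.5", "192.0.2.12", 135),  # same dropped destination, different port
    ("203.0.113.9", "192.0.2.50", 135),
    ("203.0.113.9", "192.0.2.51", 135),
]


def source_destination_filter(conns, n):
    """Keep, per source, only connections to the first n distinct destinations.

    Relies on the slide's assumption that a source behaves the same way toward
    every monitored address, so later destinations add little information.
    Returns (kept, dropped), both in arrival order.
    """
    budget = defaultdict(set)  # source -> destinations already granted to it
    kept, dropped = [], []
    for src, dst, dport in conns:
        dests = budget[src]
        if dst not in dests:
            if len(dests) >= n:
                dropped.append((src, dst, dport))
                continue
            dests.add(dst)
        kept.append((src, dst, dport))
    return kept, dropped


def ports_seen(conns, src):
    """Set of destination ports observed from src in a connection list."""
    return {dport for s, _, dport in conns if s == src}


if __name__ == "__main__":
    kept, dropped = source_destination_filter(SAMPLE_CONNS, n=2)
    print(f"kept {len(kept)} of {len(SAMPLE_CONNS)} connections, dropped {len(dropped)}")
    # Port 135 from 203.0.113.5 was only tried against a dropped destination,
    # so the filtered view no longer shows it: this is the bias the deck notes.
    print("ports from 203.0.113.5 before:", sorted(ports_seen(SAMPLE_CONNS, "203.0.113.5")))
    print("ports from 203.0.113.5 after: ", sorted(ports_seen(kept, "203.0.113.5")))
```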

  7. Measurement Methodology (Filtering)

  8. Measurement Methodology (Filtering)

  9. Measurement Methodology (Active Responders)
     • Why Active Responders?
       • Elicit further activity from scanners.
       • Differentiate different types of background radiation.
     • Stateless Responder: based on Active Sink.
     • Stateful Responder: based on Honeyd.

  10. Measurement Methodology (Application-Level Responders)
     • Data-driven:
       • Which responders to build is based on observed traffic volumes.
     • Application-level Responders:
       • Not only adhere to the structure of the underlying protocol, but also know what to say.
       • New types of activity emerge over time, so responders also need to evolve.
       • To what degree can the development of responders be automated?

  11. Measurement Methodology (Application-Level Responders)
     • Responders developed for:
       • HTTP (port 80)
       • NetBIOS (port 137/139)
       • CIFS/SMB (port 139/445)
       • DCE/RPC [10] (port 135/1025 and CIFS named pipes)
       • Dameware (port 6129)
       • Backdoors installed by MyDoom (port 3127) and Beagle (port 2745)

  12. Measurement Methodology (Experimental Setup)
     • Two different systems: iSink and LBL Sink.
     • Traces collected from three sites:
       • Class A network (large)
       • UW campus (medium)
       • Lawrence Berkeley Lab (LBL) (small)
     • Same forms of application response; different underlying mechanisms.
     • Support two kinds of data analysis:
       • Passive analysis: no filter, no responder.
       • Active analysis: with filter and responder.

  13. Experimental Setup: iSink

  14. Experimental Setup: LBL Sink

  15. Outline
     • Introduction
     • Measurement Methodology
     • Data Analysis
       • Passive Analysis
       • Active Analysis
         • Activities in Background Radiation
         • Characteristics of Sources
     • Concluding Remarks

  16. Passive Measurement: Traffic Composition
     • What is the type and volume of observed traffic without actively responding to any packet?
     • Findings:
       • TCP dominates in all three networks (compared to ICMP and UDP).
       • TCP/SYN packets constitute a significant portion of the background radiation traffic.
       • A small number of ports are the targets of a majority of TCP/SYN packets.

  17. Activities in Background Radiation
     • Study dominant activities on the popular ports.
     • Traffic is divided by ports:
       • Consider all connections between a source-destination pair on a given destination port.
     • Background Radiation concentrates on a small number of ports:
       • Only look at the most popular ports.
       • Many popular ports are also used by normal traffic → analyze at the application-semantic level.
     • Investigate 12 ports.

  18. TCP Port 80 (HTTP)
     • Targeted against Microsoft IIS server.
     • Dominant activity is a WebDAV buffer-overrun exploit.

  19. TCP Port 80 (HTTP): Port 80 Activities (figure)

  20. Characteristics of Sources
     • Study background radiation activities coming from the same source IP (activity vector).
     • Activity vector in three dimensions:
       • Across ports
       • Across destination networks
       • Over time
     • Caveat:
       • DHCP: hosts might be assigned different addresses over time.
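The three-dimensional activity vector of slide 20, as an added example in Python (not code from the paper or the presenter): for each source IP it collects the destination ports, the monitored destination networks and the time buckets touched, then answers the two questions the following slides ask, which sources are active across several ports and how long a source persists. The monitored networks and the event records are constructed sample input.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed monitored networks and events (ts_seconds, src, dst, dport).
# Sample input for this example, not data from the paper.
DAY = 86400
NETWORKS = {"net-A": ip_network("192.0.2.0/24"), "net-B": ip_network("198.51.100.0/24")}
EVENTS = [
    (0 * DAY + 10, "203.0.113.5", "192.0.2.10", 135),
    (0 * DAY + 20, "203.0.113.5", "192.0.2.11", 445),
    (0 * DAY + 30, "203.0.113.5", "198.51.100.7", 80),
    (3 * DAY + 5, "203.0.113.5", "192.0.2.12", 135),
    (1 * DAY + 0, "203.0.113.9", "192.0.2.20", 4000),
    (1 * DAY + 1, "203.0.113.9", "192.0.2.21", 4000),
]


def network_of(dst, networks):
    """Name of the monitored network containing dst, or 'other'."""
    addr = ip_address(dst)
    for name, net in networks.items():
        if addr in net:
            return name
    return "other"


def activity_vectors(events, networks, bucket=DAY):
    """Per source IP: the ports, destination networks and time buckets it touched.

    The source IP stands in for the host; the deck's DHCP caveat applies, since
    one host may appear under several addresses over a long trace.
    """
    vec = defaultdict(lambda: {"ports": set(), "nets": set(), "buckets": set()})
    for ts, src, dst, dport in events:
        v = vec[src]
        v["ports"].add(dport)
        v["nets"].add(network_of(dst, networks))
        v["buckets"].add(ts // bucket)
    return dict(vec)


def multi_port_sources(vec, min_ports=2):
    """Sources whose activity spans several ports (the cross-port view of slide 21)."""
    return sorted(s for s, v in vec.items() if len(v["ports"]) >= min_ports)


def persistence_days(vec, src, bucket=DAY):
    """Days spanned between the first and last bucket a source was seen in."""
    b = vec[src]["buckets"]
    return (max(b) - min(b)) * bucket // DAY + 1
```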

  21. Sources Across Ports
     • Activities across ports may give a better picture of a source’s goals.
     (Figure: Agobot sources, UW 1)

  22. Sources Across Ports
     • Top two exploits are extensively observed across all 4 networks.

  23. Sources Seen Over Time
     • Witty did not persist over a month: it deliberately damages its host.
     • Blaster’s grip on hosts is quite tenacious.

  24. Outline
     • Introduction
     • Measurement Methodology
     • Data Analysis
     • Concluding Remarks

  25. Strengths of the paper
     • First attempt to characterize background radiation.
     • Good Measurement Methodology:
       • Effective filtering technique.
       • Detailed set of active responders for popular ports.
     • Meaningful Data Analysis:
       • Passive Analysis: activities concentrate on a few popular ports.
       • Active Analysis: extreme dynamism in many aspects of background radiation.

  26. Limitations of the paper
     • The filtering could be biased:
       • It assumes the same kind of activity toward all destination IP addresses.
       • It fails to capture multi-vector worms that pick one exploit per IP address.
     • The DHCP problem makes the source IP address less accurate as a source identity.
     • To what extent can the development of application-level responders be automated?

  27. Thank you. Questions?

  28. References
     • [Barford2004] Paul Barford. Trends in Internet Measurement. Presentation slides, University of Wisconsin, Fall 2004.
     • [MVS01] David Moore, Geoffrey M. Voelker, and Stefan Savage. Inferring Internet Denial-of-Service Activity. In Proceedings of the 10th USENIX Security Symposium, pages 9–22. USENIX, August 2001.

  29. Some jargon
     • Named pipe: supports inter-process communication; FIFO; system-persistent.
     • CIFS: Common Internet File System.
     • DCE/RPC: Distributed Computing Environment / Remote Procedure Call.
     • SAMR: Security Account Manager Remote service.
     • srvsvc: server service.
     • msmsgri32.exe: ???
     • SMB:
     • Autorooter: similar to worms, but without self-propagation.
