Traffic Analysis and Risk Assessment of a Medium-Sized ISP

Alan W. Rateliff, II

  • Florida Internet Service Provider
  • Approximately 2000 ADSL users
  • Connections between 256kb/s and 5Mb/s
  • Traffic monitoring between ADSL aggregation device and Internet
The Tool
  • Selected ISP customer DSL traffic is sent to Q-Radar using a network switch “monitor” port
  • Analyzes captures to identify potentially malicious traffic
  • Three primary activities used as presentation basis

www.q1labs.com

Traffic Anomalies
  • Protocol and port mismatch: 500kb/s bursts
  • Remote system port scanning: 1.2Mb/s bursts
  • Internet Relay Chat bot-net controls: more than 59,000 events over a 12-day period
  • Honorable Mentions
    • “Direct-to-MX” SMTP transactions (spam, etc.)
    • P2P Networking (BitTorrent, eDonkey, etc.)
Protocol/Port Mismatches
  • Protocol communication on a port other than its well-known one
  • Evades port-based blocking and monitoring
    • Firewalls and ACLs
    • Simple IDS
  • IANA maintains the official registry of well-known and registered ports
  • Examples of legitimate port mismatches:
    • SMTP (port 25) on port 587 (the registered mail submission port)
    • HTTP (port 80) on port 8080 (commonly used by proxies and alternate web servers)
Remote System Port Scans
  • One of the first stages of an attack on a remote system
  • Probes for services actively accepting connections
  • Discovered services are then probed for known vulnerabilities
  • Can detect services on non-standard ports
  • Can identify operating systems
  • F/OSS scanner: nmap (insecure.org)
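The slide describes what a scan looks like from the scanner's side. From the monitoring point described earlier (a switch monitor port between the ADSL aggregation device and the Internet) the same activity shows up as a burst of very short customer-to-remote flows. The following is an added example, not code from the slides or from QRadar, of the detection logic one could run over unidirectional flow summaries: a customer hitting many ports on one host (vertical scan) or one port on many hosts (horizontal scan) within a window, while ordinary browsing is ignored because its flows carry many packets. The flow records, thresholds and address ranges are constructed for illustration.

```python
"""Port-scan detection from flow records.

Added example (not from the original slides): the logic a collector on a
switch monitor port could apply to unidirectional TCP flow summaries.
All flow records below are constructed for illustration.
"""
from collections import defaultdict

WINDOW_SECONDS = 60        # probes are bucketed into fixed windows
PROBE_MAX_PACKETS = 3      # a SYN plus at most a RST/ACK counts as a probe
VERTICAL_THRESHOLD = 20    # distinct ports on one target host
HORIZONTAL_THRESHOLD = 10  # distinct target hosts on one port


def detect_scans(flows, window=WINDOW_SECONDS, probe_max=PROBE_MAX_PACKETS,
                 vertical=VERTICAL_THRESHOLD, horizontal=HORIZONTAL_THRESHOLD):
    """Return a list of alert dicts for vertical and horizontal scans.

    flows: iterable of (timestamp_s, src_ip, dst_ip, dst_port, packets),
    one record per customer-to-remote TCP flow.
    """
    ports_per_host = defaultdict(set)   # (window, src, dst)   -> {dport}
    hosts_per_port = defaultdict(set)   # (window, src, dport) -> {dst}
    for ts, src, dst, dport, packets in flows:
        if packets > probe_max:
            continue                    # a real session, not a probe
        w = int(ts // window)
        ports_per_host[(w, src, dst)].add(dport)
        hosts_per_port[(w, src, dport)].add(dst)

    alerts = []
    for (w, src, dst), ports in ports_per_host.items():
        if len(ports) >= vertical:
            alerts.append({"type": "vertical", "src": src, "target": dst,
                           "count": len(ports), "window": w})
    for (w, src, dport), hosts in hosts_per_port.items():
        if len(hosts) >= horizontal:
            alerts.append({"type": "horizontal", "src": src, "target": dport,
                           "count": len(hosts), "window": w})
    return alerts


def constructed_flows():
    """Constructed sample: one vertical scan, one horizontal scan, and a
    browsing customer that must not be flagged."""
    flows = []
    # 10.0.0.5 walks ports 1-30 on one host, one SYN each (half-open scan)
    for p in range(1, 31):
        flows.append((p * 0.1, "10.0.0.5", "203.0.113.9", p, 1))
    # 10.0.0.7 probes port 445 on twelve neighbouring hosts
    for i in range(1, 13):
        flows.append((5.0 + i * 0.1, "10.0.0.7", f"203.0.113.{i}", 445, 2))
    # 10.0.0.9 browses 25 web servers; each flow carries many packets
    for i in range(1, 26):
        flows.append((10.0 + i, "10.0.0.9", f"198.51.100.{i}", 80, 40))
    return flows


if __name__ == "__main__":
    for alert in detect_scans(constructed_flows()):
        print(alert)
```

The packet-count filter is what keeps the browsing customer out of the horizontal count even though it touches 25 hosts on port 80; a scanner that completes full connections would need a different discriminator (for example flow duration or bytes per flow).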
Internet Relay Chat (IRC) Connections
  • Internet-based “chat rooms” called “channels”
  • Bot-net clients connect and idle in protected channels
  • Bot Master issues commands to clients via the protected channel
  • Standard IRC port is 6667 (defined by RFC 1459 and RFC 2812)
  • Can make use of port mismatching
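Both the Protocol/Port Mismatches slide and the last bullet above come down to the same check: identify the protocol from what is actually sent, then compare with the port it was sent on. The following is an added example, not code from the slides or from QRadar, that fingerprints a flow's first client payload bytes (HTTP request line, SMTP EHLO/HELO, IRC NICK registration, SSH banner, TLS record header), looks the protocol up against its IANA port, and reports a mismatch unless an allowlist covers it. The allowlist holds only the two legitimate cases the slides name (SMTP on 587, HTTP on 8080); an operator would extend it. The sample flows, addresses and IRC nick are constructed.

```python
"""Protocol/port mismatch detection from the first client payload of a flow.

Added example (not from the original slides or from QRadar). Sample flows
below are constructed for illustration.
"""
import re

# Client-side signatures: what the customer sends first on each protocol.
SIGNATURES = [
    ("http", re.compile(rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n")),
    ("smtp", re.compile(rb"^(?:EHLO|HELO) \S+\r\n")),
    ("irc",  re.compile(rb"^(?:PASS [^\r\n]+\r\n)?NICK [^\r\n]+\r\n")),
    ("ssh",  re.compile(rb"^SSH-2\.0-")),
    ("tls",  re.compile(rb"^\x16\x03[\x00-\x03]")),   # TLS record, handshake type
]

# Well-known ports from the IANA registry for the protocols fingerprinted above.
IANA_PORTS = {
    "http": {80}, "smtp": {25}, "irc": {6667}, "ssh": {22},
    "tls": {443, 465, 993, 995},
}

# Legitimate alternatives named on the slides; an operator would extend this.
ALLOWED_ALTERNATIVES = {"http": {8080}, "smtp": {587}}


def classify(payload: bytes):
    """Return the protocol name matched by the first payload bytes, or None."""
    for name, pattern in SIGNATURES:
        if pattern.match(payload):
            return name
    return None


def check_flow(dport: int, payload: bytes):
    """Return (verdict, protocol): ok, allowed, mismatch or unknown."""
    proto = classify(payload)
    if proto is None:
        return ("unknown", None)          # encrypted or unrecognised; cannot judge
    if dport in IANA_PORTS[proto]:
        return ("ok", proto)
    if dport in ALLOWED_ALTERNATIVES.get(proto, ()):
        return ("allowed", proto)
    return ("mismatch", proto)


# Constructed flows: (src_ip, dst_ip, dst_port, first client payload bytes)
SAMPLE_FLOWS = [
    ("10.0.0.5", "198.51.100.1", 80,    b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("10.0.0.5", "198.51.100.2", 8080,  b"GET /proxy HTTP/1.1\r\nHost: example.net\r\n\r\n"),
    ("10.0.0.6", "198.51.100.3", 587,   b"EHLO customer.example\r\n"),
    ("10.0.0.6", "198.51.100.4", 25,    b"EHLO customer.example\r\n"),
    # IRC registration sent to port 443: the port-mismatch case from the slides
    ("10.0.0.7", "203.0.113.50", 443,   b"NICK bot2193\r\nUSER bot 0 * :bot\r\nJOIN #chan key\r\n"),
    ("10.0.0.8", "203.0.113.51", 6667,  b"NICK alice\r\nUSER alice 0 * :Alice\r\n"),
    ("10.0.0.9", "203.0.113.52", 80,    b"SSH-2.0-OpenSSH_7.4\r\n"),
    ("10.0.0.9", "203.0.113.53", 443,   b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    ("10.0.0.9", "203.0.113.54", 31337, b"\x00\x01\x02random"),
]


def report(flows):
    """Return (src, dst, dport, verdict, protocol) for every flow."""
    return [(src, dst, dport, *check_flow(dport, payload))
            for src, dst, dport, payload in flows]


def mismatches(flows):
    """Only the flows whose protocol does not belong on the port used."""
    return [row for row in report(flows) if row[3] == "mismatch"]


if __name__ == "__main__":
    for row in report(SAMPLE_FLOWS):
        print(row)
```

Two caveats matter in practice. A TLS flow fingerprints only as "tls", so IRC-over-TLS on port 443 looks like ordinary HTTPS to this check; that is exactly why the slides pair payload inspection with the behavioural signals (long idle connections, many customers joining the same remote host) rather than relying on ports alone. And the allowlist needs to be a deliberate decision, since every entry in it is a port the check will never flag for that protocol.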
Mitigating Violations

Pro
  • Increases end-user security and satisfaction
  • Decreases network loads
  • Increases network usability

Con
  • Potential information leaks
  • Potentially subject to disclosure
  • Information could be abused
  • Other privacy concerns
Discussion
  • Strict policy and legal controls and enforcement can mitigate privacy concerns
  • Other pros and cons
  • Questions and comments