visualizing network attacks l.
Skip this Video
Download Presentation
Visualizing Network Attacks

Loading in 2 Seconds...

play fullscreen
1 / 28

Visualizing Network Attacks - PowerPoint PPT Presentation

  • Uploaded on

Visualizing Network Attacks. Eric Conrad April 2009. A picture is worth 1,000 words. Many network, security and system engineers have trained themselves to correlate complex information from text-based representation of events Like Cypher in The Matrix

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Visualizing Network Attacks' - paul

Download Now An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
visualizing network attacks

Visualizing Network Attacks

Eric Conrad

April 2009

a picture is worth 1 000 words
A picture is worth 1,000 words
  • Many network, security and system engineers have trained themselves to correlate complex information from text-based representation of events
    • Like Cypher in The Matrix
  • However, many concepts lend themselves to visual interpretation
one example visual cryptanalysis of des ecb mode
One example: visual cryptanalysis of DES ECB mode
  • The Data Encryption Standard (DES) is a block cipher with a number of modes
  • The ‘native mode,’ Electronic Code Book, does not ‘chain’ the ciphertext
    • Identical 64-bit blocks of plaintext become identical blocks of ciphertext
  • As a result, patterns may propagate
  • The other modes of DES destroy patterns by chaining the previous block of ciphertext with the next
showing weaknesses of des ecb mode
Showing weaknesses of DES ECB mode
  • Left image is BMP, right image is same BMP encrypted in ECB mode
showing the effects of chaining
Showing the effects of chaining
  • Same logo, Cipher Block Chaining (CBC) mode ciphertext on right
DAVIX is a live CD for data analysis and visualization

Available at

Burn ISO to CD, and boot your laptop into a rich visualization environment

the davix live cd
The DAVIX start menu links to all major tools

Visualization work is broken down into 3 processes: Capture, Process, Visualize

the davix process
The DAVIX process
  • Capture includes tools that capture network data, like wireshark, tcpdump, etc.
  • Process includes tools that manipulate data, such as, as well as the classic Unix shell tools such as sed, awk, perl and grep
  • Visualize includes tools to display the data
a word on tools
A word on tools
  • All tools mentioned in this paper are on the DAVIX 1.0.1 distribution
  • All graphics used in this paper were generated directly from the DAVIX live CD
  • You may download all scripts in this paper at
  • All example commands in this paper will work directly on the DAVIX live CD
  • Dot is a language used to describe graphs
  • Example digraph (directed graph) in dot language, and resulting image:

digraph directed{ A -> B -> C; B -> D; }

turning dot into graphics
Turning Dot into graphics
  • Graphviz (Graph Visualization Software) includes a number of programs to manipulate Dot programs
  • Includes tools that take a Dot file as input, and create a graphics file as output
  • This paper uses the Graphviz tools ‘twopi’ and ‘neato’
    • twopi uses a ‘radial model’ to lay out nodes
    • neato uses a ‘spring model’ to lay out nodes
  • Afterglow takes CSV files as input and creates a Dot language file as output
  • Makes creating directed graphs very easy
  • The graph on the right was created with echo “1,2,3” | | neato –Tpng –o example.png
two column mode
Two-column mode has 2 types of nodes: source and target

This graph shows 2 source nodes connecting to three targets

Two-column mode
three column mode
Three-column mode adds an ‘event’ node

Source nodes connect to targets via ‘events’

Example event: protocol type

Three-column mode
visualizing honeypot attacks
Visualizing honeypot attacks
  • Let’s use the Dot language to visualize attacks vs. a honeypot
  • Data is from the Honeynet Project® Scan of the Month 27:
    • During its first week of operation, the honeypot was repeatedly compromised by attackers and worms exploiting several distinct vulnerabilities. Subsequent to a successful attack, the honeypot was joined to a large botnet.
      • Source:
  • What do the attacks look like visually?
visual traceroute with dot
Visual traceroute with Dot
  • Generate a route graph with Dot:
    • traceroute to the top 100 internet sites
    • Compute average time to each hop
    • Draw directed graph showing all connections within 6 hops
    • Display nodes with colors showing RTT
      • First node is blue (and larger)
      • Nodes < 15 ms are palegreen
      • Nodes < 30 ms are green
      • Nodes < 45 ms are yellow
      • Rest are red
visualizing mitnick vs shimomura
Visualizing Mitnick vs. Shimomura
  • One of the most famous network attacks occurred on Christmas Day, 1994, when Kevin Mitnick allegedly attacked Tsutomu Shimomura’s systems
  • The attack exploited a trust relationship between Shimomura’s ‘x-terminal’ and ‘server’
  • Shimomura analyzed the attack, and was kind enough to post a detailed post mortem of the attack to the Usenet group
    • Including tcpdump output
the players
The players
  • 4 systems were involved in the attack:
    • the source of the attack
    • server: a host trusted by xterminal
    • x-terminal: trusted by server
    • used as spoofed source for DOS attack
      • There was no live system at this IP address at time of attack
the attack
The attack
  • Goal was to forge a packet ‘from’ server to xterminal
    • DOSed server from
    • Harvested TCP sequence numbers from xterminal
    • Spoofed connection ‘from’ server to xterminal
      • Attacker did not see the SYN/ACK, and had to guess the sequence number used, and increment by 1 for the reply
  • Let’s use Shimomura’s analysis to see the attack visually
rumint rumors in the network
rumint: ‘rumors in the network’
  • Another useful DAVIX tool is rumint, a ‘PVR for Network Traffic and Security Visualization’
    • ‘rumint’ is short for ‘rumor intelligence’
    • Site:
  • Much of what IDS analysts must do is separating useful signals from noise
  • rumint is useful for ‘spotting the outlier’