
Visualizing Network Attacks

Visualizing Network Attacks. Eric Conrad http://www.ericconrad.com April 2009. A picture is worth 1,000 words. Many network, security and system engineers have trained themselves to correlate complex information from text-based representation of events Like Cypher in The Matrix



  1. Visualizing Network Attacks Eric Conrad http://www.ericconrad.com April 2009

  2. A picture is worth 1,000 words
  • Many network, security and system engineers have trained themselves to correlate complex information from text-based representation of events
  • Like Cypher in The Matrix
  • However, many concepts lend themselves to visual interpretation

  3. One example: visual cryptanalysis of DES ECB mode
  • The Data Encryption Standard (DES) is a block cipher with a number of modes
  • The ‘native mode,’ Electronic Code Book, does not ‘chain’ the ciphertext
  • Identical 64-bit blocks of plaintext become identical blocks of ciphertext
  • As a result, patterns may propagate
  • The other modes of DES destroy patterns by chaining the previous block of ciphertext with the next

  4. Showing weaknesses of DES ECB mode • Left image is BMP, right image is same BMP encrypted in ECB mode

  5. Showing the effects of chaining • Same logo, Cipher Block Chaining (CBC) mode ciphertext on right
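An added illustration of slides 3 to 5 (not the author's code): a toy 64-bit Feistel cipher stands in for DES so this runs without a DES library, and the key, IV and striped "bitmap" are constructed. Counting distinct ciphertext blocks shows why the ECB logo is still recognisable while the CBC one is not.

```python
import hashlib

BLOCK = 8  # 64-bit block, like DES

def _round_fn(half, key, rnd):
    # Keyed round function: SHA-256 of (key, round, half), truncated to 32 bits
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def block_encrypt(key, block):
    """Toy 4-round Feistel cipher standing in for DES (a permutation on 64-bit blocks)."""
    left, right = block[:4], block[4:]
    for rnd in range(4):
        f = _round_fn(right, key, rnd)
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ecb_encrypt(key, data):
    """ECB: blocks are encrypted independently, so equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(block_encrypt(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))

def cbc_encrypt(key, iv, data):
    """CBC: each block is XORed with the previous ciphertext block before encryption."""
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def distinct_blocks(data):
    """Number of distinct 8-byte blocks; a small count means the image pattern survived."""
    return len({data[i:i + BLOCK] for i in range(0, len(data), BLOCK)})

# Constructed "bitmap": 16 rows of 8 bytes, a white stripe on every 4th row over black
LOGO = b"".join(b"\xff" * BLOCK if r % 4 == 0 else b"\x00" * BLOCK for r in range(16))
KEY = b"example-key-only"  # constructed sample key
IV = b"\x00" * BLOCK       # constructed; a real IV should be unpredictable

def compare_modes():
    """Return (plaintext, ECB, CBC) distinct-block counts for the constructed logo."""
    return (distinct_blocks(LOGO),
            distinct_blocks(ecb_encrypt(KEY, LOGO)),
            distinct_blocks(cbc_encrypt(KEY, IV, LOGO)))

if __name__ == "__main__":
    print("distinct blocks (plain, ECB, CBC):", compare_modes())
```

ECB keeps exactly the two block values the plaintext had, so the stripes are visible in the ciphertext; CBC yields a different block for every row.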

  6. DAVIX
  • DAVIX is a live CD for data analysis and visualization
  • Available at http://secviz.org/
  • Burn ISO to CD, and boot your laptop into a rich visualization environment

  7. The DAVIX Live CD
  • The DAVIX start menu links to all major tools
  • Visualization work is broken down into 3 processes: Capture, Process, Visualize

  8. The DAVIX process
  • Capture includes tools that capture network data, like wireshark, tcpdump, etc.
  • Process includes tools that manipulate data, such as afterglow.pl, as well as the classic Unix shell tools such as sed, awk, perl and grep
  • Visualize includes tools to display the data

  9. A word on tools
  • All tools mentioned in this paper are on the DAVIX 1.0.1 distribution
  • All graphics used in this paper were generated directly from the DAVIX live CD
  • You may download all scripts in this paper at http://files.ericconrad.com/viz-current.tgz
  • All example commands in this paper will work directly on the DAVIX live CD

  10. Dot
  • Dot is a language used to describe graphs
  • Example digraph (directed graph) in dot language, and resulting image:
      digraph directed {
          A -> B -> C;
          B -> D;
      }

  11. Turning Dot into graphics
  • Graphviz (Graph Visualization Software) includes a number of programs to manipulate Dot programs
  • http://graphviz.org/
  • Includes tools that take a Dot file as input, and create a graphics file as output
  • This paper uses the Graphviz tools ‘twopi’ and ‘neato’
  • twopi uses a ‘radial model’ to lay out nodes
  • neato uses a ‘spring model’ to lay out nodes

  12. Afterglow
  • Afterglow takes CSV files as input and creates a Dot language file as output
  • Makes creating directed graphs very easy
  • The graph on the right was created with:
      echo "1,2,3" | afterglow.pl | neato -Tpng -o example.png

  13. Two-column mode
  • Two-column mode has 2 types of nodes: source and target
  • This graph shows 2 source nodes connecting to three targets

  14. Afterglow two-column example: normal ARP requests

  15. ‘Arp bomb’: scan of unused IP addresses

  16. Three-column mode
  • Three-column mode adds an ‘event’ node
  • Source nodes connect to targets via ‘events’
  • Example event: protocol type
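An added example for slides 12 to 16 (not afterglow.pl itself, which is Perl): a small Python converter that turns the same two-column "source,target" or three-column "source,event,target" CSV into a Dot digraph, with source, event and target nodes kept in separate namespaces the way afterglow draws them. The CSV rows are constructed; pipe the output into neato or twopi as on slide 12.

```python
import csv
import io

# Constructed sample: three-column rows, "source,event,target" with the protocol as the event
SAMPLE_CSV = """\
10.0.0.5,ARP,10.0.0.1
10.0.0.5,ARP,10.0.0.2
10.0.0.5,ARP,10.0.0.3
10.0.0.9,TCP,10.0.0.1
10.0.0.9,ARP,10.0.0.1
"""

def _node_id(kind, name):
    # Separate namespaces so 10.0.0.1 as a target is not merged with 10.0.0.1 as a source
    return '"%s:%s"' % (kind, name)

def csv_to_dot(text):
    """Return a Dot digraph for two- or three-column CSV, in afterglow's style."""
    nodes, edges = {}, []
    for row in csv.reader(io.StringIO(text)):
        row = [c.strip() for c in row if c.strip()]
        if len(row) == 2:
            chain = [("src", row[0]), ("tgt", row[1])]
        elif len(row) == 3:
            chain = [("src", row[0]), ("evt", row[1]), ("tgt", row[2])]
        else:
            continue  # skip blank or malformed rows
        for kind, name in chain:
            nodes[_node_id(kind, name)] = (kind, name)
        for (k1, n1), (k2, n2) in zip(chain, chain[1:]):
            edge = (_node_id(k1, n1), _node_id(k2, n2))
            if edge not in edges:  # repeated rows become one edge
                edges.append(edge)
    shape = {"src": "box", "evt": "ellipse", "tgt": "box"}
    color = {"src": "lightblue", "evt": "lightgrey", "tgt": "salmon"}
    lines = ["digraph afterglow {", "  node [style=filled];"]
    for nid, (kind, name) in nodes.items():
        lines.append('  %s [label="%s", shape=%s, fillcolor=%s];'
                     % (nid, name, shape[kind], color[kind]))
    for a, b in edges:
        lines.append("  %s -> %s;" % (a, b))
    lines.append("}")
    return "\n".join(lines)

def edge_count(text):
    """Number of distinct edges the CSV produces."""
    return sum(1 for line in csv_to_dot(text).splitlines() if "->" in line)

if __name__ == "__main__":
    print(csv_to_dot(SAMPLE_CSV))
```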

  17. Visualizing honeypot attacks
  • Let’s use the Dot language to visualize attacks vs. a honeypot
  • Data is from the Honeynet Project® Scan of the Month 27:
  • During its first week of operation, the honeypot was repeatedly compromised by attackers and worms exploiting several distinct vulnerabilities. Subsequent to a successful attack, the honeypot was joined to a large botnet.
  • Source: http://www.honeynet.org/scans/scan27/
  • What do the attacks look like visually?

  18. The attacks, visually

  19. Visual traceroute with Dot
  • Generate a route graph with Dot:
  • traceroute to the top 100 internet sites
  • Compute average time to each hop
  • Draw directed graph showing all connections within 6 hops
  • Display nodes with colors showing RTT
    • First node is blue (and larger)
    • Nodes < 15 ms are palegreen
    • Nodes < 30 ms are green
    • Nodes < 45 ms are yellow
    • Rest are red
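An added example of the slide 19 procedure (not the author's script): constructed traceroute results for two destinations are merged into one Dot graph, hops beyond the sixth are dropped, the RTT is averaged per hop address, and each node is coloured with the slide's thresholds.

```python
# Constructed sample: per destination, the (hop address, RTT in ms) list a traceroute would report
TRACES = {
    "site-a.example": [("192.0.2.1", 1.0), ("198.51.100.1", 12.0),
                       ("203.0.113.7", 28.5), ("203.0.113.40", 60.0)],
    "site-b.example": [("192.0.2.1", 2.0), ("198.51.100.1", 14.0),
                       ("203.0.113.9", 44.0), ("203.0.113.50", 41.0),
                       ("203.0.113.51", 90.0), ("203.0.113.52", 95.0),
                       ("203.0.113.53", 99.0)],  # 7th hop, beyond the 6-hop limit
}
MAX_HOPS = 6

def rtt_color(avg_ms):
    """Colour thresholds from the slide: <15 palegreen, <30 green, <45 yellow, else red."""
    if avg_ms < 15:
        return "palegreen"
    if avg_ms < 30:
        return "green"
    if avg_ms < 45:
        return "yellow"
    return "red"

def summarize(traces, max_hops=MAX_HOPS):
    """Average RTT per hop address and the set of hop -> next-hop edges within max_hops."""
    samples, edges = {}, set()
    for hops in traces.values():
        prev = "me"  # the first node: the tracing host
        for addr, rtt in hops[:max_hops]:
            samples.setdefault(addr, []).append(rtt)
            edges.add((prev, addr))
            prev = addr
    avg = {addr: sum(v) / len(v) for addr, v in samples.items()}
    return avg, edges

def traces_to_dot(traces):
    """Render the merged routes as a Dot digraph; feed it to twopi for a radial layout."""
    avg, edges = summarize(traces)
    lines = ["digraph traceroute {", "  node [style=filled];",
             '  "me" [fillcolor=blue, width=1.5, height=1.5];']  # first node blue and larger
    for addr, ms in sorted(avg.items()):
        lines.append('  "%s" [fillcolor=%s, label="%s\\n%.1f ms"];'
                     % (addr, rtt_color(ms), addr, ms))
    for a, b in sorted(edges):
        lines.append('  "%s" -> "%s";' % (a, b))
    lines.append("}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(traces_to_dot(TRACES))
```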

  20. Visualizing Mitnick vs. Shimomura
  • One of the most famous network attacks occurred on Christmas Day, 1994, when Kevin Mitnick allegedly attacked Tsutomu Shimomura’s systems
  • The attack exploited a trust relationship between Shimomura’s ‘x-terminal’ and ‘server’
  • Shimomura analyzed the attack, and was kind enough to post a detailed post mortem of the attack to the comp.security.misc Usenet group
  • Including tcpdump output

  21. The players
  • 4 systems were involved in the attack:
    • apollo.it.luc.edu: the source of the attack
    • server: a host trusted by xterminal
    • x-terminal: trusted by server
    • 130.92.6.97: used as spoofed source for the DoS attack
  • There was no live system at this IP address at the time of the attack

  22. The attack
  • Goal was to forge a packet ‘from’ server to xterminal
  • DoSed server from 130.92.6.97
  • Harvested TCP sequence numbers from xterminal
  • Spoofed connection ‘from’ server to xterminal
  • Attacker did not see the SYN/ACK, and had to guess the sequence number used, and increment by 1 for the reply
  • Let’s use Shimomura’s analysis to see the attack visually

  23. Mitnick vs. Shimomura

  24. rumint: ‘rumors in the network’
  • Another useful DAVIX tool is rumint, a ‘PVR for Network Traffic and Security Visualization’
  • ‘rumint’ is short for ‘rumor intelligence’
  • Site: www.rumint.org
  • Much of what IDS analysts must do is separating useful signals from noise
  • rumint is useful for ‘spotting the outlier’

  25. Analyzing honeypot with rumint

  26. rumint ‘text rainfall’ mode
  • Matrix-style falling text from live network capture or pcap file
  • This shows botnet IRC command and control traffic

  27. Any questions?
