Detection of malicious Traffic on Backbone Links via Packet Header Analysis - PowerPoint PPT Presentation
Title:
Detection of malicious Traffic on Backbone Links via Packet Header Analysis
Description:
Title: MonNet A project for network and traffic monitoring Last modified by: wj Document presentation format: On-screen Show Other titles: Times New Roman Arial Comic ... – PowerPoint PPT presentation
Number of Views:42
Avg rating:3.0/5.0
Title: Detection of malicious Traffic on Backbone Links via Packet Header Analysis
1
Detection of malicious Traffic on Backbone Links
via Packet Header Analysis
- Wolfgang John and Tomas OlovssonDepartment of
Computer Science and EngineeringChalmers
University of TechnologyGöteborg, Sweden
2
Introduction
- Traffic filtering is often done locally
- Backbone provides broader view
- What is happening in the wild?
- Old, well known attack types?
- Distributed attacks to several hosts/networks?
- What to expect on ingress hosts?
- How good is pure packet header analysis?
3
Introduction Outline
- Packet headers considered
- Fields and potential problems
- Dataset
- Measurement location
- Transport protocol breakdown
- Anomalies observed
- IP (fragmentation), TCP, UDP, ICMP
- Discussion and highlights
- Summary and Conclusions
4
Packet Headers
- IP header structure
5
Packet Headers (2)
- TCP header structure
6
Packet Headers (3)
- UDP header structure
- ICMP header structure
7
Outline (2)
- Packet headers considered
- Fields and potential problems
- Dataset
- Measurement location
- Transport protocol breakdown
- Anomalies observed
- IP (fragmentation), TCP, UDP, ICMP
- Discussion
- Summary and Conclusions
8
Dataset Measurement location
Internet
- 2x 10 Gbit/s (OC-192)
- capturing headers only
- IP addresses anonymized
- 554 traces in late 2006
- 10 min. intervals during 3 months
Stockholm
Student-Net
Regional ISPs
Göteborg
Göteborgs Univ.
Chalmers Univ.
Other smaller Universities and Institutes
9
Dataset (2)
- Transport protocol breakdown
- CAIDAs DatCat SUNET fall 2006
- https//imdc.datcat.org/collection/1-04HQ-3SUNET
OC192Tracesfall2006
IP
Original Datagram
IP
IP
Segment 2
IP
Segment 3
Seg. 4
Segment 1
IP
Fragment 1
Fragment 3
Fragment 4
Fragment 2
Fragment Series
10
Outline (3)
- Packet headers considered
- Fields and potential problems
- Dataset
- Measurement location
- Transport protocol breakdown
- Anomalies observed
- IP (fragmentation), TCP, UDP, ICMP
- Discussion
- Summary and Conclusions
11
Anomalies observed
- IP header anomalies
- Two intervals with one million packets to four
destinations Source IP of private class C
(192.168/16) ICMP echo replies, 228 bytes DoS
attack?
- No exploits of IP source route
- Land attack
12
Anomalies observed (2)
- IP fragmenation inconsistencies
- IP ID values of zero are over-represented!
- one host inside a University five campaigns to
five destinations with series of 6-7 fragments
Iterating over entire port range half of the
series with inconsistencies (holes etc.) - hijacked host performing DoS (Frag attack!)
- 42 hosts are the main target 1/5 of all
fragment series to these hosts are incomplete
many gaps only 8 byte long! DDoS? Or just
packet loss?
- 35 different times and different hosts! Not
only overlaps, but also gasp Overlapping
fragments fill gaps on wrong places! 8 48
bytes overlapping fragments on consistent
offsets Hardware/Software error? Common attack
tool?
- Good news Ping-of-death, sPing, IceNewk etc.
not observed!
13
Anomalies observed (3)
- TCP header anomalies
- Two or more field anomalies within the same TCP
header
- 21 in RST/ACK packets from port 80
- 79 in SYN/ACK packets . SYN/ACK attacks?
- source and desination ports of zero equally
shared mainly SYN packets in host scanning
campaigns
- Mahoney et al FIN without ACK can reveal
port-sweeps Not supported by our data!!
Mainly to P2P ports pure FIN after SYN
connection attempts
14
Anomalies observed (4)
- UDP header anomalies
- From UDP port zero around 30 scanning
campaigns of /24 ranges to port numbers 1025
and 1026 Windows messenger spam!
15
Anomalies observed (5)
- ICMP header observations
- two hosts sending 46 million host redirects
during 12 days DoS attacks like Winfreez
16
Anomalies observed (6)
- ICMP header observations contd.
- No Ping-of-Death type attacks
- No obvious attack with ICMP dest. unreachable
(Smack) - No ICMP timestamp attacks (like moyari13)
- No large scale usage of invalid ICMP
types(Twinge or Trash attacks)
17
Outline (4)
- Packet headers considered
- Fields and potential problems
- Dataset
- Measurement location
- Transport protocol breakdown
- Anomalies observed
- IP (fragmentation), TCP, UDP, ICMP
- Discussion
- Summary and Conclusions
18
Summary and Conclusions
- Systematic listing of header anomalies
- Occurences in real backbone traffic
- Many old attacks still out there
- but some formerly popular attacks vanished
- Constant noise of anomalous packets
- Some major campaigns of malicious activities
detected
19
Summary and Conclusions (2)
- Pure packet header analysis reveals a substantial
amount of malicious activity - Watch out for
- IP ID of zero
- port numbers of zero
- Strange TCP flags
- Reserved IP addresses
- Unusual ICMP activity
20
Summary and Conclusions (3)
- Next steps
- Study potential of IP ID, SEQ and ACK numbers and
port numbers for detection - Get access to payload data / broadcast addr.
- Anomalous applications headers?
- Malicious code?
- Correlate packets (flows)
- Scannings, DDoS campaigns?
- What happens before? After? ....
21
More Informationhttp//www.chalmers.se/cse/EN/p
eople/john-wolfgangor Email johnwolf_at_chalmers.s
e
- Questions?
Recommended
CrystalGraphics Presentations
