Darknet As a Source of Cyber Threat Intelligence: Investigating Distributed and Reflection Denial of Service Attacks
Darknet as a Source of Cyber Threat Intelligence: Investigating Distributed and Reflection Denial of Service Attacks

Claude Fachkha

A Thesis in The Department of Electrical and Computer Engineering

Presented in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy at Concordia University, Montreal, Quebec, Canada

November 2015

© Claude Fachkha, 2015

CONCORDIA UNIVERSITY
SCHOOL OF GRADUATE STUDIES

This is to certify that the thesis prepared by Claude Fachkha, entitled "Darknet as a Source of Cyber Threat Intelligence: Investigating Distributed and Reflection Denial of Service Attacks" and submitted in partial fulfilment of the requirements for the degree of Doctor of Philosophy, complies with the regulations of the University and meets the accepted standards with respect to originality and quality.

Signed by the final examining committee:
Dr. Deborah Dysart-Gale, Chair
Dr. Mohammad Zulkernine, External Examiner
Dr. Joey Paquet, External to Program
Dr. Rachida Dssouli, Examiner
Dr. Roch H. Glitho, Examiner
Dr. Mourad Debbabi, Thesis Supervisor

Approved by Dr. Abdel Razik Sebak, Chair of Department or Graduate Program Director, and Dr. Amir Asif, Dean of Faculty.

ABSTRACT

Cyberspace has become a massive battlefield between computer criminals and computer security experts. In addition, large-scale cyber attacks have matured enormously and have become capable of generating, in a prompt manner, significant interruptions and damage to Internet resources and infrastructure. Denial of Service (DoS) attacks are perhaps the most prominent and severe type of such large-scale cyber attacks. Furthermore, the existence of widely available encryption and anonymity techniques greatly increases the difficulty of the surveillance and investigation of cyber attacks. In this context, the availability of relevant cyber monitoring is of paramount importance.
An effective approach to gather DoS cyber intelligence is to collect and analyze traffic destined to allocated, routable, yet unused Internet address space, known as darknet. In this thesis, we leverage big darknet data to generate insights on various DoS events, namely Distributed DoS (DDoS) and Distributed Reflection DoS (DRDoS) activities. First, we present a comprehensive survey of darknet. We define and characterize darknet and list its alternative names. We further list other trap-based monitoring systems and compare them to darknet. In addition, we provide a taxonomy of darknet technologies and identify research gaps related to three main darknet categories: deployment, traffic analysis, and visualization. Second, we characterize darknet data. Such information can generate indicators of cyber threat activity as well as provide an in-depth understanding of the nature of its traffic. In particular, we analyze the distribution of darknet packets and the transport, network and application layer protocols they use, and pinpoint the domain names they resolve. Furthermore, we identify the IP classes and destination ports involved and geo-locate the source countries. We further investigate darknet-triggered threats, with the aim of exploring darknet-inferred threats and categorizing their severity. Finally, we explore the inter-correlation of such threats by applying association rule mining techniques to build threat association rules; specifically, we generate clusters of threats that co-occur while targeting a specific victim. Third, we propose a DDoS inference and forecasting model that aims at providing insights to organizations, security operators and emergency response teams during and after a DDoS attack.
Specifically, this work strives to predict, within minutes, the attacks' features, namely intensity/rate (packets/sec) and size (estimated number of compromised machines/bots). The goal is to understand the short-term trend of ongoing DDoS attacks in terms of those features, and thus to provide the capability to recognize the current situation as well as similar future ones and respond appropriately to the threat. Further, our work investigates DDoS campaigns by proposing a clustering approach that infers the various victims targeted by the same campaign and predicts the related features. To achieve this, the proposed approach leverages a number of time series and fluctuation analysis techniques, statistical methods and forecasting approaches. Fourth, we propose a novel approach to infer and characterize Internet-scale DRDoS attacks by leveraging the darknet space. Complementary to the pioneering work on inferring DDoS activities using darknet, this work shows that DoS activities can be extracted without relying on backscatter analysis. The aim is to extract cyber security intelligence related to DRDoS activities, such as intensity, rate and geo-location, in addition to various network-layer and flow-based insights. To achieve this, the proposed approach exploits certain DDoS parameters to detect the attacks and applies expectation maximization and k-means clustering in an attempt to identify campaigns of DRDoS attacks. Finally, we conclude this work with some discussion and pinpoint future work.

DEDICATION

I dedicate this thesis to my parents, Antonio and Georgette, my brothers Jean and Gilbert, and my sister Nathalie. Thank you for your unconditional support with my studies. I am honored to be a member of your peaceful and lovely family. Thanks for standing by me and giving me an everlasting chance to prove and improve myself through all my walks of life. I love you all.
ACKNOWLEDGEMENTS

- I would primarily like to express my gratitude to my academic father and supervisor, Professor Mourad Debbabi, for the training and guidance during my graduate studies. Thanks for giving me the chance to work and grow with you. Furthermore, thanks for teaching me about perfectionism and dedication in the workplace through your professionalism and distinguished leadership skills.
- I thank the National Cyber-Forensics & Training Alliance (NCFTA) Canada for providing facilities for conducting research; this work would not be possible without their active support. I thank Farsight Security, Inc. and in particular Dr. Paul Vixie for access to rich data feeds.
- I would also like to express my appreciation towards the students, faculty and staff of Concordia University. I thank them for providing crucial aid and constant support throughout my graduate studies at Concordia University.
- I wish to extend my utmost gratitude to all my lab-mates and friends for their wonderful participation and cooperation. In particular, I would like to thank my friend, colleague and teammate, Dr. Elias Bou-Harb, who acted as a real brother during my PhD studies.
- Furthermore, I would like to thank my partner Flora for being so kind and loving.
- Last but not least, I would like to thank God, the natural power of creation, for giving me strength, courage, dedication, determination, patience, as well as guidance in conducting this long research study, despite all difficulties.

TABLE OF CONTENTS

LIST OF FIGURES .......... x
LIST OF TABLES .......... xii
1 Introduction .......... 1
  1.1 Objectives .......... 4
  1.2 Contributions .......... 4
  1.3 Organization .......... 5
2 Background .......... 6
  2.1 Darknet Definitions .......... 6
  2.2 Trap-Based Monitoring Systems .......... 7
  2.3 Darknet Inferred Cyber Threats .......... 10
  2.4 Darknet Operation .......... 12
  2.5 DoS Attack Techniques .......... 15
    2.5.1 Protocol-based Flooding Attacks .......... 16
    2.5.2 Protocol-based Reflection Attacks .......... 18
    2.5.3 Summary .......... 20
  2.6 DoS Defense Mechanisms .......... 21
    2.6.1 Attack Prevention and Mitigation .......... 21
    2.6.2 Attack Detection .......... 22
    2.6.3 Attack Attribution .......... 23
    2.6.4 Summary .......... 24
3 Darknet Taxonomy .......... 25
  3.1 Darknet Deployment .......... 26
    3.1.1 Darknet Variants .......... 28
    3.1.2 Deployment Techniques .......... 29
    3.1.3 Sensor Placement Techniques .......... 31
    3.1.4 Sensor Identification Techniques .......... 33
    3.1.5 Data Handling Techniques .......... 35
    3.1.6 Projects .......... 35
    3.1.7 Summary .......... 39
  3.2 Darknet Analysis .......... 41
    3.2.1 Data Analysis .......... 41
    3.2.2 Threat Analysis .......... 49
    3.2.3 Events .......... 70
    3.2.4 Summary .......... 72
  3.3 Darknet Visualization .......... 74
    3.3.1 Summary .......... 79
  3.4 Related Surveys .......... 80
4 Darknet Investigation .......... 82
  4.1 Darknet Measurements .......... 83
    4.1.1 Inside Darknet .......... 84
    4.1.2 Case Studies .......... 85
  4.2 Darknet Profiling .......... 88
    4.2.1 Threat Analysis .......... 93
  4.3 Threats Correlation .......... 95
    4.3.1 Approach .......... 95
  4.4 Empirical Evaluation .......... 100
  4.5 Related Work .......... 104
  4.6 Summary .......... 105
5 Prediction Model for DDoS Activities .......... 107
  5.1 Attack Prediction .......... 110
    5.1.1 Extracting Backscattered
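The backscatter-based DDoS inference that the abstract refers to (a victim of a flood with spoofed sources answers those sources, and a share of the replies lands on the darknet) is sketched below as an added example; it is not code from the thesis. It classifies darknet packets as backscatter or not, groups backscatter by source address (the presumed victim) per time window, and extrapolates the observed reply rate to an attack rate. The Packet fields, the /24 darknet taken from the RFC 5737 documentation range, the thresholds, the ICMP types treated as backscatter, and the uniform-spoofing extrapolation factor 2^32 / darknet_size are assumptions of this example; the thesis's bot-count (size) estimate is not reproduced here.

```python
from collections import defaultdict
from dataclasses import dataclass

# Added example: backscatter-based DDoS inference over darknet traffic.
# Assumptions (not from the thesis): the packet fields below, a /24 darknet,
# the thresholds, and the classic uniform-spoofing extrapolation.


@dataclass(frozen=True)
class Packet:
    ts: float           # capture time in seconds
    src: str            # source address as seen by the darknet sensor
    dst: str            # darknet address the packet hit
    proto: str          # "tcp" or "icmp"
    flags: str = ""     # TCP flags, e.g. "S", "SA", "RA"
    icmp_type: int = -1


# Replies a host emits to traffic it never requested from the darknet:
# a SYN-flood victim answers spoofed SYNs with SYN-ACK (or RST on a closed
# port); ICMP unreachable / time-exceeded also shows up as backscatter.
BACKSCATTER_TCP_FLAGS = {"SA", "RA", "R"}
BACKSCATTER_ICMP_TYPES = {3, 11}


def is_backscatter(pkt: Packet) -> bool:
    """Unsolicited reply packets are the darknet signature of a DoS victim."""
    if pkt.proto == "tcp":
        return pkt.flags in BACKSCATTER_TCP_FLAGS
    if pkt.proto == "icmp":
        return pkt.icmp_type in BACKSCATTER_ICMP_TYPES
    return False


def infer_ddos_victims(packets, darknet_size, window=60.0, min_pkts=20, min_dsts=10):
    """Group backscatter by (victim, window) and extrapolate the attack rate.

    If attack sources are spoofed uniformly over IPv4, a darknet of
    darknet_size addresses receives darknet_size / 2**32 of the victim's
    replies, so observed_rate * 2**32 / darknet_size estimates the reply
    (roughly the attack) rate. min_dsts rejects a host that merely talks to
    one or two darknet addresses, which is not a spray of spoofed replies.
    """
    scale = 2 ** 32 / darknet_size
    buckets = defaultdict(list)
    for p in packets:
        if is_backscatter(p):
            buckets[(p.src, int(p.ts // window))].append(p)
    events = []
    for (victim, w), pkts in sorted(buckets.items()):
        dsts = {p.dst for p in pkts}
        if len(pkts) < min_pkts or len(dsts) < min_dsts:
            continue
        observed_rate = len(pkts) / window
        events.append({
            "victim": victim,
            "window": w,
            "observed_pkts": len(pkts),
            "distinct_darknet_dsts": len(dsts),
            "observed_rate_pps": observed_rate,
            "estimated_attack_rate_pps": observed_rate * scale,
        })
    return events


# Constructed sample (not real capture data): a /24 darknet, 203.0.113.0/24
# from the RFC 5737 documentation range. 198.51.100.10 is a SYN-flood victim
# whose SYN-ACKs spray across the darknet; 192.0.2.5 is a scanner (its SYNs
# are not backscatter); 198.51.100.20 sends a handful of RSTs, too few and
# too narrow to count as an attack.
DARKNET_SIZE = 256
SAMPLE_PACKETS = (
    [Packet(ts=i * 1.5, src="198.51.100.10", dst=f"203.0.113.{(i * 7) % 256}",
            proto="tcp", flags="SA") for i in range(30)]
    + [Packet(ts=i * 0.5, src="192.0.2.5", dst=f"203.0.113.{i}",
              proto="tcp", flags="S") for i in range(50)]
    + [Packet(ts=i * 2.0, src="198.51.100.20", dst=f"203.0.113.{i}",
              proto="tcp", flags="RA") for i in range(5)]
)

if __name__ == "__main__":
    for event in infer_ddos_victims(SAMPLE_PACKETS, DARKNET_SIZE):
        print(event)
```

On the constructed sample only the SYN-flood victim survives both thresholds: 30 SYN-ACKs to 30 distinct darknet addresses in one 60-second window, an observed 0.5 packets/sec, which the /24 scaling factor of 2^32 / 256 extrapolates to about 8.4 million replies per second Internet-wide. The extrapolation is only as good as the uniform-spoofing assumption; attackers who spoof from a narrow range, or victims that rate-limit replies, will be under- or over-estimated.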