Università Degli Studi Di Pisa

Total Page:16

File Type:pdf, Size:1020Kb

Università Degli Studi Di Pisa Università degli Studi di Pisa DIPARTIMENTO DI INFORMATICA Corso di Laurea in Infor ati!a TESI DI LAUREA IDENTIF"ING AND REMO$IN# A%NORMAL TRAFFIC FROM T&E UCSD NET'OR( TELESCOPE Candidata) Relatore) Elif Beraat Izgordu Luca Deri Matricola: 491044 Anno A!!ademi!o *+,-.*+,/ Index , Introdu!tion 0 * Motivation and Related 'or1 - *2, UCSD Net3or1 Teles!ope 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 5 *2* Teles!ope Usage E6a ple 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 ,+ *27 IP Address Spoofing 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 ,* *20 Overloading Ca4ture Capa!it9 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 ,0 7 Ar!:ite!ture ,; 72, Colle!ted Statisti!s 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 ,/ 72,2, Port %ased Statisti!s 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 ,/ 72,2* S!anner Statisti!s 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 ,5 72,27 Receivers Statisti!s 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 ,< 72* Algorit: s and Data Stru!tures 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 ,< 0 I plementation ** 02, ndpiReader 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 ** 02* Original Contri=ution 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 ** 02*2, Statisti!s 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 *0 027 Memor9 Con!erns 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 */ 020 Filters 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 *5 0202, Filter for Pa!1et %urst 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 *5 0202* Filter for Host %urst 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 7+ 02; Sour!e Code 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 7, ; $alidation 7* ;2, Pa!1et %urst E6a ples 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 7; ;2* Host %urst E6a ples 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 7/ - Con!lusions 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 7< 2 3 1 Introduction In t:e last 7+ 9ears Internet :as :ad a revolutionar9 i pa!t =ot: on our societ9 and on our dail9 lives2 T:ere are !ountless studies for ea!: and ever9 aspect of t:e Internet> it?s =e:aviour and evolution at a!ro- s!ale also :as =een an i portant sour!e of resear!: data@ not for onl9 !omputer s!ien!e =ut for an9 dis!i4lines@ in!luding even social s!ien!es2 T:erefore@ understanding t:e evolution of Internet infrastru!ture is ver9 i portant2 "et developing instru ents and et:ods t:at !an easure and anal9se a!ros!opi! 4:enomena on t:e Internet is not trivial2 One of t:e ost i portant aspects to understand t:e evolution of t:e Internet infrastru!ture is onitoring and stud9ing internet address spa!e utilisation2 It?s a 1no3n issue t:at IPv0 address spa!e is al ost e6:austed =ut as a atter of fa!t@ not all of t:e allocated addresses are effectivel9 in use2 As entioned in t:e stud9 of Dainotti@ %enson@ (ing@ (allitsis@ #latB@ Di itropoulos C,D EMa!ros!opi! easurement of 4atterns in IPv0 address utilisation reveals insig:ts into Internet gro3t:@ in!luding to 3:at e6tent NAT and IPv- deplo9 ent are redu!ing t:e pressure on Fand demand forG IPv0 address spa!e2H 4 In t:e !ourse of t:is stud9@ t:e 4resent s!ienti8! 3or1s 3it: t:e ai of apping a!tual utiliBation of IPv0 addresses@ t:eir li itations and :o3 t:e apping !an =e i 4roved in t:e parti!ular !ase of CAIDA Net3or1 Teles!ope[2] are going to =e introdu!ed2 T3o a44roa!:es for t:e apping problem> a!tive and passive pro=ing@ t:eir !:allenges are going to =e anal9Bed in t:e Motivations and Related 'or1 !:a4ter2 Parti!ularl9 Net3or1 Teles!ope[3D (or a dar1net@ 3:i!: is a portion of routed IP address spa!e in 3:i!: little or no legiti ate traI! e6istsG@ it?s usage for s!ienti8! inferen!es and t:e 4roblems t:at are t:reatening it?s data integrit9 are going to =e introdu!ed in t:is !:a4ter2 After introdu!ing t:e ter inolog9@ li itations of t:e !urrent a44roa!: for data sanitiBation Fin order to over!ome data integrit9 pro=lemsG and diI!ulties of 3or1ing 3it: t:e telecope data are going to =e des!ri=ed2 In t:e Ar!:ite!ture !:a4ter t:ese li itations and diI!ulties are going to s:ape our approa!: and decisions ta1en to deal 3it: t:e original 4roblem of t:is 3or1) i 4roving t:e !urrent a44roa!: for data sanitiBation2 Ne6t@ in t:e Im4lementation !:a4ter details of t:e original !ontri=ution and tec:nologies used to realiBe it are going to =e introdu!ed. At t:e end in t:e $alidation !:a4ter@ effi!ien!9 and validit9 of t:e solution is going to =e demonstrated 3it: t:e test results2 5 2 Motivation and Related Wor Until no3 t:ere :as =een t3o s!ienti8! 3or1 for onitoring t:e e6tent to 3:i!: allocated IP addresses are a!tuall9 used[4D2 %ot: of t:ese 3or1s :ave t:eir o3n li itations2 T:ere are t3o approa!:es t:at separate t:ese t3o s!ienti8! 3or1 funda entall9@ t:at is onitoring !an =e i 4lemented =9 a!tive or passive probing2 First 3or1 is t:e ISI’s Internet Census proJectC;D in 3:i!: address utilisation :as =een onitored via a!tivel9 s!anning t:e entire IPv0 address spa!e2 It periodi!all9 sends ICMP ec:o requestsFi2e2 pingG to ever9 single IPv0 address (e6!luding 4rivate and ulti!ast addressesG to tra!1 t:e a!tive IP address population2 A!tive s!anning approa!: :as four 4ri ar9 li itations) C-D iG t:ere is a easure ent over:ead@ ii) easurement infrastru!ture !an =e potentiall9 =la!1listed iii) net3or1s 8ltering ICMP request !ause easurement =ias@ ivG not s!ala=le for use in a future IPv- !ensus2 Second is t:e CAIDA?s UCSD Net3or1 Teles!ope C/D proJect t:roug: passive easur ents2 T:e Center for Applied Internet Data Anal9sis (CAIDAG !ondu!ts net3or1 resear!: and =uilds resear!: infrastru!ture to support large.s!ale data !olle!tion@ !uration@ and data distri=ution to t:e s!ienti8! resear!: !om unit9 C5D2 ProJe!t is realiBed =9 anal9Bing t3o t9pes of passive traI! data) FiG Internet %a!1ground Radiation 6 (I%RG 4a!1et traI! !a4tured =9 dar1nets (a1a teles!opesG> FiiG traI! (netGLo3 su aries in operational net3or1s2 Passive traI! easurements over!omes t:e !:allenges posed from a!tive probing approa!:> it doesn?t introdu!e net3or1 traI! over:ead@ doesn?t rel9 on un8ltered responses to probing and !ould appl9 to IPv- as 3ell2 It also dete!ts additional a!tive M*0 =lo!1s t:at are not detected as a!tive 3it: ISI’s a!tive probing a44roa!:2 On t:e ot:er :and, it introdu!es ne3 !:allenges to deal 3it:) C<D iG t:e li ited visi=ilit9 of a single observation point> ii) t:e 4resen!e of spoofed IP addresses in 4a!1ets t:at !an aAect results =9 i pl9ing fa1ed addresses are a!tive2 If t:e presen!e of s4oofed pa!1etsFpa!1ets 3it: a fa1e sour!e IP addressG is signi8!antl9 large (t:ousands of IP addresses per inute) it !an invalidate t:e inferen!es@ resulting in a u!: ore densel9 utilised IPv0 address spa!e2 T:erefore@ pa!1ets 3it: spoofed sour!e addresses t:reaten integrit9 of t:e data obtained from net3or1 teles!ope, =ecause an9 resear!: use of data depends on t:e sour!e address of t:e pa!1et2 CAIDA develops and evaluates tec:niKues to identif9 and remove li1el9 spoofed pa!1ets fro =ot: dar1net (unidire!tionalG and t3o-3a9 traI! data2 T:eir 3or1 focused on 8ltering large.s!ale spoofing =9 anuall9 isolating and anal9Bing suspi!ious traI! and t:en defining 8lters to remove t:em2 7 T:ese 8lters are stati! 8lters (e2g 8lter traI! 3:i!: :as TTL N *++ and not ICMP@ 8lter traI! 3it: least signi8!ant =9te sr! addr + or *;;G 3:i!: !over ost of t:e spoofed traI! !ases =ecause t:e9 !an =e deter ined =9 3ell.1no3n 4atterns 3:i!: indi!ate t:at traI! !an =e not:ing =ut spoofed2 T:e9 signi8!antl9 redu!e a ount of spoofed traI! over t:e net3or1 =ut t:ere are still large.s!ale spoofing events t:at !an invalidate t:e inferen!es2 T:is 3or1 !ontri=utes to t:e effort of i proving dar1net data usage2 Pri aril9 !ontri=uting to 8lter spoofed sour!e traI! and pa!1et =urst traI! on t:e UCSD Net3or1 Teles!ope2 T:ese non.8ltered spoofed traI! :ave !ase.speci8! reasons2 T:erefore !urrent tec:niKues of CAIDA are e6tended 3it: a d9na i! a44roa!: to deter ine and 8lter t:ose !ases t:at !ould not =e deter ined =9 stati! 8lters2 Furt:er in t:is section@ to understand =etter t:e 4roble and it?s !:allenges@ Net3or1 Teles!ope data usage is going to =e e6a ined 3it: an e6a ple2 T:en t:e issues t:at t:reaten data integrit9 are going to =e !overed; speci8!all9 IP address spoofing and 4a!1et =urst !ases2 2.1 "#$D %et&or 'elesco)e CAIDA :osts T:e UCSD Net3or1 Teles!ope @ one of t:e largest net3or1 teles!opes (a M5 net3or1 seg ent .
Recommended publications
  • A Network Telescope Information Visualisation Framework
    A Network Telescope Information Visualisation Framework Submitted in partial fulfilment of the requirements of the degree of Bachelor of Science (Honours) of Rhodes University Samuel Oswald Hunter Grahamstown, South Africa November 2010 Abstract Network telescopes are able to provide a sampled view of the Internet with regard to nefarious traffic. More specifically they are able to provide empirical data based on ma- licious traffic, unbiasedly targeted towards unused address space. Network telescopes accomplish this by monitoring ranges of unused internet address space in which no le- gitimate traffic should exist. Analysis of traffic captured by network telescopes has been shown as an effective measure in characterising nefarious traffic caused by worm prop- agation and distributed denial of service attacks. By choosing the correct metrics for analysis on this traffic one is able to extract information that gives insight and a greater understanding of the current state of illegitimate traffic on the Internet. Collecting the data and extracting the information is however only the first half of the process towards understanding and interpretation of results. Through correct visualisation, large sets of data can be summarised in a compact and easily understandable format. This research focuses on the analysis, manipulation and visualisation of traffic obtained from network telescope monitoring. Analysis was achieved by outlining specific metrics that were used to extract information from captured traffic. This information was then manipulated and prepared for different methods of visualisation. An information visualisation framework named Ember was created with the goal of managing and visualising multiple data sets. The Ember framework was then used alongside existing third party libraries to create a network telescope dashboard.
    [Show full text]
  • Cloud-Based Network Telescope for Internet Background Radiation Collection
    School of Computer Science and Statistics Cloud-based network telescope for Internet background radiation collection Joseph O’Hara Supervisor: Dr. Stefan Weber A dissertation submitted in partial fulfilment of the requirements for the degree of Master in Computer Science (MCS) Submitted to the University of Dublin, Trinity College, April, 2019 Declaration I, Joseph O’Hara, declare that the following dissertation, except where otherwise stated, is entirely my own work; that it has not previously been submitted as an exercise for a degree, either in Trinity College Dublin, or in any other University; and that the library may lend or copy it or any part thereof on request. Signed: Date: i Summary Botnets are collections of individual computers that have been taken over by an adversary in order to assemble a number of devices that can be controlled to cause disruption to services in the Internet. Distribution mechanisms for botnets scan IP address ranges of the Internet in order to find vulnerable computers that can be infected and added to existing networks. Researchers monitor blocks of IP addresses to detect scanning activities and other abnormal activities in the Internet; collectively referred to as Internet Background Radiation. A tool such as a network telescope, is used to monitor unused IP address ranges that are not hosting services and are not expected to receive legitimate network traffic. This research proposes a novel network telescope design that is based on a diverse pool of IP addresses controlled by cloud computing providers. In contrast, traditional network telescope deployments that make use of a homogeneous, compact range of IP addresses, a diverse set of IP addresses offers the advantage that the assumed ’geographical’ location of the IP addresses can be spread around the world.
    [Show full text]
  • Network Telescopes: Technical Report
    Network Telescopes: Technical Report David Moore∗;y, Colleen Shannon∗, Geoffrey M. Voelkery, Stefan Savagey Abstract A network telescope is a portion of routed IP address space in which little or no legitimate traffic exists. Monitoring unexpected traffic arriving at a network telescope provides the opportunity to view remote network security events such as various forms of flooding denial-of-service attacks, infection of hosts by Internet worms, and network scanning. In this paper, we examine the effects of the scope and locality of network telescopes on accurate measurement of both pandemic incidents (the spread of an Internet worm) and endemic incidents (denial-of-service attacks) on the Internet. In particular, we study the relationship between the size of the network telescope and its ability to detect network events, characterize its precision in determining event duration and rate, and discuss practical considerations in the deployment of network telescopes. I. INTRODUCTION Data collection on the Internet today is a formidable task. It is either impractical or impossible to collect data in enough locations to construct a global view of this dynamic, amorphous system. Over the last three years, a new measurement approach – network telescopes [1] – has emerged as the predominant mechanism for quantifying Internet- wide security phenomena such as denial-of-service attacks and network worms. Traditional network telescopes infer remote network behavior and events in an entirely passive manner by examining spurious traffic arriving for non-existent hosts at a third-party network. While network telescopes have been used in observing anomalous behavior and probing [2], [3], [4], to infer distant denial-of-service attacks [5], [6], and to track Internet worms [7], [8], [9], [10], [11], to date there has been no systematic analysis of the extent to which information collected locally accurately portrays global events.
    [Show full text]
  • UNIVERSITY of CALIFORNIA, SAN DIEGO Leveraging Internet
    UNIVERSITY OF CALIFORNIA, SAN DIEGO Leveraging Internet Background Radiation for Opportunistic Network Analysis A dissertation submitted in partial satisfaction of the requirements for the degree of Doctor of Philosophy in Computer Science by Karyn Benson Committee in charge: kc claffy, Chair Alex C. Snoeren, Co-Chair Alberto Daniotti George Papen Stefan Savage Geoffrey M. Voelker 2016 Copyright Karyn Benson, 2016 All rights reserved. The Dissertation of Karyn Benson is approved and is acceptable in qual- ity and form for publication on microfilm and electronically: Co-Chair Chair University of California, San Diego 2016 iii TABLE OF CONTENTS Signature Page ........................................................ iii Table of Contents ..................................................... iv List of Figures ........................................................ viii List of Tables ......................................................... xi Acknowledgements .................................................... xiii Vita ................................................................. xviii Abstract of the Dissertation ............................................. xx Chapter 1 Introduction ............................................... 1 1.1 IBR Datasets ................................................. 6 1.2 Contributions ................................................. 6 1.3 Organization .................................................. 8 Chapter 2 Related work .............................................. 10 2.1 Outcomes when using
    [Show full text]
  • Network Telescopes: the Flocon Files
    Network Telescopes: Flocon Stream of Conciousness The FloCon Files • There are "reseachers" seriously interested in pieces of operational problems. – anomaly detection, early worm detection – flow aggregation, line-speed summarization – distributed data collection – modeling of "normal" traffic • However, they can really use your help to understand the David Moore, Colleen Shannon questions you currently ask and what you'd like to ask, but can't now. {dmoore,cshannon}@caida.org University California, San Diego – Department of Computer Science www.caida.org UCSD CSE UCSD CSE COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS What is CAIDA? Current Project Areas • Cooperative Association for Internet Data Analysis • Routing topology and behavior • Passive monitoring and workload characterization • Goals include measuring and understanding the global • Internet Measurement Data Catalog Internet. • Bandwidth estimation • Develop measurement and analysis tools • Flow collection and efficient aggregation • Security: DoS and Internet worms, syslog/SSH • Collect and provide Internet data: topology, header traces, • DNS performance and anomalies bandwidth testlab, network security, DNS • Visualization • Visualization of the network • P2P traffic detection and modelling University California, San Diego – Department of Computer Science University California, San Diego – Department of Computer Science UCSD CSE COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS UCSD CSE COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS 1 Tools What is a "Network
    [Show full text]
  • An Internet-Wide View of ICS Devices
    Author copy. Accepted for publication. Do not redistribute. An Internet-Wide View of ICS Devices Ariana Mirian† Zane Ma‡ David Adrian† Matthew Tischer‡ Thasphon Chuenchujit‡ Tim Yardley‡ Robin Berthier‡ Joshua Mason‡ Zakir Durumeric†‡ J. Alex Halderman† Michael Bailey‡ † University of Michigan ‡ University of Illinois at Urbana-Champaign Abstract—Industrial control systems have become ubiquitous, environmental systems in industries ranging from hotels and enabling the remote, electronic control of physical equipment and airports to water treatment plants and government buildings. sensors. Originally designed to operate on closed networks, the Next, we investigate who is scanning for vulnerable industrial protocols used by these devices have no built-in security. However, despite this, an alarming number of systems are connected to control systems by analyzing the traffic received by a large net- the public Internet and an attacker who finds a device often work telescope containing roughly one million IPv4 addresses can cause catastrophic damage to physical infrastructure. We in August 2015 and launching high-interaction ICS honeypots consider two aspects of ICS security in this work: (1) what devices to observe what commands actors run against systems they find. have been inadvertently exposed on the public Internet, and (2) Unique from previous work on Internet-wide scanning [17], we who is searching for vulnerable systems. First, we implement five common SCADA protocols in ZMap and conduct a survey find that only a small handful of organizations are performing of the public IPv4 address space finding more than 60 K publicly regular scans—over 98% of SCADA traffic originates from accessible systems. Second, we use a large network telescope and ten organizations that are primarily scanning for Modbus high-interaction honeypots to find and profile actors searching and BACnet devices.
    [Show full text]
  • Network Telescope Frédéric Beck, Olivier Festor, Radu State
    High Security Laboratory - Network Telescope Frédéric Beck, Olivier Festor, Radu State To cite this version: Frédéric Beck, Olivier Festor, Radu State. High Security Laboratory - Network Telescope. [Technical Report] 2008. inria-00337568 HAL Id: inria-00337568 https://hal.inria.fr/inria-00337568 Submitted on 7 Nov 2008 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. INSTITUT NATIONAL DE RECHERCHE EN INFORMATIQUE ET EN AUTOMATIQUE High Security Laboratory - Network Telescope Fr´ed´eric Beck, Olivier Festor and Radu State N° 9999 March 2007 Theme` COM High Security Laboratory - Network Telescope Fr´ed´eric Beck, Olivier Festor and Radu State Th`eme COM — Syst`emes communicants Projet MADYNES Rapport technique n° 9999 — March 2007 — 219 pages Abstract: Key-words: security, network, telescope, malware Unit´ede recherche INRIA Lorraine LORIA, Technopˆole de Nancy-Brabois, Campus scientifique, 615, rue du Jardin Botanique, BP 101, 54602 Villers-L`es-Nancy (France) Laboratoire de Haute S´ecurit´een Informatique - T´el´escope R´eseau R´esum´e: Mots-cl´es : s´ecurit´e, r´eseau, t´el´escope, malware LHSI - Network Telescope 3 Contents 1 Introduction 6 2 LHSI 7 2.1 Requirements ...................................
    [Show full text]
  • Visual Analysis of Network Traffic – Interactive Monitoring, Detection
    Visual Analysis of Network Traffic – Interactive Monitoring, Detection, and Interpretation of Security Threats Dissertation zur Erlangung des akademischen Grades des Doktors der Naturwissenschaften an der Universitat¨ Konstanz im Fachbereich Informatik und Informationswissenschaft Universität Konstanz Universität Konstanz vorgelegt von Florian Mansmann Universität Konstanz Abstract The Internet has become a dangerous place: malicious code gets spread on personal comput- ers across the world, creating botnets ready to attack the network infrastructure at any time. Monitoring network traffic and keeping track of the vast number of security incidents or other anomalies in the network are challenging tasks. While monitoring and intrusion detection systems are widely used to collect operational data in real-time, attempts to manually analyze their output at a fine-granular level are often tedious, require exhaustive human resources, or completely fail to provide the necessary insight due to the complexity and the volume of the underlying data. This dissertation represents an effort to complement automatic monitoring and intrusion detection systems with visual exploration interfaces that empower human analysts to gain deeper insight into large, complex, and dynamically changing data sets. In this context, one key aspect of visual analysis is the refinement of existing visualization methods to improve their scalability with respect to a) data volume, b) visual limitations of computer screens, and c) human perception capacities. In addition to that, developmet of innovative visualization metaphors for viewing network data is a further key aspect of this thesis. In particular, this dissertation deals with scalable visualization techniques for detailed anal- ysis of large network time series. By grouping time series according to their logical intervals in pixel visualizations and by coloring them for better discrimination, our methods enable accurate comparisons of temporal aspects in network security data sets.
    [Show full text]
  • Analyzing Network Traffic from a Class B Darknet
    Kevin Chen, Jennifer Tu, Alex Vandiver Analyzing Network Traffic from a Class B Darknet December 9, 2004 [email protected] Kevin Chen, Jennifer Tu, Alex Vandiver [email protected] December 9, 2004 Analyzing Network Traffic from a Class B Darknet Contents 1 Introduction 4 2 Prior work 4 3 Goals 5 4 Methods 5 4.1 Networkarchitecture.. .. .. .. .. .. .. .. ....... 5 4.2 Hardwareandkernel ............................... ..... 6 4.3 Packetcapture ................................... .... 6 5 Tools review 6 5.1 Snort........................................... 6 5.2 ACID ............................................ 7 5.3 CoralReef ....................................... ... 7 5.4 ntop ............................................ 8 5.5 Argus ........................................... 8 5.6 Othertools ...................................... ... 8 6 Results 9 6.1 Basicstatistics ................................. ...... 9 6.2 Analysis........................................ 10 6.3 Perlscripts ..................................... 12 7 Future work 13 8 Conclusion 13 2 Kevin Chen, Jennifer Tu, Alex Vandiver [email protected] December 9, 2004 Analyzing Network Traffic from a Class B Darknet 9 Acknowledgements 13 List of Tables 1 Top 10 TCP and UDP ports, by number of packets . ...... 10 2 Other well-known commonly attacked ports . ......... 10 3 Hosts generating the most requests on UDP port 137, NetBIOS ............ 12 List of Figures 1 TCP activity, broken down by destination host and port . ............ 9 2 DailyvariationsinICMPtraffic. ...... 11 3 Average weekly traffic patterns show a clear event at 11:30am EST.......... 11 4 Diagonal patterns in port and host attack patterns are indications of a poor ran- domizeratwork ...................................... 11 3 Kevin Chen, Jennifer Tu, Alex Vandiver [email protected] December 9, 2004 Analyzing Network Traffic from a Class B Darknet 1 Introduction Darknets are “a portion of routed, allocated IP space in which no active services or servers reside.”[2] They are dark because packets go in but nothing comes out.
    [Show full text]
  • Detecting Pandemic and Endemic Incidents Through Network Telescopes: Security Analysis
    Detecting Pandemic and Endemic Incidents through Network Telescopes: Security Analysis Author: Fotis Gagadis Supervisor: Dr. Stephen Wolthusen Technical Report RHUL-MA-2008-12 22 January 2008 Department of Mathematics Royal Holloway, University of London Egham, Surrey TW20 0EX, England http://www.rhul.ac.uk/mathematics/techreports Abstract Moore et al., from the C ooperative Association for I nternet Data Analysis (CAIDA), proposed in recent years another measurement and monitoring method for the network and Internet. Network Telescopes are used to detect malicious traffic events generated from Denial of Service attacks, worm infected hosts and misconfiguration. This report is focused on endemic and pandemic incidents (DoS, Worm) and how these incidents observed through different Darknet topologies and statistical models. Furthermore, network telescopes effectiveness will be examined for broader understanding and eval- uation. Acknowledgments The MSc Thesis is dedicated to my mother, who without her help, support and great efforts I would not succeed up till now. Moreover, I would like to thank one more person who is very important to my life (right now at least :-( ), Haru Yoshimoto. Thank you very much for your kindness, support, love, affection and efforts all these months. I hope your dreams become true. This project would not become true without you. Thank you. Furthermore, I would like to thank all my friends and relatives for their support Dimitris Koukas (or else the Boss), Spiros Pappas, Kostas Ntasiotis (or else Remali), Gaven Watson (the Dr.), Chris McLaughlin (thanks for everything mate), Akis Telis (my cousin), Alex Makropoulos, Eftichis Tsikouras, Panos Elliopoulos and to all the friends that I forgot(sorry is 5 a.m.
    [Show full text]
  • Selected NSF Investments in Research Infrastructure NSF’S Investments in Equipment, Facilities, Shared Cyberinfrastructure and Centers Ensure That the U.S
    SELECTED INVESTMENTS TeraShake is the largest and most detailed simulation of ground motion during a major earthquake along the San Andreas Fault in southern California. Researchers used the 10 terafl ops DataStar supercomputer and large-scale data resources of the San Diego Supercomputer Center (SDSC) at the University of California, San Diego to produce the simulation. The center is a partner site in the TeraGrid. TeraShake is a vivid example of cyberinfrastructure’s ability to advance science and engineering. Credit: Marcus Thiebaux, Information Sciences Institute, USC Selected NSF Investments in Research Infrastructure NSF’s investments in equipment, facilities, shared cyberinfrastructure and centers ensure that the U.S. maintains a world-class science and engineering research infrastructure that is second to none. Th e scale of what we support ranges from small and mid-size instruments in the laboratories of U.S. academic institutions to unique national centers and multiuser facilities to global computer- sensor-communication networks and international partnerships that build and operate state-of-the- art equipment, facilities and experimental tools. Th e following are examples of NSF investments in research infrastructure (including leading-edge facilities in planning or under construction) and the research they enable, organized by broad theme areas. Th ese examples are representative of the investments made by NSF in research infrastructure, but they are not intended to serve as a complete list of everything we support. Many of the agency’s smaller awards are omitted. Also, NSF is making new awards on a continuous basis. A more comprehensive (but still not complete) list of NSF research infrastructure investments is found in Appendix I.
    [Show full text]
  • NSF-Supported Research Infrastructure
    On the cover: a collage illustrating NSF-supported research infrastructure. Top row, from left to right: Ranger, the new high performance computing system at the Texas Advanced Computing Center at the University of Texas at Austin; the National High Magnetic Field Laboratory’s 45 tesla hybrid magnet; and the fi rst commercial prototype of a super-resolution optical microscope based on structured illumination, installed at the Center for Biophotonics Science and Technology at the University of California, Davis; middle row: the Tsunami Wave Basin at Oregon State University; a visualization of a protein from the Protein Data Bank, shown on a confi gurable wall for projecting images at the California Institute for Telecommunications and Information Technology at the University of California, San Diego; and the Amundsen-Scott South Pole Station with the ceremonial South Pole in the foreground; bottom row: researchers in the Arkansas Nanoscience Program using scanning probe microscopy; the High-Performance Instrumented Airborne Platform for Environmental Research (HIAPER), the nation’s most advanced aircraft for environmental research; and an artist’s conception of the Atacama Large Millimeter Array (ALMA), the giant international observatory under construction in the Atacama Desert in northern Chile. Credit: Top row, from left to right: TACC, The University of Texas at Austin; Florida State University; Thomas Huser, Center for Biophotonics Science and Technology, University of California, Davis. Middle row: College of Engineering, Oregon State
    [Show full text]