Characteristics of Internet Background Radiation
ACM Internet Measurement Conference (IMC), 2004
Authors: Ruoming Pang, Vinod Yegneswaran, Paul Barford, Vern Paxson, Larry Peterson
Presenter: Tai Do
CDA6938
UCF, Spring 2007
Introduction
• Background Radiation:
– Traffic sent to unused addresses.
– Nonproductive traffic: malicious (flooding backscatter, hostile scans, spam) or benign (misconfigurations).
– Pervasive nature (hence “background”).
Backscatter
Source: [MVS01]
Introduction
• Goals of Characterization:
– What is all this nonproductive traffic trying to do?
– How can we filter it out to detect new types of malicious activity?
Outline
• Introduction
• Measurement Methodology
– Filtering
– Responders
– Experimental Setup
• Data Analysis
• Concluding Remarks
Measurement Methodology (Filtering)
• Enormous volume of data:
– 30,000 packets/sec of background radiation on a Class A network.
• Source-Destination Filtering:
– Assumption: each background radiation source shows the same degree of affinity to every monitored IP address.
– For each source, keep the connections to N destinations.
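The source-destination filter described on this slide, as an added illustration (not code from the paper or its iSink/LBL Sink implementations): per source, only connections to the first N distinct destinations are kept; later destinations are dropped on the assumption that the source behaves the same way toward every monitored address. The packet records are constructed sample values.

```python
from collections import defaultdict

# Constructed packet records: (timestamp, src, dst, dport).
# Illustrative only; not taken from the paper's traces.
PACKETS = [
    (1.0, "10.0.0.1", "192.0.2.1", 445),
    (1.1, "10.0.0.1", "192.0.2.2", 445),
    (1.2, "10.0.0.1", "192.0.2.3", 445),   # 3rd distinct destination
    (1.3, "10.0.0.1", "192.0.2.1", 445),   # repeat to an already-kept destination
    (1.4, "10.0.0.1", "192.0.2.4", 445),   # 4th distinct destination
    (2.0, "10.0.0.2", "192.0.2.9", 80),
]


def source_destination_filter(packets, n):
    """Keep, per source, only packets sent to the first n distinct destinations.

    Packets to a destination that the source already contacted (and that was
    kept) are retained, so a kept source-destination pair stays complete and a
    responder can still hold a full conversation with it.
    Returns (kept_packets, dropped_count).
    """
    first_dests = defaultdict(set)   # src -> destinations admitted so far
    kept, dropped = [], 0
    for pkt in packets:
        _, src, dst, _ = pkt
        dests = first_dests[src]
        if dst not in dests:
            if len(dests) >= n:
                dropped += 1          # beyond the per-source budget: discard
                continue
            dests.add(dst)
        kept.append(pkt)
    return kept, dropped


def reduction_ratio(packets, n):
    """Fraction of packets removed by the filter for a given n."""
    _, dropped = source_destination_filter(packets, n)
    return dropped / len(packets) if packets else 0.0
```

Sweeping n on a trace gives the volume/coverage trade-off the filter makes; a small n keeps the data manageable but, as the limitations slide notes, hides sources that vary their behaviour per destination.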
Measurement Methodology (Active Responders)
• Why Active Responders?
– Elicit further activity from scanners.
– Differentiate between types of background radiation.
• Stateless Responder: based on Active Sink.
• Stateful Responder: based on Honeyd.
Measurement Methodology (Application-Level Responders)
• Data-driven:
– Which responders to build is decided by the observed traffic volumes.
• Application-level Responders:
– Must not only adhere to the structure of the underlying protocol, but also know what to say.
• New types of activity emerge over time, so responders also need to evolve.
• To what degree can the development of responders be automated?
Measurement Methodology (Application-Level Responders)
• Responders developed for:
– HTTP (port 80)
– NetBIOS (port 137/139)
– CIFS/SMB (port 139/445)
– DCE/RPC [10] (port 135/1025 and CIFS named pipes)
– Dameware (port 6129)
– Backdoors installed by MyDoom (port 3127) and Beagle (port 2745)
Measurement Methodology (Experimental Setup)
• Two different systems: iSink and LBL Sink.
• Traces collected from three sites:
– Class A network (large)
– UW campus (medium)
– Lawrence Berkeley Lab (LBL) (small)
• Same forms of application response.
• Different underlying mechanisms.
• Support two kinds of data analysis:
– Passive analysis: no filter, no responder
– Active analysis: with filter and responder
Experimental Setup: iSink
Experimental Setup: LBL Sink
Outline
• Introduction
• Measurement Methodology
• Data Analysis
– Passive Analysis
– Active Analysis
• Activities in Background Radiation
• Characteristics of Sources
• Concluding Remarks
Passive Measurement: Traffic Composition
• What is the type and volume of observed traffic without actively responding to any packet?
• Findings:
– TCP dominates in all three networks (compared to ICMP and UDP).
– TCP/SYN packets constitute a significant portion of the background radiation traffic.
– A small number of ports are the targets of a majority of TCP/SYN packets.
Activities in Background Radiation
• Study the dominant activities on the popular ports.
• Traffic is divided by port:
– Consider all connections between a source-destination pair on a given destination port.
• Background radiation concentrates on a small number of ports:
– Only look at the most popular ports.
– Many popular ports are also used by normal traffic, so activities are distinguished at the application semantic level.
• Investigate 12 ports.
TCP Port 80 (HTTP)
• Targeted at Microsoft IIS servers.
• The dominant activity is a WebDAV buffer-overrun exploit.
TCP Port 80 (HTTP): Port 80 Activities
Characteristics of Sources
• Study background radiation activities coming from the same source IP (activity vector).
• Activity vector in three dimensions:
– Across ports
– Across destination networks
– Over time
• Caveat:
– DHCP: hosts might be assigned different addresses over time.
Sources Across Ports
• Activities across ports may give a better picture of a source’s goals.
Agobot Sources: UW 1
Sources Across Ports
• Top two exploits are extensively observed across all 4 networks.
Sources Seen Over Time
• Witty did not persist over a month: it deliberately damages its host.
• Blaster’s grip on hosts is quite tenacious.
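An added illustration (not the paper's analysis code) of the per-source activity vector from the Characteristics of Sources slides: each source is summarised along the three dimensions named there (ports, destination networks, days seen), which is enough to ask whether a source is multi-port and how long it persists, as in the Witty/Blaster comparison above. Connection records and the two monitored prefixes are constructed sample values, and the DHCP caveat applies to any such per-address summary.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed connection records: (day, src, dst, dport). Illustrative only;
# not the Class A, UW or LBL traces used in the paper.
CONNECTIONS = [
    (1, "203.0.113.5", "192.0.2.10", 135),
    (1, "203.0.113.5", "198.51.100.4", 445),
    (2, "203.0.113.5", "192.0.2.11", 135),
    (9, "203.0.113.5", "192.0.2.12", 135),
    (1, "203.0.113.7", "192.0.2.20", 4000),
    (1, "203.0.113.7", "198.51.100.8", 4000),
]

# Constructed stand-ins for the monitored networks, used to bucket destinations.
MONITORED = {"net-large": ip_network("192.0.2.0/24"),
             "net-medium": ip_network("198.51.100.0/24")}


def dest_network(dst):
    """Name of the monitored network containing dst, or 'other'."""
    addr = ip_address(dst)
    for name, net in MONITORED.items():
        if addr in net:
            return name
    return "other"


def activity_vectors(conns):
    """src -> {'ports', 'networks', 'days'}: the three dimensions of the slide."""
    vec = defaultdict(lambda: {"ports": set(), "networks": set(), "days": set()})
    for day, src, dst, dport in conns:
        v = vec[src]
        v["ports"].add(dport)
        v["networks"].add(dest_network(dst))
        v["days"].add(day)
    return dict(vec)


def lifetime_days(entry):
    """Span from first to last day seen. A DHCP host that changes address
    appears as several short-lived sources rather than one long-lived one."""
    return max(entry["days"]) - min(entry["days"]) + 1


def multi_port_sources(vecs):
    """Sources whose activity spans more than one destination port."""
    return sorted(src for src, v in vecs.items() if len(v["ports"]) > 1)
```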
Outline
• Introduction
• Measurement Methodology
• Data Analysis
• Concluding Remarks
Strengths of the paper
• First attempt to characterize background radiation.
• Good Measurement Methodology:
– Effective filtering technique.
– Detailed set of active responders for popular ports.
• Meaningful Data Analysis:
– Passive Analysis: activities concentrate on a few popular ports.
– Active Analysis: extreme dynamism in many aspects of background radiation.
Limitations of the paper
• The filtering could be biased:
– It assumes the same kind of activity towards all destination IP addresses.
– It fails to capture multi-vector worms that pick one exploit per IP address.
• The DHCP problem makes the source IP address less accurate as a source identity.
• To what extent can the development of application-level responders be automated?
Thank you.
Questions?
References
• [Barford2004] Paul Barford. Trends in Internet Measurement. PPT from U. of Wisconsin, Fall 2004.
• [MVS01] Moore, Geoffrey M. Voelker, and Stefan Savage. Inferring Internet Denial-of-Service Activity. In Proceedings of the 10th USENIX Security Symposium, pages 9–22. USENIX, August 2001.
Some jargon
• Named pipe: supports inter-process communication. FIFO. System-persistent.
• CIFS: Common Interface File System.
• DCE/RPC: Distributed Computing Environment / Remote Procedure Call
• SAMR: Security Account Manager Remote service
• srvsvc: server service
• msmsgri32.exe: ???
• SMB:
• Autorooter: similar to worms, but without self-propagation