Network Measurements: Unused IP address space traffic analysis at SSSUP Campus Network
Francesco Paolucci, Piero Castoldi
Research Unit at Scuola Superiore Sant’Anna, Pisa, Italy
Italy-Tunisia Research Project sponsored by MIUR under FIRB International program
1st year plenary meeting, Tunis, March 29, 2007
Unused address space traffic
Dumping Internet traffic sent to unused IP address space can give information about attacks towards the target subnetwork.
Since there is no legitimate reason for a host to send packets to those destinations, such traffic provides strong evidence of malicious activity including DDoS backscatter, port scanning, and probe activity from active worms.
Useful Tools
Two kinds of tools acquire information about unused-space traffic:
• Network telescopes
– They work by monitoring traffic sent to communication dead-ends such as unallocated portions of the IP address space.
– They can potentially provide early warning of a scanning-worm outbreak, and can yield excellent forensic information.
• Honeypots
– They are closely monitored network decoys serving several purposes.
– They can distract adversaries from more valuable machines on a network.
– They allow in-depth examination of adversaries during and after exploitation of a honeypot.
When coupled with honeypots, telescopes can be used to interact with potentially malicious traffic in order to determine the intent behind the traffic, including particular vulnerabilities being exploited and follow-on activity after a compromise succeeds.
SSSUP Unused traffic dumping
Scuola Superiore Sant’Anna Campus Network
• 8 different sites in Pisa and Pontedera
• Average incoming traffic: 25 Mbit/s
• 4 class-C networks
• Total IP address space = 1016
• Utilized IP address space = 162 (16%)
NETWORK SNIFFER & ANALYZER
Measurements Tools
• Linux Box PC equipped with high performance INTEL Network Interface Card
• Sniffer: Dumpcap (Wireshark Suite)
• Analyzer and offline filtering: Tshark & Wireshark
• Dumping point: last switch before the GARR network (no NAT, no firewall in between).
Dumping methodology
• Only incoming traffic is traced
• 1-hour-long dumps twice a day for a week
– Most anomalous activities last less than 1 hour
– Day-time and night-time traces give indications about high and low human user traffic characteristics
• Light online filtering
• Complex offline filtering (entire IP address space set filter)
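As an added example (not part of the deck), the offline "entire IP address space set filter" step can be generated with Python's ipaddress module: the unused space is the campus /24s minus the hosts known to be in use, collapsed into CIDR blocks and rendered as a tshark display filter and a dumpcap capture filter. The four networks and the used-host list below are constructed stand-ins; the deck does not give the real addresses.

```python
import ipaddress

# Constructed stand-in for the campus's four class-C networks (the deck does not
# give the real prefixes): three RFC 5737 documentation ranges plus one RFC 1918 block.
CAMPUS_NETS = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24", "10.9.8.0/24"]
# Constructed list of addresses assigned to real hosts (the "utilized" space).
USED_HOSTS = ["192.0.2.1", "192.0.2.10", "192.0.2.11", "198.51.100.1",
              "203.0.113.1", "203.0.113.2", "10.9.8.1", "10.9.8.254"]


def unused_blocks(nets, used):
    """Return the unused address space as a minimal list of CIDR blocks.
    Network and broadcast addresses are not counted as usable, matching the
    slide's 4 x 254 = 1016 total."""
    used_set = {ipaddress.ip_address(a) for a in used}
    singles = [ipaddress.ip_network(f"{h}/32")
               for n in nets
               for h in ipaddress.ip_network(n).hosts()
               if h not in used_set]
    # collapse_addresses merges adjacent /32s into the fewest covering prefixes
    return list(ipaddress.collapse_addresses(singles))


def unused_count(blocks):
    """Number of unused addresses covered by the blocks."""
    return sum(b.num_addresses for b in blocks)


def display_filter(blocks):
    """Wireshark/tshark display filter for packets destined to the unused space
    (the complex offline filter of the methodology slide)."""
    return " or ".join(f"ip.dst == {b.with_prefixlen}" for b in blocks)


def capture_filter(blocks):
    """Equivalent BPF expression usable with dumpcap -f (online filtering)."""
    return " or ".join(f"dst net {b.with_prefixlen}" for b in blocks)


def is_unused_destination(dst, blocks):
    """Per-packet check used when post-processing a capture offline."""
    addr = ipaddress.ip_address(dst)
    return any(addr in b for b in blocks)
```

Collapsing matters in practice: a flat list of 850-odd `dst host` terms makes a very slow BPF program, whereas the merged prefixes stay short enough for online use.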
Global traffic results: 25 Mbit/s
[Pie chart: TCP traffic by port. Legend: High ports (P2P, Spam), HTTP (80), P2P server, Port 8080, SMTP (25), HTTPS (443), SSH (22), POP (110), Messenger (1863), FTP (21). Slice shares: 68%, 16%, 12%, 2%, 1%, 1%, 1%, 0%, 0%.]
[Pie chart: UDP traffic by port. Legend: High ports, Edonkey (4662, 4672), DNS (53), OICQ (8000), MSN (1863). Slice shares: 82%, 12%, 6%, 1%, 0%.]
TCP packets (86%), UDP packets (13%)
About 80% of the traffic is driven by peer-to-peer applications. Within high-port traffic (src and dst port > 1024) the port values are spread out, with no particular values emerging: P2P applications choose random high ports.
Unused traffic main results
• Traffic to unused addresses represents 0.2% of the total incoming packets on the whole subnet.
• 4 pkts/s, average rate 6 kbit/s
• The traffic activity profile is constant and independent of the time of day (no profile differences between day and night)
• Almost all of the traffic consists of TCP SYN or UDP spam packets
Packets statistics
Traffic protocol distribution: TCP 54%, UDP 32%, ICMP 14%
[Bar chart: Packet length distribution (%). Bins in bytes: 0-19, 20-39, 40-79, 80-159, 160-319, 320-639, 640-1279, 1280-2559; y axis 0-70%. Two bins hold 67.61% and 29.52% of the packets; the remaining bins hold at most 0.89%.]
• TCP and ICMP packets are quite short (SYN, PING = 70 bytes long)
• UDP packets are longer (500 bytes long)
Unused traffic sources
Source IP        Packets   % of total packets
193.194.89.102   9306      5%
193.205.39.28    5822      3%
74.7.94.205      4200      2.2%
193.111.95.32    4180      2.2%
12.161.101.51    3912      2%
221.209.110.8    3558      1.9%
207.176.236.7    3546      1.8%
221.209.110.13   3469      1.8%
222.28.80.5      3400      1.8%
202.97.238.200   3163      1.6%
TCP destination ports statistics
[Pie chart: TCP destination ports. Legend: MICROSOFT-DS SYN 445, EPMAP SYN 135, SSH 22, NETBIOS-SSN 139, ECHO SYN 7, POP3 110, IMAP 143, FTP 21, HTTP 80, VETTCP 78, RADMIN 4899, MS-SQL-S 1433, DOMAIN SYN 53, SMTP 25, Other. Slice shares: 54%, 18%, 5%, 3%, 2%, 2%, 2%, 2%, 2%, 1%, 1%, 1%, 0%, 0%, 7%.]
• Port 445 (Microsoft-DS: Active Directory, Windows shares; Sasser worm, Agobot, Zobot worm)
• Port 135 (EPMAP (End Point Mapper) / Microsoft RPC Locator Service; Nachi or MSBlast worms)
• Port 22 (SSH SYN)
These three ports represent more than 75% of the total TCP traffic.
UDP destination ports statistics
[Pie chart: UDP destination ports. Legend: CAP 1026, 1027, MS-SQL-M 1434, NETBIOS-NS 137, SNMP 161, Other. Slice shares: 70%, 23%, 5%, 1%, 0%, 1%.]
• Port 1026 (CAP, Calendar Access Protocol; Windows Messenger spam)
• Port 1027 (unassigned; Messenger spam)
• Port 1434 (MS-SQL; systems infected with SQL Slammer)
These three ports represent 97% of the total UDP traffic.
ICMP packets
• Type 8 (Ping request): 96%
[Pie chart: ICMP types. Legend: Ping request (type 8), TTL exceeded (type 11), DST unreachable (type 3). Slice shares: 96%, 2%, 1%.]
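An added example, not from the deck, showing how the per-protocol and per-port breakdown of the preceding slides (TCP SYN to 445/135/22, UDP to 1026/1027/1434, ICMP echo requests) can be produced from tshark field output. The sample lines are constructed to mimic `tshark -T fields` output for packets already filtered to the unused address space; the port labels are those the slides report.

```python
from collections import Counter, defaultdict

# Constructed sample in the shape of tshark field output (example data, not the deck's):
#   tshark -r unused.pcap -T fields -E separator=, \
#          -e ip.proto -e tcp.dstport -e tcp.flags -e udp.dstport -e icmp.type -e frame.len
# Fields that do not apply to a packet are printed empty.
SAMPLE = """\
6,445,0x0002,,,62
6,445,0x0002,,,62
6,135,0x0002,,,62
6,22,0x0002,,,60
6,80,0x0012,,,58
17,,,1026,,520
17,,,1027,,498
17,,,1434,,404
1,,,,8,74
1,,,,11,70
"""

# Labels for the categories the slides single out.
TCP_LABELS = {445: "microsoft-ds", 135: "epmap", 22: "ssh", 139: "netbios-ssn"}
UDP_LABELS = {1026: "cap/messenger-spam", 1027: "messenger-spam", 1434: "ms-sql-m"}
ICMP_LABELS = {8: "echo-request", 11: "ttl-exceeded", 3: "dst-unreachable"}


def classify(line):
    """Map one field line to (protocol, category, frame length in bytes)."""
    proto, tport, tflags, uport, itype, flen = line.split(",")
    if proto == "6":
        flags = int(tflags, 16)
        syn_only = bool(flags & 0x02) and not flags & 0x10   # SYN set, ACK clear
        name = TCP_LABELS.get(int(tport), "other")
        return "TCP", f"{'SYN' if syn_only else 'non-SYN'} {tport} {name}", int(flen)
    if proto == "17":
        return "UDP", f"{uport} {UDP_LABELS.get(int(uport), 'other')}", int(flen)
    if proto == "1":
        return "ICMP", f"type {itype} {ICMP_LABELS.get(int(itype), 'other')}", int(flen)
    return "OTHER", proto, int(flen)


def summarize(text):
    """Per-protocol packet share (%), mean frame length and per-category counts."""
    count, length, cats = Counter(), Counter(), defaultdict(Counter)
    for line in text.splitlines():
        proto, cat, flen = classify(line)
        count[proto] += 1
        length[proto] += flen
        cats[proto][cat] += 1
    total = sum(count.values())
    return {p: {"share": 100 * count[p] / total,
                "mean_len": length[p] / count[p],
                "categories": dict(cats[p])} for p in count}
```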
Burstiness characteristics
• Similar behaviour at day and night time
• Peaks of instantaneous 3-4 Mbit/s in 300 ms interval events (SPAM)
• Average SCAN and ICMP events of 1 kbit/s
[Plots: traffic rate over time, DAY and NIGHT panels]
Traffic burstiness sorted by protocol
Different behaviour between TCP, UDP and ICMP traffic
• TCP
– “Constant” bursts (1 packet, t_inter = 4 s, duration = 0.2 s, rate 0.4 kbit/s)
– Burst train events (event duration = 100 s, each burst lasts 0.3 s with 200 kbit/s peak rate)
• UDP
– Isolated 0.2 s long bursts with up to 3 Mbit/s peak rate (SPAM)
• ICMP
– Similar behaviour to TCP but lower peak and average rate (PING)