
Mapping Internet Sensors with Probe Response Attacks

This paper presents an attack technique called "Probe Response" that can determine the location of publicly displayed internet sensors. The paper discusses the motivation for the attack, provides a case study on the SANS Internet Storm Center, and suggests countermeasures and weaknesses. The paper concludes with suggestions for developing a non-adaptive approach and more effective countermeasures.


Presentation Transcript


  1. Mapping Internet Sensors with Probe Response Attacks
     Authors: John Bethencourt, Jason Franklin, Mary Vernon
     Published at: USENIX Security Symposium, 2005
     Presented by: Anvita Priyam

  2. Internet Sensor Networks
     • Used as a tool to detect malicious internet traffic, e.g. honeypots, log analysis centers
     • They publish public reports without disclosing sensor locations.
     • Maintaining sensor anonymity is critical.

  3. Overview
     • Central idea
     • Internet Storm Center (ISC) background
     • Probe response attack
     • Countermeasures
     • Weaknesses
     • Suggestions

  4. Central Idea
     • This paper presents an attack technique, "Probe Response".
     • It is capable of determining the location of internet sensors that publicly display statistics.
     • It uses the SANS Internet Storm Center as a case study.

  5. Motivation for Attack
     • Focus is on internet sensors that enable collaborative intrusion detection through a wide-area perspective of the internet.
     [Figure: log sources feeding a central statistics repository]

  6. Case Study: The SANS Internet Storm Center (ISC)
     • System that collects data from internet sensors and publishes public reports.
     • It analyzes and aggregates this information and automatically publishes several types of reports.
     • These reports are useful in detecting new worms and blacklisting hosts controlled by malicious users.

  7. Port Report
     • Attacks are primarily concerned with port reports.
     • For each port the report gives three statistics:
       > Number of reports: total entries in the log
       > Number of sources: distinct source IP addresses with the given port
       > Number of targets: distinct destination IP addresses

  8. Example

  9. Probe Response Attack: The Big Picture
     • Core idea: probe an IP address with activity that will be reported to the ISC.
     [Flowchart: the attacker sends packets to an address and then checks the reports. If the activity is reported, the host is submitting logs to the ISC, i.e. it is monitored; otherwise look at the next IP address.]

  10. Basic Probe Response Algorithm
     • Consists of two stages
     • First stage
       > Begins with an ordered list of IP addresses (0, 1, 2, ...) to check.
       > All invalid or unroutable addresses are filtered out.
       > SYN packets are sent on port Pi to each address in interval Si.

  11. First Stage (cont'd)
     • Wait for 2 hours and retrieve the port report
     • Intervals lacking activity are discarded
     • Remaining intervals are sent to the 2nd stage with the number of monitored addresses in each

  12. Second Stage
     • Repeats until the attack is complete
     • Distribute the ports among the remaining intervals
     • Divide each interval into subintervals
     • Send packets to every subinterval except the last

  13. Second Stage (cont'd)
     • For each subinterval of a remaining interval we retrieve the report
     • Number in the last subinterval = total in that interval minus the number in the other subintervals
     • Empty subintervals are discarded
     • Remaining subintervals are the new set of remaining intervals
     • Continue to divide until only monitored or unmonitored addresses are left

  14. Example

  15. Dealing with Noise
     • Sources other than the attacker may be sending packets to a monitored address with the same destination ports
     • This increases the number of targets reported
     • Causes the algorithm to produce both false positives and false negatives
     • However, for a large number of ports this is low.
     • Use a report noise cancellation factor: send a multiple number of packets and, while reviewing the reports, divide by the same factor
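To make the two stages on slides 10 to 15 concrete, here is an added simulation that is not code from the paper or from the presentation. It replaces the ISC port report with an in-memory counting oracle over a synthetic address space and sends no traffic; the function names (`simulate_probe_response`, `split`), the single-stray-entry noise model and the `stray_prob` / `noise_cancel` parameters are this example's own assumptions. It is the kind of model a sensor operator can use to estimate how many report windows and probe packets an adversary of the described sort would need, and to see why a report whose count is the floor of entries over the cancellation factor is immune to one stray entry per port while an uncancelled one is not.

```python
import random


def split(lo, hi, k):
    """Cut [lo, hi) into k near-equal subintervals, returned as (lo, hi) pairs."""
    bounds = [lo + (hi - lo) * j // k for j in range(k + 1)]
    return [(bounds[j], bounds[j + 1]) for j in range(k)]


def simulate_probe_response(space_size, monitored, ports_per_round,
                            noise_cancel=1, stray_prob=0.0, seed=0):
    """Two-stage interval search of slides 10-15, run entirely in memory.

    monitored       -- hidden set of 'sensor' addresses the model tries to recover
    ports_per_round -- distinct ports (hence intervals) that fit in one report window
    noise_cancel    -- report noise cancellation factor: noise_cancel packets per
                       address, reported count floor-divided by the same factor
    stray_prob      -- probability that unrelated traffic adds one stray entry
                       to a port's count (a simplifying assumption of this model)
    Returns (recovered_set, report_rounds, packets_modelled).
    """
    rng = random.Random(seed)
    monitored = set(monitored)
    packets = 0

    def reported_count(lo, hi):
        # Synthetic port report for one port: every probed monitored address
        # contributes noise_cancel entries; stray traffic may add one more.
        nonlocal packets
        packets += (hi - lo) * noise_cancel
        hits = sum(1 for a in range(lo, hi) if a in monitored)
        stray = 1 if rng.random() < stray_prob else 0
        return (hits * noise_cancel + stray) // noise_cancel

    # Stage 1: one port per top-level interval; keep intervals showing activity.
    rounds = 1
    pending = []
    for lo, hi in split(0, space_size, ports_per_round):
        c = reported_count(lo, hi)
        if c > 0:
            pending.append((lo, hi, c))

    found = set()
    while True:
        # An interval whose count covers every address (size 1 included) is resolved.
        unresolved = []
        for lo, hi, c in pending:
            if c >= hi - lo:
                found.update(range(lo, hi))
            else:
                unresolved.append((lo, hi, c))
        if not unresolved:
            break
        # Stage 2 round: distribute the ports among the intervals still open;
        # intervals that do not get a port this round wait for the next one.
        rounds += 1
        active = unresolved[:ports_per_round]
        pending = unresolved[ports_per_round:]
        ports_each = ports_per_round // len(active)
        for lo, hi, c in active:
            subs = split(lo, hi, min(ports_each + 1, hi - lo))
            remaining = c
            for j, (slo, shi) in enumerate(subs):
                if j < len(subs) - 1:
                    cnt = reported_count(slo, shi)   # probed on its own port
                    remaining -= cnt
                else:
                    cnt = remaining                   # last one inferred, no probes
                if cnt > 0:                           # empty subintervals are discarded
                    pending.append((slo, shi, cnt))
    return found, rounds, packets


if __name__ == "__main__":
    hidden = {3, 100, 101, 700, 1023}                  # constructed sensor set
    for factor, stray in ((1, 0.0), (1, 1.0), (2, 1.0)):
        got, rounds, pk = simulate_probe_response(1024, hidden, 16, factor, stray)
        print(f"factor={factor} stray={stray}: rounds={rounds} packets={pk} "
              f"false_pos={len(got - hidden)} false_neg={len(hidden - got)}")
```

With no stray traffic the search recovers the hidden set exactly; with one stray entry on every port and no cancellation it produces both false positives and false negatives, as slide 15 states, and the floor division with a factor of 2 removes that single stray entry completely. The `packets` and `rounds` figures are what a countermeasure has to inflate to make the search impractical.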

  16. Simulation of Attack
     • First scenario: determine the exact set of monitored addresses (accurate but time consuming)
     • Second scenario: finding a superset and a subset of the monitored addresses
     • Use three different attackers
       > T1: 1.544 Mbps upload bandwidth
       > T3: 38.4 Mbps upload bandwidth
       > OC6: 384 Mbps upload bandwidth

  17. Results

  18. Results

  19. Results

  20. Finding a Superset
     • Maximum false positive rate = 0.94
     • Report noise cancellation factor = 4
     • Runtime of the attack is reduced from 112 to 78 hours
     • Accepts around 3.5 million false positives, which had little effect on the number of probes

  21. Finding a Subset
     • Maximum false negative rate = 0.001
     • Report noise cancellation factor = 2
     • Reduces the runtime from 33 days and 17 hours to 15 days and 18 hours
     • Reduces the number of probes sent from 9.5 billion to 4.4 billion
     • But misses 26% of the sensors

  22. Countermeasures
     • Hashing: some or all of the fields
     • Encryption: encrypting a field with a key that is not publicly available
     • Private reports: limit the information in the reports
     • Query limiting: limit the rate at which they can be downloaded
     • Sampling: sample the incoming logs for analysis before generating reports
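The following added example, which is not code from the ISC, the paper or the presentation, builds the three per-port statistics of slide 7 from a constructed batch of sensor log entries and then applies two of the countermeasures listed above on the report side: a "private report" floor that hides ports whose target count is too small to be distinguished from a single probed address, and per-entry random sampling of the incoming logs. The log tuple layout, the function names (`build_port_report`, `suppress_low_counts`, `sample_logs`) and the choice of the target count as the thresholded field are this example's assumptions; the point it shows is that the probe-like entry on a quiet port is plainly visible in the full report and disappears once a floor is applied.

```python
import random
from collections import defaultdict

# Constructed sample of sensor log submissions: (source_ip, target_ip, dest_port).
SAMPLE_LOGS = [
    ("198.51.100.7", "203.0.113.10", 445),
    ("198.51.100.7", "203.0.113.11", 445),
    ("198.51.100.9", "203.0.113.10", 445),
    ("198.51.100.20", "203.0.113.12", 445),
    ("198.51.100.21", "203.0.113.13", 22),
    ("198.51.100.22", "203.0.113.13", 22),
    ("198.51.100.40", "203.0.113.50", 12345),  # single probe-like entry on a quiet port
]


def build_port_report(logs):
    """Per-port statistics in the slide 7 shape: reports, distinct sources, distinct targets."""
    entries = defaultdict(int)
    sources = defaultdict(set)
    targets = defaultdict(set)
    for src, dst, port in logs:
        entries[port] += 1
        sources[port].add(src)
        targets[port].add(dst)
    return {p: {"reports": entries[p],
                "sources": len(sources[p]),
                "targets": len(targets[p])} for p in entries}


def suppress_low_counts(report, floor):
    """'Private report' limiting: publish a port only when its distinct-target count
    reaches the floor, so one probed address cannot be told apart from an idle port."""
    return {p: s for p, s in report.items() if s["targets"] >= floor}


def sample_logs(logs, rate, seed=None):
    """Sampling before report generation: keep each entry independently with
    probability `rate`, so whether a given packet shows up is not under the
    sender's control. The seed parameter only makes this example reproducible."""
    rng = random.Random(seed)
    return [entry for entry in logs if rng.random() < rate]


if __name__ == "__main__":
    full = build_port_report(SAMPLE_LOGS)
    print("full report:      ", full)
    print("floor of 2 targets:", suppress_low_counts(full, 2))
    print("sampled at 50%:   ", build_port_report(sample_logs(SAMPLE_LOGS, 0.5, seed=1)))
```

Sampling alone only thins the counts, and the slides' own conclusion is that the listed countermeasures are not very effective; the floor at least removes the one-target signal that the interval search on slides 12 and 13 relies on, at the price of hiding genuinely quiet ports from legitimate readers.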

  23. Weaknesses
     • Uses an adaptive probe response algorithm, as each round depends on the result of the previous one
     • The countermeasures suggested are not very effective

  24. Suggestions
     • Developing and evaluating a non-adaptive approach
     • Come up with a more effective countermeasure
