370 likes | 514 Views
Evaluation of Network Security. May 13, 2004 Moshe Golan Everett Anderson. Agenda. Introduction Measuring – a general problem Network Security Evaluation Discussion References. Introduction. The problem – Bell-Lab/Lumeta Internet Mapping Project. Lumena – IPSonar.
E N D
Evaluation of Network Security May 13, 2004 Moshe Golan Everett Anderson
Agenda • Introduction • Measuring – a general problem • Network Security Evaluation • Discussion • References
Lumena – IPSonar The Internet Mapping Project was started at Bell Labs in the summer of 1998. Its long-term goal is to acquire and save Internet topological data over a long period of time. This data has been used in the study of routing problems and changes, DDoS attacks, and graph theory. IPSonar inject small non-intrusive measurement packets
Some Security Questions • What fraction of all IP packets have spoofed addresses? • How many DDoS attacks occur each day? • How many compromised machines are there on the Internet? • If I installed Secure BGP at 200 chosen locations, how much better would things be?
How do we answer? • Deduce based on the evidence available • Obtain snapshots from some points in the network • Use simulation techniques • Use honeypots/honeynets to attract attacks for measurement and analysis • Install serious measurement infrastructure in the network
Network Measurements • LAN • We can perform measurements of traffic for local optimization and economics • Internet • Poorly measured • Poorly Understood • Use of sampling and statistical method • Simplified assumptions
SCAN - ISI • network fault isolation • refer to the problem of pinpointing the origin of a particular application-perceived dynamic • Usage of Multicast based announce-listen techniques for network measurements • Distributed Infrastructure of Active Instrumentation • Visualization • Trace back using historical views
SCAN – Mercator Program Small LAN WAN
Oregon – Route View • Originally conceived as a tool for Internet operators to obtain real-time information about the global routing system from the perspectives of several different backbones and locations around the Internet. • The Route Views router, router uses multi-hop BGP peering sessions with backbones at interesting locations. Route Views uses AS6447 in its peering sessions, and routes received from neighbors are never passed on nor used to forward traffic norannounce any prefixes. • Now a basis for many research facilities:
Contributors • Dozens of big players • AOL, APAN, ATT, Abilene, Accretive, Accretive, Army Research Lab, Broadwing, Broadwing, Broadwing, C&W USA, COMindico, Carrier1, EBONE, ELI ....... TouchAmerica, Verio, WCI Cable, X0, Zocalo, blackrose.org, netINS • Many sponsors are commercial
CAIDA • The Cooperative Association for Internet Data Analysis, provides tools and analyses promoting the engineering and maintenance of a robust, scalable global Internet infrastructure • Provides Human interaction in addition to automated systems – Use the phone
Backscatter – Basic Idea • DoS consists of a stream of packets to a specific destination • The victim answers them normally • Often, the attacker spoofs the source address of attack packets • Responses go to the real machines whose addresses were spoofed
IP spoofing • Usually uses random IP selection (2^32) • Every machine has equal chance 1/(2^32) to receive a response to a spoofed packet • If enough spoof packets are sent, every machine will receive some spoof packets
CAIDA Experiment • 3 times 1 week-long periods in 2001 • Using /8 network – Sample 1/256th of all addresses or 2^24 IP addresses • Monitored all traffic arriving for any of these addresses • Expectations = n/2^24
Results • During one week, saw 12,805 attacks • Over three weeks observed 200 million backscatter packets • Presumably out of around 50 billion such packets • More than 5000 victim addresses in more than 2000 domains
Closer Look – Attack Duration • 90% less than an hour • 2% more than 5 hours • 1% over 10 hours • Only dozens over a day
Closer Look – Top level domains • 30% not resolved • .net .com • Romania and Brazil
Closer Look – Number of Attacks • 65% only once • 18% twice • 95% less than 5 times • 90% were 10,000 pkts/sec or less 500 SYNs per second overwhelms unprotected server 46% of attacks were that strong • 14,000 SYNs overwhelms anti-DoS firewall 2.4% of attacks were that strong
Network Jails & Honeypots • Lure hackers in and keep them busy • Provide "real" system • Save root kits • Learn latest tricks and vulnerabilities • Report findings to CERT, alert intermediate hosts
Planet Lab • Overlay network with globally dispersed nodes • Design, deploy, test “planetary-scale” services • Large test best for monitoring, measurement • Many viewpoints into the Internet
ScriptRoute • Provide a way to aggregate traceroute-like information • Reverse routes • Sand boxing of script code, scheduler, rate limiting
NetBait • Distributed query service for conventional IDS information • Identify attacks and index/store events locally • Multiple query sources • Pull approach • Currently still CodeRed focused
SANS • SysAdmin, Audit, Network, Security Institute • Early warning • Training • Internet Storm Center
CERT Coordination Center • Traditional human level coordination • Careful advisories • Federal funding (DoD, DHS) but non-government • US-CERT • Additional public and private sector content • Faster advisories?
McAfee SecurityCenter • End node IDS reporting from PCs • Similar to seti@home • Grid or centralized? • Bundled with personal firewall, risk analyzer
Symantec DeepSight Analyzer • Parses a variety of firewall and IDS system logs • Console view of multiple systems • Helps admin selectively contact attacking machine owners • Reports back to central Symantec service • Early alert services ($) • Aimed at network admins/larger business systems
Open Questions • Internet Wide evaluation Vs Local • Secure every component Vs Global Security • Is the current approach to finding security problems in the Internet adequate? • Human Involvement • Centralized Solution • Delay in Reporting • Placement of monitoring infrastructure • Do we need a global authority? • Who should run? • How would they do it? • Privacy issues with jailing
References • http://www.lumeta.com/ • http://www.isi.edu/scan/ • http://antc.uoregon.edu/route-views/ • http://www.caida.org/ • http://us.mcafee.com/ • http://analyzer.securityfocus.com/ • http://netbait.planet-lab.org/ • Netbait: A Distributed Worm Detection Service, Chun and Witherspoon,ntel Research Berkeley Technical Report IRB-TR-03-033, September 2003. A Planetlab experiment designed to detect worm activity by scattering observation points at Planetlab nodes. • Inferring Internet Denial-of-Service Activity, David Moore, Geoffrey Voelker, and Stefan Savage , 10th Usenex Security Symposium, 2001. A CAIDA paper describing the basic backscatter technique of determining various properties of DDoS attacks. • An Evening With Berferd In Which a Cracker is Lured, Endured, and Studied, Bill Cheswick, Usenex , 1992. The grandfather of all research on honeypots and honeynets.