
IPAudit


Presentation Transcript


  1. Software for network monitoring. IPAudit

  2. Question: Why did you choose IPAudit for a topic? (Probably should have asked this earlier)

  3. IPAudit – Three stories
     • Network Monitoring
     • Software Development
     • Open Source Project Management

  4. What IPAudit is
     • Two parts
       • Binary
         • Sniffs the network and periodically writes a traffic summary to a text file
         • Companion programs
           • I find these two programs more generally useful – ipaudit is more specialized.
           • ipstrings – like strings, but for IP packets.
           • total – reads text records and maintains counts, averages, etc. for different field values.
       • IPAudit-Web
         • Web accessible reports based on the data collected by the binary.

  5. Problem that IPAudit solves
     • IMS based DoS attack
       • In 1999 an infected host in IMS was doing a DoS against an off-campus host.
       • Problem: No easy method of finding the host.
       • Manual method: log into the main switch, find the busy interface, consult network maps to find the next switch/hub, log into it, repeat ....
     • Solution
       • Monitor traffic by IP address. Find the busiest IP address directly.

  6. Early Development: Ipaudit Binary
     • Monitored the network with TCPDump and Perl scripts
       • Worked on a dual 333Mhz Pentium II with 50% load when monitoring a 4.5mb connection.
       • UConn had plans to upgrade to between 10 and 45mbs → Need a faster system.
     • Replaced with a C program, the IPAudit binary
       • Learned: pcap library, packet structure, C select() function.
       • Developed: new hash function.
         • Existing hash functions are like black magic.
         • Mine is easier to understand.

  7. Ipaudit Output

     Columns: LOCAL-IP, REMOTE-IP, PROTOCOL, LOCAL-PORT, REMOTE-PORT, INC-BYTES, OUT-BYTES, INC-PKT, OUT-PKT, FIRST-TIME (sort), LAST-TIME, FIRST-TALKER, LAST-TALK

     LOCAL-IP        REMOTE-IP       PROTOCOL LOCAL-PORT REMOTE-PORT INC-BYTES OUT-BYTES INC-PKT OUT-PKT FIRST-TIME    LAST-TIME     FIRST-TALKER LAST-TALK
     --------------- --------------- -------- ---------- ----------- --------- --------- ------- ------- ------------- ------------- ------------ ---------
     137.099.089.110 212.045.068.018 6        21         1317        278       353       5       4       09:51:08.0524 09:51:19.1243 2            2
     137.099.089.110 212.045.068.018 6        21         1321        842       3389      13      16      09:51:08.7673 09:51:21.6822 2            2
     137.099.089.110 212.045.068.018 6        20         1324        46120     712706    854     1261    09:51:20.4735 09:59:57.4130 1            2
     137.099.089.110 212.045.068.018 6        21         1325        847       2316      13      15      09:51:21.5128 09:51:30.0712 2            2
     137.099.089.110 212.045.068.018 6        21         1326        794       2386      12      15      09:51:22.0193 09:51:31.0847 2            2
     137.099.089.110 212.045.068.018 6        21         1327        794       2209      12      13      09:51:22.5151 09:51:30.9838 2            2
     137.099.089.110 212.045.068.018 6        20         1328        47632     709310    882     1255    09:51:28.5105 09:59:59.8142 1            1
     137.099.089.110 212.045.068.018 6        20         1330        35698     536114    661     949     09:51:29.2214 09:59:59.9341 1            1
     137.099.089.110 212.045.068.018 6        20         1329        33700     527624    624     934     09:51:29.6458 10:00:00.5380 1            1

  8. IPStrings
     • Command line program to inspect IP string data

     > ipstrings -f "port 25" -pit -s 256 eth0
     137.099.025.234 137.099.080.033 6 25 55956 11:41:43.3353 220 mta1.uits.uconn.edu ESMTP Postfix (Debian/GNU)
     137.099.080.033 137.099.025.234 6 55956 25 11:41:45.5772 helo uconn.edu
     137.099.025.234 137.099.080.033 6 25 55956 11:41:45.5777 250 mta1.uits.uconn.edu
     137.099.080.033 137.099.025.234 6 55956 25 11:41:49.9272 mail from: Jon.Rifkin@UConn.EDU
     137.099.025.234 137.099.080.033 6 25 55956 11:41:49.9280 250 2.1.0 Ok
     137.099.080.033 137.099.025.234 6 55956 25 11:41:57.8978 rcpt to: Jon.Rifkin@UConn.EDU
     137.099.025.234 137.099.080.033 6 25 55956 11:41:57.8997 250 2.1.5 Ok
     137.099.080.033 137.099.025.234 6 55956 25 11:42:00.9272 data
     137.099.025.234 137.099.080.033 6 25 55956 11:42:00.9278 354 End data with <CR><LF>.<CR><LF>
     137.099.080.033 137.099.025.234 6 55956 25 11:42:07.7678 Subject: This is a test message.
     137.099.080.033 137.099.025.234 6 55956 25 11:42:11.8672 To: Jon.Rifkin@UConn.EDU
     137.099.080.033 137.099.025.234 6 55956 25 11:42:21.1472 From: G.W.Bush@Whitehouse.Gov
     137.099.080.033 137.099.025.234 6 55956 25 11:42:47.7272 Congratulations! You are the new Homeland Security czar.
     137.099.080.033 137.099.025.234 6 55956 25 11:43:00.4878 Please pick up your keys at the office tomorrow 0800.
     137.099.080.033 137.099.025.234 6 55956 25 11:43:03.7678 - G.W.
     137.099.025.234 137.099.080.033 6 25 55956 11:43:05.3363 250 2.0.0 Ok: queued as D6DB62CFB5
     137.099.080.033 137.099.025.234 6 55956 25 11:43:07.2078 quit
     137.099.025.234 137.099.080.033 6 25 55956 11:43:07.2086 221 2.0.0 Bye

  9. Total

     > cat total.in
     Ford Focus White 20
     Ford Taurus White 31
     Ford Taurus Red 15
     Chevy Aero White 17
     Honda Accord Red 12

     > total -s1 1 4 total.in
     Ford 66
     Chevy 17
     Honda 12

     > total 1,3 4 total.in
     Chevy White 17
     Ford White 51
     Honda Red 12
     Ford Red 15
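The two ideas above, ranking addresses by bytes as described on slide 5 and total-style grouping as on slide 9, applied to the record layout shown on slide 7. This is an added Python example, not code from the presentation or the IPAudit project; the field names and the 0-based field indexes are my own choice (the real total takes 1-based field numbers), and the input strings are the slide's own rows embedded inline.

```python
from collections import defaultdict

# The nine records from the ipaudit output slide (slide 7), in that slide's column order:
# LOCAL-IP REMOTE-IP PROTOCOL LOCAL-PORT REMOTE-PORT INC-BYTES OUT-BYTES INC-PKT OUT-PKT
# FIRST-TIME LAST-TIME FIRST-TALKER LAST-TALK
IPAUDIT_SAMPLE = """\
137.099.089.110 212.045.068.018 6 21 1317 278 353 5 4 09:51:08.0524 09:51:19.1243 2 2
137.099.089.110 212.045.068.018 6 21 1321 842 3389 13 16 09:51:08.7673 09:51:21.6822 2 2
137.099.089.110 212.045.068.018 6 20 1324 46120 712706 854 1261 09:51:20.4735 09:59:57.4130 1 2
137.099.089.110 212.045.068.018 6 21 1325 847 2316 13 15 09:51:21.5128 09:51:30.0712 2 2
137.099.089.110 212.045.068.018 6 21 1326 794 2386 12 15 09:51:22.0193 09:51:31.0847 2 2
137.099.089.110 212.045.068.018 6 21 1327 794 2209 12 13 09:51:22.5151 09:51:30.9838 2 2
137.099.089.110 212.045.068.018 6 20 1328 47632 709310 882 1255 09:51:28.5105 09:59:59.8142 1 1
137.099.089.110 212.045.068.018 6 20 1330 35698 536114 661 949 09:51:29.2214 09:59:59.9341 1 1
137.099.089.110 212.045.068.018 6 20 1329 33700 527624 624 934 09:51:29.6458 10:00:00.5380 1 1
"""
# The car table from the total slide (slide 9), constructed here as an in-memory file.
TOTAL_IN = "Ford Focus White 20\nFord Taurus White 31\nFord Taurus Red 15\nChevy Aero White 17\nHonda Accord Red 12\n"

FIELDS = ["local_ip", "remote_ip", "proto", "local_port", "remote_port", "inc_bytes",
          "out_bytes", "inc_pkt", "out_pkt", "first_time", "last_time", "first_talker", "last_talk"]

def parse_ipaudit(text):
    """Turn ipaudit text records into dicts keyed by FIELDS; header and ---- separator lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or not parts[5].isdigit():
            continue
        rec = dict(zip(FIELDS, parts))
        for f in ("proto", "local_port", "remote_port", "inc_bytes", "out_bytes", "inc_pkt", "out_pkt"):
            rec[f] = int(rec[f])
        records.append(rec)
    return records

def group_sum(rows, key_fields, sum_field):
    """total-style aggregation: sum one field over rows sharing the key fields (dict keys or 0-based indexes)."""
    sums = defaultdict(int)
    for row in rows:
        sums[tuple(row[k] for k in key_fields)] += int(row[sum_field])
    return dict(sums)

def busiest_hosts(records, n=3):
    """Slide 5's approach: rank addresses by bytes seen in either direction (credited to both endpoints)."""
    per_ip = defaultdict(int)
    for r in records:
        per_ip[r["local_ip"]] += r["inc_bytes"] + r["out_bytes"]
        per_ip[r["remote_ip"]] += r["inc_bytes"] + r["out_bytes"]
    return sorted(per_ip.items(), key=lambda kv: kv[1], reverse=True)[:n]
```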

  10. Web based reporting: Ipaudit-Web
     • Web graphics and table based reports of ipaudit data.
     • Graph design inspired by Edward R. Tufte's “The Visual Display of Quantitative Information”
     • My interpretation: “Present as much raw data as possible in a way the viewer can recognize meaningful patterns.”

  11. Ipaudit Graph

  12. Live Demo
     • UConn's IPAudit system
     • Password protected
     • Managed by the Network Security group.

  13. The IPAudit Project
     • Hosted on Sourceforge since 2001
       • http://sourceforge.net/projects/ipaudit
       • About 50,000 downloads.
     • Other Project Admins
       • jh8 – initial tar ball packaging
       • j4_gongloo (a couple of one-time UConn students) – Ipaudit web site
     • Contributors
       • Charles Green – ipaudit search binary
     • Since 2005, only I've touched the project.
     • Conclusion
       • This project does not host an active community.
       • Project communities need a proactive person.
