140 likes | 151 Views
This research project focuses on analyzing the traffic sent to unused IP addresses in order to identify potential malicious activity, including DDoS attacks, port scanning, and active worm probes. The study utilizes network telescopes and honeypots to gather information and interact with the traffic. The findings show that the majority of the traffic consists of TCP SYN and UDP spam packets, with common TCP destination ports including 445 (Microsoft-DS), 135 (EPMAP), and 22 (SSH SYN). ICMP packets primarily consist of ping requests. Burstiness characteristics of the traffic show consistent patterns throughout day and night, with peaks of high traffic indicating spam events.
E N D
Network Measurements: Unused IP address space traffic analysis at SSSUP Campus Network Francesco Paolucci, Piero Castoldi Research Unit at Scuola Superiore Sant’Anna, Pisa, Italy Italy-Tunisia Research Project sponsored by MIUR under FIRB International program 1° year plenary meeting, Tunis, March 29, 2007
Unused address space traffic Dumping Internet traffic sent to unused IP addresses space can give information about attacks towards the target subnetwork. Since there is no legitimate reason for a host to send packets to those destinations, such traffic provides strong evidence of malicious activity including DDoS backscatter, port scanning, and probe activity from active worms.
Useful Tools Two kind of tools acquire information about unused traffic: • Network telescopes • They work by monitoring traffic sent to communication dead-ends such as unallocated portions of the IP address space. • can potentially provide early warning of a scanning-worm outbreak, and can yield excellent forensic information • Honeypots • are closely monitored network decoys serving several purposes • they can distract adversaries from more valuable machines on a network • they allow in-depth examination of adversaries during and after exploitation of a honeypot. When coupled with honeypots, telescopes can be used to interact with potentially malicious traffic in order to determine the intent behind the traffic, including particular vulnerabilities being exploited and follow-on activity after a compromise succeeds.
SSSUP Unused traffic dumping • Scuola Superiore Sant’Anna Campus Network • 8 different sites in Pisa and Pontedera • Average incoming traffic: 25 Mbit/s • 4 class-C address space • Total IP address space = 1016 • Utilized IP address space = 162 (16%) NETWORK SNIFFER & ANALYZER • Measurements Tools • Linux Box PC equipped with high performance INTEL Network Interface Card • Sniffer: Dumpcap (Wireshark Suite) • Analyzer and offline filtering: Tshark & Wireshark • Dumping point: Last switch to GARR Net, NO NAT, NO FIREWALL.
Dumping methodology • Only Incoming traffic tracing • 1-hour long dumping twice a day for a week • Most of the anomalous activities last less than 1 hour • Day-time and Night-time traces give indications about high and low human user traffic characteristics • Light online filtering • Complex offline filtering (entire IP address space set filter)
Global traffic results : 25 Mbit/s UDP packets (13%) TCP packets (86%) About 80% of the traffic is driven by peer-to-peer applications. Within High ports traffic (src and dst >1024) values are distributed (no particular values emerge): p2p applications choose random high ports.
Unused traffic main results • Traffic to unused addresses represents the 0,2% of the total incoming packets on the whole subnet. • 4 pkts/s, average rate 6 kbit/s • Traffic activity profile is constant and independent on the daytime (no profile differences between day and night time) • Almost whole traffic represents (TCP) SYN or (UDP) spam packets
Packets statistics • TCP and ICMP packets are quite short (SYN, PING = 70 byte long) • UDP packets are longer (500 byte long)
TCP destination ports statistics • Port 445 (Microsoft-DS Active Directory, Windows shares, Sasser worm, Agobot, Zobotworm) • Port 135 (EPMAP (End Point Mapper) / Microsoft RPC Locator Service , Nachi or MSBlast worms) • Port 22 (SSH SYN) • represent more than 75% of the total TCP traffic
UDP destination ports statistics • Port 1026 (CAP, Calendar Access Protocol, Windows Messenger Spam) • Port 1027 (unassigned, Messenger Spam) • Port 1434 (MS-SQL, systems infected with the SQL Slammer) • represent 97% of the total UDP traffic
ICMP packets • Type 8 (Ping request): 96 %
Burstiness characteristics • Similar behaviour at day and night time • Peaks of instantaneous 3-4 Mbit/s in 300 ms interval events (SPAM) • Average SCAN and ICMP 1 kbit/s events NIGHT DAY
Traffic burstiness sorted by protocol Different behaviour between TCP, UDP and ICMP traffic • TCP • “Constant” bursts (1 packet, tinter= 4 s, duration= 0.2 s, rate 0.4 kbit/s) • Burst train events (event duration = 100 s, each burst lasts 0.3 s with 200 kbit/s peak rate) • UDP • Isolated 0.2 s long bursts with up to 3 Mbit/s peak rate (SPAM) • ICMP • Similar behaviour like TCP but lower peak and average rate(PING)