Detection of malicious Traffic on Backbone Links via Packet Header Analysis
Wolfgang John and Tomas Olovsson
Department of Computer Science and Engineering, Chalmers University of Technology, Göteborg, Sweden
Introduction
• Traffic filtering is often done locally
• Backbone provides broader view
• What is happening "in the wild"?
  • Old, well-known attack types?
  • Distributed attacks to several hosts/networks?
  • What to expect on ingress hosts?
• How good is pure packet header analysis?
Introduction: Outline
• Packet headers considered
  • Fields and potential problems
• Dataset
  • Measurement location
  • Transport protocol breakdown
• Anomalies observed
  • IP (+fragmentation), TCP, UDP, ICMP
• Discussion and highlights
• Summary and Conclusions
Packet Headers • IP header structure
Packet Headers (2) • TCP header structure
Packet Headers (3) • UDP header structure • ICMP header structure
Dataset: Measurement location
• 2x 10 Gbit/s (OC-192)
• Capturing headers only
• IP addresses anonymized
• 554 traces in late 2006
• 10 min. intervals during 3 months
[Figure: the measured link connects Göteborg (Göteborgs Univ., Chalmers Univ., other smaller universities and institutes) with Stockholm (Student-Net, regional ISPs) and the Internet]
Dataset (2)
• Transport protocol breakdown
• CAIDA's DatCat: SUNET fall 2006, https://imdc.datcat.org/collection/1-04HQ-3=SUNET+OC+192+Traces+fall+2006
[Figure: an original datagram split into Segments 1-4, each carried in its own IP packet as Fragments 1-4, which together form a fragment series]
Anomalies observed
• IP header anomalies
  • Two intervals with one million packets to four destinations
    • Source IP of private class C (192.168/16)
    • ICMP echo replies, 228 bytes
    • DoS attack?
  • No exploits of IP source route
  • Land attack
Anomalies observed (2)
• IP fragmentation inconsistencies
  • IP ID values of zero are over-represented!
  • One host inside a University: five campaigns to five destinations with series of 6-7 fragments
    • Iterating over the entire port range
    • Half of the series with inconsistencies (holes etc.)
    • Hijacked host performing DoS (Frag attack!)
  • 42 hosts are the main target
    • 1/5 of all fragment series to these hosts are incomplete
    • Many gaps only 8 bytes long!
    • DDoS? Or just packet loss?
  • 35 different times and different hosts!
    • Not only overlaps, but also gaps
    • Overlapping fragments fill gaps, but in the wrong places!
    • Overlapping fragments of 8-48 bytes at consistent offsets
    • Hardware/software error? Common attack tool?
  • Good news: Ping-of-death, sPing, IceNewk etc. not observed!
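As an added example (not code from the talk or the authors), a consistency check for one fragment series in the spirit of the inconsistencies listed above: it reports holes, overlaps, the 8-byte gaps singled out on the slide, and the fraction of incomplete series for a destination. A series is assumed to be grouped beforehand by source, destination, protocol and IP ID and given as constructed (byte offset, length, more-fragments) triples; function names and sample series are assumptions of this example.

```python
def check_fragment_series(frags):
    """Check one IP fragment series (same src, dst, protocol and IP ID).

    frags: list of (offset_bytes, payload_len, more_fragments); offset_bytes is
    the 13-bit fragment offset field multiplied by 8. Returns holes (byte ranges
    never covered), overlaps (byte ranges covered twice), the 8-byte holes the
    talk singles out, and whether the series is complete.
    """
    frags = sorted(frags)
    holes, overlaps = [], []
    covered_end = 0                        # first byte not yet covered so far
    for off, length, _more in frags:
        end = off + length
        if off > covered_end:              # nothing covers [covered_end, off)
            holes.append((covered_end, off))
        elif off < covered_end:            # fragment repeats bytes already seen
            overlaps.append((off, min(end, covered_end)))
        covered_end = max(covered_end, end)
    last_is_final = bool(frags) and not frags[-1][2]   # MF bit clear on the last one
    return {
        "complete": not holes and last_is_final,
        "holes": holes,
        "overlaps": overlaps,
        "eight_byte_holes": [h for h in holes if h[1] - h[0] == 8],
        # overlaps that leave holes open: "fill gaps, but in the wrong places"
        "overlaps_with_holes": bool(holes) and bool(overlaps),
    }

def incomplete_ratio(series_list):
    """Fraction of the fragment series seen for one destination that never complete."""
    if not series_list:
        return 0.0
    bad = sum(1 for s in series_list if not check_fragment_series(s)["complete"])
    return bad / len(series_list)

# Constructed sample series (1480-byte fragments; offsets are multiples of 8):
FRAGS_OK = [(0, 1480, True), (1480, 1480, True), (2960, 1480, True), (4440, 500, False)]
FRAGS_GAP = [(0, 1480, True), (1488, 1472, True), (2960, 1480, True), (4440, 500, False)]      # 8-byte hole
FRAGS_OVERLAP = [(0, 1480, True), (1456, 1504, True), (2960, 1480, True), (4440, 500, False)]  # 24-byte overlap
```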
Anomalies observed (3)
• TCP header anomalies
  • Two or more field anomalies within the same TCP header
    • 21 % in RST/ACK packets from port 80
    • 79 % in SYN/ACK packets ... SYN/ACK attacks?
  • Source and destination ports of zero equally shared
    • Mainly SYN packets in host scanning campaigns
  • Mahoney et al.: FIN without ACK can reveal port sweeps
    • Not supported by our data!
    • Mainly to P2P ports: pure FIN after SYN connection attempts
Anomalies observed (4)
• UDP header anomalies
  • From UDP port zero: around 30 scanning campaigns of /24 ranges to port numbers 1025 and 1026
    • Windows Messenger spam!
Anomalies observed (5)
• ICMP header observations
  • Two hosts sending 46 million "host redirects" during 12 days
    • DoS attacks like Winfreez
Anomalies observed (6)
• ICMP header observations contd.
  • No Ping-of-Death type attacks
  • No obvious attack with ICMP dest. unreachable (Smack)
  • No ICMP timestamp attacks (like moyari13)
  • No large-scale usage of invalid ICMP types (Twinge or Trash attacks)
Summary and Conclusions
• Systematic listing of header anomalies
• Occurrences in real backbone traffic
  • Many old attacks still out there
  • but some formerly popular attacks vanished
• Constant "noise" of anomalous packets
• Some major campaigns of malicious activities detected
Summary and Conclusions (2)
• Pure packet header analysis reveals a substantial amount of malicious activity
• Watch out for
  • IP ID of zero
  • Port numbers of zero
  • Strange TCP flags
  • Reserved IP addresses
  • Unusual ICMP activity
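An added example, not the authors' code, of the "watch out for" checks above applied to raw IPv4 headers: it tags IP ID zero, port zero, null and SYN+FIN flag combinations, a pure FIN without ACK, reserved source addresses, the Land pattern (source equals destination), source-route options and ICMP host redirects. Packet samples are constructed inline with zero checksums; function names and tag strings are assumptions of this example.

```python
import struct
from ipaddress import ip_address, ip_network

RESERVED = [ip_network(n) for n in ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",   # sources that
                                    "172.16.0.0/12", "192.168.0.0/16")]        # should never transit a backbone
FIN, SYN, ACK = 0x01, 0x02, 0x10

def header_anomalies(pkt):
    """Return the anomaly tags found in one raw IPv4 packet (bytes); headers only."""
    tags = []
    ver_ihl, _, _, ip_id, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ip_id == 0:            # legal for DF datagrams, but over-represented in the attack traffic
        tags.append("ip_id_zero")
    if src == dst:            # Land attack: source address equals destination address
        tags.append("land_attack")
    if any(ip_address(src) in net for net in RESERVED):
        tags.append("reserved_source")
    i = 20
    while i < ihl and pkt[i] != 0:      # walk IP options for LSRR (131) / SSRR (137)
        if pkt[i] in (131, 137):
            tags.append("source_route")
        i += 1 if pkt[i] == 1 else max(2, pkt[i + 1])
    tp = pkt[ihl:]
    if proto in (6, 17) and 0 in struct.unpack("!HH", tp[:4]):   # TCP/UDP port zero
        tags.append("port_zero")
    if proto == 6:
        flags = tp[13] & 0x3F
        if flags == 0 or (flags & (SYN | FIN)) == (SYN | FIN):   # null or SYN+FIN
            tags.append("strange_tcp_flags")
        elif (flags & FIN) and not (flags & ACK):                # pure FIN, no ACK
            tags.append("fin_without_ack")
    elif proto == 1 and tp[0] == 5:                              # ICMP redirect
        tags.append("icmp_redirect")
    return tags

def build_ipv4(src, dst, proto, payload, ip_id=0x1234, options=b""):
    # Constructed sample packets only; checksums are left zero (not needed here).
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options) + len(payload),
                      ip_id, 0, 64, proto, 0, ip_address(src).packed, ip_address(dst).packed)
    return hdr + options + payload

def tcp_segment(sport, dport, flags):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, flags, 8192, 0, 0)

# Constructed samples: a SYN from a private source with source port 0, and an ICMP host redirect with IP ID 0.
SYN_PORT_ZERO = build_ipv4("192.168.1.7", "198.51.100.9", 6, tcp_segment(0, 80, SYN))
HOST_REDIRECT = build_ipv4("203.0.113.5", "198.51.100.9", 1, struct.pack("!BBHI", 5, 1, 0, 0), ip_id=0)
```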
Summary and Conclusions (3)
• Next steps
  • Study potential of IP ID, SEQ and ACK numbers and port numbers for detection
  • Get access to payload data / broadcast addr.
    • Anomalous application headers?
    • Malicious code?
  • Correlate packets (flows)
    • Scannings, DDoS campaigns?
    • What happens before? After? ....
More Information: http://www.chalmers.se/cse/EN/people/john-wolfgang or Email: johnwolf@chalmers.se
Questions?