
Detection of malicious Traffic on Backbone Links via Packet Header Analysis


Presentation Transcript


  1. Detection of malicious Traffic on Backbone Links via Packet Header Analysis
  Wolfgang John and Tomas Olovsson
  Department of Computer Science and Engineering
  Chalmers University of Technology
  Göteborg, Sweden

  2. Introduction
  • Traffic filtering is often done locally
  • Backbone provides broader view
  • What is happening "in the wild"?
  • Old, well known attack types?
  • Distributed attacks to several hosts/networks?
  • What to expect on ingress hosts?
  • How good is pure packet header analysis?

  3. Introduction: Outline
  • Packet headers considered
    • Fields and potential problems
  • Dataset
    • Measurement location
    • Transport protocol breakdown
  • Anomalies observed
    • IP (+fragmentation), TCP, UDP, ICMP
  • Discussion and highlights
  • Summary and Conclusions

  4. Packet Headers
  • IP header structure

  5. Packet Headers (2)
  • TCP header structure

  6. Packet Headers (3)
  • UDP header structure
  • ICMP header structure

  7. Outline (2)
  • Packet headers considered
    • Fields and potential problems
  • Dataset
    • Measurement location
    • Transport protocol breakdown
  • Anomalies observed
    • IP (+fragmentation), TCP, UDP, ICMP
  • Discussion
  • Summary and Conclusions

  8. Dataset: Measurement location
  • 2x 10 Gbit/s (OC-192)
  • capturing headers only
  • IP addresses anonymized
  • 554 traces in late 2006
  • 10 min. intervals during 3 months
  [Figure: network map of the measurement location; labels: Internet, Stockholm, Student-Net, Regional ISPs, Göteborg, Göteborgs Univ., Chalmers Univ., Other smaller Universities and Institutes]

  9. Dataset (2)
  • Transport protocol breakdown
  CAIDA's DatCat: SUNET fall 2006
  https://imdc.datcat.org/collection/1-04HQ-3=SUNET+OC+192+Traces+fall+2006
  [Figure: IP fragmentation; an original datagram is split into Segments 1-4, each prefixed with an IP header to form Fragments 1-4, the fragment series]

  10. Outline (3)
  • Packet headers considered
    • Fields and potential problems
  • Dataset
    • Measurement location
    • Transport protocol breakdown
  • Anomalies observed
    • IP (+fragmentation), TCP, UDP, ICMP
  • Discussion
  • Summary and Conclusions

  11. Anomalies observed
  • IP header anomalies
    • Two intervals with one million packets to four destinations
      Source IP of private class C (192.168/16)
      ICMP echo replies, 228 bytes
      DoS attack?
    • No exploits of IP source route
    • Land attack

  12. Anomalies observed (2)
  • IP fragmentation inconsistencies
    IP ID values of zero are over-represented!
  • one host inside a University
    five campaigns to five destinations with series of 6-7 fragments
    Iterating over entire port range
    half of the series with inconsistencies (holes etc.)
    hijacked host performing DoS (Frag attack!)
  • 42 hosts are the main target
    1/5 of all fragment series to these hosts are incomplete
    many gaps only 8 bytes long!
    DDoS? Or just packet loss?
  • 35 different times and different hosts!
    Not only overlaps, but also gaps
    Overlapping fragments fill gaps – in the wrong places!
    8 – 48 bytes overlapping fragments on consistent offsets
    Hardware/Software error? Common attack tool?
  • Good news: Ping-of-death, sPing, IceNewk etc. not observed!
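The slide lists three kinds of fragment-series inconsistency: holes, overlapping fragments, and series that never complete. The following checker, added here as an example rather than taken from the authors' tooling, classifies a series from its (byte offset, length, more-fragments) tuples; the three sample series are constructed.

```python
# Added example (not from the slides): check one IP fragment series for the
# inconsistencies slide 12 describes, i.e. holes, overlaps and incompleteness.
# Fragments are constructed (offset_bytes, length, more_fragments) tuples.

def analyze_fragment_series(frags):
    """Return a summary dict for one fragment series (same src/dst/id/proto).

    Offsets are byte offsets: a real parser multiplies the 13-bit IP fragment
    offset field by 8 before calling this.
    """
    ordered = sorted(frags)
    holes, overlaps = [], []
    expected = 0                       # next byte not yet covered
    for off, length, _mf in ordered:
        if off > expected:             # gap: bytes expected..off never seen
            holes.append((expected, off))
        elif off < expected:           # re-covers bytes already received
            overlaps.append((off, min(expected, off + length)))
        expected = max(expected, off + length)
    last_mf = ordered[-1][2] if ordered else True
    return {
        "complete": not holes and not last_mf,   # no gaps and final fragment has MF=0
        "holes": holes,
        "overlaps": overlaps,
        # slide 12: many of the observed gaps were only 8 bytes long
        "eight_byte_holes": [h for h in holes if h[1] - h[0] == 8],
    }

# Constructed series: a clean one, one with an 8-byte hole, and one with a
# 16-byte overlap on a consistent offset (given out of order on purpose).
SERIES = {
    "clean":   [(0, 1480, True), (1480, 1480, True), (2960, 500, False)],
    "hole8":   [(0, 1480, True), (1488, 1480, True), (2968, 500, False)],
    "overlap": [(2960, 500, False), (0, 1480, True), (1464, 1496, True)],
}

def analyze_all():
    return {name: analyze_fragment_series(s) for name, s in SERIES.items()}
```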

  13. Anomalies observed (3)
  • TCP header anomalies
  • Two or more field anomalies within the same TCP header
    • 21 % in RST/ACK packets from port 80
    • 79 % in SYN/ACK packets .... SYN/ACK attacks?
  • source and destination ports of zero equally shared
    mainly SYN packets in host scanning campaigns
  • Mahoney et al.: FIN without ACK can reveal port-sweeps
    Not supported by our data!!
    Mainly to P2P ports – pure FIN after SYN connection attempts

  14. Anomalies observed (4)
  • UDP header anomalies
  • From UDP port zero: around 30 scanning campaigns of /24 ranges to port numbers 1025 and 1026
    Windows messenger spam!

  15. Anomalies observed (5)
  • ICMP header observations
  • two hosts sending 46 million "host redirects" during 12 days
    DoS attacks like Winfreez

  16. Anomalies observed (6)
  • ICMP header observations contd.
  • No Ping-of-Death type attacks
  • No obvious attack with ICMP dest. unreachable (Smack)
  • No ICMP timestamp attacks (like moyari13)
  • No large scale usage of invalid ICMP types (Twinge or Trash attacks)

  17. Outline (4)
  • Packet headers considered
    • Fields and potential problems
  • Dataset
    • Measurement location
    • Transport protocol breakdown
  • Anomalies observed
    • IP (+fragmentation), TCP, UDP, ICMP
  • Discussion
  • Summary and Conclusions

  18. Summary and Conclusions
  • Systematic listing of header anomalies
  • Occurrences in real backbone traffic
  • Many old attacks still out there
    • but some formerly popular attacks vanished
  • Constant "noise" of anomalous packets
  • Some major campaigns of malicious activities detected

  19. Summary and Conclusions (2)
  • Pure packet header analysis reveals a substantial amount of malicious activity
  • Watch out for
    • IP ID of zero
    • port numbers of zero
    • Strange TCP flags
    • Reserved IP addresses
    • Unusual ICMP activity
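The "watch out for" list above, together with the land attack (slide 11), pure FIN packets (slide 13), UDP port zero (slide 14) and ICMP redirects (slide 15), can be checked from headers alone. The checker below is an added example, not the authors' code; it parses raw IPv4 packets with the standard library and tags each anomaly class. The sample packets and their addresses are constructed, and the choice of which flag combination counts as "strange" is limited here to FIN without ACK.

```python
import ipaddress
import struct
TCP_FIN, TCP_SYN, TCP_ACK = 0x01, 0x02, 0x10

def check_headers(pkt):
    """Return the anomaly tags one raw IPv4 packet (no link layer) matches."""
    tags = []
    ihl = (pkt[0] & 0x0F) * 4                           # IP header length in bytes
    ip_id, _frag, _ttl, proto = struct.unpack_from("!HHBB", pkt, 4)
    src, dst = ipaddress.ip_address(pkt[12:16]), ipaddress.ip_address(pkt[16:20])
    if ip_id == 0:
        tags.append("ip_id_zero")                       # over-represented in the traces
    if src.is_private or src.is_reserved or src.is_loopback or src.is_multicast:
        tags.append("reserved_src")                     # e.g. 192.168/16 sources on a backbone
    l4, sport, dport = pkt[ihl:], None, None
    if proto == 6:                                      # TCP
        sport, dport, _seq, _ack, off_flags = struct.unpack_from("!HHIIH", l4, 0)
        if off_flags & TCP_FIN and not off_flags & TCP_ACK:
            tags.append("fin_without_ack")              # "pure FIN" after SYN attempts
    elif proto == 17:                                   # UDP
        sport, dport = struct.unpack_from("!HH", l4, 0)
    elif proto == 1 and l4[0] == 5:                     # ICMP type 5 = redirect
        tags.append("icmp_redirect")
    if sport is not None:
        if sport == 0 or dport == 0:
            tags.append("port_zero")
        if src == dst and sport == dport:
            tags.append("land")                         # classic LAND signature
    return tags

# Constructed sample packets (not captured traffic); all addresses are made up.
def _ipv4(src, dst, proto, ip_id, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ip_id, 0, 64, proto,
                      0, ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def _tcp(sport, dport, flags):                          # 20-byte TCP header, no options
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, 0)

SAMPLES = {
    "normal_syn":  _ipv4("123.45.67.89", "98.76.54.32", 6, 4242, _tcp(51000, 80, TCP_SYN)),
    "land":        _ipv4("98.76.54.32", "98.76.54.32", 6, 7, _tcp(80, 80, TCP_SYN)),
    "private_src": _ipv4("192.168.1.1", "98.76.54.32", 1, 0, struct.pack("!BBHI", 0, 0, 0, 0)),
    "pure_fin":    _ipv4("123.45.67.89", "98.76.54.32", 6, 77, _tcp(40000, 6881, TCP_FIN)),
    "udp_port0":   _ipv4("123.45.67.89", "98.76.54.32", 17, 9, struct.pack("!HHHH", 0, 1026, 8, 0)),
    "redirect":    _ipv4("123.45.67.89", "98.76.54.32", 1, 3, struct.pack("!BBHI", 5, 1, 0, 0)),
}

def scan_samples():
    return {name: check_headers(p) for name, p in SAMPLES.items()}
```

A checker like this only finds the per-packet classes; the campaigns on slides 12 to 15 still need packets correlated by source, destination and time.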

  20. Summary and Conclusions (3)
  • Next steps
    • Study potential of IP ID, SEQ and ACK numbers and port numbers for detection
    • Get access to payload data / broadcast addr.
      • Anomalous application headers?
      • Malicious code?
    • Correlate packets (flows)
      • Scannings, DDoS campaigns?
      • What happens before? After? ....

  21. More Information: http://www.chalmers.se/cse/EN/people/john-wolfgang or Email: johnwolf@chalmers.se
  Questions?
