Mapping Internet Sensors with Probe Response Attacks
Authors: John Bethencourt, Jason Franklin, Mary Vernon
Published At: Usenix Security Symposium, 2005
Presented By: Anvita Priyam
Internet Sensor Networks
• Used as a tool to detect malicious internet traffic, e.g. honeypots, log analysis centers
• They publish public reports without disclosing sensor locations.
• Maintaining sensor anonymity is critical
Overview
• Central Idea
• Internet Storm Center (ISC) Background
• Probe response attack
• Countermeasures
• Weaknesses
• Suggestions
Central Idea
• This paper presents an attack technique, “Probe Response”
• It is capable of determining the location of internet sensors whose statistics are publicly displayed.
• It uses the SANS Internet Storm Center as a case study.
Motivation for attack
• Focus is on internet sensors that enable collaborative intrusion detection through a wide-area perspective of the internet.
[Figure: log sources submit logs to a central statistics repository]
Case Study: The SANS Internet Storm Center (ISC)
• System that collects data from internet sensors and publishes public reports.
• It analyzes and aggregates this information and automatically publishes several types of reports.
• These reports are useful in detecting new worms and blacklisting hosts controlled by malicious users.
Port Report
• The attack is primarily concerned with port reports.
• For each port the report gives three statistics:
  > Number of reports: total entries in the log
  > Number of sources: distinct source IP addresses with the given port
  > Number of targets: distinct destination IP addresses
Probe Response Attack - The Big Picture
• Core Idea – Probe an IP address with activity that will be reported to the ISC.
[Flowchart: the attacker sends packets to an IP address and checks the reports. Reported? YES: the host is monitored and is submitting logs to the ISC. NO: the host is not monitored; look for the next IP address.]
Basic Probe Response Algorithm
• Consists of two stages
• First Stage
  > Begins with an ordered list of IP addresses (0, 1, 2, …) to check.
  > All invalid or unroutable addresses are filtered out
  > SYN packets are sent on port P_i to each address in interval S_i (one distinct port per interval).
First Stage (cont’d)
• Wait for 2 hours and retrieve the port report
• Intervals lacking activity are discarded
• Remaining intervals are sent to the 2nd stage together with the number of monitored addresses in each
Second Stage
• Repeats until the attack is complete
• Distribute the ports among the remaining intervals
• Divide each interval into subintervals
• Send packets to every subinterval except the last
Second Stage (cont’d)
• For each subinterval of a remaining interval we retrieve the report
• Number in last subinterval = (total in that interval − number in other subintervals)
• Empty subintervals are discarded
• Remaining subintervals are the new set of remaining intervals
• Continue to divide until only monitored or unmonitored addresses are left
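As an added illustration of the two-stage search described on these slides (example code written for this summary, not from the paper or the ISC), the following is a noise-free simulation against a toy port-report model: the address space, the hidden sensor set and the port pool are constructed inline, and the class and function names are assumptions.

```python
class ToyPortReport:
    """Stand-in for the ISC port report: distinct monitored destinations per port."""
    def __init__(self, monitored):
        self.monitored = set(monitored)   # hidden sensor addresses (constructed)
        self.targets = {}                 # port -> monitored destinations hit
        self.probes_sent = 0

    def syn(self, addr, port):
        self.probes_sent += 1
        if addr in self.monitored:        # only sensors submit logs
            self.targets.setdefault(port, set()).add(addr)

    def report(self):
        counts = {p: len(t) for p, t in self.targets.items()}
        self.targets = {}                 # next reporting interval
        return counts


def probe_response(model, space, ports, split=2):
    """Recover every monitored address in `space` from per-port target counts.
    Stage 1 gives each interval its own port; stage 2 splits surviving
    intervals and infers the last subinterval's count instead of probing it."""
    width = -(-len(space) // len(ports))
    intervals = [space[i:i + width] for i in range(0, len(space), width)]
    for iv, port in zip(intervals, ports):
        for a in iv:
            model.syn(a, port)
    counts = model.report()
    pending = [(iv, counts[p]) for iv, p in zip(intervals, ports) if counts.get(p)]
    found, per_round = [], len(ports) // (split - 1)   # port pool bounds each round
    while pending:
        batch, pending = pending[:per_round], pending[per_round:]
        port_iter, probed = iter(ports), []
        for iv, total in batch:
            if len(iv) == 1:
                found.append(iv[0])       # positive count on one address: a sensor
                continue
            w = -(-len(iv) // split)
            subs = [iv[i:i + w] for i in range(0, len(iv), w)]
            used = []
            for sub in subs[:-1]:         # probe all but the last subinterval
                port = next(port_iter)
                for a in sub:
                    model.syn(a, port)
                used.append((sub, port))
            probed.append((used, subs[-1], total))
        counts = model.report()
        for used, last, total in probed:
            seen = sum(counts.get(port, 0) for _, port in used)
            pending += [(sub, counts[port]) for sub, port in used if counts.get(port)]
            if total > seen:              # remainder sits in the unprobed subinterval
                pending.append((last, total - seen))
    return sorted(found)
```

With 64 addresses, 8 ports and 5 hidden sensors the search needs 93 probes in total, fewer than two full sweeps, because each unprobed last subinterval is resolved from its parent's count.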
Dealing with noise
• Sources other than the attacker may be sending packets to monitored addresses with the same destination ports
• This increases the number of targets reported
• Causes the algorithm to produce both false positives and false negatives
• However, for a large number of ports this noise is low.
• Use a report noise cancellation factor: send a multiple number of packets and, while reviewing the reports, divide by the same factor
Simulation of Attack
• First scenario: determine the exact set of monitored addresses (accurate but time consuming)
• Second scenario: find a superset and a subset of the monitored addresses
• Use three different attackers:
  > T1: 1.544 Mbps upload bandwidth
  > T3: 38.4 Mbps upload bandwidth
  > OC6: 384 Mbps upload bandwidth
Finding a Superset
• Maximum false positive rate = 0.94
• Report noise cancellation factor = 4
• Runtime of the attack is reduced from 112 to 78 hours
• Accepts around 3.5 million false positives, which had little effect on the number of probes
Finding a Subset
• Maximum false negative rate = 0.001
• Report noise cancellation factor = 2
• Reduces the runtime from 33 days and 17 hours to 15 days and 18 hours
• Reduces the number of probes sent from 9.5 billion to 4.4 billion
• But misses 26% of the sensors
Countermeasures
• Hashing: hash some or all of the fields
• Encryption: encrypt a field with a key that is not publicly available
• Private reports: limit the information in the reports
• Query limiting: limit the rate at which reports can be downloaded
• Sampling: sample the incoming logs for analysis before generating reports
Weaknesses
• Uses an adaptive probe response algorithm, as each round depends on the result of the previous one
• The countermeasures suggested are not very effective
Suggestions
• Develop and evaluate a non-adaptive approach
• Come up with more effective countermeasures