
The Internet Motion Sensor: A Distributed Blackhole Monitoring System

The Internet Motion Sensor: A Distributed Blackhole Monitoring System. Authors: Michael Bailey, Evan Cooke, Farnam Jahanian, Jose Nazario, and David Watson Publication: Proceedings of the 12th Annual Network and Distributed System Security Symposium (NDSS), San Diego, CA, Feb. 2005.


Presentation Transcript


  1. The Internet Motion Sensor: A Distributed Blackhole Monitoring System
     Authors: Michael Bailey, Evan Cooke, Farnam Jahanian, Jose Nazario, and David Watson
     Publication: Proceedings of the 12th Annual Network and Distributed System Security Symposium (NDSS), San Diego, CA, Feb. 2005.
     Presenter: Brad Mundt for CAP6133 Spring '08

  2. Motivation
     • Stability and integrity of national infrastructure
     • Rapidly moving threats
       • Worms
       • DDOS
       • Routing exploits
     • Globally scoped
       • No geographic or topological boundaries
     • Evolutionary threats

  3. Monitoring
     • Dark address space
       • No legitimate hosts, so any traffic that arrives is either:
       • Misconfiguration
       • Attack
     • Challenges
       • Sensor coverage
       • Service emulation

  4. Internet Monitoring System (IMS)
     • Distributed, globally scoped Internet threat monitoring system
     • Sensor network
     • Lightweight responder
     • Payload signature and caching

  5. IMS Architecture

  6. Sensor Network
     • Designed to measure, characterize, and track
     • Less in-depth information per sensor, in exchange for increased global threat visibility
     • Wide and distributed address blocks
       • 28 distinct monitored blocks
       • 18 physical installations
     • Query system to connect all sensors
       • Beyond the scope of the paper

  7. Lightweight responder
     • Gets responses across ports without application-related information
     • Service agnostic: responds to SYN requests on all ports
     • In a UDP exchange, the payload can arrive in the first packet
     • In TCP connections, the payload arrives only after the connection is established

  8. Lightweight responder: Infection responses by target (figure)

  9. Lightweight responder
     • Passive aspect captures UDP-based attacks
     • Active aspect completes the TCP connection
       • Elicits the payload, which is used to differentiate traffic
     • Many threats use the same ports
       • IMS responds to SYN requests on all ports

  10. Lightweight responder: Differentiate services (figure)

  11. Hashing and caching
     • MD5 hash the packet payload
     • If new
       • Add hash to DB
       • Cache payload for analysis
     • If already seen
       • Log
     • Also good for metrics
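The two mechanisms on slides 7, 9 and 11 (the service-agnostic responder that answers every SYN and reads UDP payloads passively, and the MD5 hash-and-cache step that stores each distinct payload once) fit together in a few dozen lines. The following is an added illustration, not code from the IMS authors or the presenter; the packet structure, the sample trace and the "syn-ack"/"new"/"seen"/"ignored" action labels are assumptions made for this example.

```python
"""Toy model of an IMS-style blackhole sensor: lightweight responder plus
payload hashing and caching (added example, not the paper's code)."""
import hashlib
from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    """Minimal view of a packet arriving at a dark (unused) address."""
    proto: str            # "tcp" or "udp"
    src: str              # source IP (constructed sample values below)
    dport: int            # destination port
    flags: str = ""       # TCP flags, e.g. "S" (SYN) or "PA" (PSH+ACK)
    payload: bytes = b""  # transport payload, if any


@dataclass
class BlackholeSensor:
    """Sensor for a dark block: no legitimate host answers, so every packet
    is either misconfiguration or attack traffic worth recording."""
    db: set = field(default_factory=set)         # MD5 digests already seen
    cache: dict = field(default_factory=dict)    # digest -> first payload copy
    half_open: set = field(default_factory=set)  # (src, dport) we SYN-ACKed
    log: list = field(default_factory=list)      # (src, dport, digest, status)
    by_port: Counter = field(default_factory=Counter)  # (proto, dport) -> hits

    def handle(self, pkt: Packet) -> str:
        """Process one packet and return the action the sensor took."""
        if pkt.proto == "udp":
            # Passive aspect: UDP carries its payload in the first packet,
            # so there is nothing to elicit; hash it straight away.
            return self._record(pkt) if pkt.payload else "empty"
        if "S" in pkt.flags and "A" not in pkt.flags:
            # Active aspect: answer every SYN on every port without knowing
            # which service the sender expects (service agnostic).
            self.half_open.add((pkt.src, pkt.dport))
            return "syn-ack"
        if (pkt.src, pkt.dport) in self.half_open and pkt.payload:
            # TCP payload only shows up after the handshake completed.
            return self._record(pkt)
        return "ignored"

    def _record(self, pkt: Packet) -> str:
        """Hash the payload; cache it if new, otherwise just log the hit."""
        digest = hashlib.md5(pkt.payload).hexdigest()
        self.by_port[(pkt.proto, pkt.dport)] += 1      # metrics input
        if digest not in self.db:
            self.db.add(digest)
            self.cache[digest] = pkt.payload           # one copy for analysts
            self.log.append((pkt.src, pkt.dport, digest, "new"))
            return "new"
        self.log.append((pkt.src, pkt.dport, digest, "seen"))
        return "seen"


# Constructed sample trace (not real captured traffic): two UDP probes with
# the same payload, two TCP sessions carrying the same payload, and one TCP
# data packet from a source that never completed a handshake.
SAMPLE_TRACE = [
    Packet("udp", "192.0.2.10", 1434, payload=b"CONSTRUCTED-UDP-PROBE"),
    Packet("tcp", "192.0.2.11", 445, flags="S"),
    Packet("tcp", "192.0.2.11", 445, flags="PA", payload=b"CONSTRUCTED-TCP-PAYLOAD"),
    Packet("tcp", "192.0.2.12", 445, flags="S"),
    Packet("tcp", "192.0.2.12", 445, flags="PA", payload=b"CONSTRUCTED-TCP-PAYLOAD"),
    Packet("tcp", "192.0.2.13", 80, flags="PA", payload=b"NO-HANDSHAKE"),
    Packet("udp", "192.0.2.10", 1434, payload=b"CONSTRUCTED-UDP-PROBE"),
]


def run_trace(trace=SAMPLE_TRACE):
    """Feed a trace through a fresh sensor; return it and the action list."""
    sensor = BlackholeSensor()
    actions = [sensor.handle(p) for p in trace]
    return sensor, actions


if __name__ == "__main__":
    sensor, actions = run_trace()
    print("actions:", actions)
    print("distinct payloads cached:", len(sensor.cache))
    print("hits per (proto, port):", dict(sensor.by_port))
```

Running the script shows why the cache stays small while the log keeps growing: the seven packets yield only two distinct payload digests, and the data packet that arrives without a prior SYN-ACK is ignored because the responder never opened that session. The per-port counter is the raw material for the scanning and worm-presence metrics on the later slides.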

  12. Metrics
     • Worm behaviors
       • Virulence
       • Demographics
       • Propagation
       • Community response
     • Scanning
     • DDOS

  13. Worm lifecycle

  14. Worm presence

  15. Scanning

  16. DDOS

  17. Summary
     • A globally scoped Internet monitoring system
     • Wide, dark address monitoring
     • Blackhole networking
     • Three components
       • Distributed monitoring infrastructure
       • Lightweight active responder
       • Payload signatures and caching

  18. Contributions
     • A wider-scope IMS in dark address blocks
     • Layer 3 lightweight responder
     • Unique payload caching by hashing

  19. Weaknesses
     • Limited analysis from the lightweight responder
       • No layer 7 information, all layer 3
     • Sensors could be identified
       • Fingerprinted
       • Blacklisted

  20. How to Improve
     • Anti-fingerprinting techniques
       • Sensor rotation
       • Source squelching
       • Blackhole masking with simulated hosts and topology
     • Hybrid system
       • Combine host-based sensors with wide address space monitors
     • Additional techniques for characterizing attackers
       • OS fingerprinting
       • Firepower calculations

  21. The End. Thank you.