The Internet Motion Sensor: A Distributed Blackhole Monitoring System
Authors: Michael Bailey, Evan Cooke, Farnam Jahanian, Jose Nazario, and David Watson
Publication: Proceedings of the 12th Annual Network and Distributed System Security Symposium (NDSS), San Diego, CA, Feb. 2005.
Presenter: Brad Mundt for CAP6133 Spring '08
Motivation
• Stability and integrity of national infrastructure
• Rapidly moving threats
  • Worms
  • DDoS
  • Routing exploits
• Globally scoped: no geographic or topological boundaries
• Evolutionary threats that change faster than signatures can be written
Monitoring
• Dark address space: blocks with no legitimate hosts, so any packet that arrives is the result of misconfiguration or attack, never normal use
• Challenges
  • Sensor coverage: how much address space, and how widely spread, must be watched
  • Service emulation: how much of a service to fake in order to elicit a payload
Internet Motion Sensor (IMS)
• Distributed, globally scoped Internet threat monitoring system
• Three components
  • Sensor network
  • Lightweight responder
  • Payload signatures and caching
Sensor Network
• Designed to measure, characterize, and track threats
• Trades depth for breadth: less in-depth information per sensor, but greater global threat visibility
• Wide and distributed address blocks
  • 28 distinct monitored blocks
  • 18 physical installations
• A query system connects all sensors (beyond the scope of the paper)
Lightweight responder
• Elicits responses across all ports without any application-specific logic
• Service agnostic: responds to SYN requests on every TCP port
• UDP: the payload can arrive in the very first packet, so passive capture is enough
• TCP: the payload arrives only after the connection is established, so the sensor must answer the SYN
Lightweight responder (cont.)
• Passive aspect captures UDP-based attacks
• Active aspect completes the TCP handshake (answers each SYN with a SYN-ACK); the sensor never initiates connections itself
• Eliciting the payload is what differentiates traffic: many threats use the same ports, so the port number alone is not enough
• IMS therefore responds to SYN requests on all ports
Hashing and caching
• MD5-hash each captured payload
• If the hash is new
  • Add the hash to the database
  • Cache the payload for later analysis
• If the hash has already been seen
  • Log the hit only; the payload is not stored again
• The per-hash counts also feed the metrics
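The two responder slides and the hashing slide describe one data path: a transport-agnostic responder that captures UDP payloads passively, SYN-ACKs every TCP port to elicit a payload, and then MD5-keys what it captured so only new payloads are stored. The following Python model is an added illustration written for these notes; it is not the paper's or the IMS implementation. The packet class, the addresses, the ports and the sample payloads are all constructed placeholders, and nothing here touches a real network.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    """Constructed packet model: only the fields the responder looks at."""
    proto: str          # "tcp" or "udp"
    src: str            # source IP (placeholder values below)
    dport: int          # destination port on the monitored dark block
    flags: str = ""     # TCP flag letters: "S" (SYN), "A" (ACK), "PA" (PSH+ACK)
    payload: bytes = b""


@dataclass
class PayloadCache:
    """'Hashing and caching': key payloads by MD5, store each distinct payload once."""
    seen: dict = field(default_factory=dict)   # md5 hex -> (payload, hit count)

    def record(self, payload: bytes) -> tuple[str, bool]:
        digest = hashlib.md5(payload).hexdigest()
        if digest in self.seen:
            stored, count = self.seen[digest]
            self.seen[digest] = (stored, count + 1)   # already seen: count it, do not re-store
            return digest, False
        self.seen[digest] = (payload, 1)              # new: cache payload for analysis
        return digest, True


@dataclass
class LightweightResponder:
    """Service-agnostic responder: passive for UDP, SYN-ACK on every TCP port."""
    cache: PayloadCache = field(default_factory=PayloadCache)
    half_open: set = field(default_factory=set)   # (src, dport) pairs we SYN-ACKed
    log: list = field(default_factory=list)

    def handle(self, pkt: Packet) -> str:
        if pkt.proto == "udp":
            # Passive aspect: a UDP probe carries its payload in the first datagram.
            return self._capture(pkt)
        if pkt.proto != "tcp":
            self.log.append(f"drop {pkt.proto} from {pkt.src}")
            return "drop"
        key = (pkt.src, pkt.dport)
        if pkt.flags == "S":
            # Active aspect: answer SYN on any port so the client sends its payload.
            self.half_open.add(key)
            self.log.append(f"syn-ack {pkt.src}:{pkt.dport}")
            return "syn-ack"
        if key in self.half_open and pkt.payload:
            # TCP payload only shows up after the handshake we completed above.
            return self._capture(pkt)
        # Bare ACKs, or data on a connection we never SYN-ACKed: log and move on.
        self.log.append(f"ignore {pkt.proto} flags={pkt.flags!r} from {pkt.src}:{pkt.dport}")
        return "ignore"

    def _capture(self, pkt: Packet) -> str:
        digest, is_new = self.cache.record(pkt.payload)
        status = "new" if is_new else "seen"
        self.log.append(f"{status} {pkt.proto}/{pkt.dport} md5={digest[:12]} from {pkt.src}")
        return f"{status}-payload"


def run_demo() -> tuple[LightweightResponder, list[str]]:
    """Feed constructed traffic through the responder; returns it plus the action per packet."""
    r = LightweightResponder()
    udp_probe = b"\x04" + b"A" * 16                      # constructed UDP payload
    tcp_probe = b"\x05\x00\x0b\x03" + b"B" * 8           # constructed TCP payload
    traffic = [
        Packet("udp", "198.51.100.7", 1434, payload=udp_probe),
        Packet("tcp", "203.0.113.5", 135, flags="S"),
        Packet("tcp", "203.0.113.5", 135, flags="A"),                 # handshake ACK, no data
        Packet("tcp", "203.0.113.5", 135, flags="PA", payload=tcp_probe),
        Packet("tcp", "203.0.113.9", 135, flags="S"),
        Packet("tcp", "203.0.113.9", 135, flags="PA", payload=tcp_probe),   # same payload, other host
        Packet("tcp", "203.0.113.9", 4444, flags="PA", payload=b"no handshake"),  # never SYN-ACKed
        Packet("udp", "198.51.100.7", 1434, payload=udp_probe),       # repeat of the UDP probe
    ]
    actions = [r.handle(p) for p in traffic]
    return r, actions


if __name__ == "__main__":
    responder, acts = run_demo()
    for line in responder.log:
        print(line)
    print("distinct payloads cached:", len(responder.cache.seen))
```

Two points the model makes concrete: the TCP payload from the second host is recognised as a repeat even though it came from a different source, which is exactly the dedup the hash table buys, and data on a port the sensor never SYN-ACKed is ignored, since without a completed handshake there is no connection for the payload to belong to.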
Metrics
• Worm behaviors
  • Virulence
  • Demographics
  • Propagation
  • Community response
• Scanning
• DDoS
Summary
• A globally scoped Internet monitoring system
• Wide, dark address monitoring (blackhole networking)
• Three components
  • Distributed monitoring infrastructure
  • Lightweight active responder
  • Payload signatures and caching
Contributions
• A wider-scope IMS deployed in dark address blocks
• A lightweight transport-layer responder: answers SYN on any port with no application emulation
• Unique payload caching by hashing
Weaknesses
• Limited analysis possible from the lightweight responder
  • No layer 7 (application) information: only transport-layer handshakes and the first payload
• Sensors could be identified
  • Fingerprinted, for example because they answer SYN-ACK on every port
  • Blacklisted by attackers once identified
How to Improve
• Anti-fingerprinting techniques
  • Sensor rotation
  • Source squelching
  • Blackhole masking with simulated hosts and topology
• Hybrid system
  • Combine host-based sensors with wide address space monitors
• Additional techniques for characterizing attackers
  • OS fingerprinting
  • Firepower calculations