
Traffic Analysis and Risk Assessment of a Medium-Sized ISP


Presentation Transcript


  1. Traffic Analysis and Risk Assessment of a Medium-Sized ISP
     Alan W. Rateliff, II
     • Florida Internet Service Provider
     • Approximately 2000 ADSL users
     • Connections between 256kb/s and 5Mb/s
     • Traffic monitoring between ADSL aggregation device and Internet

  2. The Tool
     • Selected ISP customer DSL traffic is copied to Q-Radar using a network switch “monitor” (mirror/SPAN) port
     • Q-Radar analyzes the captured traffic to identify potentially malicious activity
     • Three primary activities are used as the basis of this presentation
     www.q1labs.com

  3. Traffic Anomalies
     • Protocol and port mismatch: 500kb/s bursts
     • Remote system port scanning: 1.2Mb/s bursts
     • Internet Relay Chat bot-net controls: > 59,000 events over a 12-day period
     • Honorable Mentions
       • “Direct-to-MX” SMTP transactions (customer hosts delivering mail straight to remote mail exchangers instead of the ISP relay; spam, etc.)
       • P2P Networking (BitTorrent, eDonkey, etc.)

  4. Protocol/Port Mismatches
     • Protocol communication on a non-common port
     • Evades port-based blocking and monitoring:
       • Firewalls and ACLs
       • Simple IDS (rules keyed on port number rather than payload content)
     • IANA maintains the official list of commonly used or well-known ports
     • Examples of legitimate port mismatches:
       • SMTP (port 25) on port 587 (message submission)
       • HTTP (port 80) on port 8080 (http-alt)

  5. Remote System Port Scans
     • First stage of an attack on a remote system
     • Probes for services actively accepting connections
     • Discovered services are then probed for known vulnerabilities
     • Can detect services on non-standard ports
     • Can identify operating systems (TCP/IP stack fingerprinting)
     • F/OSS Scanner: nmap (insecure.org)
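The port-scan behaviour described on this slide is visible on the monitored aggregation link as a burst of connection attempts from one customer address. The following is an added example, not the ISP's or Q-Radar's code: a sliding-window detector over flow records that reports a "vertical" scan (one remote host, many ports) or a "horizontal" scan (one port, many remote hosts). The customer address range, the window length, the thresholds and the flow records are all assumptions constructed for illustration.

```python
# Added example (not the ISP's or Q-Radar's code): detecting port scans that
# originate from customer hosts, using flow records of the kind a monitor port
# between the aggregation device and the Internet would yield.  The customer
# address range, thresholds and window length are assumptions, and the flow
# records are constructed for illustration.
import ipaddress
from collections import defaultdict, deque

CUSTOMER_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed ADSL customer pool
WINDOW_S = 60          # sliding window length in seconds (assumption)
PORT_THRESHOLD = 20    # distinct ports on one host within the window => vertical scan
HOST_THRESHOLD = 20    # distinct hosts on one port within the window => horizontal scan


def is_syn_probe(flags):
    """A bare SYN is a connection attempt; SYN/ACK replies and data flows are not probes."""
    return "S" in flags and "A" not in flags


def detect_port_scans(flows, window_s=WINDOW_S,
                      port_threshold=PORT_THRESHOLD, host_threshold=HOST_THRESHOLD):
    """flows: iterable of (timestamp_s, src_ip, dst_ip, dst_port, tcp_flags).

    Returns {(src, kind, target): first_detection_time}, where kind is
    "vertical" (target is the scanned host) or "horizontal" (target is the port).
    Only bare-SYN flows from customer addresses are counted, so a busy but
    normal client, or a remote host scanning into the ISP, is not reported here.
    """
    recent = defaultdict(deque)   # src -> deque of (ts, dst, dport) inside the window
    alerts = {}
    for ts, src, dst, dport, flags in sorted(flows):
        if ipaddress.ip_address(src) not in CUSTOMER_NET or not is_syn_probe(flags):
            continue
        q = recent[src]
        q.append((ts, dst, dport))
        while ts - q[0][0] > window_s:   # drop probes older than the window
            q.popleft()
        ports_by_host = defaultdict(set)
        hosts_by_port = defaultdict(set)
        for _, d, p in q:
            ports_by_host[d].add(p)
            hosts_by_port[p].add(d)
        for d, ports in ports_by_host.items():
            if len(ports) >= port_threshold:
                alerts.setdefault((src, "vertical", d), ts)
        for p, hosts in hosts_by_port.items():
            if len(hosts) >= host_threshold:
                alerts.setdefault((src, "horizontal", p), ts)
    return alerts


def build_sample_flows():
    """Constructed flow records: two scanners, one normal browser, one slow scanner."""
    flows = []
    # Vertical scan: a customer walks ports 1-40 on a single remote host, one SYN per second.
    for i in range(40):
        flows.append((float(i), "10.0.0.5", "203.0.113.10", 1 + i, "S"))
    # Horizontal scan: another customer hits TCP/445 on 30 different remote hosts.
    for i in range(30):
        flows.append((100.0 + i, "10.0.0.9", f"198.51.100.{1 + i}", 445, "S"))
    # Benign browsing: repeated connections to ports 80 and 443 on one host, with replies.
    for i in range(15):
        flows.append((200.0 + i, "10.0.0.7", "93.184.216.34", 443 if i % 2 else 80, "S"))
        flows.append((200.5 + i, "93.184.216.34", "10.0.0.7", 51000 + i, "SA"))
    # Slow scan: 40 ports spread one minute apart, which this window never aggregates.
    for i in range(40):
        flows.append((1000.0 + 60.0 * i, "10.0.0.3", "203.0.113.20", 1000 + i, "S"))
    return flows


if __name__ == "__main__":
    for (src, kind, target), ts in sorted(detect_port_scans(build_sample_flows()).items()):
        print(f"t={ts:7.1f}s  {src}  {kind} scan  target={target}")
```

The slow scanner in the sample is deliberately missed: with a 60-second window it never has more than two probes in view, which is the usual trade-off between window length and memory when this runs on a live aggregation link.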

  6. Internet Relay Chat (IRC) Connections
     • Internet-based “chat rooms” called “channels”
     • Bot-net clients connect and idle in protected channels (e.g. key-protected, mode +k, or invite-only)
     • Bot Master issues commands to clients via the protected channel
     • Standard IRC port is 6667 (defined by RFC 1459 and 2812)
     • Can make use of port mismatching to evade port-based monitoring
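Slides 4 and 6 describe the same detection problem from two sides: recognising a protocol by its content rather than its port, then flagging the cases where the port does not fit, with IRC bot-net control channels as the motivating case. The following is an added example, not the ISP's or Q-Radar's code: signature-based protocol identification on the first client payload of a flow, a mismatch check against the IANA well-known port with an allowance for the legitimate alternates (587 and 8080 from slide 4), and, for IRC, extraction of channel joins that carry a key. The signature set, the additional IRC alternate ports and the sample flows are assumptions constructed for illustration.

```python
# Added example (not the ISP's or Q-Radar's code): identifying the application
# protocol from the first client payload of a flow, flagging it when the
# destination port does not fit, and, for IRC, pulling out channel joins that
# carry a key, the kind of protected channel the slides associate with bot-net
# control.  The signature set, the allowed alternate ports beyond the 587 and
# 8080 examples on the slide, and the sample flows are assumptions constructed
# for illustration.
import re

# Payload signatures for a few protocols; content-based, so a service hidden on
# an unexpected port is still recognised.  Illustrative, not exhaustive.
SIGNATURES = [
    ("HTTP", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")),
    ("SMTP", re.compile(rb"^(EHLO|HELO) [^\r\n]+\r\n")),
    ("IRC",  re.compile(rb"^(PASS|NICK|USER) [^\r\n]+\r\n")),
    ("SSH",  re.compile(rb"^SSH-2\.0-")),
]

# IANA well-known port for each protocol, plus alternates an ISP would not want
# to alert on (587 submission and 8080 http-alt from the slide; the 6660-6669
# range and 6697 for IRC over TLS are assumed additions).
WELL_KNOWN = {"HTTP": 80, "SMTP": 25, "IRC": 6667, "SSH": 22}
KNOWN_ALTERNATES = {
    "HTTP": {8080},
    "SMTP": {587},
    "IRC": set(range(6660, 6670)) | {6697},
}

# "JOIN <channel> [<key>]" on its own line; a key means the channel is protected (+k).
IRC_JOIN = re.compile(rb"^JOIN (?P<chan>[#&][^\s,]+)(?: (?P<key>\S+))?\r?$", re.MULTILINE)


def identify_protocol(payload):
    """Return the protocol name whose signature matches the start of the payload, or None."""
    for name, sig in SIGNATURES:
        if sig.match(payload):
            return name
    return None


def classify_flow(dport, payload):
    """Return (protocol, verdict); verdict is standard, known-alternate, mismatch or unknown."""
    proto = identify_protocol(payload)
    if proto is None:
        return None, "unknown"
    if dport == WELL_KNOWN[proto]:
        return proto, "standard"
    if dport in KNOWN_ALTERNATES.get(proto, set()):
        return proto, "known-alternate"
    return proto, "mismatch"


def irc_channel_joins(payload):
    """Extract (channel, key) pairs from an IRC client payload; key is None for open channels."""
    return [(m.group("chan").decode(), m.group("key").decode() if m.group("key") else None)
            for m in IRC_JOIN.finditer(payload)]


def assess_flows(flows):
    """flows: iterable of (src, dst, dport, first_client_payload).  Returns a list of findings."""
    findings = []
    for src, dst, dport, payload in flows:
        proto, verdict = classify_flow(dport, payload)
        if verdict == "mismatch":
            findings.append((src, dst, dport, proto, "mismatch"))
        if proto == "IRC":
            for chan, key in irc_channel_joins(payload):
                if key:   # keyed channel: the protected control channel the slide describes
                    findings.append((src, dst, dport, proto, f"keyed-channel:{chan}"))
    return findings


# Constructed sample flows: (src, dst, dst_port, first client payload).
SAMPLE_FLOWS = [
    ("10.0.0.5",  "203.0.113.10", 80,   b"GET / HTTP/1.1\r\nHost: www.example.net\r\n\r\n"),
    ("10.0.0.6",  "203.0.113.11", 8080, b"GET /status HTTP/1.1\r\nHost: proxy.example.net\r\n\r\n"),
    ("10.0.0.7",  "203.0.113.12", 587,  b"EHLO dsl-10-0-0-7.example.net\r\n"),
    ("10.0.0.9",  "203.0.113.14", 443,  b"SSH-2.0-OpenSSH_8.9\r\n"),
    ("10.0.0.10", "203.0.113.15", 80,   b"NICK bot1234\r\nUSER bot 0 * :bot\r\nJOIN #ctrl s3cret\r\n"),
    ("10.0.0.11", "203.0.113.16", 6667, b"NICK alice\r\nUSER alice 0 * :Alice\r\nJOIN #linux\r\n"),
    ("10.0.0.12", "203.0.113.17", 4444, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"),
]

if __name__ == "__main__":
    for finding in assess_flows(SAMPLE_FLOWS):
        print(finding)
```

In the sample, HTTP on 8080 and SMTP on 587 pass as known alternates, SSH on 443 is reported as a plain mismatch, and the IRC client on port 80 produces both a mismatch and a keyed-channel finding; the TLS-looking payload on 4444 is left as unknown rather than guessed at, which is the honest result for a signature set this small.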

  7. Mitigating Violations
     Pro
     • Increases end-user security and satisfaction
     • Decreases network loads
     • Increases network usability
     Con
     • Potential information leaks
     • Potentially subject to disclosure
     • Information could be abused
     • Other privacy concerns

  8. Discussion
     • Strict policy and legal controls, with enforcement, can mitigate the privacy concerns
     • Other pros and cons
     • Questions and comments
