
The Afterglow Effect and Peer 2 Peer Networks

The Afterglow Effect and Peer 2 Peer Networks. Jay Radcliffe, June 2010. GIAC: GSEC Gold, GCIH Gold, GCIA Gold, GCFA, GLEG, GLIT, GSPA, GLDR, GPEN, GWAPT. Objective: how statistical analysis can be used to view network connections.





Presentation Transcript


  1. The Afterglow Effect and Peer 2 Peer Networks
     Jay Radcliffe, June 2010
     GIAC: GSEC Gold, GCIH Gold, GCIA Gold, GCFA, GLEG, GLIT, GSPA, GLDR, GPEN, GWAPT
     SANS Technology Institute - Candidate for Master of Science Degree

  2. Objective
     • How can statistical analysis be used to view network connections?
     • What types of connection patterns can be found in peer-to-peer afterglow traffic?
     • Can any pattern or marker be identified that could indicate malicious post-termination connections?

  3. What is P2P Networking?
     • Peer-to-peer networking is a distributed architecture designed to make file sharing more efficient.
     • BitTorrent is a P2P methodology that uses trackers to track who is participating in the sharing of a single torrent, which may contain one or more files.

  4. P2P Afterglow
     • An “afterglow” connection is one that occurs after the client has terminated the P2P session.
     • The tracker removes the client's IP address from the list of participating clients after a certain period of time, usually less than 20 minutes.

  5. Test Setup
     • The client sits behind a firewall with a monitoring box running Snort.
     • Snort rules are set up to record new TCP connections (SYN only) and UDP connections on the specified unique port number.

  6. Test Conditions
     • Initiate a BitTorrent P2P session using a Fedora installation DVD ISO image. Terminate the torrent session after twelve hours.
     • Continue monitoring for 14 hours after termination, tracking afterglow connections.

  7. Test Data Results
     • Connections are tallied in 10-minute increments (e.g. 00:00-00:10: 20 connections).

  8. Results (Quantitative)
     • The data had a non-standard distribution, which skews typical statistical analysis.
     • All three test runs had wide variance in standard deviation and skew.

  9. Results (Qualitative)

  10. Results (Source Country)
     • Whois/ARIN data was used to look up the source countries of the afterglow connections.

  11. Unique Anomaly

  12. Unique Anomaly
     • Theories on why there are spikes every two hours:
       • Unique client code (timeout/retry, cached client list)
       • Dropped or filtered traffic
       • Malicious retry to verify disconnection
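As an added example that is not part of the presentation, the following Python script applies the method of slides 7, 8 and 12 to constructed data: it tallies connection timestamps (as a monitoring box logging SYN-only TCP or UDP hits on the torrent port would record them) into 10-minute bins, computes mean, standard deviation and skew, and reports the spacing of any evenly spaced spikes such as the two-hour pattern described on this slide. The timestamps, the session end time and the function names are assumptions for illustration, not the study's data.

```python
import math
from collections import Counter
from datetime import datetime, timedelta

BIN_MINUTES = 10  # slide 7: connections tallied in 10-minute increments

def tally(timestamps, session_end, hours=14, bin_minutes=BIN_MINUTES):
    """Count connections per bin for `hours` after the session ended (slide 6).
    Timestamps before session_end or past the window are ignored."""
    nbins = hours * 60 // bin_minutes
    counts = [0] * nbins
    for ts in timestamps:
        idx = int((ts - session_end).total_seconds() // 60) // bin_minutes
        if 0 <= idx < nbins:
            counts[idx] += 1
    return counts

def describe(counts):
    """Mean, population standard deviation and skewness of the bins (slide 8)."""
    n = len(counts)
    mean = sum(counts) / n
    sd = math.sqrt(sum((c - mean) ** 2 for c in counts) / n)
    skew = sum((c - mean) ** 3 for c in counts) / n / sd ** 3 if sd else 0.0
    return mean, sd, skew

def spike_period(counts, z=2.0, bin_minutes=BIN_MINUTES):
    """Flag bins more than z standard deviations above the mean as spikes and
    return the most common spacing between them in minutes (None if no spikes)."""
    mean, sd, _ = describe(counts)
    spikes = [i for i, c in enumerate(counts) if c > mean + z * sd]
    gaps = [b - a for a, b in zip(spikes, spikes[1:])]
    if not gaps:
        return None
    return Counter(gaps).most_common(1)[0][0] * bin_minutes

# Constructed sample, not measured data: a slowly decaying trickle of stale
# peers plus a burst every two hours for five rounds, as described on slide 12.
SESSION_END = datetime(2010, 6, 1, 0, 0)
SAMPLE = []
for b in range(84):
    SAMPLE += [SESSION_END + timedelta(minutes=b * 10 + 1)] * max(1, 6 - b // 12)
for r in range(1, 6):
    SAMPLE += [SESSION_END + timedelta(hours=2 * r, minutes=3)] * 25

if __name__ == "__main__":
    counts = tally(SAMPLE, SESSION_END)
    print("mean=%.2f sd=%.2f skew=%.2f" % describe(counts))
    print("spike period (minutes):", spike_period(counts))  # 120
```

Feeding real Snort alert timestamps into `tally` in place of `SAMPLE` gives the same per-bin series the slides tally by hand; a non-None period that matches the client's announce or retry interval points at client behaviour rather than at a malicious reconnect.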

  13. Study Limitations
     • Limited number of trial runs
     • Identical “safe” torrent files
     • Wide variance in data connection rates

  14. Ideas for follow-up research (Directions for the Future)
     • Client identification (certain P2P clients might have a fingerprint or signature)
     • Packet analysis (flags or structure in afterglow connections to identify malicious or non-typical connections)
     • Traffic analysis (do other protocols/attacks exhibit similar patterns, like a 2-hour retry with 5 attempts?)
     • Torrent variance (movies, music, etc.)

  15. Summary
     • Certain qualitative statistical analysis can be used to look at network traffic for anomalies and patterns. Quantitative analysis is more difficult.
     • Unexplained connection patterns exist in P2P afterglow connections.
