
The UCSD Network Telescope A Real-time Monitoring System for Tracking Internet Attacks 

The UCSD Network Telescope: A Real-time Monitoring System for Tracking Internet Attacks. Stefan Savage, David Moore, Geoff Voelker, and Colleen Shannon, Department of Computer Science and Engineering & Cooperative Association for Internet Data Analysis (at SDSC)



  1. The UCSD Network Telescope: A Real-time Monitoring System for Tracking Internet Attacks
     Stefan Savage, David Moore, Geoff Voelker, and Colleen Shannon
     Department of Computer Science and Engineering & Cooperative Association for Internet Data Analysis (at SDSC)
     University of California, San Diego

  2. Context
     • The Internet has an open communications model
       • Benefits: Flexible communication, application innovation
       • Drawbacks: Many opportunities for abuse
     • The Dark Side to the Internet
       • Denial-of-Service Attacks
       • Network Worms and Viruses
       • Automated Scanning/Break-in Tools
       • Etc…
     • Question: How big a problem is it really?

  3. Media – “The sky is falling… every day”

  4. Consulting Groups & Surveys
     • Consultancy estimates
       • “Losses … could total more than $1.2 billion” (Yankee Group report on yr 2000 DDoS attacks)
       • Cost of Slammer worm $750M-$1B (Computer Economics report on yr 2000 DDoS attacks)
       • Others say numbers are different
       • Data source, methodology, error, biases unknown
     • Surveys
       • E.g. CSI/FBI survey reported 38% of respondents encountered DoS activity in 2000
     • Summary of anecdotes = good data?

  5. Why is this so hard?
     • Quantitative attack data isn’t available
       • Inherently hard to acquire
       • Few content or service providers collect such data
       • If they do, it’s usually considered sensitive
     • Infeasible to collect at Internet scale
       • How to monitor enough of the Internet to obtain a representative sample?
       • How to manage thousands of bilateral legal negotiations?
       • Data would be out of date as soon as collected

  6. Network Telescopes
     • A way to observe global network phenomena with only local monitoring
     • Key observation: a large class of attacks use random addresses
       • Worms frequently select new hosts to infect at random
       • Many DoS attacks hide their source by randomizing source addresses
     • Network Telescope
       • A monitor that records packets sent to a large range of unused Internet addresses
       • Since attacks are random, a telescope samples attacks

  7. Example: Monitoring Worm Attacks
     • Infected host scans for other vulnerable hosts by randomly generating IP addresses

  8. What can we infer?
     • How quickly is the worm spreading?
     • Which hosts are infected and when?
     • Where are they located?
     • How quickly are vulnerabilities being fixed?
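The sampling argument of slides 6 to 8 (random-target scanning, a telescope seeing a fixed fraction of the address space, scaling the sample back up to a global estimate) can be exercised with a small simulation. This is an added example, not code from the UCSD telescope project. It assumes a /8 telescope (1/256 of IPv4, as on the slides), infected hosts that pick every probe target uniformly at random, and a fixed number of probes per host; all traffic is constructed in memory. The `detection_probability` function goes a little beyond the slides by giving the general formula for how telescope size affects how soon a single scanning host is noticed.

```python
"""Simulate a random-scanning worm as seen from a network telescope.

Added example (not the UCSD project's code). Assumptions, all mine:
a /8 telescope, uniformly random 32-bit probe targets, a constant number of
probes per infected host, and a fixed observation window.
"""
import random
from collections import Counter

TELESCOPE_PREFIX_LEN = 8                           # a /8 telescope
TELESCOPE_FRACTION = 2.0 ** -TELESCOPE_PREFIX_LEN  # 1/256 of the address space
TELESCOPE_FIRST_OCTET = 10                         # constructed: monitor 10.0.0.0/8


def in_telescope(addr: int) -> bool:
    """True if a 32-bit integer address falls inside the monitored /8."""
    return (addr >> (32 - TELESCOPE_PREFIX_LEN)) == TELESCOPE_FIRST_OCTET


def simulate_scans(num_infected: int, probes_per_host: int, seed: int = 1) -> Counter:
    """Return what the telescope records: probes seen, keyed by infected source.

    Every infected host sends `probes_per_host` probes to uniformly random
    addresses; only the probes that land in the telescope are kept, which is
    exactly the sampling the slides describe.
    """
    rng = random.Random(seed)
    sources = [rng.getrandbits(32) for _ in range(num_infected)]
    observed = Counter()
    for src in sources:
        for _ in range(probes_per_host):
            if in_telescope(rng.getrandbits(32)):
                observed[src] += 1
    return observed


def infer_from_telescope(observed: Counter, window_seconds: float) -> dict:
    """Scale the sampled view up to global estimates.

    Each probe seen stands for about 1/TELESCOPE_FRACTION probes sent
    Internet-wide, and every distinct source seen is an infected host
    (the "which hosts are infected" question on slide 8).
    """
    probes_seen = sum(observed.values())
    est_global_probes = probes_seen / TELESCOPE_FRACTION
    return {
        "infected_hosts_seen": len(observed),
        "probes_seen": probes_seen,
        "est_global_probes": est_global_probes,
        "est_global_probe_rate_per_s": est_global_probes / window_seconds,
    }


def detection_probability(probes_sent: int, prefix_len: int) -> float:
    """Probability that a telescope of the given prefix length sees at least
    one of `probes_sent` uniformly random probes from a single host.
    Larger telescopes (smaller prefix_len) reach a given confidence sooner,
    which is the "size does matter" point of slide 11.
    """
    return 1.0 - (1.0 - 2.0 ** -prefix_len) ** probes_sent


if __name__ == "__main__":
    view = simulate_scans(num_infected=100, probes_per_host=10_000)
    print(infer_from_telescope(view, window_seconds=60.0))
    for plen in (8, 16, 24):
        print(f"/{plen} telescope, 1000 probes: P(seen) = {detection_probability(1000, plen):.4f}")
```

With 100 hosts each sending 10,000 probes, the telescope expects 100 × 10,000 / 256 ≈ 3,906 probes and sees all 100 sources, since the chance a host sends 10,000 random probes with none entering a /8 is negligible; a /24 telescope, by contrast, would see roughly one probe per host per 16.7 million probes, which is why the slides stress the size of the monitored block.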

  9. Example: Monitoring Denial-of-Service Attacks
     • Attacker floods the victim with requests using random spoofed source IP addresses
     • Victim believes requests are legitimate and responds to each spoofed address
     • Network telescope can infer that a site sending unsolicited reply packets is being attacked

  10. What can we infer?
     • Number of attacks?
     • How big are they? How long?
     • Who is being attacked?
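The inference on slides 9 and 10 is backscatter analysis: a victim of a spoofed-source flood replies to addresses that never contacted it, and a telescope monitoring unused space receives a slice of those replies. The script below is an added example, not the UCSD project's code; it answers the three questions of slide 10 (how many attacks, how big and how long, who is the victim) over a handful of packet records I constructed in a minimal "timestamp src dst proto flags" format, assuming a /8 telescope (1/256 of IPv4) and TEST-NET addresses for the hosts involved.

```python
"""Backscatter analysis over constructed network-telescope packet records.

Added example, not code from the UCSD Network Telescope. Assumptions (mine):
a /8 telescope, a simplified record format "ts src dst proto flags", and the
reply types listed in BACKSCATTER_SIGNATURES as the ones a host only sends
in response to traffic it received.
"""
from collections import defaultdict

TELESCOPE_FRACTION = 1 / 256  # a /8 telescope, as on the slides

# A host sends these only in reply to something it received. Arriving at an
# unused address, they are unsolicited, so the *source* is the victim.
BACKSCATTER_SIGNATURES = {
    ("tcp", "SA"),            # SYN/ACK: reply to a spoofed SYN flood on an open port
    ("tcp", "R"),             # RST: reply to a spoofed SYN on a closed port
    ("tcp", "RA"),
    ("icmp", "echo-reply"),   # reply to spoofed pings
    ("icmp", "unreach"),      # port/host unreachable, e.g. reply to spoofed UDP
}

# Constructed sample: 203.0.113.5 and 192.0.2.44 reply into the unused
# 10.0.0.0/8 block; 198.51.100.9 sends a plain SYN, which is a probe, not backscatter.
SAMPLE_RECORDS = """\
1000.0 203.0.113.5 10.4.7.2 tcp SA
1000.2 203.0.113.5 10.200.1.9 tcp SA
1000.5 198.51.100.9 10.1.1.1 tcp S
1001.0 203.0.113.5 10.33.21.7 tcp SA
1002.0 203.0.113.5 10.0.9.9 tcp RA
1003.9 203.0.113.5 10.77.0.1 tcp SA
1100.0 192.0.2.44 10.5.5.5 icmp echo-reply
1100.1 192.0.2.44 10.6.6.6 icmp echo-reply
"""


def parse_records(text: str) -> list:
    """Parse the constructed record format into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, flags = line.split()
        records.append({"ts": float(ts), "src": src, "dst": dst,
                        "proto": proto, "flags": flags})
    return records


def is_backscatter(rec: dict) -> bool:
    """Unsolicited reply types are the backscatter of a spoofed flood."""
    return (rec["proto"], rec["flags"]) in BACKSCATTER_SIGNATURES


def find_attacks(records: list, min_packets: int = 2) -> list:
    """Group unsolicited replies by their source (the victim) and size each attack.

    Each reply seen represents about 1/TELESCOPE_FRACTION replies sent
    Internet-wide, and the victim sent one reply per spoofed attack packet,
    so the scaled count also estimates the size of the flood it received.
    """
    by_victim = defaultdict(list)
    for rec in records:
        if is_backscatter(rec):
            by_victim[rec["src"]].append(rec["ts"])

    attacks = []
    for victim, times in by_victim.items():
        if len(times) < min_packets:      # ignore stray single replies
            continue
        times.sort()
        duration = times[-1] - times[0]
        est_total = len(times) / TELESCOPE_FRACTION
        attacks.append({
            "victim": victim,
            "packets_seen": len(times),
            "duration_s": duration,
            "est_total_packets": est_total,
            "est_rate_pps": est_total / duration if duration > 0 else None,
        })
    return sorted(attacks, key=lambda a: a["victim"])


if __name__ == "__main__":
    for attack in find_attacks(parse_records(SAMPLE_RECORDS)):
        print(attack)
```

On the sample, 203.0.113.5 is reported with 5 replies over 3.9 s (about 1,280 packets Internet-wide), 192.0.2.44 with 2 ICMP echo replies, and 198.51.100.9 is not reported, because a bare SYN is something a host sends on its own initiative; in real telescope data the same rule separates scanning worms from DoS backscatter.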

  11. What’s special about the UCSD Network Telescope?
     • Our Telescope is very large, and size does matter
       • The more addresses monitored, the more accurate, quick and precise the results
     • We have access to more than 1/256 of all Internet addresses (> 16M IP addresses)
       • Unprecedented insight into global attack activity
       • Can detect new attacks and worms in seconds with low error
     Special thanks to Jim Madden & Brian Kantor from UCSD Network Operations, whose support makes this research possible

  12. Summary
     • High quality global estimates on Internet security events (Worms, DDoS)
       • ~4000 DoS attacks per week; attacks on network infrastructure
       • Have observed worms spreading faster than 50M hosts per second
       • Collecting ongoing longitudinal data set (20GB/day)
     • Impact of data & methodology
       • Research: widely used in modeling network attacks and designing defenses
       • Operational Practice: identifies infected hosts and sites being attacked; variant of backscatter analysis now used by top ISPs
       • Policy: helps justify and prioritize resources appropriately

  13. Current Work
     • Network Honeyfarm
       • Cluster of dummy servers whose sole purpose is to be infected and observed
       • Collect detailed analysis of new attacks
       • Can be extended to capture non-random attacks (e.g. e-mail, instant messenger), which is a weakness of the telescope
     • Automated network defenses
       • Automatically detect, characterize and suppress new network attacks or outbreaks
       • Respond orders of magnitude more quickly than humans can
