Mapping Internet Sensors with Probe Response Attacks
Authors: John Bethencourt, Jason Franklin, Mary Vernon
Published at: USENIX Security Symposium, 2005
Presented by: Anvita Priyam
Internet Sensor Networks
Used as a tool to detect malicious internet traffic.
e.g. honeypots, log analysis centers
They publish public reports without disclosing sensor locations.
Maintaining sensor anonymity is critical
Overview
Central Idea
Internet Storm Center (ISC) Background
Probe Response Attack
Countermeasures
Weaknesses
Suggestions
Central Idea
This paper presents an attack technique called “Probe Response”.
It is capable of determining the location of internet sensors that publicly display statistics.
It uses the SANS Internet Storm Center as a case study.
Motivation for attack
The focus is on internet sensors that enable collaborative intrusion detection through a wide-area perspective of the internet.
[Figure: sensors at each source send logs to a central statistics repository]
Case Study: The SANS Internet Storm Center (ISC)
A system that collects data from internet sensors and publishes public reports.
It analyzes and aggregates this information and automatically publishes several types of reports.
These reports are useful in detecting new worms and in blacklisting hosts controlled by malicious users.
Port Report
The attack is primarily concerned with port reports.
For each port the report gives three statistics:
> Number of reports: total entries in the log
> Number of sources: distinct source IP addresses with the given port
> Number of targets: distinct destination IP addresses
Example
Probe Response Attack - The Big Picture
Core Idea – Probe an IP address with activity that will be reported to the ISC.
[Flowchart: the attacker sends packets to an address, then checks the reports. If the activity is reported, the host is submitting logs to the ISC (monitored); if not, look for the next IP address.]
Basic Probe Response Algorithm
Consists of two stages.
First Stage
> Begins with an ordered list of IP addresses (0, 1, 2, …) to check.
> All invalid or unroutable addresses are filtered out.
> SYN packets are sent on port P_i to each address in S_i.
First Stage (cont’d)
Wait for 2 hours and retrieve port report
Intervals lacking activity are discarded
Remaining intervals are sent to 2nd stage with number of monitored addresses in each
Second Stage
Repeats until the attack is complete
Distribute the ports among remaining intervals
Divide each interval into subintervals
Send packets to every subinterval except the last
Second Stage (cont’d)
For each subinterval of a remaining interval we retrieve the report.
Number in the last subinterval = (total in that interval) - (number in the other subintervals)
Empty subintervals are discarded.
The remaining subintervals become the new set of remaining intervals.
Continue to divide until only monitored or unmonitored addresses are left.
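A toy simulation of the two-stage search described above, as an added example that is not code from the paper or the presentation. The mock `port_report` plays the role of the ISC port report (number of targets per port, with no background noise); the 64-address space, the hidden monitored set and the port numbers are constructed for illustration. It shows how the count for the last subinterval is inferred rather than probed, and returns the monitored set recovered together with the report rounds and probes that cost.

```python
from typing import Dict, List, Set, Tuple

# Constructed toy setting (assumption, not from the paper): a 64-address "internet"
# and a hidden set of monitored addresses that the search never sees directly.
ADDRESS_SPACE: List[int] = list(range(64))
MONITORED: Set[int] = {5, 6, 21, 40, 41, 42, 63}

def port_report(probes: Dict[int, List[int]]) -> Dict[int, int]:
    """Mock ISC port report with no background noise: the 'number of targets' for a
    port is the count of distinct monitored addresses probed on that port."""
    return {port: len(set(addrs) & MONITORED) for port, addrs in probes.items()}

def probe_response(addrs: List[int], ports: List[int]) -> Tuple[Set[int], int, int]:
    """Two-stage interval search. Returns (monitored addresses found, report rounds,
    probes sent). Each report round models one 'wait and retrieve the port report'."""
    found: Set[int] = set()
    n, rounds, sent = len(ports), 0, 0
    # Stage 1: split the ordered address list into one interval per port.
    size = -(-len(addrs) // n)
    plan = dict(zip(ports, [addrs[i:i + size] for i in range(0, len(addrs), size)]))
    report = port_report(plan)
    rounds, sent = rounds + 1, sent + sum(map(len, plan.values()))
    pending = [(iv, report[p]) for p, iv in plan.items() if report[p] > 0]
    # Stage 2: subdivide every non-empty interval. The last subinterval gets no port;
    # its count is inferred from the interval total minus the other subintervals.
    while pending:
        batch, pending = pending[:n], pending[n:]
        per, free, plan, groups = n // len(batch), iter(ports), {}, []
        for iv, total in batch:
            if total == len(iv):            # every address in this interval is monitored
                found.update(iv)
                continue
            size = -(-len(iv) // min(per + 1, len(iv)))
            subs = [iv[i:i + size] for i in range(0, len(iv), size)]
            used = [next(free) for _ in subs[:-1]]
            plan.update(zip(used, subs))
            groups.append((subs, used, total))
        if not plan:                        # nothing left to probe this round
            continue
        report = port_report(plan)
        rounds, sent = rounds + 1, sent + sum(map(len, plan.values()))
        for subs, used, total in groups:
            counts = [report[p] for p in used]
            counts.append(total - sum(counts))  # inferred count of the last subinterval
            pending.extend((s, c) for s, c in zip(subs, counts) if c > 0)
    return found, rounds, sent

if __name__ == "__main__":
    print(probe_response(ADDRESS_SPACE, [1, 2, 3, 4]))
```

With four ports the search recovers all seven monitored addresses in six report rounds and 125 probes, far fewer than the one-port-per-address approach the limited number of ports rules out.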
Example
Dealing with noise
Sources other than the attacker may be sending packets to monitored addresses with the same destination ports.
This increases the number of targets reported.
It causes the algorithm to produce both false positives and false negatives.
However, for a large number of ports this is low.
Use a report noise cancellation factor: send multiple packets per address and, while reviewing the reports, divide by the same factor.
Simulation of Attack
First scenario- determine exact set of monitored addresses (accurate but time consuming)
Second scenario- finding superset and subset of monitored addresses
Use three different attackers:
T1: 1.544 Mbps upload bandwidth
T3: 38.4 Mbps upload bandwidth
OC6: 384 Mbps upload bandwidth
Results
Finding a Superset
Maximum false positive rate = 0.94
Report noise cancellation factor = 4
Runtime of attacks is reduced from 112 to 78 hours
Accepts around 3.5 million false positives which had little effect on number of probes
Finding a Subset
Maximum false negative rate = 0.001
Report noise cancellation factor = 2
Reduces the runtime from 33 days and 17 hours to 15 days and 18 hours
Reduces the number of probes sent from 9.5 billion to 4.4 billion
But misses 26% of the sensors
Countermeasures
Hashing: hash some or all of the fields
Encryption: encrypt a field with a key that is not publicly available
Private reports: limit the information in the reports
Query limiting: limit the rate at which reports can be downloaded
Sampling: sample the incoming logs for analysis before generating reports
Weaknesses
Uses an adaptive probe response algorithm, as each round depends on the result of the previous one
The countermeasures suggested are not very effective
Suggestions
Develop and evaluate a non-adaptive approach
Come up with more effective countermeasures