Network Measurements: Unused IP address space traffic analysis at SSSUP Campus Network

Network Measurements: Unused IP address space traffic analysis at SSSUP Campus Network Francesco Paolucci, Piero Castoldi Research Unit at Scuola Superiore Sant’Anna, Pisa, Italy Italy-Tunisia Research Project sponsored by MIUR under FIRB International program 1° year plenary meeting, Tunis, March 29, 2007


Page 1: Network Measurements: Unused IP address space traffic analysis at SSSUP Campus Network

Francesco Paolucci, Piero Castoldi
Research Unit at Scuola Superiore Sant’Anna, Pisa, Italy

Italy-Tunisia Research Project sponsored by MIUR under FIRB International program
1° year plenary meeting, Tunis, March 29, 2007

Page 2: Unused address space traffic

Capturing Internet traffic sent to unused IP address space can give information about attacks towards the target subnetwork.

Since there is no legitimate reason for a host to send packets to those destinations, such traffic provides strong evidence of malicious activity, including DDoS backscatter, port scanning, and probe activity from active worms.

Page 3: Useful Tools

Two kinds of tools acquire information about unused traffic:

• Network telescopes
– They work by monitoring traffic sent to communication dead-ends such as unallocated portions of the IP address space.
– They can potentially provide early warning of a scanning-worm outbreak, and can yield excellent forensic information.

• Honeypots
– They are closely monitored network decoys serving several purposes.
– They can distract adversaries from more valuable machines on a network.
– They allow in-depth examination of adversaries during and after exploitation of a honeypot.

When coupled with honeypots, telescopes can be used to interact with potentially malicious traffic in order to determine the intent behind the traffic, including particular vulnerabilities being exploited and follow-on activity after a compromise succeeds.

Page 4: SSSUP Unused traffic dumping

Scuola Superiore Sant’Anna Campus Network
• 8 different sites in Pisa and Pontedera
• Average incoming traffic: 25 Mbit/s
• 4 class-C address space
• Total IP address space = 1016
• Utilized IP address space = 162 (16%)

[Diagram: NETWORK SNIFFER & ANALYZER]

Measurement Tools
• Linux Box PC equipped with high performance INTEL Network Interface Card
• Sniffer: Dumpcap (Wireshark Suite)
• Analyzer and offline filtering: Tshark & Wireshark
• Dumping point: Last switch to GARR Net, NO NAT, NO FIREWALL.

Page 5: Dumping methodology

• Only incoming traffic tracing
• 1-hour long dumping twice a day for a week
– Most of the anomalous activities last less than 1 hour
– Day-time and night-time traces give indications about high and low human user traffic characteristics
• Light online filtering
• Complex offline filtering (entire IP address space set filter)
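The two filtering steps above, the light online capture filter on dumpcap and the offline "entire unused address space set" display filter on tshark, as an added example that is not the authors' script: the campus networks and the hosts in use are constructed placeholders (documentation and benchmark ranges), and `-Y` is tshark's display-filter option.

```python
"""Offline 'unused address space' filtering step of the dumping methodology:
turn the campus networks and the list of hosts in use into the capture filter
(light online filtering, incoming traffic only) and the tshark display filter
that keeps only packets addressed to unused hosts.  Added example, not the
authors' script; the networks and used hosts below are constructed
placeholders (documentation/benchmark ranges), not SSSUP's real addresses."""
import ipaddress

# Constructed: four class-C networks standing in for the campus's 4 x /24.
CAMPUS_NETS = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24", "198.18.0.0/24"]
# Constructed: hosts actually assigned (the study counted 162 of 1016).
USED_HOSTS = ["192.0.2.1", "192.0.2.10", "198.51.100.1", "203.0.113.1", "198.18.0.1"]

def capture_filter(nets):
    """BPF filter for dumpcap -f: only traffic destined to the campus networks."""
    return " or ".join(f"dst net {n}" for n in nets)

def unused_hosts(nets, used):
    """Host addresses (network and broadcast excluded, so a /24 contributes 254,
    matching the slide's 4 x 254 = 1016) that are not in the used list."""
    used_set = {ipaddress.ip_address(h) for h in used}
    return [h for n in nets for h in ipaddress.ip_network(n).hosts() if h not in used_set]

def unused_blocks(nets, used):
    """The unused hosts collapsed into the fewest CIDR blocks."""
    return list(ipaddress.collapse_addresses(unused_hosts(nets, used)))

def display_filter(nets, used):
    """Wireshark/tshark display filter: destination inside any unused block."""
    return " || ".join(f"ip.dst == {b.with_prefixlen}" for b in unused_blocks(nets, used))

def tshark_command(pcap, nets, used):
    """argv for the offline pass over a dumpcap file (-Y applies a display filter)."""
    return ["tshark", "-r", pcap, "-Y", display_filter(nets, used)]
```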

Page 6: Global traffic results: 25 Mbit/s

[Chart: TCP traffic by destination port. Legend: High ports (P2P, Spam), HTTP (80), P2P server, Port 8080, SMTP (25), HTTPS (443), SSH (22), POP (110), Messenger (1863), FTP (21). Slice values shown: 68%, 16%, 12%, 2%, 2%, 1%, 1%, 1%, 0%, 0%.]

[Chart: UDP traffic by destination port. Legend: High ports, Edonkey (4662, 4672), DNS (53), OICQ (8000), MSN (1863). Slice values shown: 82%, 12%, 6%, 1%, 0%.]

TCP packets (86%), UDP packets (13%)

About 80% of the traffic is driven by peer-to-peer applications. Within high-ports traffic (src and dst > 1024) the port values are spread out (no particular values emerge): p2p applications choose random high ports.

Page 7: Unused traffic main results

• Traffic to unused addresses represents 0.2% of the total incoming packets on the whole subnet.
• 4 pkts/s, average rate 6 kbit/s
• Traffic activity profile is constant and independent of the time of day (no profile differences between day and night time)
• Almost all of the traffic consists of (TCP) SYN or (UDP) spam packets

Page 8: Packets statistics

Traffic protocol distribution: TCP 54%, UDP 32%, ICMP 14%

[Bar chart: Packet length distribution (%). Bins (bytes): 0-19, 20-39, 40-79, 80-159, 160-319, 320-639, 640-1279, 1280-2559. Bar values shown: 67.61, 29.52, 0.89, 0.02, 0.01.]

• TCP and ICMP packets are quite short (SYN, PING = 70 bytes long)
• UDP packets are longer (500 bytes long)

Page 9: Unused traffic sources

Source IP         Packets   % Total Packets
193.194.89.102    9306      5%
193.205.39.28     5822      3%
74.7.94.205       4200      2.2%
193.111.95.32     4180      2.2%
12.161.101.51     3912      2%
221.209.110.8     3558      1.9%
207.176.236.7     3546      1.8%
221.209.110.13    3469      1.8%
222.28.80.5       3400      1.8%
202.97.238.200    3163      1.6%

Page 10: TCP destination ports statistics

[Chart: TCP destination ports. Legend: MICROSOFT-DS SYN 445, EPMAP SYN 135, SSH 22, NETBIOS-SSN 139, ECHO SYN 7, POP3 110, IMAP 143, FTP 21, HTTP 80, VETTCP 78, RADMIN 4899, MS-SQL-S 1433, DOMAIN SYN 53, SMTP 25, Other. Slice values shown: 54%, 18%, 5%, 3%, 2%, 2%, 2%, 2%, 2%, 1%, 1%, 1%, 0%, 0%, 7%.]

• Port 445 (Microsoft-DS: Active Directory, Windows shares; Sasser, Agobot, Zobot worms)
• Port 135 (EPMAP (End Point Mapper) / Microsoft RPC Locator Service; Nachi or MSBlast worms)
• Port 22 (SSH SYN)
These three ports represent more than 75% of the total TCP traffic.

Page 11: UDP destination ports statistics

[Chart: UDP destination ports. Legend: CAP 1026, 1027, MS-SQL-M 1434, NETBIOS-NS 137, SNMP 161, Other. Slice values shown: 70%, 23%, 5%, 1%, 0%, 1%.]

• Port 1026 (CAP, Calendar Access Protocol; Windows Messenger spam)
• Port 1027 (unassigned; Messenger spam)
• Port 1434 (MS-SQL; systems infected with SQL Slammer)
These three ports represent 97% of the total UDP traffic.

Page 12: ICMP packets

• Type 8 (Ping request): 96%

[Chart: ICMP types. Ping request (type 8) 96%, TTL exceeded (type 11) 2%, DST unreachable (type 3) 1%.]
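The per-packet statistics of slides 8 to 12 (protocol split, packet length bins, destination-port shares, and the SYN / spam / ping classes) computed from tshark field output, as an added example that is not the authors' analysis script: the sample rows are constructed, and the field names are the real tshark `-T fields` names listed in the comment.

```python
"""Darknet trace summary in the style of slides 8-12 (protocol split, length
bins, destination-port shares, SYN/spam/ping classes).  Added example, not the
authors' scripts; the sample rows are constructed, not from the SSSUP capture."""
from collections import Counter

# One row per packet, as printed by tshark -T fields -E separator=, with the fields
# frame.time_relative, ip.proto, frame.len, tcp.dstport, udp.dstport, tcp.flags.syn, icmp.type
SAMPLE = """0.000,6,62,445,,1,
0.004,6,62,135,,1,
0.010,17,512,,1026,,
0.011,17,500,,1027,,
0.020,1,74,,,,8
0.031,6,60,22,,1,
0.040,17,404,,1434,,
0.050,6,62,445,,1,
1.200,6,66,80,,0,
1.300,1,74,,,,8"""
PROTO = {"1": "ICMP", "6": "TCP", "17": "UDP"}
LEN_BINS = [(0, 19), (20, 39), (40, 79), (80, 159), (160, 319), (320, 639), (640, 1279), (1280, 2559)]  # slide 8 bins

def parse(text):
    rows = []
    for line in text.splitlines():
        t, proto, ln, tport, uport, syn, itype = line.split(",")
        rows.append({"time": float(t), "proto": PROTO.get(proto, proto), "len": int(ln),
                     "dport": int(tport or uport or 0), "syn": syn in ("1", "True"),  # 1/0 or True/False
                     "icmp_type": int(itype) if itype else None})
    return rows

def shares(values):
    """Percentage per distinct value, rounded like the slide pie charts."""
    return {k: round(100.0 * v / len(values), 1) for k, v in Counter(values).items()}

def protocol_share(rows):
    return shares([r["proto"] for r in rows])

def length_histogram(rows):
    return shares([f"{lo}-{hi}" for r in rows for lo, hi in LEN_BINS if lo <= r["len"] <= hi])

def port_share(rows, proto):
    return shares([r["dport"] for r in rows if r["proto"] == proto])

def classify(rows):
    """TCP SYN probes, UDP to Messenger-spam/Slammer ports, ICMP echo: almost all unused-space traffic."""
    def cls(r):
        if r["proto"] == "TCP" and r["syn"]: return "tcp_syn"
        if r["proto"] == "UDP" and r["dport"] in (1026, 1027, 1434): return "udp_spam"
        if r["proto"] == "ICMP" and r["icmp_type"] == 8: return "icmp_echo"
        return "other"
    return dict(Counter(cls(r) for r in rows))
```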

Page 13: Burstiness characteristics

• Similar behaviour at day and night time
• Peaks of instantaneous 3-4 Mbit/s in 300 ms interval events (SPAM)
• Average SCAN and ICMP 1 kbit/s events

[Time-series plots: DAY, NIGHT]

Page 14: Traffic burstiness sorted by protocol

Different behaviour between TCP, UDP and ICMP traffic
• TCP
– “Constant” bursts (1 packet, t_inter = 4 s, duration = 0.2 s, rate 0.4 kbit/s)
– Burst train events (event duration = 100 s, each burst lasts 0.3 s with 200 kbit/s peak rate)
• UDP
– Isolated 0.2 s long bursts with up to 3 Mbit/s peak rate (SPAM)
• ICMP
– Similar behaviour to TCP but lower peak and average rate (PING)
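The burst measures used on the last two slides (burst duration and rate, the interval between bursts, and the peak rate over a 300 ms window), as an added example with constructed packets rather than the authors' traces; the 0.1 s inter-arrival gap that delimits a burst is an assumption, not a value from the slides.

```python
"""Burst analysis in the style of slides 13-14: split each protocol's packets into
bursts by inter-arrival gap, report burst duration and rate, the mean interval
between bursts, and the peak bit rate over any 300 ms window.  Added example, not
the authors' code; PACKETS is constructed (time s, protocol, frame bytes) and the
0.1 s gap threshold is an assumption, not a value taken from the slides."""
GAP = 0.1      # assumed: a pause longer than this ends a burst
WINDOW = 0.3   # the 300 ms interval the slides use for peak rates

# Constructed: a UDP spam burst (100 x 500 B in 0.2 s), a TCP 1-packet "constant"
# pattern every 4 s, and ICMP pings every 4 s.
PACKETS = ([(10.0 + i * 0.002, "UDP", 500) for i in range(100)]
           + [(t, "TCP", 62) for t in (0.0, 4.0, 8.0, 12.0, 16.0)]
           + [(t, "ICMP", 74) for t in (1.0, 5.0, 9.0, 13.0)])

def bursts(packets, proto, gap=GAP):
    """Runs of packets whose consecutive inter-arrival times are all <= gap."""
    pkts = sorted(p for p in packets if p[1] == proto)
    runs, cur = [], []
    for p in pkts:
        if cur and p[0] - cur[-1][0] > gap:
            runs.append(cur)
            cur = []
        cur.append(p)
    if cur:
        runs.append(cur)
    return [summarise(r) for r in runs]

def summarise(run):
    duration = run[-1][0] - run[0][0]
    bits = 8 * sum(p[2] for p in run)
    rate = bits / duration if duration > 0 else 0.0   # a lone packet has no measurable rate
    return {"start": run[0][0], "packets": len(run),
            "duration_s": round(duration, 3), "kbit_s": round(rate / 1000, 1)}

def burst_interval(summaries):
    """Mean time between burst starts (the slides' t_inter); None for a single burst."""
    starts = [s["start"] for s in summaries]
    return (starts[-1] - starts[0]) / (len(starts) - 1) if len(starts) > 1 else None

def peak_window_rate(packets, proto, window=WINDOW):
    """Highest kbit/s over any window-second interval ending on a packet arrival."""
    pkts = sorted(p for p in packets if p[1] == proto)
    peak, j, acc = 0.0, 0, 0
    for i, p in enumerate(pkts):
        acc += p[2]
        while p[0] - pkts[j][0] > window:   # drop packets that fell out of the window
            acc -= pkts[j][2]
            j += 1
        peak = max(peak, 8 * acc / window)
    return round(peak / 1000, 1)
```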