Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Visualizing Network Attacks Eric Conrad April 2009.

Published byMiranda Lizbeth Wood Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Visualizing Network Attacks Eric Conrad April 2009."— Presentation transcript:

1 1 Visualizing Network Attacks Eric Conrad http://www.ericconrad.com April 2009

2 2 A picture is worth 1,000 words Many network, security and system engineers have trained themselves to correlate complex information from text-based representation of events –Like Cypher in The Matrix However, many concepts lend themselves to visual interpretation

3 3 One example: visual cryptanalysis of DES ECB mode The Data Encryption Standard (DES) is a block cipher with a number of modes The ‘native mode,’ Electronic Code Book, does not ‘chain’ the ciphertext –Identical 64-bit blocks of plaintext become identical blocks of ciphertext As a result, patterns may propagate The other modes of DES destroy patterns by chaining the previous block of ciphertext with the next

4 4 Showing weaknesses of DES ECB mode Left image is BMP, right image is same BMP encrypted in ECB mode

5 5 Showing the effects of chaining Same logo, Cipher Block Chaining (CBC) mode ciphertext on right

6 6 DAVIX DAVIX is a live CD for data analysis and visualization Available at http://secviz.org/ http://secviz.org/ Burn ISO to CD, and boot your laptop into a rich visualization environment

7 7 The DAVIX Live CD The DAVIX start menu links to all major tools Visualization work is broken down into 3 processes: Capture, Process, Visualize

8 8 The DAVIX process Capture includes tools that capture network data, like wireshark, tcpdump, etc. Process includes tools that manipulate data, such as afterglow.pl, as well as the classic Unix shell tools such as sed, awk, perl and grep Visualize includes tools to display the data

9 9 A word on tools All tools mentioned in this paper are on the DAVIX 1.0.1 distribution All graphics used in this paper were generated directly from the DAVIX live CD You may download all scripts in this paper at http://files.ericconrad.com/viz-current.tgz All example commands in this paper will work directly on the DAVIX live CD

10 10 Dot Dot is a language used to describe graphs Example digraph (directed graph) in dot language, and resulting image: digraph directed{ A -> B -> C; B -> D; }

11 11 Turning Dot into graphics Graphviz (Graph Visualization Software) includes a number of programs to manipulate Dot programs –http://graphviz.org/ Includes tools that take a Dot file as input, and create a graphics file as output This paper uses the Graphviz tools ‘twopi’ and ‘neato’ –twopi uses a ‘radial model’ to lay out nodes –neato uses a ‘spring model’ to lay out nodes

12 12 Afterglow Afterglow takes CSV files as input and creates a Dot language file as output Makes creating directed graphs very easy The graph on the right was created with echo “1,2,3” | afterglow.pl | neato – Tpng –o example.png

13 13 Two-column mode Two-column mode has 2 types of nodes: source and target This graph shows 2 source nodes connecting to three targets

14 14 Afterglow two-column example: normal arp requests

15 15 ‘Arp bomb’: scan of unused IP addresses

16 16 Three-column mode Three-column mode adds an ‘event’ node Source nodes connect to targets via ‘events’ Example event: protocol type

17 17 Visualizing honeypot attacks Let’s use the Dot language to visualize attacks vs. a honeypot Data is from the Honeynet Project® Scan of the Month 27: –During its first week of operation, the honeypot was repeatedly compromised by attackers and worms exploiting several distinct vulnerabilities. Subsequent to a successful attack, the honeypot was joined to a large botnet. Source: http://www.honeynet.org/scans/scan27/http://www.honeynet.org/scans/scan27/ What do the attacks look like visually?

18 18 The attacks, visually

19 19 Visual traceroute with Dot Generate a route graph with Dot: –traceroute to the top 100 internet sites –Compute average time to each hop –Draw directed graph showing all connections within 6 hops –Display nodes with colors showing RTT First node is blue (and larger) Nodes < 15 ms are palegreen Nodes < 30 ms are green Nodes < 45 ms are yellow Rest are red

20 20

21 21 Visualizing Mitnick vs. Shimomura One of the most famous network attacks occurred on Christmas Day, 1994, when Kevin Mitnick allegedly attacked Tsutomu Shimomura’s systems The attack exploited a trust relationship between Shimomura’s ‘x-terminal’ and ‘server’ Shimomura analyzed the attack, and was kind enough to post a detailed post mortem of the attack to the comp.security.misc Usenet group –Including tcpdump output

22 22 The players 4 systems were involved in the attack: –apollo.it.luc.edu: the source of the attack –server: a host trusted by xterminal –x-terminal: trusted by server –130.92.6.97: used as spoofed source for DOS attack There was no live system at this IP address at time of attack

23 23 The attack Goal was to forge a packet ‘from’ server to xterminal –DOSed server from 130.92.6.97 –Harvested TCP sequence numbers from xterminal –Spoofed connection ‘from’ server to xterminal Attacker did not see the SYN/ACK, and had to guess the sequence number used, and increment by 1 for the reply Let’s use Shimomura’s analysis to see the attack visually

24 24 Mitnick vs. Shimomura

25 25 rumint: ‘rumors in the network’ Another useful DAVIX tool is rumint, a ‘PVR for Network Traffic and Security Visualization’ –‘rumint’ is short for ‘rumor intelligence’ –Site: www.rumint.org Much of what IDS analysts must do is separating useful signals from noise rumint is useful for ‘spotting the outlier’

26 26 Analyzing honeypot with rumint

27 27 rumint ‘text rainfall’ mode Matrix-style falling text from live network capture or pcap file This shows botnet IRC command and control traffic

28 28 Any questions?

Download ppt "1 Visualizing Network Attacks Eric Conrad April 2009."

Similar presentations

Communications of the ACM (CACM), Vol. 32, No. 6, June 1989

Communications of the ACM (CACM), Vol. 32, No. 6, June 1989
Suneeta Chawla Web Security Presentation Topic : IP Spoofing Date : 03/24/04.

Suneeta Chawla Web Security Presentation Topic : IP Spoofing Date : 03/24/04.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.
Network Attacks Mark Shtern.

Network Attacks Mark Shtern.
Cryptography1 CPSC 3730 Cryptography Chapter 6 Triple DES, Block Cipher Modes of Operation.

Cryptography1 CPSC 3730 Cryptography Chapter 6 Triple DES, Block Cipher Modes of Operation.
1 Understanding Botnet Phenomenon MITP 458 - Kevin Lynch, Will Fiedler, Navin Johri, Sam Annor, Alex Roussev.

1 Understanding Botnet Phenomenon MITP Kevin Lynch, Will Fiedler, Navin Johri, Sam Annor, Alex Roussev.
CSI 400/500 Operating Systems Spring 2009 Lecture #20 – Security Measures Wednesday, April 29 th.

CSI 400/500 Operating Systems Spring 2009 Lecture #20 – Security Measures Wednesday, April 29 th.
Modes of Operation CS 795. Electronic Code Book (ECB) Each block of the message is encrypted with the same secret key Problems: If two identical blocks.

Modes of Operation CS 795. Electronic Code Book (ECB) Each block of the message is encrypted with the same secret key Problems: If two identical blocks.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
McGraw-Hill©The McGraw-Hill Companies, Inc., 2004 1 Security PART VII.

McGraw-Hill©The McGraw-Hill Companies, Inc., Security PART VII.
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.
Network Debugging Organizational Communications and Technologies Prithvi Rao H. John Heinz III School of Public Policy and Management Carnegie Mellon University.

Network Debugging Organizational Communications and Technologies Prithvi Rao H. John Heinz III School of Public Policy and Management Carnegie Mellon University.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 5 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 5 Wenbing Zhao Department of Electrical and Computer Engineering.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Lecture 15 Denial of Service Attacks

Lecture 15 Denial of Service Attacks
BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.

BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.
PROJECT IN COMPUTER SECURITY MONITORING BOTNETS FROM WITHIN FINAL PRESENTATION – SPRING 2012 Students: Shir Degani, Yuval Degani Supervisor: Amichai Shulman.

PROJECT IN COMPUTER SECURITY MONITORING BOTNETS FROM WITHIN FINAL PRESENTATION – SPRING 2012 Students: Shir Degani, Yuval Degani Supervisor: Amichai Shulman.
Lecture 3: Cryptographic Tools modified from slides of Lawrie Brown.

Lecture 3: Cryptographic Tools modified from slides of Lawrie Brown.
SUSE Linux Enterprise Server Administration (Course 3037) Chapter 7 Connect the SUSE Linux Enterprise Server to the Network.

SUSE Linux Enterprise Server Administration (Course 3037) Chapter 7 Connect the SUSE Linux Enterprise Server to the Network.
Block Cipher Transmission Modes CSCI 5857: Encoding and Encryption.

Block Cipher Transmission Modes CSCI 5857: Encoding and Encryption.

Similar presentations

Ads by Google