
The UCSD Network Telescope: A Real-time Monitoring System for Tracking Internet Attacks

Slide 1: Title
Stefan Savage, David Moore, Geoff Voelker, and Colleen Shannon
Department of Computer Science and Engineering & Cooperative Association for Internet Data Analysis (at SDSC)
University of California, San Diego

Slide 2: Context
(Footer on every slide: Jacobs School of Engineering – Department of Computer Science and Engineering, UCSD CSE; Cooperative Association for Internet Data Analysis)

The Internet has an open communications model
  - Benefits: flexible communication, application innovation
  - Drawbacks: many opportunities for abuse
The dark side of the Internet
  - Denial-of-Service attacks
  - Network worms and viruses
  - Automated scanning/break-in tools
  - Etc.
Question: how big a problem is it really?

Slide 3: Media – “The sky is falling… every day”

Slide 4: Consulting Groups & Surveys

Consultancy estimates
  - “Losses … could total more than $1.2 billion” – Yankee Group report on yr 2000 DDoS attacks
  - Cost of Slammer worm $750M–$1B – Computer Economics report on yr 2000 DDoS attacks
  - Others say numbers are different
  - Data source, methodology, error, biases unknown
Surveys
  - E.g. CSI/FBI survey reported 38% of respondents encountered DoS activity in 2000
  - Summary of anecdotes = good data?

Slide 5: Why is this so hard?

Quantitative attack data isn’t available
Inherently hard to acquire
  - Few content or service providers collect such data
  - If they do, it’s usually considered sensitive
Infeasible to collect at Internet scale
  - How to monitor enough of the Internet to obtain a representative sample?
  - How to manage thousands of bilateral legal negotiations?
Data would be out of date as soon as collected

Slide 6: Network Telescopes

A way to observe global network phenomena with only local monitoring
Key observation: a large class of attacks use random addresses
  - Worms frequently select the next host to infect at random
  - Many DoS attacks hide their source by randomizing source addresses
Network Telescope
  - A monitor that records packets sent to a large range of unused Internet addresses
  - Since attacks are random, a telescope samples attacks

Slide 7: Example: Monitoring Worm Attacks

Infected host scans for other vulnerable hosts by randomly generating IP addresses

Slide 8: What can we infer?

  - How quickly is the worm spreading?
  - Which hosts are infected, and when?
  - Where are they located?
  - How quickly are vulnerabilities being fixed?

Slide 9: Example: Monitoring Denial-of-Service Attacks

  - Attacker floods the victim with requests using random spoofed source IP addresses
  - Victim believes requests are legitimate and responds to each spoofed address
  - Network telescope can infer that a site sending unsolicited reply packets is being attacked

Slide 10: What can we infer?

  - Number of attacks?
  - How big are they?
  - How long do they last?
  - Who is being attacked?
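The two inferences on slides 7 to 10 can be demonstrated on a packet trace. The following is an added example, not code from the talk or from CAIDA: it runs over a constructed trace (RFC 5737 documentation addresses, with 198.18.0.0/15 standing in for the telescope's dark space) and assumes the telescope covers 1/256 of the address space as on slide 11. Requests arriving at unused addresses are treated as scans, so the first such packet from a source dates its infection; replies (SYN-ACK, RST, ICMP error) arriving at unused addresses are backscatter, so their source is a victim, and the observed count is scaled by the monitored fraction to estimate the whole attack. The packet kinds and the `min_replies` / `min_targets` thresholds are the example's own assumptions.

```python
"""Network-telescope inference over a constructed packet trace (added example).

Two inferences from the slides:
  * worm scanning: a host that sends connection requests to many dark
    addresses is probing at random; the first such packet dates its infection;
  * DoS backscatter: a SYN-ACK, RST or ICMP error arriving at an unused
    address is an unsolicited reply, so its *source* is a victim answering
    spoofed addresses.
Because attackers pick addresses uniformly, the monitored fraction of the
address space scales observed counts up to whole-Internet estimates.
"""
from collections import defaultdict
from dataclasses import dataclass, field

TELESCOPE_FRACTION = 1 / 256          # a /8, as on slide 11 (assumption)

# Packet kinds that can only be replies.  Requests (SYN, UDP probes) that
# reach dark space are scans, not backscatter.  Kind names are our own.
REPLY_KINDS = {"tcp_synack", "tcp_rst", "icmp_unreach"}
REQUEST_KINDS = {"tcp_syn", "udp"}


@dataclass(frozen=True)
class Packet:
    ts: float     # seconds since trace start
    src: str      # source address as seen by the telescope
    dst: str      # dark (unused) address the packet was sent to
    kind: str


@dataclass
class Attack:
    victim: str
    first_ts: float
    last_ts: float
    observed: int = 0
    kinds: set = field(default_factory=set)

    @property
    def duration(self) -> float:
        return self.last_ts - self.first_ts

    def estimated_total(self, fraction: float = TELESCOPE_FRACTION) -> int:
        """Observed replies scaled by the monitored fraction of address space."""
        return round(self.observed / fraction)

    def estimated_rate(self, fraction: float = TELESCOPE_FRACTION) -> float:
        """Estimated attack packets per second (one reply per spoofed request)."""
        span = self.duration or 1.0
        return self.estimated_total(fraction) / span


def find_backscatter_attacks(packets, min_replies=3):
    """Group unsolicited replies by source; each source is a candidate victim."""
    by_victim = defaultdict(list)
    for p in packets:
        if p.kind in REPLY_KINDS:
            by_victim[p.src].append(p)
    attacks = []
    for victim, pkts in by_victim.items():
        if len(pkts) < min_replies:      # a stray RST is not an attack
            continue
        ts = [p.ts for p in pkts]
        attacks.append(Attack(victim, min(ts), max(ts), len(pkts),
                              {p.kind for p in pkts}))
    return sorted(attacks, key=lambda a: a.observed, reverse=True)


def find_scanners(packets, min_targets=3):
    """Sources sending requests to several distinct dark addresses (likely infected).
    Returns {source: (first_seen_ts, number_of_distinct_dark_targets)}."""
    targets = defaultdict(set)
    first = {}
    for p in packets:
        if p.kind in REQUEST_KINDS:
            targets[p.src].add(p.dst)
            first.setdefault(p.src, p.ts)
    return {s: (first[s], len(t)) for s, t in targets.items() if len(t) >= min_targets}


# Constructed trace, not captured data.
SAMPLE_TRACE = (
    # victim 203.0.113.7 answering spoofed SYNs: 8 SYN-ACKs 0.5 s apart
    [Packet(10.0 + i * 0.5, "203.0.113.7", f"198.18.{i}.{7 * i + 1}", "tcp_synack")
     for i in range(8)]
    # infected host 198.51.100.9 probing five random dark addresses
    + [Packet(12.0 + i * 0.1, "198.51.100.9", f"198.19.{3 * i}.{40 + i}", "tcp_syn")
       for i in range(5)]
    # a single stray RST: below the reporting threshold
    + [Packet(13.3, "192.0.2.1", "198.18.9.9", "tcp_rst")]
)

if __name__ == "__main__":
    for a in find_backscatter_attacks(SAMPLE_TRACE):
        print(f"victim {a.victim}: {a.observed} replies over {a.duration:.1f} s, "
              f"~{a.estimated_total()} attack packets (~{a.estimated_rate():.0f} pps)")
    for src, (ts, n) in find_scanners(SAMPLE_TRACE).items():
        print(f"scanner {src}: first seen t={ts}, {n} dark addresses probed")
```

Running it reports one victim (8 replies scaled to about 2048 attack packets over 3.5 s) and one scanner; the lone RST from 192.0.2.1 is dropped by the threshold, which is the kind of noise filtering a real telescope needs before it counts "attacks".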

Slide 11: What’s special about the UCSD Network Telescope?

Our telescope is very large, and size does matter
  - The more addresses monitored, the more accurate, quick and precise the results
We have access to more than 1/256 of all Internet addresses (> 16M IP addresses)
  - Unprecedented insight into global attack activity
  - Can detect new attacks and worms in seconds with low error
Special thanks to Jim Madden & Brian Kantor from UCSD Network Operations, whose support makes this research possible
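Slide 11's claim that size buys both speed and precision follows from a simple sampling model, worked through here as an added example (not from the talk). The assumption is that each attack packet picks its address uniformly from the 2^32 IPv4 addresses, so each one lands in a telescope of prefix length p independently with probability f = 2^-p; the scan rate used in the demonstration is a constructed figure.

```python
"""How telescope size drives detection speed and estimate precision (added example).

Model: each packet from a worm or spoofing DoS source independently lands in
a telescope monitoring one /p block with probability f = 2^-p.
"""
import math


def monitored_fraction(prefix_len: int) -> float:
    """Fraction of IPv4 space covered by one block of the given prefix length."""
    return 2.0 ** -prefix_len          # /8 -> 1/256, /16 -> 1/65536


def expected_hits(rate_pps: float, seconds: float, prefix_len: int) -> float:
    """Expected number of packets the telescope sees from one source."""
    return rate_pps * seconds * monitored_fraction(prefix_len)


def p_detect_within(rate_pps: float, seconds: float, prefix_len: int) -> float:
    """Probability that at least one of rate*seconds random packets lands in the telescope."""
    f = monitored_fraction(prefix_len)
    return 1.0 - (1.0 - f) ** (rate_pps * seconds)


def seconds_to_detect(rate_pps: float, prefix_len: int, confidence: float = 0.99) -> float:
    """Time until the telescope has seen the source with the given probability.
    Solves 1 - (1-f)^(r t) = confidence for t."""
    f = monitored_fraction(prefix_len)
    return math.log(1.0 - confidence) / (rate_pps * math.log(1.0 - f))


def relative_std_error(total_packets: int, prefix_len: int) -> float:
    """Relative standard error of the estimate N_hat = observed / f.
    observed ~ Binomial(N, f), so sd(N_hat) = sqrt(N (1-f) / f) and the
    relative error is sqrt((1-f) / (N f)): a bigger telescope shrinks it."""
    f = monitored_fraction(prefix_len)
    return math.sqrt((1.0 - f) / (total_packets * f))


if __name__ == "__main__":
    rate = 100.0   # constructed: a host probing 100 random addresses per second
    for plen in (8, 16, 24):
        print(f"/{plen}: 99% detection within {seconds_to_detect(rate, plen):10.1f} s; "
              f"relative error on a 10^6-packet attack: "
              f"{relative_std_error(10**6, plen):.4f}")
```

For a source probing 100 addresses per second, a /8 sees it with 99% probability in about 12 seconds, a /16 needs roughly 50 minutes, and a /24 about nine days; the relative error of the scaled-up attack size grows by a factor of 16 for each step down in prefix size. That is the quantitative content behind "size does matter".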

Slide 12: Summary

High quality global estimates on Internet security events (worms, DDoS)
  - ~4000 DoS attacks per week; attacks on network infrastructure
  - Have observed worms spreading faster than 50M hosts per second
Collecting ongoing longitudinal data set (20GB/day)
Impact of data & methodology
  - Research: widely used in modeling network attacks and designing defenses
  - Operational practice: identifies infected hosts and sites being attacked; variant of backscatter analysis now used by top ISPs
  - Policy: helps justify and prioritize resources appropriately

Slide 13: Current Work

Network Honeyfarm
  - Cluster of dummy servers whose sole purpose is to be infected and observed
  - Collect detailed analysis of new attacks
  - Can be extended to capture non-random attacks (e.g. e-mail, instant messenger), which are a weakness of the telescope
Automated network defenses
  - Automatically detect, characterize and suppress new network attacks or outbreaks
  - Respond orders of magnitude more quickly than humans can
