1 Visualizing Network Attacks Eric Conrad April 2009

2 A picture is worth 1,000 words Many network, security and system engineers have trained themselves to correlate complex information from text-based representation of events –Like Cypher in The Matrix However, many concepts lend themselves to visual interpretation

3 One example: visual cryptanalysis of DES ECB mode The Data Encryption Standard (DES) is a block cipher with a number of modes The ‘native mode,’ Electronic Code Book, does not ‘chain’ the ciphertext –Identical 64-bit blocks of plaintext become identical blocks of ciphertext As a result, patterns may propagate The other modes of DES destroy patterns by chaining the previous block of ciphertext with the next

4 Showing weaknesses of DES ECB mode Left image is BMP, right image is same BMP encrypted in ECB mode

5 Showing the effects of chaining Same logo, Cipher Block Chaining (CBC) mode ciphertext on right

6 DAVIX DAVIX is a live CD for data analysis and visualization Available at Burn ISO to CD, and boot your laptop into a rich visualization environment

7 The DAVIX Live CD The DAVIX start menu links to all major tools Visualization work is broken down into 3 processes: Capture, Process, Visualize

8 The DAVIX process Capture includes tools that capture network data, like wireshark, tcpdump, etc. Process includes tools that manipulate data, such as afterglow.pl, as well as the classic Unix shell tools such as sed, awk, perl and grep Visualize includes tools to display the data

9 A word on tools All tools mentioned in this paper are on the DAVIX distribution All graphics used in this paper were generated directly from the DAVIX live CD You may download all scripts in this paper at All example commands in this paper will work directly on the DAVIX live CD

10 Dot Dot is a language used to describe graphs Example digraph (directed graph) in dot language, and resulting image: digraph directed{ A -> B -> C; B -> D; }

11 Turning Dot into graphics Graphviz (Graph Visualization Software) includes a number of programs to manipulate Dot programs – Includes tools that take a Dot file as input, and create a graphics file as output This paper uses the Graphviz tools ‘twopi’ and ‘neato’ –twopi uses a ‘radial model’ to lay out nodes –neato uses a ‘spring model’ to lay out nodes

12 Afterglow Afterglow takes CSV files as input and creates a Dot language file as output Makes creating directed graphs very easy The graph on the right was created with echo “1,2,3” | afterglow.pl | neato – Tpng –o example.png

13 Two-column mode Two-column mode has 2 types of nodes: source and target This graph shows 2 source nodes connecting to three targets

14 Afterglow two-column example: normal arp requests

15 ‘Arp bomb’: scan of unused IP addresses

16 Three-column mode Three-column mode adds an ‘event’ node Source nodes connect to targets via ‘events’ Example event: protocol type

17 Visualizing honeypot attacks Let’s use the Dot language to visualize attacks vs. a honeypot Data is from the Honeynet Project® Scan of the Month 27: –During its first week of operation, the honeypot was repeatedly compromised by attackers and worms exploiting several distinct vulnerabilities. Subsequent to a successful attack, the honeypot was joined to a large botnet. Source: What do the attacks look like visually?

18 The attacks, visually

19 Visual traceroute with Dot Generate a route graph with Dot: –traceroute to the top 100 internet sites –Compute average time to each hop –Draw directed graph showing all connections within 6 hops –Display nodes with colors showing RTT First node is blue (and larger) Nodes < 15 ms are palegreen Nodes < 30 ms are green Nodes < 45 ms are yellow Rest are red

20

21 Visualizing Mitnick vs. Shimomura One of the most famous network attacks occurred on Christmas Day, 1994, when Kevin Mitnick allegedly attacked Tsutomu Shimomura’s systems The attack exploited a trust relationship between Shimomura’s ‘x-terminal’ and ‘server’ Shimomura analyzed the attack, and was kind enough to post a detailed post mortem of the attack to the comp.security.misc Usenet group –Including tcpdump output

22 The players 4 systems were involved in the attack: –apollo.it.luc.edu: the source of the attack –server: a host trusted by xterminal –x-terminal: trusted by server – : used as spoofed source for DOS attack There was no live system at this IP address at time of attack

23 The attack Goal was to forge a packet ‘from’ server to xterminal –DOSed server from –Harvested TCP sequence numbers from xterminal –Spoofed connection ‘from’ server to xterminal Attacker did not see the SYN/ACK, and had to guess the sequence number used, and increment by 1 for the reply Let’s use Shimomura’s analysis to see the attack visually

24 Mitnick vs. Shimomura

25 rumint: ‘rumors in the network’ Another useful DAVIX tool is rumint, a ‘PVR for Network Traffic and Security Visualization’ –‘rumint’ is short for ‘rumor intelligence’ –Site: Much of what IDS analysts must do is separating useful signals from noise rumint is useful for ‘spotting the outlier’

26 Analyzing honeypot with rumint

27 rumint ‘text rainfall’ mode Matrix-style falling text from live network capture or pcap file This shows botnet IRC command and control traffic

28 Any questions?