The UCSD Network Telescope A Real-time Monitoring System for Tracking Internet Attacks Stefan Savage David Moore, Geoff Voelker, and Colleen Shannon Department.

Slides:

Advertisements

Similar presentations

Network support for DoS Protection Stefan Savage Dept of Computer Science and Engineering UC San Diego.

Advertisements

(Distributed) Denial of Service Nick Feamster CS 4251 Spring 2008.

Pie(s) in the Sky Mark Crovella Boston University Computer Science.

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.

A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.

Trojan Horses/Worms Vadolas Margaritis Bantes George.

Inferring Internet Denial-of- Service Activity David Moore, Colleen Shannon, Douglas J. Brown, Geoffrey M. Voelker, and Stefan Savage Presented by Qian.

1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?

IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.

 Unlike other forms of computer attacks, goal isn’t access or theft of information or services  The goal is to stop the service from operating o.

Introduction to Security Computer Networks Computer Networks Term B10.

Inferring Internet Denial-of- Service Activity David Moore, Colleen Shannon, Douglas J. Brown, Geoffrey M. Voelker, Stefan Savage Presented by Thangam.

 Well-publicized worms  Worm propagation curve  Scanning strategies (uniform, permutation, hitlist, subnet) 1.

Self-Stopping Worms Justin Ma, Geoffrey M. Voelker, Stefan Savage Collaborative Center for Internet Epidemiology and Defenses (CCIED) Department of Computer.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.

Distributed Intrusion Detection Systems (dIDS) 2/10 CIS 610.

Denial-of-Service Attacks Real Vulnerabilities and Practical Solutions John Bellardo and Stefan Savage Department of Computer Science and Engineering.

UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.

Inferring Internet Denial-of- Service Activity David Moore, Geoffrey M Voelker, Stefan Savage Presented by Yuemin Yu – CS290F – Winter 2005.

Web server security Dr Jim Briggs WEBP security1.

(Geneva, Switzerland, September 2014)

1 The Spread of the Sapphire/Slammer Worm D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, N. Weaver Presented by Stefan Birrer.

Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.

Internet Relay Chat Security Issues By Kelvin Lau and Ming Li.

Barracuda Spam & Virus Firewall. Introduction to the Barracuda Spam & Virus Firewall Complete server protection –Spam Blocking (95+ percent) Extremely.

A Study of Mass- mailing Worms By Cynthia Wong, Stan Bielski, Jonathan M. McCune, and Chenxi Wang, Carnegie Mellon University, 2004 Presented by Allen.

1 Panda Malware Radar Discovering hidden threats Technical Product Presentation Name Date.

DDoS Attack and Its Defense1 CSE 5473: Network Security Prof. Dong Xuan.

BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.

Introduction to Honeypot, Botnet, and Security Measurement

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.

B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel

Characteristics of Internet Background Radiation Authors: Ruoming Pang, Vinod Yegneswaran, Paul Barford, Vern Paxson, & Larry Peterson & Larry Peterson.

Toward Self-directed Intrusion Detection Paul Barford Assistant Professor Computer Science University of Wisconsin June, 2005.

WHAT IS VIRUS? NAE GRAND CHALLENGE SECURE CYBERSPACE.

PATCH MANAGEMENT: Issues and Practical Solutions Presented by: ISSA Vancouver Chapter March 4, 2004.

Carleton University School of Computer Science Detecting Intra-enterprise Scanning Worms based on Address Resolution David Whyte, Paul van Oorschot, Evangelos.

Resisting Denial-of-Service Attacks Using Overlay Networks Ju Wang Advisor: Andrew A. Chien Department of Computer Science and Engineering, University.

--Harish Reddy Vemula Distributed Denial of Service.

The Internet Motion Sensor: A Distributed Blackhole Monitoring System Presented By: Arun Krishnamurthy Authors: Michael Bailey, Evan Cooke, Farnam Jahanian,

FlowScan at the University of Wisconsin Perry Brunelli, Network Services.

Detection Unknown Worms Using Randomness Check Computer and Communication Security Lab. Dept. of Computer Science and Engineering KOREA University Hyundo.

Attacks On systems And Networks To understand how we can protect our system and network we need to know about what kind of attacks a hacker/cracker would.

Chapter 5: General Computer Topics Department of Computer Science Foundation Year Program Umm Alqura University, Makkah Computer Skills /1436.

BOTNETS Presented By : Ramesh kumar Ramesh kumar 08EBKIT049 08EBKIT049 A BIGGEST THREAT TO INERNET.

An Analysis of Location-Hiding Using Overlay Networks Ju Wang and Andrew A. Chien Department of Computer Science and Engineering, University of California.

Distributed Denial of Service Attacks Shankar Saxena Veer Vivek Kaushik.

1 Modeling, Early Detection, and Mitigation of Internet Worm Attacks Cliff C. Zou Assistant professor School of Computer Science University of Central.

Defending Against Internet Worms: A Signature-Based Approach Aurthors: Yong Tang, and Shigang Chen Publication: IEEE INFOCOM'05 Presenter : Richard Bares.

Lecture 12 Page 1 CS 236, Spring 2008 Virtual Private Networks VPNs What if your company has more than one office? And they’re far apart? –Like on opposite.

Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore, Colleen Shannon, Geoffrey M.Voelker, Stefan Savage University of California,

What is risk online operation:  massive movement of operation to the internet has attracted hackers who try to interrupt such operation daily.  To unauthorized.

Markus Jakobsson School of Informatics Indiana University Bloomington, IN 47406, USA Jacob Ratkiewicz Dept. of Computer Science Indiana University Bloomington,

1 Introduction to Malcode, DoS Attack, Traceback, RFID Security Cliff C. Zou 03/02/06.

Topic 5: Basic Security.

AutoFocus: A Tool for Automatic Traffic Analysis Cristian Estan, University of California, San Diego.

The Dark Menace: Characterizing Network-based Attacks in the Cloud

Inferring Denial of Service Attacks David Moore, Geoffrey Volker and Stefan Savage Presented by Rafail Tsirbas 4/1/20151.

1-1 Copyright © 2014, 2011, and 2008 Pearson Education, Inc.

1 Modeling, Early Detection, and Mitigation of Internet Worm Attacks Cliff C. Zou Assistant professor School of Computer Science University of Central.

1 Virtual Dark IP for Internet Threat Detection Akihiro Shimoda & Shigeki Goto Waseda University

Automated Worm Fingerprinting Authors: Sumeet Singh, Cristian Estan, George Varghese and Stefan Savage Publish: OSDI'04. Presenter: YanYan Wang.

Introduction1-1 Chapter 1: roadmap 1.1 What is the Internet? 1.2 Network edge  end systems, access networks, links 1.3 Network core  circuit switching,

1 Internet Traffic Measurement and Modeling Carey Williamson Department of Computer Science University of Calgary.

Inferring Internet Denial-of-Service Activity Authors: David Moore, Geoffrey M. Voelker and Stefan Savage; University of California, San Diego Publish:

Spam By Dan Sterrett. Overview ► What is spam? ► Why it’s a problem ► The source of spam ► How spammers get your address ► Preventing Spam ► Possible.

Internet Quarantine: Requirements for Containing Self-Propagating Code

Authors – Johannes Krupp, Michael Backes, and Christian Rossow(2016)

Introduction to Internet Worm

Presentation transcript:

The UCSD Network Telescope A Real-time Monitoring System for Tracking Internet Attacks Stefan Savage David Moore, Geoff Voelker, and Colleen Shannon Department of Computer Science and Engineering & Cooperative Association for Internet Data Analysis (at SDSC) University of California, San Diego

Jacobs School of Engineering – Department of Computer Science and Engineering UCSD CSE COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS Context The Internet has an open communications model –Benefits: Flexible communication, application innovation –Drawbacks: Many opportunities for abuse The Dark Side to the Internet –Denial-of-Service Attacks –Network Worms and Viruses –Automated Scanning/Break-in Tools –Etc… Question: How big a problem is it really?

Jacobs School of Engineering – Department of Computer Science and Engineering UCSD CSE COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS Media – “The sky is falling… every day”

Jacobs School of Engineering – Department of Computer Science and Engineering UCSD CSE COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS Consulting Groups & Surveys Consultancy estimates –“Losses … could total more than $1.2 billion” -Yankee Group report on yr 2000 DDoS attacks –Cost of Slammer worm $750M-$1B -Computer Economics report on yr 2000 DDoS attacks -Others say numbers are different -Data source, methodology, error, biases unknown -Surveys -E.g. CSI/FBI survey reported 38% of respondents encountered DoS activity in Summary of anecdotes = good data?

Jacobs School of Engineering – Department of Computer Science and Engineering UCSD CSE COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS Why is this so hard? Quantitative attack data isn’t available Inherently hard to acquire –Few content or service providers collect such data –If they do, its usually considered sensitive Infeasible to collect at Internet scale –How to monitor enough to the Internet to obtain a representative sample? –How to manage thousands of bilateral legal negotiations? Data would be out of date as soon as collected

Jacobs School of Engineering – Department of Computer Science and Engineering UCSD CSE COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS Network Telescopes A way to observe global network phenomena with only local monitoring Key observation: large class of attacks use random addresses Worm’s frequently select new host to infect at random Many DoS attacks hide their source by randomizing source addresses Network Telescope –A monitor that records packets sent to a large range of unused Internet addresses –Since attacks are random, a telescope samples attacks

Jacobs School of Engineering – Department of Computer Science and Engineering UCSD CSE COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS Example: Monitoring Worm Attacks Infected host scans for other vulnerable hosts by randomly generating IP addresses

Jacobs School of Engineering – Department of Computer Science and Engineering UCSD CSE COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS What can we infer? How quickly the worm is spreading? Which hosts are infected and when? Where are they located? How quickly are vulnerabilities being fixed?

Jacobs School of Engineering – Department of Computer Science and Engineering UCSD CSE COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS Example: Monitoring Denial-of-Service Attacks Attacker floods the victim with requests using random spoofed source IP addresses Victim believes requests are legitimate and responds to each spoofed address Network telescope can infer that a site sending unsolicited reply packets is being attacked

Jacobs School of Engineering – Department of Computer Science and Engineering UCSD CSE COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS What can we infer? Number of attacks? How big are they? How long? Who is being attacked?

Jacobs School of Engineering – Department of Computer Science and Engineering UCSD CSE COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS What’s special about the UCSD Network Telescope? Our Telescope is very large and size does matter –The more addresses monitored, the more accurate, quick and precise the results We have access to more than 1/256 of all Internet addresses (> 16M IP addresses) –Unprecedented insight into global attack activity –Can detect new attacks and worms in seconds with low error Special thanks to Jim Madden & Brian Kantor from UCSD Network Operations whose support makes this research possible

Jacobs School of Engineering – Department of Computer Science and Engineering UCSD CSE COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS Summary High quality global estimates on Internet security events (Worms, DDoS) –~4000 DoS attacks per week; attacks on network infrastructure –Have observed worms spreading faster than 50M hosts per second Collecting ongoing longitudinal data set (20GB/day) Impact of data & methodology –Research: widely used in modeling network attacks and designing defenses –Operational Practice: identifies infected hosts and sites being attacked; variant of backscatter analysis now used by top ISPs –Policy: helps justify and prioritize resources appropriately

Jacobs School of Engineering – Department of Computer Science and Engineering UCSD CSE COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALYSIS Current Work Network Honeyfarm –Cluster of dummy servers whose sole purpose is to be infected and observed –Collect detailed analysis of new attacks –Can be extended to capture non-random attacks (e.g. , instant messenger) which is weakness of telescope Automated network defenses –Automatically detect, characterize and suppress new network attacks or outbreaks –Respond orders of magnitude more quickly humans can