Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Internet Motion Sensor: A Distributed Blackhole Monitoring System Authors: Michael Bailey, Evan Cooke, Farnam Jahanian, Jose Nazario, and David Watson.

Published byMichael Russell Dorsey Modified over 8 years ago

Similar presentations

Presentation on theme: "The Internet Motion Sensor: A Distributed Blackhole Monitoring System Authors: Michael Bailey, Evan Cooke, Farnam Jahanian, Jose Nazario, and David Watson."— Presentation transcript:

1 The Internet Motion Sensor: A Distributed Blackhole Monitoring System Authors: Michael Bailey, Evan Cooke, Farnam Jahanian, Jose Nazario, and David Watson Publication: Proceedings of the 12th Annual Network and Distributed System Security Symposium (NDSS), San Diego, CA, Feb. 2005. Presenter: Brad Mundt for CAP6133 Spring ‘08

2 Motivation Stability and integrity of national infrastructure Rapid moving threats Worms DDOS Routing Exploits Globally scoped No geographic or topological boundaries Evolutionary threats

3 Monitoring Dark address space No legitimate hosts Misconfiguration Attack Challenges Sensor coverage Service emulation

4 Internet Monitoring System (IMS) Distributed globally scoped Internet threat monitoring system Sensor network Lightweight responder Payload signature and caching

5 IMS Architecture

6 Sensor Network Designed to measure, characterize, and track Less in-depth information Increase global threat visibility Wide and distributed address blocks 28 distinct monitored blocks 18 physical installations Query system to connect all sensors Beyond scope of the paper

7 Lightweight responder Get responses across ports without application related information Service agnostic: Responds to SYN requests on all ports In UDP connection, payload can arrive in first packet In TCP connections, payload arrives after connection

8 Lightweight responder Infection responses by target

9 Lightweight responder Passive aspect captures UDP based attacks Active aspect initiates TCP connection Elicits payload to differentiate traffic Many threats use same ports IMS responds to SYN requests on all ports

10 Lightweight responder Differentiate Services

11 Hashing and caching MD5 hash the packet payload If new Add hash to DB Cache payload for analysis If already seen Log Also good for metrics

12 Metrics Worm behaviors Virulence Demographics Propagation Community Reponse Scanning DDOS

13 Worm lifecycle

14 Worm presence

15 Scanning

16 DDOS

17 Summary A globally scoped Internet monitoring system Wide, dark address monitoring Blackhole networking Three components Distributed Monitoring Infrastructure Lightweight Active Responder Payload Signatures and Caching

18 Contributions A wider scope IMS in dark address blocks Layer 3 lightweight responder Unique payload caching by hashing

19 Weaknesses Limited analysis from the lightweight responder No layer 7 information, all layer 3 Sensors could be identified Fingerprinted Blacklisted

20 How to Improve Anti-fingerprinting techniques Sensor rotation Source squelching Blackhole masking with simulated hosts and topology Hybrid system Combine host-based sensors with wide address space monitors Additional techniques for characterizing attackers OS fingerprinting Firepower calculations

21 The End Thank you…

Download ppt "The Internet Motion Sensor: A Distributed Blackhole Monitoring System Authors: Michael Bailey, Evan Cooke, Farnam Jahanian, Jose Nazario, and David Watson."

Similar presentations

Network Monitoring System In CSTNET Long Chun China Science & Technology Network.

Network Monitoring System In CSTNET Long Chun China Science & Technology Network.
Review iClickers. Ch 1: The Importance of DNS Security.

Review iClickers. Ch 1: The Importance of DNS Security.
The Internet Motion Sensor: A Distributed Blackhole Monitoring System Michael Bailey*, Evan Cooke*, Farnam Jahanian* †, Jose Nazario †, David Watson* Presenter:

The Internet Motion Sensor: A Distributed Blackhole Monitoring System Michael Bailey*, Evan Cooke*, Farnam Jahanian* †, Jose Nazario †, David Watson* Presenter:
IPv6 Background Radiation Geoff Huston APNIC R&D.

IPv6 Background Radiation Geoff Huston APNIC R&D.
1 Internet Networking Spring 2004 Tutorial 13 LSNAT - Load Sharing NAT (RFC 2391)

1 Internet Networking Spring 2004 Tutorial 13 LSNAT - Load Sharing NAT (RFC 2391)
- 1 - Data Reduction for the Scalable Automated Analysis of Distributed Darknet Traffic Michael Bailey, Evan Cooke, David Watson and Farnam Jahanian University.

- 1 - Data Reduction for the Scalable Automated Analysis of Distributed Darknet Traffic Michael Bailey, Evan Cooke, David Watson and Farnam Jahanian University.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
1 Some TCP/IP Basics....NFSDNSTELNETSMTPFTP UDPTCP IP and ICMP Ethernet, serial line,..etc. Application Layer Transport Layer Network Layer Low-level &

1 Some TCP/IP Basics....NFSDNSTELNETSMTPFTP UDPTCP IP and ICMP Ethernet, serial line,..etc. Application Layer Transport Layer Network Layer Low-level &
T H E O H I O S T A T E U N I V E R S I T Y Computer Science and Engineering Current Calendar Calendar Index Upcoming Speakers About... Artificial Intelligence.

T H E O H I O S T A T E U N I V E R S I T Y Computer Science and Engineering Current Calendar Calendar Index Upcoming Speakers About... Artificial Intelligence.
Measurement and Diagnosis of Address Misconfigured P2P traffic Zhichun Li, Anup Goyal, Yan Chen and Aleksandar Kuzmanovic Lab for Internet and Security.

Measurement and Diagnosis of Address Misconfigured P2P traffic Zhichun Li, Anup Goyal, Yan Chen and Aleksandar Kuzmanovic Lab for Internet and Security.
© 2014 Level 3 Communications, LLC. All Rights Reserved. Proprietary and Confidential. Polycom event Security Briefing 12/03/14 Level 3 Managed Security.

© 2014 Level 3 Communications, LLC. All Rights Reserved. Proprietary and Confidential. Polycom event Security Briefing 12/03/14 Level 3 Managed Security.
How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.

How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.
1 Spring Semester 2007, Dept. of Computer Science, Technion Internet Networking recitation #12 LSNAT - Load Sharing NAT (RFC 2391)

1 Spring Semester 2007, Dept. of Computer Science, Technion Internet Networking recitation #12 LSNAT - Load Sharing NAT (RFC 2391)
Lecture 11 Intrusion Detection (cont)

Lecture 11 Intrusion Detection (cont)
Scalability, Fidelity and Containment in the Potemkin Virtual Honeyfarm Authors: Michael Vrable, Justin Ma, Jay chen, David Moore, Erik Vandekieft, Alex.

Scalability, Fidelity and Containment in the Potemkin Virtual Honeyfarm Authors: Michael Vrable, Justin Ma, Jay chen, David Moore, Erik Vandekieft, Alex.
The Changing Internet Ecology: New Threats to Infrastructure Security Farnam Jahanian Arbor Networks / University of Michigan.

The Changing Internet Ecology: New Threats to Infrastructure Security Farnam Jahanian Arbor Networks / University of Michigan.
Introduction to Honeypot, Botnet, and Security Measurement

Introduction to Honeypot, Botnet, and Security Measurement
Network Security Essentials Chapter 11 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Network Security Essentials Chapter 11 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Network and Internet Security SYSTEM SECURITY. Virus Countermeasures Antivirus approach ◦Ideal solution: Prevention ◦Not allowing the virus to infect.

Network and Internet Security SYSTEM SECURITY. Virus Countermeasures Antivirus approach ◦Ideal solution: Prevention ◦Not allowing the virus to infect.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 8 – Denial of Service.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 8 – Denial of Service.

Similar presentations

Ads by Google