
MonNet – a project for network and traffic monitoring: Detection of malicious Traffic on Backbone Links via Packet Header Analysis. Wolfgang John and Tomas Olovsson.


1 MonNet – a project for network and traffic monitoring
Detection of malicious Traffic on Backbone Links via Packet Header Analysis
Wolfgang John and Tomas Olovsson
Department of Computer Science and Engineering, Chalmers University of Technology, Göteborg, Sweden

2 Introduction (TNC 2008, 2008-05-20)
Traffic filtering is often done locally
Backbone provides broader view
What is happening "in the wild"?
–Old, well known attack types?
–Distributed attacks to several hosts/networks?
–What to expect on ingress hosts?
How good is pure packet header analysis?

3 Introduction: Outline
1. Packet headers considered – Fields and potential problems
2. Dataset – Measurement location; Transport protocol breakdown
3. Anomalies observed – IP (+fragmentation), TCP, UDP, ICMP; Discussion and highlights
4. Summary and Conclusions

4 Packet Headers – IP header structure (figure)

5 Packet Headers (2) – TCP header structure (figure)

6 Packet Headers (3) – UDP header structure and ICMP header structure (figures)

7 Outline (2)
1. Packet headers considered – Fields and potential problems
2. Dataset – Measurement location; Transport protocol breakdown
3. Anomalies observed – IP (+fragmentation), TCP, UDP, ICMP; Discussion
4. Summary and Conclusions

8 Dataset: Measurement location
Topology (figure): Internet – Regional ISPs (Göteborg, Stockholm) – Other smaller Universities and Institutes, Göteborgs Univ., Student-Net, Chalmers Univ.
2x 10 Gbit/s (OC-192)
Capturing headers only
IP addresses anonymized
554 traces in late 2006
10 min. intervals during 3 months

9 Dataset (2): Transport protocol breakdown (figure)
CAIDA's DatCat: SUNET fall 2006 – https://imdc.datcat.org/collection/1-04HQ-3=SUNET+OC+192+Traces+fall+2006
Fragmentation figure: an IP original datagram is split into IP segments 1–4 and sent as fragments 1–4, which together form a fragment series


11 Anomalies observed: IP header anomalies
Two intervals with one million packets to four destinations
–Source IP of private class C (192.168/16)
–ICMP echo replies, 228 bytes
–DoS attack?
No exploits of IP source route
Land attack

12 Anomalies observed (2): IP fragmentation inconsistencies
IP ID values of zero are over-represented!
One host inside a University
–five campaigns to five destinations with series of 6-7 fragments
–iterating over entire port range
–half of the series with inconsistencies (holes etc.)
–hijacked host performing DoS (Frag attack!)
42 hosts are the main target
–1/5 of all fragment series to these hosts are incomplete
–many gaps only 8 byte long!
–DDoS? Or just packet loss?
35 different times and different hosts!
–Not only overlaps, but also gaps
–Overlapping fragments fill gaps – on wrong places!
–8 – 48 bytes overlapping fragments on consistent offsets
–Hardware/Software error? Common attack tool?
Good news: Ping-of-death, sPing, IceNewk etc. not observed!
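The per-series bookkeeping behind the "incomplete", "gap" and "overlapping" counts on this slide, as an added Python example (not code from the MonNet project): it takes the fragments of one datagram, sorts them by offset, and reports holes, overlapping byte ranges and whether the series is complete. The fragment values are constructed for the example and are not taken from the SUNET traces; the Fragment type and the function names are the example's own.

```python
"""Consistency check of IP fragment series: holes, overlaps, completeness.

Added example; the sample fragments below are constructed, not taken from
the SUNET traces discussed in the talk."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset in the original datagram (IP fragment-offset field * 8)
    length: int   # number of payload bytes carried by this fragment
    more: bool    # MF flag: True for every fragment except the last one


def check_series(frags):
    """Return (complete, gaps, overlaps) for one fragment series.

    gaps     - byte ranges [start, end) covered by no fragment
    overlaps - byte ranges [start, end) covered by more than one fragment
    complete - True when a last fragment (MF = 0) was seen and there are no gaps
    """
    gaps, overlaps = [], []
    covered_end = 0                       # bytes [0, covered_end) seen so far
    for f in sorted(frags, key=lambda f: f.offset):
        start, end = f.offset, f.offset + f.length
        if start > covered_end:           # hole before this fragment
            gaps.append((covered_end, start))
        elif start < covered_end and end > start:
            overlaps.append((start, min(end, covered_end)))
        covered_end = max(covered_end, end)
    has_last = any(not f.more for f in frags)
    return has_last and not gaps, gaps, overlaps


def incomplete_ratio(series_list):
    """Fraction of series that are incomplete (the kind of ratio the slide
    reports as '1/5 of all fragment series to these hosts')."""
    if not series_list:
        return 0.0
    bad = sum(1 for s in series_list if not check_series(s)[0])
    return bad / len(series_list)


# Constructed sample series: 1480-byte fragments of a datagram of about 4.6 kB.
COMPLETE = [Fragment(0, 1480, True), Fragment(1480, 1480, True),
            Fragment(2960, 1480, True), Fragment(4440, 200, False)]
MISSING_FRAGMENT = [COMPLETE[0], COMPLETE[2], COMPLETE[3]]      # one fragment lost
EIGHT_BYTE_GAP = [Fragment(0, 1480, True), Fragment(1488, 1480, True),
                  Fragment(2968, 200, False)]                    # 8-byte hole at 1480
OVERLAPPING = [Fragment(0, 1480, True), Fragment(1472, 1480, True),
               Fragment(2952, 200, False)]                       # 8 bytes re-sent twice

if __name__ == "__main__":
    for name, s in [("complete", COMPLETE), ("missing fragment", MISSING_FRAGMENT),
                    ("8-byte gap", EIGHT_BYTE_GAP), ("overlap", OVERLAPPING)]:
        print(name, check_series(s))
    print("incomplete ratio:",
          incomplete_ratio([COMPLETE, MISSING_FRAGMENT, EIGHT_BYTE_GAP, OVERLAPPING]))
```

A series with overlaps but no holes still counts as complete here, which matches the slide's distinction between incomplete series and overlapping ones; whether an 8-byte gap is packet loss or a crafted series cannot be decided from one series alone, which is why the slide asks the "DDoS? Or just packet loss?" question over many series and hosts.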

13 Anomalies observed (3): TCP header anomalies
Two or more field anomalies within the same TCP header
–21 % in RST/ACK packets from port 80
–79 % in SYN/ACK packets … SYN/ACK attacks?
Source and destination ports of zero
–equally shared
–mainly SYN packets in host scanning campaigns
Mahoney et al: FIN without ACK can reveal port-sweeps
–Not supported by our data!
–Mainly to P2P ports – pure FIN after SYN connection attempts

14 Anomalies observed (4): UDP header anomalies
From UDP port zero: around 30 scanning campaigns of /24 ranges to port numbers 1025 and 1026
–Windows messenger spam!

15 Anomalies observed (5): ICMP header observations
Two hosts sending 46 million "host redirects" during 12 days
–DoS attacks like Winfreez

16 Anomalies observed (6): ICMP header observations contd.
–No Ping-of-Death type attacks
–No obvious attack with ICMP dest. unreachable (Smack)
–No ICMP timestamp attacks (like moyari13)
–No large scale usage of invalid ICMP types (Twinge or Trash attacks)


18 Summary and Conclusions
Systematic listing of header anomalies
Occurrences in real backbone traffic
Many old attacks still out there
–but some formerly popular attacks vanished
Constant "noise" of anomalous packets
Some major campaigns of malicious activities detected

19 Summary and Conclusions (2)
Pure packet header analysis reveals a substantial amount of malicious activity
Watch out for
–IP ID of zero
–port numbers of zero
–Strange TCP flags
–Reserved IP addresses
–Unusual ICMP activity

20 Summary and Conclusions (3)
Next steps
–Study potential of IP ID, SEQ and ACK numbers and port numbers for detection
–Get access to payload data / broadcast addr.: anomalous application headers? Malicious code?
–Correlate packets (flows): scannings, DDoS campaigns? What happens before? After?

21 MonNet – a project for network and traffic monitoring
More Information: http://www.chalmers.se/cse/EN/people/john-wolfgang or Email: johnwolf@chalmers.se
Questions?

