Mapping Internet Sensors with Probe Response Attacks
Authors: John Bethencourt, Jason Franklin, Mary Vernon
Published At: Usenix Security Symposium, 2005
Presented By: Anvita Priyam
Internet Sensor Networks
Used as a tool to detect malicious internet traffic,
e.g. honeypots, log analysis centers
They publish public reports without disclosing sensor locations.
Maintaining sensor anonymity is critical
Overview
Central Idea
Internet Storm Center (ISC) Background
Probe response attack
Countermeasures
Weaknesses
Suggestions
Central Idea
This paper presents an attack technique, “Probe Response”
It is capable of determining the location of internet sensors that publicly display statistics.
It uses the SANS Internet Storm Center as a case study.
Motivation for attack
Focus is on internet sensors that enable collaborative intrusion detection through a wide-area perspective of the internet.
[Diagram: sensors at several sites send logs to a central repository, which publishes statistics]
Case Study: The SANS Internet Storm
Center (ISC)
A system that collects data from internet sensors and publishes public reports.
It analyzes and aggregates this information and automatically publishes several types of reports.
These reports are useful in detecting new worms and blacklisting hosts controlled by malicious users.
Port Report
The attack is primarily concerned with port reports.
For each port the report gives three statistics:
> Number of reports: total entries in the log for that port
> Number of sources: distinct source IP addresses seen on the given port
> Number of targets: distinct destination IP addresses seen on the given port
Example
Probe Response Attack- The Big Picture
Core Idea – Probe an IP address with activity that will be reported to the ISC.
[Flowchart: the attacker sends packets to an address and then checks the reports. Reported? YES: the host is monitored and is submitting logs to the ISC. NO: look for the next IP address.]
Basic Probe Response Algorithm
Consists of two stages
First Stage
> Begins with an ordered list of IP addresses (0, 1, 2, …) to check.
> All invalid or unroutable addresses are filtered out
> SYN packets are sent on port P_i to each address in interval S_i.
First Stage (cont’d)
Wait for 2 hours and retrieve the port report
Intervals lacking activity are discarded
Remaining intervals are sent to the 2nd stage together with the number of monitored addresses in each
Second Stage
Repeats until the attack is complete
Distribute the ports among the remaining intervals
Divide each interval into subintervals
Send packets to every subinterval except the last
Second Stage (cont’d)
For each probed subinterval of a remaining interval we retrieve the report
Number in the last subinterval = (total in that interval − number in the other subintervals)
Empty subintervals are discarded
The remaining subintervals become the new set of remaining intervals
Continue to divide until only monitored or unmonitored addresses are left
Example
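An added simulation of the two-stage search described above, not code from the paper or the slides. It assumes a tiny constructed address space of 64 addresses and a stand-in port report that returns only the per-port "number of targets" count; the routable-address filtering and the 2-hour wait are omitted. It shows the subtraction trick for the last subinterval, and why publishing exact per-port target counts is the leak the countermeasures must remove.

```python
def port_report(monitored, probes):
    """Constructed stand-in for the ISC port report: for each port, the
    'number of targets', i.e. distinct probed addresses that are monitored."""
    return {port: len(set(addrs) & monitored) for port, addrs in probes.items()}

def split_interval(lo, hi, parts):
    """Divide [lo, hi) into up to `parts` non-empty subintervals."""
    size = max(1, -(-(hi - lo) // parts))
    return [(a, min(a + size, hi)) for a in range(lo, hi, size)]

def probe_response(space, ports, monitored, parts=4):
    """Two-stage probe response search over addresses 0..space-1.
    `monitored` is handed only to the simulated report oracle; the search itself
    sees nothing but per-port target counts. Returns (found, rounds, probes_sent)."""
    parts = min(parts, len(ports) + 1)          # at least one interval per round
    # First stage: one port per interval, a probe to every address in it.
    intervals = split_interval(0, space, len(ports))
    probes = {p: range(lo, hi) for p, (lo, hi) in zip(ports, intervals)}
    report = port_report(monitored, probes)
    sent = sum(len(r) for r in probes.values())
    remaining = [(iv, report[p]) for p, iv in zip(ports, intervals) if report[p] > 0]
    found, rounds = set(), 1
    while remaining:
        rounds += 1
        probes, inferred, deferred = {}, [], []
        free_ports = list(ports)
        for (lo, hi), count in remaining:
            if hi - lo == count:                # every address in it is monitored
                found.update(range(lo, hi)); continue
            subs = split_interval(lo, hi, parts)
            if len(subs) - 1 > len(free_ports):  # out of ports: retry next round
                deferred.append(((lo, hi), count)); continue
            used = [(free_ports.pop(), s) for s in subs[:-1]]  # last one unprobed
            probes.update({p: range(*s) for p, s in used})
            inferred.append((used, subs[-1], count))
        report = port_report(monitored, probes)
        sent += sum(len(r) for r in probes.values())
        remaining = deferred
        for used, last, count in inferred:
            seen = 0
            for p, s in used:
                if report[p]:
                    remaining.append((s, report[p]))
                seen += report[p]
            if count - seen:                    # last subinterval by subtraction
                remaining.append((last, count - seen))
    return found, rounds, sent
```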
Dealing with noise
Sources other than the attacker may be sending packets to a monitored address on the same destination ports
This increases the number of targets reported
Causes the algorithm to produce both false positives and false negatives
However, for a large number of ports this noise is low.
Use a report noise cancellation factor: send each probe that many times and, while reviewing the reports, divide the counts by the same factor
Simulation of Attack
First scenario: determine the exact set of monitored addresses (accurate but time consuming)
Second scenario: find a superset and a subset of the monitored addresses
Use three different attackers
T1: 1.544 Mbps upload bandwidth
T3: 38.4 Mbps upload bandwidth
OC6: 384 Mbps upload bandwidth
Results
Finding a Superset
Maximum false positive rate = 0.94
Report noise cancellation factor = 4
Runtime of the attack is reduced from 112 to 78 hours
Accepts around 3.5 million false positives, which had little effect on the number of probes
Finding a Subset
Maximum false negative rate = 0.001
Report noise cancellation factor = 2
Reduces the runtime from 33 days and 17 hours to 15 days and 18 hours
Reduces the number of probes sent from 9.5 billion to 4.4 billion
But misses 26% of the sensors
Countermeasures
Hashing: hash some or all of the fields
Encryption: encrypt a field with a key that is not publicly available
Private reports: limit the information in the reports
Query limiting: limit the rate at which reports can be downloaded
Sampling: sample the incoming logs for analysis before generating reports
Weaknesses
Uses an adaptive probe response algorithm, as each round depends on the result of the previous one
The countermeasures suggested are not very effective
Suggestions
Develop and evaluate a non-adaptive approach
Come up with more effective countermeasures