Mapping Internet Sensors with Probe Response Attacks


Mapping Internet Sensors with Probe Response Attacks
Authors: John Bethencourt, Jason Franklin, Mary Vernon
Published At: USENIX Security Symposium, 2005
Presented By: Anvita Priyam

Internet Sensor Networks
Used as a tool to detect malicious internet traffic, e.g. honeypots, log analysis centers.
They publish public reports without disclosing sensor locations.
Maintaining sensor anonymity is critical.

Overview
Central Idea
Internet Storm Center (ISC) Background
Probe response attack
Countermeasures
Weaknesses
Suggestions

Central Idea
This paper presents an attack technique, "Probe Response".
It is capable of determining the location of internet sensors that publicly display statistics.
It uses the SANS Internet Storm Center as a case study.

Motivation for attack
Focus is on internet sensors that enable collaborative intrusion detection through a wide-area perspective of the internet.
[Figure: sensors send their logs from the source hosts to a central repository, which publishes statistics]

Case Study: The SANS Internet Storm Center (ISC)
System that collects data from internet sensors and publishes public reports.
It analyzes and aggregates this information and automatically publishes several types of reports.
These reports are useful in detecting new worms and blacklisting hosts controlled by malicious users.

Port Report
Attacks are primarily concerned with port reports.
For each port the report gives three statistics:
> Number of reports: total entries in the log
> Number of sources: distinct source IP addresses with the given port
> Number of targets: distinct destination IP addresses
Example

Probe Response Attack - The Big Picture
Core Idea: Probe an IP address with activity that will be reported to the ISC.
[Flowchart: the attacker sends packets to an address, then checks the reports. Reported? YES: the host is monitored and is submitting logs to the ISC. NO: look for the next IP address.]

Basic Probe Response Algorithm
Consists of two stages.
First Stage
> Begins with an ordered list of IP addresses (0, 1, 2, ...) to check.
> All invalid or unroutable addresses are filtered out.
> SYN packets are sent on port P_i to each address in S_i.
First Stage (cont'd)
Wait for 2 hours and retrieve the port report.
Intervals lacking activity are discarded.
Remaining intervals are sent to the 2nd stage with the number of monitored addresses in each.

Second Stage
Distribute the ports among the remaining intervals.
Divide each interval into subintervals.
Send packets to every subinterval except the last.
Repeat until the attack is complete.
Second Stage (cont'd)
For each subinterval of a remaining interval we retrieve the report.
Number in last subinterval = (total in that interval - number in other subintervals)
Empty subintervals are discarded.
Remaining subintervals are the new set of remaining intervals.
Continue to divide until only monitored or unmonitored addresses are left.
Example
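A worked example of the two-stage search, added here for illustration and not the authors' code: the ISC is replaced by a constructed in-memory model (`make_port_report`) that returns the "number of targets" statistic per port, so the divide-and-conquer over intervals, including inferring the last subinterval from the interval total, can be stepped through on a toy 64-address space. Background noise and the 2-hour report delay are not modelled.

```python
# Added illustration of the two-stage probe response search from the slides;
# not the authors' code. The ISC is a constructed in-memory model that returns,
# per port, the "number of targets" (distinct monitored addresses probed on it).

def make_port_report(monitored, probes):
    """Stand-in for the ISC port report: probes maps port -> set of probed
    addresses; the report gives the distinct monitored targets per port."""
    return {port: len(monitored & addrs) for port, addrs in probes.items()}

def split(items, n):
    """Split a list into at most n nearly equal contiguous, non-empty pieces."""
    n = max(1, min(n, len(items)))
    size, extra = divmod(len(items), n)
    pieces, start = [], 0
    for i in range(n):
        end = start + size + (1 if i < extra else 0)
        pieces.append(items[start:end])
        start = end
    return pieces

def probe_response(address_space, monitored, ports):
    """Return (monitored addresses found, report rounds, probes sent)."""
    # Stage 1: one port per interval of the whole address space.
    stage1 = split(list(address_space), len(ports))
    probes = {p: set(iv) for p, iv in zip(ports, stage1)}
    report = make_port_report(monitored, probes)
    remaining = [(iv, report[p]) for p, iv in zip(ports, stage1) if report[p] > 0]
    found, rounds, sent = set(), 1, sum(map(len, stage1))
    # Stage 2: subdivide the non-empty intervals until single addresses remain.
    while remaining:
        rounds += 1
        batch, remaining = remaining[:len(ports)], remaining[len(ports):]
        per_iv = len(ports) // len(batch)      # ports assigned to each interval
        probes, pending, pi = {}, [], 0
        for iv, total in batch:
            if len(iv) == 1:                   # a single address with count > 0
                found.add(iv[0]); continue     # is a monitored address
            subs = split(iv, per_iv + 1)
            used = ports[pi:pi + len(subs) - 1]
            pi += len(used)
            for p, sub in zip(used, subs[:-1]):  # probe all but the last sub
                probes[p] = set(sub)
                sent += len(sub)
            pending.append((subs, used, total))
        report = make_port_report(monitored, probes)
        for subs, used, total in pending:
            counts = [report[p] for p in used]
            counts.append(total - sum(counts))  # last subinterval is inferred
            remaining += [(s, c) for s, c in zip(subs, counts) if c > 0]
    return found, rounds, sent
```

With four ports and four monitored addresses in a 64-address space, the search recovers all four in six report rounds using 109 probes, far fewer than probing every address on its own port.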

Dealing with noise
Sources other than the attacker may be sending packets to a monitored address with the same destination ports.
This increases the number of targets reported.
Causes the algorithm to produce both false positives and false negatives.
However, for a large number of ports this noise is low.
Use a Report Noise Cancellation factor: send a multiple of the number of packets and, while reviewing the reports, divide by the same factor.

Simulation of Attack
First scenario: determine the exact set of monitored addresses (accurate but time consuming).
Second scenario: finding a superset and a subset of the monitored addresses.
Use three different attackers:
T1: 1.544 Mbps upload bandwidth
T3: 38.4 Mbps upload bandwidth
OC6: 384 Mbps upload bandwidth
Results

Finding a Superset
Maximum false positive rate = 0.94
Report noise cancellation factor = 4
Runtime of the attack is reduced from 112 to 78 hours.
Accepts around 3.5 million false positives, which had little effect on the number of probes.

Finding a Subset
Maximum false negative rate = 0.001
Report noise cancellation factor = 2
Reduces the runtime from 33 days and 17 hours to 15 days and 18 hours.
Reduces the number of probes sent from 9.5 billion to 4.4 billion.
But misses 26% of the sensors.

Countermeasures
Hashing: hash some or all of the fields.
Encryption: encrypt a field with a key that is not publicly available.
Private reports: limit the information in the reports.
Query limiting: limit the rate at which reports can be downloaded.
Sampling: sample the incoming logs for analysis before generating reports.

Weaknesses
Uses an adaptive probe response algorithm, as each round depends on the result of the previous one.
The countermeasures suggested are not very effective.

Suggestions
Developing and evaluating a non-adaptive approach.
Come up with a more effective countermeasure.