IPAUDIT: An Analyst’s Perspective…
Phil Rodrigues
University of Connecticut
MIT Security Camp
Aug 15, 2002
Goals
• Show how I use IPAUDIT every day
  – Start the morning knowing nothing
  – Use IPAudit to identify network anomalies and investigate them
  – Go home at night knowing a little bit more
• Also: an overview of UConn’s security practices
Outline
• Web Graphs
  – Quick glance, looking for major issues
• Web Reports
  – Detailed look at suspicious anomalies
• Console
  – Thorough investigation of security incidents
Web Graphs
• Network Traffic
• Incoming / Outgoing Scans
• Busiest Hosts
Web Graphs: Traffic
• Plot of 30 minute total, inbound, and outbound traffic (bytes)
• Useful for large network anomalies: high-traffic transfers, D/DOS attacks, etc.
Web Graphs: Incoming Scans
• Shows local host connections that are either Only-Received, Only-Sent, or Sent-and-Received (normal)
• Only-Received detects incoming scans
• Only-Sent detects spoofed outbound attacks
Incoming Scans: Only-Received
• Only-Received detects incoming scans
  – Anomaly where a single remote address sends to a large number of local addresses
  – Most of these local addresses receive data but do not send any back
  – Displayed as a large red spike
Incoming Scans: Only-Sent
• Only-Sent detects spoofed outbound attacks
  – Anomaly where a large number of local addresses send data to a single remote address
  – Most of these local addresses are sending data but have not received any (most of them do not exist)
  – Displayed as a large blue spike
  – Can trace a spoofed address to a smaller network but not to a single computer
Web Graphs: Outgoing Scans
• Shows remote host connections that are either Only-Received, Only-Sent, or Sent-and-Received (normal)
• Only-Received detects outgoing scans
  – Anomaly where a large number of remote addresses receive data from one local address but do not reply
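The Only-Received / Only-Sent classification and the "one address talks to many that never reply" scan signal from the Incoming Scans and Outgoing Scans slides, as an added example that is not part of the original deck or of the ipaudit project. The record layout, the local network 10.0.0.0/16, the sample connections and the thresholds are all assumptions constructed for this example, not ipaudit's real 30-minute file format.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("10.0.0.0/16")  # assumed local /16 for the demo

# Constructed sample records in a simplified layout assumed for this example
# (not ipaudit's real file format): (src, dst, bytes_src_to_dst, bytes_dst_to_src)
RECORDS = [
    ("10.0.1.10", "192.0.2.80", 5000, 120000),  # normal web download
    ("10.0.1.11", "192.0.2.80", 4000, 90000),
    # one remote probes 21 locals and only one answers -> incoming scan
    *[("203.0.113.5", f"10.0.2.{i}", 60, 0) for i in range(1, 21)],
    ("203.0.113.5", "10.0.2.21", 60, 80),
    # one local hits 15 remotes that never answer -> outgoing scan
    *[("10.0.3.7", f"198.51.100.{i}", 48, 0) for i in range(1, 16)],
]

def is_local(ip):
    return ip_address(ip) in LOCAL_NET

def classify_local_hosts(records):
    """Label each local host Only-Received, Only-Sent or Sent-and-Received
    from the bytes it sent and received over the whole interval."""
    sent, recv = defaultdict(int), defaultdict(int)
    for src, dst, fwd, rev in records:
        for host, out_b, in_b in ((src, fwd, rev), (dst, rev, fwd)):
            if is_local(host):
                sent[host] += out_b
                recv[host] += in_b
    return {h: ("Sent-and-Received" if sent[h] and recv[h]
                else "Only-Received" if recv[h] else "Only-Sent")
            for h in set(sent) | set(recv)}

def fan_out_scans(records, min_peers=10, min_silent_ratio=0.8):
    """Sources that touch many distinct peers of which most never reply.
    A remote source is an incoming scan, a local source an outgoing one."""
    peers, silent = defaultdict(set), defaultdict(set)
    for src, dst, fwd, rev in records:
        peers[src].add(dst)
        if rev == 0:
            silent[src].add(dst)
    hits = []
    for src, dsts in peers.items():
        ratio = len(silent[src]) / len(dsts)
        if len(dsts) >= min_peers and ratio >= min_silent_ratio:
            kind = "outgoing" if is_local(src) else "incoming"
            hits.append((kind, src, len(dsts), len(silent[src])))
    return sorted(hits)
```

The spoofed-outbound case from the Only-Sent slide is the mirror image (many local sources, one remote destination, no replies) and would be found by grouping on the destination instead of the source.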
Web Graphs: Busiest Hosts
• Busiest local / remote hosts per 30 minutes.
  – Large “wide” anomalies usually indicate a hacked box (one-to-many, ftp/dcc), or occasionally DOS attacks (one-to-one).
  – Single spikes are usually legit file-transfers (one-to-one, fast I2 ftp transfers)
Web Reports
• 30 Minute
  – Detailed view of immediate incidents
• Daily
  – Summary of top talkers/scanners
• Weekly/Monthly
  – Accumulated totals of high traffic users
Web Reports: 30 Minute
• Incoming / Outgoing Scans
• Local / Remote Traffic
• Busiest Traffic Pairs
30 Minute: Scans
• Incoming: Good for informational purposes
• Outgoing:
  – Compromised local computers scan external networks sequentially for new targets
  – Virus-infected local computers scan external addresses randomly for new hosts
  – P2P “super-node” activity where one local address is relaying search requests for many different remote addresses
30 Minute: Local/Remote Traffic
• Normal ratio file-transfers: the top talkers / listeners usually get examined for TCP port details
• One-sided transfers (highlighted in yellow or red) indicate an in/out DOS (or UDP streams)
30 Minute: Traffic Pairs
• Who is talking to whom?
• Is that one busy local computer talking to many others (hacked), or to one other across I2 (research)?
• Gives a good geographical indicator: rr.ny.com, wanadoo.fr (hacked) vs nasa.gov, cornell.edu (research)
Web Reports: Daily
• Local/Remote Traffic
  – Shows large, slower accumulated traffic that the 30 min reports may not have alerted us to
• Incoming/Outgoing Scans
  – Shows large, slower scans that the 30 min reports missed
  – A slow scan of the entire class B would show up here, but there is a good chance the 30 min report or SNORT would not catch it
Web Reports: Weekly/Monthly
• Traffic
  – Just for measuring traffic, usually for bandwidth management
  – Allows for the slow accumulation of traffic
Console
• 30min files
  – Records all IP connection info per 30 mins
• RAW files
  – Records partial payload of selected TCP ports
  – telnet, ftp, smtp, irc, icmp
Console: 30min
• General Overview
  – grep|vi a full 30min file for one IP, to get a sense of what was going on:
    • Web surfing vs Nimda infection
    • P2P activity vs X-DCC transfers
    • Streaming video vs UDP DOS attacks
    • Failed logons vs password cracking
Console: 30min
• Detailed investigations
  – Start with an anomaly, then look to see what happened immediately before it for clues as to how they may have gotten in.
  – Determine the IP that was responsible for the intrusion, then see what else they were doing in the previous few days.
Console: Raw
• Detailed investigations
  – telnet, ftp, smtp, irc, icmp
  – Specific telnet commands (darn SSH)
  – ftp users/passwords and files (darn SCP)
  – irc conversations, channel/handle passwords
  – email headers for spam and other issues
Successes: Graphs
• Detection of D/DOS attacks or extremely popular (aka illicit) file servers
• Detection of new mass events like Code Red or Nimda
• Detection of infected/compromised hosts that are scanning external networks
Successes: Reports
• Frequent updates allow fast response to large-traffic or high scan intrusions
• Easy click-through from high-level reports to specific connection details
• Detection of moderate rate DOS attacks
• Summary of in/outbound scans that were too slow to detect by looking at a single time slice
Successes: Console
• Linux tools (grep, awk, uniq, sort, total, etc) allow for fast creation of detailed reports
• Fairly easy to get a complete picture of an intrusion by looking at before/after events
  – Spoofed attacks: Look at the time the attack started and scan for suspicious activity from a similar IP, which is probably the compromised host
Limitations
• Small-scale events get lost in the background noise of a busy network
• Takes 30 minutes to see new events
• Limited ability to see payload information
• SNORT happens to complement this nicely
Summary
• Web Graphs
  – Quick glance at the network – if it is quiet there things can’t be *that* bad.
• Web Reports
  – Summary of an hour, day, or week of events, to help target suspicious anomalies
• Console
  – Detailed investigation of incidents
Links
• IPAUDIT:
  – http://ipaudit.sourceforge.net
  – http://ipaudit.sf.net
• UConn Network Reports
  – http://turkey.ucc.uconn.edu
• Email:
  – [email protected]
  – [email protected]