![Page 1: Network Forensics and Next Generation Internet Attackscs.jhu.edu/~fabian/courses/CS600.624/slides/discussion.pdf · Estimating botnet size How do we quantify these effects and relate](https://reader034.vdocuments.net/reader034/viewer/2022042319/5f0882247e708231d4225bcc/html5/thumbnails/1.jpg)
1
Network Forensics and NextGeneration Internet Attacks
Moderated by: Moheeb Rajab
Background singers: Jay and Fabian
![Page 2: Network Forensics and Next Generation Internet Attackscs.jhu.edu/~fabian/courses/CS600.624/slides/discussion.pdf · Estimating botnet size How do we quantify these effects and relate](https://reader034.vdocuments.net/reader034/viewer/2022042319/5f0882247e708231d4225bcc/html5/thumbnails/2.jpg)
2
Agenda
Questions and Critique of Timezones paper Extensions
Network Monitoring (recap)
Post-Mortem Analysis Background and Realms Problem of Identifying Patient zero Detecting Initial hit-list
Next Generation attacks (Omitted from slides) Implications and Challenges?
![Page 3: Network Forensics and Next Generation Internet Attackscs.jhu.edu/~fabian/courses/CS600.624/slides/discussion.pdf · Estimating botnet size How do we quantify these effects and relate](https://reader034.vdocuments.net/reader034/viewer/2022042319/5f0882247e708231d4225bcc/html5/thumbnails/3.jpg)
3
Botnets or Worms ?!
“The authors don’t provide evidence that botnetspropagate in the same way like regular worms”
Opening Sentence:4
3
2
Malware
Botnets
Worms
![Page 4: Network Forensics and Next Generation Internet Attackscs.jhu.edu/~fabian/courses/CS600.624/slides/discussion.pdf · Estimating botnet size How do we quantify these effects and relate](https://reader034.vdocuments.net/reader034/viewer/2022042319/5f0882247e708231d4225bcc/html5/thumbnails/4.jpg)
4
Student questions
![Page 5: Network Forensics and Next Generation Internet Attackscs.jhu.edu/~fabian/courses/CS600.624/slides/discussion.pdf · Estimating botnet size How do we quantify these effects and relate](https://reader034.vdocuments.net/reader034/viewer/2022042319/5f0882247e708231d4225bcc/html5/thumbnails/5.jpg)
5
Data Collection
“The original data collection method itself is worthmentioning as a strength of this paper”
“Can’t someone who sees all the traffic intended for aC&C server do more than simply gather SYN statistics”
“It is not clear to me how do they know that theycaptured the propagation phase in their tests”
![Page 6: Network Forensics and Next Generation Internet Attackscs.jhu.edu/~fabian/courses/CS600.624/slides/discussion.pdf · Estimating botnet size How do we quantify these effects and relate](https://reader034.vdocuments.net/reader034/viewer/2022042319/5f0882247e708231d4225bcc/html5/thumbnails/6.jpg)
6
Measuring Botnet Size
![Page 7: Network Forensics and Next Generation Internet Attackscs.jhu.edu/~fabian/courses/CS600.624/slides/discussion.pdf · Estimating botnet size How do we quantify these effects and relate](https://reader034.vdocuments.net/reader034/viewer/2022042319/5f0882247e708231d4225bcc/html5/thumbnails/7.jpg)
7
SYN Counting
Only looking at the Transport Layer Do we even know what this traffic is?
DHCP’d hosts DHCP will cause SYNs coming from different
addresses.
How does the Tarpit help?
Totally unrelated traffic Scans, exploit attempts, etc.
![Page 8: Network Forensics and Next Generation Internet Attackscs.jhu.edu/~fabian/courses/CS600.624/slides/discussion.pdf · Estimating botnet size How do we quantify these effects and relate](https://reader034.vdocuments.net/reader034/viewer/2022042319/5f0882247e708231d4225bcc/html5/thumbnails/8.jpg)
8
Estimating botnet size
How do we quantify these effects and relatethem back to the claimed 350 K size? Are we counting wrong? If we assume DHCP lease of∆ hours, how do these projections change?
Studied 50 botnets but we have 3 data points.
Fitting the model to the collected data What parameters did they use?
![Page 9: Network Forensics and Next Generation Internet Attackscs.jhu.edu/~fabian/courses/CS600.624/slides/discussion.pdf · Estimating botnet size How do we quantify these effects and relate](https://reader034.vdocuments.net/reader034/viewer/2022042319/5f0882247e708231d4225bcc/html5/thumbnails/9.jpg)
9
Evidence from “Da-list”
423 ( > 4 public IRCds)Feb 1st
11:00 AM EST
449Feb,1st
4:00 AM EST
Non-DNSDNSDate and Time
![Page 10: Network Forensics and Next Generation Internet Attackscs.jhu.edu/~fabian/courses/CS600.624/slides/discussion.pdf · Estimating botnet size How do we quantify these effects and relate](https://reader034.vdocuments.net/reader034/viewer/2022042319/5f0882247e708231d4225bcc/html5/thumbnails/10.jpg)
10
General consensus
Contrary to authors the attackers could use thetimezones effect to their benefit How?
This is old-school, right?: Zhou et al. A first look at P2P worms: Threats and
Defenses. IPTPS, 2005. Botnet Herders can hide behind VoIP. InfoWeek, 2/27/06
Okay, this is getting ridiculous
Cherry-picking: some weird indications …
![Page 11: Network Forensics and Next Generation Internet Attackscs.jhu.edu/~fabian/courses/CS600.624/slides/discussion.pdf · Estimating botnet size How do we quantify these effects and relate](https://reader034.vdocuments.net/reader034/viewer/2022042319/5f0882247e708231d4225bcc/html5/thumbnails/11.jpg)
11
Extensions Can we use this idea for containment?
Query to know if someone is infected How to preserve privacy and anonymity?
See Privacy-Preserving Data Mining. R. Agrawal and R.Srikant. Proceedings of SIGMOD, 2000
Patching rates? More grounded parameters might really affect model How might we get this?
Lifetime?
![Page 12: Network Forensics and Next Generation Internet Attackscs.jhu.edu/~fabian/courses/CS600.624/slides/discussion.pdf · Estimating botnet size How do we quantify these effects and relate](https://reader034.vdocuments.net/reader034/viewer/2022042319/5f0882247e708231d4225bcc/html5/thumbnails/12.jpg)
12
Student Extensions
Is there better ways to track botnets other thanpoisoning DNS? Crazy idea #1: Anti-worm
Crazy idea #2: Statistical responders Better way: Weidong Cui et al. Protocol-Independent
Adaptive Relay of Application Dialog. In NDSS 2006
What would you have liked to see with this data?
![Page 13: Network Forensics and Next Generation Internet Attackscs.jhu.edu/~fabian/courses/CS600.624/slides/discussion.pdf · Estimating botnet size How do we quantify these effects and relate](https://reader034.vdocuments.net/reader034/viewer/2022042319/5f0882247e708231d4225bcc/html5/thumbnails/13.jpg)
13
Using telescopes fornetwork forensics
![Page 14: Network Forensics and Next Generation Internet Attackscs.jhu.edu/~fabian/courses/CS600.624/slides/discussion.pdf · Estimating botnet size How do we quantify these effects and relate](https://reader034.vdocuments.net/reader034/viewer/2022042319/5f0882247e708231d4225bcc/html5/thumbnails/14.jpg)
14
Infer characteristics of the attackPopulation size, demographics, distribution Infection rate, scanning behavior .. etc
Trace the attack back to its origin(s) Identifying patient zero Identifying the hit-list (if any)Reconstructing the infection tree
Forensic (Post-mortem) analysis
![Page 15: Network Forensics and Next Generation Internet Attackscs.jhu.edu/~fabian/courses/CS600.624/slides/discussion.pdf · Estimating botnet size How do we quantify these effects and relate](https://reader034.vdocuments.net/reader034/viewer/2022042319/5f0882247e708231d4225bcc/html5/thumbnails/15.jpg)
15
Worm Evolution Tracking Realms
Graph Reconstruction
Reverse Engineering
Timing Analysis
![Page 16: Network Forensics and Next Generation Internet Attackscs.jhu.edu/~fabian/courses/CS600.624/slides/discussion.pdf · Estimating botnet size How do we quantify these effects and relate](https://reader034.vdocuments.net/reader034/viewer/2022042319/5f0882247e708231d4225bcc/html5/thumbnails/16.jpg)
16
Infection Graph Reconstruction
Proposed a random walk algorithm on the hostscontact graph Provides who infected whom tree
Identifies the worm entry point(s) to a local network oradministrative domain.
Xie et al, “Worm Origin IdentificationUsing Random Moonwalks” IEEESymposium on Security and Privacy, 2005
![Page 17: Network Forensics and Next Generation Internet Attackscs.jhu.edu/~fabian/courses/CS600.624/slides/discussion.pdf · Estimating botnet size How do we quantify these effects and relate](https://reader034.vdocuments.net/reader034/viewer/2022042319/5f0882247e708231d4225bcc/html5/thumbnails/17.jpg)
17
Random Moonwalks A random moonwalk on the host contact graph:
Start with an arbitrarily chosen flow
Pick a next step flow randomly to walk backward in timebackward in time
Observation: epidemic attacks have a treetree structure
Initial causal flows emerge as high frequency flowsInitial causal flows emerge as high frequency flows
T
ΔtΔtΔtΔtΔt
1 11
11
1
ABCDEFGHIJ
4550
30
30
40
38
10 8
41
159
28
18
31
16
20
2
2215
2
3
8
810
9
Slide by: Ed Knightly
Bt1
C
t2
F
t3 t5
t6
D E
H
G
t4
![Page 18: Network Forensics and Next Generation Internet Attackscs.jhu.edu/~fabian/courses/CS600.624/slides/discussion.pdf · Estimating botnet size How do we quantify these effects and relate](https://reader034.vdocuments.net/reader034/viewer/2022042319/5f0882247e708231d4225bcc/html5/thumbnails/18.jpg)
18
Random Moonwalk (Limitations)
Host Contact graph is known. requires extensive logging of host contacts
throughout the network
Only able to reconstruct infection history on alocal scale
Careful selection of parameters to guarantee theconvergence of the algorithms How to address this is left as open problem
![Page 19: Network Forensics and Next Generation Internet Attackscs.jhu.edu/~fabian/courses/CS600.624/slides/discussion.pdf · Estimating botnet size How do we quantify these effects and relate](https://reader034.vdocuments.net/reader034/viewer/2022042319/5f0882247e708231d4225bcc/html5/thumbnails/19.jpg)
19
Outwitting the Witty
Exploits the structure of the random number generatorused by the worm
Careful analysis of the worm payload allows us to reconstructthe infection series
Kumar et al, “Exploiting Underlying Structurefor Detailed Reconstruction of an Internet-scale Event”, IMC 2005
![Page 20: Network Forensics and Next Generation Internet Attackscs.jhu.edu/~fabian/courses/CS600.624/slides/discussion.pdf · Estimating botnet size How do we quantify these effects and relate](https://reader034.vdocuments.net/reader034/viewer/2022042319/5f0882247e708231d4225bcc/html5/thumbnails/20.jpg)
20
Witty Code !
srand(seed) { X ← seed }rand() { X ← X*214013 + 2531011; return X }
main()1. srand(get_tick_count());2. for(i=0;i<20,000;i++)3. dest_ip ← rand()[0..15] || rand()[0..15]4. dest_port ← rand()[0..15]5. packetsize ← 768 + rand()[0..8]6. packetcontents ← top-of-stack7. sendto()8. if(open_physical_disk(rand()[13..15] ))9. write(rand()[0..14] || 0x4e20)10. goto 111. else goto 2
![Page 21: Network Forensics and Next Generation Internet Attackscs.jhu.edu/~fabian/courses/CS600.624/slides/discussion.pdf · Estimating botnet size How do we quantify these effects and relate](https://reader034.vdocuments.net/reader034/viewer/2022042319/5f0882247e708231d4225bcc/html5/thumbnails/21.jpg)
21
Witty Code!
Each Witty packet makes 4 calls to rand()
If first call to rand() returns Xi :
3. dest_ip ← (Xi)[0..15] || (XI+1)[0..15]4. dest_port ← (XI+2)[0..15]
Given top 16 bits of Xi, now brute force all possible lower 16 bits tofind which yield consistent top 16 bits for XI+1 & XI+2
⇒ Single Witty packet suffices to extract infectee’s complete PRNGstate!
![Page 22: Network Forensics and Next Generation Internet Attackscs.jhu.edu/~fabian/courses/CS600.624/slides/discussion.pdf · Estimating botnet size How do we quantify these effects and relate](https://reader034.vdocuments.net/reader034/viewer/2022042319/5f0882247e708231d4225bcc/html5/thumbnails/22.jpg)
22
Interesting Observations
Reveals interesting facts about 700 infectedhosts: Uptime of infected machines
Number of available disks
Bandwidth Connectivity Who-infected whom Existence of hit-list Patient zero (?)
![Page 23: Network Forensics and Next Generation Internet Attackscs.jhu.edu/~fabian/courses/CS600.624/slides/discussion.pdf · Estimating botnet size How do we quantify these effects and relate](https://reader034.vdocuments.net/reader034/viewer/2022042319/5f0882247e708231d4225bcc/html5/thumbnails/23.jpg)
23
Reverse Engineering (Limitations)
Not easily generalizable Needs to be done on a case by case basis
Can be tedious (go back to the paper to see).
There must be an easier way, right?
![Page 24: Network Forensics and Next Generation Internet Attackscs.jhu.edu/~fabian/courses/CS600.624/slides/discussion.pdf · Estimating botnet size How do we quantify these effects and relate](https://reader034.vdocuments.net/reader034/viewer/2022042319/5f0882247e708231d4225bcc/html5/thumbnails/24.jpg)
24
Timing Analysis
Uses blind analysis of inter-arrival times ata network telescope to infer the wormevolution.
Moheeb Rajab et al. “Worm EvolutionTracking via Timing Analysis”, ACMWORM 2005
![Page 25: Network Forensics and Next Generation Internet Attackscs.jhu.edu/~fabian/courses/CS600.624/slides/discussion.pdf · Estimating botnet size How do we quantify these effects and relate](https://reader034.vdocuments.net/reader034/viewer/2022042319/5f0882247e708231d4225bcc/html5/thumbnails/25.jpg)
25
Problem Statement and Goals
To what extent can a network monitor trace theinfection sequence back to patient zero by observingthe order of unique source contacts?
For worms that start with a hitlist, can we use networkmonitors to detect the existence of the hitlist anddetermine its size?
Consider a uniform scanning worm withscanning rate s and vulnerable populationsize V and a monitor with effective size M.
![Page 26: Network Forensics and Next Generation Internet Attackscs.jhu.edu/~fabian/courses/CS600.624/slides/discussion.pdf · Estimating botnet size How do we quantify these effects and relate](https://reader034.vdocuments.net/reader034/viewer/2022042319/5f0882247e708231d4225bcc/html5/thumbnails/26.jpg)
26
Evolution Sequence and “Patient Zero”
We distinguish between two processes:
Time to Infect Time elapsed before the worm infects an additional
host
Time to Detect The time interval within which a monitor can
reliably detect at least one scan from a singlenewly infected host
inT
dT
![Page 27: Network Forensics and Next Generation Internet Attackscs.jhu.edu/~fabian/courses/CS600.624/slides/discussion.pdf · Estimating botnet size How do we quantify these effects and relate](https://reader034.vdocuments.net/reader034/viewer/2022042319/5f0882247e708231d4225bcc/html5/thumbnails/27.jpg)
27
Time to Infect and Time to Detect
![Page 28: Network Forensics and Next Generation Internet Attackscs.jhu.edu/~fabian/courses/CS600.624/slides/discussion.pdf · Estimating botnet size How do we quantify these effects and relate](https://reader034.vdocuments.net/reader034/viewer/2022042319/5f0882247e708231d4225bcc/html5/thumbnails/28.jpg)
28
Time to Infect and Time to Detect
Time to infect a new host
−
−−
=
3221
1log
11log
i
iin
sn
nVT
inT
![Page 29: Network Forensics and Next Generation Internet Attackscs.jhu.edu/~fabian/courses/CS600.624/slides/discussion.pdf · Estimating botnet size How do we quantify these effects and relate](https://reader034.vdocuments.net/reader034/viewer/2022042319/5f0882247e708231d4225bcc/html5/thumbnails/29.jpg)
29
Monitor Accuracy
Monitor Detection time, dT
∏=
−∑
−−= =n
i
sTT
e
i
j
jindM
P1
32
1
211
Probability of error
![Page 30: Network Forensics and Next Generation Internet Attackscs.jhu.edu/~fabian/courses/CS600.624/slides/discussion.pdf · Estimating botnet size How do we quantify these effects and relate](https://reader034.vdocuments.net/reader034/viewer/2022042319/5f0882247e708231d4225bcc/html5/thumbnails/30.jpg)
30
andinT dT
Uniform scanning worm:s = 350 scans/sec,V = 12,000Monitor size = /8
Probability of Error
![Page 31: Network Forensics and Next Generation Internet Attackscs.jhu.edu/~fabian/courses/CS600.624/slides/discussion.pdf · Estimating botnet size How do we quantify these effects and relate](https://reader034.vdocuments.net/reader034/viewer/2022042319/5f0882247e708231d4225bcc/html5/thumbnails/31.jpg)
31
Infection Sequence Similarity
Sequence Similarity
( )( )( ) ( )
∑=
→−+
−=
m
i AeBe
AeAB
ii
i
rr
rmY
0 ,,
,
1
1 2 3 4 5 6 7 8 9 m-1 m
1 2 3 4 56 7 89 m-1 m
Actual (A)
Monitor (B)
![Page 32: Network Forensics and Next Generation Internet Attackscs.jhu.edu/~fabian/courses/CS600.624/slides/discussion.pdf · Estimating botnet size How do we quantify these effects and relate](https://reader034.vdocuments.net/reader034/viewer/2022042319/5f0882247e708231d4225bcc/html5/thumbnails/32.jpg)
32
Is this any good?
Two (interesting) cases:
Varying monitor sizes
Non-homogeneous scanning rates
![Page 33: Network Forensics and Next Generation Internet Attackscs.jhu.edu/~fabian/courses/CS600.624/slides/discussion.pdf · Estimating botnet size How do we quantify these effects and relate](https://reader034.vdocuments.net/reader034/viewer/2022042319/5f0882247e708231d4225bcc/html5/thumbnails/33.jpg)
33
Bigger is Better
Larger telescopes provide ahighly similar view to theactual worm evolution
/16 view is completely useless!
![Page 34: Network Forensics and Next Generation Internet Attackscs.jhu.edu/~fabian/courses/CS600.624/slides/discussion.pdf · Estimating botnet size How do we quantify these effects and relate](https://reader034.vdocuments.net/reader034/viewer/2022042319/5f0882247e708231d4225bcc/html5/thumbnails/34.jpg)
34
Effect of non-homogeneous scanning
Scanning rate distribution derivedfrom CAIDA’s dataset
![Page 35: Network Forensics and Next Generation Internet Attackscs.jhu.edu/~fabian/courses/CS600.624/slides/discussion.pdf · Estimating botnet size How do we quantify these effects and relate](https://reader034.vdocuments.net/reader034/viewer/2022042319/5f0882247e708231d4225bcc/html5/thumbnails/35.jpg)
35
So, of what good is this?
Who cares what happens after thefirst 200 infections :-)
![Page 36: Network Forensics and Next Generation Internet Attackscs.jhu.edu/~fabian/courses/CS600.624/slides/discussion.pdf · Estimating botnet size How do we quantify these effects and relate](https://reader034.vdocuments.net/reader034/viewer/2022042319/5f0882247e708231d4225bcc/html5/thumbnails/36.jpg)
36
Problem Statement and Goals
To what extent can a network monitor trace theinfection sequence back to patient zero by observingthe order of unique source contacts?
For worms that start with a hitlist, can we use networkmonitors to detect the existence of the hitlist anddetermine its size?
Consider a uniform scanning worm withscanning rate s and vulnerable populationsize V and a monitor with effective size M.
![Page 37: Network Forensics and Next Generation Internet Attackscs.jhu.edu/~fabian/courses/CS600.624/slides/discussion.pdf · Estimating botnet size How do we quantify these effects and relate](https://reader034.vdocuments.net/reader034/viewer/2022042319/5f0882247e708231d4225bcc/html5/thumbnails/37.jpg)
37
What if the worm starts with a hit-list?
Hit-lists are used to Boost initial momentum of the worm (Possibly) hide the identity of patient zero
Trick: Exploit the pattern of inter-arrival timesof unique sources contacts at the monitor toinfer the existence and the size of the hitlist
![Page 38: Network Forensics and Next Generation Internet Attackscs.jhu.edu/~fabian/courses/CS600.624/slides/discussion.pdf · Estimating botnet size How do we quantify these effects and relate](https://reader034.vdocuments.net/reader034/viewer/2022042319/5f0882247e708231d4225bcc/html5/thumbnails/38.jpg)
38
Hit-list detection and size estimation
Pattern Changearound the hit-list
boundariesH = 100
Estimated hit-listH aprox. 8080% in the same /1688% belong to the same institution
Witty Worm (CAIDA)Simulation ( H = 100 )
![Page 39: Network Forensics and Next Generation Internet Attackscs.jhu.edu/~fabian/courses/CS600.624/slides/discussion.pdf · Estimating botnet size How do we quantify these effects and relate](https://reader034.vdocuments.net/reader034/viewer/2022042319/5f0882247e708231d4225bcc/html5/thumbnails/39.jpg)
39
Will we always see this pattern?
Same pattern was noticed also when varying populationsize and with non-homogeneous scanning rates.
H=1,000
![Page 40: Network Forensics and Next Generation Internet Attackscs.jhu.edu/~fabian/courses/CS600.624/slides/discussion.pdf · Estimating botnet size How do we quantify these effects and relate](https://reader034.vdocuments.net/reader034/viewer/2022042319/5f0882247e708231d4225bcc/html5/thumbnails/40.jpg)
40
Why is that?
With a hit-list of size the average worminfection time should be less than
With a /8 monitor there is no h0 that can satisfy thisinequality Of course, for uniform scanning worms
0hinT
( )
( )
−
−−≤
−−
32
32
0
21log
21
1log1log1
1logMhV
α
0/ hTd