IPAUDIT: An Analyst’s Perspective… Phil Rodrigues, University of Connecticut. MIT Security Camp, Aug 15, 2002


Page 1

IPAUDIT: An Analyst’s Perspective…

Phil Rodrigues

University of Connecticut

MIT Security Camp

Aug 15, 2002

Page 2

Goals

• Show how I use IPAUDIT every day
– Start the morning knowing nothing
– Use IPAudit to identify network anomalies and investigate them
– Go home at night knowing a little bit more

• Also: an overview of UConn’s security practices

Page 3

Outline

• Web Graphs
– Quick glance, looking for major issues

• Web Reports
– Detailed look at suspicious anomalies

• Console
– Thorough investigation of security incidents

Page 4

Web Graphs

• Network Traffic

• Incoming / Outgoing Scans

• Busiest Hosts

Page 5

Web Graphs: Traffic

• Plot of 30 minute total, inbound, and outbound traffic (bytes)

• Useful for large network anomalies: high-traffic transfers, D/DOS attacks, etc.

Page 6

Web Graphs: Incoming Scans

• Shows local host connections that are either Only-Received, Only-Sent, or Sent-and-Received (normal)

• Only-Received detects incoming scans

• Only-Sent detects spoofed outbound attacks

Page 7

Incoming Scans: Only-Received

• Only-Received detects incoming scans
– Anomaly where a single remote address sends to a large number of local addresses
– Most of these local addresses receive data but do not send any back
– Displayed as a large red spike

Page 8

Incoming Scans: Only-Sent

• Only-Sent detects spoofed outbound attacks
– Anomaly where a large number of local addresses send data to a single remote address
– Most of these local addresses are sending data but have not received any (most of them do not exist)
– Displayed as a large blue spike
– Can trace a spoofed address to a smaller network but not to a single computer

Page 9

Web Graphs: Outgoing Scans

• Shows remote host connections that are either Only-Received, Only-Sent, or Sent-and-Received (normal)

• Only-Received detects outgoing scans
– Anomaly where a large number of remote addresses receive data from one local address but do not reply
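The Only-Received / Only-Sent classification of pages 6 to 9, worked through as an added shell example; this is not code from the deck or from the ipaudit project. It assumes a simplified, constructed record layout (local remote proto lport rport bytes_out bytes_in) rather than ipaudit's real output format, constructed sample records in documentation address ranges, and a hypothetical threshold of three silent peers to turn per-connection classes into the three spike patterns the slides describe.

```shell
#!/bin/sh
# Constructed sample of one simplified 30-minute window (NOT real ipaudit output).
# Fields: local_ip remote_ip proto lport rport bytes_out bytes_in
sample_records() {
cat <<'EOF'
10.1.0.5 192.0.2.10 6 45001 80 1200 54000
10.1.0.5 192.0.2.11 6 45002 443 900 30000
10.1.0.9 203.0.113.7 17 53 53 140 300
10.1.0.7 198.51.100.9 6 80 5100 0 60
10.1.0.8 198.51.100.9 6 80 5101 0 60
10.1.0.9 198.51.100.9 6 80 5102 0 60
10.1.0.10 198.51.100.9 6 80 5103 0 60
10.1.0.33 203.0.113.1 6 40001 445 60 0
10.1.0.33 203.0.113.2 6 40002 445 60 0
10.1.0.33 203.0.113.3 6 40003 445 60 0
10.1.0.33 203.0.113.4 6 40004 445 60 0
10.1.0.101 192.0.2.200 17 1024 53 500 0
10.1.0.102 192.0.2.200 17 1024 53 500 0
10.1.0.103 192.0.2.200 17 1024 53 500 0
EOF
}

# Label each connection from the local host's point of view (the three classes on page 6):
# R = Only-Received, S = Only-Sent, B = Sent-and-Received (normal). Prints: local remote class
classify() {
    sample_records | awk '{ c = ($6 > 0 && $7 > 0) ? "B" : ($6 > 0 ? "S" : "R"); print $1, $2, c }'
}

# Per-local-host count of each class, i.e. the numbers behind the page 6 graph.
local_summary() {
    classify | awk '{ n[$1 " " $3]++ } END { for (k in n) print k, n[k] }' | sort
}

# Distinct peers per key within one class; keep keys with at least $4 silent peers.
# $1 = class, $2 = key column, $3 = peer column (1 = local, 2 = remote), $4 = threshold
fan() {
    classify | awk -v cls="$1" -v k="$2" -v p="$3" '$3 == cls { print $k, $p }' |
        sort -u | awk -v n="$4" '{ c[$1]++ } END { for (x in c) if (c[x] >= n) print x, c[x] }' | sort
}

incoming_scan_sources() { fan R 2 1 "$1"; }  # page 7: one remote -> many locals, no reply
spoofed_outbound()      { fan S 2 1 "$1"; }  # page 8: many locals -> one remote, no reply
outgoing_scanners()     { fan S 1 2 "$1"; }  # page 9: one local -> many remotes, no reply
```

Each detector prints the offending address and the number of silent peers; the same threshold applied to the spoofed case only names the remote target, which is as far as the slides say a spoofed source can be traced.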

Page 10

Web Graphs: Busiest Hosts

• Busiest local / remote hosts per 30 minutes
– Large “wide” anomalies usually indicate a hacked box (one-to-many, ftp/dcc), or occasionally DOS attacks (one-to-one)
– Single spikes are usually legit file transfers (one-to-one, fast I2 ftp transfers)

Page 11

Web Reports

• 30 Minute
– Detailed view of immediate incidents

• Daily
– Summary of top talkers/scanners

• Weekly/Monthly
– Accumulated totals of high traffic users

Page 12

Web Reports: 30 Minute

• Incoming / Outgoing Scans

• Local / Remote Traffic

• Busiest Traffic Pairs

Page 13

30 Minute: Scans

• Incoming: Good for informational purposes

• Outgoing:
– Compromised local computers scan external networks sequentially for new targets
– Virus-infected local computers scan external addresses randomly for new hosts
– P2P “super-node” activity where one local address is relaying search requests for many different remote addresses

Page 14

30 Minute: Local/Remote Traffic

• Normal ratio file-transfers: the top talkers / listeners usually get examined for TCP port details

• One-sided transfers (highlighted in yellow or red) indicate an in/out DOS (or UDP streams)

Page 15

30 Minute: Traffic Pairs

• Who is talking to whom?

• Is that one busy local computer talking to many others (hacked), or to one other across I2 (research)?

• Gives a good geographical indicator: rr.ny.com, wanado.fr (hacked) vs nasa.gov, cornell.edu (research)

Page 16

Web Reports: Daily

• Local/Remote Traffic
– Shows large, slower accumulated traffic that 30 min reports may not have alerted us to

• Incoming/Outgoing Scans
– Shows large, slower scans that 30 min reports missed
– A slow scan of the entire class B would show up here, but there is a good chance the 30 min report or SNORT would not catch it

Page 17

Web Reports: Weekly/Monthly

• Traffic
– Just for measuring traffic, usually for bandwidth management
– Allows for the slow accumulation of traffic

Page 18

Console

• 30min files
– Records all IP connection info per 30 mins

• RAW files
– Records partial payload of selected TCP ports
– telnet, ftp, smtp, irc, icmp

Page 19

Console: 30min

• General Overview
– grep|vi a full 30min file for one IP, to get a sense of what was going on:

• Web surfing vs Nimda infection

• P2P activity vs X-DCC transfers

• Streaming video vs UDP DOS attacks

• Failed logons vs password cracking

Page 20

Console: 30min

• Detailed investigations
– Start with an anomaly, then look at what happened immediately before it for clues as to how they may have gotten in
– Determine the IP that was responsible for the intrusion, then see what else they were doing in the previous few days
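The console workflow of pages 19 and 20 (pull one IP out of a 30min file, profile what it was doing, then look at what happened just before the anomaly) as an added shell example; it is not code from the deck or from ipaudit. The record layout (time local remote proto lport rport bytes_out bytes_in), the constructed sample records, and the rule that a local port below 1024 with a remote port of 1024 or above marks an inbound service session are all assumptions.

```shell
#!/bin/sh
# Constructed sample of one simplified 30-minute window (NOT real ipaudit output).
# Fields: time local_ip remote_ip proto lport rport bytes_out bytes_in
sample_records() {
cat <<'EOF'
09:02:11 10.1.0.44 192.0.2.10 6 45001 80 1200 54000
09:03:40 10.1.0.44 192.0.2.11 6 45002 80 800 22000
09:05:02 10.1.0.44 198.51.100.23 6 80 3311 340 6100
09:06:15 10.1.0.44 192.0.2.12 6 45003 443 700 15000
09:10:30 10.1.0.44 203.0.113.1 6 40001 80 120 0
09:10:31 10.1.0.44 203.0.113.2 6 40002 80 120 0
09:10:31 10.1.0.44 203.0.113.3 6 40003 80 120 0
09:10:32 10.1.0.44 203.0.113.4 6 40004 80 120 0
09:10:32 10.1.0.44 203.0.113.5 6 40005 80 120 0
09:11:00 10.1.0.50 192.0.2.10 6 45100 80 900 40000
EOF
}

# The "grep a full 30min file for one IP" step: every record the host took part in.
host_records() { sample_records | awk -v ip="$1" '$2 == ip || $3 == ip'; }

# Port profile: per remote port, how many distinct peers and how many of them replied.
# Web surfing looks like a few peers that all reply; a Nimda-style scan looks like
# many peers on port 80 with almost no replies.
port_profile() {
    host_records "$1" | awk -v ip="$1" '
        $2 == ip { k = $6 " " $3; seen[k] = 1; if ($8 > 0) rep[k] = 1 }
        END { for (k in seen) { split(k, f, " "); n[f[1]]++; if (k in rep) r[f[1]]++ }
              for (p in n) print p, n[p], r[p] + 0 }' | sort -k2,2nr -k1,1n
}

# Start of the anomaly: time of the first Only-Sent record (bytes out, nothing back).
first_onesided() {
    host_records "$1" | awk -v ip="$1" '$2 == ip && $7 > 0 && $8 == 0 { print $1; exit }'
}

# Remotes that reached a low (service) port on the host and got a reply before the
# anomaly began: the "what happened immediately before it" clue of page 20.
# Assumes a local port below 1024 and a remote port of 1024 or above mark an inbound session.
inbound_before() {
    host_records "$1" | awk -v ip="$1" -v t="$2" \
        '$2 == ip && $1 < t && $5 < 1024 && $6 >= 1024 && $8 > 0 { print $3 }' | sort -u
}
```

A typical run chains the three steps: port_profile 10.1.0.44 shows port 80 with seven peers and two replies, first_onesided 10.1.0.44 gives the moment the one-sided traffic began, and inbound_before 10.1.0.44 with that time lists the one remote that had an answered session to the host's port 80 beforehand.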

Page 21

Console: Raw

• Detailed investigations
– telnet, ftp, smtp, irc, icmp
– Specific telnet commands (darn SSH)
– ftp users/passwords and files (darn SCP)
– irc conversations, channel/handle passwords
– email headers for spam, etc. issues

Page 22

Successes: Graphs

• Detection of D/DOS attacks or extremely popular (aka illicit) file servers

• Detection of new mass events like Code Red or Nimda

• Detection of infected/compromised hosts that are scanning external networks

Page 23

Successes: Reports

• Frequent updates allow fast response to large-traffic or high scan intrusions

• Easy click-through from high-level reports to specific connection details

• Detection of moderate rate DOS attacks

• Summary of in/outbound scans that were too slow to detect when looking at a single time period

Page 24

Successes: Console

• Linux tools (grep, awk, uniq, sort, total, etc.) allow for fast creation of detailed reports

• Fairly easy to get a complete picture of an intrusion by looking at before/after events
– Spoofed attacks: Look at the time the attack started and scan for suspicious activity from a similar IP, which is probably the compromised host

Page 25

Limitations

• Small-scale events get lost in background noise of busy network

• Takes 30 minutes to see new events

• Limited ability to see payload information

• SNORT: happens to complement this nicely

Page 26

Summary

• Web Graphs
– Quick glance at the network – if it is quiet there, things can’t be *that* bad

• Web Reports
– Summary of an hour, day, or week of events, to help target suspicious anomalies

• Console
– Detailed investigation of incidents

Page 27

Links

• IPAUDIT:
– http://ipaudit.sourceforge.net
– http://ipaudit.sf.net

• UConn Network Reports
– http://turkey.ucc.uconn.edu

• Email:
– [email protected]
– [email protected]