High-Speed Traffic Analysis for Security: Challenges & Approaches - PowerPoint PPT Presentation



SLIDE 1

High-Speed Traffic Analysis for Security: Challenges & Approaches

C-DAC
Asia-Pacific Advanced Network (APAN) 32nd Meeting, India Habitat Centre, New Delhi

APAN 32nd Meeting, New Delhi, India

SLIDE 2

Presentation Outline

  • Introduction


  • Observations & Findings
  • Active and Passive Measurements
  • Challenges and approaches


  • Interesting Works

SLIDE 3

Introduction

  • Evolution

– Copper to fibre
– Merging of LAN & WAN technologies
– Gigabits at LAN and multi-gigabits at backbone
– IPv4 to IPv6
– High-speed TCP
– e-Governance, e-Science applications and social computing

SLIDE 4

Vulnerabilities

  • Backbone

– Security concerns with respect to routing (BGP)
– Concerns with respect to infrastructure

  • DoS, DDoS, DNS, botnets
  • User End

– Malware, reconnaissance, data exfiltration, buffer overflows, DDoS, etc.

SLIDE 5

Interesting findings

  • DDoS attacks break the 100 Gbps barrier (2010)

  • Application-layer DDoS increasing in sophistication

  • DNS has emerged as key attack target
  • IPv4-IPv6 security concerns
  • Most attacks are targeted at specific customer services and aimed at network services (DNS)

SLIDE 6

Threats observed

  • DDoS towards User End


  • Misconfigurations and failure of devices
  • Botnets / Compromised hosts


  • HTTP, SMTP and DNS most targeted (DDoS)

  • Average time to mitigate a DDoS is 20 minutes

  • Zombie Computers (Botnet)

SLIDE 7

Infrastructure Protection


  • Backbone

– ACLs
  • RFC 1918, 3330, 3704 (RFC 3330 has since been obsoleted by RFC 5735 and then RFC 6890; RFC 3704 is the BCP 84 ingress-filtering guidance for multihomed networks)
– Blackholing
– DNS sinkhole, scrubbing
– Committed access rate (rate limiting)
– Stateful firewall, IPS

  • Most of them fail to handle DDoS
  • Customer End

– ACL, Stateful Firewall, IDS/IPS, UTM, Malware prevention

SLIDE 8

Traffic Analysis: Objectives

  • Trend analysis


  • Prevention of intrusions and attacks
  • Anomaly detection


  • QoS/SLA Validation


  • Network Provisioning & Design

SLIDE 9

Obtain Statistics

  • Host/Interface based (IP address)


  • Application based (Port based)
  • Application classification (application header analysis)

  • Temporal (time based)
  • Protocol based (TCP, UDP, ICMP..)

SLIDE 10

Aspects examined


  • Packet Level

– Bits per second (rate)
– Size of packets
– Latencies, RTT
– Throughput
– Availability
– Packet drops & errors
– Deep packet inspection
– Header analysis

  • Connection Level


– Connection rate
– Direction of traffic (incoming/outgoing)
– Stateful inspection
– Flow analysis

  • Application profiling
  • Vulnerability assessment
  • Compliance with standards (RFCs)

SLIDE 11

Traffic Analysis

  • Active Measurement


  • Passive Measurement
  • Header based Analysis


  • Deep Packet Inspection


  • Handling encrypted packets
  • Signature based detection
  • Detecting Anomalies

SLIDE 12

Active Measurement

  • Perturbs the network: measurement is carried out by injecting specifically crafted probe packets

– Ping, traceroute (network tomography)
– CapProbe, pathchar (delay, capacity estimation)

  • Vulnerability measurement

– Nessus, nmap

  • Network Interface statistics

– SNMP (polling)

SLIDE 13

Passive Measurement

  • Pure observations and analysis of traffic
  • Packet Analysis

– Sniffers, tcpdump, Wireshark

  • Flow level monitoring

– NetFlow, IDS (like Snort/Bro)


  • Traffic Classification

– CoralReef


  • TCP

– Tstat (TCPtrace): multi-gigabit-per-second traffic analysis tool

SLIDE 14

Passive Capture and Analysis

SLIDE 15

Packet Capture

  • Standard Ethernet linecards

– libpcap
– libnetfilter_queue (libipq)
– libnids

  • Dedicated Hardware

– Like Endace DAG

  • Formats

– pcap, ERF, EtherPeek, snoop, flow records
– RRD

  • Challenges

– Scalability, efficient memory management

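The capture formats listed above are what a passive pipeline has to parse before any of the statistics or header analysis can start. The following is an added example, not code from the C-DAC slides: a minimal reader for the classic libpcap file layout (24-byte global header, 16-byte per-record header, link type 1 = Ethernet) that decodes the Ethernet/IPv4/TCP/UDP header fields the later slides analyse. The capture it reads is constructed in memory by `build_pcap`, so it runs offline; `SAMPLE_PACKETS`, `protocol_counts` and every other name here are this example's own, not a library API.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

PCAP_MAGIC = 0xA1B2C3D4          # microsecond pcap; nanosecond (0xA1B23C4D) not handled here
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800


@dataclass
class PacketHeader:
    ts: float
    src: str
    dst: str
    proto: int               # IPv4 protocol number: 6 = TCP, 17 = UDP
    sport: Optional[int]
    dport: Optional[int]
    tcp_flags: int           # TCP flag byte (FIN=1, SYN=2, RST=4, ACK=16); 0 for non-TCP
    wire_len: int            # original length from the record header


def iter_pcap(data: bytes) -> Iterator[PacketHeader]:
    """Yield decoded headers from pcap bytes; non-IPv4 frames are skipped."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", data[:4])[0]      # magic reveals the writer's byte order
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a pcap file (magic %#x)" % magic)
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < incl_len:
            break                                  # truncated last record: stop, don't guess
        hdr = decode_frame(frame, sec + usec / 1e6, orig_len)
        if hdr is not None:
            yield hdr


def decode_frame(frame: bytes, ts: float, wire_len: int) -> Optional[PacketHeader]:
    """Decode Ethernet + IPv4 (+ TCP/UDP ports and TCP flags); None if not IPv4."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                       # IP options make this > 20
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        return None
    proto = ip[9]
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    l4 = ip[ihl:]
    sport = dport = None
    flags = 0
    if proto in (6, 17) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
    if proto == 6 and len(l4) >= 14:
        flags = l4[13]
    return PacketHeader(ts, src, dst, proto, sport, dport, flags, wire_len)


def build_pcap(packets: List[Tuple[float, str, str, int, int, int, int]]) -> bytes:
    """Serialise (ts, src, dst, proto, sport, dport, tcp_flags) tuples into a
    little-endian pcap byte string. Constructed test data, not a real capture."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for ts, src, dst, proto, sport, dport, flags in packets:
        l4 = struct.pack("!HH", sport, dport)
        if proto == 6:   # seq, ack, data offset (5 words), flags, window, checksum, urgent
            l4 += struct.pack("!IIBBHHH", 0, 0, 5 << 4, flags, 65535, 0, 0)
        else:            # UDP: length, checksum (0 = not computed)
            l4 += struct.pack("!HH", 8, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst)) + l4
        frame = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip
        sec, usec = int(ts), int(round((ts - int(ts)) * 1e6))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return bytes(out)


def protocol_counts(data: bytes) -> dict:
    """Packets per IPv4 protocol: the simplest of the 'obtain statistics' views."""
    counts: dict = {}
    for h in iter_pcap(data):
        counts[h.proto] = counts.get(h.proto, 0) + 1
    return counts


# Constructed sample: a TCP SYN to a web server, its SYN/ACK, and a DNS query.
SAMPLE_PACKETS = [
    (1.000000, "10.0.0.5", "203.0.113.80", 6, 40001, 80, 0x02),
    (1.000250, "203.0.113.80", "10.0.0.5", 6, 80, 40001, 0x12),
    (1.500000, "10.0.0.5", "10.0.0.53", 17, 53124, 53, 0),
]

if __name__ == "__main__":
    for h in iter_pcap(build_pcap(SAMPLE_PACKETS)):
        print(h)
    print(protocol_counts(build_pcap(SAMPLE_PACKETS)))
```

Two details matter at line rate: the reader never trusts `incl_len` beyond the buffer it actually has (a truncated final record is dropped rather than mis-decoded), and it honours the IHL field, so IPv4 options do not shift the transport header. A real capture path would read records from a ring buffer (PF_RING, DAG) rather than a byte string, but the decoding step is the same.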
SLIDE 16

High-Speed Packet Capture


  • Network support in the OS is generic, so the time taken for a packet to move from the network adapter to user space is high

– Latency and per-packet processing load

  • Performance

– System cost to bring packets from the network to user space/application
– Application processing cost (classification, checksum, etc.)

  • Solutions

– Memory-mapped packet buffers (PF_RING) and DNA
– NetFPGA


Header Analysis

  • Threshold based:

– Find the number of packets generated by internal hosts to a destination port in a time interval
– TCP SYN and UDP packet based analysis
– Scanning of sequential destination addresses (after random IP address generation)
– Traffic towards unallocated IP addresses (IANA/bogon lists)
– Number of distinct destination IPs

  • Application header analysis
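
The threshold rules above, as an added example that is not the C-DAC tool's code: `analyze` evaluates the five header checks over a sliding time window of decoded header records (the shape a flow collector or packet decoder would hand it). The site prefix, the partial bogon list, the thresholds and the constructed traffic in `sample_records` are all assumptions of this example; RFC 5737 documentation prefixes stand in for real internal and external addresses, which is why they are deliberately absent from the bogon subset.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple

SYN, ACK = 0x02, 0x10


class Hdr(NamedTuple):
    ts: float
    src: str
    dst: str
    proto: int       # 6 = TCP, 17 = UDP
    dport: int
    tcp_flags: int   # 0 for non-TCP


# Assumed site prefix (RFC 5737 documentation space used as a stand-in).
INTERNAL = ipaddress.ip_network("203.0.113.0/24")
# Partial bogon list: RFC 1918 plus a few IANA special-use blocks. A deployment
# would load the full, regularly refreshed bogon feed instead of this subset.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def longest_sequential_run(addrs: List[int]) -> int:
    """Longest run of consecutive destination addresses in arrival order."""
    best = run = 1 if addrs else 0
    for a, b in zip(addrs, addrs[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def analyze(records: List[Hdr], window: float, now: float, *,
            max_pkts_per_port: int = 100, max_syn: int = 10,
            max_distinct_dst: int = 10, min_seq_run: int = 8) -> List[Tuple[str, str, str]]:
    """Return (rule, internal_src, detail) alerts for traffic from internal hosts
    with ts in (now - window, now]. Thresholds are illustrative, not tuned values."""
    per_port: Dict[Tuple[str, int], int] = defaultdict(int)
    syn_only: Dict[str, int] = defaultdict(int)
    dsts: Dict[str, Set[str]] = defaultdict(set)
    dst_order: Dict[str, List[int]] = defaultdict(list)
    seen_bogon: Set[Tuple[str, str]] = set()
    alerts: List[Tuple[str, str, str]] = []

    for r in records:
        if not (now - window < r.ts <= now) or ipaddress.ip_address(r.src) not in INTERNAL:
            continue
        d = ipaddress.ip_address(r.dst)
        per_port[(r.src, r.dport)] += 1
        dsts[r.src].add(r.dst)
        dst_order[r.src].append(int(d))
        if r.proto == 6 and (r.tcp_flags & (SYN | ACK)) == SYN:   # pure SYN, no ACK
            syn_only[r.src] += 1
        if any(d in n for n in BOGONS) and (r.src, r.dst) not in seen_bogon:
            seen_bogon.add((r.src, r.dst))
            alerts.append(("bogon_destination", r.src, r.dst))

    for (src, dport), n in per_port.items():
        if n > max_pkts_per_port:
            alerts.append(("port_packet_rate", src, "%d packets to port %d" % (n, dport)))
    for src, n in syn_only.items():
        if n > max_syn:
            alerts.append(("syn_rate", src, "%d pure SYNs" % n))
    for src, s in dsts.items():
        if len(s) > max_distinct_dst:
            alerts.append(("distinct_destinations", src, "%d distinct destinations" % len(s)))
    for src, order in dst_order.items():
        run = longest_sequential_run(order)
        if run >= min_seq_run:
            alerts.append(("sequential_scan", src, "%d consecutive addresses" % run))
    return alerts


def sample_records() -> List[Hdr]:
    """Constructed traffic: a normal client, a sequential SYN scanner, a host
    talking to a bogon address, a UDP flooder, and an old scan outside the window."""
    recs = [Hdr(90 + i * 0.1, "203.0.113.10", "198.51.100.5", 6, 443, SYN if i == 0 else ACK)
            for i in range(5)]
    recs += [Hdr(95 + i * 0.01, "203.0.113.20", "198.51.100.%d" % (1 + i), 6, 445, SYN)
             for i in range(12)]
    recs.append(Hdr(96.0, "203.0.113.30", "10.9.8.7", 17, 53, 0))
    recs += [Hdr(97 + i * 0.001, "203.0.113.40", "198.51.100.9", 17, 53, 0) for i in range(150)]
    recs += [Hdr(0.5 + i * 0.01, "203.0.113.50", "198.51.100.%d" % (1 + i), 6, 22, SYN)
             for i in range(12)]
    return recs


if __name__ == "__main__":
    for alert in analyze(sample_records(), window=60.0, now=100.0):
        print(alert)
```

Note that a scanner trips three rules at once (pure-SYN rate, distinct destinations, sequential addresses) while a UDP flood trips only the per-port packet rate; correlating which rules fire together is what separates the two on a busy link. Bogon alerts are deduplicated per (source, destination) pair so a chatty host does not drown the output.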

SLIDE 18

Deep Packet Inspection: Challenges

  • Content Matching Complexities

– Control vs data packets (more content-oriented packets)

– Large percentage of HTTP traffic with large packet sizes
– Number of signatures to be analysed (> 10,000)
– Variable size of signatures, regular expression matching and stateful understanding
– Packet fragments and stream reassembly

  • Compressed & Encrypted traffic

SLIDE 19

Flow Analyzer

SLIDE 20

Our Approach


  • Use both active and passive measurement to devise an effective network management system

– Adrisya: a flow-based passive measurement analyser and anomaly detection solution
– EDGE system developed and deployed for monitoring backbone routers and LAN resources
– GYN (Guard Your Network) intrusion prevention appliance (multi-core based packet splitting)
– NetFPGA based content matching
– Security Assessment System (SAS) on top of Globus for grid environments

  • Devised a threat-aware IDS model that uses active and passive techniques to profile traffic and changing (host-level) vulnerabilities in a network, and uses that profile to detect the intrusions relevant to it

SLIDE 21

Comprehensive Threat Analysis (architecture diagram; only the component labels are recoverable from the slide text)

Signature detection path: Packet Collector -> Packet Decoder -> Packet & Context Based Detection, with Rule Engine and Dynamic Loader
Flow path: Flow Collector -> Flow Decoder (flows via IP Queue) -> State Based Detection, with Connection Management, Application Decoder and Dynamic Loader
Traffic Analyzer: Scan Detection, Flood Detection, Traffic Profiler, Flow Detection
Events from the analyzers go to the IPS and, over IDMEF communication, to Management (Data Management, User I/f)

SLIDE 22

Interesting Works

SLIDE 23

Worms: Issues and Approaches

  • Target Scanning

– Random, hit-list, permutation, passive scanning, etc. (Staniford et al.)
– Anomalies (connections to many unique IPs, receiving too many RST packets, ...)

  • Worm distribution

– Self-carried, embedded/secondary channel
– Anomalies (single-packet UDP, similar and identical content sent in the network; a secondary channel can be detected easily/prevented by a firewall)

  • Detecting Worm activation

– More of host analysis issue

SLIDE 24

Data Exfiltration: Issues & Approaches

  • Covert channels

– Cabuk et al. and El-Atawy and Al-Shaer (2009) show that DNS and HTTP can be used as covert channels
– SIDD framework: high-speed transparent network bridge to detect data exfiltration over the network (Yali Liu et al.)
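
To make the DNS covert-channel point concrete, here is an added example that is neither the slides' code nor that of the cited papers: `encode_exfil` shows how a DNS tunnel carries data in query labels, and `detect_dns_tunnel` applies the per-domain heuristics a flow analyser can compute from query names alone (unique-name count, mean leading-label length, mean Shannon entropy). The query list is constructed, the thresholds are illustrative, the "last two labels" approximation of the registered domain is an assumption, and all function names are this example's own.

```python
import hashlib
import math
from collections import defaultdict
from typing import Dict, List, Tuple


def encode_exfil(secret: bytes, domain: str, chunk: int = 30) -> List[str]:
    """How a DNS tunnel looks on the wire: hex-encode data and spread it across
    query names under an attacker-controlled domain (labels stay under 63 chars)."""
    hexdata = secret.hex()
    return ["%s.%s" % (hexdata[i:i + chunk], domain) for i in range(0, len(hexdata), chunk)]


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's own symbol distribution."""
    if not s:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def base_domain(name: str) -> str:
    """Registered domain approximated as the last two labels. Assumption: a real
    tool would use the Public Suffix List so that names under e.g. co.uk work."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])


def profile(queries: List[str]) -> Dict[str, Dict[str, float]]:
    """Per base domain: query count, unique names, mean first-label length, mean entropy."""
    acc: Dict[str, dict] = defaultdict(lambda: {"queries": 0, "names": set(), "len": 0, "ent": 0.0})
    for q in queries:
        first = q.rstrip(".").split(".")[0]
        a = acc[base_domain(q)]
        a["queries"] += 1
        a["names"].add(q.lower())
        a["len"] += len(first)
        a["ent"] += shannon_entropy(first)
    return {d: {"queries": a["queries"], "unique": len(a["names"]),
                "avg_label_len": a["len"] / a["queries"],
                "avg_entropy": a["ent"] / a["queries"]} for d, a in acc.items()}


def detect_dns_tunnel(queries: List[str], *, min_unique: int = 15,
                      min_label_len: float = 25.0, min_entropy: float = 3.0) -> List[Tuple[str, dict]]:
    """Flag domains with many unique, long, high-entropy leading labels.
    Unique-name count alone would also flag CDNs and cache-busting hostnames,
    so the length and entropy conditions are required as well."""
    return sorted(((d, m) for d, m in profile(queries).items()
                   if m["unique"] >= min_unique and m["avg_label_len"] >= min_label_len
                   and m["avg_entropy"] >= min_entropy), key=lambda x: x[0])


# Constructed traffic: ordinary lookups, a CDN with many short unique hostnames,
# and an exfiltration of 256 bytes of pseudo-random data via tunnel-example.org.
SECRET = hashlib.sha256(b"constructed sample data").digest() * 8
SAMPLE_QUERIES = (["www.example.com", "mail.example.com", "api.example.com"] * 10
                  + ["img%02d.cdn-example.net" % i for i in range(25)]
                  + encode_exfil(SECRET, "tunnel-example.org"))

if __name__ == "__main__":
    for domain, metrics in detect_dns_tunnel(SAMPLE_QUERIES):
        print(domain, metrics)
```

The CDN domain in the sample has more unique names than the tunnel but is not flagged, because its labels are short and low-entropy; that is the false positive a unique-count rule on its own produces. A tunnel that uses slow, short, dictionary-word labels defeats these heuristics, which is why the slide pairs them with stateful flow analysis rather than relying on names alone.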

SLIDE 25

Packet Sampling

  • Braun et al., "Packet Sampling for Worm and Botnet Detection in TCP Connections"
  • Only a small number of packets from the beginning of every TCP connection is considered
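
As an added example, not Braun et al.'s code, the sampler below keeps the first n packets of each TCP connection, keyed on the sorted endpoint pair so that both directions share one counter. It starts a connection only at a pure SYN, so stragglers after a close or a capture that begins mid-stream are not mistaken for a new beginning, and it frees state on RST or once both sides have sent FIN so the connection table stays bounded. These policies, and the constructed traffic in `sample_traffic`, are this example's own assumptions.

```python
from typing import Dict, List, NamedTuple, Tuple

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


class Pkt(NamedTuple):
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    payload_len: int


def conn_key(p: Pkt) -> Tuple[Tuple[str, int], Tuple[str, int]]:
    """Direction-independent connection key (sorted endpoint pair)."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def sample_first_n(packets: List[Pkt], n: int = 5) -> Tuple[List[Pkt], dict]:
    """Keep only the first n packets of every TCP connection.

    A connection starts at a pure SYN. Packets whose tuple has no open state and
    that are not a pure SYN (capture started mid-stream, or stragglers after a
    close) are dropped because they are not a connection beginning. State is
    freed on RST or once both sides have sent FIN, bounding the table size.
    """
    state: Dict[tuple, List[int]] = {}     # key -> [packets_seen, fin_mask]
    kept: List[Pkt] = []
    for p in packets:
        key = conn_key(p)
        if (p.flags & (SYN | ACK)) == SYN:
            state[key] = [0, 0]            # new connection; also covers 4-tuple reuse
        st = state.get(key)
        if st is None:
            continue
        st[0] += 1
        if st[0] <= n:
            kept.append(p)
        if p.flags & FIN:
            st[1] |= 1 if (p.src, p.sport) == key[0] else 2
        if p.flags & RST or st[1] == 3:
            del state[key]
    stats = {"packets_in": len(packets), "packets_out": len(kept),
             "open_connections": len(state)}
    return kept, stats


def build_connection(t0: float, client: str, cport: int, server: str, sport: int,
                     n_data: int) -> List[Pkt]:
    """Constructed full TCP conversation: handshake, n_data data segments
    alternating direction, then an orderly FIN/FIN/ACK close."""
    def c2s(t: float, f: int, l: int = 0) -> Pkt:
        return Pkt(t, client, cport, server, sport, f, l)

    def s2c(t: float, f: int, l: int = 0) -> Pkt:
        return Pkt(t, server, sport, client, cport, f, l)

    pk = [c2s(t0, SYN), s2c(t0 + 0.01, SYN | ACK), c2s(t0 + 0.02, ACK)]
    for i in range(n_data):
        t = t0 + 0.1 + i * 0.01
        pk.append(c2s(t, ACK, 200) if i % 2 == 0 else s2c(t, ACK, 1400))
    t = t0 + 1.0
    pk += [c2s(t, FIN | ACK), s2c(t + 0.01, FIN | ACK), c2s(t + 0.02, ACK)]
    return pk


def sample_traffic() -> List[Pkt]:
    """Constructed mix: a long download, a short exchange, and a SYN/RST scan probe."""
    pk = build_connection(10.0, "10.0.0.5", 40001, "203.0.113.80", 80, 20)
    pk += build_connection(12.0, "10.0.0.6", 40002, "203.0.113.25", 25, 1)
    pk += [Pkt(13.0, "10.0.0.7", 40003, "203.0.113.9", 445, SYN, 0),
           Pkt(13.01, "203.0.113.9", 445, "10.0.0.7", 40003, RST | ACK, 0)]
    return sorted(pk, key=lambda p: p.ts)


if __name__ == "__main__":
    kept, stats = sample_first_n(sample_traffic(), n=5)
    print(stats)
```

On the sample the 26-packet download shrinks to its handshake plus the first two data segments, which is exactly the part that carries the banner, the request and the first payload bytes a worm or bot signature needs; the half-open scan probe survives in full. A production sampler also needs an idle timeout for connections that never close cleanly, which this example leaves out.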

SLIDE 26

Key References

  • World Wide Infrastructure Security Report, 2010, Arbor Networks
  • Experiences of Internet Traffic Monitoring with Tstat, Alessandro Finamore, Marco Mellia, Michela Meo and Maurizio M. Munafò (Politecnico di Torino), Dario Rossi (TELECOM ParisTech), IEEE Network, May/June 2011
  • 10 Gbit/s Line Rate Packet Processing Using Commodity Hardware: Survey and New Proposals, Luigi Rizzo, Luca Deri, Alfredo Cardigliano
  • Locating Network Domain Entry and Exit Point/Path for DDoS Attack Traffic, IEEE Transactions on Network and Service Management, Vol. 6, No. 3, September 2009
  • Covert channels (data exfiltration):

– Cabuk, S., Brodley, C. E. and Shields, C. (2009), "IP Covert Channel Detection," ACM Trans. Inf. Syst. Secur., 12(4): 1–29
– El-Atawy, A. and Al-Shaer, E. (2009), "Building Covert Channels over the Packet Reordering Phenomenon," The 28th Conference on Computer Communications, IEEE (INFOCOM 2009), Apr 19–25, 2009, 2186–2194
– SIDD: A Framework for Detecting Sensitive Data Exfiltration by an Insider Attack, Proceedings of the 42nd Hawaii International Conference on System Sciences (HICSS), 2009

SLIDE 27

Acknowledgements

All these works are based on the support of the Department of Information Technology (DIT), Ministry of Communication and Information Technology (MCIT), Govt. of India

SLIDE 28

Thank you

subbu@cdac.in
