IPAUDIT An Analyst’s Perspective… Phil Rodrigues University of Connecticut MIT Security Camp Aug...
Posted 20-Dec-2015, category: Documents
IPAUDIT: An Analyst’s Perspective…
Phil Rodrigues
University of Connecticut
MIT Security Camp
Aug 15, 2002
Goals
• Show how I use IPAUDIT every day
– Start the morning knowing nothing
– Use IPAudit to identify network anomalies and investigate them
– Go home at night knowing a little bit more
• Also: an overview of UConn’s security practices
Outline
• Web Graphs
– Quick glance, looking for major issues
• Web Reports
– Detailed look at suspicious anomalies
• Console
– Thorough investigation of security incidents
Web Graphs
• Network Traffic
• Incoming / Outgoing Scans
• Busiest Hosts
Web Graphs: Traffic
• Plot of 30 minute total, inbound, and outbound traffic (bytes)
• Useful for large network anomalies: high-traffic transfers, D/DoS attacks, etc.
Web Graphs: Incoming Scans
• Shows local host connections that are either Only-Received, Only-Sent, or Sent-and-Received (normal)
• Only-Received detects incoming scans
• Only-Sent detects spoofed outbound attacks
Incoming Scans: Only-Received
• Only-Received detects incoming scans
– Anomaly where a single remote address sends to a large number of local addresses
– Most of these local addresses receive data but do not send any back
– Displayed as a large red spike
Incoming Scans: Only-Sent
• Only-Sent detects spoofed outbound attacks
– Anomaly where a large number of local addresses send data to a single remote address
– Most of these local addresses are sending data but have not received any (most of them do not exist)
– Displayed as a large blue spike
– Can trace a spoofed address to a smaller network but not to a single computer
Web Graphs: Outgoing Scans
• Shows remote host connections that are either Only-Received, Only-Sent, or Sent-and-Received (normal)
• Only-Received detects outgoing scans
– Anomaly where a large number of remote addresses receive data from one local address but do not reply
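The three one-sided patterns from the scan slides (incoming scan, spoofed outbound attack, outgoing scan), as an added example that is not part of the talk or of IPAudit itself. The record layout, the addresses and the threshold of 20 are constructed for the example; IPAudit's real 30min file format is not reproduced here.

```python
"""Bucket IPAudit-style connection records into the Only-Received / Only-Sent /
Sent-and-Received classes the scan graphs plot, and flag the three one-sided
anomalies the slides describe. Layout and addresses are constructed, not IPAudit's."""
from collections import defaultdict

# (local_ip, remote_ip, bytes local->remote, bytes remote->local); constructed
RECORDS = [
    ("10.0.1.5", "198.51.100.7", 4200, 91000),  # ordinary two-way web traffic
    # one remote sends to 40 locals that never answer: incoming scan
    *[(f"10.0.2.{i}", "203.0.113.9", 0, 60) for i in range(1, 41)],
    # 60 locals (mostly non-existent) "send" to one remote: spoofed outbound
    *[(f"10.0.3.{i}", "192.0.2.77", 1500, 0) for i in range(1, 61)],
    # one local probes 35 remotes that never reply: outgoing scan
    *[("10.0.1.66", f"198.51.100.{i}", 60, 0) for i in range(10, 45)],
]

def bucket(out_b, in_b):
    """Class of a single local-host connection, as drawn on the scan graphs."""
    if out_b and in_b:
        return "sent-and-received"
    return "only-received" if in_b else "only-sent"

def find_anomalies(records, threshold=20):
    """Per far-side peer: >= threshold only-received locals from one remote is an
    incoming scan (red spike); >= threshold only-sent locals to one remote is a
    spoofed outbound attack (blue spike); one local with >= threshold silent
    remotes is an outgoing scan. Returns (sorted findings, per-class tally)."""
    tally = defaultdict(int)
    locals_of = defaultdict(lambda: defaultdict(set))  # remote -> class -> locals
    silent_remotes = defaultdict(set)                  # local -> remotes w/o reply
    for local, remote, out_b, in_b in records:
        cls = bucket(out_b, in_b)
        tally[cls] += 1
        if cls == "only-received":
            locals_of[remote][cls].add(local)
        elif cls == "only-sent":
            locals_of[remote][cls].add(local)
            silent_remotes[local].add(remote)
    findings = []
    for remote, classes in locals_of.items():
        if len(classes["only-received"]) >= threshold:
            findings.append(("incoming-scan", remote, len(classes["only-received"])))
        if len(classes["only-sent"]) >= threshold:
            findings.append(("spoofed-outbound", remote, len(classes["only-sent"])))
    for local, remotes in silent_remotes.items():
        if len(remotes) >= threshold:
            findings.append(("outgoing-scan", local, len(remotes)))
    return sorted(findings), dict(tally)
```

The spoofed-outbound case is why the slides say a spoofed source can be traced only to a subnet: the 60 "senders" are mostly addresses that do not exist, so only their common remote peer and address range are informative.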
Web Graphs: Busiest Hosts
• Busiest local / remote hosts per 30 minutes
– Large “wide” anomalies usually indicate a hacked box (one-to-many, ftp/dcc), or occasionally DoS attacks (one-to-one)
– Single spikes are usually legitimate file transfers (one-to-one, fast I2 ftp transfers)
Web Reports
• 30 Minute
– Detailed view of immediate incidents
• Daily
– Summary of top talkers/scanners
• Weekly/Monthly
– Accumulated totals of high traffic users
Web Reports: 30 Minute
• Incoming / Outgoing Scans
• Local / Remote Traffic
• Busiest Traffic Pairs
30 Minute: Scans
• Incoming: Good for informational purposes
• Outgoing:
– Compromised local computers scan external networks sequentially for new targets
– Virus infected local computers scan external addresses randomly for new hosts
– P2P “super-node” activity where one local address is relaying search requests for many different remote addresses
30 Minute: Local/Remote Traffic
• Normal ratio file-transfers: the top talkers / listeners usually get examined for TCP port details
• One-sided transfers (highlighted in yellow or red) indicate an in/out DoS (or UDP streams)
30 Minute: Traffic Pairs
• Who is talking to whom?
• Is that one busy local computer talking to many others (hacked), or to one other across I2 (research)?
• Gives a good geographical indicator: rr.ny.com, wanado.fr (hacked) vs nasa.gov, cornell.edu (research)
Web Reports: Daily
• Local/Remote Traffic
– Shows large, slower accumulated traffic that the 30 min reports may not have alerted us to
• Incoming/Outgoing Scans
– Shows large, slower scans that the 30 min report missed
– A slow scan of the entire class B would show up here, but there is a good chance the 30 min report or SNORT would not catch it
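Why the daily scan summary catches a slow class B sweep that no single 30 minute report flags, as an added example rather than the talk's own code: each half-hour window stays under the per-window threshold, but the day's merged set of silent targets does not. The window layout, addresses and threshold of 20 are constructed assumptions.

```python
"""Why the daily scan report catches what the 30 minute report misses: a remote
that probes only a few fresh local addresses per half-hour window never crosses
a per-window threshold, but the day's union of its targets does. Constructed data."""
from collections import defaultdict

def constructed_day():
    """48 half-hour windows. In each, one remote sends to 5 new locals that never
    reply, beside one ordinary two-way connection. Sample data, not real traffic."""
    windows = []
    for w in range(48):
        win = [("10.0.1.5", "198.51.100.7", 900, 12000)]
        win += [(f"10.0.{w // 2}.{(w % 2) * 5 + k}", "203.0.113.9", 0, 60)
                for k in range(1, 6)]
        windows.append(win)
    return windows

def silent_targets(records):
    """remote -> set of local addresses that received data but sent none back."""
    targets = defaultdict(set)
    for local, remote, out_b, in_b in records:
        if in_b and not out_b:
            targets[remote].add(local)
    return targets

def scanners(windows, threshold=20):
    """Return (remotes flagged within some single 30 min window, remotes flagged
    only after merging every window of the day)."""
    per_window, daily = set(), defaultdict(set)
    for win in windows:
        for remote, hit in silent_targets(win).items():
            if len(hit) >= threshold:
                per_window.add(remote)
            daily[remote] |= hit
    daily_only = {r for r, hit in daily.items() if len(hit) >= threshold}
    return per_window, daily_only - per_window
```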
Web Reports: Weekly/Monthly
• Traffic
– Just for measuring traffic, usually for bandwidth management
– Allows for the slow accumulation of traffic
Console
• 30min files
– Records all IP connection info per 30 mins
• RAW files
– Records partial payload of selected TCP ports
– telnet, ftp, smtp, irc, icmp
Console: 30min
• General Overview
– grep|vi a full 30min file for one IP, to get a sense of what was going on:
• Web surfing vs Nimda infection
• P2P activity vs X-DCC transfers
• Streaming video vs UDP DoS attacks
• Failed logons vs password cracking
Console: 30min
• Detailed investigations
– Start with an anomaly, then look to see what happened immediately before it for clues as to how they may have gotten in.
– Determine the IP that was responsible for the intrusion, then see what else they were doing in the previous few days.
Console: Raw
• Detailed investigations
– telnet, ftp, smtp, irc, icmp
– Specific telnet commands (darn SSH)
– ftp users/passwords and files (darn SCP)
– irc conversations, channel/handle passwords
– email headers for spam, etc. issues
Successes: Graphs
• Detection of D/DoS attacks or extremely popular (aka illicit) file servers
• Detection of new mass events like Code Red or Nimda
• Detection of infected/compromised hosts that are scanning external networks
Successes: Reports
• Frequent updates allow fast response to large-traffic or high scan intrusions
• Easy click-through from high-level reports to specific connection details
• Detection of moderate rate DoS attacks
• Summary of in/outbound scans that were too slow to detect by looking at a single time period
Successes: Console
• Linux tools (grep, awk, uniq, sort, total, etc.) allow for fast creation of detailed reports
• Fairly easy to get a complete picture of an intrusion by looking at before/after events
– Spoofed attacks: Look at the time the attack started and scan for suspicious activity from a similar IP, which is probably the compromised host
Limitations
• Small-scale events get lost in the background noise of a busy network
• Takes 30 minutes to see new events
• Limited ability to see payload information
• SNORT: happens to complement this nicely
Summary
• Web Graphs
– Quick glance at the network; if it is quiet there, things can’t be *that* bad.
• Web Reports
– Summary of an hour, day, or week of events, to help target suspicious anomalies
• Console
– Detailed investigation of incidents
Links
• IPAUDIT:
– http://ipaudit.sourceforge.net
– http://ipaudit.sf.net
• UConn Network Reports
– http://turkey.ucc.uconn.edu
• Email:
– [email protected]
– [email protected]