Page 1

Office of Science

U.S. Department of Energy

The Bro Intrusion Detection

Stephen Lau

NERSC/LBNL

November 20, 2003

SC2003

Phoenix, AZ

Page 2

November 20, 2003

Office of Science

U.S. Department of Energy

SC2003, Phoenix, AZ

Bro

• High performance intrusion detection system developed at LBNL and ACRI
– Vern Paxson primary developer

• Based on operational experience with high performance networks

• Grew out of tools developed to optimize and analyze network traffic

• Bro Development Goals
– High speed network monitoring
– Low packet loss rate
– Mechanism separate from policy

Page 3

Bro State Model

• Bro maintains and analyzes state
– Keeps track of all network connections
– Reacts to network behavior patterns

• Signature based systems
– i.e. Snort, RealSecure
– Matches patterns seen in network streams

Page 4

Bro Structure

• Packet capture and filter
– Built on libpcap

• Event Engine
– Evaluates packets
– Maintains state of the network connections
– Generates events

• Policy Script Interpreter
– Executes scripts written in ‘policy language’

Page 5

Bro Structure (diagram)

Data path: Network → Packet Stream → libpcap → Filtered Packet Stream → Event Engine → Event Stream → Policy Script Interpreter → Real Time Notification / Record to Disk

Control path runs the other way: the Policy Script Interpreter loads the Policy Script and sends Event Control down to the Event Engine, and the Event Engine installs the tcpdump filter into libpcap.

Page 6

Bro Structure

• Real time processing
– Analysis of real time traffic
– Reaction to any significant events
– Traffic filtered to only ‘interesting’ traffic

• Offline processing
– Bro capable of archiving network traffic
– Allows for more detailed analysis
– Less traffic is filtered

Page 7

Real Time Processing

• Works in conjunction with border router to drop (shun) hosts at the border

• Capable of injecting RST packets into stream
– Code Red Worm instances
– SSH vulnerability exploits

• Establishes real time alerts based on policy

Page 8

Offline Processing

• Detects stepping stones
– Compromised system used as a gateway

• Detects “backdoors”
– i.e. telnet servers on non-standard port

• Detects file sharing systems
– Gnutella, Napster, KaZaa

Stepping stone diagram: External Attacker → Compromised Internal System (inside the Network DMZ, watched by Bro) → External Victim
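The pipeline of the Bro Structure slides (tcpdump-style filter, then an event engine that keeps per-connection state and generates events, then policy handlers that act on them) together with this slide's "telnet server on a non-standard port" backdoor case and the checkpoint that clears orphaned sessions, as an added Python sketch. This is not Bro's code and not its policy language; the packet records are constructed, the 30 second orphan timeout is an assumption, and the backdoor check uses telnet option negotiation bytes from a server not on port 23 as a stand-in heuristic, not Bro's actual backdoor analyzer.

```python
"""Toy Bro-style pipeline: packet filter -> event engine (connection state) -> policy handlers."""
from collections import namedtuple
from types import SimpleNamespace

Packet = namedtuple("Packet", "ts src sport dst dport flags payload")  # flags: TCP flag letters
IAC, WILL, WONT, DO, DONT = 0xFF, 0xFB, 0xFC, 0xFD, 0xFE  # telnet option negotiation bytes

def packet_filter(pkt):
    """Stand-in for the tcpdump filter: keep control packets and packets carrying data,
    drop pure ACKs (the bulk of a large transfer, and of no use to the policy layer)."""
    return bool(pkt.payload) or bool(set(pkt.flags) & set("SFR"))

def conn_key(c):
    return (c.orig, c.orig_port, c.resp, c.resp_port)   # originator = host that sent the SYN

class EventEngine:  # keeps per-connection state, turns packets into events for the policy layer
    def __init__(self):
        self.conns = {}       # conn_key -> connection record
        self.handlers = {}    # event name -> list of policy handlers
        self.filtered_out = 0

    def on(self, event):      # decorator used by the policy layer to attach a handler
        def register(fn):
            self.handlers.setdefault(event, []).append(fn)
            return fn
        return register

    def emit(self, event, *args):
        for fn in self.handlers.get(event, []):
            fn(*args)

    def process(self, pkt):
        if not packet_filter(pkt):
            self.filtered_out += 1
            return
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if "S" in pkt.flags and "A" not in pkt.flags:       # bare SYN: new connection attempt
            self.conns[fwd] = SimpleNamespace(orig=pkt.src, orig_port=pkt.sport, resp=pkt.dst,
                                              resp_port=pkt.dport, start=pkt.ts, state="SYN_SENT",
                                              bytes_orig=0, bytes_resp=0)
            return
        conn = self.conns.get(fwd) or self.conns.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if conn is None:
            return                                            # no SYN seen for it: ignore
        is_orig = (pkt.src, pkt.sport) == (conn.orig, conn.orig_port)
        if "S" in pkt.flags and conn.state == "SYN_SENT":     # SYN/ACK completes the handshake
            conn.state = "ESTABLISHED"
            self.emit("connection_established", conn)
        if pkt.payload:
            side = "bytes_orig" if is_orig else "bytes_resp"
            setattr(conn, side, getattr(conn, side) + len(pkt.payload))
            self.emit("data", conn, is_orig, pkt.payload)
        if set(pkt.flags) & set("FR"):                        # FIN or RST ends the connection
            conn.state = "CLOSED"
            self.emit("connection_finished", conn)
            del self.conns[conn_key(conn)]

    def checkpoint(self, now, timeout=30.0):
        """Checkpoint as on the slide: clear 'orphaned' half-open sessions; returns how many."""
        orphans = [c for c in self.conns.values() if c.state == "SYN_SENT" and now - c.start > timeout]
        for c in orphans:
            del self.conns[conn_key(c)]
        return len(orphans)

def analyze(packets, now):
    """Policy layer: register handlers, replay the packets, checkpoint, return the results."""
    engine, notices, conn_log = EventEngine(), [], []
    @engine.on("data")
    def backdoor_check(conn, is_orig, payload):
        # Heuristic (not Bro's analyzer): a server that opens with telnet option negotiation
        # but is not on port 23 is the slide's 'telnet server on a non-standard port'.
        if (not is_orig and len(payload) >= 2 and payload[0] == IAC
                and payload[1] in (WILL, WONT, DO, DONT) and conn.resp_port != 23):
            notices.append(f"backdoor: telnet negotiation from {conn.resp}:{conn.resp_port}")
    @engine.on("connection_finished")
    def log_connection(conn):   # the 'record to disk' path: one summary tuple per connection
        conn_log.append((conn.orig, conn.resp, conn.resp_port, conn.bytes_orig, conn.bytes_resp))
    for pkt in sorted(packets, key=lambda p: p.ts):
        engine.process(pkt)
    return {"notices": notices, "conn_log": conn_log,
            "orphans_purged": engine.checkpoint(now), "filtered_out": engine.filtered_out}

# Constructed sample traffic (private / documentation addresses), not a real capture.
SAMPLE_PACKETS = [
    Packet(0.0, "10.0.0.5", 40001, "10.0.0.9", 23, "S", b""),              # ordinary telnet
    Packet(0.1, "10.0.0.9", 23, "10.0.0.5", 40001, "SA", b""),
    Packet(0.15, "10.0.0.5", 40001, "10.0.0.9", 23, "A", b""),             # pure ACK: filtered
    Packet(0.2, "10.0.0.9", 23, "10.0.0.5", 40001, "PA", bytes([IAC, DO, 0x18])),
    Packet(0.3, "10.0.0.5", 40001, "10.0.0.9", 23, "F", b""),
    Packet(1.0, "10.0.0.5", 40002, "10.0.0.9", 8001, "S", b""),            # telnet on port 8001
    Packet(1.1, "10.0.0.9", 8001, "10.0.0.5", 40002, "SA", b""),
    Packet(1.2, "10.0.0.9", 8001, "10.0.0.5", 40002, "PA", bytes([IAC, WILL, 0x01])),
    Packet(1.3, "10.0.0.5", 40002, "10.0.0.9", 8001, "PA", b"ls\r\n"),
    Packet(1.4, "10.0.0.9", 8001, "10.0.0.5", 40002, "R", b""),
    Packet(2.0, "192.0.2.7", 5555, "10.0.0.9", 22, "S", b""),              # never answered
]
```

Calling `analyze(SAMPLE_PACKETS, now=40.0)` yields one backdoor notice for the server on port 8001, two connection summaries, one orphaned half-open session purged at checkpoint and one pure ACK dropped by the filter. The separation the slides describe is visible in the code: the engine knows nothing about telnet or backdoors, it only keeps connection state and raises events; what counts as suspicious lives entirely in the handlers, which is the "mechanism separate from policy" goal.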

Page 9

Bro in Practical Use

• Primary IDS for LBNL/NERSC since 1996
• Primary IDS for SC00-03 conferences
• No specialized hardware needed
• Low cost allows for multiple deployment

• Requirements
– FreeBSD
– Intel platform
– Fiber tap
– Disk space to archive data

Page 10

Defense in Depth

Perimeter
• Bro / Snort
• Traffic Filtering
• Virus Wall
• Host Filtering

Internal Network
• Network Isolation
• Firewalls
• Subnet traffic filtering

Host Level
• Anti Virus Software
• Active Scanning
• Unused services disabled
• Process Accounting
• Encrypted Passwords

Users / staff
• Staff Security Team
• Usage Agreements
• Periodic training
• Emails on key issues

Page 11

Use of Bro Within NERSC

Diagram: ESNet → Filtering Border Router → NERSC. Network Traffic passing the border router is tapped and fed to the Bro systems and the other IDS; Bro feeds ACL Insertion back to the border router. The internal network and the Wireless Network are tapped separately.

Multiple Bro Systems
• Real Time Analysis
• Redundant Backup
• Test Box
• Bulk Traffic Recorder

Multiple IDS
• Snort
• Bro Heavyweight Protocol Analysis
• Bro GRID / SSL Analysis

Tapped Traffic (internal and wireless)
• Internal Traffic Bro Monitor
• Wireless Network Bro Monitor

Page 12

Bro at NERSC

• 24/7 monitoring
– Tied into a paging system for on-call security person

• Bro checkpointed at set intervals
– Clears out ‘orphaned’ sessions
– Allows for offline data analysis

• Data archiving
– Maintain traffic data for about 3 months
– Anything beyond that is ‘subpoena bait’
– Maintain network connection data forever

Page 13

NERSC Network Traffic, 3 Week Period

Type of Traffic        Number of Connections   Overall Percentage of Traffic
Bulk Data Transfer     666,529                 83.73%
Grid Services          74,178                  7.19%
Web Related            288,3754                5.30%
Database               620,1730                .27%
Mail                   200,484                 .04%
System Services        185,272                 .04%
Interactive            116                     <.1%

Page 14

Total NERSC Connections (chart)

Page 15

Valid NERSC Connections (chart)

Page 16

Practical Bro

• Automatic ACL injection has very low false positive rate
– At NERSC average about 1 every 6 months

• Reports generated whenever checkpointed
– Results from blocks and odd events
– Results from offline analyzer

• Backdoors and KaZaa traffic
– Takes some time to “learn the traffic”

Page 17

What Do We See

• Usual stuff
– Lots and lots and lots and lots of scans
  • Slow scans, flash scans, nmap, nessus, ISS
– Many worms and viruses
  • Code Red, Nimda, etc...
– Lots of backscatter

• Fun stuff and stuff we really shouldn’t see
– Broken TCP stacks
– Private network traffic (192.168.0.0, etc)
– Broken NATs
– Odd user behaviour
– Odd OS/application behaviour
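The slow scans, flash scans and backscatter this slide lists, as an added Python triage example. It is not Bro's scan detector; the target threshold, the flash window, the "in"/"out" event records and the addresses are all constructed assumptions made for the example.

```python
"""Scan and backscatter triage over constructed inbound/outbound connection-attempt records."""
from collections import defaultdict, namedtuple

# direction is "in" (towards the monitored site) or "out"; flags are TCP flag letters.
Event = namedtuple("Event", "ts direction src sport dst dport flags")

def classify(events, threshold=5, flash_window=10.0):
    """Flag a source once it has touched >= threshold distinct (host, port) targets: a
    'flash scan' if it did so within flash_window seconds, a 'slow scan' otherwise. Count
    inbound replies (SYN/ACK, RST) that answer no connection we opened as backscatter."""
    outbound = set()                 # (local host, remote host, remote port) we initiated
    targets = defaultdict(dict)      # scanner -> {(dst, dport): time first seen}
    reported, notices, backscatter = set(), [], 0
    for e in sorted(events, key=lambda x: x.ts):
        bare_syn = "S" in e.flags and "A" not in e.flags
        if e.direction == "out":
            if bare_syn:
                outbound.add((e.src, e.dst, e.dport))
            continue
        if bare_syn:
            seen = targets[e.src]
            seen.setdefault((e.dst, e.dport), e.ts)
            if len(seen) >= threshold and e.src not in reported:
                reported.add(e.src)
                span = e.ts - min(seen.values())
                kind = "flash scan" if span <= flash_window else "slow scan"
                notices.append((e.src, kind, len(seen), round(span, 1)))
        elif set(e.flags) & set("AR") and (e.dst, e.src, e.sport) not in outbound:
            # A reply to a connection nobody here opened: the remote host is answering
            # packets that carried one of our addresses as a spoofed source.
            backscatter += 1
    return {"notices": notices, "backscatter": backscatter}

# Constructed sample events (documentation / private addresses), not real traffic.
SAMPLE_EVENTS = (
    # flash scan: one source hits five hosts on port 22 within a second
    [Event(100.0 + i * 0.2, "in", "203.0.113.4", 50000 + i, f"10.0.0.{i + 1}", 22, "S")
     for i in range(5)]
    # slow scan: one source probes five ports on one host over 40 minutes
    + [Event(200.0 + i * 600, "in", "198.51.100.9", 60000 + i, "10.0.0.9", p, "S")
       for i, p in enumerate((21, 22, 23, 25, 80))]
    # legitimate: we opened a connection and the SYN/ACK came back
    + [Event(150.0, "out", "10.0.0.5", 40010, "192.0.2.1", 80, "S"),
       Event(150.1, "in", "192.0.2.1", 80, "10.0.0.5", 40010, "SA"),
       # backscatter: SYN/ACKs from a host we never contacted (it is answering a spoofed flood)
       Event(151.0, "in", "192.0.2.200", 80, "10.0.0.7", 1234, "SA"),
       Event(151.2, "in", "192.0.2.200", 80, "10.0.0.8", 1235, "SA")]
)
```

`classify(SAMPLE_EVENTS)` reports the flash scan after 0.8 s and the slow scan after 2400 s, and counts two backscatter packets while leaving the legitimate SYN/ACK alone. Keeping the outbound table is what separates backscatter from a response to our own traffic; a detector that only looks at inbound packets cannot tell the two apart.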

Page 18

Bro at SC03

• Bro primary IDS for SC conference since SC00
– Used to monitor SCinet traffic

• Maximum observed bandwidth
– 16.8Gbps at SC2002 (Bandwidth Challenge)
– Used router hardware BPF

• Passive monitoring only
– Automatic countermeasures disabled

Page 19

Bro at SC03

• IDS for SCinet
– Ensure conference network does not get taken down by attacks
– Detect 0wned systems
– Monitor for “odd” behavior

• Educational tool for attendees
– Password capture and display
– Alert exhibitors to “risky behavior”
  • i.e. .rhosts with root enabled

Page 20

SCinet Bro Infrastructure (diagram)

Labels recovered from the figure: Commodity Internet over OC-3 into ISP-RTR; Core-RTR-1 and Core-RTR-2 with Nx10GE links; WAN uplinks of 2xOC-192 and 1xOC-192; SCinet behind the core routers; three Bro sensors attached over GigE links.

Page 21

Bro Future Directions

• Grid related technologies
– Ability to detect Grid related protocols
– X.509 Certificate Analyzer
  • SSL Analyzer
  • Verify certificates are legitimate

• Router Shunting
– Primary bottleneck in moving packets into user space
– Leverage router based hardware filtering to analyze “packets of interest”
– Proof of concept demo at SC01-03
  • Utilizing Bro and Juniper router
  • Hardware based BPF to filter traffic

Page 22

Port Mirroring (diagram)

External Network ↔ Juniper ↔ Internal Network; a GigE Interface on the Juniper sends the Mirrored Traffic to Bro.

Page 23

Filter-based Forwarding (diagram)

External Network ↔ Juniper ↔ Internal Network; a Filter on the Juniper selects the packets of interest, and only that Filtered Traffic leaves the GigE Interface towards Bro.

Page 24

Contact Information

Stephen Lau

1 Cyclotron Road, M/S 943

Berkeley, CA 94720

Phone: +1 (510) 486-7178

Email: [email protected]

PGP: 44C8 C9CB C15E 2AE1 7B0A 544E 9A04 AB2B F63F 748B