IPAUDIT: An Analyst's Perspective (PowerPoint presentation)

1
IPAUDIT: An Analyst's Perspective
  • Phil Rodrigues
  • University of Connecticut
  • MIT Security Camp
  • Aug 15, 2002

2
Goals
  • Show how I use IPAUDIT every day
  • Start the morning knowing nothing
  • Use IPAudit to identify network anomalies and
    investigate them
  • Go home at night knowing a little bit more
  • Also an overview of UConn's security practices

3
Outline
  • Web Graphs
      • Quick glance, looking for major issues
  • Web Reports
      • Detailed look at suspicious anomalies
  • Console
      • Thorough investigation of security incidents

4
Web Graphs
  • Network Traffic
  • Incoming / Outgoing Scans
  • Busiest Hosts

5
Web Graphs: Traffic
  • Plot of 30 minute total, inbound, and outbound
    traffic (bytes)
  • Useful for large network anomalies: high-traffic
    transfers, D/DOS attacks, etc.

6
Web Graphs: Incoming Scans
  • Shows local host connections that are either
    Only-Received, Only-Sent, or Sent-and-Received
    (normal)
  • Only-Received detects incoming scans
  • Only-Sent detects spoofed outbound attacks

7
Incoming Scans: Only-Received
  • Only-Received detects incoming scans
  • Anomaly where a single remote address sends to a
    large number of local addresses
  • Most of these local addresses receive data but do
    not send any back
  • Displayed as a large red spike

8
Incoming Scans: Only-Sent
  • Only-Sent detects spoofed outbound attacks
  • Anomaly where a large number of local addresses
    send data to a single remote address
  • Most of these local addresses are sending data
    but have not received any (most of them do not
    exist)
  • Displayed as a large blue spike
  • Can trace a spoofed address to a smaller network
    but not to a single computer

9
Web Graphs: Outgoing Scans
  • Shows remote host connections that are either
    Only-Received, Only-Sent, or Sent-and-Received
    (normal)
  • Only-Received detects outgoing scans
  • Anomaly where a large number of remote addresses
    receive data from one local address but do not
    reply
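The Only-Received / Only-Sent classification behind slides 6 to 9, and slide 8's narrowing of a spoofed source to a network rather than a single host, as an added Python example; this is not IPAUDIT's own code, and the record layout, the local address range and the sample records are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

LOCAL_NET = ipaddress.ip_network("10.0.0.0/16")  # assumed local class B address space

# Constructed sample in a simplified per-pair layout (assumed, not IPAUDIT's real file format):
# host_a host_b proto port_a port_b bytes_a_to_b bytes_b_to_a
SAMPLE = """\
10.0.1.5 93.184.216.34 tcp 51000 80 1200 34000
10.0.2.1 198.51.100.9 tcp 1433 40001 0 60
10.0.2.2 198.51.100.9 tcp 1433 40002 0 60
10.0.2.3 198.51.100.9 tcp 1433 40003 0 60
10.0.9.10 203.0.113.7 udp 5000 53 500 0
10.0.9.11 203.0.113.7 udp 5000 53 500 0
10.0.9.12 203.0.113.7 udp 5000 53 500 0
"""

def parse(text):
    """Yield (local, remote, bytes_local_to_remote, bytes_remote_to_local) per record."""
    for line in text.splitlines():
        a, b, _proto, _pa, _pb, ab, ba = line.split()
        a_local = ipaddress.ip_address(a) in LOCAL_NET
        if a_local == (ipaddress.ip_address(b) in LOCAL_NET):
            continue  # purely internal or purely external pair: not on the local-host graph
        yield (a, b, int(ab), int(ba)) if a_local else (b, a, int(ba), int(ab))

def classify(local_to_remote, remote_to_local):
    """The three states the graph plots, as seen from the local host."""
    if local_to_remote and remote_to_local:
        return "sent-and-received"
    return "only-sent" if local_to_remote else "only-received"

def scan_spikes(text, min_locals=3):
    """Red spike: one remote -> many locals, only-received. Blue spike: many locals -> one remote, only-sent."""
    only_received, only_sent = defaultdict(set), defaultdict(set)
    for local, remote, l2r, r2l in parse(text):
        state = classify(l2r, r2l)
        if state == "only-received":
            only_received[remote].add(local)
        elif state == "only-sent":
            only_sent[remote].add(local)
    incoming = {r: len(v) for r, v in only_received.items() if len(v) >= min_locals}
    spoofed = {r: sorted(v) for r, v in only_sent.items() if len(v) >= min_locals}
    return incoming, spoofed

def smallest_common_network(addrs):
    """Trace spoofed sources to the smallest enclosing prefix: a network, not a single computer."""
    nets = [ipaddress.ip_network(a) for a in addrs]
    net = nets[0]
    while not all(n.subnet_of(net) for n in nets):
        net = net.supernet()
    return str(net)
```

The spoofed-source list cannot be trusted to name a real machine, which is why the last function stops at a prefix.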

10
Web Graphs: Busiest Hosts
  • Busiest local / remote hosts per 30 minutes.
  • Large, wide anomalies usually indicate a hacked
    box (one-to-many, ftp/dcc), or occasionally DOS
    attacks (one-to-one).
  • Single spikes are usually legitimate file transfers
    (one-to-one, fast I2 ftp transfers)

11
Web Reports
  • 30 Minute
      • Detailed view of immediate incidents
  • Daily
      • Summary of top talkers/scanners
  • Weekly/Monthly
      • Accumulated totals of high traffic users

12
Web Reports: 30 Minute
  • Incoming / Outgoing Scans
  • Local / Remote Traffic
  • Busiest Traffic Pairs

13
30 Minute Scans
  • Incoming: good for informational purposes
  • Outgoing:
      • Compromised local computers scan external
        networks sequentially for new targets
      • Virus-infected local computers scan external
        addresses randomly for new hosts
      • P2P super-node activity where one local address
        is relaying search requests for many different
        remote addresses

14
30 Minute Local/Remote Traffic
  • Normal-ratio file transfers: the top talkers /
    listeners usually get examined for TCP port
    details
  • One-sided transfers (highlighted in yellow or
    red) indicate an in/out DOS (or UDP streams)

15
30 Minute Traffic Pairs
  • Who is talking to whom?
  • Is that one busy local computer talking to many
    others (hacked), or to one other across I2
    (research)?
  • Gives a good geographical indicator: rr.ny.com,
    wanado.fr (hacked) vs nasa.gov, cornell.edu
    (research)

16
Web Reports: Daily
  • Local/Remote Traffic
      • Shows large, slower accumulated traffic that the
        30 min reports may not have alerted us to
  • Incoming/Outgoing Scans
      • Shows large, slower scans that the 30 min reports
        missed
      • A slow scan of the entire class B would show up
        here, but there is a good chance the 30 min report
        or SNORT would not catch it

17
Web Reports: Weekly/Monthly
  • Traffic
      • Just for measuring traffic, usually for bandwidth
        management
      • Allows for the slow accumulation of traffic

18
Console
  • 30min files
      • Records all IP connection info per 30 mins
  • RAW files
      • Records partial payload of selected TCP ports
      • telnet, ftp, smtp, irc, icmp

19
Console: 30min
  • General overview
      • grep/vi a full 30min file for one IP, to get a
        sense of what was going on
      • Web surfing vs Nimda infection
      • P2P activity vs X-DCC transfers
      • Streaming video vs UDP DOS attacks
      • Failed logons vs password cracking

20
Console: 30min
  • Detailed investigations
      • Start with an anomaly, then look to see what
        happened immediately before it for clues as to
        how they may have gotten in.
      • Determine the IP that was responsible for the
        intrusion, then see what else they were doing in
        the previous few days.

21
Console: Raw
  • Detailed investigations
      • telnet, ftp, smtp, irc, icmp
      • Specific telnet commands (darn SSH)
      • ftp users/passwords and files (darn SCP)
      • irc conversations, channel/handle passwords
      • email headers for spam, etc. issues

22
Successes: Graphs
  • Detection of D/DOS attacks or extremely popular
    (aka illicit) file servers
  • Detection of new mass events like Code Red or
    Nimda
  • Detection of infected/compromised hosts that are
    scanning external networks

23
Successes: Reports
  • Frequent updates allow fast response to
    large-traffic or high-scan intrusions
  • Easy click-through from high-level reports to
    specific connection details
  • Detection of moderate-rate DOS attacks
  • Summary of in/outbound scans that were too slow to
    detect by looking at a single time period

24
Successes: Console
  • Linux tools (grep, awk, uniq, sort, total, etc.)
    allow for fast creation of detailed reports
  • Fairly easy to get a complete picture of an
    intrusion by looking at before/after events
  • Spoofed attacks: look at the time the attack started
    and scan for suspicious activity from a similar
    IP, which is probably the compromised host

25
Limitations
  • Small-scale events get lost in background noise
    of busy network
  • Takes 30 minutes to see new events
  • Limited ability to see payload information
  • SNORT happens to complement this nicely

26
Summary
  • Web Graphs
      • Quick glance at the network; if it is quiet out
        there, things can't be that bad.
  • Web Reports
      • Summary of an hour, day, or week of events, to help
        target suspicious anomalies
  • Console
      • Detailed investigation of incidents

27
Links
  • IPAUDIT
      • http://ipaudit.sourceforge.net
      • http://ipaudit.sf.net
  • UConn Network Reports
      • http://turkey.ucc.uconn.edu
  • Email
      • jon.rifkin@uconn.edu
      • phil.rodrigues@uconn.edu