Network Analysis While Preserving Privacy

About This Presentation

Title:

Network Analysis While Preserving Privacy

Description:

Analyzing traffic usually is done by examining packets Deep packet inspection ... flow-print -f3 ft-v07.2004-11-17.220025-0600 | grep 131.151.173.197 |more ... – PowerPoint PPT presentation

Number of Views:27

Avg rating:3.0/5.0

Slides: 51

Provided by: karll9

Category:

more less

Transcript and Presenter's Notes

Title: Network Analysis While Preserving Privacy

1
Network Analysis While Preserving Privacy

Karl F. Lutzen
Information Security Officer
kfl_at_mst.edu
meaning contents of transmission

2
Introduction

Privacy concerns today
Analyzing traffic usually is done by examining
packets Deep packet inspection
Looking at calling information can reveal much
Can be used as an IDS
Can be use as policy enforcement

3
Calling Information

Source IP address and port
Destination IP address and port
Protocol
Other data
Timestamps
Number of packets
Bytes
Technology used Netflow

4
NetFlow Background

Developed by Cisco to
Characterize traffic
Account for how and where it flows
Help optimize network investment
Traffic engineering/network planning
Provide usage-based billing

5
NetFlow Background

Three key characteristics
Be scalable
Be manageable
Be reliable

6
NetFlow Example

Computer A Web browses to Computer B will
generate 2 flows
Request flow
A (TCP) 1.2.3.43365 -gt 4.3.2.1 80
Reply Flow
B (TCP) 4.3.2.180 -gt 1.2.3.43365

7
NetFlow Typical Record

Source and destination IP address
Source and destination ports
Transport protocol TCP,UDP, ICMP, etc.
Type of service (ToS)
Packet and byte counts
Start and end timestamps
Input and output interface numbers

TCP flags
Routing information (next-hop address, source
autonomous system (AS) number, destination AS
number, source prefix mask, destination prefix
mask)

8
NetFlow Data Cache

Available on Cisco routers/switches
Available on Juniper routers
Cached on devices
WARNING! Not all devices are NetFlow-enabled!

9
NetFlow Cache Example

show ip cache flow
IP packet size distribution (78630M total
packets)
1-32 64 96 128 160 192 224 256 288
320 352 384 416 448 480
.002 .448 .062 .027 .013 .011 .008 .011 .003
.003 .002 .006 .005 .003 .002
512 544 576 1024 1536 2048 2560 3072 3584
4096 4608
.002 .003 .015 .033 .331 .000 .000 .000 .000
.000 .000
IP Flow Switching Cache, 6553988 bytes
32929 active, 32607 inactive, 524367786 added
4111490554 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 794824 bytes
32895 active, 16257 Inactive, 519171584 added,
519168554 added to flow
0 alloc failures, 12911870 force free
3 chunks, 1155 chunks added
last clearing of statistics never
--More

10
NetFlow Cache Example (cont.)

Protocol Total Flows Packets Bytes
Packets Active(Sec) Idle(Sec)
-------- Flows /Sec /Flow /Pkt
/Sec /Flow /Flow
TCP-Telnet 3833510 0.8 10 179
9.2 9.0 26.8
TCP-FTP 12511306 2.9 6 132
19.7 6.3 16.5
TCP-FTPD 1194796 0.2 544 866
151.5 86.7 21.2
TCP-WWW 944754736 219.9 13 627
2871.0 3.2 23.7
TCP-SMTP 53320030 12.4 14 399
185.8 6.6 19.2
TCP-X 913841 0.2 41 631
8.9 19.2 24.5
TCP-BGP 1867 0.0 1 49
0.0 0.5 20.5
TCP-NNTP 1086658 0.2 252 874
63.8 15.2 26.8
TCP-Frag 228697 0.0 9 131
0.5 6.5 25.3
TCP-other 2264274585 527.1 23 568
12466.6 12.9 24.4
UDP-DNS 231113128 53.8 2 79
114.7 3.6 26.0
UDP-NTP 6394017 1.4 3 76
5.2 9.7 27.2
UDP-TFTP 13567 0.0 1 95
0.0 3.1 29.3
UDP-Frag 211973 0.0 3165 1266
156.2 116.2 27.5
UDP-other 1177902953 274.2 5 293
1385.8 6.1 25.8
ICMP 103453714 24.0 2 62
57.9 3.8 26.0
IGMP 726 0.0 2 300
0.0 3.5 29.1

11
NetFlow Limitations of Cache

Difficult to read
Only shows recent activity
No automation on devices for analysis
No accounting of flows (besides overall totals)

12
NetFlow Export of Data

Greatly enhances NetFlow and turns the technology
into a analysis tool!
Data sent to external collector(s)
Analyzed by one or more systems
Archived for other concerns
Efficient Uses multiple records per UDP packet

13
NetFlow Export Establish Policies!

Ensure policies are in place before deploying
covering
Retention of network usage statistics
Establish a retention policy.
Privacy protection of the data, who is
authorized, no offloading without sanitizing
personal data (the host portion)

14
Privacy

While the contents of the packet are not
recorded, the calling information can still be a
concern.
However, with virtual servers, it is impossible
to know the true destination
Mostly it can only be used as verification that
something occurred.

15
Deployment Diagram
16
Securing The Data Stream

Hmm, hold on there!
Using UDP, any Security in the transmission?
Nope!
Most deployments use a private, maintenance
network that only admins can touch.

17
Introduction to flow-tools

Full featured NetFlow tool set
Open-source software
Available from http//www.splintered.net/sw/flow-
tools/
Entire package compiles on most Linux, FreeBSD,
etc. systems

18
Flow-tools Contains

flow-capture
flow-cat
flow-dscan
flow-expire
flow-export
flow-fanout
flow-filter
flow-gen
flow-header
flow-import
flow-mask

flow-merge
flow-nfilter
flow-print
flow-receive
flow-report
flow-send
flow-split
flow-stat
flow-tag
flow-xlate

19
Single Source to Many Collectors

flow-fanout
Inline replacement for flow-capture
Replicates a NetFlow stream to multiple locations
Ideal for simultaneous
Replicated storage
Multiple systems for near real time analysis

20
No NetFlow? Use fprobe

http//sourceforge.net/projects/fprobe
Open source NetFlow probe
Linux, FreeBSD, etc.
Uses a SPAN port or network tap
Consider libpcap-ring kernel or MMAPed pcap for
high-speed collections (over 100 Mbits)
Can match CPU to traffic load
Downside loss of interface on reports

21
Portable Probe

Build a couple of portable probes to have on hand
for remote probes for network analysis. Install
flow-tools, fprobe, tcpdump on a system with a
large hard drive.
When a problem occurs, you can deploy it on a
SPAN port or with a hub or network TAP.

22
Traffic Analysis Know Thy Network!

NetFlow records the communication between systems
Quickly tells you what is happening on your
network at a high level
Can be used to spot anomalies
Simple IDS capabilities
Locate all stations doing the same thing on the
network
Policy enforcement

23
Knowing Where to Look

Deploy NetFlow on devices at keys location
Border of network(s)
Core points
Deploy probes where needed
Specific problem areas
Network aggregation points without NetFlow
capabilities.

24
Planning/Policies Make for Success

Establish policies as to what traffic is allowed
Establish specific pathways or gateways for
traffic like SMTP, IRC, HTTP, etc.
Any traffic not flowing through these gateways
are your indicator for problems
Segregate servers and workstations with subnets.

25
Analysis Finding the Needles

Which State?
Which County?
Which Field?
Which haystack?
What part of the haystack?
How many needles?

26
Finding the Needle(s) flow-stat

The flow-stat command provides quick statistics
Can provide reports on SRC/DST IPs or ports, as
well as others
Can sort by flows, octets or packets in ascending
or descending order
Coupled with flow-nfilter removes known good
traffic or look known problem traffic

27
Using flow-stat

flow-stat f format S sort field lt filename

Sort format
-s (lower case) sort field ascending
-S (upper case) sort field descending
Remember that the first field or column will be
0, not 1!

Report format.
0 Overall Summary
1 Average packet size distribution
2 Packets per flow distribution
3 Octets per flow distribution
4 Bandwidth per flow distribution
5 UDP/TCP destination port
6 UDP/TCP source port
7 UDP/TCP port
8 Destination IP
9 Source IP
10 Source/Destination IP
11 Source or Destination IP

28
Stats sorted by flows

--- ---- ---- Report Information --- --- ---
Fields Total
Symbols Disabled
Sorting Descending Field 1
Name Source IP
Args flow-stat -f9 -S1
IPaddr flows octets
packets
207.188.7.131 8676 3579254
26397
131.151.165.34 5442 107280977
131352
131.151.1.7 4943 1570499 8382
131.151.1.145 4572 514276
10864
131.151.177.2 4374 9645573
57475
131.151.178.57 4176 8924188
11501
131.151.175.115 4110 28260371
42063

29
Filtering traffic flow-nfilter

filter-primitive test
type ip-port
permit 135
permit 139
permit 445
or permit 135,139,445
default deny
filter-primitive ipok
type ip-address
deny 131.151.32.202
default permit
filter-primitive ip
type ip-address-prefix
permit 131.151/16
default deny

filter-primitive servers
type ip-address-prefix
deny 131.151.0/23
deny 131.151.2/24
default permit
filter-definition ms-scan
match dst-ip-port test
match src-ip-addr ipok
match src-ip-addr ip
match dst-ip-addr servers
match src-ip-addr servers

30
Sasser Worm Example

flow-nfilter -f ms-scan -F ms-scan lt
ft-v07.2004-05-02.155141-0500 flow-stat -f9 -S1
more
IPaddr flows octets
packets
131.151.169.114 2380 860065 8302
131.151.171.111 2368 807897 8150
131.151.177.132 2365 797034 8165
131.151.176.229 2357 782567 8032
131.151.171.23 2353 787680 8045
131.151.173.40 2337 662575 7775
131.151.176.81 2329 843737 7848
131.151.175.151 2329 745276 7840
131.151.177.47 2321 653594 7697
131.151.172.131 2317 723814 7755
131.151.172.192 2317 640136 7640
131.151.172.224 2311 641091 7629
131.151.173.73 2301 623940 7568
131.151.63.62 2298 596356 7519
131.151.199.2 2297 789097 7801

31
(No Transcript)
32
(No Transcript)
33
Profile of a Worm in NetFlow

Can use different protocols
High flow count
Low packet count 3 packets or less per flow
Use flow-stat or flow-report to spot them
Downside If the stations generate other
traffic, it can obscure the worm activity

34
Flow File Size Can Tell a Story

Always keep an eye on the NetFlow file sizes
Works best after a baseline of a few days or
weeks of observation.
General fluctuations are normal traffic patterns,
but a sudden surge indicates something new is
going on.
Sudden drops could indicate network problems.

35
Pig in the Python

-rw-r--r-- 1 netflow afsuser 2019685 May 2
1521 ft-v07.2004-10-02.151649-0500
-rw-r--r-- 1 netflow afsuser 2031767 May 2
1526 ft-v07.2004-10-02.152148-0500
-rw-r--r-- 1 netflow afsuser 2032419 May 2
1531 ft-v07.2004-10-02.152647-0500
-rw-r--r-- 1 netflow afsuser 2072933 May 2
1536 ft-v07.2004-10-02.153145-0500
-rw-r--r-- 1 netflow afsuser 2062822 May 2
1541 ft-v07.2004-10-02.153645-0500
-rw-r--r-- 1 netflow afsuser 2120842 May 2
1546 ft-v07.2004-10-02.154144-0500
-rw-r--r-- 1 netflow afsuser 7013906 May 2
1551 ft-v07.2004-10-02.154643-0500
-rw-r--r-- 1 netflow afsuser 11331622 May 2
1556 ft-v07.2004-05-02.155141-0500
-rw-r--r-- 1 netflow afsuser 15607255 May 2
1601 ft-v07.2004-05-02.155640-0500
-rw-r--r-- 1 netflow afsuser 15748046 May 2
1606 ft-v07.2004-05-02.160139-0500
-rw-r--r-- 1 netflow afsuser 14216272 May 2
1611 ft-v07.2004-05-02.160638-0500
-rw-r--r-- 1 netflow afsuser 12008287 May 2
1616 ft-v07.2004-05-02.161137-0500
-rw-r--r-- 1 netflow afsuser 9972353 May 2
1621 ft-v07.2004-05-02.161636-0500
-rw-r--r-- 1 netflow afsuser 8973700 May 2
1626 ft-v07.2004-05-02.162135-0500
-rw-r--r-- 1 netflow afsuser 9042363 May 2
1631 ft-v07.2004-05-02.162635-0500
-rw-r--r-- 1 netflow afsuser 8017690 May 2
1636 ft-v07.2004-05-02.163133-0500
-rw-r--r-- 1 netflow afsuser 8109288 May 2
1641 ft-v07.2004-05-02.163632-0500
-rw-r--r-- 1 netflow afsuser 7301829 May 2
1646 ft-v07.2004-05-02.164131-0500
-rw-r--r-- 1 netflow afsuser 7175834 May 2
1651 ft-v07.2004-05-02.164630-0500

36
NetFlow Email Virus Detection

Systems infected with Email viruses can be
detected via NetFlow due to
Multiple mail messages per host in the same flow
file (over 15 messages in 5 min)
Mail going directly to the border instead of
authorized servers (requires policies).
Policy enforcement example!

37
Typical Email Virus

flow-cat ft-v07.2004-11-18.190 flow-nfilter -f
/kfl/emailblocked -Femail flow-print -f3more
srcIP dstIP prot srcPort
dstPort octets packets
131.151.148.26 64.12.138.152 6 1148
25 144 3
131.151.148.26 64.12.138.57 6 1150
25 144 3
131.151.148.26 64.12.138.89 6 1152
25 144 3
131.151.148.26 64.12.137.249 6 1154
25 144 3
131.151.148.26 67.28.113.11 6 1156
25 144 3
131.151.148.26 67.28.114.36 6 1158
25 144 3
131.151.148.26 64.156.215.7 6 1160
25 144 3
131.151.148.26 206.190.36.245 6 1162
25 144 3
131.151.148.26 67.28.113.11 6 1165
25 144 3
131.151.148.26 67.28.114.36 6 1167
25 144 3
131.151.148.26 64.156.215.7 6 1169
25 144 3
131.151.148.26 206.190.36.245 6 1171
25 144 3
131.151.148.26 66.135.195.181 6 1174
25 144 3
131.151.148.26 66.135.195.180 6 1176
25 144 3
131.151.148.26 66.135.195.181 6 1179
25 144 3
131.151.148.26 66.135.195.180 6 1181
25 144 3
131.151.148.26 195.245.231.83 6 1184
25 144 3

38
Email checks Not all are bad

flow-print f3 lt last grep 131.151.65.124
grep " 25 6
srcIP dstIP prot srcPort
dstPort octets packets
131.151.65.124 65.54.252.230 6 3828
25 96 2
131.151.65.124 65.54.252.99 6 3842
25 96 2
131.151.65.124 65.54.252.230 6 3852
25 96 2
131.151.65.124 64.4.50.239 6 3867
25 96 2
131.151.65.124 65.54.167.230 6 3879
25 96 2
131.151.65.124 65.54.252.99 6 3897
25 96 2
131.151.65.124 65.54.252.230 6 3912
25 96 2
131.151.65.124 64.4.50.239 6 3922
25 96 2
131.151.65.124 65.54.167.230 6 3934
25 96 2
131.151.65.124 65.54.252.99 6 3943
25 96 2
131.151.65.124 65.54.252.230 6 3957
25 96 2
131.151.65.124 64.4.50.239 6 3972
25 96 2
131.151.65.124 65.54.167.230 6 4003
25 96 2
131.151.65.124 65.54.252.99 6 4018
25 96 2
131.151.65.124 65.54.252.230 6 4035
25 96 2
131.151.65.124 64.4.50.239 6 4053
25 96 2
131.151.65.124 65.54.167.230 6 4072
25 96 2

39
Controlled Mass Mailer

flow-nfilter -f /kfl/emailblocked -F email lt
ft-v07.2004-11-17.220025-0600 \
flow-print -f3
srcIP dstIP prot srcPort
dstPort octets packets
131.151.173.197 64.48.9.3 6 3281
25 144 3
131.151.173.197 32.97.166.40 6 3282
25 144 3
131.151.173.197 216.200.145.10 6 3283
25 144 3
131.151.173.197 208.36.123.68 6 3284
25 144 3
131.151.173.197 66.126.156.4 6 3285
25 144 3
131.151.173.197 61.9.0.109 6 3286
25 144 3
131.151.173.197 211.233.37.232 6 3287
25 144 3
131.151.173.197 200.217.215.90 6 3288
25 144 3
131.151.173.197 216.213.21.13 6 3289
25 144 3
131.151.173.197 202.138.96.6 6 3290
25 144 3
131.151.173.197 207.55.105.2 6 3291
25 144 3
131.151.173.197 216.86.113.228 6 3292
25 144 3
131.151.173.197 194.158.37.140 6 3293
25 144 3
131.151.173.197 209.242.224.42 6 3294
25 144 3
131.151.173.197 67.65.226.82 6 3295
25 144 3
131.151.173.197 64.18.4.10 6 3296
25 144 3

40
Multiple Control Hosts

flow-print -f3 lt ft-v07.2004-11-17.220025-0600
grep 131.151.173.197 more
131.151.173.197 64.48.9.3 6 3281
25 144 3
218.7.120.95 131.151.173.197 6 1438
12942 217 5
131.151.173.197 218.7.120.95 6 12942
1438 168 4
131.151.173.197 32.97.166.40 6 3282
25 144 3
210.51.191.41 131.151.173.197 6 3900
12942 217 5
131.151.173.197 210.51.191.41 6 12942
3900 168 4
131.151.173.197 216.200.145.10 6 3283
25 144 3
218.16.122.101 131.151.173.197 6 4559
12942 217 5
131.151.173.197 218.16.122.101 6 12942
4559 168 4
131.151.173.197 208.36.123.68 6 3284
25 144 3
218.16.122.100 131.151.173.197 6 3570
12942 261 6
131.151.173.197 218.16.122.100 6 12942
3570 210 5
131.151.173.197 66.126.156.4 6 3285
25 144 3
207.46.106.169 131.151.173.197 6 1863
3010 356 1
131.151.173.197 207.46.106.169 6 3010
1863 40 1
61.142.80.147 131.151.173.197 6 2857
12942 261 6
131.151.173.197 61.142.80.147 6 12942
2857 210 5
131.151.173.197 61.9.0.109 6 3286
25 144 3

41
Traffic Analysis Worm?

flow-nfilter -f ms-scan -F ms-scan lt
ft-v07.2004-10-25.141702-0500 \
flow-stat -f9 -S1 more
--- ---- ---- Report Information --- --- ---
Fields Total
Symbols Disabled
Sorting Descending Field 1
Name Source IP
Args flow-stat -f9 -S1
IPaddr flows Octets
packets
131.151.175.221 3365 186336
3882
131.151.151.144 137 89054
654
131.151.26.211 66 1913668
21807
131.151.38.229 41 60142
734
131.151.173.154 32 12131
93

42
Traffic Analysis Zeroing In

flow-print -f3 lt ft-v07.2004-10-25.141702-0500
grep 131.151.175.221 more
131.151.175.221 39.20.119.86 6 1332
445 96 2
131.151.175.221 131.151.39.200 6 1333
445 96 2
131.151.175.221 131.151.197.61 6 1334
445 96 2
131.151.175.221 181.213.252.165 6 1336
445 144 3
131.151.175.221 131.120.180.161 6 1338
445 144 3
131.151.175.221 131.252.118.187 6 1339
445 144 3
131.151.175.221 213.22.152.79 6 1340
445 144 3
131.151.175.221 132.241.57.93 6 1341
445 144 3
131.151.175.221 131.20.244.221 6 1343
445 96 2
131.151.175.221 131.151.68.88 6 1246
445 96 2
131.151.175.221 131.7.183.3 6 1344
445 144 3
131.151.175.221 131.239.215.78 6 1345
445 96 2
131.151.175.221 131.151.221.89 6 1347
445 144 3
131.151.175.221 131.39.76.244 6 1348
445 96 2
131.151.175.221 131.151.66.165 6 1349
445 144 3
131.151.175.221 101.211.104.57 6 1286
445 96 2
131.151.175.221 38.110.247.113 6 1351
445 144 3
131.151.175.221 131.38.73.212 6 1352
445 96 2

43
Traffic Analysis Check the Border

flow-cat ft-v07.2004-10-25.141 flow-print f3
grep 131.151.175.221
srcIP dstIP prot srcPort
dstPort octets packets
131.151.175.221 65.54.252.230 6 3828
80 9173 15
65.54.252.230 131.151.175.221 6 80
3828 38860 72
131.151.175.221 64.4.50.132 6 2127
80 1516 7
64.4.50.132 131.151.175.221 6 80
2127 17834 32
131.151.175.221 128.73.23.25 6 2523
80 7872 123
128.73.23.25 131.151.175.221 6 80
2523 287793 374
131.151.175.221 206.63.81.89 6 1034
6667 11291 269
206.63.81.89 131.151.175.221 6 6667
1034 42958 290
206.63.81.89 131.151.175.221 6 6667
1034 105 1
Turns out that this was an IRC controlled Bot
sdbot.worm.j

44
Situation IFRAME Exploit

System suddenly generated a virus warning after
visiting a well known, trusted website.
System scan removed the known virus and
downloader, but an undetectable trojan was
downloaded during the event.
Trojan NOT detectable after virus definition
update and full system scan.
System now displays ads and runs very slow
Analysis of system required. Noted traffic
involving Netherlands IP address.

45
IFRAME Exploit Examining traffic

flow-cat ft-v07.2004-11-18.08 flow-print f3
grep " 62\.4\.84
srcIP dstIP prot srcPort
dstPort octets packets
131.151.232.172 62.4.84.45 6 3585
80 1106 23
62.4.84.45 131.151.232.172 6 3585
80 42562 34
131.151.232.172 62.4.84.41 6 3586
80 12637 313
62.4.84.41 131.151.232.172 6 80
3586 879907 590
131.151.232.172 62.4.84.53 6 3587
80 1633 7
62.4.84.53 131.151.232.172 6 80
3587 2257 6
We knew approximate time of the event.
Search on the network portion of the IP address
in question.
Three systems on foreign network are involved in
the exploit.
Banned IP range to contain problem.
Now we can search an entire days logs to find
the number of infected systems.

46
Create iframe Filter

filter-primitive test-address
type ip-address
permit 62.4.84.41
permit 62.4.84.45
permit 62.4.84.53
default deny
filter-primitive test-protocol
type ip-protocol
permit tcp
filter-definition iframe
match dst-ip-addr test-address
match ip-protocol test-protocol

47
Run iframe Filter

flow-cat f flow-nfilter -f iframe -F iframe
flow-print -f3 gt \ /out
Then run this output through awk, sort and grep
awk 'print 1' /out sort u grep 131.151
131.151.177.161
131.151.178.45
131.151.174.18
131.151.176.14
131.151.177.44
131.151.176.38
131.151.170.80
131.151.174.10
131.151.174.40
131.151.178.128
131.151.169.181
131.151.170.87
131.151.18.149
131.151.18.8

48
Spot Who is Using Services

Netflow is very useful for determining
Who is using various services
Impact on closing down ports
Location of servers

49
Other Types of Detection

Spyware
Verify claims on traffic from your network
DMCA reports
Attacks reports
Scanning reports
Email spoofed or real
Can aid with determining access controls and
Firewall rules null interface for dropped
traffic

50
Other Links

MOREnet NetFlow usage stats http//solutions.mor
e.net/mymorenet/plogin/
Cisco http//www.cisco.com
flow-tools home http//www.splintered.net/sw/flo
w-tools/
Great selection of links for various NetFlow
toolshttp//www.switch.ch/tf-tant/floma/software
.html
Fprobe source http//sourceforge.net/projects/fpr
obe
Libcap-ring, nprobe, ntop http//www.ntop.org
Well known IP ports (very good reference for
analysis) http//www.iana.org/assignments/port-n
umbers
If you ever have any questions of any sort,
please email me at kfl_at_mst.edu.