Characterizing Malicious Traffic on the Internet

1
Characterizing Malicious Traffic on the Internet
Stephen Lau and Scott Campbell (slau@lbl.gov, scampbell@lbl.gov)
NERSC / LBNL
DOE CSG Training Conference, Overland Park, KS, May 26, 2004
2
Overview
  • Why is this of interest?
  • Network traffic
  • Broken traffic
  • Spoofed traffic
  • Malicious traffic
  • Data collection using Bro
  • Operational experience at NERSC and LBNL
  • Examples seen on the wire
  • Worms
  • Future Directions

3
Why Bother?
  • Essential for effective computer protection
  • Most techniques and tools are developed and tested in a clean environment
    • Known signatures
    • Known traffic, or traffic that adheres to rules
    • Synthetic data
    • Lincoln Labs test suites
  • Never tested against real traffic

4
The Rubber Meets the Road
  • Reality
    • Internet traffic is very noisy
    • Lots of ill-behaved software and mis-configured systems
    • Especially true in research environments
    • Naively designed scientific codes
  • Result
    • Lots of false positives
    • Many techniques fail in the real world
    • Stuff just doesn't work
  • Based on our experience
    • Many people do not have a good understanding of real-world traffic characteristics

5
Spoofed Traffic
  • Internet traffic consists of packets
    • Source and destination addresses
    • Source addresses can be crafted
  • Uses
    • Disguise attacking location
    • Denial of service attacks
  • Side effect is backscatter
    • Your address may be used as a spoofed source address
    • Packets will arrive at your site for connections not initiated by your site
    • Can appear as though your site is under attack
  • Another side effect
    • System admins may fire off a nasty-gram saying "stop attacking me"
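
As an added example (not from the slides), a small Python check for the backscatter pattern just described: inbound SYN-ACK or RST packets that answer connections our site never opened. The local address block, the packet records and the reporting threshold are constructed for illustration.

```python
# Added example, not from the presentation: flag inbound SYN-ACK/RST packets
# that answer connections our site never opened. Those are the replies a DoS
# victim sends back when the attacker spoofed one of our addresses as source.
# Network, addresses and packet records below are constructed sample data.
from collections import defaultdict
from ipaddress import ip_address, ip_network

OUR_NET = ip_network("192.0.2.0/24")  # assumed local block (TEST-NET-1)

# Constructed packets: (src, sport, dst, dport, flags), tcpdump-style flags:
# "S" SYN, "S." SYN-ACK, "R" RST.
PACKETS = [
    ("192.0.2.10", 40001, "198.51.100.5", 80, "S"),    # our host opens a connection
    ("198.51.100.5", 80, "192.0.2.10", 40001, "S."),    # legitimate reply to it
    ("203.0.113.7", 80, "192.0.2.200", 1025, "S."),     # reply to a SYN we never sent
    ("203.0.113.7", 80, "192.0.2.200", 1026, "S."),
    ("203.0.113.7", 80, "192.0.2.200", 1027, "R"),      # closed port on the victim: RST
    ("203.0.113.7", 80, "192.0.2.201", 1028, "S."),
    ("198.51.100.9", 443, "192.0.2.10", 40002, "R"),    # a single stray RST
]

def find_backscatter(packets, our_net=OUR_NET, min_replies=3):
    """Return ({responder: count}, unsolicited_packets). A responder whose
    unsolicited SYN-ACK/RST replies to us reach min_replies is most likely a
    DoS victim being hit with SYNs carrying our addresses as source."""
    opened = set()              # 4-tuples of connections our side initiated
    unsolicited = []
    per_responder = defaultdict(int)
    for src, sport, dst, dport, flags in packets:
        if ip_address(src) in our_net and flags == "S":
            opened.add((src, sport, dst, dport))
        elif ip_address(dst) in our_net and flags in ("S.", "R"):
            # A reply is only legitimate if it matches a SYN we actually sent.
            if (dst, dport, src, sport) not in opened:
                unsolicited.append((src, sport, dst, dport, flags))
                per_responder[src] += 1
    backscatter = {h: n for h, n in per_responder.items() if n >= min_replies}
    return backscatter, unsolicited

if __name__ == "__main__":
    hits, _pkts = find_backscatter(PACKETS)
    for host, n in hits.items():
        print(f"{host}: {n} unsolicited replies, probable DoS victim spoofed with our addresses")
```

Backscatter arrives spread over many of our addresses and ports while the responder's port stays fixed, which is why the count is kept per responding host rather than per flow.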

6
Stepping Stones
  • Attackers like to use multiple systems
  • Only clueless attackers (script kiddies) use their own systems to launch attacks
  • Reality: attackers can be anywhere and appear as though they are coming from anywhere

7
Broken Traffic
  • Ideally, Internet traffic behaves logically
    • Adheres to RFCs
  • Reality
    • Storms of 10,000 FIN or RST packets, due to TCP bugs
    • Storms due to foggy days
    • Private addresses leaking out
    • Legitimate tiny fragments
    • Fragments with DF set
    • Overlapping fragments
    • TCPs that acknowledge data that was never sent (!)
    • TCPs that retransmit different data than sent in the first place
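
An added example, not from the slides, showing how a monitor can flag two of the broken TCP behaviours listed above from a packet stream: acknowledgements of data the peer never sent, and retransmissions that carry different data than the first copy. The packet records and the event names are constructed for illustration and are not Bro's own.

```python
# Added example, not from the presentation: a minimal TCP bookkeeping check
# that raises "weird" events for two behaviours real traffic exhibits:
#   ack_above_sent            - a TCP acknowledges data its peer never sent
#   retransmit_inconsistency  - a sequence number is re-sent with different data
# Records are constructed sample data: (src, dst, seq, ack, payload), with
# absolute sequence numbers and the handshake omitted. Event names are my own.

PACKETS = [
    ("10.0.0.1:5000", "10.0.0.2:80", 1000, 5000, b"GET / HTTP/1.0\r\n"),   # 16 bytes
    ("10.0.0.2:80", "10.0.0.1:5000", 5000, 1016, b"HTTP/1.0 200 OK\r\n"),  # consistent
    ("10.0.0.1:5000", "10.0.0.2:80", 1000, 5017, b"GET /x HTTP/1.0\r"),    # seq 1000 again, new data
    ("10.0.0.2:80", "10.0.0.1:5000", 5017, 1500, b""),                      # acks bytes never sent
]

def check_tcp(packets):
    """Return [(packet_index, event_name)] for packets that violate basic TCP
    bookkeeping. State is kept per direction, keyed by (src, dst)."""
    highest_sent = {}   # direction -> first sequence number not yet sent
    sent_data = {}      # direction -> {seq: payload first seen at that seq}
    weird = []
    for i, (src, dst, seq, ack, payload) in enumerate(packets):
        fwd, rev = (src, dst), (dst, src)
        # (1) The ACK points beyond anything the peer has transmitted so far.
        if rev in highest_sent and ack > highest_sent[rev]:
            weird.append((i, "ack_above_sent"))
        seen = sent_data.setdefault(fwd, {})
        if payload:
            # (2) Same starting sequence number, different bytes: not a retransmit.
            if seq in seen and seen[seq] != payload:
                weird.append((i, "retransmit_inconsistency"))
            else:
                seen.setdefault(seq, payload)   # genuine retransmits are identical
            highest_sent[fwd] = max(highest_sent.get(fwd, 0), seq + len(payload))
        else:
            highest_sent.setdefault(fwd, seq)   # pure ACK: learn the direction's seq
    return weird

if __name__ == "__main__":
    for idx, name in check_tcp(PACKETS):
        print(f"packet {idx}: {name}")
```

A production engine would track this per connection with wraparound-safe sequence comparison; the point here is that both checks only need the bytes and numbers already on the wire.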

8
Bro
  • High performance intrusion detection system developed at LBNL and ACRI
    • Vern Paxson, primary developer
    • Based on operational experience with high performance networks
    • Grew out of tools developed to optimize and analyze network traffic
  • Bro Development Goals
    • High speed network monitoring
    • Low packet loss rate
    • Mechanism separate from policy

9
Bro Structure
  • Packet capture and filter
    • Built on libpcap
  • Event Engine
    • Evaluates packets
    • Maintains state of the network connections
    • Generates events
  • Policy Script Interpreter
    • Executes scripts written in the policy language

10
Use of Bro Within NERSC
Architecture diagram; only its labels survive in the transcript:
  • ESNet, filtering border router with ACL insertion, NERSC network traffic
  • Tapped traffic to multiple Bro systems
    • Real Time Analysis
    • Redundant Backup
    • Test Box
    • Bulk Traffic Recorder
  • Tapped traffic to multiple IDS
    • Snort
    • Bro Heavyweight Protocol Analysis
    • Bro GRID / SSL Analysis
  • Tapped traffic to additional monitors
    • Internal Traffic Bro Monitor
    • Wireless Network Bro Monitor (NERSC wireless network)
11
How Much Malicious and Weird Traffic is Out
There?
  • Traffic collected off NERSC border using Bro
  • NERSC network is sparsely populated
  • Some subnets have never had hosts on them
  • Landmine subnets
  • Bro runs 24/7 and records all network
    connections and portion of network traffic
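
An added example (not NERSC's code) of why landmine subnets make scan detection simple: no host has ever lived there, so every connection attempt into them is unsolicited by construction. The subnets, connection records and threshold are constructed for illustration.

```python
# Added example, not from the presentation: score remote hosts by how many
# addresses inside never-populated "landmine" subnets they touch, and estimate
# what share of all connection attempts is aimed at empty space.
# Subnets and connection records are constructed sample data, not NERSC's.
from collections import defaultdict
from ipaddress import ip_address, ip_network

LANDMINES = [ip_network("192.0.2.128/26"), ip_network("192.0.2.192/26")]

# Constructed records: (orig_ip, resp_ip, resp_port, state); states follow the
# usual conn-log convention: SF completed, S0 no reply, REJ rejected.
CONNS = [
    ("198.51.100.20", "192.0.2.10", 22, "SF"),      # normal session to a live host
    ("198.51.100.20", "192.0.2.11", 443, "SF"),
    ("203.0.113.50", "192.0.2.130", 445, "S0"),     # landmine hits: nobody can answer
    ("203.0.113.50", "192.0.2.131", 445, "S0"),
    ("203.0.113.50", "192.0.2.200", 445, "S0"),
    ("203.0.113.50", "192.0.2.201", 445, "S0"),
    ("203.0.113.50", "192.0.2.10", 445, "REJ"),     # same source, live host
    ("203.0.113.99", "192.0.2.199", 80, "S0"),      # one stray landmine hit
]

def in_landmine(ip):
    return any(ip_address(ip) in net for net in LANDMINES)

def find_scanners(conns, min_hits=3):
    """Return {orig_ip: (distinct landmine hosts touched, sorted ports probed)}
    for sources whose distinct landmine targets reach min_hits."""
    targets, ports = defaultdict(set), defaultdict(set)
    for orig, resp, port, _state in conns:
        if in_landmine(resp):
            targets[orig].add(resp)
            ports[orig].add(port)
    return {o: (len(t), sorted(ports[o])) for o, t in targets.items() if len(t) >= min_hits}

def landmine_share(conns):
    """Fraction of connection attempts aimed at empty space: a rough measure
    of the background radiation hitting the monitored block."""
    return sum(1 for _o, r, _p, _s in conns if in_landmine(r)) / len(conns) if conns else 0.0

def scanner_contacts_with_live_hosts(conns, scanners):
    """Connections from identified scanners to populated addresses: the records
    worth examining individually rather than just counting."""
    return [c for c in conns if c[0] in scanners and not in_landmine(c[1])]
```

Because the subnets are empty, a single hit is already unsolicited; the threshold only separates deliberate sweeps from stray packets such as backscatter or misconfiguration.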

12
Total NERSC Connections
13
Valid NERSC Connections
14
Traffic vs. Weird Ratios
15
Good vs. Weird Connections
16
Raw Good vs. Bad Connections
17
Good vs. Bad Connections
18
What is this Malicious Traffic?
  • Two major forms
  • Directed Attacks
  • Running known vulnerability against chosen
    targets
  • Background Radiation
  • Opportunistic attacks
  • Vulnerability Scans
  • Searching for vulnerable services
  • Kiddie scripts
  • Not really knowing what they are doing
  • Automated Worms
  • Increasing portion of Internet noise
  • Looking for new victims to infect

19
Scans
20
Worms
  • What is a worm?
    • Automated piece of code
    • Searches for vulnerable systems
    • Delivers payload (infection)
    • Searches for new vulnerable systems
  • Other characteristics
    • Some have an automated self-destruct built in
    • Some will patch vulnerabilities
    • Some will suppress other worms

21
The Internet is Wormy
  • First big worm: Code Red
    • Summer 2001
  • So many worms now, hard to keep track of
    • Slammer, Blaster, Netsky, Bagle, etc.
  • Surprise: worms never go away completely!
    • Always some level of constant infection on the Internet

22
Fun With Worms
23
Future Directions
  • 'Strange' nature of real Internet traffic is getting more and more unusual
    • Increase in background radiation
    • More virulent and malicious worms
  • Nature of the threat is changing
    • Attacks more directed at client behavior
    • Malicious websites, email
    • Change toward client-based attacks is making border traffic filtering less effective
    • How do you filter a sniffed password?
    • Browser-based attacks
    • Exploits simply by visiting a malicious website
  • Greater need for comprehensive protection, from the border down to user education
    • Client-server model changing
    • Security implications of Grid infrastructure need to be properly addressed

24
Summary
  • Internet traffic is complex
  • Effective computer protection requires an understanding of real Internet traffic
  • Security tools and techniques need to be tested against real Internet traffic

25
Contact Information
  • Stephen Lau
    • Lawrence Berkeley National Labs / NERSC
    • 1 Cyclotron Road, M/S 943
    • Berkeley, CA 94720
    • slau@lbl.gov
  • Scott Campbell
    • Lawrence Berkeley National Labs / NERSC
    • 1 Cyclotron Road, M/S 943
    • Berkeley, CA 94720
    • scampbell@lbl.gov

26
Growth of Code Red Worm
27
Onset of Nimda
28
Worm Attacks, Summer 2001
29
Endemic Code Red 1, Nimda
30
Endemic Code Red 1, Nimda - 2002