ECE-8843 http://www.csc.gatech.edu/copeland/jac/8843/
Prof. John A. Copeland john.copeland@ece.gatech.edu 404 894-5177 fax 404 894-0035
Office: GCATT Bldg 579 email or call for office visit, or call Kathy Cheek, 404 894-5696
Slide Set 12 - Network Traffic Visualization
Result of Google “udp 27015”

27015 is the default port number for various Sierra Online/Valve multi-player online games -- "Halflife", among others. Any game client may also be a server, or optionally the user may run a game workstation in "dedicated" server mode. There are also various "dedicated" servers that run under Windows NT, Linux, FreeBSD (in Linux emulation mode, iirc), etc.

Due to the somewhat decentralized nature of this architecture, there have sprung up several sites and software packages designed to help users find and join a game on a server that is playing the game or map that they prefer, is closest to them from a RTT sense, etc.

Your probes on 27015/udp are most likely game locator servers or clients, or the game client itself looking for servers or requesting information regarding servers past or present.
Result of Google “tcp 6881”

BitTorrent is a peer-to-peer network.

BitTorrent is not just a concept, but has a functioning implementation, already capable of swarming downloads across unreliable networks. This is the result of over two years of intensive development. - http://bitconjurer.org/BitTorrent/introduction.html
Therminator Traffic Visualization

In the “Therminator” technology, each host is assigned to one of eight sets of hosts, and each set is associated with a “Bucket.” A Bucket can hold zero to fifteen “Balls.”

Bucket Set number calculation (three yes/no switches, one per bit):
- Host is the Server for the present connection: add 1 (001) -- Client or Server?
- Host was seen during the last few days: add 2 (010) -- New or Old Friend?
- Host IP address is on our local network: add 4 (100) -- Outside or Inside?

e.g., a Client, New Friend (first seen today), Outside host is in Bucket Set 0 (binary 000).

For programming purposes the eight Buckets are up-down counters whose value is limited to the range zero to fifteen. A packet going from a Host in Bucket Set 5 to a Host in Bucket Set 7 causes the following to happen (only if Bucket 5 has fewer than 15 Balls and Bucket 7 has at least 1 Ball, so the total number of Balls is conserved):
- “Put a Ball in Bucket 5” = “Increment Counter 5”
- “Remove a Ball from Bucket 7” = “Decrement Counter 7”
Unfinished Flash Tutorial provided by Lee Hartley of Lancope, Inc.
Time (30 minutes)

The present SW+T version uses 2-D graphics to display the Therminator-generated “State Distribution” and “Bucket Fill” numbers versus time, with a 30-second time interval (upper graphs). The lower graph and the event log enable the network security analyst to determine the cause of the peaks shown in the “State Distribution” graph.
Peaks in the “State Distribution” graph indicate a significant imbalance in the network traffic (some category of hosts sending far more than it receives).
“Bucket Counts” indicate which types of hosts sent more packets than they received (larger bar, 25% max) and which received more than they sent (smaller bar, which may disappear entirely).
Var^2 and Phantom Hosts: graphs that help identify the cause of network events. The Var^2 curve is similar to the “State Distribution” graph. The Phantom Hosts curve has peaks when unused IP addresses are scanned. The “Packets” curve peaks when there is a short-packet flood attack.
The “Events Log” generated by StealthWatch can precisely identify the cause of network events. It shows the most active Scans, Flows, and Hosts for each 30-second period. Here we see that host 219.178.8.5 sent 741 packets at 1:55:30 but received none. There is no corresponding Flow, so these packets were spread over multiple subnets and IP addresses rather than belonging to one conversation.
Now that we have an IP address to investigate, we use StealthWatch to take a “Host Snapshot.” We find that the host is scanning for open TCP-445 ports (Microsoft SMB, a common worm target) and several other TCP ports (1430, 4679, 4681, 4685, ...).
We do a “whois” lookup on the IP address to find the network administrator, who can be informed of a likely compromised host on his network, or of a malicious user. If we are worried about these scans and do not need to communicate with the offending host or its whole domain, we can signal the firewall or router to drop packets coming from that location.
With “Flow Filter”

Here there are large FTP file transfers every 20 to 40 minutes that last about 90 seconds; these create peaks in the State Distribution curves similar to those of an attack or fast scan. To mitigate this effect, we use a “Flow Filter,” which skips packets from any flow that has done a proper handshake and meets the criteria for a normal flow. The display above shows the results from a fast TCP port 80 scan by a host in England (at 21:55-22:05 PST). This shows up as rectangular peaks in State Distribution (upper left), and in non-flow packets and Var^2 (lower left).

Without “Flow Filter”

This display, taken at the same time without the Flow Filter, shows the results for the same fast TCP port 80 scan, which is now partially obscured by two FTP file transfers (at 21:44-21:46 and 21:54-21:57 PST).
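A minimal flow filter of the kind described above, written as an added example for these notes (it is not StealthWatch or Lancope code). It tracks the TCP three-way handshake per flow and, once a flow has completed one and has not been reset (the "normal flow" criterion assumed here), skips that flow's later packets so a bulk transfer cannot mask a scan. Both traffic samples, an FTP session and a port 80 SYN scan with a few RST replies, are constructed inline; hosts, ports and packet counts are assumptions.

```python
from dataclasses import dataclass

SYN, RST, ACK = 0x02, 0x04, 0x10   # TCP flag bits


@dataclass(frozen=True)
class TcpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    length: int = 60


def flow_key(p: TcpPacket) -> tuple:
    """Direction-independent key so both halves of a conversation share state."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


class FlowFilter:
    """Handshake tracker: stage 0 = nothing, 1 = SYN seen, 2 = SYN/ACK seen,
    3 = final ACK seen (established). Packets of an established, un-reset
    flow are filtered; everything else reaches the analyzer."""

    def __init__(self):
        self.flows = {}

    def _is_normal(self, f) -> bool:
        return f["stage"] == 3 and not f["reset"]

    def _update(self, f, p: TcpPacket) -> None:
        syn, ack, rst = bool(p.flags & SYN), bool(p.flags & ACK), bool(p.flags & RST)
        if rst:
            f["reset"] = True
        elif f["stage"] == 0 and syn and not ack:
            f["stage"], f["initiator"] = 1, (p.src, p.sport)
        elif f["stage"] == 1 and syn and ack and (p.dst, p.dport) == f["initiator"]:
            f["stage"] = 2
        elif f["stage"] == 2 and ack and not syn and (p.src, p.sport) == f["initiator"]:
            f["stage"] = 3

    def passes(self, p: TcpPacket) -> bool:
        """True if the packet should be analyzed. The decision uses the flow
        state before this packet, so the handshake itself passes through."""
        f = self.flows.setdefault(flow_key(p), {"stage": 0, "initiator": None, "reset": False})
        keep = not self._is_normal(f)
        self._update(f, p)
        return keep

    def filter(self, packets):
        return [p for p in packets if self.passes(p)]


def ftp_session(data_packets: int = 50):
    """Constructed: handshake followed by a bulk transfer in both directions."""
    c, cp, s, sp = "10.0.0.5", 41000, "203.0.113.10", 21
    pkts = [TcpPacket(c, cp, s, sp, SYN),
            TcpPacket(s, sp, c, cp, SYN | ACK),
            TcpPacket(c, cp, s, sp, ACK)]
    for _ in range(data_packets):
        pkts.append(TcpPacket(s, sp, c, cp, ACK, 1500))   # file data
        pkts.append(TcpPacket(c, cp, s, sp, ACK))         # client ACK
    return pkts


def port80_scan(targets: int = 30):
    """Constructed: one outside host SYN-scans port 80 on 30 inside hosts;
    every sixth target answers with RST/ACK (closed port), the rest are silent."""
    pkts = []
    for i in range(targets):
        dst = f"10.0.0.{i + 1}"
        pkts.append(TcpPacket("192.0.2.44", 40000 + i, dst, 80, SYN))
        if i % 6 == 0:
            pkts.append(TcpPacket(dst, 80, "192.0.2.44", 40000 + i, RST | ACK))
    return pkts


def summarize(packets=None) -> tuple:
    """(packets passed to the analyzer, packets seen)."""
    packets = packets if packets is not None else ftp_session() + port80_scan()
    return len(FlowFilter().filter(packets)), len(packets)


if __name__ == "__main__":
    print("kept/total:", summarize())
```

With this filter only the three handshake packets of the FTP session survive, while every scan packet (and every RST answer to the scan) is kept, which is exactly the separation the two displays above illustrate.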
StealthWatch + Therminator (SW+T) Basics

The source host and the destination host of each packet are assigned to one of eight categories, depending on the yes/no decisions of three logic "switches": "Client/Server", "Old Friend/New Friend (Stranger)", and "Known (Inside)/Unknown (Outside)".

Bucket Count Graph (upper right)

The colored bars in the upper right graph represent the number of packets sent less the number received by each of these categories (called the "Bucket Count"). These Bucket Counts are constrained: they start at 7 during each 30-second time period and cannot go negative or exceed 15. When a color disappears it means that hosts in that category have received more packets than they sent (the category could contain victims). When a bar doubles in size (25% height), it means that hosts in that category have sent more packets than they received (the category could contain attackers).

State Count Graph (upper left)

Each packet results in a "State," which is represented by the 8 Bucket Count values (b0, b1, b2, b3, b4, b5, b6, b7). A count is kept of how many times each state is occupied during the 30-second time period. Because of the constraints on the bi, a high-speed DoS attack or high-speed network scan drives the counters to their limits, after which the same few states are occupied over and over, so those states get high occupancy numbers. The stacked bar graph shows, for each time period, the occupancy numbers of the 12 most highly occupied states. The peaks indicate when significant events have occurred.

Events Log (lower left)

High-speed data file transfers can also cause State-Count peaks, as can high-speed scans, SYN floods, fragment floods, distributed DoS, UDP worm spreads, and so on. To determine the cause of a peak, consult the Events Log, which provides data from the underlying StealthWatch system. Listed there for each 30-second period are the most active Hosts (number of packets or increase in CI, the StealthWatch Concern Index), Scans (number of new CI points), and Flows (number of packets). In SW 3.0, Hosts with a high increase in Victim-CI points will also be shown.
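The bucket and state mechanism described on the Therminator slide and in the SW+T Basics above, as an added example written for these notes (not Lancope's or the course's code). It implements the three-bit bucket set, the ball-moving rule with the 0..15 constraint and the per-period start value of 7, and the state-occupancy count for one 30-second period. The inside network (10.0.0.0/8), the rule for guessing which side is the server (the side on a port below 1024), the old-friend list and both traffic samples are assumptions constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumptions of this example; the slides do not fix these values.
LOCAL_NET = ip_network("10.0.0.0/8")   # "Inside" hosts
START_BALLS, MAX_BALLS = 7, 15          # counters start at 7 each period, range 0..15
OLD_FRIENDS = {"10.0.0.5", "10.0.0.80", "203.0.113.10", "203.0.113.20"}


@dataclass(frozen=True)
class Packet:
    t: float
    src: str
    dst: str
    sport: int
    dport: int


def bucket_set(ip: str, is_server: bool, old_friends: set) -> int:
    """Bucket Set 0..7 from the three yes/no switches on the slide."""
    n = 0
    if is_server:                        # 001: Client or Server?
        n += 1
    if ip in old_friends:                # 010: New or Old Friend?
        n += 2
    if ip_address(ip) in LOCAL_NET:      # 100: Outside or Inside?
        n += 4
    return n


def classify(pkt: Packet, old_friends: set) -> tuple:
    """(source bucket, destination bucket). Server side guessed from the
    well-known port: an assumption of this example, not a rule on the slide."""
    src_is_server = pkt.sport < 1024 <= pkt.dport
    return (bucket_set(pkt.src, src_is_server, old_friends),
            bucket_set(pkt.dst, not src_is_server, old_friends))


def run_window(packets, old_friends) -> tuple:
    """Apply the ball-moving rule to one 30-second period.
    Returns (final bucket counts, Counter of state occupancy)."""
    buckets = [START_BALLS] * 8
    states = Counter()
    for pkt in packets:
        s, d = classify(pkt, old_friends)
        # Put a ball in the source bucket, take one from the destination
        # bucket, only if both counters stay within 0..15.
        if buckets[s] < MAX_BALLS and buckets[d] >= 1:
            buckets[s] += 1
            buckets[d] -= 1
        states[tuple(buckets)] += 1
    return buckets, states


def peak_share(states: Counter) -> float:
    """Fraction of the period's packets spent in the single most occupied
    state; close to 1.0 means the stacked bar is dominated by one state."""
    return states.most_common(1)[0][1] / sum(states.values())


def senders_and_receivers(buckets) -> tuple:
    """Bucket sets above 7 sent more than they received (possible attackers);
    bucket sets at 0 received far more than they sent (possible victims)."""
    return ([i for i, b in enumerate(buckets) if b > START_BALLS],
            [i for i, b in enumerate(buckets) if b == 0])


def scan_window():
    """Constructed: one new outside host probes TCP/445 on 200 unused inside
    addresses within one period; nothing answers."""
    return [Packet(i * 0.1, "198.51.100.9", f"10.1.0.{i + 1}", 40000 + i, 445)
            for i in range(200)]


def normal_window():
    """Constructed: four balanced request/response flows across different
    host categories, 25 exchanges each (also 200 packets)."""
    flows = [("10.0.0.5", 40000, "203.0.113.10", 443),   # inside old client -> outside old server
             ("198.51.100.7", 51000, "10.0.0.80", 80),   # outside new client -> inside old server
             ("10.0.0.99", 40001, "203.0.113.10", 443),  # inside new client -> outside old server
             ("203.0.113.20", 50000, "10.0.0.200", 22)]  # outside old client -> inside new server
    pkts, t = [], 0.0
    for _ in range(25):
        for c, cp, s, sp in flows:
            pkts.append(Packet(t, c, s, cp, sp))          # request
            pkts.append(Packet(t + 0.01, s, c, sp, cp))   # response
            t += 0.1
    return pkts


if __name__ == "__main__":
    for name, pkts in (("scan", scan_window()), ("normal", normal_window())):
        buckets, states = run_window(pkts, OLD_FRIENDS)
        print(f"{name}: buckets={buckets} peak_share={peak_share(states):.2f} "
              f"senders/receivers={senders_and_receivers(buckets)}")
```

In the scan period the scanner's bucket (set 0: outside, new, client) climbs to 14 and the probed bucket (set 5: inside, new, server) empties to 0 within seven packets; every packet after that leaves the state unchanged, so one state collects almost all of the period's occupancy, which is the peak the State Distribution graph shows. The balanced period returns to the all-7 rest state after every exchange and ends with no bucket above 7 or at 0.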
Status Graphs (upper right)

Three values are presently plotted that help the analysis (they also appear in the Events Log). The total number of packets shows whether an appreciable increase in packets on the network has occurred (seen with short-packet DoS attacks more than with file transfers). The "Missed IPs" curve (the Phantom Hosts curve) peaks when high-speed network scans send many packets to non-existent hosts (unused IP addresses). The VAR2 value is a mean-square variation of the State Occupancy values, which has been found to be another way to detect significant network events.