Virtual Dark IP for Internet Threat Detection
Akihiro Shimoda & Shigeki Goto, Waseda University


Slide 1: Virtual Dark IP for Internet Threat Detection
Akihiro Shimoda & Shigeki Goto, Waseda University

Slide 2: Black Hole
(image: sprott.physics.wisc.edu/pickover/embed.jpg)

Slide 3: Dark IP
An IP address which is not assigned nor used. It is actually allocated to a machine which does not respond to any incoming packets.
(figure: incoming packets arrive at the Dark IP; no response is sent)

Slide 4: Dark IP Sensor Box
A PC holding the Dark IP sits behind a firewall that accepts all incoming packets and blocks all outgoing packets. Anomaly packets sent by the attacker are logged on the PC; nothing is ever sent back.

Slide 5: Example: Observation System with Physical Sensors
Distributed sensors, each behind its own firewall, are placed across the Internet. Log data from the sensors is collected by a database & analysis server, which produces Web, image and sound views, statistics data and alert information.

Slide 6: Packets captured by Dark IP
- Port scanning or host scanning
- Backscatter packets of DDoS (Distributed DoS)
- Various configuration mistakes

Slide 7: Backscatter of DDoS
Attackers send DDoS packets whose destination is TARGET (IP address X.X.X.X) and whose source IP address is spoofed. TARGET answers the spoofed address: the backscatter packets have destination = spoofed IP address and source = TARGET, so they land on other hosts/servers across the Internet, including Dark IPs.

Slide 8: Virtual Sensors
Normal servers and normal hosts take part in mutual (two-way) communications. Addresses in unused IP space offer no service and only ever receive one-way access from attackers; these addresses are the Virtual Sensors. They are observed from the NetFlow records exported for the packets, not from a physical sensor box.

Slide 9: Pros and Cons
Pros:
- No need for physical sensors
- Analyze thousands of Virtual Sensors simultaneously
- Covers a wide variety of traffic on a target router
Cons:
- The target router must have the NetFlow function
- Accuracy is degraded by NetFlow sampling
- Some errors in locating Virtual Dark IPs

Slide 10: NetFlow v5
Example record exported by the router for a flow from Host A (X.X.X.X/24, AS 1000, interface Fa 1/0) to Host B (Y.Y.Y.Y/24, port 20, AS 2000, interface Fa 0/0):

  Start Time  2006/3/10 12:31:15    End Time  2006/3/10 12:31:18
  SrcIP       X.X.X.X               DstIP     Y.Y.Y.Y
  SrcMask     /24                   DstMask   /24
  Protocol    6
  SrcPort     23221                 DstPort   20
  TOS         80
  SrcAS       1000                  DstAS     2000
  Flags       10
  SrcIF       Fa 1/0                DstIF     Fa 0/0
  Packets     1200                  KBytes    6400

Slide 11: Flow Capture and Analysis Process
NetFlow router -> flow-tools -> NetFlow database -> flow attributes -> Virtual Sensor Detection Algorithm -> virtual sensor candidates -> virtual sensors -> Anomaly Packets Collector -> results output.

Slide 12: Locating Virtual Sensors: Algorithm
Virtual Sensor Candidates are checked against a Senders List (cache). A candidate that is not seen in the list, or is not communicating back, becomes a Virtual Sensor.

Slide 13: Parameters: Life Time

Slide 14: Parameters: Limit timer

Slide 15: Experiment Configuration
A malicious host and a worm-infected host in the wide area network send anomaly packets and scanning packets through an intermediate router (the target of flow observation) into the autonomous system APAN-JP.

Slides 16-21: Comparison (charts of physical versus virtual sensor observations)
- Port 135/tcp (two slides)
- Port 445/tcp
- Port 1026/udp
- Port 22/tcp
- Port 80/tcp

Slide 22: Conclusion
- Virtual Dark IP: a new method for flow-based analysis
- No need for physical sensors
- Verified a certain similarity between Virtual Sensors and Physical Sensors
- A real comparison is planned: sensors at the same place and the same time

Slide 23: Thank you!

Slide 24: Extra Slides
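The record on slide 10 is what the detection pipeline consumes. Below is an added example of decoding a NetFlow v5 export datagram in Python; it is not code from the Waseda authors or from flow-tools. The 24-byte header and 48-byte record layouts are the documented v5 wire format. The sample datagram is constructed: documentation addresses stand in for X.X.X.X and Y.Y.Y.Y, the interface indexes are assumed, and "Flags 10" and "TOS 80" from the slide are read as hexadecimal. The header's sampling field is also decoded, because slide 9 names sampling as the source of accuracy loss and a collector has to know whether packet counts are raw or sampled.

```python
import socket
import struct
from dataclasses import dataclass
from typing import List

# NetFlow v5 export: a 24-byte header followed by `count` 48-byte records,
# every field in network byte order (documented v5 layout).
HEADER_FMT = "!HHIIIIBBH"
RECORD_FMT = "!IIIHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 48


@dataclass
class FlowRecord:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int
    tcp_flags: int
    tos: int
    src_as: int
    dst_as: int
    src_mask: int
    dst_mask: int
    in_if: int
    out_if: int
    packets: int            # as exported: a sampled count if the router samples
    octets: int
    first_ms: int           # SysUptime (ms) at flow start
    last_ms: int
    sampling_interval: int  # 1 when the exporter reports no sampling


def _ntoa(addr: int) -> str:
    return socket.inet_ntoa(struct.pack("!I", addr))


def parse_netflow_v5(datagram: bytes) -> List[FlowRecord]:
    """Decode one exported datagram; raise ValueError on a malformed one."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    (version, count, _uptime, _secs, _nsecs, _seq,
     _engine_type, _engine_id, sampling) = struct.unpack_from(HEADER_FMT, datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    # Low 14 bits hold the sampling interval, top 2 bits the sampling mode;
    # a zero field means the router exported every packet.
    interval = sampling & 0x3FFF or 1
    needed = HEADER_LEN + count * RECORD_LEN
    if len(datagram) < needed:
        raise ValueError(f"header announces {count} records ({needed} bytes) "
                         f"but only {len(datagram)} bytes arrived")
    records = []
    for i in range(count):
        (src, dst, _nexthop, in_if, out_if, pkts, octets, first, last,
         sport, dport, _pad1, flags, prot, tos, sas, das, smask, dmask,
         _pad2) = struct.unpack_from(RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        records.append(FlowRecord(_ntoa(src), _ntoa(dst), sport, dport, prot, flags,
                                  tos, sas, das, smask, dmask, in_if, out_if,
                                  pkts, octets, first, last, interval))
    return records


def estimated_packets(rec: FlowRecord) -> int:
    """Scale a sampled count back up: an estimate, which is the slide-9 accuracy caveat."""
    return rec.packets * rec.sampling_interval


def build_sample_export(sampling_field: int = 0) -> bytes:
    """Constructed datagram mirroring the slide-10 record (not a real capture)."""
    header = struct.pack(HEADER_FMT, 5, 1, 3000, 1141993875, 0, 1, 0, 0, sampling_field)
    record = struct.pack(
        RECORD_FMT,
        struct.unpack("!I", socket.inet_aton("192.0.2.1"))[0],     # SrcIP (stands in for X.X.X.X)
        struct.unpack("!I", socket.inet_aton("198.51.100.1"))[0],  # DstIP (stands in for Y.Y.Y.Y)
        0,                  # next hop (not on the slide)
        1, 0,               # SrcIF Fa 1/0, DstIF Fa 0/0 as ifIndex 1 and 0 (assumed)
        1200,               # Packets
        6400 * 1024,        # KBytes 6400, exported as octets
        0, 3000,            # first/last: 3 s apart, like 12:31:15 -> 12:31:18
        23221, 20,          # SrcPort / DstPort
        0, 0x10, 6, 0x80,   # pad, Flags 10 (read as hex: ACK), Protocol 6, TOS 80 (read as hex)
        1000, 2000,         # SrcAS / DstAS
        24, 24, 0)          # SrcMask / DstMask / pad
    return header + record


if __name__ == "__main__":
    for r in parse_netflow_v5(build_sample_export()):
        print(f"{r.src_ip}:{r.src_port} -> {r.dst_ip}:{r.dst_port} proto={r.proto} "
              f"pkts={r.packets} (estimated {estimated_packets(r)})")
```

The length check matters in practice: a collector that trusts the header's record count against a truncated datagram will read past the buffer or decode garbage addresses, and garbage destination addresses would show up as false Virtual Sensor candidates downstream.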
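Slides 11 to 14 describe the detection step only by its parts: flow attributes, a Senders List (cache), candidates, sensors, and two parameters named Life Time and Limit timer. The following is an added example of one way those parts fit together; it is not the authors' implementation. The reading used here is an assumption: an inside address that sends anything is a real host and is cached as a sender for `life_time` seconds; an inside address that only receives becomes a candidate, and is promoted to a Virtual Sensor once it has received one-way traffic for `limit_timer` seconds without ever sending. The monitored prefix 192.0.2.0/24, the parameter values and the sample flows are all constructed. The collector at the end tallies flows to the sensors by port, which is the view the comparison slides (135/tcp, 445/tcp, 1026/udp, 22/tcp, 80/tcp) are drawn from.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Set


@dataclass(frozen=True)
class Flow:
    start: int    # flow start in seconds (constructed values below)
    src: str
    dst: str
    proto: int    # 6 = TCP, 17 = UDP
    dport: int


# Assumed parameters: the slides name "Life Time" and "Limit timer" without values.
MONITORED = ipaddress.ip_network("192.0.2.0/24")  # assumed prefix behind the observed router
LIFE_TIME = 600      # seconds an address stays in the senders cache after it last sent
LIMIT_TIMER = 300    # seconds a candidate must stay silent before it becomes a sensor


def locate_virtual_sensors(flows: Iterable[Flow], monitored=MONITORED,
                           life_time: int = LIFE_TIME,
                           limit_timer: int = LIMIT_TIMER) -> Set[str]:
    senders: Dict[str, int] = {}     # senders cache: inside address -> last time seen as a source
    candidates: Dict[str, int] = {}  # inside address -> first time seen only as a destination
    sensors: Set[str] = set()
    for f in sorted(flows, key=lambda x: x.start):
        now = f.start
        # Life Time: forget senders that have been quiet too long, so an address
        # that was in use and then abandoned can become a candidate later.
        for addr, seen in list(senders.items()):
            if now - seen > life_time:
                del senders[addr]
        if ipaddress.ip_address(f.src) in monitored:
            # Anything that sends takes part in mutual communication: never a sensor.
            senders[f.src] = now
            candidates.pop(f.src, None)
            sensors.discard(f.src)
        dst_inside = ipaddress.ip_address(f.dst) in monitored
        if dst_inside and f.dst not in senders and f.dst not in sensors:
            candidates.setdefault(f.dst, now)   # one-way access: remember the first sighting
        # Limit timer: promote candidates that have drawn traffic for limit_timer
        # seconds without ever answering.
        for addr, first in list(candidates.items()):
            if addr not in senders and now - first >= limit_timer:
                sensors.add(addr)
                del candidates[addr]
    return sensors


def collect_anomaly_packets(flows: Iterable[Flow], sensors: Set[str]) -> Counter:
    """Anomaly Packets Collector: flows aimed at virtual sensors, keyed by (proto, dport)."""
    counts: Counter = Counter()
    for f in flows:
        if f.dst in sensors:
            counts[(f.proto, f.dport)] += 1
    return counts


# Constructed sample flows (not a real capture): 192.0.2.10 is a live server,
# 192.0.2.78 looks unused until it answers a scan, 192.0.2.77 never sends.
SAMPLE_FLOWS = [
    Flow(0,   "192.0.2.10",   "203.0.113.5",  6, 443),
    Flow(5,   "203.0.113.5",  "192.0.2.10",   6, 80),
    Flow(10,  "198.51.100.9", "192.0.2.77",   6, 135),
    Flow(12,  "198.51.100.9", "192.0.2.78",   6, 135),
    Flow(15,  "198.51.100.9", "192.0.2.77",   6, 445),
    Flow(20,  "192.0.2.78",   "198.51.100.9", 6, 51234),   # .78 replies: a real host
    Flow(400, "198.51.100.9", "192.0.2.77",   17, 1026),
    Flow(420, "203.0.113.5",  "192.0.2.10",   6, 22),
    Flow(900, "198.51.100.9", "192.0.2.77",   6, 22),
]


if __name__ == "__main__":
    found = locate_virtual_sensors(SAMPLE_FLOWS)
    print("virtual sensors:", sorted(found))
    for (proto, port), n in sorted(collect_anomaly_packets(SAMPLE_FLOWS, found).items()):
        print(f"  {port}/{'tcp' if proto == 6 else 'udp'}: {n} flow(s)")
```

Two of the slide-9 caveats show up directly in this structure. A live host whose only outbound flows were dropped by NetFlow sampling never enters the senders cache and is misclassified as a sensor, and a host that is genuinely silent for longer than `life_time` drops out of the cache and can be promoted by a single later scan; both are the "errors in locating Virtual Dark IP" the slide mentions, and the two timers trade false positives against how quickly freshly abandoned address space becomes usable as a sensor.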