賴守全, 銘傳大學 (Ming Chuan University), 電腦與通訊工程學系 (Department of Computer and Communication Engineering), 2007.08.23. Anomaly Detection for Internet Security (網際網路安全之異常偵測)


Bad News!

Houston, we have a problem!

Outline

- The Theory (review of previous talk)
- SNMP & MRTG
- NetFlow
- WireShark

The Theory


Network Layers

OSI reference model and the Internet protocol suite, side by side:

  7 Application    FTP, HTTP, SMTP, SNMP, NFS
  6 Presentation   XDR
  5 Session        RPC
  4 Transport      TCP, UDP, SCTP
  3 Network        IPv4, IPv6 (ICMP, ARP and RARP shown alongside this layer)
  2 Data link
  1 Physical

Layered Protocol Structure

(diagram: two hosts, each running the same stack; Application at Layer 7, TCP and UDP at Layer 4, IP at Layer 3, MAC at Layer 2, with each layer paired with the same layer on the other host)

Protocol Stacks

Encapsulation on the way down the sending stack, decapsulation on the way up the receiving stack:

  Layer         Unit      Contents
  Application   Message   M
  Transport     Segment   Ht M
  Network       Packet    Hn Ht M
  Data Link     Frame     Hd Hn Ht M
  Physical                bits on the wire

(Ht, Hn and Hd are the transport, network and data-link headers; the receiver strips them in the reverse order.)

Ethernet (Layer 2)

- Ethernet address = MAC address = hardware address; uniquely assigned
- CSMA/CD with binary exponential back-off

Frame layout (field sizes in bytes):

  Destination Address (6) | Source Address (6) | Type (2) | Data (46 - 1500) | Frame Check Sequence (4)

Ethernet Hubs

- Signal relay (repeater): relays to all ports
- One LAN segment, a single collision domain
- Half-duplex

Ethernet Switches

- 10/100/1000 Mbps, store and forward
- Backplane bandwidth, forwarding rate
- L2 forwarding table (FDB entries), traffic filtering
- One collision domain per port
- Full duplex

IP Network (Layer 3)

- Routes packets
- Provides best-effort, unreliable, connectionless delivery of IP packets
- IP address: assigned by an authority; a logical address

IP Packet Format (each row is 4 bytes, 32 bits)

  Version | IP Header Length | Type Of Service | Total Length
  Identification | Flags | Fragment Offset
  Time To Live | Protocol | Header Checksum
  Source IP Address
  Destination IP Address
  Options (+ padding)
  Data

IP Addresses

- Network address + subnet address + host address
- Public addresses; private addresses (used behind NAT): 10/8, 172.16/12, 192.168/16
- Subnet address: subnet mask, gateway address (default router)

(diagram: a class C address split into Network | Subnet | Host fields)

ARP (Address Resolution)

- Maps an IP address to an Ethernet address (abuse: ARP spoofing)
- Broadcast protocol (abuse: ARP flooding)

  Request (broadcast): "Who is 163.25.6.227?"
  Reply (unicast):     "Yes, I am" (with the replying host's MAC address)

IP Network Diagnosis

- ICMP: echo, echo-reply, destination-unreachable
- "ping" (knock on the door)
- "traceroute" ("tracert" on Windows) (show the path)

Transport Layer (Layer 4)

- A virtual circuit
- UDP: datagram delivery, connectionless, unreliable, minimal
- TCP: byte stream, connection-oriented, reliable, full-duplex

TCP and UDP Ports

(diagram: processes on Host A (client) CONNECT to port numbers on which processes on Host B (server) LISTEN)

  Port   Protocol   Application (service)
  21     FTP        File transfer
  23     TELNET     Remote login
  25     SMTP       Email
  53     DNS        DNS
  80     HTTP       WWW
  110    POP        Email
  119    NNTP       Newsgroup

UDP Datagram Format (each row is 4 bytes)

  Source Port | Destination Port
  Length | Checksum
  Data

TCP Segment Format (each row is 4 bytes)

  Source Port | Destination Port
  Sequence Number
  Acknowledgement Number
  Data Offset | Reserved | Control (flags) | Window
  Checksum | Urgent Pointer
  Options (if any)
  Data

TCP Sequence Numbers

  Host A                               Host B      Time
  SYN, seq=X                  -->
                              <--      SYN, seq=Y, ack=X+1
  ACK, seq=X+1, ack=Y+1       -->

TCP three-way handshake (the third segment carries only ACK, not SYN).
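The header layouts on the preceding slides (Ethernet frame, IP packet, UDP datagram, TCP segment) and the handshake above, as an added example that is not part of the original talk: a small decoder that walks one frame from Layer 2 to Layer 4, verifies the IP header checksum, strips Ethernet padding by honouring Total Length, and decodes the TCP control bits. The frames it decodes are constructed in the block itself (made-up MAC addresses, RFC 5737 documentation IP addresses); nothing here is captured from the campus network the slides describe.

```python
"""Decode an Ethernet II frame down to its IPv4 and TCP/UDP headers, following the
field layouts shown on the slides. Added example: the frames are constructed below
(made-up MACs, documentation IP addresses), not captured from the page's network."""
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17
# Bits 0..5 of the TCP control field, lowest bit first.
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]
ETH_MIN_PAYLOAD = 46  # the "Data (46 - 1500)" field: short payloads are padded


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ipv4_checksum(header):
    """RFC 1071 one's-complement sum. Over a header whose checksum field is zero it
    yields the value to store; over an intact header (field included) it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def decode_frame(frame):
    """Return the L2/L3/L4 header fields of one frame as a dict."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {"dst_mac": mac_str(dst), "src_mac": mac_str(src), "ethertype": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        return out  # ARP, IPv6, ... are not decoded here
    ip = frame[14:]
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto, _csum,
     sip, dip) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    out.update(version=ver_ihl >> 4, ihl=ihl, total_length=total_len, ttl=ttl,
               protocol=proto, src_ip=".".join(map(str, sip)),
               dst_ip=".".join(map(str, dip)),
               ip_checksum_ok=ipv4_checksum(ip[:ihl]) == 0)
    # Total Length, not the frame length, bounds the packet: Ethernet padding follows it.
    l4 = ip[ihl:total_len]
    if proto == PROTO_UDP:
        sport, dport, length, _csum = struct.unpack("!HHHH", l4[:8])
        out.update(src_port=sport, dst_port=dport, udp_length=length, payload=l4[8:length])
    elif proto == PROTO_TCP:
        (sport, dport, seq, ack, off_flags, window,
         _csum, _urg) = struct.unpack("!HHIIHHHH", l4[:20])
        data_offset = (off_flags >> 12) * 4
        bits = off_flags & 0x3F  # the six classic flags; ECE/CWR/NS are ignored
        out.update(src_port=sport, dst_port=dport, seq=seq, ack=ack,
                   data_offset=data_offset, window=window, payload=l4[data_offset:],
                   flags=[n for i, n in enumerate(TCP_FLAG_NAMES) if bits & (1 << i)])
    return out


def _addr(dotted):
    return bytes(int(x) for x in dotted.split("."))


def _mac(colon_hex):
    return bytes.fromhex(colon_hex.replace(":", ""))


def build_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq, ack, flags,
                    payload=b""):
    """Constructed test frame: Ethernet II + IPv4 (no options) + TCP (no options).
    Only the IP header checksum is filled in; the TCP checksum is left at zero."""
    bits = sum(1 << TCP_FLAG_NAMES.index(f) for f in flags)
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | bits,
                      65535, 0, 0) + payload
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000,
                               64, PROTO_TCP, 0, _addr(src_ip), _addr(dst_ip)))
    ip[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip)))
    data = bytes(ip) + tcp
    data += b"\x00" * max(0, ETH_MIN_PAYLOAD - len(data))  # pad as a NIC would
    return struct.pack("!6s6sH", _mac(dst_mac), _mac(src_mac), ETHERTYPE_IPV4) + data


def handshake_summary(x=1000, y=5000):
    """Build and decode the three handshake segments; returns (flags, seq, ack) per segment."""
    a, b = ("00:11:22:33:44:55", "192.0.2.10"), ("66:77:88:99:aa:bb", "198.51.100.5")
    segs = [
        build_tcp_frame(a[0], b[0], a[1], b[1], 3456, 80, x, 0, ["SYN"]),
        build_tcp_frame(b[0], a[0], b[1], a[1], 80, 3456, y, x + 1, ["SYN", "ACK"]),
        build_tcp_frame(a[0], b[0], a[1], b[1], 3456, 80, x + 1, y + 1, ["ACK"]),
    ]
    return [(d["flags"], d["seq"], d["ack"]) for d in map(decode_frame, segs)]


if __name__ == "__main__":
    for flags, seq, ack in handshake_summary():
        print("+".join(flags), "seq=%d" % seq, "ack=%d" % ack)
```

Two details matter when the same logic is pointed at real captures: the decoder must slice the packet by the IP Total Length rather than the frame length, because a 40-byte SYN arrives inside a 46-byte padded Ethernet payload, and a header checksum that does not verify means the fields after it cannot be trusted either.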

SNMP & MRTG


SNMP Network Management

(diagram: SNMP agents on network devices (one labelled TCEB) answer an SNMP manager; the manager's traffic analyzer stores the statistics and renders them as HTML)

SNMP: Simple Network Management Protocol

- Used to request (or set) values of MIB objects
- Five message types (SNMPv1): Get, GetNext, Set, Response, Trap

MIB

MIB: Management Information Base

The MIB tree (object identifier prefixes):

  iso(1)
    org(3)
      dod(6)
        internet(1)
          directory(1)
          mgmt(2)
            mib-2(1)
              system(1)
              interfaces(2)
              at(3)
              ip(4)
              icmp(5)
              tcp(6): tcpRtoAlgorithm, tcpRtoMin, tcpRtoMax, tcpConnTable (tcpConnState, tcpConnLocalPort, tcpConnRemPort)
              udp(7)
              egp(8)
              transmission(10)
              snmp(11)
          private(4): vendor subtrees such as cisco, ibm, hp, dlink
          snmpv2(6)

MIB Objects

- System group (system): 1.3.6.1.2.1.1
- Interfaces group (interfaces): 1.3.6.1.2.1.2
  - ifInOctets: .1.3.6.1.2.1.2.2.1.10.x
  - ifOutOctets: .1.3.6.1.2.1.2.2.1.16.x
  (x is the interface index, ifIndex)
- Internet Protocol (ip): 1.3.6.1.2.1.4
- Transmission Control Protocol (tcp): 1.3.6.1.2.1.6
- User Datagram Protocol (udp): 1.3.6.1.2.1.7
- Private (private): 1.3.6.1.4

SNMP & MIB

  Manager  --- Get / GetNext / Set --->  Agent   (to UDP/161 on the agent)
  Manager  <--------- Response --------  Agent
  Manager  <----------- Trap ----------  Agent   (to UDP/162 on the manager)

MRTG & RRDtool

- MRTG: Multi Router Traffic Grapher, http://people.ee.ethz.ch/~oetiker/webtools/mrtg/
- RRDtool: Round-Robin Database Tool, http://people.ee.ethz.ch/~oetiker/webtools/rrdtool/

Internet Worm Detection

A worm-infected host may generate an unusually high volume of probing packets, which shows up as a jump in the packet rate (pps) and bandwidth graphed by MRTG.
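What MRTG does with the ifInOctets/ifOutOctets values named two slides earlier, as an added example that is not MRTG or RRDtool code: turn two counter samples into a bits-per-second rate and flag intervals that stand far above the baseline. The one detail that bites in practice is that these are Counter32 objects, so the delta must be taken modulo 2^32, and the poll interval must stay below the wrap time of the link. The samples are constructed; the Counter64 objects mentioned (ifHCInOctets/ifHCOutOctets from IF-MIB) are assumed to be supported by the device.

```python
"""MRTG-style throughput from the SNMP interface counters ifInOctets/ifOutOctets.
Added example, not MRTG or RRDtool code; the samples are constructed. The counters
are Counter32 objects: they count bytes since the interface came up and wrap to 0
after 2^32 - 1, so a rate must be computed from the delta modulo 2^32, and the poll
interval must be shorter than the time a full-rate link needs to wrap the counter."""
COUNTER32_MOD = 2 ** 32
COUNTER64_MOD = 2 ** 64  # ifHCInOctets/ifHCOutOctets (IF-MIB), assumed available


def counter_delta(prev, curr, mod=COUNTER32_MOD):
    """Increment between two samples of a monotonic counter, allowing for one wrap."""
    return (curr - prev) % mod


def bits_per_second(prev_octets, curr_octets, seconds, mod=COUNTER32_MOD):
    if seconds <= 0:
        raise ValueError("samples must be in increasing time order")
    return counter_delta(prev_octets, curr_octets, mod) * 8 / seconds


def max_safe_interval(link_bps, mod=COUNTER32_MOD):
    """Longest poll interval (s) at which the counter cannot wrap twice between
    polls when the link runs at full rate. A gigabit link wraps Counter32 in ~34 s."""
    return mod * 8 / link_bps


def rates_from_samples(samples, mod=COUNTER32_MOD):
    """samples: [(timestamp_s, octets), ...] -> [(timestamp_s, bps), ...] per interval."""
    return [(t1, bits_per_second(c0, c1, t1 - t0, mod))
            for (t0, c0), (t1, c1) in zip(samples, samples[1:])]


def flag_spikes(rates, baseline_bps, factor=3.0):
    """Crude anomaly rule: intervals whose rate exceeds `factor` times the baseline."""
    return [(t, bps) for t, bps in rates if bps > factor * baseline_bps]


# Constructed 5-minute polls of ifOutOctets on a host port: two quiet intervals at
# 1 Mbit/s (37,500,000 octets each), then a 12x jump of the kind a scanning worm
# produces. The counter starts 20,000,000 below 2^32, so the first interval crosses
# the wrap: a naive curr - prev would be negative there.
SAMPLES = [
    (0, 4_274_967_296),
    (300, 17_500_000),
    (600, 55_000_000),
    (900, 505_000_000),
]


def analyze(samples=SAMPLES, baseline_bps=1_000_000):
    """Rates per interval, filtered to the ones worth a closer look with NetFlow."""
    return flag_spikes(rates_from_samples(samples), baseline_bps)


if __name__ == "__main__":
    for t, bps in rates_from_samples(SAMPLES):
        print(f"t={t:4d}s  {bps / 1e6:8.3f} Mbit/s")
    print("spikes:", analyze())
```

The baseline here is a fixed number for clarity; MRTG's five-minute polls simply plot the rate and leave the judgement to the operator, and the follow-up question "which host, talking to whom" is what the NetFlow section answers.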


NetFlow

What is a Flow?

Defined by 7 keys:
- Source IP address
- Destination IP address
- Source port
- Destination port
- Layer 3 protocol type
- TOS byte (DSCP)
- Input logical interface (ifIndex)

NetFlow Version 5 Record Format

Record fields, grouped by the question each group answers:
- From/To: Source IP address, Destination IP address
- Routing and peering: Next hop address, Source AS number, Destination AS number, Source prefix mask, Destination prefix mask
- Application: Source TCP/UDP port, Destination TCP/UDP port
- Usage: Packet count, Byte count
- Time of day: Start sysUpTime, End sysUpTime
- Port utilization: Input ifIndex, Output ifIndex
- Quality of service: Type of Service, TCP flags, Protocol

Why NetFlow?

- NetFlow statistics let users characterize their IP data flows
- They answer the who, what, where, when and how much questions about IP traffic
- They offer a rich data set to be mined for network management, traffic engineering and value-added service offerings (e.g. marketing data, personal NMS data)

NetFlow Collection

- PC server: PIII-800 CPU, 512MB RAM, 60GB HD; FreeBSD, Linux or Solaris
- flow-tools: http://www.splintered.net/sw/flow-tools/

NetFlow Export

  srcIP            dstIP            prot  srcPort  dstPort  octets    packets
  140.114.207.5    220.160.200.175  6     16881    3832     1349      18
  140.114.220.101  219.137.134.186  6     26898    1580     1731      16
  140.114.220.101  219.78.108.200   6     26898    2945     64440     64
  140.114.226.53   158.130.67.92    6     1710     80       7734      49
  140.114.226.53   158.130.67.92    6     1711     80       4002      20
  140.114.220.139  218.30.69.60     6     3111     80       1026      14
  140.114.220.95   66.103.161.14    6     21929    2422     11367     16
  140.114.222.89   218.169.119.181  6     6689     3651     5676041   5261
  140.114.215.148  66.176.238.135   6     3182     17832    13778622  11612
  140.114.220.95   210.85.10.144    6     21929    51618    15808052  15228
  140.114.201.85   219.78.180.227   6     16881    4201     7690251   12210
  140.114.200.89   61.64.210.102    6     4662     4641     7784807   6377
  140.114.207.124  219.68.60.215    6     3887     4662     8545059   7087
  140.114.229.95   203.69.46.221    6     1849     5000     815011    17017
  140.114.212.185  61.241.109.19    6     1947     4686     957536    19186
  140.114.218.12   218.167.184.51   6     2012     4662     6749068   5604
  140.114.201.85   220.138.79.26    6     16881    3825     7888766   10540
  140.114.201.85   218.102.191.195  6     16881    3328     7452556   12174
  140.114.216.144  172.180.24.79    6     47383    1111     306       6
  140.114.226.3    140.120.234.194  6     2927     1882     4140      90
  140.114.226.167  61.51.36.149     6     11376    4177     92        2

NetFlow Analysis

- Top hosts
- Traffic accounting (service accounting)
- Behavior analysis (anomaly detection)
  - Hosts which provide a public service (hosts with many incoming connections)
  - The services provided (ports with many incoming connections)

Worm Detection

One source sending a single ICMP packet (protocol 1, 92 octets) to one address after another in 140.111.0.0/16, within a few seconds:

  1213.17:13:45.689  140.114.218.165:0  140.111.0.108:0  1  1  92
  1213.17:13:45.778  140.114.218.165:0  140.111.0.117:0  1  1  92
  1213.17:13:45.786  140.114.218.165:0  140.111.0.127:0  1  1  92
  1213.17:13:45.898  140.114.218.165:0  140.111.0.202:0  1  1  92
  1213.17:13:45.944  140.114.218.165:0  140.111.0.225:0  1  1  92
  1213.17:13:45.991  140.114.218.165:0  140.111.0.248:0  1  1  92
  1213.17:13:46.037  140.114.218.165:0  140.111.1.12:0   1  1  92
  1213.17:13:46.055  140.114.218.165:0  140.111.1.21:0   1  1  92
  1213.17:13:48.100  140.114.218.165:0  140.111.1.45:0   1  1  92
  1213.17:13:48.149  140.114.218.165:0  140.111.1.67:0   1  1  92
  1213.17:13:48.194  140.114.218.165:0  140.111.1.90:0   1  1  92
  1213.17:13:48.207  140.114.218.165:0  140.111.1.98:0   1  1  92

(columns as printed: timestamp, source:port, destination:port, protocol, packets, octets)
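The "NetFlow Analysis" slide (top hosts, hosts and ports with many incoming connections) and the worm pattern above, turned into code as an added example that is not flow-tools output or the talk's own scripts. The records are constructed inside the block in the column order of the NetFlow Export listing (srcIP dstIP prot srcPort dstPort octets packets), using RFC 5737 documentation addresses; the thresholds are assumptions to be tuned against a site's normal traffic.

```python
"""Behaviour analysis over flow records. Added example; the records are constructed
here (documentation addresses) in the layout the NetFlow Export slide prints:
srcIP dstIP prot srcPort dstPort octets packets. Not data from the talk, not flow-tools."""
from collections import defaultdict


def build_sample_flows():
    """Constructed flow records with three behaviours mixed together."""
    rows = ["srcIP dstIP prot srcPort dstPort octets packets"]
    # One host sending a single ICMP packet to twelve consecutive addresses: a scan
    # of the same shape as the Worm Detection listing (protocol 1, 1 packet, 92 octets).
    for i in range(1, 13):
        rows.append(f"192.0.2.10 203.0.113.{i} 1 0 0 92 1")
    # Six different clients talking to one web server: a host providing a public service.
    for i in range(20, 26):
        rows.append(f"192.0.2.{i} 198.51.100.5 6 {40000 + i} 80 {1500 * i} {20 + i}")
    # One bulk transfer in both directions: the top talker by bytes.
    rows.append("192.0.2.30 198.51.100.7 6 3182 4662 13778622 11612")
    rows.append("198.51.100.7 192.0.2.30 6 4662 3182 512000 9000")
    return "\n".join(rows)


def parse_flows(text):
    """Parse 'srcIP dstIP prot srcPort dstPort octets packets' lines; skips the header."""
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 7 or not f[2].isdigit():
            continue
        src, dst, prot, sport, dport, octets, pkts = f
        flows.append({"src": src, "dst": dst, "prot": int(prot), "sport": int(sport),
                      "dport": int(dport), "octets": int(octets), "packets": int(pkts)})
    return flows


def top_talkers(flows, n=3):
    """Traffic accounting: bytes sent per source address, largest first."""
    octets = defaultdict(int)
    for f in flows:
        octets[f["src"]] += f["octets"]
    return sorted(octets.items(), key=lambda kv: kv[1], reverse=True)[:n]


def scanners(flows, min_targets=10, max_pkts_per_flow=2.0):
    """Hosts whose flows fan out to many distinct destinations while each flow carries
    only one or two packets: the probing pattern of a worm-infected host. A busy
    server also has many peers, but its flows carry many packets, so it is not flagged."""
    targets, pkts, count = defaultdict(set), defaultdict(int), defaultdict(int)
    for f in flows:
        targets[f["src"]].add(f["dst"])
        pkts[f["src"]] += f["packets"]
        count[f["src"]] += 1
    return sorted(src for src, t in targets.items()
                  if len(t) >= min_targets and pkts[src] / count[src] <= max_pkts_per_flow)


def public_services(flows, min_clients=5):
    """(host, port) pairs that many distinct sources connect to over TCP: the hosts
    and ports that provide a service, whether or not anyone intended them to."""
    clients = defaultdict(set)
    for f in flows:
        if f["prot"] == 6:
            clients[(f["dst"], f["dport"])].add(f["src"])
    return sorted(k for k, c in clients.items() if len(c) >= min_clients)


if __name__ == "__main__":
    flows = parse_flows(build_sample_flows())
    print("top talkers:", top_talkers(flows))
    print("scanners:", scanners(flows))
    print("public services:", public_services(flows))
```

On real exports the same three functions are run per time window (for example per five-minute flow file), and the scanner rule is what separates the Worm Detection listing from a legitimate busy host: both have many peers, but only the scanner's flows are one packet each.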


Open Mail Relay Detection

(diagram: hosts A, B and C linked by SMTP (A to B, B to C) and POP3)

In flow data an open relay is a host that accepts inbound SMTP (tcp/25) from arbitrary sources and then itself opens SMTP connections to many other mail servers.

WireShark


Switch Port Mirroring

- Broadcast traffic reaches every port of a switch; unicast traffic does not, so a sniffer on a switch sees nothing useful without port mirroring
- Port mirroring, also called SPAN (Switched Port Analyzer), copies the unicast traffic of selected ports to the monitor port
- Failing open: a switch whose forwarding table has been filled up floods frames to all ports, like a hub

Sniffing

Network analysis (also known as traffic analysis, protocol analysis, sniffing, packet analysis, eavesdropping, and so on) is the process of capturing network traffic and inspecting it closely to determine what is happening on the network.

A sniffer is a program that monitors data traveling over a network.


A Double-Edged Sword

A network analyzer is used for:
- Converting the binary data in packets to readable format
- Troubleshooting problems on the network
- Analyzing the performance of a network to discover bottlenecks
- Network intrusion detection
- Logging network traffic for forensics and evidence
- Analyzing the operations of applications

Network Analyzer

A network analyzer is composed of five basic parts: hardware, capture driver, buffer, real-time analysis, decode.

WireShark

One of the best sniffers available and is being developed as a free, commercial-quality sniffer

It has numerous features, a nice graphical user interface (GUI), decodes over 400 protocols, and is actively being developed and maintained

Runs on UNIX-based systems, Mac OS X, and Windows

This is a great sniffer to use in a production environment, and is available at http://www.wireshark.org/


A Sniffing Example

(screenshot of WireShark with its three panes: Summary (packet list), Detail (decoded protocol fields), Data (raw bytes))

Summary

User Requirements

Fast and reliable problem resolution. Most users will tolerate occasional outages, but ….

To be kept informed of the network status, including both scheduled and unscheduled disruptive maintenance

Network to be managed in such a way as to afford their applications consistently good response time


Network Management Techniques

ICMP (ping, traceroute): network connectivity, link quality, routing path

SNMP (MRTG or RRD Tools): bandwidth utilization (bps), forwarding rate (pps)

NetFlow (flow-tools): accounting, top hosts, service analysis

Packet Sniffing (WireShark): troubleshooting, analysis


Anomaly Detection

- Computer network knowledge is the best (in fact, required) support for network anomaly detection
- Data are transmitted hierarchically through the network protocol stack
- Anomaly detection can therefore be done hierarchically:
  1. Network statistics (MRTG)
  2. Traffic analysis (NetFlow)
  3. Protocol analyzer (WireShark)

The Measurements

What can these measurements tell?
- Bandwidth consumption
- Packet forwarding rate
- NetFlow accounting
- Ping results
- Traceroute results
- Protocol-decoded packets after sniffing
- DNS, SMTP, POP, HTTP request-response results
- CPU load, memory usage, disk space

What’s Wrong?


The End

Thank You!