Network Measurements: Unused IP address space traffic analysis at SSSUP Campus Network

Francesco Paolucci, Piero Castoldi
Research Unit at Scuola Superiore Sant'Anna, Pisa, Italy

Italy-Tunisia Research Project sponsored by MIUR under FIRB International program
1° year plenary meeting, Tunis, March 29, 2007


Page 2: Unused address space traffic

Dumping Internet traffic sent to unused IP address space can give information about attacks directed at the target subnetwork.

Since there is no legitimate reason for a host to send packets to those destinations, such traffic provides strong evidence of malicious activity including DDoS backscatter, port scanning, and probe activity from active worms.

Page 3: Useful Tools

Two kinds of tools acquire information about unused-address traffic:

• Network telescopes
  – They work by monitoring traffic sent to communication dead-ends such as unallocated portions of the IP address space.
  – They can potentially provide early warning of a scanning-worm outbreak, and can yield excellent forensic information.
• Honeypots
  – They are closely monitored network decoys serving several purposes.
  – They can distract adversaries from more valuable machines on a network.
  – They allow in-depth examination of adversaries during and after exploitation of a honeypot.

When coupled with honeypots, telescopes can be used to interact with potentially malicious traffic in order to determine the intent behind the traffic, including particular vulnerabilities being exploited and follow-on activity after a compromise succeeds.

Page 4: SSSUP Unused traffic dumping

Scuola Superiore Sant’Anna Campus Network

• 8 different sites in Pisa and Pontedera

• Average incoming traffic: 25 Mbit/s

• 4 class-C address spaces

• Total IP address space = 1016

• Utilized IP address space = 162 (16%)

NETWORK SNIFFER & ANALYZER

Measurements Tools

• Linux PC equipped with a high-performance Intel network interface card

• Sniffer: Dumpcap (Wireshark Suite)

• Analyzer and offline filtering: Tshark & Wireshark

• Dumping point: Last switch to GARR Net, NO NAT, NO FIREWALL.

Page 5: Dumping methodology

• Only incoming traffic is traced
• 1-hour long dumps twice a day for a week
  – Most of the anomalous activities last less than 1 hour
  – Day-time and night-time traces give indications about high and low human-user traffic characteristics
• Light online filtering
• Complex offline filtering (entire IP address space set filter)
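The offline step above filters a dump down to packets whose destination lies inside the campus prefixes but is not an allocated host. The following is an added example (not the authors' own tooling) of how that "entire address space set" filter can be generated for tshark from the list of used hosts, and how the filtered records are then tabulated by protocol and destination port as in the result slides. The prefixes, used-host list and packet records are constructed placeholders; the real SSSUP addresses are not on the page.

```python
import ipaddress
from collections import Counter

# Constructed: four /24 prefixes standing in for the campus's "4 class-C
# address spaces" (documentation/benchmark prefixes used as placeholders).
CAMPUS_NETS = [ipaddress.ip_network(n) for n in
               ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24", "198.18.0.0/24")]
# Constructed: the allocated hosts (the slide reports 162 of 1016 in use).
USED_HOSTS = {ipaddress.ip_address(a) for a in
              ("192.0.2.10", "192.0.2.11", "198.51.100.5", "203.0.113.80")}

def unused_filter(nets=CAMPUS_NETS, used=USED_HOSTS):
    """tshark/Wireshark display filter: destination inside the campus prefixes
    and not an allocated host. Listing the used hosts keeps the filter far
    shorter than enumerating the (many more) unused addresses."""
    in_campus = " || ".join(f"ip.dst == {n.with_prefixlen}" for n in nets)
    to_used = " || ".join(f"ip.dst == {h}" for h in sorted(used))
    return f"({in_campus}) && !({to_used})"

def is_unused(dst, nets=CAMPUS_NETS, used=USED_HOSTS):
    """Same predicate applied in Python to one destination address."""
    ip = ipaddress.ip_address(dst)
    return any(ip in n for n in nets) and ip not in used

# Constructed records (dst, protocol, dst port, length in bytes) standing in
# for fields exported from a dump: SYNs to unused hosts, Messenger-spam UDP
# datagrams, a ping, and ordinary traffic to allocated hosts.
SAMPLE_PACKETS = [
    ("192.0.2.77", "tcp", 445, 62), ("192.0.2.78", "tcp", 445, 62),
    ("198.51.100.200", "tcp", 135, 62), ("203.0.113.9", "udp", 1026, 520),
    ("203.0.113.9", "udp", 1027, 498), ("198.18.0.33", "icmp", None, 74),
    ("192.0.2.10", "tcp", 80, 1500), ("192.0.2.11", "tcp", 443, 1400),
    ("198.51.100.5", "udp", 4662, 900), ("203.0.113.80", "tcp", 22, 100),
]

def unused_stats(packets=SAMPLE_PACKETS):
    """Share of packets aimed at unused space, plus protocol mix, top
    destination ports and mean length within that subset."""
    hits = [p for p in packets if is_unused(p[0])]
    share = 100.0 * len(hits) / len(packets) if packets else 0.0
    protos = Counter(p[1] for p in hits)
    ports = Counter((p[1], p[2]) for p in hits if p[2] is not None)
    avg_len = sum(p[3] for p in hits) / len(hits) if hits else 0.0
    return {"unused_pct": share, "protocols": dict(protos),
            "top_ports": ports.most_common(3), "avg_len": avg_len}
```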

Page 6: Global traffic results: 25 Mbit/s

[Pie charts of global traffic by port: TCP packets (86%) and UDP packets (13%).
TCP legend: High ports (P2P, Spam); HTTP (80); P2P server; Port 8080; SMTP (25); HTTPS (443); SSH (22); POP (110); Messenger (1863); FTP (21). Slice values as extracted: 68%, 16%, 12%, 2%, 1%, 1%, 1%, 0%, 0%.
UDP legend: High ports; Edonkey (4662, 4672); DNS (53); OICQ (8000); MSN (1863). Slice values as extracted: 82%, 12%, 6%, 1%, 0%.]

About 80% of the traffic is driven by peer-to-peer applications. Within the high-ports traffic (src and dst ports > 1024) the port values are spread out and no particular value emerges: p2p applications choose random high ports.

Page 7: Unused traffic main results

• Traffic to unused addresses represents 0.2% of the total incoming packets on the whole subnet.
• 4 pkts/s, average rate 6 kbit/s
• The traffic activity profile is constant and independent of the time of day (no profile differences between day and night time)
• Almost all of the traffic consists of (TCP) SYN or (UDP) spam packets

Page 8: Packets statistics

[Pie chart, "Traffic Protocols distribution": TCP 54%, UDP 32%, ICMP 14%.]

[Histogram, "Packet length distribution" (% of packets, y-axis 0-70): bins 0-19, 20-39, 40-79, 80-159, 160-319, 320-639, 640-1279, 1280-2559 bytes; bar values as extracted: 67.61, 0.89, 0.02, 29.52, 0.01.]

• TCP and ICMP packets are quite short (SYN, PING: about 70 bytes long)
• UDP packets are longer (about 500 bytes long)

Page 9: Unused Traffic sources

Source IP        Packets   % Total Packets
193.194.89.102   9306      5%
193.205.39.28    5822      3%
74.7.94.205      4200      2.2%
193.111.95.32    4180      2.2%
12.161.101.51    3912      2%
221.209.110.8    3558      1.9%
207.176.236.7    3546      1.8%
221.209.110.13   3469      1.8%
222.28.80.5      3400      1.8%
202.97.238.200   3163      1.6%

Page 10: TCP destination ports statistics

[Pie chart of TCP destination ports; legend entries paired with slice values in the order extracted:]

Destination port          Share
Microsoft-DS SYN 445      54%
EPMAP SYN 135             18%
SSH 22                    5%
NetBIOS-SSN 139           3%
Echo SYN 7                2%
POP3 110                  2%
IMAP 143                  2%
FTP 21                    2%
HTTP 80                   2%
VETTCP 78                 1%
Radmin 4899               1%
MS-SQL-S 1433             1%
Domain SYN 53             0%
SMTP 25                   0%
Other                     7%

• Port 445 (Microsoft-DS: Active Directory, Windows shares; Sasser worm, Agobot, Zobot worm)
• Port 135 (EPMAP (End Point Mapper) / Microsoft RPC Locator Service; Nachi or MSBlast worms)
• Port 22 (SSH SYN)

These three ports represent more than 75% of the total TCP traffic.

Page 11: UDP destination ports statistics

[Pie chart of UDP destination ports; legend entries paired with slice values in the order extracted:]

Destination port          Share
CAP 1026                  70%
1027                      23%
MS-SQL-M 1434             5%
NetBIOS-NS 137            1%
SNMP 161                  0%
Other                     1%

• Port 1026 (CAP, Calendar Access Protocol; Windows Messenger spam)
• Port 1027 (unassigned; Messenger spam)
• Port 1434 (MS-SQL; systems infected with SQL Slammer)

These three ports represent 97% of the total UDP traffic.

Page 12: ICMP packets

• Type 8 (Ping request): 96%

[Pie chart of ICMP types: Ping request (type 8) 96%, TTL exceeded (type 11) 2%, Destination unreachable (type 3) 1%.]

Page 13: Burstiness characteristics

• Similar behaviour at day and night time
• Peaks of instantaneous 3-4 Mbit/s in 300 ms interval events (SPAM)
• Average SCAN and ICMP 1 kbit/s events

[Time-series plots of unused-address traffic: DAY and NIGHT traces]

Page 14: Traffic burstiness sorted by protocol

Different behaviour between TCP, UDP and ICMP traffic:

• TCP
  – "Constant" bursts (1 packet, t_inter = 4 s, duration = 0.2 s, rate 0.4 kbit/s)
  – Burst train events (event duration = 100 s, each burst lasts 0.3 s with 200 kbit/s peak rate)
• UDP
  – Isolated 0.2 s long bursts with up to 3 Mbit/s peak rate (SPAM)
• ICMP
  – Similar behaviour to TCP but with lower peak and average rate (PING)