Malicious traffic
- 1. MALICIOUS TRAFFIC Presented by Ishraq Fataftah
- 2. Agenda Introduction. What is Malicious traffic. Malicious traffic types. Malicious traffic detection and prevention. Conclusion.
- 3. Introduction As the internet become more mature, management of its resources to provide guaranteed services is crucial. The success of the Internet has increased its vulnerability to misuse and performance problems.
- 4. Introduction It has been frequently abused by people mostly with hostile intentions. We have been under various kinds of attacks such as viruses, worms and commonly a bunch of spam mails every day.
- 5. Introduction
- 6. Malicious Traffic It is hard to detect and distinguish malicious packet and legitimate packets in the traffic. The behavior of Internet traffic is very far from being regular. Presents large variations in its throughput at all scales.
- 7. Malicious Traffic Any traffic anomalies that occur from hardware or software failures to internet packets with maliciously modified options. Generated from what is called botnets.
- 9. Malicious Traffic Monitoring the flow of packets. Malicious traffic usually exhausts the legitimate resources by sending a lot of traffic. Monitoring traffic targeting unused addresses in the network.
- 10. Malicious Traffic Types Scanners. Worms. Malicious Spam. Backscatters. DOS, DDOS.
- 11. Scanners Single source. Strikes the same port on many machines. Different ports on the same machine. Generates a lot of flows.
- 12. Worms Self-replicating virus that does not alter files but resides in active memory and duplicates itself. CodeRed worm infected 395,000 computers and resulted in approximately $2.6 billion in damage. Results in an increase in service activity, especially if service is law traffic.
- 13. Worms MyTob Worm, 2005 Copies itself as %System%msnmsgs.exe Adds the value: “MSN” = “msnmsgs.exe” to IRC Server registry: HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersion RunServices HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun HKEY_CURRENT_USERSoftwareMicrosoftOLE HKEY_CURRENT_USERSYSTEMCurrentControlSetControlLsa W32.Mytob@mm runs every time Windows starts User Zone Server Zone
- 14. Malicious Spam Spamming is flooding the network with a huge amount of unsolicited email messages to force people to receive them. Contains malware or links to malicious sites.
- 15. Backscatter Email bounces for emails that a person didn’t send. Spammer is spoofing the Reply-to field in email. When sent to email server, it is bounces to the reply-to address rather than the sender. Used to overcome spam filters and in DOS attacks.
- 16. DOS, DDOS Generate a huge amount of adverse traffic to a target server to make it unavailable. Attempt to exhaust the resources of the victim. They are difficult to detect and prevent. DDOS attacks are simultaneously launched from several sources destined to the same target.
- 17. DOS, DDOS
- 18. Malicious traffic Detection and Prevention Anomaly detection techniques. Signature-scan techniques. Intrusion detection and prevention systems. QoS metrics. Tools such as Snort. Network filters such as ACLs. Honeypots.
- 19. Anomaly detection techniques Differentiates between normal and malicious traffic by: Studying the normal behavior of users, resources. Create patterns for these activities. Any behavior that deviates from this pattern is considered malicious.
- 20. Signature-scan techniques Uses a database that store signatures. Passive scan for network traffic, any patterns match these stored signatures are considered malicious traffic. Effective for known attacks.
- 21. Intrusion detection and prevention systems Software or hardware that is designed to detect and prevent any malicious attack or activity on the network. Monitor the network traffic. Analyze any suspicious event. Log these events and report them to the network administrator for actions.
- 22. QoS metrics Studying the behavior of the network traffic under normal and malicious attacks. Extracting parameters from network traffic.
- 23. Snort Open source tool that is used in intrusion detection systems. Real time analysis on the network traffic. Intrusion detection system to monitor the traffic, analyzes it and inform the network administrator for suspicious activities.
- 24. ACLs Installed in routers and used to match packet headers against a pre-defined list of rules and takes pre-defined actions on any matching packets.
- 25. Honeypots “a security resource whose value lies in being probed, attacked or compromised” Any attempt to interact with honeypots incurs a malicious activity or attack.
- 26. Conclusion Malicious traffic is any traffic anomalies occurs from failure in traffic packets that is intentionally modified for malicious acts. By studying malicious attacks we can obtain better understanding of malicious traffic and how to detect and prevent these attacks. An increase in the awareness toward the importance of security will help in mitigation against internet misuse.
Editor's Notes
- #5: threats may range from simple to severe functional and financial damage to the network infrastructure. Adding the legal perspective, these threats should be clearly and carefully identified, analyzed and managed.
- #6: data is encapsulated in packets.
- #7: Most flows are roughly symmetric at the packet levelWhenever a packet is sent, a packet is received within some reasonable interval (round trip time)This can me measured (and enforced) at the edge router inexpensively
- #8: these botnets launch malicious traffic that attacks network hosts and internet service provider (ISPS).
- #10: Malicious traffic can be detected by monitoring the network traffic using packet monitoring tools and studying any up normal or suspected behavior in the network. By monitoring the flow of packets, maliciously changed packets can be identified and infected computers can be determined based on its signature. In addition, malicious traffic usually exhausts the legitimate resources by sending a lot of traffic to halt its functionality. Another measurement can be by monitoring traffic targeting unused addresses in the network [3]. Unused addresses should expect a very limited load of traffic not mentioning that no device should be connected to it.
- #17: Among all attacks, the denial-of-service (DoS) attack is one ofthe attacks rather difficult to detect and prevent since they exploitregular services, and overwhelm such services with tremendousmalicious traffic.
- #19: Anomaly-detection first establishes a normal behavior pattern forusers, programs or resources in the system, and then looks for deviationfrom this behavior.signature-scan techniques passively monitor traffic seen on a network and detect an attack when patterns within the packet match predefined signatures in a database.They are a resource that has no authorized activity, they do not have any production value. Theoreticlly, a honeypot should see no traffic because it has no legitimate activity. This means any interaction with a honeypot is most likely unauthorized or malicious activity. Any connection attempts to a honeypot are most likely a probe, attack, or compromise. Snort’s open source network-based intrusion detection system (NIDS) has the ability to perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks. Snort can be configured in three main modes: sniffer, packet logger, and network intrusion detection. Snort can be configured in three main modes: sniffer, packet logger, and network intrusion detection. the program will monitor network traffic and analyze it against a ruleset defined by the user. The program will then perform a specific action based on what has been identified