The Internet Motion Sensor: A Distributed Blackhole Monitoring System Presented By: Arun...

The Internet Motion Sensor: A Distributed Blackhole Monitoring System. Presented By: Arun Krishnamurthy. Authors: Michael Bailey, Evan Cooke, Farnam Jahanian, Jose Nazario, David Watson. 12th Annual Network and Distributed System Security Symposium (NDSS'05)

Transcript of The Internet Motion Sensor: A Distributed Blackhole Monitoring System Presented By: Arun...

Page 1: The Internet Motion Sensor: A Distributed Blackhole Monitoring System Presented By: Arun Krishnamurthy Authors: Michael Bailey, Evan Cooke, Farnam Jahanian,

The Internet Motion Sensor: A Distributed Blackhole Monitoring System

Presented By: Arun Krishnamurthy

Authors: Michael Bailey, Evan Cooke, Farnam Jahanian, Jose Nazario, David Watson.

12th Annual Network and Distributed System Security Symposium (NDSS'05)

Page 2:

Presentation Outline

The Threat Problem
  Why was the Internet Motion Sensor (IMS) created?
Introduction to IMS
  What is it? What is it supposed to do? What are the components?
Observations
  What nasty stuff did IMS find?
My comments and Conclusion
  What rocked? What sucked? Suggestions for improvement?

Page 3:

The Threat Problem

A network that is always connected is highly vulnerable to threats.

Threat properties:
  Globally scoped.
  May have no patches or fixes available.
  Evolutionary.
  Can spread through the entire network within minutes.

Page 4:

The Threat Problem

Promising method to investigate threats: monitor unused or dark address space.

Issues:
  Sensor coverage: how much visibility the system has into Internet threats.
  Service emulation: which services to emulate, and at what level to emulate them?

Page 5:

The Internet Motion Sensor (What is it?)

Definition: a globally scoped Internet monitoring system whose objective is to measure, characterize, and track threats.

Goals:
  Maintain a level of interactivity that can differentiate traffic on the same service.
  Provide visibility into Internet threats beyond address, geographical, and operational boundaries.
  Enable characterization of emerging threats while minimizing incremental effort.

Page 6:

The Internet Motion Sensor (Architecture – Basic Idea)

Consists of a set of distributed blackhole sensors, each monitoring a dedicated range of unused IP address space. Blackhole sensors contain a passive and an active component.

Passive component:
  Records packets sent to the sensor's address space.
Active component:
  Responds to specific packets to elicit more data from the source.
  Designed to extract the first payload of data across the major protocols.

Page 7:

The Internet Motion Sensor (Architecture – Diagram)

Page 8:

The Internet Motion Sensor (Architecture – Main Components)

Distributed Blackhole Network: used to increase visibility into global threats.

Lightweight Active Responder: provides enough interactivity that traffic on the same service can be differentiated independent of application semantics.

Payload Signatures & Caching: used to avoid recording duplicate payloads.

Page 9:

The Internet Motion Sensor (Distributed Blackhole Network)

A large distributed sensor network built from address blocks of many sizes that are scattered throughout the network.

Using Moore's telescope analogy, larger blocks have broader detection coverage.

Different sensors observe different magnitudes and types of traffic.

(Diagram labels: /16 Address Sensor, /8 Address Sensor)

Page 10:

The Internet Motion Sensor (Lightweight Responder)

Main responsibility is to elicit payloads for TCP connections.

Two key contributions:
  Ability to elicit payloads to differentiate traffic.
  Ability to get responses across ports without application semantic information.

Page 11:

The Internet Motion Sensor (Lightweight Responder – Other Characteristics)

Differentiates services: by using payload signatures, IMS can identify the presence of new worms even in extremely noisy conditions.

Service agnostic: enables insight into less popular services. Example: backdoor ports on existing worms.

One limitation: IMS provides little or no information on threats that depend on application level responses.
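A loopback illustration of the responder idea, added here and not code from the IMS project: it completes the TCP handshake on whatever port it is bound to, waits briefly for the client's first payload, and records the payload's MD5 signature without knowing the application protocol. The record fields, the timeout and the two constructed clients are assumptions; the silent client stands in for server-speaks-first protocols (an SMTP client waiting for the banner, the RPC bind()/request() case on Page 29), which is exactly the limitation stated above.

```python
"""Minimal port-agnostic responder: accept, wait for the first client
payload, log its MD5 signature. Client-speaks-first traffic (a worm sending
its exploit) yields a payload; protocols where the server must speak first
time out with nothing, which is the IMS limitation."""
import hashlib
import socket
import threading

FIRST_PAYLOAD_BYTES = 1024   # only the first payload chunk is recorded
CLIENT_TIMEOUT = 0.5         # assumed: how long to wait for the client to speak


def handle_connection(conn, addr):
    """Wait for the first payload on an accepted socket; return a record."""
    conn.settimeout(CLIENT_TIMEOUT)
    try:
        data = conn.recv(FIRST_PAYLOAD_BYTES)
    except socket.timeout:
        data = b""            # client never spoke: server-speaks-first protocol
    finally:
        conn.close()
    return {
        "src": addr[0],
        "signature": hashlib.md5(data).hexdigest() if data else None,
        "payload_len": len(data),
    }


def serve_first_payloads(listener, max_conns):
    """Accept max_conns connections on a bound listener, one at a time."""
    records = []
    for _ in range(max_conns):
        conn, addr = listener.accept()
        records.append(handle_connection(conn, addr))
    return records


def run_demo():
    """Loopback demo with two constructed clients: one that speaks first
    (like a worm delivering its exploit) and one that waits for a banner."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # port 0: the responder does not care which port
    listener.listen(2)
    port = listener.getsockname()[1]
    results = []
    server = threading.Thread(
        target=lambda: results.extend(serve_first_payloads(listener, 2)))
    server.start()

    talker = socket.create_connection(("127.0.0.1", port))
    talker.sendall(b"CONSTRUCTED-EXPLOIT-PAYLOAD")   # constructed sample payload
    talker.close()

    silent = socket.create_connection(("127.0.0.1", port))  # waits for a banner
    server.join()
    silent.close()
    listener.close()
    return results


if __name__ == "__main__":
    for rec in run_demo():
        print(rec)
```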

Page 12:

The Internet Motion Sensor (Payload Signatures and Caching)

Basic idea:
  Compute the MD5 checksum of the payload.
  If the checksum is found in the cache, then only log the signature (do NOT store the payload).
  Else store both the payload and the signature.

With a 96% cache hit rate, this method saves over 100 GB/day per address sensor!!!

Page 13:

The Internet Motion Sensor (Payload Signatures and Caching Example)

Worm     Signature                         Payload   Hits
MyWorm   9e107d9d372bb6826bd81d3542bt569g  (stored)  1

Blackhole Sensor -> cache: MD5 signature 9e107d9d372bb6826bd81d3542bt569g + payload (cache miss, so both are stored).

Page 14:

The Internet Motion Sensor (Payload Signatures and Caching Example)

Worm         Signature                         Payload   Hits
MyWorm       9e107d9d372bb6826bd81d3542bt569g  (stored)  1
AnotherWorm  e56d4cd98f00b204e9800998ecf8427e  (stored)  1

Blackhole Sensor -> cache: MD5 signature e56d4cd98f00b204e9800998ecf8427e + payload (cache miss, so both are stored).

Page 15:

The Internet Motion Sensor (Payload Signatures and Caching Example)

Worm         Signature                         Payload   Hits
MyWorm       9e107d9d372bb6826bd81d3542bt569g  (stored)  2
AnotherWorm  e56d4cd98f00b204e9800998ecf8427e  (stored)  1

Blackhole Sensor -> cache: MD5 signature 9e107d9d372bb6826bd81d3542bt569g + payload (cache hit, so only the signature is logged and the hit count goes up).
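The caching rule from Page 12 and the three-step walkthrough on Pages 13 to 15, as an added example (not IMS code): each payload is keyed by its MD5 digest, a miss stores payload and signature, a hit only bumps the counter. The two payload byte strings and the bookkeeping counters are constructed for the example.

```python
"""Payload signature cache: hash each captured payload with MD5, store the
payload only on the first sighting, count repeats. Also tracks how many
bytes the cache kept off disk, which is where the 'saves over 100 GB/day'
figure comes from."""
import hashlib


class PayloadCache:
    def __init__(self):
        self.entries = {}      # signature -> {"payload": bytes, "hits": int}
        self.bytes_stored = 0  # payload bytes written on cache misses
        self.bytes_saved = 0   # payload bytes not written on cache hits

    def record(self, payload):
        """Return (signature, stored) where stored is True on a cache miss."""
        sig = hashlib.md5(payload).hexdigest()
        entry = self.entries.get(sig)
        if entry is not None:
            entry["hits"] += 1            # hit: log the signature only
            self.bytes_saved += len(payload)
            return sig, False
        self.entries[sig] = {"payload": payload, "hits": 1}   # miss: store both
        self.bytes_stored += len(payload)
        return sig, True

    def hit_rate(self):
        """Fraction of recorded payloads that were already in the cache.
        Note that a one-byte change in a variant's payload is a miss, so
        the rate reflects exact repeats only."""
        total = sum(e["hits"] for e in self.entries.values())
        return 0.0 if total == 0 else 1 - len(self.entries) / total


def walkthrough():
    """Replay the slides: MyWorm arrives, then AnotherWorm, then MyWorm again."""
    cache = PayloadCache()
    myworm = b"CONSTRUCTED MyWorm payload"        # constructed sample payload
    another = b"CONSTRUCTED AnotherWorm payload"  # constructed sample payload
    log = []
    for name, payload in (("MyWorm", myworm),
                          ("AnotherWorm", another),
                          ("MyWorm", myworm)):
        sig, stored = cache.record(payload)
        log.append((name, stored, cache.entries[sig]["hits"]))
    return cache, log


if __name__ == "__main__":
    cache, log = walkthrough()
    for name, stored, hits in log:
        print(f"{name:12} {'miss, stored' if stored else 'hit, sig only'}  hits={hits}")
    print(f"stored={cache.bytes_stored}B saved={cache.bytes_saved}B "
          f"hit_rate={cache.hit_rate():.2f}")
```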

Page 16:

The Internet Motion Sensor (Observations)

An IMS prototype developed at the University of Michigan consisted of 28 address sensors at 18 physical locations.

3 kinds of events captured:
  Internet Worms
  Scanning
  Distributed Denial of Service (DDoS) Attacks

Page 17:

The Internet Motion Sensor (Internet Worms)

IMS detection of various behaviors from worms:
  Worm virulence: how much traffic resulted from the worm? What routers/paths got congested?
  Worm demographics: how many hosts were infected? What operating system and other information do the hosts have?
  Worm propagation: how does the worm select its next target?
  Community response: which organizations reacted the fastest? Who is still infected?

Page 18:

The Internet Motion Sensor (The Blaster Worm)

Description: affected Windows 2000/XP systems running DCOM RPC services and used a buffer overflow attack to run code on the target machine.

In a 7 day period, IMS detected 3 phases:
  1st phase – Growth
  2nd phase – Decay
  3rd phase – Persistence

Page 19:

The Internet Motion Sensor (The Blaster Worm – Phases Diagram)

Page 20:

The Internet Motion Sensor (The Blaster Worm)

Other observation: the Blaster worm sends an exploit on TCP port 135, then follows with some commands on TCP port 4444.

Conclusion from Blaster worm observations: IMS provides data that can differentiate between different variants of worms. Passive blackhole sensors cannot do that!
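Detection logic over constructed sensor records, added here as an example and not part of the presentation or the IMS code: it flags sources that show the two-stage pattern described above (a payload on TCP/135 followed by a connection on TCP/4444) and then groups the matched sources by their TCP/135 payload signature, which is the per-variant data a passive sensor could not have collected. The record layout, the 60-second correlation window and all addresses and signature strings are assumptions.

```python
"""Correlate exploit-then-command connections per source and split the
matches by payload signature so worm variants can be told apart."""
from collections import defaultdict

# Constructed sensor log: (seconds, source, dst_port, payload_signature).
# The signatures are placeholders, not real Blaster payload hashes.
SENSOR_RECORDS = [
    (0,   "198.51.100.7", 135,  "sig-variant-A"),
    (3,   "198.51.100.7", 4444, None),
    (5,   "203.0.113.9",  135,  "sig-variant-B"),
    (9,   "203.0.113.9",  4444, None),
    (12,  "192.0.2.44",   135,  "sig-variant-A"),  # exploit with no follow-up
    (20,  "192.0.2.80",   4444, None),             # 4444 with no prior 135
    (800, "192.0.2.44",   4444, None),             # follow-up far too late
]

FOLLOW_UP_WINDOW = 60  # assumed seconds between the 135 hit and the 4444 follow-up


def find_two_stage_sources(records, window=FOLLOW_UP_WINDOW):
    """Return {source: signature_seen_on_135} for sources that sent a payload
    to TCP/135 and then connected to TCP/4444 within the window."""
    last_exploit = {}   # source -> (time, signature) of its latest 135 hit
    matched = {}
    for t, src, port, sig in sorted(records):   # replay in time order
        if port == 135:
            last_exploit[src] = (t, sig)
        elif port == 4444 and src in last_exploit:
            t0, sig0 = last_exploit[src]
            if 0 <= t - t0 <= window:
                matched[src] = sig0
    return matched


def variants_by_signature(matched):
    """Group matched sources by the payload signature they sent on 135."""
    groups = defaultdict(list)
    for src, sig in sorted(matched.items()):
        groups[sig].append(src)
    return dict(groups)


if __name__ == "__main__":
    hits = find_two_stage_sources(SENSOR_RECORDS)
    for sig, sources in variants_by_signature(hits).items():
        print(f"{sig}: {', '.join(sources)}")
```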

Page 21:

The Internet Motion Sensor (Blaster Worm Captured)

Page 22:

The Internet Motion Sensor (Blaster Worm Captured)

Page 23:

The Internet Motion Sensor (Blaster Worm Captured)

Page 24:

The Internet Motion Sensor (Scanning)

Attackers scan for vulnerable services to exploit them.

Beagle and MyDoom worms: SMTP worms that began spreading in 2004. They listen on port 2745 (Beagle) and port 3127 (MyDoom) as backdoors used to load malicious software.

Conclusion from observations:
  The Lightweight Responder allowed IMS to detect the backdoor ports.
  Since both worms have variants, having the responder was less time consuming than creating handcrafted service modules for each variant.

Page 25:

The Internet Motion Sensor (Beagle and MyDoom Scanning Activity Chart)

Page 26:

The Internet Motion Sensor (Distributed Denial of Service)

These attacks rely on many end hosts to consume network resources.

The SCO Group attack:
  Attacked www.sco.com on December 10, 2003.
  Attacked 3 web servers, an FTP server, and an SMTP server.
  Since the attackers used spoofed IP addresses, IMS was able to observe some backscatter from these attacks.

Conclusion from observation: showed the need for address diversity (having different blocks of many sizes).

Page 27:

The Internet Motion Sensor (Backscatter Diagram from SCO Attack)

Page 28:

The Internet Motion Sensor (Strengths)

IMS' variety of address blocks allows it to find various worms that passive sensors cannot detect.

The payload signature and caching system can save over 100GB of storage per sensor per day!

Page 29:

The Internet Motion Sensor (Weaknesses)

Provides little or no information on threats that depend on application level responses. NetBIOS services require an RPC bind() before being able to do an RPC request(). IMS can detect the RPC bind(), but not the RPC request(), since no application level response was sent.

Requires a relatively powerful machine: an x86 machine with at least 1GB RAM. [1]

[1] From the Internet Motion Sensor FAQ site: http://ims.eecs.umich.edu/faq/index.html

Page 30:

The Internet Motion Sensor (Suggestions for Improvement)

Find a way to get information on threats that depend on application level responses.

Get IMS to fully learn the behavior of worms so it can automatically develop patches.

Page 31:

The Internet Motion Sensor (Conclusion)

The IMS uses a variety of blackhole sensors of various sizes to track, characterize, and measure threats.

It can detect various types of threats that passive sensors can't detect!

It would be great to run if you have a relatively powerful computer!