Analysis of Attacks towards Turkish National Academic Network

Transcription

1 Analysis of Attacks towards Turkish National Academic Network Murat SOYSAL, Onur BEKTAŞ Abstract Monitoring unused IP address is an emerging method for capturing Internet security threads. Either an attack or a mis-configuration could generate network traffic towards the unused IP blocks of a network segment. This paper summarizes the method for ascertaining the attacks towards Turkish National Academic Network by the use of modified version of Blackhole concept. In this method Blackhole traffic is captured by using Honeypots and analyzed by using IP header information. The attacks are classified based on source IP address, originating country, operating system and destination port. Moreover, captured traffic originating from Turkey is further evaluated in order to characterize distribution of attacks among the Turkish Internet Service Providers. Index Keywords Terms Blackhole monitoring, Honeypot, network security, ULAKBIM, ULAKNET I. INTRODUCTION he security of the national and personal information Tresources has become more important with the expansion in the use of the internet and the increase in the number of applications such as e-government and electronic banking applications. Moreover, the increase in the number of cyber attacks and cyber terrorism have been threatening especially the security of the national information resources. These circumstances have emerged the urgent establishment of the Computer Security Incident Response Teams. Urged by necessity, Ulak-CSIRT, ULAKNET Computer Security Incident Response Team, has been established in the constitution of the National Academic Network (ULAKNET). ULAKNET, managed by Turkish Academic Network and Information Center (ULAKBIM) [1], provides network connectivity of universities and research institutes with similar institutions in Turkey and abroad. For ULAKBIM to provide services in order to be able to fulfill its primary duties there is a need for a high-speed reliable backbone and external connections. The main goal of ULAKBIM is to provide network services always one step ahead of the expectations of its users, made up of 100,000 academic personnel and more than 2.2 million university students. ULAKBIM is a partner of GÉANT2 and ULAKNET backbone is interconnected with the trans-european Research Manuscript received November 10, M. Soysal. is with the Turkish Academic Network and Information Center (ULAKBIM), Ankara, Bilkent, phone: ; fax: ; msoysal@ulakbim.gov.tr O. Bekta. is with the Turkish Academic Network and Information Center (ULAKBIM), Ankara, Bilkent, onur@ulakbim.gov.tr Network GÉANT2 with 2.5 Gbps capacity and an upgrade on this link is in process. ULAKNET backbone consists of three PoPs located in Ankara, Istanbul and Izmir and the backbone links are 1 Gbps, 500 Mbps and 500 Mbps accordingly. The CERT/CSIRT units are mainly established in the constitutions of well-organized and superior enterprises managing big networks [2]. Ulak-CSIRT (Computer Security Incident Response Team) is responsible for preventing the potential security violation of external networks to ULAKNET. Ulak-CSIRT also aims ascertaining the attacks and the people in charge and in the same way, preventing the attacks of ULAKNET to the outside world and if there is an attack, ascertaining the people in charge of the attack and sharing the information with the administrators of this network [3]. The method developed in this study is based on Blackhole concept and employs Honeypots in the scope of ascertaining the attacks towards ULAKNET mission of Ulak-CSIRT. In ordinary usage, Blackholes, from a network security perspective, are placed in the network where traffic is forwarded and dropped. Systems that monitor unused address space have been called Blackholes [4], darknets [5], network telescopes [6] or Sinkholes [7] and have been under investigation for a long time. Honeypots are kind Intrusion Detection Systems which emulates vulnerable systems or services to attract interest of intruders [8]. ULAKNET Blackhole Attack Detection System includes a Blackhole application based on ULAKNET unused IP blocks and the traffic forwarded to this system is received by a Honeypot. Inclusion of the Honeypot encourages the intruders to continue their attacking behavior which facilitates security experts analyzing the attacks deeper. Whereas, with single stand Blackholes security experts have limited capabilities since the traffic is directly dropped. Although there are some researches in literature focusing on the use of Honeypots in Blackhole applications, implementation in large scale networks is still a challenging study due to the great amount of data required to be analyzed. In addition, ULAKNET Blackhole Attack Detection System is a unique study in Turkey in this scale up to our knowledge. Moreover, our study represents national scale findings since it analyzes the attacks towards whole national academic network. These findings contribute to the analysis of attacks toward Turkey with interesting results such as the most attacking countries, the most attacking Operating Systems, the mostly attacked ports, etc. 126

2 II. ULAKNET BLACKHOLE ATTACK DETECTION SYSTEM A. Blackholes Blackholes, from a network security perspective, are placed in the network where traffic is forwarded and dropped. Once an attack has been detected, blackholing can be used to drop all attack traffic at the edge of an Internet Service Provide (ISP) network, based on either destination or source IP addresses. Blackholes are used for monitoring unused Internet space to characterize security threats. Systems that monitor unused IP address space have been called Blackhole monitors [4], darknets [5], network telescopes [6] and Sinkholes [7]. Blackholes are capable of identifying configuration errors, routing problems [9], denial of service attacks (DoS) [10], [11], Internet worms [12], [13], [14], [15] and botnets [4]. There are some primitive results even from IPv6 Blackhole applications [16]. B. Capturing and Analyzing Attacks The Blackhole concept is adapted to detect the attacks by the help of unused IP blocks among ULAKNET. The following IPv4 address blocks are assigned to ULAKNET in Ripe Database [17]: / / / /17 ULAKBIM assigns sub-blocks of these four IP blocks to the nodes of ULAKNET, using its Assignment Window, and routes the traffic destined to these sub-blocks to the related node according to these assignments. On the other hand, some sub-blocks are currently not assigned to any node and consequently, nominated as unused IP blocks of ULAKNET. Any network packet whose destination address is in one of the unused IP block ranges belongs to either a malicious activity or a mis-configured traffic. The ULAKNET Blackhole application is mainly based on capturing and analyzing this kind of traffic. We used a very simple rule of routing to capture this traffic: The priority of the specific routes over the general ones. First, all four huge IP ranges assigned to ULAKBIM are routed to a ULAKNET Blackhole. ip route ip route ip route ip route Since the smaller blocks assigned to the nodes have more specific entries in the routing tables of backbone routers, they are issued first. All packets having a used IP address as a destination address are distributed to the related nodes. Then, the rest is captured by Blackhole. After capturing these packets the analysis is done according to the research interests. We assumed that if the captured packets belong to a malicious activity, this is mainly a scan before the actual attack since the destination is not a real victim with a valid IP address. Therefore, we decided to identify the distribution of these hosts according to the ISP hosting the attacker, the country the attacks come from, the destination ports scanned. This information could easily be gathered from the IP header part from the packets, so the deep packet inspection tools are not used in this study. Employing such a tool to identify the attack type more preciously and in more detail was another option, but it will not be cost effective since the captured packets probably belong to the only the scan part. Besides, as the number of packets towards the Blackhole increases, real time deep packet analysis of traffic gets more difficult. Honeyd [18] is used to gather information from the IP header part of the captured packets. Although honeyd is classified as low interaction honeypot it has advanced features like faking operating system probe scanners. Simplicity, human readable logs and familiarity are the main concerns while choosing honeyd. Honeyd creates a flow log for all connections request captured. Example log file includes the following lines: :00: tcp(6) S [Windows XP SP1] :00: tcp(6) E : :00: udp(17) : 30 Fields in the Honeyd log file can be interpreted as follows: The first field contains the timestamp of event The second field lists the protocol like tcp, udp etc. The third field may either be : o S start of a new connection o E end of a connection (Honeyd logs the amount of data received at the end of line) o Packet does not belong to any connection. Third field is four tuple of connection in the order of source IP, source port, destination IP and destination port. Honeyd also logs operating system (OS) of the attacker at the end of the line if it can be identified via passive fingerprinting. C. Classification of Attacks In this section, the methodology which is used to classify the attacks will be explained. The attacks are classified according to the ISP which the attacker belongs to, the 127

3 D. Reporting All the classification results are visualized in a graphical manner and shared via Ulak-CSIRT web page [21]. The graphs include statistics such as the most attacking ULAKNET node, the most attacking countries and the most attacking IP address. This information is publicly published to enable all security teams to identify the most active attackers targeting Turkish Academic Network. Further details are available up on request, since public share could result in more security holes. Figure 1. Source IP based on analysis country the attacks come from, the destination ports scanned and the operating system used by the a The classifications based on the des directly gathered from the honeyd log source IP information is further proce hosting the attacker and the country This process is given in Figure 1 as a f III. RESULTS In this section the classification results of the attacks captured during June 2008 will be given. The log file processed exactly belongs to 30 days. The log file has an approximate size of 18 Gigabytes and over 233 Million lines. The total number of unique IP addresses in the log file is of these unique IP addresses belongs a significant number for our internet plication identified 50k compromised rkish ISP during one month. ng IP addresses In the first step, the country which t identified by using an open source [19]. GeoIP is a geographical loca mainly used to gather geographical Internet visitors in real-time. An query/result pair is given below: Query: Result: [root@blackhole]$ geoiploo GeoIP Country Edition: US, In step 2, country origin is determin Turkey are classified using Ge membership information [20] is use Turkish Local Internet Registers (LIR) and their IP ranges. At step 3 and 4, Turkey originated IP addresses are further classified as ULAKNET and the others. To accomplish this task, membership list further filtered based upon the registry base of LIR s. A LIR is added to Turkish LIR s List if its registry base is in Turkey. Attacks from Turkey are classified according to the ISPs hosting the attacker.. The last classification is made on the attacks coming from ULAKNET nodes. Most of ULAKNET nodes use the IPv4 blocks assigned by ULAKBIM, so it is easy to identify the node owning a source IPv4 address from the local databases. In addition, some nodes of ULAKNET have their own AS numbers and IPv4 addresses assigned directly from RIPE (e.g. METU, ITU). The local database is updated to include all IPv4 addresses used among ULAKNET. ng IP Addresses Attacking IP Addresses is one of the n network security point of view. This list could be used for dynamically generating Access Control Lists for filtering the most active attackers at the edge of backbone. After detecting IP address, traffic can also be redirected to deep packet intrusion detection systems (IDS) to analyze attack in depth. By using this method load on IDS can be reduced. B. The Most Attacking Countries Another type of classification on the attackers is made according to the countries they belong to. This information became much more important after the examples of cyber wars following the conflicts between some countries during The results in Figure 3 show the ranking according to the sum of all packets received from the attacking country. 128

4 remote shell access. Its ranking indicated that ssh probes are the most common attack type performed against Unix derivatives. Figure 3. Top Ten Attacking Countries Evaluations on the Top Ten Attacking Countries revealed that summing all the packets would mislead the ranking. A single host scanning the ports of another single destination could burst the country rank. A revise by counting all the traffic between dis IP pairs as single hit and result is g comparison of Figure 3 and Figure 4 s biased by the Polish hosts identified fro Figure 5. Top Ten Attacked Ports D The Most Attacking Operating Systems to identify the Operating System used ult of the attacker OS evaluation is as nce most of the internet users are using ating system has more than 70% share Figure 4. Top Ten Attacking Countries Revised ng OS C. The Mostly Attacked Ports The Top Ten Attacked Ports is giv information is valuable since some of the attacks could be identified according to these ports. In addition, the list of the mostly attacked ports is heavily used by network administrators to secure their network by simply blocking the probes to these ports. A dramatic result from this evaluation is the high share of Port 1433 which is commonly used by Microsoft's SQL server. Two MSSQL worms in May 2002 and January 2003 exploited several known MSSQL flaws [22]. The mostly attacked ports evaluation shows that the scan on this port still has a great amount of activity on Internet. Another interesting result is observation of port 1026 and 1027.These ports are used by Microsoft Windows messaging system which is designed for use by system administrators to notify users about their networks. Nevertheless, spammers use this service to send advertisements [23]. Port number 22 is used for SSH protocol which is used in Unix derivatives for encrypted his evaluation could be the 18% share ount of the open source attacking tools are available and Linux is feasible platform for running and improving such tools, a special attention to these attacks are paid. Linux can be used as server operating system. Thus, detection of Linux as attacker OS can be the indication of the more severe security problems like the compromise of DNS or SMTP servers. As a result, if detected OS is a server operating system it should be investigated more closely. E. Special analysis on the attackers from Turkey A novel result of this study is based on evaluating the attacks originating from Turkey. This is the first time in literature such a classification is given. 129

5 Figure 7. Top Ten Turkish ISPs The Turkish ISP ranking is given with two different evaluations similar to the Most Attacking Countries is section III.B. Figure 9. Top Ten Attacking ULAKNET Members Attacks were counted as a single hit if source and destination addresses are distinct. IV. CONCLUSION In this paper, ULAKNET Blackhole Attack Detection analysis methodology have been dings of the system for a one month d. It is also verified that even if the analyzed only in IP header level, an be gained about the attacks towards. Figure 8. Top Ten Turkish ISPs Revised It should be noted here that ULAK considerable amount of the attacks gath This is mainly based on the worm tra nearby hosts. A worm uses the sou subnet mask to discover the nearby related ports. The lead of Turk Telekom is an ex high share of the ISP in the market. rank of other ISPs could be beneficial f these ISPs to evaluate their position according to their competitors in the market. F. The Most Attacking ULAKNET members Since attack ranking of ULAKNET members are visualized and shared via Ulak-CSIRT web page on daily and hourly basis, only one month summary is given in Figure 9. e Blackhole can be the result of either ation error. The results of the detailed due to the attacks are presented in this AKNET Network Operations Center ork administrator of the ULAKNET general vision on the security threads cademic Network with the findings of the analysis over Blackhole data are nuously and results are updated in from ULAKNET nodes are further IRT to improve the security level in fying the compromised machines in s identification is automatically turned into security incident by a trouble ticketing system and the system informs security contact point of the node. Severity levels are assigned to each incident with time limits to investigate and resolve the attack. Two configuration errors causing network traffic towards Blackhole are also discovered in this study. In the first case the Akamai servers, hosted in ULAKBIM and providing the content delivery services to ULAKNET, were discovered to distribute traffic to Blackhole due to BGP routing problem. The second problem was discovered by the real time monitoring of port anomalies. A configuration error in the DNS server of one of the ULAKNET nodes resulted in excessive amount of traffic to port 53 of an unused IP address ( ). This anomaly was detected by the help of Blackhole Destination Port Daily Analysis. The 130

6 administrator of the node was informed to update the configuration of DNS server and enter the correct IP address ( ) to use ULAKBIM DNS forwarder service. This update prevented nodes DNS server from forwarding all uncached DNS queries to Blackhole. Blackhole system also detected considerable amount of traffic originated from unassigned ULAKNET IP addresses which is a clear indication of IP spoofing. Ulak-CSIRT published a recommendation including technical details of IP spoofing and ingress filtering as a possible solution as a result of this observation. [16] M. Ford, J. Stevens, J. Ronan, Initial Results from an IPv6 Darknet Internet Surveillance and Protection, in International Conference on Volume, Issue 2006, pp: [17] RIPE network coordination centre, [18] Honeyd virtual honeypot, [19] Geoip Geolocation IP finder [20] Local Internet Registries offering service in Turkey. Available: [21] ULAKNET honeypot statistics, [Online]. Available: [22] Port 1433 details, [Online]. Available: [23] Disabling Messenger Service in Windows XP, [Online]. Available: m.mspx In the future the efficiency of a Blackhole system can be improved by increasing the number of sensors. Moreover, if universities deploy their Blackhole systems monitored data can correlate together to produce better results. Another enhancement can be made by analyzing Blackhole traffic with the deep packet inspection tools. For example Honeynet can be used for this kind of purposes. REFERENCES [1] ULAKBIM The Turkish Academic Network and Information Centre, [2] RFC 2350, Expectations for Computer Security Incident Response. [3] Ulak-CSIRT, Turkish Academic network and information center Computer Security Incident Response Team, [4] Dug Song, Rob Malan, and Robert Stone, A snapshot of global Internet worm activity, presented at the FIRST Conference on Computer Security Incident Handling and Response, June [5] Team Cymru. The darknet project [Online]. Available: November [6] David Moore, Colleen Shannon, Geoffrey M. Voelker, and Stefan Savage, Network telescopes, Technical Report CS , UC San Diego, July [7] Barry Raveendran Greene and Danny McPherson, Sinkholes: A swiss army knife isp security tool,, June 2003 [Online]. Available: [8] The Honeynet Project, Know Your Enemy : Learning about Security Threats, (2nd Edition), Pearson Education. [9] S. Soltani, S. A. Kyaham, H. Radha, Detecting Malware Outbreaks Using a Statistical Model of Blackhole Traffic, in Proc. IEEE International Conference on Communications, Beijing, 2008, pp [10] David Moore, Geoffrey M. Voelker, and Stefan Savage, Inferring Internet denial-of-service activity, in of the Tenth USENIX Security Symposium, Washington, D.C., August 2001, pp [11] Evan Cooke, Michael Bailey, Z. Morley Mao, David Watson, and Farnam Jahanian, Toward understanding distributed Blackhole placement, in of the 2004 ACM Workshop on Rapid Malcode (WORM-04), New York, Oct ACM Press. [12] Michael Bailey, Evan Cooke, David Watson, Farnam Jahanian, and Jose Nazario, The Blaster Worm: Then and Now, IEEE Security & Privacy, 3(4):26 31, [13] David Moore, Vern Paxson, Stefan Savage, Colleen Shannon, Stuart Staniford, and Nicholas, Weaver. Inside the Slammer worm, IEEE Security & Privacy, 1(4):33 39, 2003 [14] Colleen Shannon and David Moore, The spread of the Witty worm, IEEE Security & Privacy, 2(4):46 50, July/August [15] Colleen Shannon, David Moore, and Jeffery Brown, Code-Red: a case study on the spread and victims of an Internet worm, in of the Internet Measurement Workshop (IMW), December