1.2.3.4 - DEF CON Media Server
Transcription
1.2.3.4 - DEF CON Media Server
Examining the Internet s Pollution! Karyn Benson! kbenson@cs.ucsd.edu! 2 https://www.reddit.com/r/AskReddit/comments/2pjsf9/garbage_men_of_reddit_whats_the_most_illegal/ People throw out interesting and valuable items 3 http://www.owensworld.com/funny-pictures/vehicles/2-cars-dumpster This talk: what sort of interesting and valuable information can we find in the Internet s trash? 4 About me • I studied Internet trash for the last 4 years of my PhD • Before grad school: wrote intrusion detection software 5 Outline • What is Internet trash? • How can we collect trash? • Data for this presentation • Interesting and valuable items found in trash • Conclusion 6 What is Internet trash? • Unsolicited packets • Passively captured • Also called Internet Background Radiation (IBR) 7 Traffic: Scanning • Searching for hosts that run a service 8 Traffic: Backscatter • Host responds to forged packets From: 1.2.3.4 To: 3.3.3.3 Attacker SYN 7.7.7.7 Victim 3.3.3.3 1.2.3.4 9 Traffic: Backscatter • Host responds to forged packets From: 3.3.3.3 To: 1.2.3.4 SYN-ACK Victim Attacker 7.7.7.7 3.3.3.3 1.2.3.4 10 Traffic: Misconfiguration • Host erroneously believes that a machine is hosting a service DNS Servers: 5.5.5.5 6.6.6.6 1.2.3.4 X 11 Traffic: Bugs • Software errors cause packets to reach unintended destinations DNS Servers: 4.3.2.1 To: 1.2.3.4 DNS Query 1.2.3.4 12 Traffic: Spoofed • Hosts forge their IP address to make it appear as though it originates from a different source From: 2.2.2.2 To: 1.2.3.4 SYN 3.3.3.3 1.2.3.4 13 Traffic: Unknown • Traffic produced for an unknown purpose • TCP SYN to non-standard port • Encrypted UDP packets • UDP with unknown payload 6:00:06.000065 IP 111.248.55.49.51956 > 1.16.56.246.7605: UDP, length 19 0x0000: 4500 002f 6c48 0000 7011 ---- 6ff8 3731 E../lH..p..Fo.71 0x0010: 0110 38f6 caf4 1db5 001b 8298 7133 0f00 ,.8.........q3.. 0x0020: 643e c2d4 2cf5 42b5 810f 7f01 5344 1e d>..,.B.....SD. 14 How can we collect trash? 15 How to collect unsolicited traffic • Honeypots: Setting up machines that are purposefully infected with malware 1.0.0.0 16 How to collect unsolicited traffic • One-way traffic: Record any packet without a response 1.0.0.0 1.0.0.4 BGP: 1.0.0.0/24 1.0.0.33 1.0.0.97 1.0.0.133 1.0.0.208 Destination Rule Any without response Write packet to storage 17 How to collect unsolicited traffic • Greynet: Record traffic destined to any unused IP address 1.0.0.0 1.0.0.4 BGP: 1.0.0.0/24 1.0.0.33 1.0.0.97 1.0.0.133 1.0.0.208 Destination Rule 1.0.0.[0,4,33,97,133, 208] Route to destination All others in 1.0.0.0/24 Write packet to storage 18 How to collect unsolicited traffic • Covering prefix: Record any packet destined to an unused subnet 1.0.0.1 1.0.0.9 1.0.0.31 1.0.0.63 1.0.0.127 BGP 1.0.0.0/24 1.0.0.17 Destination Rule 1.0.0.0/25 Route to destination 1.0.0.128/25 Write packet to storage 19 How to collect unsolicited traffic • Network telescope: Announce unused addresses and record all traffic BGP: 1.0.0.0/24 Destination Rule 1.0.0.0/24 Write packet to storage 20 We use network telescopes to easily study macroscopic behaviors Pros: Honeynet Scalability Ease of implementation One-way traffic Fewer privacy concerns Greynet Cons: Lack of in-depth details Covering prefix Avoidability Network telescope 21 Data used in this presentation 22 Our method of obtaining trash : Network telescopes • Multiple large (academic) network telescopes • Currently capturing ~5TB compressed pcap per week • Historical: traffic since 2008 Scanning, misconfigured, buggy or under attack host 23 IBR is pervasive: We observe traffic from many diverse sources • Removed spoofed traffic. Method: [CCR 13] Total ~July 2013 Percent BGP Announced IP addresses 133M 5% /24 blocks 3.15M 30% Prefixes 205k 45% ASes 24.2k 54% Countries 233 99% 24 IBR is persistent: We observe a large number of sources over time • Removed spoofed traffic. Method: [CCR 13] Spamhaus Attack 25 Interesting and valuable items found in Internet trash 26 Network telescopes capture a wealth of securityrelated data • Scanning: Trends and relation to vulnerability announcements • Backscatter: Attacks on authoritative name servers • Misconfigurations: BitTorrent index poisoning attacks • Bugs: Byte order bug in security software • Unknown: Encryption vs. obfuscation 27 Network telescopes capture a wealth of securityrelated data • Scanning: Trends and relation to vulnerability announcements • Backscatter: Attacks on authoritative name servers • Misconfigurations: BitTorrent index poisoning attacks • Bugs: Byte order bug in security software • Unknown: Encryption vs. obfuscation 28 Methodology • Used Bro s parameters: IP is considered a scanner if it sends: • Packets to 25 different network telescope IP addresses • Same protocol/port • Within 5 minutes • Results depend on size of network telescope • Doesn t capture super stealthy scanners (e.g., [Dainotti et al. IMC 12]) 29 Scanning: 2008-2012 • Conficker dominates Conficker Outbreak Packets IPs 30 How do we know which packets originate from Conficker? • Bug in PRNG: primarily targets IP addresses {A.B.C.D | B <128 & D < 128} • Developed heuristic to identify sources randomly scanning with this bug Missing data 31 How do we know which packets originate from Conficker? • Bug in PRNG: primarily targets IP addresses {A.B.C.D | B <128 & D < 128} • Developed heuristic to identify sources randomly scanning with this bug Conficker discovered No Conficker Expected 32 How do we know which packets originate from Conficker? • Bug in PRNG: primarily targets IP addresses {A.B.C.D | B <128 & D < 128} • Developed heuristic to identify sources randomly scanning with this bug • Some evidence of a testing phase prior to discovery Conficker discovered First day: 2 IPs in" Guangdong Province, China No Conficker Observed 33 Scanning Post 2012 • Conficker is dying out • Port 23 (telnet) is popular Packets IPs 34 Scanning Post 2012 • Conficker is dying out • Port 23 (telnet) is popular Packets Carna Botnet IPs 35 http://internetcensus2012.bitbucket.org/paper.html Scanning Post 2012: Scans of TCP/443 following Heartbleed vulnerability announcement 36 Scanning Post 2012: Scans of TCP/5000 prior to Akamai report of UPnP used for DDoS attacks 37 https://www.akamai.com/us/en/about/news/press/2014-press/akamai-warns-of-upnp-devices-used-in-ddos-attacks.jsp Network telescopes capture a wealth of securityrelated data • Scanning: Trends and relation to vulnerability announcements • Backscatter: Attacks on authoritative name servers • Misconfigurations: BitTorrent index poisoning attacks • Bugs: Byte order bug in security software • Unknown: Encryption vs. obfuscation 38 Preventing access to websites via attacks on authoritative name servers Legitimate host DNS server 1. DNS Query 4. DNS Response 5. HTTP GET 3. Response to Recursive DNS Query Webserver 2. Recursive DNS Query Authoritative NS 39 Reference: https://www.nanog.org/sites/default/files/nanog63-dnstrack-vannice-ddos.pdf Why we see some of these attacks: open resolvers From: 1.2.3.4 DNS Query Spoofer 5.6.7.8 1.2.3.4 Open Resolver Authoritative NS 40 Why we see some of these attacks: open resolvers Recursive DNS Query Spoofer 5.6.7.8 1.2.3.4 Open Resolver Authoritative NS 41 Why we see some of these attacks: open resolvers Spoofer 5.6.7.8 Open Resolver Response to Recursive DNS Query 1.2.3.4 Authoritative NS 42 Why we see some of these attacks: open resolvers To: 1.2.3.4 DNS Response Spoofer 5.6.7.8 1.2.3.4 Open Resolver Authoritative NS 43 We infer more open resolvers as a result of an increase in DNS traffic IPs IBR ~July 2013 3.4k IBR ~Feb. 2014 1.56M Same open resolvers used Very few open resolvers before Jan 29, 2014 44 But the number of open resolvers we see is much less than active probing IPs IBR ~July 2013 3.4k IBR ~Feb. 2014 1.56M Open Resolver Project ~Feb. 2014 37.6M Same open resolvers used Very few open resolvers before Jan 29, 2014 45 The open resolvers we observe are used in DoS attacks... and it s working IPs OPCODE: OPCODE: OK SERVFAIL Problem with the (authoritative) NS IBR ~July 2013 3.4k 3.0k 148 IBR ~Feb. 2014 1.56M 1.44M 1.45M High number of errors Open Resolver Project ~Feb. 2014 37.6M 32.6M 0.92M Low number of errors 46 Queried domains • First day: queries for baidu.com --- likely testing phase • Data from first month of activity. We still observe the attack. 020sf.com 024web.net 027dz.com 028xkj.com 029sms.com 02gd.com 0319pk.com 03lcq.com 052000.com 0538hj.com 0571video.com 059sem.com 0769cg.com 0769ff.com 08ws.com 111da.com 1188008.com 1234176.com 139hg.com 167uc.com 16888china.com 173pk.com 176cc.com 176dd.com 176gj.com 176kw.com 176l.com 176mm.com 176xq.com 17c.cc 180xp.com 184sf.com 185jxcq.com 191cq.com 19jy.com 201314baidu.com 202aaa.com 236899.com 24ribi.com 250hj.com 266mi.com 269sf.com 2kkx.com 3000sy.com 300eeee.com 300llll.com 300ssss.com 303aaa.com 303bbb.com 30gg.com 316ms.com 321xy.com 360362.com 365ddos.cn 369df.com 38db.com 38za.com 3gabn.com 3kkx.com 3q518.com 3t33.com 4000123046.com 40cqcq.com 442ko.com 4z1s.info 500sf.com 512312.com 513wt.com 515kkk.com 51aidi.com 51rebeng.com 51yjzs.com 520898.com 520sfyx.com 525mk.com 52ccx.com 52ssff.com 531gou.com 555fz.com 567uu.com 56bj56.com 5ipop.net 5kkx.com 600dddd.com 60sf.com 616162.com 63fy.com 666hf.com 68yb.com 6ee.com 6g5b.info 6kkx.com 6ksf.com 700rrrr.com 72play.com 72sm.com 74486.com 76489.com 766mi.com 767hh.com 76wzw.com 76yxw.com 775gg.com 778ff.com 787ok.com 799mi.com 7afa.com 7s7ss.com 800liao.net 800nnnn.com 800oooo.com 800uuuu.com 815quan.com 81hn.com 81ypf.com 82hf.com 83uc.cn 83wy.com 84822258.com 85191.com 87145.com 87xn.com 885jj.com 886pk.com 8885ok.com 900eeee.com 909kkk.com 910pk.com 911aiai.com 911gan.com 911ii.com 911mimi.com 911sepian.com 911xi.com 911xu.com 911yinyin.com 915hao.com 919uc.com 926.com 92xiaobao.com 933fg.com 940945.net 97pc.net 980311.net 981118.com 98989833.com 991816.com 998.co 999qp.net 99hcq.com 99ktw.com 99mzi.com 99ting.com 99wf.com 9aq.com 9kanwo.com 9kf.com 9zny.com a6c5.com akadns.net aliyuncs.com amdxy.com appledaily.com.hk appledaily.com.tw arx888.com asxkmy.com atnext.com aws520.com b166.com badong123.com bbidda.com bbjck.com bbs117.com bdaudi.com bdhope.com betboy.cc betboy.hk betboy.tw bettykid.com bjts168.com boeeo.com booooook.com bw176.com byfire.net cc176.com cck168.com ccskys.com cd519.com cdhydq.com cdjbg.com cdxgy.com cg1314.com cgxin.com chinahjfu.com chuansf-1.com chuansf.com ck1997.com clntwr.com cm0556.com cn191.com cn948.com comedc.com cp375.com cq520.com cqqhjgj.com cs912.com ct0553.com ct176.com ctysy.com cxmyy.com dama2.com daqinyy.com disshow.com dmmjj.com dnsabc.com dt176.com dudu176.com dw173.com dytt8.net e0993.com e5e566.com edgesuite.net faahaa.com fen-sen.com fg9999.com fjhzw.com fu180.com furen88.net fw10000.com fzl4.com gbdzd.com gegegan1.com gegequ.com go176.com gotocdn.com guangyuchina.com gx911.com h5acg.com had1314.com hao9458.com haocq99.com haosf3165.com haosf86.net hcemba.com hcq180.com hcq99.com hcqmir.com he09.com heblq.com henhenlu.com hf600.cn hi0762.com hi182.com hj19.com hj321.com hkdns-vip.com hl176.com hlm53.com hn179.com hnart123.com hndc114.com hqsy120.com hscmis.com htbdcn.com huaxia76.com hw166.com hyh588.com hz96.com icheren.net iidns.com iinfobook.net jc0633.com jccjk.com jd176.com jdgaj.com jdlcq.com jdyyw.com jeeweb.net jf086.com jh219.com jiaduolu.net jiayun588.com jn176.com jrj001.com jshgl.com jt1216.com jx116.com jx8111.com k9080.com kd5888.com kp811.com kr5b.com kx2014.com laocq.com laocq180.com laosf180.com laowz176.com laoyou999.com lcjba.com lcq170.com liehoo.net like400.com lmh176.com love303.com lpp176.com lsr176.com luse0.com luse1.com luse2.com luse3.com luse4.com luse5.com luse6.com luse7.com luse8.com luse9.com lwfb800.com lxt998.com lygfp.com lyxyqp.com lz9999.com m2bd.pw m3088tv.com manyefs.com mir108.com mir1860.com mir86.com miryy.com mly555.com mm5ii.com ncmir.com net0335.com nextmedia.com nnlrw.com onaccr-cn.com p0757.com pao176.com ph268.com pk8558.com pksf08.com puhup.com purednsd.com purevm.com px518.com q1.com qfqcc.com qhdflkmc.com qianliri.com qingfeng180.com quanben.com qy176.com rp1704.com rq180.com s6s5.com salangane-books.com scktsj.com sdcsnk.com sdjlh.com seluoluo2.com seluoluo3.com seoeee.com sf117.com sf123.com sf665.com sf717.com sg500.com sh1099.com sheshows.com sinaapp.com skcq.net sl139.com sp176.com ssthjy.com sytcqy.com szchscm.com tangdefenghuang.com tg180.com tianmao76.com tjldktv.com txj880.com tz176.com vip78.cn w78z.com w8best.com wan26.com wancantao.net wanfuyou.com wb123.com wfbaby.net wn176.com wotebang.com wsn88.com wy176.com wyb.name wysss.com wz.com x5wb.com x7car.com x7ok.com xhzssj.com xia00.com xiaolongcq.com xiaoyx123.com xie139.com xin2003.com xjliuxue.cn xtj123.com xx2pp.com xxxoooo.com xxyl100.com yeyelu0.com yeyelu9.com yg521.com yh996.com yifeng2012.com yinquanxuan.com youcai667.com ysbxw.com yshqq.com ysmir.cn ytwtoys.com ytz4.info yuhuakonggu.com yw110.com yw119.com yx5881.com yy188.com yy698.com yzrjy.com yzypp.com zbtlw.com zc911.com zgtx168.com zhao106.com zhaoil.com zhaoqjs.com zhizunfugu.com zinearts.com zongzi0898.com zst0510.com zuyu1.com zxj02.com zxw198.com 052000.com 422.ko.com 51pop.net 5rxe.info 999.net.ru baidu.com bb0575.com gb41.com geigan.org lhy716.com sz-xldrhy.com wgduznyw.ga wo135.com. zbtlw.com. zgvqtnrc.ga Example Registration Info: Domain Name:029sms.com ... Updated Date:2014-02-14 14:55:38 Creation Date:2014-02-14 14:55:38 ... Registrant Street:hkjhkjhjkhjkRegistrant City:Beijing ShiRegistrant State/ Province:Beijing ShiRegistrant Postal Code:333333Registrant Country:ChinaRegistrant Phone: 11111111Registrant Phone Ext:Registrant Fax:11111111 47 Network telescopes capture a wealth of securityrelated data • Scanning: Trends and relation to vulnerability announcements • Backscatter: Attacks on authoritative name servers • Misconfigurations: BitTorrent index poisoning attacks • Bugs: Byte order bug in security software • Unknown: Encryption vs. obfuscation 48 BitTorrent index poisoning attacks induce many hosts to send IBR • Index poisoning: purposefully inserting fake information into the DHT To: DHT Where can I get a torrent? BITTORRENT DHT ! 49 BitTorrent index poisoning attacks induce many hosts to send IBR • Index poisoning: purposefully inserting fake information into the DHT Torrent Location: 1.2.3.4 BITTORRENT DHT ! 50 Popular Torrents in IBR - July 2012 hash Torrent Packets 48484fab5754055fc530fcb5de556 4651c4ef28f" Grand Theft Auto - Chinatown Wars 450k 5b5e1ffa9390fff13f4af2aef9f58 61c4fbf46eb" Modern Family S3E22 398k d90c1110a5812d9a4bf3c28e27 9653a5c4f78dd1" CSI S12E22 204k 2ecce214e48feca39e32bb50df cf8151c1b166cc" Coldplay Ft. Rhianna Princess of China 187k 79f771ec436f09982fc345015fa 1c1d0d8c38b48" ??? 129k b9be9fc1db584145407422b09 07d6a09b734a206" Parks and Recreation S4E22 127k 99a837efde41d35c283e2d9d7 e0a1d4a7cd996dd" Missing 2012 S1E9 106k 7b05b6b6db6c66e7bb8fa5aa7 0a185c7cfcd3d07" ??? 104k c0841cf3196a83d1d08ae4a9e af10fcfc6c7ba66" Big Trouble Little China 99k 99dfae74641d0ca29ef5238607 13a6270daefc6e" 36 China Town 91k 51 Popular Torrents in IBR - July 2013 hash Torrent Packets f7eb38b830ec749f43cf3df20dbc2 bf2c99fad97" Sette Anni in Tibet 2,356k 6ec64cb88937418d6af29fca6d 017e0c658654b7" 高清 光720P版BD-RMVB.中字 912k f90cb027174c2af3c5b838be09 a62ff16d6c2ef5" 美 生 TC英 中字.rmvb 845k fedcf797109c7929558d069602 ac6fab0b46e814" Halo 4 Until Dawn 735k 3b508d09e9c4677b2f67683a9 dde2d5ce0b2aa24" soh 360 580k 1254bb23d1a04447cb67bc047 9549a504d083c31" Her Sweet Hand China Lost Treasure 539k 48484fab5754055fc530fcb5de 5564651c4ef28f" Grand Theft Auto - Chinatown Wars 489k b9be9fc1db584145407422b09 07d6a09b734a206" Parks and Rec S4E22 482k 93efed3aa07e7523d5c4e42f02 57f9aa8d5011c3" Dajiyun 431k 039a07b38de4529c477f3b756 98937e9c5d4acd6" ntdvt news 325k 52 BitTorrent: Temporal aspect • Unclear why fewer /24 blocks are observed • But pausing attack is a possible explanation /24 BLOCKS (FROM BT) PER Hour 2012 53 BitTorrent: Spatial aspect • /24 blocks sending BitTorrent KRPC packets are more likely to be observed by certain destination IPs and ports • get_peers and find_node packets: certain IP addresses more likely to be targeted : {X.B.C.D| B & 0x88 = 0x00 and D & 0x09 = 0x01} • A bug in PRNG for generating IP addresses is a plausible explanation 54 July 2015: Huge increase in BitTorrent traffic • Graph: BitTorrent KRPC packets • Increase is caused by traffic destined to 1 IP => traffic from over 3.7M /24s per month • Still going on... not sure of all the details yet 55 Investigating July 2015 increase in BitTorrent IBR • Installed two BitTorrent clients on one machine (uTorrent, Deluged) • Just joined DHT didn t download any torrents • ~2.5 months: Nov. 15 2015 - Jan. 28 2016 • uTorrent: 12 IPs sent 112 packets to a network telescope IP • Deluged: 51 IPs send 64 packets to a network telescope IP • Who directed us to network telescope? • LibTorrent most popular client, but not used exclusively • China most popular geolocation, but not exclusively 56 Suspicious BitTorrent behavior • Most IDs associated with network telescope IP have their third byte equal to 0x04 • Other IP address in response packets occur frequently and have third-byte quirks Sample node IDs Other IP Packets 3rd byte b8:1d:04:ef:96:18:e4:20:6b:c2:8d:1a:31:af:de:7a:81:66:02:56 157.144.153.163 76 from 6 IPs 0x05 bd:23:04:04:e9:5e:f5:a0:10:08:06:95:a3:ab:93:c7:74:f5:a6:58 177.123.230.26 55 from 7 IPs 0x00 52:b1:04:09:49:b4:91:f8:38:e6:c5:06:38:8d:04:8a:50:99:3f:50 212.246.161.63 64 from 7 IPs 0x06 05:b5:04:7e:6a:b8:96:1a:35:07:4e:ae:3e:d3:41:21:95:45:a8:81 217.123.247.72 87 from 4 IPs 0x03 13:28:04:d6:d3:2d:db:c5:07:79:7e:14:27:09:e1:37:e7:7e:25:2f 27.171.198.228 55 from 8 IPs 0x07 13:28:04:a9:5c:2d:82:2f:78:65:54:13:04:6d:b4:10:72:57:8d:5d 90.122.90.178 4 from 3 IPs 0x01 57 Network telescopes capture a wealth of securityrelated data • Scanning: Trends and relation to vulnerability announcements • Backscatter: Attacks on authoritative name servers • Misconfigurations: BitTorrent index poisoning attacks • Bugs: Byte order bug in security software • Unknown: Encryption vs. obfuscation 58 How many sources send us unsolicited traffic? Source IPs per hour 7.0M ???? 6.0M 5.0M BitTorrent 4.0M Conficker 3.0M Outbreak 2.0M 1.0M 0.0M Jan 2008 Jan 2009 Jan 2010 Jan 2011 Jan 2012 Jan 2013 Jan 2014 Jan 2015 59 Responsible payload IP 123.4.253.107.8090 > 1.179.58.115.42501: UDP, LENGTH 30 4500 003A DF4B 0000 2E11 ---- 7B04 FD6B E..:.K......{..K 01B3 3A73 1F9A A605 0026 C0CF 0000 0000 ..:S.....&...... 0000 0000 3100 3D57 0000 0000 0000 0000 ....1.=W........ 0000 0000 287E 02C7 0000 • 8090 is most popular source port • 39455 is most popular destination port Fixed Connection ID Random 6:00:00.083796 0X0000: 0X0010: 0X0020: 0X0030: Counter 60 Lots of hosts from China % BGP Announced Address Space IPs China 101M 36.26% Taiwan 505k 1.45% Malaysia 442k 7.65% USA 324k 0.03% Hong 4 Kong 280k IPs belonging to CS department! 2.75% Japan 186k 0.11% Canada 129k 0.26% Thailand 126k 1.55% Australia 126k 0.31% Singapore 116k 2.16% • August 2013 data 61 Monitoring CS department address space • • Capture 1: 36 hours of traffic in/out of CS department for this packet • CS address space also receives packets • 3 of 4 IPs from CS observed generating this traffic Capture 2: Monitor all traffic to/from these IPs on associated UDP ports 62 Monitoring CS machines • • Packet 1: CS machines 04:40:45.211649 IP 180.153.227.168.80 > 2.239.95.102.10102: UDP, length 1044 0x0000: 4500 0430 0100 0000 ed11 ---- b499 e3a8 E..0......L%.... contact a common IP address: 0x0010: 02ef 5f66 0050 2776 041c b5bd 0414 0350 .._f.P'v.......P 0x0020: 2c00 0000 e469 18ad ab70 9e6c dad1 d5fe ,....i...p.l.... tr-b.p.360.cn 0x0030: c1c5 d3f7 e0cc 674d 0000 3200 0001 11d9 ......gM..2..... Packet 2: CS machines receive a large packet 0x0040: 0x0050: 0x0060: 0x0070: 0x0080: 0x0090: 0x00a0: 0x00b0: 0x00c0: 0x00d0: 0x00e0: 0x00f0: 0x0100: 0x0110: 0x0120: 0x0130: 0x0140: 0x0150: 0x0160: 0x0170: 0x0180: 0x0190: 0x01a0: 0x01b0: 0x01c0: 0x01d0: 0x01e0: 0x01f0: 0x0200: 0x0210: 0001 4233 3732 3232 6784 7146 4342 3139 3131 2711 b6f7 4346 3030 3346 9e52 af0c 4642 3542 3643 271c 6a78 4537 3736 4535 2777 71f9 3836 4434 3137 3b1a 07ad 3937 4334 3134 0044 287a 3035 3441 3537 0144 838b 4541 4536 3935 0144 97d4 4431 3634 3146 0144 7c09 3234 3634 4137 0144 2724 3431 4437 3541 0144 0000 3cf6 3039 4445 3846 153d 718f 4334 3736 4345 2774 b721 4643 3030 3946 0845 1b12 4441 4535 4234 4f7b b623 4637 3030 4337 1f9a dca2 3631 3834 4130 0000 1925 4232 4133 3731 0144 4da1 3645 3334 4539 0144 5ba8 4144 3736 3844 0144 880f 4333 3832 4333 0144 c1cc 3042 4330 3037 0044 f7ac 3742 4634 3638 3538 1f9a 7756 4643 4437 3131 9d41 73d7 3946 3242 4146 2711 b622 3836 3139 3545 1f9a 7075 3033 3130 3130 157a 0154 3536 3636 3832 1f9a 2a5c 3844 3042 3033 0044 e0df 3138 4342 4545 0144 4fdc 4343 3938 3546 0144 bcb9 4342 3230 4533 0044 6774 3330 4130 3134 0144 cc65 4137 4233 3031 0044 039e 3438 3830 4443 3146 1f9a dde8 3346 3334 4239 197a da17 3131 4639 3039 ace8 7177 3941 3335 3831 1f9a deb4 3243 3044 4434 5c7e 6eb5 3631 3232 3941 0eca 01cd 3335 3244 3443 0044 a6ed 3833 4443 3631 0144 0f23 4639 3333 3738 0144 6c38 4436 4544 4230 0044 5486 3039 3239 4430 0144 cd70 3338 3039 4244 0144 7bef 3538 ........5803DC2D B397<..%...D1F4C 72C409B2wV.....D 2214DEA3FC18.... g..D8F71D7CB3F83 qF(z.=.D11EE34DC CB05q.M..A.DB961 194AC46Es.O..z.D 115776349FCC...# '..DCEE92B9811F9 ....'t.DAF5FF933 CFEA.![.'..D0978 00E6FCAD.".....D 3F95007686CBqwl8 .R.D9F8D19209AD6 .....E.D5EE335ED FBD1.......D81B0 5B64DAC3pugt...D 6C1FE5820330..T. '..DB4C310A02C09 jx|.O{.D10140D29 E724.#...z.DD4D0 7664F70B.T.e\~.D E5A700C056A7n..p 'w.DC70766B36138 q.'$...D82012209 8641.......D9ABD D4D7617B*\.....D 175A84F48D48..{. 63 ;..DA0680B803558 Monitoring CS machines • Packet 3-40: CS machines contact sources encoded in packet 04:40:45.211649 IP 180.153.227.168.80 > 2.239.95.102.10102: UDP, length 1044 0x0000: 4500 0430 0100 0000 ed11 ---- b499 e3a8 E..0......L%.... 0x0010: 02ef 5f66 0050 2776 041c b5bd 0414 0350 .._f.P'v.......P 0x0020: 2c00 0000 e469 18ad ab70 9e6c dad1 d5fe ,....i...p.l.... 0x0030: c1c5 d3f7 e0cc 674d 0000 3200 0001 11d9 ......gM..2..... 0x0040: 0001 07ad 0000 0000 3538 3033 4443 3244 ........5803DC2D 0x0050: 4233 3937 3cf6 1925 1f9a 0044 3146 3443 B397<..%...D1F4C 0x0060: 3732 4334 3039 4232 7756 e0df 1f9a 0044 72C409B2wV.....D 0x0070: 3232 3134 4445 4133 4643 3138 dde8 a6ed 2214DEA3FC18.... 0x0080: 6784 0044 3846 3731 4437 4342 3346 3833 g..D8F71D7CB3F83 0x0090: 7146 287a 153d 0144 3131 4545 3334 4443 qF(z.=.D11EE34DC 0x00a0: 4342 3035 718f 4da1 9d41 0144 4239 3631 CB05q.M..A.DB961 0x00b0: 3139 3441 4334 3645 73d7 4fdc 197a 0144 194AC46Es.O..z.D 0x00c0: 3131 3537 3736 3334 3946 4343 da17 0f23 115776349FCC...# 0x00d0: 2711 0144 4345 4539 3242 3938 3131 4639 '..DCEE92B9811F9 0x00e0: b6f7 838b 2774 0144 4146 3546 4639 3333 ....'t.DAF5FF933 0x00f0: 4346 4541 b721 5ba8 2711 0144 3039 3738 CFEA.![.'..D0978 04:40:45.215588 IP 2.239.95.102.10102 > 113.70.40.122.5437: UDP, length 0x0100: 3030 4536 4643 4144 72 b622 bcb9 ace8 0144 00E6FCAD.".....D 0x0000: 4500 0064 536f 0000 3f11 ---02ef 5f66 E..dSo..?....._f 0x0110: 3346 3935 3030 3736 3836 4342 7177 6c38 3F95007686CBqwl8 0x0010: 7146 287a 2776 153d 0050 1bff 0000 9e52 0000 0144 qF(z'v.=.P...... 0x0120: 3946 3844 3139 3230 3941 4436 .R.D9F8D19209AD6 0x0020: f21e 9a42 4103 55e1 0000 0004 0000 0000 ...BA.U......... 0x0130: af0c 97d4 0845 0144 3545 4533 3335 4544 .....E.D5EE335ED 0x0030: 0038 0000 0001 0000 0000 0028 e469 4642 18ad 4431 .8.........(.i.. 0x0140: 1b12 880f 1f9a 0044 3831 4230 FBD1.......D81B0 0x0040: ab70 9e6c dad1 d5fe c1c5 d3f7 e0cc 3542 674d 3634 .p.l..........gM 0x0150: 4441 4333 7075 6774 1f9a 0044 5B64DAC3pugt...D 0x0050: 3336 3050 3030 3638 3531 4534 4230 3643 4442 3146 360P006851E4B0DB 0x0160: 4535 3832 3033 3330 deb4 5486 6C1FE5820330..T. 0x0060: 3433 3044 430D 0x0170: 271c 0144 4234 4333 3130 4130 3243 3039 '..DB4C310A02C09 0x0180: 6a78 7c09 4f7b 0144 3130 3134 3044 3239 jx|.O{.D10140D29 0x0190: 4537 3234 b623 c1cc 157a 0144 4434 4430 E724.#...z.DD4D0 0x01a0: 3736 3634 4637 3042 0154 cc65 5c7e 0144 7664F70B.T.e\~.D 0x01b0: 4535 4137 3030 4330 3536 4137 6eb5 cd70 E5A700C056A7n..p 0x01c0: 2777 0144 4337 3037 3636 4233 3631 3338 'w.DC70766B36138 0x01d0: 71f9 2724 1f9a 0044 3832 3031 3232 3039 q.'$...D82012209 0x01e0: 3836 3431 dca2 f7ac 1f9a 0044 3941 4244 8641.......D9ABD 0x01f0: 4434 4437 3631 3742 2a5c 039e 0eca 0144 D4D7617B*\.....D 0x0200: 3137 3541 3834 4634 3844 3438 01cd 7bef 175A84F48D48..{. 64 0x0210: 3b1a 0144 4130 3638 3042 3830 3335 3538 ;..DA0680B803558 Monitoring CS machines • More packets are exchanged... • and sometimes there is a byte order bug! 04:40:46.877858 IP 113.70.40.122.5437 > 0x0000: 4500 003a 6213 0000 2f11 0x0010: 02ef 5f66 153d 2776 0026 0x0020: a800 0d13 2100 55e1 0149 0x0030: 0038 0000 0005 0006 0000 2.239.95.102.10102: UDP, length 30 ---- 7146 287a E..:b.../...qF(z 8a67 0000 0000 .._f.='v.&.g.... f488 0134 9733 ....!.U..I...4.3 .8........ 04:40:46.878016 IP 2.239.95.102.10102 > 0x0000: 4500 003a 552d 0000 3f11 0x0010: 7a28 4671 2776 3d15 0026 0x0020: 0000 0000 3100 55e1 0000 0x0030: 0000 0000 42d6 0005 0000 122.40.70.113.15637: UDP, length 30 ---- 02ef 5f66 E..:U-..?....._f 2c6b 0000 0000 z(Fq'v=..&,k.... 0000 0000 0000 ....1.U......... ....B..... • So 1.2.3.4 receives packets when intended recipient has IP address 4.3.2.1 65 What software has this bug? 66 Qihoo 360 • Verified product usage with CS users • 360 Total Security Software License and Service Agreement: iii) The Upgrade module of the Software uses peer-to-peer ("P2P") technology to improve upgrade speed and efficiency of your bandwidth usage. The P2P technology will cause data to be uploaded, including program modules and the Software's malware definition database, which are used as components of the Software. Your private data will not be uploaded. https://www.360totalsecurity.com/en/license/360-total-security/ 67 Qihoo cleanup • It took about a month from notification for there to be a significant decrease in packets originating from bug Probably large update events Qihoo notified New version on website 2015/2016 68 Network telescopes capture a wealth of securityrelated data • Scanning: Trends and relation to vulnerability announcements • Backscatter: Attacks on authoritative name servers • Misconfigurations: BitTorrent index poisoning attacks • Bugs: Byte order bug in security software • Unknown: Encryption vs. obfuscation 69 Making the unknown traffic known • Further investigation into unknown traffic can reveal source of traffic • Recall packet that appeared to have encrypted payload • Lots of traffic to 1 IP address + statistical analysis of bytes + white papers [1] => this packet is a Sality C&C Related packet length 6:00:06.000065 IP 111.248.55.49.51956 > 1.16.56.246.7605: UDP, length 19 0x0000: 4500 002f 6c48 0000 7011 ---- 6ff8 3731 E../lH..p..Fo.71 0x0010: 0110 38f6 caf4 1db5 001b 8298 7133 0f00 ,.8.........q3.. 0x0020: 643e c2d4 2cf5 42b5 810f 7f01 5344 1e d>..,.B.....SD. [1] Nicolas Falliere. Sality: Story of a Peer-to-Peer Viral Network. http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/ sality_peer_to_peer_viral_network.pdf, 2011." 70 Making the unknown traffic known • Further investigation into unknown traffic can reveal source of traffic • Recall packet that appeared to have encrypted payload • Lots of traffic to 1 IP address + statistical analysis of bytes + white papers [1] => this packet is a Sality C&C RC4 Key Related packet length 6:00:06.000065 IP 111.248.55.49.51956 > 1.16.56.246.7605: UDP, length 19 0x0000: 4500 002f 6c48 0000 7011 ---- 6ff8 3731 E../lH..p..Fo.71 0x0010: 0110 38f6 caf4 1db5 001b 8298 7133 0f00 ,.8.........q3.. 0x0020: 643e c2d4 2cf5 42b5 810f 7f01 5344 1e d>..,.B.....SD. [1] Nicolas Falliere. Sality: Story of a Peer-to-Peer Viral Network. http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/ sality_peer_to_peer_viral_network.pdf, 2011." 71 Making the unknown traffic known • Further investigation into unknown traffic can reveal source of traffic • Recall packet that appeared to have encrypted payload • Lots of traffic to 1 IP address + statistical analysis of bytes + white papers [1] => this packet is a Sality C&C RC4 Key Related packet length 6:00:06.000065 IP 111.248.55.49.51956 > 1.16.56.246.7605: UDP, length 19 0x0000: 4500 002f 6c48 0000 7011 ---- 6ff8 3731 E../lH..p..Fo.71 0x0010: 0110 38f6 caf4 1db5 001b 8298 7133 0f00 ,.8.........q3.. 0x0020: 0382 d>..,.B.....SD. 643e 0000 c2d4 0003 2cf5 .... 42b5 .... 810f .... 7f01 .... 5344 .. 1e Version: 03 Command: 0x03 (Pack Exchange) URL Pack Sequence ID:0x82000000 [1] Nicolas Falliere. Sality: Story of a Peer-to-Peer Viral Network. http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/ sality_peer_to_peer_viral_network.pdf, 2011." 72 Scale of misconfiguration • Like BitTorrent, Sality can have bogus information in its hash table that results in many sources sending us packets • 34 days in 2012: 386k IPs • 34 days in 2013: 355k IPs • Symantec 2011: ~300k infections [1] Nicolas Falliere. Sality: Story of a Peer-to-Peer Viral Network. http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/ sality_peer_to_peer_viral_network.pdf, 2011." 73 Conclusion • It s likely your machines transmit Internet background radiation • Network telescopes capture a wealth of security-related data • Including somewhat complex attacks/bugs/misconfigurations • Scanning trends • Attacks on authoritative name severs • BitTorrent index poisoning • Qihoo 360 byte-order bug • Misconfigurations in Sality botnet 74