1.2.3.4 - DEF CON Media Server

Transcription

1.2.3.4: Examining the Internet's Pollution
Karyn Benson
kbenson@cs.ucsd.edu
https://www.reddit.com/r/AskReddit/comments/2pjsf9/garbage_men_of_reddit_whats_the_most_illegal/
People throw out interesting and valuable items.

http://www.owensworld.com/funny-pictures/vehicles/2-cars-dumpster
This talk: what sort of interesting and valuable information can we find in the Internet's trash?
About me
•  I studied Internet trash for the last 4 years of my PhD
•  Before grad school: wrote intrusion detection software
Outline
•  What is Internet trash?
•  How can we collect trash?
•  Data for this presentation
•  Interesting and valuable items found in trash
•  Conclusion
What is Internet trash?
•  Unsolicited packets
•  Passively captured
•  Also called Internet Background Radiation (IBR)

Traffic: Scanning
•  Searching for hosts that run a service
Traffic: Backscatter
•  Host responds to forged packets
Figure: the attacker (7.7.7.7) sends a SYN to the victim (3.3.3.3) with the forged source address 1.2.3.4. The victim answers with a SYN-ACK "From: 3.3.3.3, To: 1.2.3.4", so the reply lands on 1.2.3.4, the unused address we monitor, instead of on the attacker.
Traffic: Misconfiguration
•  Host erroneously believes that a machine is hosting a service
Figure: a host configured with DNS servers 5.5.5.5, 6.6.6.6 and 1.2.3.4, but 1.2.3.4 runs no resolver (marked X). Every query it sends there is unsolicited traffic.
Traffic: Bugs
•  Software errors cause packets to reach unintended destinations
Figure: a host configured with DNS server 4.3.2.1 sends its DNS query "To: 1.2.3.4", the same four octets in reverse order.
Traffic: Spoofed
•  Hosts forge their IP address to make it appear as though it originates from a different source
Figure: host 3.3.3.3 sends a SYN "From: 2.2.2.2, To: 1.2.3.4".
Traffic: Unknown
•  Traffic produced for an unknown purpose
•  TCP SYN to non-standard port
•  Encrypted UDP packets
•  UDP with unknown payload
Example (IP header checksum shown as ----):
6:00:06.000065 IP 111.248.55.49.51956 > 1.16.56.246.7605: UDP, length 19
    0x0000: 4500 002f 6c48 0000 7011 ---- 6ff8 3731  E../lH..p..Fo.71
    0x0010: 0110 38f6 caf4 1db5 001b 8298 7133 0f00  ,.8.........q3..
    0x0020: 643e c2d4 2cf5 42b5 810f 7f01 5344 1e    d>..,.B.....SD.

How can we collect trash?
How to collect unsolicited traffic
•  Honeypots: set up machines that are deliberately exposed so that they get attacked or infected with malware, and record what reaches them (figure: a single honeypot at 1.0.0.0)

•  One-way traffic: record any packet that never receives a response
   Figure: 1.0.0.0/24 is announced in BGP; live hosts at 1.0.0.0, 1.0.0.4, 1.0.0.33, 1.0.0.97, 1.0.0.133 and 1.0.0.208
   Destination                        Rule
   Any packet without a response      Write packet to storage

•  Greynet: record traffic destined to any unused IP address
   Figure: same /24 and live hosts as above
   Destination                        Rule
   1.0.0.[0,4,33,97,133,208]          Route to destination
   All others in 1.0.0.0/24           Write packet to storage

•  Covering prefix: record any packet destined to an unused subnet
   Figure: 1.0.0.0/24 is announced in BGP; live hosts at 1.0.0.1, 1.0.0.9, 1.0.0.17, 1.0.0.31, 1.0.0.63 and 1.0.0.127, all in the lower half of the block
   Destination                        Rule
   1.0.0.0/25                         Route to destination
   1.0.0.128/25                       Write packet to storage

•  Network telescope: announce unused addresses and record all traffic
   Figure: 1.0.0.0/24 is announced in BGP with no live hosts
   Destination                        Rule
   1.0.0.0/24                         Write packet to storage
We use network telescopes to easily study macroscopic behaviors
Figure: the five collection methods ordered honeynet, one-way traffic, greynet, covering prefix, network telescope. Moving along that order:
•  Pros that grow: scalability, ease of implementation, fewer privacy concerns
•  Cons that grow: lack of in-depth details, avoidability
Data used in this presentation

Our method of obtaining trash: network telescopes
•  Multiple large (academic) network telescopes
•  Currently capturing ~5TB compressed pcap per week
•  Historical: traffic since 2008
Figure: a scanning, misconfigured, buggy or under-attack host sends packets that arrive at the telescope
IBR is pervasive: We observe traffic from many diverse sources
•  Removed spoofed traffic. Method: [CCR 13]

                  Total (~July 2013)   Percent of BGP-announced
IP addresses      133M                 5%
/24 blocks        3.15M                30%
Prefixes          205k                 45%
ASes              24.2k                54%
Countries         233                  99%

IBR is persistent: We observe a large number of sources over time
•  Removed spoofed traffic. Method: [CCR 13]
Figure: number of sources over time since 2008, with the Spamhaus attack annotated
Interesting and valuable items found in Internet trash

Network telescopes capture a wealth of security-related data
•  Scanning: Trends and relation to vulnerability announcements
•  Backscatter: Attacks on authoritative name servers
•  Misconfigurations: BitTorrent index poisoning attacks
•  Bugs: Byte order bug in security software
•  Unknown: Encryption vs. obfuscation

Scanning: Trends and relation to vulnerability announcements
Methodology
•  Used Bro's parameters: an IP is considered a scanner if it sends:
   •  Packets to 25 different network telescope IP addresses
   •  Same protocol/port
   •  Within 5 minutes
•  Results depend on the size of the network telescope
•  Doesn't capture super stealthy scanners (e.g., [Dainotti et al. IMC 12])
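As an added example (not code from the talk or from Bro), the scan rule above implemented over a stream of telescope packets. The Packet record type and the three sample sources are constructed here, not captured data; the 25-address threshold and the 5-minute window are the slide's parameters.

```python
"""Bro-style scan detection as quoted on the slide: a source is a scanner once it
has sent packets to 25 distinct telescope addresses on the same protocol/port
within 5 minutes.  Added example; the sample traffic below is constructed."""
from collections import defaultdict, deque
from typing import Dict, Iterable, NamedTuple, Tuple


class Packet(NamedTuple):
    ts: float    # capture time, seconds
    src: str     # source address
    dst: str     # destination (telescope) address
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


DISTINCT_DSTS = 25   # Bro's threshold, as quoted in the talk
WINDOW = 5 * 60      # seconds

FlowKey = Tuple[str, str, int]   # (src, proto, dport)


def detect_scanners(packets: Iterable[Packet],
                    threshold: int = DISTINCT_DSTS,
                    window: float = WINDOW) -> Dict[FlowKey, float]:
    """Return {(src, proto, dport): time_of_detection} for every source that
    reaches `threshold` distinct destinations inside a sliding `window`.
    Packets must be supplied in timestamp order (as a pcap replay would)."""
    recent = defaultdict(deque)                        # key -> deque of (ts, dst)
    in_window = defaultdict(lambda: defaultdict(int))  # key -> dst -> count in window
    detected: Dict[FlowKey, float] = {}
    for p in packets:
        key = (p.src, p.proto, p.dport)
        if key in detected:
            continue                                   # already flagged
        dq, seen = recent[key], in_window[key]
        while dq and p.ts - dq[0][0] > window:         # expire packets outside the window
            _, old_dst = dq.popleft()
            seen[old_dst] -= 1
            if seen[old_dst] == 0:
                del seen[old_dst]
        dq.append((p.ts, p.dst))
        seen[p.dst] += 1
        if len(seen) >= threshold:
            detected[key] = p.ts
            del recent[key], in_window[key]            # state no longer needed
    return detected


def sample_traffic():
    """Constructed sample: a fast scanner, a slow scanner and a one-destination source."""
    pkts = []
    # fast scanner: 30 telescope addresses on tcp/23 in one minute -> flagged
    for i in range(30):
        pkts.append(Packet(1000.0 + 2 * i, "203.0.113.5", f"1.0.0.{i + 1}", "tcp", 23))
    # slow scanner: a new address every 30 s -> at most 11 distinct in any 5-minute window
    for i in range(30):
        pkts.append(Packet(2000.0 + 30 * i, "198.51.100.9", f"1.0.0.{i + 1}", "tcp", 22))
    # misconfigured client hammering one address: many packets, one destination
    for i in range(30):
        pkts.append(Packet(3000.0 + i, "192.0.2.7", "1.0.0.200", "udp", 53))
    return sorted(pkts, key=lambda p: p.ts)


if __name__ == "__main__":
    for (src, proto, dport), ts in detect_scanners(sample_traffic()).items():
        print(f"{src} scanning {proto}/{dport}, flagged at t={ts}")
```

The slow scanner shows the slide's caveat: a stealthy scanner that never accumulates 25 telescope addresses inside one window is invisible to this rule, and a smaller telescope makes that easier because each scan hits fewer of its addresses.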
Scanning: 2008-2012
•  Conficker dominates
Figure: packets and source IPs over 2008-2012, with the Conficker outbreak annotated

How do we know which packets originate from Conficker?
•  Bug in PRNG: primarily targets IP addresses {A.B.C.D | B < 128 & D < 128}
•  Developed a heuristic to identify sources randomly scanning with this bug
•  Some evidence of a testing phase prior to discovery
Figure: sources matching the heuristic over time, annotated "Missing data", "Conficker discovered", "No Conficker expected" and "No Conficker observed". First day: 2 IPs in Guangdong Province, China
Scanning Post 2012
•  Conficker is dying out
•  Port 23 (telnet) is popular
Figure: packets and source IPs after 2012, with the Carna Botnet annotated
http://internetcensus2012.bitbucket.org/paper.html

Scanning Post 2012: Scans of TCP/443 following the Heartbleed vulnerability announcement

Scanning Post 2012: Scans of TCP/5000 prior to the Akamai report of UPnP used for DDoS attacks
https://www.akamai.com/us/en/about/news/press/2014-press/akamai-warns-of-upnp-devices-used-in-ddos-attacks.jsp
Backscatter: Attacks on authoritative name servers
Preventing access to websites via attacks on authoritative name servers
Figure: the normal resolution path
1. Legitimate host sends a DNS query to its DNS server
2. DNS server sends a recursive DNS query to the authoritative NS
3. Authoritative NS returns the response to the recursive DNS query
4. DNS server returns the DNS response to the host
5. Host sends an HTTP GET to the webserver
An attack on the authoritative NS stalls step 3, so the host never gets to step 5.
Reference: https://www.nanog.org/sites/default/files/nanog63-dnstrack-vannice-ddos.pdf
Why we see some of these attacks: open resolvers
Figure: the attack exchange
1. Spoofer (5.6.7.8) sends a DNS query to an open resolver with the forged source "From: 1.2.3.4"
2. Open resolver sends a recursive DNS query to the authoritative NS
3. Authoritative NS returns the response to the recursive DNS query (or fails to, if it is under attack)
4. Open resolver sends the DNS response "To: 1.2.3.4", i.e., into the network telescope
We infer more open resolvers as a result of an increase in DNS traffic, but the number of open resolvers we see is much less than active probing finds. The open resolvers we observe are used in DoS attacks... and it's working
•  The same open resolvers are used throughout; very few open resolvers were seen before Jan 29, 2014
•  OK and SERVFAIL are DNS response codes (RCODE), not OPCODEs as the slide labels them; SERVFAIL signals a problem with the (authoritative) NS
•  A resolver can appear in both the OK and the SERVFAIL column

Source                               IPs      IPs returning OK   IPs returning SERVFAIL
IBR ~July 2013                       3.4k     3.0k               148
IBR ~Feb. 2014                       1.56M    1.44M              1.45M   (high number of errors)
Open Resolver Project ~Feb. 2014     37.6M    32.6M              0.92M   (low number of errors)
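An added example, not the talk's tooling: a small DNS header parser that does the classification behind the table above, separating responses by RCODE per resolver. The packets are constructed with the block's own build_response(); the name 029sms.com is taken from the queried-domain list that follows.

```python
"""Classify DNS backscatter by response code.  Added example, not from the talk:
it parses the 12-byte DNS header (RFC 1035 section 4.1.1) and the first question
of each UDP payload, keeps only responses (QR=1) and tallies NOERROR vs SERVFAIL
per resolver address.  All packets below are constructed with build_response()."""
import struct
from collections import defaultdict
from typing import Dict, Iterable, Optional, Tuple

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def parse_dns_response(payload: bytes) -> Optional[Tuple[str, int]]:
    """Return (qname, rcode) for a standard-query response, else None."""
    if len(payload) < 12:
        return None
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    qr = flags >> 15
    opcode = (flags >> 11) & 0xF        # 0 = standard query
    rcode = flags & 0xF                 # 0 = NOERROR, 2 = SERVFAIL, ...
    if qr != 1 or opcode != 0 or qdcount < 1:
        return None
    labels, off = [], 12
    while True:                         # question name: length-prefixed labels, 0 ends it
        if off >= len(payload):
            return None
        n = payload[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:                    # a compression pointer never starts a question name
            return None
        labels.append(payload[off:off + n].decode("ascii", "replace"))
        off += n
    if off + 4 > len(payload):          # QTYPE and QCLASS must follow the name
        return None
    return ".".join(labels), rcode


def tally_backscatter(packets: Iterable[Tuple[str, bytes]]) -> Dict[str, Dict[str, int]]:
    """packets: (resolver_ip, udp_payload) pairs seen at the telescope.
    Returns {resolver_ip: {rcode_name: count}}; non-responses are ignored."""
    tally: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for src, payload in packets:
        parsed = parse_dns_response(payload)
        if parsed is None:
            continue
        _qname, rcode = parsed
        tally[src][RCODE_NAMES.get(rcode, f"RCODE{rcode}")] += 1
    return tally


def servfail_ratio(tally: Dict[str, Dict[str, int]]) -> float:
    """Fraction of resolvers that returned at least one SERVFAIL, the
    'problem with the authoritative NS' signal from the table."""
    if not tally:
        return 0.0
    return sum(1 for c in tally.values() if c.get("SERVFAIL")) / len(tally)


def build_response(qname: str, rcode: int, txid: int = 0x1234) -> bytes:
    """Constructed minimal DNS response: QR=1, RD=1, RA=1, one A question, no answers."""
    header = struct.pack("!6H", txid, 0x8180 | rcode, 1, 0, 0, 0)
    question = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    return header + question + struct.pack("!HH", 1, 1)     # QTYPE=A, QCLASS=IN


def sample_backscatter():
    """Constructed sample (not captured data)."""
    query = struct.pack("!6H", 7, 0x0100, 1, 0, 0, 0) + b"\x05baidu\x03com\x00" + struct.pack("!HH", 1, 1)
    return [
        ("198.51.100.1", build_response("029sms.com", 2)),   # SERVFAIL x3
        ("198.51.100.1", build_response("029sms.com", 2)),
        ("198.51.100.1", build_response("029sms.com", 2)),
        ("198.51.100.2", build_response("029sms.com", 0)),   # NOERROR x2
        ("198.51.100.2", build_response("baidu.com", 0)),
        ("192.0.2.9", query),                                 # a query, not a response: dropped
    ]
```

Telescope data contains plenty of non-DNS junk on UDP/53, so the parser refuses anything that is not a well-formed standard-query response rather than counting it; the QR check is what separates backscatter (responses) from misdirected queries.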
Queried domains
•  First day: queries for baidu.com, likely a testing phase
•  Data from the first month of activity. We still observe the attack.
020sf.com 024web.net 027dz.com 028xkj.com 029sms.com 02gd.com 0319pk.com 03lcq.com 052000.com 0538hj.com 0571video.com 059sem.com
0769cg.com 0769ff.com 08ws.com 111da.com 1188008.com 1234176.com 139hg.com 167uc.com 16888china.com 173pk.com 176cc.com 176dd.com
176gj.com 176kw.com 176l.com 176mm.com 176xq.com 17c.cc 180xp.com 184sf.com 185jxcq.com 191cq.com 19jy.com 201314baidu.com 202aaa.com
236899.com 24ribi.com 250hj.com 266mi.com 269sf.com 2kkx.com 3000sy.com 300eeee.com 300llll.com 300ssss.com 303aaa.com 303bbb.com 30gg.com
316ms.com 321xy.com 360362.com 365ddos.cn 369df.com 38db.com 38za.com 3gabn.com 3kkx.com 3q518.com 3t33.com 4000123046.com 40cqcq.com
442ko.com 4z1s.info 500sf.com 512312.com 513wt.com 515kkk.com 51aidi.com 51rebeng.com 51yjzs.com 520898.com 520sfyx.com 525mk.com 52ccx.com
52ssff.com 531gou.com 555fz.com 567uu.com 56bj56.com 5ipop.net 5kkx.com 600dddd.com 60sf.com 616162.com 63fy.com 666hf.com 68yb.com 6ee.com
6g5b.info 6kkx.com 6ksf.com 700rrrr.com 72play.com 72sm.com 74486.com 76489.com 766mi.com 767hh.com 76wzw.com 76yxw.com 775gg.com
778ff.com 787ok.com 799mi.com 7afa.com 7s7ss.com 800liao.net 800nnnn.com 800oooo.com 800uuuu.com 815quan.com 81hn.com 81ypf.com 82hf.com
83uc.cn 83wy.com 84822258.com 85191.com 87145.com 87xn.com 885jj.com 886pk.com 8885ok.com 900eeee.com 909kkk.com 910pk.com 911aiai.com
911gan.com 911ii.com 911mimi.com 911sepian.com 911xi.com 911xu.com 911yinyin.com 915hao.com 919uc.com 926.com 92xiaobao.com 933fg.com
940945.net 97pc.net 980311.net 981118.com 98989833.com 991816.com 998.co 999qp.net 99hcq.com 99ktw.com 99mzi.com 99ting.com 99wf.com
9aq.com 9kanwo.com 9kf.com 9zny.com a6c5.com akadns.net aliyuncs.com amdxy.com appledaily.com.hk appledaily.com.tw arx888.com asxkmy.com
atnext.com aws520.com b166.com badong123.com bbidda.com bbjck.com bbs117.com bdaudi.com bdhope.com betboy.cc betboy.hk betboy.tw
bettykid.com bjts168.com boeeo.com booooook.com bw176.com byfire.net cc176.com cck168.com ccskys.com cd519.com cdhydq.com cdjbg.com
cdxgy.com cg1314.com cgxin.com chinahjfu.com chuansf-1.com chuansf.com ck1997.com clntwr.com cm0556.com cn191.com cn948.com comedc.com
cp375.com cq520.com cqqhjgj.com cs912.com ct0553.com ct176.com ctysy.com cxmyy.com dama2.com daqinyy.com disshow.com dmmjj.com dnsabc.com
dt176.com dudu176.com dw173.com dytt8.net e0993.com e5e566.com edgesuite.net faahaa.com fen-sen.com fg9999.com fjhzw.com fu180.com furen88.net
fw10000.com fzl4.com gbdzd.com gegegan1.com gegequ.com go176.com gotocdn.com guangyuchina.com gx911.com h5acg.com had1314.com
hao9458.com haocq99.com haosf3165.com haosf86.net hcemba.com hcq180.com hcq99.com hcqmir.com he09.com heblq.com henhenlu.com hf600.cn
hi0762.com hi182.com hj19.com hj321.com hkdns-vip.com hl176.com hlm53.com hn179.com hnart123.com hndc114.com hqsy120.com hscmis.com
htbdcn.com huaxia76.com hw166.com hyh588.com hz96.com icheren.net iidns.com iinfobook.net jc0633.com jccjk.com jd176.com jdgaj.com jdlcq.com
jdyyw.com jeeweb.net jf086.com jh219.com jiaduolu.net jiayun588.com jn176.com jrj001.com jshgl.com jt1216.com jx116.com jx8111.com k9080.com
kd5888.com kp811.com kr5b.com kx2014.com laocq.com laocq180.com laosf180.com laowz176.com laoyou999.com lcjba.com lcq170.com liehoo.net
like400.com lmh176.com love303.com lpp176.com lsr176.com luse0.com luse1.com luse2.com luse3.com luse4.com luse5.com luse6.com luse7.com
luse8.com luse9.com lwfb800.com lxt998.com lygfp.com lyxyqp.com lz9999.com m2bd.pw m3088tv.com manyefs.com mir108.com mir1860.com mir86.com
miryy.com mly555.com mm5ii.com ncmir.com net0335.com nextmedia.com nnlrw.com onaccr-cn.com p0757.com pao176.com ph268.com pk8558.com
pksf08.com puhup.com purednsd.com purevm.com px518.com q1.com qfqcc.com qhdflkmc.com qianliri.com qingfeng180.com quanben.com qy176.com
rp1704.com rq180.com s6s5.com salangane-books.com scktsj.com sdcsnk.com sdjlh.com seluoluo2.com seluoluo3.com seoeee.com sf117.com sf123.com
sf665.com sf717.com sg500.com sh1099.com sheshows.com sinaapp.com skcq.net sl139.com sp176.com ssthjy.com sytcqy.com szchscm.com
tangdefenghuang.com tg180.com tianmao76.com tjldktv.com txj880.com tz176.com vip78.cn w78z.com w8best.com wan26.com wancantao.net
wanfuyou.com wb123.com wfbaby.net wn176.com wotebang.com wsn88.com wy176.com wyb.name wysss.com wz.com x5wb.com x7car.com x7ok.com
xhzssj.com xia00.com xiaolongcq.com xiaoyx123.com xie139.com xin2003.com xjliuxue.cn xtj123.com xx2pp.com xxxoooo.com xxyl100.com yeyelu0.com
yeyelu9.com yg521.com yh996.com yifeng2012.com yinquanxuan.com youcai667.com ysbxw.com yshqq.com ysmir.cn ytwtoys.com ytz4.info
yuhuakonggu.com yw110.com yw119.com yx5881.com yy188.com yy698.com yzrjy.com yzypp.com zbtlw.com zc911.com zgtx168.com zhao106.com
zhaoil.com zhaoqjs.com zhizunfugu.com zinearts.com zongzi0898.com zst0510.com zuyu1.com zxj02.com zxw198.com 052000.com 422.ko.com 51pop.net
5rxe.info 999.net.ru baidu.com bb0575.com gb41.com geigan.org lhy716.com sz-xldrhy.com wgduznyw.ga wo135.com. zbtlw.com. zgvqtnrc.ga

Example Registration Info:
Domain Name: 029sms.com
...
Updated Date: 2014-02-14 14:55:38
Creation Date: 2014-02-14 14:55:38
...
Registrant Street: hkjhkjhjkhjk
Registrant City: Beijing Shi
Registrant State/Province: Beijing Shi
Registrant Postal Code: 333333
Registrant Country: China
Registrant Phone: 11111111
Registrant Phone Ext:
Registrant Fax: 11111111
Misconfigurations: BitTorrent index poisoning attacks
BitTorrent index poisoning attacks induce many hosts to send IBR
•  Index poisoning: purposefully inserting fake information into the DHT
Figure: a client asks the BitTorrent DHT "Where can I get a torrent?"; the poisoned DHT answers "Torrent location: 1.2.3.4", so the client contacts the telescope address.
Popular Torrents in IBR - July 2012
Info hash                                   Torrent                                   Packets
48484fab5754055fc530fcb5de5564651c4ef28f    Grand Theft Auto - Chinatown Wars         450k
5b5e1ffa9390fff13f4af2aef9f5861c4fbf46eb    Modern Family S3E22                       398k
d90c1110a5812d9a4bf3c28e279653a5c4f78dd1    CSI S12E22                                204k
2ecce214e48feca39e32bb50dfcf8151c1b166cc    Coldplay Ft. Rhianna Princess of China    187k
79f771ec436f09982fc345015fa1c1d0d8c38b48    ???                                       129k
b9be9fc1db584145407422b0907d6a09b734a206    Parks and Recreation S4E22                127k
99a837efde41d35c283e2d9d7e0a1d4a7cd996dd    Missing 2012 S1E9                         106k
7b05b6b6db6c66e7bb8fa5aa70a185c7cfcd3d07    ???                                       104k
c0841cf3196a83d1d08ae4a9eaf10fcfc6c7ba66    Big Trouble Little China                  99k
99dfae74641d0ca29ef523860713a6270daefc6e    36 China Town                             91k

Popular Torrents in IBR - July 2013
Info hash                                   Torrent                                   Packets
f7eb38b830ec749f43cf3df20dbc2bf2c99fad97    Sette Anni in Tibet                       2,356k
6ec64cb88937418d6af29fca6d017e0c658654b7    高清 光720P版BD-RMVB.中字 (Chinese release name: HD 720p BD-RMVB, Chinese subtitles; partly lost in extraction)   912k
f90cb027174c2af3c5b838be09a62ff16d6c2ef5    美 生 TC英 中字.rmvb (Chinese release name, partly lost in extraction; TC copy, Chinese subtitles)   845k
fedcf797109c7929558d069602ac6fab0b46e814    Halo 4 Until Dawn                         735k
3b508d09e9c4677b2f67683a9dde2d5ce0b2aa24    soh 360                                   580k
1254bb23d1a04447cb67bc0479549a504d083c31    Her Sweet Hand China Lost Treasure        539k
48484fab5754055fc530fcb5de5564651c4ef28f    Grand Theft Auto - Chinatown Wars         489k
b9be9fc1db584145407422b0907d6a09b734a206    Parks and Rec S4E22                       482k
93efed3aa07e7523d5c4e42f0257f9aa8d5011c3    Dajiyun                                   431k
039a07b38de4529c477f3b75698937e9c5d4acd6    ntdvt news                                325k
BitTorrent: Temporal aspect
•  Unclear why fewer /24 blocks are observed
•  But a paused attack is a possible explanation
Figure: /24 blocks (from BitTorrent) per hour, 2012
BitTorrent: Spatial aspect
•  /24 blocks sending BitTorrent KRPC packets are more likely to be observed by certain destination IPs and ports
•  get_peers and find_node packets: certain IP addresses are more likely to be targeted: {X.B.C.D | B & 0x88 = 0x00 and D & 0x09 = 0x01}
•  A bug in the PRNG for generating IP addresses is a plausible explanation
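One added example for both PRNG-bias heuristics on this page, the Conficker one (B < 128 and D < 128) and the BitTorrent one just described; it is not the talk's heuristic. A source's observed targets are tested against the predicate and the hit rate is compared with the predicate's density over the whole address space, which is what a uniformly random scanner would produce. Every target set here is constructed.

```python
"""Detect target-selection bias from a buggy PRNG.  Added example, not the
talk's heuristic.  The talk names two biases: Conficker (targets A.B.C.D with
B < 128 and D < 128) and BitTorrent get_peers/find_node traffic
(B & 0x88 == 0 and D & 0x09 == 0x01).  For a scanner picking addresses
uniformly, the share of targets satisfying a predicate equals the predicate's
density over the address space; a source far above that density is biased.
The target sets below are constructed, not telescope data."""
import ipaddress
from math import sqrt
from typing import Callable, Iterable, List, Tuple

BytePredicate = Callable[[int, int, int, int], bool]   # (A, B, C, D) -> bool


def conficker_bias(a: int, b: int, c: int, d: int) -> bool:
    return b < 128 and d < 128


def bittorrent_bias(a: int, b: int, c: int, d: int) -> bool:
    return (b & 0x88) == 0 and (d & 0x09) == 0x01


def density(pred: BytePredicate) -> float:
    """Share of IPv4 addresses satisfying pred.  Both predicates above only look
    at octets B and D, so enumerating those 65536 pairs is exact."""
    hits = sum(1 for b in range(256) for d in range(256) if pred(0, b, 0, d))
    return hits / 65536


def bias_score(targets: Iterable[str], pred: BytePredicate) -> Tuple[int, float, float]:
    """Return (n, observed_fraction, z).  z is the normal approximation of how
    many standard deviations the observed fraction lies above the uniform density."""
    n = hits = 0
    for t in targets:
        a, b, c, d = ipaddress.IPv4Address(t).packed
        n += 1
        hits += pred(a, b, c, d)
    if n == 0:
        return 0, 0.0, 0.0
    p0 = density(pred)
    frac = hits / n
    return n, frac, (frac - p0) / sqrt(p0 * (1 - p0) / n)


def is_biased(targets: Iterable[str], pred: BytePredicate,
              min_targets: int = 50, z_threshold: float = 6.0) -> bool:
    """Flag a source once enough targets were seen and the excess is overwhelming."""
    n, _, z = bias_score(list(targets), pred)
    return n >= min_targets and z >= z_threshold


# constructed target sets; every address is synthetic
def conficker_like_targets() -> List[str]:
    return [f"10.{b}.0.{d}" for b in range(0, 128, 8) for d in range(0, 128, 8)]    # 256 targets


def uniform_like_targets() -> List[str]:
    return [f"10.{b}.0.{d}" for b in range(0, 256, 16) for d in range(0, 256, 16)]  # 256 targets


def bittorrent_like_targets() -> List[str]:
    return [f"10.{b}.0.{d}" for b in range(0, 128, 16) for d in range(1, 128, 16)]  # 64 targets


if __name__ == "__main__":
    for name, targets in [("conficker-like", conficker_like_targets()),
                          ("uniform", uniform_like_targets()),
                          ("bittorrent-like", bittorrent_like_targets())]:
        for pname, pred in [("conficker", conficker_bias), ("bittorrent", bittorrent_bias)]:
            n, frac, z = bias_score(targets, pred)
            print(f"{name:16s} vs {pname:10s}: n={n:3d} frac={frac:.3f} z={z:6.1f} "
                  f"biased={is_biased(targets, pred)}")
```

The minimum-sample guard matters in practice: with few targets even a uniform scanner can look biased by chance, and on a small telescope most sources contribute only a handful of packets.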
July 2015: Huge increase in BitTorrent traffic
•  Graph: BitTorrent KRPC packets
•  Increase is caused by traffic destined to 1 IP => traffic from over 3.7M /24s per month
•  Still going on... not sure of all the details yet

Investigating July 2015 increase in BitTorrent IBR
•  Installed two BitTorrent clients on one machine (uTorrent, Deluged)
•  Just joined the DHT, didn't download any torrents
•  ~2.5 months: Nov. 15 2015 - Jan. 28 2016
   •  uTorrent: 12 IPs sent 112 packets to a network telescope IP
   •  Deluged: 51 IPs sent 64 packets to a network telescope IP
•  Who directed us to the network telescope?
   •  LibTorrent most popular client, but not used exclusively
   •  China most popular geolocation, but not exclusively
Suspicious BitTorrent behavior
•  Most node IDs associated with the network telescope IP have their third byte equal to 0x04
•  Other IP addresses in the response packets occur frequently and have third-byte quirks

Sample node ID                                                   Other IP           Packets         3rd byte
b8:1d:04:ef:96:18:e4:20:6b:c2:8d:1a:31:af:de:7a:81:66:02:56      157.144.153.163    76 from 6 IPs   0x05
bd:23:04:04:e9:5e:f5:a0:10:08:06:95:a3:ab:93:c7:74:f5:a6:58      177.123.230.26     55 from 7 IPs   0x00
52:b1:04:09:49:b4:91:f8:38:e6:c5:06:38:8d:04:8a:50:99:3f:50      212.246.161.63     64 from 7 IPs   0x06
05:b5:04:7e:6a:b8:96:1a:35:07:4e:ae:3e:d3:41:21:95:45:a8:81      217.123.247.72     87 from 4 IPs   0x03
13:28:04:d6:d3:2d:db:c5:07:79:7e:14:27:09:e1:37:e7:7e:25:2f      27.171.198.228     55 from 8 IPs   0x07
13:28:04:a9:5c:2d:82:2f:78:65:54:13:04:6d:b4:10:72:57:8d:5d      90.122.90.178      4 from 3 IPs    0x01
Bugs: Byte order bug in security software
How many sources send us unsolicited traffic?
Figure: source IPs per hour, Jan 2008 to Jan 2015, y-axis 0.0M to 7.0M. Annotations: "Conficker outbreak", "BitTorrent", and an unexplained rise labeled "????" reaching toward 7.0M sources per hour.
Responsible payload
6:00:00.083796 IP 123.4.253.107.8090 > 1.179.58.115.42501: UDP, length 30
    0x0000: 4500 003A DF4B 0000 2E11 ---- 7B04 FD6B  E..:.K......{..K
    0x0010: 01B3 3A73 1F9A A605 0026 C0CF 0000 0000  ..:S.....&......
    0x0020: 0000 0000 3100 3D57 0000 0000 0000 0000  ....1.=W........
    0x0030: 0000 0000 287E 02C7 0000
•  8090 is the most popular source port
•  39455 is the most popular destination port (39455 = 0x9A1F, which is 8090 = 0x1F9A with its two bytes swapped)
•  Slide annotations mark four regions of the 30-byte payload: Fixed, Connection ID, Random, Counter
Lots of hosts from China
•  August 2013 data
Country        IPs      % of the country's BGP-announced address space
China          101M     36.26%
Taiwan         505k     1.45%
Malaysia       442k     7.65%
USA            324k     0.03%
Hong Kong      280k     2.75%
Japan          186k     0.11%
Canada         129k     0.26%
Thailand       126k     1.55%
Australia      126k     0.31%
Singapore      116k     2.16%
Annotation: 4 of the USA IPs belong to the CS department!
Monitoring CS department address space
•  Capture 1: 36 hours of traffic in/out of the CS department for this packet
   •  CS address space also receives these packets
   •  3 of the 4 IPs from CS observed generating this traffic
•  Capture 2: Monitor all traffic to/from these IPs on the associated UDP ports
Monitoring CS machines
•  Packet 1: CS machines contact a common IP address: tr-b.p.360.cn
•  Packet 2: CS machines receive a large packet (IP header checksum shown as ----; the slide's dump stops at offset 0x0210, the packet runs to 0x0430)
04:40:45.211649 IP 180.153.227.168.80 > 2.239.95.102.10102: UDP, length 1044
    0x0000: 4500 0430 0100 0000 ed11 ---- b499 e3a8  E..0......L%....
    0x0010: 02ef 5f66 0050 2776 041c b5bd 0414 0350  .._f.P'v.......P
    0x0020: 2c00 0000 e469 18ad ab70 9e6c dad1 d5fe  ,....i...p.l....
    0x0030: c1c5 d3f7 e0cc 674d 0000 3200 0001 11d9  ......gM..2.....
    0x0040: 0001 07ad 0000 0000 3538 3033 4443 3244  ........5803DC2D
    0x0050: 4233 3937 3cf6 1925 1f9a 0044 3146 3443  B397<..%...D1F4C
    0x0060: 3732 4334 3039 4232 7756 e0df 1f9a 0044  72C409B2wV.....D
    0x0070: 3232 3134 4445 4133 4643 3138 dde8 a6ed  2214DEA3FC18....
    0x0080: 6784 0044 3846 3731 4437 4342 3346 3833  g..D8F71D7CB3F83
    0x0090: 7146 287a 153d 0144 3131 4545 3334 4443  qF(z.=.D11EE34DC
    0x00a0: 4342 3035 718f 4da1 9d41 0144 4239 3631  CB05q.M..A.DB961
    0x00b0: 3139 3441 4334 3645 73d7 4fdc 197a 0144  194AC46Es.O..z.D
    0x00c0: 3131 3537 3736 3334 3946 4343 da17 0f23  115776349FCC...#
    0x00d0: 2711 0144 4345 4539 3242 3938 3131 4639  '..DCEE92B9811F9
    0x00e0: b6f7 838b 2774 0144 4146 3546 4639 3333  ....'t.DAF5FF933
    0x00f0: 4346 4541 b721 5ba8 2711 0144 3039 3738  CFEA.![.'..D0978
    0x0100: 3030 4536 4643 4144 b622 bcb9 ace8 0144  00E6FCAD.".....D
    0x0110: 3346 3935 3030 3736 3836 4342 7177 6c38  3F95007686CBqwl8
    0x0120: 9e52 0144 3946 3844 3139 3230 3941 4436  .R.D9F8D19209AD6
    0x0130: af0c 97d4 0845 0144 3545 4533 3335 4544  .....E.D5EE335ED
    0x0140: 4642 4431 1b12 880f 1f9a 0044 3831 4230  FBD1.......D81B0
    0x0150: 3542 3634 4441 4333 7075 6774 1f9a 0044  5B64DAC3pugt...D
    0x0160: 3643 3146 4535 3832 3033 3330 deb4 5486  6C1FE5820330..T.
    0x0170: 271c 0144 4234 4333 3130 4130 3243 3039  '..DB4C310A02C09
    0x0180: 6a78 7c09 4f7b 0144 3130 3134 3044 3239  jx|.O{.D10140D29
    0x0190: 4537 3234 b623 c1cc 157a 0144 4434 4430  E724.#...z.DD4D0
    0x01a0: 3736 3634 4637 3042 0154 cc65 5c7e 0144  7664F70B.T.e\~.D
    0x01b0: 4535 4137 3030 4330 3536 4137 6eb5 cd70  E5A700C056A7n..p
    0x01c0: 2777 0144 4337 3037 3636 4233 3631 3338  'w.DC70766B36138
    0x01d0: 71f9 2724 1f9a 0044 3832 3031 3232 3039  q.'$...D82012209
    0x01e0: 3836 3431 dca2 f7ac 1f9a 0044 3941 4244  8641.......D9ABD
    0x01f0: 4434 4437 3631 3742 2a5c 039e 0eca 0144  D4D7617B*\.....D
    0x0200: 3137 3541 3834 4634 3844 3438 01cd 7bef  175A84F48D48..{.
    0x0210: 3b1a 0144 4130 3638 3042 3830 3335 3538  ;..DA0680B803558
    ...
•  The payload repeats a 20-byte pattern: 12 ASCII hex characters followed by an IPv4 address, a port and two flag bytes; for example 7146 287a 153d 0144 at offset 0x0090 is 113.70.40.122, port 5437
•  Packets 3-40: CS machines contact the sources encoded in the packet
04:40:45.215588 IP 2.239.95.102.10102 > 113.70.40.122.5437: UDP, length 72
    0x0000: 4500 0064 536f 0000 3f11 ---- 02ef 5f66  E..dSo..?....._f
    0x0010: 7146 287a 2776 153d 0050 1bff 0000 0000  qF(z'v.=.P......
    0x0020: f21e 9a42 4103 55e1 0000 0004 0000 0000  ...BA.U.........
    0x0030: 0038 0000 0001 0000 0000 0028 e469 18ad  .8.........(.i..
    0x0040: ab70 9e6c dad1 d5fe c1c5 d3f7 e0cc 674d  .p.l..........gM
    0x0050: 3336 3050 3030 3638 3531 4534 4230 4442  360P006851E4B0DB
    0x0060: 3433 3044                                430D
Monitoring CS machines
•  More packets are exchanged...
•  and sometimes there is a byte order bug!
04:40:46.877858 IP 113.70.40.122.5437 > 2.239.95.102.10102: UDP, length 30
    0x0000: 4500 003a 6213 0000 2f11 ---- 7146 287a  E..:b.../...qF(z
    0x0010: 02ef 5f66 153d 2776 0026 8a67 0000 0000  .._f.='v.&.g....
    0x0020: a800 0d13 2100 55e1 0149 f488 0134 9733  ....!.U..I...4.3
    0x0030: 0038 0000 0005 0006 0000                 .8........
04:40:46.878016 IP 2.239.95.102.10102 > 122.40.70.113.15637: UDP, length 30
    0x0000: 4500 003a 552d 0000 3f11 ---- 02ef 5f66  E..:U-..?....._f
    0x0010: 7a28 4671 2776 3d15 0026 2c6b 0000 0000  z(Fq'v=..&,k....
    0x0020: 0000 0000 3100 55e1 0000 0000 0000 0000  ....1.U.........
    0x0030: 0000 0000 42d6 0005 0000                 ....B.....
•  The reply goes to 122.40.70.113 port 15637 (bytes 7a28 4671, 3d15) instead of back to 113.70.40.122 port 5437 (7146 287a, 153d): both the address and the port leave with their bytes reversed
•  So 1.2.3.4 receives packets when the intended recipient has IP address 4.3.2.1
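An added example (not Qihoo's code and not from the talk) that reproduces the bug on the captured bytes. The peer-record layout it assumes (12 ASCII characters, then IPv4 address, port and two flag bytes, 20 bytes per record) is inferred from the 1044-byte dump above and is not documented anywhere; the mangling functions show how reading network-order fields as native little-endian integers and then serialising them with htonl/htons reverses every field.

```python
"""Reproduce the byte-order bug seen in the capture.  Added example, not Qihoo's code.
The 1044-byte packet carries a peer list; the record layout used here (12 ASCII
characters, IPv4 address, 16-bit port, 2 flag bytes = 20 bytes per record) is
inferred from the dump on the slide, not documented.  The bug itself: a peer's
address and port arrive in network byte order; if the client loads them as native
little-endian integers and then serialises them "in network order" on the way out,
every field leaves with its bytes reversed, so 113.70.40.122:5437 becomes
122.40.70.113:15637 and 4.3.2.1 becomes 1.2.3.4."""
import socket
import struct
from typing import List, Tuple

# payload bytes at offsets 0x0048-0x010f of the packet shown on the slide (ten records)
PEER_LIST_EXCERPT = bytes.fromhex(
    "3538303344433244"
    "42333937 3cf61925 1f9a0044 31463443"
    "37324334 30394232 7756e0df 1f9a0044"
    "32323134 44454133 46433138 dde8a6ed"
    "67840044 38463731 44374342 33463833"
    "7146287a 153d0144 31314545 33344443"
    "43423035 718f4da1 9d410144 42393631"
    "31393441 43343645 73d74fdc 197a0144"
    "31313537 37363334 39464343 da170f23"
    "27110144 43454539 32423938 31314639"
    "b6f7838b 27740144 41463546 46393333"
    "43464541 b7215ba8 27110144 30393738"
    "30304536 46434144 b622bcb9 ace80144"
)

RECORD = struct.Struct("!12s4sHH")   # assumed layout: id, ip, port (network order), flags


def parse_peer_list(data: bytes) -> List[Tuple[str, str, int, int]]:
    """Split the excerpt into (node_id, ip, port, flags) tuples, reading the port in
    network byte order as the sender intended."""
    peers = []
    for off in range(0, len(data) - RECORD.size + 1, RECORD.size):
        node_id, ip, port, flags = RECORD.unpack_from(data, off)
        peers.append((node_id.decode("ascii"), socket.inet_ntoa(ip), port, flags))
    return peers


def mangle_ipv4(ip: str) -> str:
    """Where a client with the bug sends to: the wire bytes are read as a
    little-endian int (no ntohl), then written back with htonl, which reverses them."""
    wire = socket.inet_aton(ip)                 # e.g. 71 46 28 7a for 113.70.40.122
    native = struct.unpack("<I", wire)[0]       # BUG: '<' where '!' (ntohl) belongs
    return socket.inet_ntoa(struct.pack("!I", native))   # htonl on output: 7a 28 46 71


def mangle_port(port: int) -> int:
    """Same mistake on the 16-bit port: 0x153d (5437) is read as 0x3d15 (15637)."""
    wire = struct.pack("!H", port)
    return struct.unpack("<H", wire)[0]         # BUG: '<' where '!' (ntohs) belongs


def correct_ipv4(ip: str) -> str:
    """The intended code path: ntohl on input, htonl on output, round-trips."""
    wire = socket.inet_aton(ip)
    native = struct.unpack("!I", wire)[0]
    return socket.inet_ntoa(struct.pack("!I", native))


def buggy_destinations(data: bytes) -> List[Tuple[str, int]]:
    """Where a client with the bug actually sends its packets for this peer list."""
    return [(mangle_ipv4(ip), mangle_port(port)) for _, ip, port, _ in parse_peer_list(data)]


if __name__ == "__main__":
    for (_, ip, port, _), (bad_ip, bad_port) in zip(parse_peer_list(PEER_LIST_EXCERPT),
                                                    buggy_destinations(PEER_LIST_EXCERPT)):
        print(f"intended {ip}:{port:<5}  buggy client sends to {bad_ip}:{bad_port}")
```

Because the reversal is an involution, every address in the peer list has exactly one "shadow" address that receives the misdirected traffic, which is why the most popular destination port in the telescope data (39455) is the byte-swapped 8090.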
What software has this bug?

Qihoo 360
•  Verified product usage with CS users
•  360 Total Security Software License and Service Agreement:
   iii) The Upgrade module of the Software uses peer-to-peer ("P2P") technology to improve upgrade speed and efficiency of your bandwidth usage. The P2P technology will cause data to be uploaded, including program modules and the Software's malware definition database, which are used as components of the Software. Your private data will not be uploaded.
   https://www.360totalsecurity.com/en/license/360-total-security/
Qihoo cleanup
•  It took about a month from notification for there to be a significant decrease in packets originating from the bug
Figure: packets from the bug over 2015/2016, annotated "Probably large update events", "Qihoo notified" and "New version on website"
Unknown: Encryption vs. obfuscation
Making the unknown traffic known
•  Further investigation into unknown traffic can reveal the source of the traffic
•  Recall the packet that appeared to have an encrypted payload
•  Lots of traffic to 1 IP address + statistical analysis of bytes + white papers [1] => this packet is Sality C&C
6:00:06.000065 IP 111.248.55.49.51956 > 1.16.56.246.7605: UDP, length 19
    0x0000: 4500 002f 6c48 0000 7011 ---- 6ff8 3731  E../lH..p..Fo.71
    0x0010: 0110 38f6 caf4 1db5 001b 8298 7133 0f00  ,.8.........q3..
    0x0020: 643e c2d4 2cf5 42b5 810f 7f01 5344 1e    d>..,.B.....SD.
•  Slide annotations on the 19-byte UDP payload (it starts at offset 0x001c): the leading bytes 7133 0f00 carry the RC4 key and a related packet length (0x000f = 15, the number of bytes that follow); the remaining 15 bytes on the 0x0020 line are RC4-encrypted
•  Decrypted, the 0x0020 line begins 0382 0000 0003 ....:
   Version: 03
   URL Pack Sequence ID: 0x82000000
   Command: 0x03 (Pack Exchange)
[1] Nicolas Falliere. Sality: Story of a Peer-to-Peer Viral Network. http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/sality_peer_to_peer_viral_network.pdf, 2011.
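An added example, not Sality's code and not from the talk, of why this payload is obfuscated rather than encrypted: the RC4 key is carried in the packet, so anyone holding the packet can decode it. The layout (2-byte key, 2-byte little-endian body length, RC4 body of a version byte, big-endian sequence ID and command byte) is an assumption built from the slide's annotations; check it against the Symantec whitepaper [1] before relying on it. The message in the test is constructed; the captured bytes are included only as an input to try.

```python
"""Decode a Sality-style P2P message whose RC4 key travels in the packet.
Added example, not Sality's code.  The layout below is an ASSUMPTION built from
the slide's annotations: key(2) | body length (LE16) | RC4(key, body) with
body = version(1) | sequence ID (BE32) | command(1) | rest.  The point it
demonstrates is the slide's "encryption vs. obfuscation": no secret is needed."""
import struct
from typing import Dict

# the 19-byte UDP payload from the slide (offset 0x001c onward); decoding it with
# the assumed layout is left to the reader, the result is not verified here
CAPTURED_PAYLOAD = bytes.fromhex("7133 0f00 643e c2d4 2cf5 42b5 810f 7f01 5344 1e")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_message(key: bytes, version: int, seq_id: int, command: int,
                  extra: bytes = b"") -> bytes:
    """Constructed message in the assumed layout: key | len(LE16) | RC4(key, body)."""
    body = bytes([version]) + struct.pack(">I", seq_id) + bytes([command]) + extra
    return key + struct.pack("<H", len(body)) + rc4(key, body)


def decode_message(payload: bytes) -> Dict[str, object]:
    """Recover the fields without any secret: the key is the first two bytes."""
    if len(payload) < 4 + 6:
        raise ValueError("too short for key, length and a 6-byte body header")
    key = payload[:2]
    declared = struct.unpack("<H", payload[2:4])[0]
    encrypted = payload[4:]
    if declared != len(encrypted):
        raise ValueError(f"length field {declared} != {len(encrypted)} body bytes")
    body = rc4(key, encrypted)
    return {
        "key": key.hex(),
        "version": body[0],
        "seq_id": struct.unpack(">I", body[1:5])[0],
        "command": body[5],
        "rest": body[6:],
    }


if __name__ == "__main__":
    sample = build_message(bytes.fromhex("7133"), 3, 0x82000000, 3, b"\x00" * 9)
    print("constructed:", decode_message(sample))
    print("captured (assumed layout, unverified):", decode_message(CAPTURED_PAYLOAD))
```

The statistical test the slide mentions is what separates the two cases in practice: an RC4 body looks uniformly random byte-for-byte, but a fixed-position key and length field in front of it do not, and that structure is what gives the format away.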
Scale of misconfiguration
•  Like BitTorrent, Sality can have bogus information in its hash table that results in many sources sending us packets
•  34 days in 2012: 386k IPs
•  34 days in 2013: 355k IPs
•  Symantec 2011 [1]: ~300k infections
Conclusion
•  It's likely your machines transmit Internet background radiation
•  Network telescopes capture a wealth of security-related data
   •  Including somewhat complex attacks/bugs/misconfigurations
   •  Scanning trends
   •  Attacks on authoritative name servers
   •  BitTorrent index poisoning
   •  Qihoo 360 byte-order bug
   •  Misconfigurations in the Sality botnet