CONFidence 2018: Darknet traffic - what can we learn from nooks and crannies of the internet? (Piotr Bazydło)
0 likes•320 views
The document discusses the analysis of darknet traffic, revealing various packet types including misconfigurations, scanning activities, and exploitation attempts. The researchers received around 25 billion packets monthly from their darknet, consisting of over 100,000 IP addresses, and developed methods to classify and fingerprint malicious actors based on traffic patterns. They highlight the importance of recognizing packet generation algorithms in understanding attacks and operational insights from darknet analysis combined with other data sources.
![Russian watchodg - another attack
On 19.04 – another attack.
Still SYN FLOOD and ACK mitigation technique.
However, we have received ICMP packets signalizing ACK
FLOOD.
Destination Port = 0
SEQ[3:4] = 0 AND ACK[3:4] = 0](https://image.slidesharecdn.com/confidencepbv3darknet-180608072918/85/CONFidence-2018-Darknet-traffic-what-can-we-learn-from-nooks-and-crannies-of-the-internet-Piotr-Bazydlo-46-320.jpg)
![Why even bother?
Let’s compare SYN FLOOD packet
generation, while using legit PGA
and XoR.DDoS botnet PGA.
XoR.DDoS PGA:
IP_ID = SPORT,
SEQ[1:2] = IP_ID.](https://image.slidesharecdn.com/confidencepbv3darknet-180608072918/85/CONFidence-2018-Darknet-traffic-what-can-we-learn-from-nooks-and-crannies-of-the-internet-Piotr-Bazydlo-49-320.jpg)
![Why even bother?
Let’s compare SYN FLOOD packet
generation, while using legit PGA
and XoR.DDoS botnet PGA.
XoR.DDoS PGA:
IP_ID = SPORT,
SEQ[1:2] = IP_ID.
Assuming botnet with 100 000 machines:
2 400 000 more packets per second!](https://image.slidesharecdn.com/confidencepbv3darknet-180608072918/85/CONFidence-2018-Darknet-traffic-what-can-we-learn-from-nooks-and-crannies-of-the-internet-Piotr-Bazydlo-50-320.jpg)
![Signatures everywhere
SYN FLOOD on IP belonging to Google – full of PGA signatures.
1. SPORT = SEQ[1:2]
2. SEQ[3:4] = 0xFFFF
3. SPORT = IP_SRC[3:4]
1
2 3](https://image.slidesharecdn.com/confidencepbv3darknet-180608072918/85/CONFidence-2018-Darknet-traffic-what-can-we-learn-from-nooks-and-crannies-of-the-internet-Piotr-Bazydlo-54-320.jpg)
CONFidence 2018: Darknet traffic - what can we learn from nooks and crannies of the internet? (Piotr Bazydło)
- 1. Piotr Bazydło Darknet traffic – what can we learn from nooks and crannies of the internet Research and Academic Computer Network NASK Work performed during SISSDEN project.
- 2. Often called as „network telescope”. An unused (dark) space of IP addresses. In theory, there should be no network traffic. What is darknet?
- 5. In practice, we can see a lot of different packets: Misconfiguration of network devices/applications. What is darknet?
- 7. In practice, we can see a lot of different packets: Misconfiguration of network devices/applications. Scanning activities. What is darknet?
- 8. Scanning
- 9. Scanning
- 10. In practice, we can see a lot of different packets: Misconfiguration of network devices/applications. Scanning activities. Backscatter from DoS attacks. What is darknet?
- 11. DoS backscatter
- 12. DoS backscatter
- 13. In practice, we can see a lot of different packets: Misconfiguration of network devices/applications. Scanning activities. Backscatter from DoS attacks. Exploitation attempts. What is darknet?
- 15. In practice, we can see a lot of different packets: Misconfiguration of network devices/applications. Scanning activities. Backscatter from DoS attacks. Exploitation attempts. Weird and undefined stuff. What is darknet?
- 16. Our darknet consists of more than 100 000 IP addresses. Statistically, we: Receive about 25 000 000 000 packets per month (80% of packets are TCP packets). What gives us about 800 000 000 packets per day. And more than 500 000 of packets per minute. Some numbers
- 17. How to group these packets? How to analyze them? How to classify them into events? How to define whether event is interesting or not? How to fingerprint responsible actors? Problems
- 18. Detect and analyze DoS attacks. Fingerprint actors/botnets responsible for specific attacks. Observe massive scan campaigns and observe responsible actors. Observe botnets actions. Forecast exploitation campaigns and even 0-day exploits. Detect new signatures (Packet Generation Algorithm) in network traffic. And other related actions. Okay, so what can we do with this traffic?
- 19. Geographical distribution of packets
- 21. Packets with SEQ = IP_DST
- 25. Let’s fingerprint! In total, about 45 000 unique IP addresses were fingerprinted (IoC).
- 28. Change of tactics We can see that Satori has started to exploit different ports/devices.
- 29. Memcached
- 31. Memcached Github 1.3 Tbps DoS Reported 1.7 Tbps DoS
- 32. Memcached Github 1.3 Tbps DoS Reported 1.7 Tbps DoS
- 33. Day 1 – 20.02 (patient zero?) Only 3 IP addresses – all located in the UK. All 3 IP addresses within the same host – DigitalOcean. Whole scan lasted about 25 minutes. Only two source ports used (34860 and 43493). One payload used (stats slabs with some additions).
- 34. Day 4 – 23.02 Only 2 IP addresses – UK and Singapore. UK IP – the same as on 20.02. Singapore ASN: Alibaba (China) Technology Co., Ltd. Only two source ports used (34765 and 45931). Guess what – still the same payload for both IP addresses. Conclusion – we are probably still dealing with the single actor.
- 35. Day 5 – 24.02 (new kid on the block?) Only 1 IP addresses – USA. ASN: AS27176 DataWagon LLC. Source ports seems to be randomized. New payload has been used. Scan lasted longer (about 3 hours). Looks like we have a new actor.
- 36. And so on… Pre-github scanners. About 60 IP addresses. Several scanning patterns.
- 37. After github DoS scanners. About 315 IP addresses. Multiple different scanning patterns.
- 38. How can we define patterns? Unique payloads types. Unique source ports generation scheme. Pairs of characteristics eg. source ports→ payload→ timeline. And others.
- 39. How can we defined patterns?
- 40. How can we defined patterns?
- 41. Source Port = 22122 One IP from France. ASN: AS12876 Online S.a.s.
- 42. Source Port = 11211 56 IPs from USA. ASN: AS10439 CariNet Pretty well organized (scan performed by many IPs). The same payload.
- 43. Telegram ban in Russia
- 44. Indeed – it’s a hit - source port 443
- 46. Russian watchodg - another attack On 19.04 – another attack. Still SYN FLOOD and ACK mitigation technique. However, we have received ICMP packets signalizing ACK FLOOD. Destination Port = 0 SEQ[3:4] = 0 AND ACK[3:4] = 0
- 47. PGA Packet Generation Algorithm (firstly mentioned by 360Netlab). Tools and malware often utilize different PGA in order to simplify/fasten packet generation procedure. We have developed tool for the automatic detection of various PGA signatures. Usually, based on some simple operations (bytes swaping, incrementation, values hardcoding and others). Usually seen during scanning or DoSing actions. However, PGA was also spotted during C2 communication.
- 48. PGA
- 49. Why even bother? Let’s compare SYN FLOOD packet generation, while using legit PGA and XoR.DDoS botnet PGA. XoR.DDoS PGA: IP_ID = SPORT, SEQ[1:2] = IP_ID.
- 50. Why even bother? Let’s compare SYN FLOOD packet generation, while using legit PGA and XoR.DDoS botnet PGA. XoR.DDoS PGA: IP_ID = SPORT, SEQ[1:2] = IP_ID. Assuming botnet with 100 000 machines: 2 400 000 more packets per second!
- 51. Mirai – ingenious scanning SEQ = DST_IP Faster. Doesn’t have to store information about sent packets, as it can only compare IP and ACK of incoming packet.
- 52. Is XoR.DDoS easily traceable? Not really, as in SYN-ACK packets we lose information about IP_ID used in PGA. We can compare DPORT and ACK in SYN-ACK packets. However, we sometimes receive ICMP packets with spoofed packet included in the payload – in this case, we can identify whole signature.
- 53. Signatures everywhere SYN FLOOD on IP belonging to Google – full of PGA signatures.
- 54. Signatures everywhere SYN FLOOD on IP belonging to Google – full of PGA signatures. 1. SPORT = SEQ[1:2] 2. SEQ[3:4] = 0xFFFF 3. SPORT = IP_SRC[3:4] 1 2 3
- 55. Summary Darknet is great, but it has its limitations. We are observing a lot of different attacks, malicious activities and botnets. We are especially interested in linking PGA signatures to particular malware or tools. Results from darknet traffic analysis + data from other sources (sandboxes, honeypots and others) = a lot of operational info!
- 56. Other people involved in the presented work: Adrian Korczak (NASK) - development. Mateusz Goniprowski (NASK) – development. Krzysztof Lasota – consultations. Paweł Pawliński (CERT PL/NASK) – consultations. 360Netlab – PGA idea and intelligence.
- 57. This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 700176. Thank you for your attention. Twitter: @chudyPB https://sissden.eu/blog SISSDEN