Agenda Introduction. What is Malicious traffic. Malicious traffic types. Malicious traffic detection and prevention. Conclusion.
Introduction As the Internet becomes more mature, management of its resources to provide guaranteed services is crucial. The success of the Internet has also increased its exposure to misuse and performance problems.
Introduction It is frequently abused, mostly by people with hostile intentions. Users face attacks of many kinds: viruses, worms and, most commonly, a flood of spam mail every day.
Malicious Traffic It is hard to detect malicious packets and distinguish them from legitimate packets in the traffic. The behavior of Internet traffic is far from regular: it shows large variations in throughput at all time scales, so a burst by itself is not proof of an attack.
Malicious Traffic Traffic anomalies range from those caused by hardware or software failures to packets whose options have been deliberately modified for malicious purposes. A large share of malicious traffic is generated by what are called botnets.
Malicious Traffic: Botnets
Malicious Traffic Detection starts with monitoring the flow of packets. Malicious traffic usually exhausts legitimate resources by sending large volumes of traffic. Monitoring traffic destined for unused addresses in the network is especially valuable: no legitimate host sends there, so such packets almost always come from scanners or misconfiguration.
Scanners Single source. Strikes the same port on many machines (horizontal scan), or different ports on the same machine (vertical scan). Generates a lot of flows, most of them short and unanswered.
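The two scan shapes described above, plus the unused-address check from the previous slide, can be detected from plain flow records (source, destination, destination port). The following is an added example, not code from the original presentation; the flow records, the unused-address block and the thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample flow records (src, dst, dport); not from the page.
SAMPLE_FLOWS = [
    ("203.0.113.7", f"10.0.0.{i}", 22) for i in range(1, 41)   # horizontal: one port, many hosts
] + [
    ("198.51.100.9", "10.0.0.5", p) for p in range(1, 61)      # vertical: many ports, one host
] + [
    ("10.0.0.2", "10.0.0.3", 443),                             # ordinary traffic
    ("10.0.0.2", "10.0.0.4", 443),
    ("10.0.0.8", "10.0.0.3", 80),
]

# Addresses in the monitored range that are not assigned to any host (a "darknet").
# Constructed for the example; in practice this comes from the IP address plan.
UNUSED_ADDRESSES = {f"10.0.0.{i}" for i in range(20, 41)}


def detect_scanners(flows, host_threshold=16, port_threshold=16):
    """Return {src: [findings]}.

    A source that reaches more than host_threshold distinct destinations on one port
    is a horizontal scanner; one that touches more than port_threshold distinct ports
    on one destination is a vertical scanner; every contact with an unused address is
    counted as well, since nothing legitimate is sent there.
    """
    hosts_per_port = defaultdict(lambda: defaultdict(set))   # src -> dport -> {dst}
    ports_per_host = defaultdict(lambda: defaultdict(set))   # src -> dst -> {dport}
    darknet_hits = defaultdict(int)

    for src, dst, dport in flows:
        hosts_per_port[src][dport].add(dst)
        ports_per_host[src][dst].add(dport)
        if dst in UNUSED_ADDRESSES:
            darknet_hits[src] += 1

    findings = defaultdict(list)
    for src, by_port in hosts_per_port.items():
        for dport, dsts in by_port.items():
            if len(dsts) > host_threshold:
                findings[src].append(("horizontal", dport, len(dsts)))
    for src, by_host in ports_per_host.items():
        for dst, ports in by_host.items():
            if len(ports) > port_threshold:
                findings[src].append(("vertical", dst, len(ports)))
    for src, n in darknet_hits.items():
        findings[src].append(("unused-address", n))
    return dict(findings)


if __name__ == "__main__":
    for src, hits in detect_scanners(SAMPLE_FLOWS).items():
        print(src, hits)
```

The thresholds are deliberately plain counts; a production detector would evaluate them per time window and weight unanswered flows (no reply from the destination) more heavily, since a scanner mostly hits closed ports and dark addresses.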
Worms A self-replicating program that does not alter files but resides in active memory and copies itself to other hosts. The CodeRed worm infected 395,000 computers and resulted in approximately $2.6 billion in damage. An outbreak shows up as an increase in activity on the targeted service, which is easy to spot if that service is normally low-traffic.
Worms: MyTob Worm, 2005. Copies itself as %System%\msnmsgs.exe. Adds the value "MSN" = "msnmsgs.exe" to the registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\OLE
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa
so that W32.Mytob@mm runs every time Windows starts.
[Figure: infection diagram with an IRC Server, a User Zone and a Server Zone]
Malicious Spam Spamming floods the network with a huge volume of unsolicited email messages, forcing mail servers and users to receive them. Malicious spam carries malware or links to malicious sites.
Backscatter Bounce messages for email that the recipient never sent. The spammer forges the sender address (the envelope sender, to which bounces are delivered; sometimes described loosely as the Reply-To). When the receiving server rejects the spam, the bounce goes to the forged address rather than to the spammer. Used to slip spam past filters, since bounces arrive from legitimate mail servers, and to mount DoS attacks on the forged address.
DoS, DDoS Generate a huge amount of adverse traffic toward a target server to make it unavailable, attempting to exhaust the victim's resources. They are difficult to detect and prevent because the traffic often looks like legitimate requests. DDoS attacks are launched simultaneously from many sources, typically a botnet, all destined for the same target.
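One practical defence against the backscatter described two slides earlier is to tag every outgoing envelope sender with a keyed MAC and to accept bounces only for addresses that carry a valid, unexpired tag; a forged sender never has one, so the bounce is refused at the SMTP RCPT stage. The following is an added example modelled loosely on the BATV "prvs" address format; it is not code from the presentation, and the key, the 3-digit day field and the 6-hex-character tag length are choices made for this example.

```python
import hashlib
import hmac
import time

# Constructed key for the example; in deployment load it from a secret store.
SECRET = b"example-key-do-not-use"


def _mac(day_field, local, domain, key):
    msg = f"{day_field}={local}@{domain}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:6]


def tag_sender(local, domain, day=None, key=SECRET):
    """Return the tagged envelope sender to use in MAIL FROM for outgoing mail.

    The tag binds the address to a day number (mod 1000, as in BATV) so that a
    harvested tag stops working after the acceptance window.
    """
    day = int(time.time() // 86400) if day is None else day
    day_field = f"{day % 1000:03d}"
    return f"prvs={day_field}{_mac(day_field, local, domain, key)}={local}@{domain}"


def is_valid_bounce_target(address, today=None, window=7, key=SECRET):
    """Check the RCPT TO address of an inbound bounce (a message with an empty
    envelope sender). True only if we produced the tag within the last `window` days.
    Everything else, including the plain untagged address, is backscatter."""
    today = int(time.time() // 86400) if today is None else today
    if not address.startswith("prvs="):
        return False
    try:
        _, tag, rest = address.split("=", 2)
        local, domain = rest.rsplit("@", 1)
    except ValueError:
        return False
    if len(tag) != 9:
        return False
    day_field, mac = tag[:3], tag[3:]
    for delta in range(window + 1):
        if f"{(today - delta) % 1000:03d}" == day_field:
            expected = _mac(day_field, local, domain, key)
            return hmac.compare_digest(mac, expected)
    return False


if __name__ == "__main__":
    addr = tag_sender("alice", "example.org")
    print(addr, is_valid_bounce_target(addr), is_valid_bounce_target("alice@example.org"))
```

The receiving MTA applies the check only when the envelope sender is empty (a DSN); ordinary mail to the untagged address is unaffected. The trade-off is that every bounce-generating path in the organisation must go through the tagging MTA, or legitimate bounces to untagged senders will be dropped as well.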
Malicious traffic Detection and Prevention Anomaly detection techniques. Signature-scan techniques. Intrusion detection and prevention systems. QoS metrics. Tools such as Snort. Network filters such as ACLs. Honeypots.
Anomaly detection techniques Differentiate between normal and malicious traffic by studying the normal behavior of users and resources, building a profile of that activity, and treating any behavior that deviates significantly from the profile as suspicious. They can catch attacks with no known signature, but the profile must be learned from clean traffic, and a false-positive rate follows from how tightly "normal" is defined.
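As an added example (not from the presentation), the following learns a per-interval profile of SYN counts toward one server and then flags a DoS-like burst of the kind described on the DoS/DDoS slide. The sample counts are constructed, and the 4-sigma threshold and two-interval run requirement are choices made here, not values from the page.

```python
import statistics

# Constructed per-second counts of TCP SYNs arriving at one server.
# NORMAL is the learning window; BURST contains a SYN flood in the middle.
NORMAL = [40, 52, 47, 38, 61, 55, 43, 49, 58, 44] * 6
BURST = [50, 46, 900, 1200, 1500, 1400, 1300, 55, 48, 52]


def build_profile(samples, k=4.0):
    """Profile of normal behavior: mean, standard deviation and the alert threshold
    mean + k*sd. Must be built from traffic known to be clean; an attacker who ramps
    up slowly while the profile is being learned would raise the threshold."""
    mean = statistics.fmean(samples)
    sd = statistics.pstdev(samples)
    return {"mean": mean, "sd": sd, "threshold": mean + k * sd}


def detect_anomalies(samples, profile, min_run=2):
    """Return (start, end) index ranges where the count stays above the threshold
    for at least min_run consecutive intervals. The run requirement suppresses the
    one-off spikes that bursty but legitimate traffic produces."""
    runs, start = [], None
    for i, x in enumerate(samples):
        above = x > profile["threshold"]
        if above and start is None:
            start = i
        elif not above and start is not None:
            if i - start >= min_run:
                runs.append((start, i - 1))
            start = None
    if start is not None and len(samples) - start >= min_run:
        runs.append((start, len(samples) - 1))
    return runs


if __name__ == "__main__":
    profile = build_profile(NORMAL)
    print("threshold %.1f SYN/s" % profile["threshold"])
    print("anomalous intervals:", detect_anomalies(BURST, profile))
```

A real deployment would keep one profile per service and per time of day, since a web server's normal rate at noon and at 3 a.m. differ by far more than four standard deviations.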
Signature-scan techniques Use a database of stored attack signatures. Network traffic is scanned passively, and any pattern that matches a stored signature is flagged as malicious. Effective for known attacks, but blind to new attacks and to variants whose signature has not yet been added to the database.
Intrusion detection and prevention systems Software or hardware designed to detect and prevent malicious attacks or activity on the network. They monitor the network traffic, analyze suspicious events, log them and report them to the network administrator for action; a prevention system (IPS) sits inline and can also drop the offending packets.
QoS metrics Studying the behavior of the network under normal conditions and under attack, and extracting parameters such as throughput, delay, jitter and packet loss from the traffic. A sudden degradation in these metrics is itself an indicator of malicious traffic.
Snort An open source tool used to build intrusion detection systems. It performs real-time analysis of network traffic against a rule set, and as an IDS it monitors the traffic, analyzes it and informs the network administrator of suspicious activity.
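The signature-scan approach and the rule-driven matching Snort performs are illustrated by the added example below, which is not code from the presentation or from the Snort project. It parses a small subset of Snort's rule syntax (only the header and the msg, content and sid options; real rules carry many more options, and content values containing a semicolon are not handled) and runs constructed packets through it. The first rule's content is modelled on the well-known Code Red probe, the second on an executable mail attachment of the kind a mass-mailing worm sends.

```python
import re

# Constructed rules in a small subset of Snort's rule syntax.
RULES = '''
alert tcp any any -> any 80 (msg:"Code Red style default.ida request"; content:"GET /default.ida?"; sid:1000001;)
alert tcp any any -> any 25 (msg:"Executable attachment in mail"; content:"Content-Type: application/x-msdownload"; sid:1000002;)
'''

# action proto src sport -> dst dport (options)
RULE_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)$')


def parse_rules(text):
    """Parse rule lines into dicts; raises on anything outside the supported subset."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsable rule: {line}")
        action, proto, src, sport, dst, dport, opts = m.groups()
        options = {}
        for opt in filter(None, (o.strip() for o in opts.split(";"))):
            key, _, val = opt.partition(":")
            options[key] = val.strip().strip('"')
        rules.append({
            "action": action, "proto": proto, "dport": dport,
            "msg": options["msg"],
            "content": options["content"].encode(),   # byte pattern searched for in the payload
            "sid": int(options["sid"]),
        })
    return rules


def match_packet(rules, proto, dport, payload):
    """Return the sids of all rules whose header and content pattern match the packet."""
    hits = []
    for r in rules:
        if r["proto"] not in ("any", proto):
            continue
        if r["dport"] != "any" and int(r["dport"]) != dport:
            continue
        if r["content"] in payload:
            hits.append(r["sid"])
    return hits


# Constructed packets: (proto, destination port, payload).
PACKETS = [
    ("tcp", 80, b"GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0\r\n"),
    ("tcp", 80, b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n"),
    ("tcp", 8080, b"GET /default.ida?NNNN HTTP/1.0\r\n"),   # same payload, wrong port: no alert
    ("tcp", 25, b'Content-Type: application/x-msdownload; name="msnmsgs.exe"\r\n'),
]


def scan(rules, packets):
    return [match_packet(rules, *p) for p in packets]


if __name__ == "__main__":
    rules = parse_rules(RULES)
    for pkt, hits in zip(PACKETS, scan(rules, PACKETS)):
        print(pkt[1], hits)
```

The third packet shows the main limitation of signature matching: the pattern is bound to the port in the rule header, so the same exploit on a non-standard port goes unnoticed unless the rule is widened, and a trivially mutated payload (a changed request path) produces no alert at all.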
ACLs Installed in routers and firewalls; packet headers are matched against an ordered list of rules and the pre-defined action of the first matching rule is applied. Packets that match no rule fall through to the implicit deny at the end of the list, so rule order determines the result.
Honeypots "A security resource whose value lies in being probed, attacked or compromised" (Lance Spitzner). A honeypot has no production use, so any attempt to interact with it indicates malicious activity or an attack.
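The first-match semantics just described are easy to get wrong when rules are reordered, so the following added example (not from the presentation; the ACL entries and packets are constructed) evaluates an extended-style ACL and shows where ordering changes the verdict.

```python
import ipaddress

# Constructed ACL in the spirit of a router extended ACL: entries are evaluated in
# order, the first match wins, and an implicit deny applies when nothing matches.
ACL = [
    {"action": "permit", "proto": "tcp", "src": "0.0.0.0/0",  "dst": "10.0.0.5/32", "dport": 443},
    {"action": "deny",   "proto": "tcp", "src": "0.0.0.0/0",  "dst": "10.0.0.0/24", "dport": 23},
    {"action": "permit", "proto": "any", "src": "10.0.0.0/24", "dst": "10.0.0.0/24", "dport": None},
]


def evaluate(acl, proto, src, dst, dport):
    """Return (action, index of the matching entry), or ("deny", None) for the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, e in enumerate(acl):
        if e["proto"] not in ("any", proto):
            continue
        if s not in ipaddress.ip_network(e["src"]):
            continue
        if d not in ipaddress.ip_network(e["dst"]):
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"], i
    return "deny", None


# Constructed test packets: (proto, src, dst, dport).
PACKETS = [
    ("tcp", "203.0.113.4", "10.0.0.5", 443),   # public HTTPS to the server: permitted by entry 0
    ("tcp", "203.0.113.4", "10.0.0.5", 23),    # telnet from outside: denied by entry 1
    ("tcp", "10.0.0.2",    "10.0.0.9", 23),    # telnet inside the LAN: entry 1 fires before entry 2
    ("udp", "10.0.0.2",    "10.0.0.9", 53),    # DNS inside the LAN: entry 2
    ("tcp", "203.0.113.4", "10.0.0.9", 80),    # no entry matches: implicit deny
]

if __name__ == "__main__":
    for p in PACKETS:
        print(p, "->", evaluate(ACL, *p))
```

Swapping entries 1 and 2 would silently allow intra-LAN telnet, which is why ACL changes are best checked with a packet set like the one above rather than by reading the list.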
Conclusion Malicious traffic covers traffic anomalies ranging from those caused by failures to packets intentionally modified for malicious purposes. By studying malicious attacks we gain a better understanding of malicious traffic and of how to detect and prevent these attacks. Greater awareness of the importance of security will help mitigate misuse of the Internet.