SlideShare a Scribd company logo

Os Rash

oscon2007
oscon2007
Technology
1 of 40
Iptables Attack Visualization Michael Rash Security Architect Enterasys Networks, Inc. http://www.cipherdyne.org/ OSCON 2007­07­26   Copyright (C) 2007 Michael Rash 1
Agenda Why visualize iptables log data? ● context and change – iptables log message formats and data  – completeness New psad­2.0.8 release with Gnuplot interface ● Honeynet Project Scan34 iptables  ● visualizations (see http://www.honeynet.org) Gnuplot – AfterGlow –   Copyright (C) 2007 Michael Rash 2
Why Visualize Data? Consider the following set of values (each value  ● represents the number of packets to unique  TCP ports per minute): 5, 4, 2, 1, 3, 4, 55, 58, 70, 85, 120, 9, 2, 3, 1, 5, 4   Copyright (C) 2007 Michael Rash 3
Seeing the Trend   Copyright (C) 2007 Michael Rash 4
Graph Types Gnuplot ● Dots, points, lines through points – Good at seeing  – trends and relationships in large data sets (>  100,000 points) 3D mode with interactive viewing – AfterGlow ● Link Graphs – Good at expressing network  – relationships with IP addresses    Copyright (C) 2007 Michael Rash 5
Iptables Log Data Graphs will only be as good as the data source  ● permits Iptables logs include nearly every interesting  ● field for both the network and transport layer  headers – we just need an effective way to  parse and then visualize this data Iptables log messages can be tied to  ● application layer string matches via the string  match extension (see fwsnort)   Copyright (C) 2007 Michael Rash 6
iptables IP Header Coverage   Copyright (C) 2007 Michael Rash 7
iptables TCP Header Coverage   Copyright (C) 2007 Michael Rash 8
iptables TCP Log Message Jul 11 20:21:22 minastirith kernel: [199]  SID1361 ESTAB IN=eth1 OUT=  MAC=00:13:d3:38:b6:e4:00:13:46:c2:60:44:08:0 0 SRC=192.168.10.3 DST=192.168.10.1 LEN=60  TOS=0x00 PREC=0x00 TTL=63 ID=11112 DF  PROTO=TCP SPT=28778 DPT=80 WINDOW=5840  RES=0x00 ACK PSH URGP=0 OPT  (0101080A02A041D20CC386B1)   Copyright (C) 2007 Michael Rash 9
iptables UDP Header Coverage   Copyright (C) 2007 Michael Rash 10
iptables UDP Log Message Jul 11 20:50:54 minastirith kernel: [153]  SID2001597 IN=eth0 OUT=  MAC=00:13:d3:38:b6:e4:00:13:46:c2:60:44:08:0 0 SRC=192.168.10.3 DST=192.168.10.1 LEN=40  TOS=0x00 PREC=0x00 TTL=63 ID=29758 DF  PROTO=UDP SPT=32046 DPT=61 LEN=20   Copyright (C) 2007 Michael Rash 11
iptables ICMP Header Coverage   Copyright (C) 2007 Michael Rash 12
iptables ICMP Log Message Jul 11 20:57:18 minastirith kernel: [98]  SID2003294 IN=eth0 OUT=  MAC=00:13:d3:38:b6:e4:00:13:46:c2:60:44:08:0 0 SRC=192.168.10.3 DST=192.168.10.1 LEN=128  TOS=0x00 PREC=0x00 TTL=63 ID=53466  PROTO=ICMP TYPE=8 CODE=0 ID=27459 SEQ=0   Copyright (C) 2007 Michael Rash 13
psad­2.0.8 release Interfaces with Gnuplot – parses iptables log data  ● according to header field requirements and builds both a  data file and a directives file for Gnuplot Various counting modes are supported across different  ● time scales Granular requirements on iptables field values (including  ● negation) Gnuplot works best with integer data (separated by  ● commas or spaces), so IP addresses need to be  translated into integer equivalents   Copyright (C) 2007 Michael Rash 14
psad­2.0.8 release (cont'd) psad ­­gnuplot command line arguments: ●     ­­gnuplot­graph­style ­ “points”, “dots”, “linespoints”     ­­gnuplot­file­prefix ­ <file>.gnu, <file>.dat, <file>.png     ­­gnuplot­title – Graph title (used for psad command line)     ­­gnuplot­sort­style – time sorting vs. value sorting     ­­gnuplot­3D – Use “splot” for three­dimensional viewing     ­­gnuplot­view – Set viewing angle   Copyright (C) 2007 Michael Rash 15
The Honeynet Scan34 Data Set The goal of a Honeynet is to collect data on real  ● compromises – packet traces and log data is an excellent  learning tool Over 170,000 lines of iptables log data in the Scan34  ● challenge – covers a five week period Contains evidence of port scans, port sweeps, worm traffic  ● (Slammer, Nachi), and an outright compromise of a  system – we will visualize these graphically All IP addresses are sanitized to 11.11.0.0/16 ● http://www.honeynet.org/ ●   Copyright (C) 2007 Michael Rash 16
Port Scans Packets to many different ports from a single  ● source address Not just SYN packets, think of Nmap ­sF, ­sN,  ● ­sX, ­sA, (also ­sU for UDP) Visualize with IP address vs. the number of  ● packets to unique ports   Copyright (C) 2007 Michael Rash 17
psad Command psad ­m iptables.data ­­gnuplot ­­ CSV­fields “src:not11.11.0.0/16  dp:countuniq” ­­gnuplot­graph points  ­­gnuplot­xrange 0:26500 –gnuplot­ file­prefix portscan   Copyright (C) 2007 Michael Rash 18
Visualizing Port Scans (IP vs.  Packet Count to Unique Ports)   Copyright (C) 2007 Michael Rash 19
psad Gnuplot data files # Generated by psad v2.0.8 (file revision: 2092) # Command line: 'psad ­m iptables.data ­­gnuplot ­­CSV­fields src:not11.11.0.0/16  dp:countuniq ­­gnuplot­graph points ­­gnuplot­xrange 0:26500 ­­gnuplot­file­prefix  portscan ­­use­store portscan.store' # Time stamp:  Sun Jul  8 13:43:28 2007 905, 66  ### 905=60.248.80.102  12415, 10  ### 12415=63.135.2.15  15634, 10  ### 15634=63.186.32.94  24950, 10  ### 24950=218.85.9.143  16374, 8  ### 16374=63.204.104.150    Copyright (C) 2007 Michael Rash 20
When Did the Heaviest Scan  Occur?   Copyright (C) 2007 Michael Rash 21
psad Analysis of Scanner:  60.248.80.102 psad ­m iptables.data ­A ­­analysis­fields quot;src:60.248.80.102quot; SRC:  60.248.80.102, DL: 2, Dsts: 1, Pkts: 67, Unique sigs: 3 DST: 11.11.79.125         Scanned ports: UDP 7­43981, Pkts: 53, Chain: FORWARD, Intf: br0         Scanned ports: TCP 68­32783, Pkts: 14, Chain: FORWARD, Intf: br0         Signature match: quot;POLICY vncviewer Java applet download attemptquot;         TCP, Chain: FORWARD, Count: 1, DP: 5802, SYN, Sid: 1846         Signature match: quot;PSAD­CUSTOM Slammer communication attemptquot;         UDP, Chain: FORWARD, Count: 1, DP: 1434, Sid: 100208         Signature match: quot;RPC portmap listing UDP 32771quot;         UDP, Chain: FORWARD, Count: 1, DP: 32771, Sid: 1281   Copyright (C) 2007 Michael Rash 22
Port Sweeps Packets to a single port number across many  ● hosts Good evidence of an automated worm (or  ● human) that can exploit a specific vulnerability  in a particular service Visualize with external IP addresses vs.  ● destination ports vs. packet count   Copyright (C) 2007 Michael Rash 23
psad Command psad ­m iptables.data ­­gnuplot ­­ CSV­fields “src:not11.11.0.0/16  dp:count” ­­gnuplot­graph points -- gnuplot-3d ­­gnuplot­view 74,77 ­­ gnuplot­file­prefix portsweep   Copyright (C) 2007 Michael Rash 24
Visualizing Port Sweeps (IP vs.  Destination Port vs. Packet Count)   Copyright (C) 2007 Michael Rash 25
The Top Port Sweeper:  200.216.205.189 vs. TCP/3306   Copyright (C) 2007 Michael Rash 26
The Top Port Sweeper (Link Graph)   Copyright (C) 2007 Michael Rash 27
Slammer Worm Exploited a vulnerability in MS SQL Server  ● 2000 Single 404­byte UDP packet to port 1434 ● One of the fastest spreading worms in history ● Can easily be spoofed – useless to return ICMP  ● port unreachable with your IDS; need to block  the packet with an IPS and patch the  vulnerability   Copyright (C) 2007 Michael Rash 28
Visualizing the Slammer Worm  (UDP 404­byte Packets vs. Hours)   Copyright (C) 2007 Michael Rash 29
Visualizing the Slammer Worm  (UDP 404­byte Packets vs. Minutes)   Copyright (C) 2007 Michael Rash 30
Nachi Worm Exploits Windows 2000 and XP systems that  ● are not patched against the MS03­026  vulnerability Always sends a 92­byte ICMP echo request to  ● a target system before attempting to exploit the  vulnerability This ICMP packet makes the worm easy to  ● detect   Copyright (C) 2007 Michael Rash 31
Nachi Worm (92­Byte ICMP Packet  vs. Hours)   Copyright (C) 2007 Michael Rash 32
  Copyright (C) 2007 Michael Rash 33
Detecting A Compromised System  with Outbound Connections Honeynet systems should not make outbound  ● connections to external networks (except for  administrative or reporting communication with  known addresses) SSH and IRC connections are particularly  ● suspicious   Copyright (C) 2007 Michael Rash 34
Outbound Connections   Copyright (C) 2007 Michael Rash 35
   
Iptables Logging Args When building iptables LOG rules: ● Use ­­log­ip­options – Use ­­log­tcp­sequence – Use ­­log­tcp­options – More attacks can be detected, and operating  – systems can be passively fingerprinted   Copyright (C) 2007 Michael Rash 37
3D Graphing Demo...   Copyright (C) 2007 Michael Rash 38
No Starch Press, Sept 2007   Copyright (C) 2007 Michael Rash 39
Questions? http://www.cipherdyne.org/ mbr@cipherdyne.org   Copyright (C) 2007 Michael Rash 40

Recommended

The Data Center and Hadoop
The Data Center and HadoopThe Data Center and Hadoop
The Data Center and HadoopDataWorks Summit
 
How to Introduce Telemetry Streaming (gNMI) in Your Network with SNMP with Te...
How to Introduce Telemetry Streaming (gNMI) in Your Network with SNMP with Te...How to Introduce Telemetry Streaming (gNMI) in Your Network with SNMP with Te...
How to Introduce Telemetry Streaming (gNMI) in Your Network with SNMP with Te...InfluxData
 
DRP for Big Data - Stream Processing Architectures
DRP for Big Data - Stream Processing ArchitecturesDRP for Big Data - Stream Processing Architectures
DRP for Big Data - Stream Processing ArchitecturesMohamed Mehdi Ben Aissa
 
PhNOG 2019: RPKI Deployment Update
PhNOG 2019: RPKI Deployment UpdatePhNOG 2019: RPKI Deployment Update
PhNOG 2019: RPKI Deployment UpdateAPNIC
 
Nagios Conference 2013 - Troy Lea - Leveraging and Understanding Performance ...
Nagios Conference 2013 - Troy Lea - Leveraging and Understanding Performance ...Nagios Conference 2013 - Troy Lea - Leveraging and Understanding Performance ...
Nagios Conference 2013 - Troy Lea - Leveraging and Understanding Performance ...Nagios
 
Adaptive Query Optimization in 12c
Adaptive Query Optimization in 12cAdaptive Query Optimization in 12c
Adaptive Query Optimization in 12cAnju Garg
 
Os Saintandre
Os SaintandreOs Saintandre
Os Saintandreoscon2007
 
Os Vilain
Os VilainOs Vilain
Os Vilainoscon2007
 

Recommended

The Data Center and Hadoop
The Data Center and HadoopThe Data Center and Hadoop
The Data Center and HadoopDataWorks Summit
 
How to Introduce Telemetry Streaming (gNMI) in Your Network with SNMP with Te...
How to Introduce Telemetry Streaming (gNMI) in Your Network with SNMP with Te...How to Introduce Telemetry Streaming (gNMI) in Your Network with SNMP with Te...
How to Introduce Telemetry Streaming (gNMI) in Your Network with SNMP with Te...InfluxData
 
DRP for Big Data - Stream Processing Architectures
DRP for Big Data - Stream Processing ArchitecturesDRP for Big Data - Stream Processing Architectures
DRP for Big Data - Stream Processing ArchitecturesMohamed Mehdi Ben Aissa
 
PhNOG 2019: RPKI Deployment Update
PhNOG 2019: RPKI Deployment UpdatePhNOG 2019: RPKI Deployment Update
PhNOG 2019: RPKI Deployment UpdateAPNIC
 
Nagios Conference 2013 - Troy Lea - Leveraging and Understanding Performance ...
Nagios Conference 2013 - Troy Lea - Leveraging and Understanding Performance ...Nagios Conference 2013 - Troy Lea - Leveraging and Understanding Performance ...
Nagios Conference 2013 - Troy Lea - Leveraging and Understanding Performance ...Nagios
 
Adaptive Query Optimization in 12c
Adaptive Query Optimization in 12cAdaptive Query Optimization in 12c
Adaptive Query Optimization in 12cAnju Garg
 
Os Saintandre
Os SaintandreOs Saintandre
Os Saintandreoscon2007
 
Os Vilain
Os VilainOs Vilain
Os Vilainoscon2007
 
Os Racicot
Os RacicotOs Racicot
Os Racicotoscon2007
 
Os Capouch
Os CapouchOs Capouch
Os Capouchoscon2007
 
Os Ramani
Os RamaniOs Ramani
Os Ramanioscon2007
 
Os Keller
Os KellerOs Keller
Os Kelleroscon2007
 
Os Oram
Os OramOs Oram
Os Oramoscon2007
 
Os Bernier
Os BernierOs Bernier
Os Bernieroscon2007
 
Programming the PS3
Programming the PS3Programming the PS3
Programming the PS3Olivier Grisel
 
XS Boston 2008 Network Topology
XS Boston 2008 Network TopologyXS Boston 2008 Network Topology
XS Boston 2008 Network TopologyThe Linux Foundation
 
The Art of Grey-Box Attack
The Art of Grey-Box AttackThe Art of Grey-Box Attack
The Art of Grey-Box AttackPrathan Phongthiproek
 
Os Wilhelm
Os WilhelmOs Wilhelm
Os Wilhelmoscon2007
 
The Data Center and Hadoop
The Data Center and HadoopThe Data Center and Hadoop
The Data Center and HadoopMichael Zhang
 
Cisco Connect Toronto 2017 - Model-driven Telemetry
Cisco Connect Toronto 2017 - Model-driven TelemetryCisco Connect Toronto 2017 - Model-driven Telemetry
Cisco Connect Toronto 2017 - Model-driven TelemetryCisco Canada
 
Large-Scale Stream Processing in the Hadoop Ecosystem
Large-Scale Stream Processing in the Hadoop EcosystemLarge-Scale Stream Processing in the Hadoop Ecosystem
Large-Scale Stream Processing in the Hadoop EcosystemGyula Fóra
 
SecZone 2011: Scrubbing SAP clean with SOAP
SecZone 2011: Scrubbing SAP clean with SOAPSecZone 2011: Scrubbing SAP clean with SOAP
SecZone 2011: Scrubbing SAP clean with SOAPChris John Riley
 
Automate Oracle database patches and upgrades using Fleet Provisioning and Pa...
Automate Oracle database patches and upgrades using Fleet Provisioning and Pa...Automate Oracle database patches and upgrades using Fleet Provisioning and Pa...
Automate Oracle database patches and upgrades using Fleet Provisioning and Pa...Nelson Calero
 
شرح مبسط جدا لمنهج سيسكو CCNA
شرح مبسط جدا لمنهج سيسكو CCNAشرح مبسط جدا لمنهج سيسكو CCNA
شرح مبسط جدا لمنهج سيسكو CCNADawood Aqlan
 
Flink sql for continuous sql etl apps & Apache NiFi devops
Flink sql for continuous sql etl apps & Apache NiFi devopsFlink sql for continuous sql etl apps & Apache NiFi devops
Flink sql for continuous sql etl apps & Apache NiFi devopsTimothy Spann
 
Model-driven Telemetry: The Foundation of Big Data Analytics
Model-driven Telemetry: The Foundation of Big Data AnalyticsModel-driven Telemetry: The Foundation of Big Data Analytics
Model-driven Telemetry: The Foundation of Big Data AnalyticsCisco Canada
 
Building CloudScale Networks - AWS Summit Sydney 2018
Building CloudScale Networks - AWS Summit Sydney 2018Building CloudScale Networks - AWS Summit Sydney 2018
Building CloudScale Networks - AWS Summit Sydney 2018Amazon Web Services
 
Using packet-tracer, capture and other Cisco ASA tools for network troublesho...
Using packet-tracer, capture and other Cisco ASA tools for network troublesho...Using packet-tracer, capture and other Cisco ASA tools for network troublesho...
Using packet-tracer, capture and other Cisco ASA tools for network troublesho...Cisco Russia
 
Stress your DUT
Stress your DUTStress your DUT
Stress your DUTRedge Technologies
 
PLNOG20 - Paweł Małachowski - Stress your DUT–wykorzystanie narzędzi open sou...
PLNOG20 - Paweł Małachowski - Stress your DUT–wykorzystanie narzędzi open sou...PLNOG20 - Paweł Małachowski - Stress your DUT–wykorzystanie narzędzi open sou...
PLNOG20 - Paweł Małachowski - Stress your DUT–wykorzystanie narzędzi open sou...PROIDEA
 

More Related Content

Viewers also liked

Viewers also liked (6)

Os Racicot
Os RacicotOs Racicot
Os Racicot
 
Os Capouch
Os CapouchOs Capouch
Os Capouch
 
Os Ramani
Os RamaniOs Ramani
Os Ramani
 
Os Keller
Os KellerOs Keller
Os Keller
 
Os Oram
Os OramOs Oram
Os Oram
 
Os Bernier
Os BernierOs Bernier
Os Bernier
 

Similar to Os Rash

The Data Center and Hadoop
The Data Center and HadoopThe Data Center and Hadoop
The Data Center and HadoopMichael Zhang
 
Cisco Connect Toronto 2017 - Model-driven Telemetry
Cisco Connect Toronto 2017 - Model-driven TelemetryCisco Connect Toronto 2017 - Model-driven Telemetry
Cisco Connect Toronto 2017 - Model-driven TelemetryCisco Canada
 
Large-Scale Stream Processing in the Hadoop Ecosystem
Large-Scale Stream Processing in the Hadoop EcosystemLarge-Scale Stream Processing in the Hadoop Ecosystem
Large-Scale Stream Processing in the Hadoop EcosystemGyula Fóra
 
SecZone 2011: Scrubbing SAP clean with SOAP
SecZone 2011: Scrubbing SAP clean with SOAPSecZone 2011: Scrubbing SAP clean with SOAP
SecZone 2011: Scrubbing SAP clean with SOAPChris John Riley
 
Automate Oracle database patches and upgrades using Fleet Provisioning and Pa...
Automate Oracle database patches and upgrades using Fleet Provisioning and Pa...Automate Oracle database patches and upgrades using Fleet Provisioning and Pa...
Automate Oracle database patches and upgrades using Fleet Provisioning and Pa...Nelson Calero
 
شرح مبسط جدا لمنهج سيسكو CCNA
شرح مبسط جدا لمنهج سيسكو CCNAشرح مبسط جدا لمنهج سيسكو CCNA
شرح مبسط جدا لمنهج سيسكو CCNADawood Aqlan
 
Flink sql for continuous sql etl apps & Apache NiFi devops
Flink sql for continuous sql etl apps & Apache NiFi devopsFlink sql for continuous sql etl apps & Apache NiFi devops
Flink sql for continuous sql etl apps & Apache NiFi devopsTimothy Spann
 
Model-driven Telemetry: The Foundation of Big Data Analytics
Model-driven Telemetry: The Foundation of Big Data AnalyticsModel-driven Telemetry: The Foundation of Big Data Analytics
Model-driven Telemetry: The Foundation of Big Data AnalyticsCisco Canada
 
Building CloudScale Networks - AWS Summit Sydney 2018
Building CloudScale Networks - AWS Summit Sydney 2018Building CloudScale Networks - AWS Summit Sydney 2018
Building CloudScale Networks - AWS Summit Sydney 2018Amazon Web Services
 
Using packet-tracer, capture and other Cisco ASA tools for network troublesho...
Using packet-tracer, capture and other Cisco ASA tools for network troublesho...Using packet-tracer, capture and other Cisco ASA tools for network troublesho...
Using packet-tracer, capture and other Cisco ASA tools for network troublesho...Cisco Russia
 
PLNOG20 - Paweł Małachowski - Stress your DUT–wykorzystanie narzędzi open sou...
PLNOG20 - Paweł Małachowski - Stress your DUT–wykorzystanie narzędzi open sou...PLNOG20 - Paweł Małachowski - Stress your DUT–wykorzystanie narzędzi open sou...
PLNOG20 - Paweł Małachowski - Stress your DUT–wykorzystanie narzędzi open sou...PROIDEA
 
Perf Tuning Best Practices
Perf Tuning Best PracticesPerf Tuning Best Practices
Perf Tuning Best Practicesguest01bbdd
 
Statsd introduction
Statsd introductionStatsd introduction
Statsd introductionRick Chang
 
Model driven telemetry
Model driven telemetryModel driven telemetry
Model driven telemetryCisco Canada
 
Dynamic Service Chaining
Dynamic Service Chaining Dynamic Service Chaining
Dynamic Service Chaining Tail-f Systems
 

Similar to Os Rash (20)

Programming the PS3
Programming the PS3Programming the PS3
Programming the PS3
 
XS Boston 2008 Network Topology
XS Boston 2008 Network TopologyXS Boston 2008 Network Topology
XS Boston 2008 Network Topology
 
The Art of Grey-Box Attack
The Art of Grey-Box AttackThe Art of Grey-Box Attack
The Art of Grey-Box Attack
 
Os Wilhelm
Os WilhelmOs Wilhelm
Os Wilhelm
 
The Data Center and Hadoop
The Data Center and HadoopThe Data Center and Hadoop
The Data Center and Hadoop
 
Cisco Connect Toronto 2017 - Model-driven Telemetry
Cisco Connect Toronto 2017 - Model-driven TelemetryCisco Connect Toronto 2017 - Model-driven Telemetry
Cisco Connect Toronto 2017 - Model-driven Telemetry
 
Large-Scale Stream Processing in the Hadoop Ecosystem
Large-Scale Stream Processing in the Hadoop EcosystemLarge-Scale Stream Processing in the Hadoop Ecosystem
Large-Scale Stream Processing in the Hadoop Ecosystem
 
SecZone 2011: Scrubbing SAP clean with SOAP
SecZone 2011: Scrubbing SAP clean with SOAPSecZone 2011: Scrubbing SAP clean with SOAP
SecZone 2011: Scrubbing SAP clean with SOAP
 
Automate Oracle database patches and upgrades using Fleet Provisioning and Pa...
Automate Oracle database patches and upgrades using Fleet Provisioning and Pa...Automate Oracle database patches and upgrades using Fleet Provisioning and Pa...
Automate Oracle database patches and upgrades using Fleet Provisioning and Pa...
 
شرح مبسط جدا لمنهج سيسكو CCNA
شرح مبسط جدا لمنهج سيسكو CCNAشرح مبسط جدا لمنهج سيسكو CCNA
شرح مبسط جدا لمنهج سيسكو CCNA
 
Flink sql for continuous sql etl apps & Apache NiFi devops
Flink sql for continuous sql etl apps & Apache NiFi devopsFlink sql for continuous sql etl apps & Apache NiFi devops
Flink sql for continuous sql etl apps & Apache NiFi devops
 
Model-driven Telemetry: The Foundation of Big Data Analytics
Model-driven Telemetry: The Foundation of Big Data AnalyticsModel-driven Telemetry: The Foundation of Big Data Analytics
Model-driven Telemetry: The Foundation of Big Data Analytics
 
Building CloudScale Networks - AWS Summit Sydney 2018
Building CloudScale Networks - AWS Summit Sydney 2018Building CloudScale Networks - AWS Summit Sydney 2018
Building CloudScale Networks - AWS Summit Sydney 2018
 
Using packet-tracer, capture and other Cisco ASA tools for network troublesho...
Using packet-tracer, capture and other Cisco ASA tools for network troublesho...Using packet-tracer, capture and other Cisco ASA tools for network troublesho...
Using packet-tracer, capture and other Cisco ASA tools for network troublesho...
 
Stress your DUT
Stress your DUTStress your DUT
Stress your DUT
 
PLNOG20 - Paweł Małachowski - Stress your DUT–wykorzystanie narzędzi open sou...
PLNOG20 - Paweł Małachowski - Stress your DUT–wykorzystanie narzędzi open sou...PLNOG20 - Paweł Małachowski - Stress your DUT–wykorzystanie narzędzi open sou...
PLNOG20 - Paweł Małachowski - Stress your DUT–wykorzystanie narzędzi open sou...
 
Perf Tuning Best Practices
Perf Tuning Best PracticesPerf Tuning Best Practices
Perf Tuning Best Practices
 
Statsd introduction
Statsd introductionStatsd introduction
Statsd introduction
 
Model driven telemetry
Model driven telemetryModel driven telemetry
Model driven telemetry
 
Dynamic Service Chaining
Dynamic Service Chaining Dynamic Service Chaining
Dynamic Service Chaining
 

More from oscon2007

J Ruby Whirlwind Tour
J Ruby Whirlwind TourJ Ruby Whirlwind Tour
J Ruby Whirlwind Touroscon2007
 
Solr Presentation5
Solr Presentation5Solr Presentation5
Solr Presentation5oscon2007
 
Os Fitzpatrick Sussman Wiifm
Os Fitzpatrick Sussman WiifmOs Fitzpatrick Sussman Wiifm
Os Fitzpatrick Sussman Wiifmoscon2007
 
Performance Whack A Mole
Performance Whack A MolePerformance Whack A Mole
Performance Whack A Moleoscon2007
 
Os Lanphier Brashears
Os Lanphier BrashearsOs Lanphier Brashears
Os Lanphier Brashearsoscon2007
 
Os Fitzpatrick Sussman Swp
Os Fitzpatrick Sussman SwpOs Fitzpatrick Sussman Swp
Os Fitzpatrick Sussman Swposcon2007
 
Os Berlin Dispelling Myths
Os Berlin Dispelling MythsOs Berlin Dispelling Myths
Os Berlin Dispelling Mythsoscon2007
 
Os Keysholistic
Os KeysholisticOs Keysholistic
Os Keysholisticoscon2007
 
Os Jonphillips
Os JonphillipsOs Jonphillips
Os Jonphillipsoscon2007
 
Os Urnerupdated
Os UrnerupdatedOs Urnerupdated
Os Urnerupdatedoscon2007
 

More from oscon2007 (20)

J Ruby Whirlwind Tour
J Ruby Whirlwind TourJ Ruby Whirlwind Tour
J Ruby Whirlwind Tour
 
Solr Presentation5
Solr Presentation5Solr Presentation5
Solr Presentation5
 
Os Borger
Os BorgerOs Borger
Os Borger
 
Os Harkins
Os HarkinsOs Harkins
Os Harkins
 
Os Fitzpatrick Sussman Wiifm
Os Fitzpatrick Sussman WiifmOs Fitzpatrick Sussman Wiifm
Os Fitzpatrick Sussman Wiifm
 
Os Bunce
Os BunceOs Bunce
Os Bunce
 
Yuicss R7
Yuicss R7Yuicss R7
Yuicss R7
 
Performance Whack A Mole
Performance Whack A MolePerformance Whack A Mole
Performance Whack A Mole
 
Os Fogel
Os FogelOs Fogel
Os Fogel
 
Os Lanphier Brashears
Os Lanphier BrashearsOs Lanphier Brashears
Os Lanphier Brashears
 
Os Tucker
Os TuckerOs Tucker
Os Tucker
 
Os Fitzpatrick Sussman Swp
Os Fitzpatrick Sussman SwpOs Fitzpatrick Sussman Swp
Os Fitzpatrick Sussman Swp
 
Os Furlong
Os FurlongOs Furlong
Os Furlong
 
Os Berlin Dispelling Myths
Os Berlin Dispelling MythsOs Berlin Dispelling Myths
Os Berlin Dispelling Myths
 
Os Kimsal
Os KimsalOs Kimsal
Os Kimsal
 
Os Pruett
Os PruettOs Pruett
Os Pruett
 
Os Alrubaie
Os AlrubaieOs Alrubaie
Os Alrubaie
 
Os Keysholistic
Os KeysholisticOs Keysholistic
Os Keysholistic
 
Os Jonphillips
Os JonphillipsOs Jonphillips
Os Jonphillips
 
Os Urnerupdated
Os UrnerupdatedOs Urnerupdated
Os Urnerupdated
 

Recently uploaded

Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 

Recently uploaded (20)

Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 

Os Rash

  • 1. Iptables Attack Visualization Michael Rash Security Architect Enterasys Networks, Inc. http://www.cipherdyne.org/ OSCON 2007­07­26   Copyright (C) 2007 Michael Rash 1
  • 2. Agenda Why visualize iptables log data? ● context and change – iptables log message formats and data  – completeness New psad­2.0.8 release with Gnuplot interface ● Honeynet Project Scan34 iptables  ● visualizations (see http://www.honeynet.org) Gnuplot – AfterGlow –   Copyright (C) 2007 Michael Rash 2
  • 3. Why Visualize Data? Consider the following set of values (each value  ● represents the number of packets to unique  TCP ports per minute): 5, 4, 2, 1, 3, 4, 55, 58, 70, 85, 120, 9, 2, 3, 1, 5, 4   Copyright (C) 2007 Michael Rash 3
  • 4. Seeing the Trend   Copyright (C) 2007 Michael Rash 4
  • 5. Graph Types Gnuplot ● Dots, points, lines through points – Good at seeing  – trends and relationships in large data sets (>  100,000 points) 3D mode with interactive viewing – AfterGlow ● Link Graphs – Good at expressing network  – relationships with IP addresses    Copyright (C) 2007 Michael Rash 5
  • 6. Iptables Log Data Graphs will only be as good as the data source  ● permits Iptables logs include nearly every interesting  ● field for both the network and transport layer  headers – we just need an effective way to  parse and then visualize this data Iptables log messages can be tied to  ● application layer string matches via the string  match extension (see fwsnort)   Copyright (C) 2007 Michael Rash 6
  • 7. iptables IP Header Coverage   Copyright (C) 2007 Michael Rash 7
  • 8. iptables TCP Header Coverage   Copyright (C) 2007 Michael Rash 8
  • 9. iptables TCP Log Message Jul 11 20:21:22 minastirith kernel: [199]  SID1361 ESTAB IN=eth1 OUT=  MAC=00:13:d3:38:b6:e4:00:13:46:c2:60:44:08:0 0 SRC=192.168.10.3 DST=192.168.10.1 LEN=60  TOS=0x00 PREC=0x00 TTL=63 ID=11112 DF  PROTO=TCP SPT=28778 DPT=80 WINDOW=5840  RES=0x00 ACK PSH URGP=0 OPT  (0101080A02A041D20CC386B1)   Copyright (C) 2007 Michael Rash 9
  • 10. iptables UDP Header Coverage   Copyright (C) 2007 Michael Rash 10
  • 11. iptables UDP Log Message Jul 11 20:50:54 minastirith kernel: [153]  SID2001597 IN=eth0 OUT=  MAC=00:13:d3:38:b6:e4:00:13:46:c2:60:44:08:0 0 SRC=192.168.10.3 DST=192.168.10.1 LEN=40  TOS=0x00 PREC=0x00 TTL=63 ID=29758 DF  PROTO=UDP SPT=32046 DPT=61 LEN=20   Copyright (C) 2007 Michael Rash 11
  • 12. iptables ICMP Header Coverage   Copyright (C) 2007 Michael Rash 12
  • 13. iptables ICMP Log Message Jul 11 20:57:18 minastirith kernel: [98]  SID2003294 IN=eth0 OUT=  MAC=00:13:d3:38:b6:e4:00:13:46:c2:60:44:08:0 0 SRC=192.168.10.3 DST=192.168.10.1 LEN=128  TOS=0x00 PREC=0x00 TTL=63 ID=53466  PROTO=ICMP TYPE=8 CODE=0 ID=27459 SEQ=0   Copyright (C) 2007 Michael Rash 13
  • 14. psad­2.0.8 release Interfaces with Gnuplot – parses iptables log data  ● according to header field requirements and builds both a  data file and a directives file for Gnuplot Various counting modes are supported across different  ● time scales Granular requirements on iptables field values (including  ● negation) Gnuplot works best with integer data (separated by  ● commas or spaces), so IP addresses need to be  translated into integer equivalents   Copyright (C) 2007 Michael Rash 14
  • 15. psad­2.0.8 release (cont'd) psad ­­gnuplot command line arguments: ●     ­­gnuplot­graph­style ­ “points”, “dots”, “linespoints”     ­­gnuplot­file­prefix ­ <file>.gnu, <file>.dat, <file>.png     ­­gnuplot­title – Graph title (used for psad command line)     ­­gnuplot­sort­style – time sorting vs. value sorting     ­­gnuplot­3D – Use “splot” for three­dimensional viewing     ­­gnuplot­view – Set viewing angle   Copyright (C) 2007 Michael Rash 15
  • 16. The Honeynet Scan34 Data Set The goal of a Honeynet is to collect data on real  ● compromises – packet traces and log data is an excellent  learning tool Over 170,000 lines of iptables log data in the Scan34  ● challenge – covers a five week period Contains evidence of port scans, port sweeps, worm traffic  ● (Slammer, Nachi), and an outright compromise of a  system – we will visualize these graphically All IP addresses are sanitized to 11.11.0.0/16 ● http://www.honeynet.org/ ●   Copyright (C) 2007 Michael Rash 16
  • 17. Port Scans Packets to many different ports from a single  ● source address Not just SYN packets, think of Nmap ­sF, ­sN,  ● ­sX, ­sA, (also ­sU for UDP) Visualize with IP address vs. the number of  ● packets to unique ports   Copyright (C) 2007 Michael Rash 17
  • 18. psad Command psad ­m iptables.data ­­gnuplot ­­ CSV­fields “src:not11.11.0.0/16  dp:countuniq” ­­gnuplot­graph points  ­­gnuplot­xrange 0:26500 –gnuplot­ file­prefix portscan   Copyright (C) 2007 Michael Rash 18
  • 19. Visualizing Port Scans (IP vs.  Packet Count to Unique Ports)   Copyright (C) 2007 Michael Rash 19
  • 20. psad Gnuplot data files # Generated by psad v2.0.8 (file revision: 2092) # Command line: 'psad ­m iptables.data ­­gnuplot ­­CSV­fields src:not11.11.0.0/16  dp:countuniq ­­gnuplot­graph points ­­gnuplot­xrange 0:26500 ­­gnuplot­file­prefix  portscan ­­use­store portscan.store' # Time stamp:  Sun Jul  8 13:43:28 2007 905, 66  ### 905=60.248.80.102  12415, 10  ### 12415=63.135.2.15  15634, 10  ### 15634=63.186.32.94  24950, 10  ### 24950=218.85.9.143  16374, 8  ### 16374=63.204.104.150    Copyright (C) 2007 Michael Rash 20
  • 21. When Did the Heaviest Scan  Occur?   Copyright (C) 2007 Michael Rash 21
  • 22. psad Analysis of Scanner:  60.248.80.102 psad ­m iptables.data ­A ­­analysis­fields quot;src:60.248.80.102quot; SRC:  60.248.80.102, DL: 2, Dsts: 1, Pkts: 67, Unique sigs: 3 DST: 11.11.79.125         Scanned ports: UDP 7­43981, Pkts: 53, Chain: FORWARD, Intf: br0         Scanned ports: TCP 68­32783, Pkts: 14, Chain: FORWARD, Intf: br0         Signature match: quot;POLICY vncviewer Java applet download attemptquot;         TCP, Chain: FORWARD, Count: 1, DP: 5802, SYN, Sid: 1846         Signature match: quot;PSAD­CUSTOM Slammer communication attemptquot;         UDP, Chain: FORWARD, Count: 1, DP: 1434, Sid: 100208         Signature match: quot;RPC portmap listing UDP 32771quot;         UDP, Chain: FORWARD, Count: 1, DP: 32771, Sid: 1281   Copyright (C) 2007 Michael Rash 22
  • 23. Port Sweeps Packets to a single port number across many  ● hosts Good evidence of an automated worm (or  ● human) that can exploit a specific vulnerability  in a particular service Visualize with external IP addresses vs.  ● destination ports vs. packet count   Copyright (C) 2007 Michael Rash 23
  • 24. psad Command psad ­m iptables.data ­­gnuplot ­­ CSV­fields “src:not11.11.0.0/16  dp:count” ­­gnuplot­graph points -- gnuplot-3d ­­gnuplot­view 74,77 ­­ gnuplot­file­prefix portsweep   Copyright (C) 2007 Michael Rash 24
  • 25. Visualizing Port Sweeps (IP vs.  Destination Port vs. Packet Count)   Copyright (C) 2007 Michael Rash 25
  • 26. The Top Port Sweeper:  200.216.205.189 vs. TCP/3306   Copyright (C) 2007 Michael Rash 26
  • 27. The Top Port Sweeper (Link Graph)   Copyright (C) 2007 Michael Rash 27
  • 28. Slammer Worm Exploited a vulnerability in MS SQL Server  ● 2000 Single 404­byte UDP packet to port 1434 ● One of the fastest spreading worms in history ● Can easily be spoofed – useless to return ICMP  ● port unreachable with your IDS; need to block  the packet with an IPS and patch the  vulnerability   Copyright (C) 2007 Michael Rash 28
  • 29. Visualizing the Slammer Worm  (UDP 404­byte Packets vs. Hours)   Copyright (C) 2007 Michael Rash 29
  • 31. Nachi Worm Exploits Windows 2000 and XP systems that  ● are not patched against the MS03­026  vulnerability Always sends a 92­byte ICMP echo request to  ● a target system before attempting to exploit the  vulnerability This ICMP packet makes the worm easy to  ● detect   Copyright (C) 2007 Michael Rash 31
  • 32. Nachi Worm (92­Byte ICMP Packet  vs. Hours)   Copyright (C) 2007 Michael Rash 32
  • 33.   Copyright (C) 2007 Michael Rash 33
  • 34. Detecting A Compromised System  with Outbound Connections Honeynet systems should not make outbound  ● connections to external networks (except for  administrative or reporting communication with  known addresses) SSH and IRC connections are particularly  ● suspicious   Copyright (C) 2007 Michael Rash 34
  • 35. Outbound Connections   Copyright (C) 2007 Michael Rash 35
  • 36.    
  • 37. Iptables Logging Args When building iptables LOG rules: ● Use ­­log­ip­options – Use ­­log­tcp­sequence – Use ­­log­tcp­options – More attacks can be detected, and operating  – systems can be passively fingerprinted   Copyright (C) 2007 Michael Rash 37
  • 38. 3D Graphing Demo...   Copyright (C) 2007 Michael Rash 38
  • 39. No Starch Press, Sept 2007   Copyright (C) 2007 Michael Rash 39
  • 40. Questions? http://www.cipherdyne.org/ mbr@cipherdyne.org   Copyright (C) 2007 Michael Rash 40