Piotr Bazydło
Darknet traffic – what can we learn from nooks and crannies of the internet
Research and Academic Computer Network NASK
Work performed during the SISSDEN project.

What is darknet?

- Often called a "network telescope".
- An unused (dark) space of IP addresses.
- In theory, there should be no network traffic.
What is darknet?

In practice, we can see a lot of different packets:

- Misconfiguration of network devices/applications.
- Scanning activities.
- Backscatter from DoS attacks.
- Exploitation attempts.
- Weird and undefined stuff.

[Figures: example captures of misconfiguration, scanning, DoS backscatter and exploitation attempts.]
Some numbers

Our darknet consists of more than 100 000 IP addresses. Statistically, we:

- Receive about 25 000 000 000 packets per month (80% of the packets are TCP packets).
- That gives us about 800 000 000 packets per day.
- And more than 500 000 packets per minute.
Problems

- How to group these packets?
- How to analyze them?
- How to classify them into events?
- How to define whether an event is interesting or not?
- How to fingerprint the responsible actors?
Okay, so what can we do with this traffic?

- Detect and analyze DoS attacks.
- Fingerprint actors/botnets responsible for specific attacks.
- Observe massive scan campaigns and the actors responsible for them.
- Observe botnet actions.
- Forecast exploitation campaigns and even 0-day exploits.
- Detect new signatures (Packet Generation Algorithm) in network traffic.
- And other related actions.
[Figure: geographical distribution of packets.]

[Figure: packets with SEQ = IP_DST.]

Let's fingerprint!

In total, about 45 000 unique IP addresses were fingerprinted (IoC).
Change of tactics

We can see that Satori has started to exploit different ports/devices.

Memcached

[Figure, annotated: Github 1.3 Tbps DoS; reported 1.7 Tbps DoS.]
Day 1 – 20.02 (patient zero?)

- Only 3 IP addresses – all located in the UK.
- All 3 IP addresses within the same host – DigitalOcean.
- The whole scan lasted about 25 minutes.
- Only two source ports used (34860 and 43493).
- One payload used (stats slabs with some additions).

Day 4 – 23.02

- Only 2 IP addresses – UK and Singapore.
- UK IP – the same as on 20.02.
- Singapore ASN: Alibaba (China) Technology Co., Ltd.
- Only two source ports used (34765 and 45931).
- Guess what – still the same payload for both IP addresses.
- Conclusion – we are probably still dealing with a single actor.

Day 5 – 24.02 (new kid on the block?)

- Only 1 IP address – USA.
- ASN: AS27176 DataWagon LLC.
- Source ports seem to be randomized.
- A new payload has been used.
- The scan lasted longer (about 3 hours).
- Looks like we have a new actor.
And so on…

Pre-Github scanners:

- About 60 IP addresses.
- Several scanning patterns.

Scanners after the Github DoS:

- About 315 IP addresses.
- Multiple different scanning patterns.
How can we define patterns?

- Unique payload types.
- Unique source port generation scheme.
- Pairs of characteristics, e.g. source ports → payload → timeline.
- And others.

[Figures: examples of scanning patterns.]
Source Port = 22122

- One IP from France.
- ASN: AS12876 Online S.a.s.

Source Port = 11211

- 56 IPs from USA.
- ASN: AS10439 CariNet
- Pretty well organized (scan performed by many IPs).
- The same payload.
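An added example (not SISSDEN's own tooling) of turning the characteristics above into scan patterns: each source IP is profiled by its source-port scheme, payload and timeline, and IPs sharing a (payload, port scheme) pair are grouped. The records, addresses and payload bytes are constructed to mimic the Day 1 and Day 5 shapes, and the `Record`, `profile_sources` and `group_patterns` names are mine.

```python
# Added example, not the talk's tooling: profile darknet sources by pairs of
# characteristics (source-port scheme, payload, timeline) and group them into patterns.
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Record:
    ts: datetime
    src_ip: str
    sport: int
    dport: int
    payload: bytes


def port_scheme(ports):
    """'fixed' when a scanner reuses a handful of source ports, 'randomized' when
    nearly every packet carries a fresh one, 'mixed' in between."""
    distinct = len(set(ports))
    if distinct <= 2:
        return "fixed"
    return "randomized" if distinct / len(ports) >= 0.9 else "mixed"


def profile_sources(records):
    """One profile per source IP: packet count, ports, port scheme, payload hashes, duration."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r.src_ip].append(r)
    profiles = {}
    for ip, rs in by_src.items():
        rs.sort(key=lambda r: r.ts)
        ports = [r.sport for r in rs]
        profiles[ip] = {
            "packets": len(rs),
            "ports": sorted(set(ports)),
            "port_scheme": port_scheme(ports),
            "payloads": sorted({hashlib.sha256(r.payload).hexdigest()[:12] for r in rs}),
            "duration": rs[-1].ts - rs[0].ts,
        }
    return profiles


def group_patterns(profiles):
    """A pattern is the pair (payload set, source-port scheme); IPs that share one
    are candidates for the same actor or tool."""
    patterns = defaultdict(list)
    for ip, p in profiles.items():
        patterns[(tuple(p["payloads"]), p["port_scheme"])].append(ip)
    return {k: sorted(v) for k, v in patterns.items()}


def constructed_records():
    """Constructed sample: three hosts using two fixed source ports and one payload
    over ~25 minutes (Day 1 shape), then one host with changing ports and a new
    payload over ~3 hours (Day 5 shape). Documentation addresses, made-up payloads."""
    t0 = datetime(2018, 2, 20, 12, 0)
    payload_a = b"\x00\x01\x00\x00\x00\x01\x00\x00stats slabs\r\nstats\r\n"  # constructed
    payload_b = b"\x00\x01\x00\x00\x00\x01\x00\x00stats\r\n"                 # constructed
    recs = []
    for i in range(150):
        ip = f"192.0.2.{1 + i % 3}"
        sport = (34860, 43493)[i % 2]           # the two ports the talk reports on day 1
        recs.append(Record(t0 + timedelta(seconds=10 * i), ip, sport, 11211, payload_a))
    t1 = datetime(2018, 2, 24, 3, 0)
    for i in range(180):
        sport = 1024 + (i * 7919) % 60000       # deterministic stand-in for random ports
        recs.append(Record(t1 + timedelta(seconds=60 * i), "203.0.113.9", sport, 11211, payload_b))
    return recs
```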
Telegram ban in Russia

Indeed – it's a hit – source port 443.

ACK mitigation technique?

Russian watchdog – another attack

- On 19.04 – another attack.
- Still SYN FLOOD and the ACK mitigation technique.
- However, we have received ICMP packets signalling an ACK FLOOD.
- Destination Port = 0
- SEQ[3:4] = 0 AND ACK[3:4] = 0
PGA

- Packet Generation Algorithm (first mentioned by 360Netlab).
- Tools and malware often utilize different PGAs in order to simplify and speed up the packet generation procedure.
- We have developed a tool for the automatic detection of various PGA signatures.
- Usually based on some simple operations (byte swapping, incrementation, hardcoded values and others).
- Usually seen during scanning or DoSing actions. However, PGA was also spotted during C2 communication.
Why even bother?

Let's compare SYN FLOOD packet generation using a legit PGA and the XoR.DDoS botnet PGA.

XoR.DDoS PGA:

- IP_ID = SPORT,
- SEQ[1:2] = IP_ID.

Assuming a botnet with 100 000 machines: 2 400 000 more packets per second!
Mirai – ingenious scanning

- SEQ = DST_IP
- Faster.
- Doesn't have to store information about sent packets, as it only needs to compare the IP and ACK of an incoming packet.
Is XoR.DDoS easily traceable?

- Not really, as in SYN-ACK packets we lose the information about the IP_ID used in the PGA.
- We can compare DPORT and ACK in SYN-ACK packets.
- However, we sometimes receive ICMP packets with the spoofed packet included in the payload – in this case, we can identify the whole signature.
Signatures everywhere

SYN FLOOD on an IP belonging to Google – full of PGA signatures:

1. SPORT = SEQ[1:2]
2. SEQ[3:4] = 0xFFFF
3. SPORT = IP_SRC[3:4]
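The signature checks from the preceding slides (Mirai's SEQ = DST_IP, the XoR.DDoS IP_ID/SEQ relation, the watchdog ACK-flood ICMP signature and the three Google-flood signatures) as an added Python example, including the SYN-ACK backscatter inversion and the ICMP-quote recovery described under "Is XoR.DDoS easily traceable?". This is not the NASK/SISSDEN detection tool; the packet builder, the `Pkt` and `SIGNATURES` names and all addresses and field values are constructed for illustration.

```python
# Added example, not the talk's or SISSDEN's tooling: check the PGA signatures named
# in the slides on raw IPv4/TCP packets, on SYN-ACK backscatter and on ICMP quotes.
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional


@dataclass
class Pkt:
    ip_id: Optional[int]   # None when lost (SYN-ACK backscatter does not echo it)
    src_ip: int            # addresses as 32-bit integers
    dst_ip: int
    sport: int
    dport: int
    seq: int
    ack: Optional[int]     # None when only 8 bytes of TCP were quoted (ICMP error)


def parse_ipv4_tcp(raw: bytes) -> Pkt:
    """IPv4 header plus the TCP header behind it; tolerates a TCP header cut to
    its first 8 bytes, which is all that a minimal ICMP error quotes."""
    ihl = (raw[0] & 0x0F) * 4
    ip_id = struct.unpack_from("!H", raw, 4)[0]
    src_ip, dst_ip = struct.unpack_from("!II", raw, 12)
    sport, dport, seq = struct.unpack_from("!HHI", raw, ihl)
    ack = struct.unpack_from("!I", raw, ihl + 8)[0] if len(raw) >= ihl + 12 else None
    return Pkt(ip_id, src_ip, dst_ip, sport, dport, seq, ack)


def parse_icmp_quote(raw: bytes) -> Pkt:
    """Skip the outer IP header and the 8-byte ICMP header to reach the spoofed packet."""
    outer_ihl = (raw[0] & 0x0F) * 4
    return parse_ipv4_tcp(raw[outer_ihl + 8:])


def reconstruct_from_synack(p: Pkt) -> Pkt:
    """Undo SYN-ACK backscatter: the victim echoed the spoofed SYN's SPORT as DPORT and
    its SEQ + 1 as ACK, while the original IP_ID is gone."""
    return Pkt(None, p.dst_ip, p.src_ip, p.dport, p.sport, (p.ack - 1) & 0xFFFFFFFF, None)


def hi16(x: int) -> int:   # bytes [1:2] of a 32-bit field
    return (x >> 16) & 0xFFFF


def lo16(x: int) -> int:   # bytes [3:4] of a 32-bit field
    return x & 0xFFFF


# Signatures quoted in the talk; a predicate is False when a field it needs is missing.
SIGNATURES = {
    "mirai: SEQ = DST_IP": lambda p: p.seq == p.dst_ip,
    "xorddos: IP_ID = SPORT, SEQ[1:2] = IP_ID":
        lambda p: p.ip_id is not None and p.ip_id == p.sport and hi16(p.seq) == p.ip_id,
    "SPORT = SEQ[1:2]": lambda p: p.sport == hi16(p.seq),
    "SEQ[3:4] = 0xFFFF": lambda p: lo16(p.seq) == 0xFFFF,
    "SPORT = IP_SRC[3:4]": lambda p: p.sport == lo16(p.src_ip),
    "DPORT = 0, SEQ[3:4] = 0, ACK[3:4] = 0":
        lambda p: p.ack is not None and p.dport == 0 and lo16(p.seq) == 0 and lo16(p.ack) == 0,
}


def match_signatures(p: Pkt) -> list:
    return [name for name, test in SIGNATURES.items() if test(p)]


def build_ipv4_tcp(src, dst, ip_id, sport, dport, seq, ack, flags=0x02) -> bytes:
    """Constructed test packet: 20-byte IPv4 + 20-byte TCP header, checksums left zero."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    ip = struct.pack("!BBHHHBBHII", 0x45, 0, 40, ip_id, 0, 64, 6, 0, s, d)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp


def build_icmp_unreach(router, dst, inner: bytes) -> bytes:
    """Constructed ICMP type 3 error quoting the inner IP header + 8 bytes of TCP."""
    quote = inner[:28]
    r, d = int(ipaddress.IPv4Address(router)), int(ipaddress.IPv4Address(dst))
    ip = struct.pack("!BBHHHBBHII", 0x45, 0, 28 + len(quote), 1, 0, 64, 1, 0, r, d)
    return ip + struct.pack("!BBHI", 3, 1, 0, 0) + quote


def demo() -> dict:
    """Signature hits for constructed samples (documentation addresses, made-up values)."""
    dark = "198.51.100.7"                                   # a darknet sensor address
    mirai = build_ipv4_tcp("203.0.113.10", dark, 1, 41234, 23,
                           int(ipaddress.IPv4Address(dark)), 0)
    xor = build_ipv4_tcp("203.0.113.11", dark, 0x1234, 0x1234, 80, 0x1234ABCD, 0)
    benign = build_ipv4_tcp("203.0.113.12", dark, 7, 40000, 443, 0x0BADF00D, 0)
    # Backscatter: a victim answers a SYN spoofed with our address by a SYN-ACK to us.
    synack = build_ipv4_tcp("192.0.2.80", dark, 999, 80, 0x1234, 0x77777777,
                            0x1234ABCE, 0x12)
    icmp = build_icmp_unreach("192.0.2.1", dark, xor)      # router quoting the spoofed SYN
    return {
        "mirai": match_signatures(parse_ipv4_tcp(mirai)),
        "xor": match_signatures(parse_ipv4_tcp(xor)),
        "benign": match_signatures(parse_ipv4_tcp(benign)),
        "synack": match_signatures(reconstruct_from_synack(parse_ipv4_tcp(synack))),
        "icmp": match_signatures(parse_icmp_quote(icmp)),
    }
```

The SYN-ACK case shows the limitation the slides describe: only the DPORT/ACK relation survives backscatter, whereas the ICMP quote carries IP_ID and yields the full XoR.DDoS signature.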
Summary

- Darknet is great, but it has its limitations.
- We are observing a lot of different attacks, malicious activities and botnets.
- We are especially interested in linking PGA signatures to particular malware or tools.
- Results from darknet traffic analysis + data from other sources (sandboxes, honeypots and others) = a lot of operational info!
Other people involved in the presented work:

- Adrian Korczak (NASK) – development.
- Mateusz Goniprowski (NASK) – development.
- Krzysztof Lasota – consultations.
- Paweł Pawliński (CERT PL/NASK) – consultations.
- 360Netlab – PGA idea and intelligence.

This project has received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement No 700176.
Thank you for your attention.
Twitter: @chudyPB
https://sissden.eu/blog
SISSDEN
CONFidence 2018: Darknet traffic - what can we learn from nooks and crannies of the internet? (Piotr Bazydło)

  • 1. Piotr Bazydło – Darknet traffic: what can we learn from nooks and crannies of the internet. Research and Academic Computer Network NASK. Work performed during the SISSDEN project.
  • 2. What is darknet?
    - Often called a "network telescope".
    - An unused (dark) space of IP addresses.
    - In theory, there should be no network traffic.
  • 5–15. What is darknet? In practice, we can see a lot of different packets:
    - Misconfiguration of network devices/applications.
    - Scanning activities.
    - Backscatter from DoS attacks.
    - Exploitation attempts.
    - Weird and undefined stuff.
  • 16. Some numbers. Our darknet consists of more than 100 000 IP addresses. Statistically, we:
    - Receive about 25 000 000 000 packets per month (80% of packets are TCP packets).
    - That gives us about 800 000 000 packets per day.
    - And more than 500 000 packets per minute.
  • 17. Problems
    - How to group these packets?
    - How to analyze them?
    - How to classify them into events?
    - How to define whether an event is interesting or not?
    - How to fingerprint responsible actors?
  • 18. Okay, so what can we do with this traffic?
    - Detect and analyze DoS attacks.
    - Fingerprint actors/botnets responsible for specific attacks.
    - Observe massive scan campaigns and the responsible actors.
    - Observe botnet actions.
    - Forecast exploitation campaigns and even 0-day exploits.
    - Detect new signatures (Packet Generation Algorithm) in network traffic.
    - And other related actions.
  • 25. Let's fingerprint! In total, about 45 000 unique IP addresses were fingerprinted (IoC).
  • 28. Change of tactics. We can see that Satori has started to exploit different ports/devices.
  • 31. Memcached: GitHub 1.3 Tbps DoS; reported 1.7 Tbps DoS.
  • 33. Day 1 – 20.02 (patient zero?)
    - Only 3 IP addresses, all located in the UK.
    - All 3 IP addresses within the same hosting provider: DigitalOcean.
    - The whole scan lasted about 25 minutes.
    - Only two source ports used (34860 and 43493).
    - One payload used (stats slabs with some additions).
  • 34. Day 4 – 23.02
    - Only 2 IP addresses: UK and Singapore.
    - UK IP: the same as on 20.02.
    - Singapore ASN: Alibaba (China) Technology Co., Ltd.
    - Only two source ports used (34765 and 45931).
    - Guess what: still the same payload for both IP addresses.
    - Conclusion: we are probably still dealing with a single actor.
  • 35. Day 5 – 24.02 (new kid on the block?)
    - Only 1 IP address: USA.
    - ASN: AS27176 DataWagon LLC.
    - Source ports seem to be randomized.
    - A new payload has been used.
    - The scan lasted longer (about 3 hours).
    - Looks like we have a new actor.
  • 36. And so on… Pre-GitHub scanners:
    - About 60 IP addresses.
    - Several scanning patterns.
  • 37. Scanners after the GitHub DoS:
    - About 315 IP addresses.
    - Multiple different scanning patterns.
  • 38. How can we define patterns?
    - Unique payload types.
    - Unique source port generation scheme.
    - Pairs of characteristics, e.g. source ports → payload → timeline.
    - And others.
  • 41. Source Port = 22122
    - One IP from France.
    - ASN: AS12876 Online S.a.s.
  • 42. Source Port = 11211
    - 56 IPs from USA.
    - ASN: AS10439 CariNet.
    - Pretty well organized (scan performed by many IPs).
    - The same payload.
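One way to turn the characteristics above (payload type plus source-port generation scheme) into machine-checkable scanning patterns, as an added example that is not part of the talk or of the SISSDEN tooling. The records, addresses and ports are constructed, and the thresholds in `port_scheme` are assumptions.

```python
from collections import defaultdict
import hashlib

# Constructed records of UDP/11211 probes as a darknet sensor would log them:
# (source IP, source port, payload). Addresses and ports are made up; the
# 8-byte prefix is the memcached UDP frame header that precedes the command.
HDR = b"\x00\x01\x00\x00\x00\x01\x00\x00"
RECORDS = [
    ("198.51.100.10", 34860, HDR + b"stats slabs\r\n"),
    ("198.51.100.10", 43493, HDR + b"stats slabs\r\n"),
    ("198.51.100.10", 34860, HDR + b"stats slabs\r\n"),
    ("198.51.100.10", 43493, HDR + b"stats slabs\r\n"),
    ("203.0.113.7", 34765, HDR + b"stats slabs\r\n"),
    ("203.0.113.7", 45931, HDR + b"stats slabs\r\n"),
    ("203.0.113.7", 34765, HDR + b"stats slabs\r\n"),
    ("203.0.113.7", 45931, HDR + b"stats slabs\r\n"),
    ("192.0.2.55", 51122, HDR + b"stats\r\n"),
    ("192.0.2.55", 60871, HDR + b"stats\r\n"),
    ("192.0.2.55", 33009, HDR + b"stats\r\n"),
    ("192.0.2.55", 41777, HDR + b"stats\r\n"),
]


def port_scheme(ports):
    """Name the source-port generation scheme seen for one source IP."""
    distinct = len(set(ports))
    if distinct == 1:
        return "fixed"
    if distinct / len(ports) <= 0.5:  # a handful of ports reused across the scan
        return "small-set"
    return "randomized"


def scan_patterns(records):
    """Group sources by (payload fingerprint, port scheme): pattern -> sorted IPs."""
    by_ip = defaultdict(list)
    for ip, sport, payload in records:
        by_ip[ip].append((sport, payload))
    patterns = defaultdict(set)
    for ip, pkts in by_ip.items():
        # A source using several payloads gets a combined fingerprint.
        payloads = sorted({hashlib.sha256(p).hexdigest()[:12] for _, p in pkts})
        key = ("+".join(payloads), port_scheme([s for s, _ in pkts]))
        patterns[key].add(ip)
    return {k: sorted(v) for k, v in patterns.items()}
```

With the constructed data, the two "two fixed ports, stats slabs" sources fall into one pattern and the randomized-port "stats" source into another, mirroring the day 1/4 versus day 5 split above.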
  • 43. Telegram ban in Russia
  • 44. Indeed, it's a hit: source port 443.
  • 46. Russian watchdog – another attack
    - On 19.04 – another attack.
    - Still SYN FLOOD and the ACK mitigation technique.
    - However, we have received ICMP packets signalling an ACK FLOOD.
    - Destination Port = 0
    - SEQ[3:4] = 0 AND ACK[3:4] = 0
  • 47. PGA
    - Packet Generation Algorithm (first mentioned by 360Netlab).
    - Tools and malware often utilize different PGAs in order to simplify/speed up the packet generation procedure.
    - We have developed a tool for the automatic detection of various PGA signatures.
    - Usually based on some simple operations (byte swapping, incrementation, hardcoded values and others).
    - Usually seen during scanning or DoSing actions. However, PGA was also spotted during C2 communication.
  • 49–50. Why even bother? Let's compare SYN FLOOD packet generation while using a legit PGA and the XoR.DDoS botnet PGA.
    - XoR.DDoS PGA: IP_ID = SPORT, SEQ[1:2] = IP_ID.
    - Assuming a botnet with 100 000 machines: 2 400 000 more packets per second!
  • 51. Mirai – ingenious scanning
    - SEQ = DST_IP
    - Faster.
    - Doesn't have to store information about sent packets, as it can simply compare the IP and ACK of the incoming packet.
  • 52. Is XoR.DDoS easily traceable?
    - Not really, as in SYN-ACK packets we lose the information about the IP_ID used in the PGA.
    - We can compare DPORT and ACK in SYN-ACK packets.
    - However, we sometimes receive ICMP packets with the spoofed packet included in the payload; in this case, we can identify the whole signature.
  • 53–54. Signatures everywhere. SYN FLOOD on an IP belonging to Google – full of PGA signatures:
    1. SPORT = SEQ[1:2]
    2. SEQ[3:4] = 0xFFFF
    3. SPORT = IP_SRC[3:4]
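An added example (not the authors' detector, which the talk does not publish) that checks the header relations named on these slides, plus the ICMP-reported ACK-flood pattern from slide 46, against a raw IPv4+TCP header; a full header like this is what an ICMP error carries back, as slide 52 notes. The reading of the slide notation (X[1:2] = high 16 bits of a 32-bit field, X[3:4] = low 16 bits, IP_SRC[3:4] = last two octets) and the test packets are assumptions.

```python
import struct
from ipaddress import IPv4Address


def parse_ipv4_tcp(raw):
    """Extract the fields the signatures relate; raw = IPv4 header + TCP header."""
    ver_ihl, _, _, ip_id, _, _, _, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4  # honour IP options, if any
    sport, dport, seq, ack = struct.unpack("!HHII", raw[ihl:ihl + 12])
    return {"ip_id": ip_id, "src": int.from_bytes(src, "big"),
            "dst": int.from_bytes(dst, "big"), "sport": sport,
            "dport": dport, "seq": seq, "ack": ack}


# Assumed reading of the slides: X[1:2] is the high 16 bits of a 32-bit field,
# X[3:4] the low 16 bits, IP_SRC[3:4] the last two octets of the source address.
SIGNATURES = {
    "XoR.DDoS: IP_ID = SPORT, SEQ[1:2] = IP_ID":
        lambda f: f["ip_id"] == f["sport"] and (f["seq"] >> 16) == f["ip_id"],
    "Mirai: SEQ = DST_IP": lambda f: f["seq"] == f["dst"],
    "SPORT = SEQ[1:2]": lambda f: f["sport"] == (f["seq"] >> 16),
    "SEQ[3:4] = 0xFFFF": lambda f: (f["seq"] & 0xFFFF) == 0xFFFF,
    "SPORT = IP_SRC[3:4]": lambda f: f["sport"] == (f["src"] & 0xFFFF),
    "DPORT = 0, SEQ[3:4] = 0, ACK[3:4] = 0":
        lambda f: f["dport"] == 0 and (f["seq"] & 0xFFFF) == 0 and (f["ack"] & 0xFFFF) == 0,
}


def match_pga(raw):
    """Return the names of every signature the packet satisfies (can be several)."""
    fields = parse_ipv4_tcp(raw)
    return [name for name, pred in SIGNATURES.items() if pred(fields)]


def build_packet(src, dst, ip_id, sport, dport, seq, ack=0, flags=0x02):
    """Constructed IPv4+TCP header for testing; checksums are left zero on purpose."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 0x50, flags, 8192, 0, 0)
    return ip + tcp
```

Note that the XoR.DDoS relation implies "SPORT = SEQ[1:2]", so one packet can carry several signature names; linking a name to a family still needs corroborating data, as the summary slide says.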
  • 55. Summary
    - Darknet is great, but it has its limitations.
    - We are observing a lot of different attacks, malicious activities and botnets.
    - We are especially interested in linking PGA signatures to particular malware or tools.
    - Results from darknet traffic analysis + data from other sources (sandboxes, honeypots and others) = a lot of operational info!
  • 56. Other people involved in the presented work: Adrian Korczak (NASK) – development. Mateusz Goniprowski (NASK) – development. Krzysztof Lasota – consultations. Paweł Pawliński (CERT PL/NASK) – consultations. 360Netlab – PGA idea and intelligence.
  • 57. This project has received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement No 700176. Thank you for your attention. Twitter: @chudyPB https://sissden.eu/blog SISSDEN