Applied Detection and Analysis with Flow Data - SO Con 2014 (chrissanders88)
The document discusses using network flow data for applied detection and analysis. It describes how to collect flow data using tools like SiLK, analyze the data using rwfilter, rwstats and other SiLK tools, and use the results for detection via visualizations with FlowPlotter and intelligence gathering. Flow data provides benefits like small data footprint and scalability compared to full packet capture.
This document provides examples and explanations of rule options and techniques used in Snort intrusion detection rules. It begins with an introduction and overview of the topics to be covered. It then provides examples of rules that detect buffer overflows, protocol decoding, and the Kaminsky DNS cache poisoning bug. For each rule example, it breaks down the rule components and explains what each option is doing. It also provides additional explanations and examples for specific rule options like content, isdataat, byte_test, byte_jump, and PCRE. The document aims to explain both common and non-obvious uses of rule options through examples of real Snort rules.
This document discusses how the nmap scanner performs host discovery by default and explores customizing its behavior. It examines nmap's default discovery method which sends ICMP echo requests and TCP packets to target hosts and looks for responses. The document uses a DMZ network with varying firewall rulesets to demonstrate how the default method works in different scenarios. It shows that while the default method is sufficient when rules are very open, more specific rules may require customizing nmap's options to more accurately discover live hosts on the network.
Cryptographic Protocols: Practical revocation and key rotation (Priyanka Aash)
This document summarizes a presentation on asynchronous provably-secure hidden services. The presentation proposes a protocol that allows a client to communicate with a hidden server in an asynchronous and distributed network, while provably preserving the server's anonymity. The key aspects are: (1) the client broadcasts a request, (2) all nodes (including the server) secret share a response using random values, (3) shares are routed to the client who reconstructs the response, ensuring the server's behavior is indistinguishable from others. The protocol achieves linear communication complexity using homomorphic encryption and a spanning tree structure. Security is based on simulation, showing the real and simulated views are indistinguishable.
This document discusses distributed reflection denial-of-service (DRDoS) attacks and proposes countermeasures. It describes how DRDoS attacks work by spoofing the victim's IP and using protocols like DNS, NTP, and SNMP to amplify small requests into large responses. Objectives include constructing and analyzing these attacks in test environments. A self-designed algorithm is proposed to mitigate attacks by queueing and dropping oversized packets probabilistically. Results showed the algorithm successfully accepting legitimate traffic while thwarting DRDoS attacks.
The document provides information on various network analysis and scanning tools including:
- DNStracer which traces DNS queries back through recursive DNS servers.
- Tcptraceroute which performs traceroutes using TCP packets to bypass firewalls in the same way nmap does.
- Nmap which is a security scanning tool used for network inventory, management and auditing through techniques like host discovery, port scanning and OS detection.
- Lanmap which listens to network traffic on an interface and maps the topology of who is communicating with who and how much using various protocols.
- SPIKE which is a network protocol fuzzer development framework that represents protocols as blocks of binary data and size to allow
Type of DDoS attacks with hping3 example (Himani Singh)
This document summarizes common DDoS attack types and how to execute them using hping3 or other tools. It describes application layer attacks like HTTP floods, protocol attacks like SYN floods, volumetric attacks like ICMP floods, and reflection attacks. It then provides commands to execute various TCP, UDP, ICMP floods and other DDoS attacks using hping3 by spoofing addresses, modifying flags, and targeting ports. Layer 7 attacks exploiting HTTP requests are also summarized.
This document provides an overview of Nmap Scripting Engine (NSE) for security researchers looking to build NSE scripts. It covers the anatomy of an NSE script including required components like metadata, categories, portrules and actions. It also provides tips for scriptors like specifying the script directory, using debugging mode, and updating the script database. The goal is to provide a kickstart for researchers to learn how to create NSE scripts and proofs-of-concept.
Neighbor Cache Fingerprinter (NCF) is a tool that fingerprints operating systems through analysis of how targets respond to unusual Address Resolution Protocol (ARP) packets and behavior. NCF sends various crafted ARP packets and probes targets, observing factors like the number of ARP requests before timeout, response to gratuitous ARP packets, and cache entry timeout periods. NCF then compares these characteristics to a relatively small database of fingerprints to determine the likely operating system and version of the target.
This document discusses DDoS attacks and mitigation methods. It begins by defining DDoS attacks as using multiple sources to overwhelm a target's availability, unlike a DOS attack which uses a single source. Common DDoS attack types are then outlined, along with the costs and impacts of attacks for victims. The document also provides details on specific attack methods like SYN floods, reflection attacks using DNS and NTP, and recommended mitigation techniques including whitelisting, rate limiting, and fingerprinting. It concludes by emphasizing that DDoS attacks are easy to carry out and difficult to detect, while having significant negative effects on victims.
Geographically dispersed Percona XtraDB cluster deployment (Marco Tusa)
Geographically Dispersed Percona XtraDB Cluster Deployment
Percona XtraDB Cluster is a very robust, high-performing and widely used solution for High Availability needs. But it can be very challenging when we need to deploy the cluster over a geographically dispersed area.
This presentation will briefly discuss the right approach to successfully deploy PXC when multiple geographical sites, close and far, need to be covered.
- What is PXC and what happens in a set of node when commit
- Let us clarify, geo dispersed
- What to keep in mind then
- how to measure it correctly
- Use the right way (sync/async)
- Use help like replication_manager
Tomas Hlavacek - IP fragmentation attack on DNS (DefconRussia)
This document summarizes an IP fragmentation attack on DNS resolvers. It exploits IP fragmentation and reassembly to reduce the entropy for cache poisoning from 32 bits to 16 bits. There are two types of attacks: one triggers fragmentation through spoofed ICMP messages, while the other registers a specially crafted zone to generate oversized responses. The attacks allow modifying DNS response fragments off-path to poison caches. Defenses include DNSSEC and workarounds like ignoring certain ICMP messages and limiting response sizes.
The document discusses different nmap scanning techniques including SYN scans, FIN scans, ACK scans, and window scans. It provides pros and cons of each technique. It then details a mission to penetrate SCO's firewall and discern open ports on a target system using different scan types. Another mission works to locate webservers on the Playboy network offering free images, optimizing the scan by getting timing information and scanning faster without DNS lookups. Several IP addresses with port 80 open are identified.
The document discusses dynamic port scanning (DPS), which integrates ARP poisoning into port scanning to dynamically spoof the source IP address of scan packets. DPS works by poisoning the ARP cache of the target host or gateway so that scan replies are delivered to the scanning machine regardless of the spoofed source IP. This allows the scan to appear as if it is coming from many machines, improving stealth, while still obtaining results unlike traditional IP spoofing techniques. The document outlines how DPS works, current spoofing methods, advantages over other techniques, and limitations.
1) The document describes a proposed SDN-based system to detect and prevent DDoS attacks. It uses entropy calculations on traffic flow statistics to detect attacks. When an attack is detected, the controller installs rules to block traffic from bot IPs and the server uses CAPTCHAs to authenticate legitimate users.
2) The system was tested using iperf and attack tools on an emulation platform. Results showed it maintained high throughput even during attacks, unlike approaches that overload the controller. It also had lower false positives than other detection algorithms.
3) Future work could include expanding the system to detect attacks targeting different SDN layers and more servers. The approach provides an effective and scalable DDoS defense for
CNIT 50: 6. Command Line Packet Analysis Tools (Sam Bowne)
This document provides an overview of 6 command line packet analysis tools used for network security monitoring: Tcpdump, Dumpcap, Tshark, Argus, the Argus Ra client, and Argus Racluster. It describes what each tool is used for, basic syntax and examples of using filters to view specific traffic like ICMP, DNS, TCP handshakes. It also covers running these tools from the command line, reading captured packet files, and examining Argus session data files.
This document introduces Nmap, an open source network scanning tool. It describes Nmap's basic syntax and how it works, outlines different types of scans like TCP, UDP, and SYN scans, discusses timing options, and provides references and links to tutorials on hackingarticles.in about using Nmap for tasks like port scanning, vulnerability detection, and password cracking.
This document provides an overview and agenda for a training on the Nmap Scripting Engine (NSE). It begins with a 10 minute introduction to Nmap, covering what Nmap is used for and some basic scan options. Next, it spends 20 minutes reviewing the existing NSE script categories and how to use available scripts, demonstrating two sample scripts. Finally, it dedicates 20 minutes to explaining how to write your own NSE script, including the basic structure and providing an example of writing a script to find the website title.
This document provides instructions for installing and using Wireshark software to capture and analyze network traffic. It describes how to install Wireshark and additional plugins, configure user permissions to capture traffic, and remotely capture traffic over SSH. Example commands are given to list installed plugins, view available network interfaces, capture a session, and analyze statistics on captured packets. Formats and filters for Wireshark are also explained.
NMAP is a network scanning tool that can perform various types of scans, including port scans, version detection scans, and OS detection scans. It has many options to control the type and timing of scans. The document provides details on NMAP scan types like TCP SYN scans, ping scans using different packet types, and port scanning techniques. It also covers topics like port states, common ports, scan timing and output options.
IS Unit 1_Conventional Encryption_Classical Encryption Techniques (Sarthak Patel)
The document discusses classical encryption techniques such as the Caesar cipher, monoalphabetic substitution cipher, polyalphabetic ciphers like the Vigenère cipher, and the Playfair cipher. It explains the basic concepts of encryption including plaintext, ciphertext, encryption algorithms, decryption algorithms, and symmetric key cryptography. It also covers cryptanalysis techniques like frequency analysis that can be used to break some classical ciphers. The document is intended to introduce basic concepts of encryption as a precursor to studying modern cryptography.
The document discusses using Nmap to perform network scanning and reconnaissance. It provides an overview of Nmap, describing common scan types like TCP and UDP scans. It also covers useful Nmap options for tasks like service and operating system detection. The document demonstrates the Nmap Scripting Engine for tasks like vulnerability scanning and brute force attacks. It provides examples of commands for different scan types and scripts.
Classical Encryption Techniques in Network Security (babak danyal)
The document provides an overview of classical encryption techniques, including: symmetric ciphers that use the same key for encryption and decryption (such as the Caesar cipher, monoalphabetic ciphers like the Playfair cipher, and polyalphabetic ciphers like the Vigenère cipher) as well as transposition techniques that rearrange plaintext; rotor machines like the Enigma that implemented complex polyalphabetic substitution; and steganography that hides messages within other files or messages. The goal is to introduce basic concepts and terminology of encryption to prepare for studying modern cryptography.
Please note, this article does not intend to promote hacking. The intention is to help you understand the vulnerabilities in SSL and protect yourselves from the same. There are millions of innocent victims who fall prey because they are complacent the moment they see a 'secure https' symbol on their browser. I am trying to dispel that myth.
This document discusses seven grades of perfect forward secrecy (PFS) implementations and evaluates PFS support across different industries. PFS ensures that compromising long-term keys does not compromise past session keys. The document outlines different PFS approaches using Diffie-Hellman key exchange with or without elliptic curves. It finds that internet, infosec, defense and education industries tend to have the best PFS support, grading as a 1-4, while finance, electronics and software industries have poorer support, often not using PFS. The document concludes there is no good reason not to move to stronger PFS grades that use elliptic curves and avoid fallback to non-PFS ciphers.
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics (Bishop Fox)
Learn the basics of network penetration testing success - an introduction to the top three tools that will help you on your security journey: Nmap, Netcat, and Metasploit. See how to use Nmap both for port scanning and vulnerability discovery. You'll also learn how to use Netcat to grab banners, make HTTP requests, and create both reverse and bind shells. Finally, we’ll learn the ins and outs of Metasploit, including how to integrate our Nmap scan results for even more ownage and using the built-in exploits to get shells.
At the end of this, you will be port scanning, creating payloads, and popping shells. This technical workshop is designed to familiarize you with the necessary tools to continue your ethical hacking journey. From here, take your l33t new skillz and apply them to Capture The Flag (CTF) competitions or scanning your home network for vulnerabilities.
(This was originally presented on February 22, 2010 at Day of Shecurity Boston 2019).
Protecting Financial Networks from Cyber Crime (Lancope, Inc.)
Financial services organizations are prime targets for cyber criminals. They must take extreme care to protect customer data, while also ensuring high levels of network availability to allow for 24/7 access to critical financial information. Additionally, industry consolidation has created large, heterogeneous network environments within large financial institutions, making it difficult to ensure that networks have the necessary visibility and protection to prevent a devastating security breach. By leveraging NetFlow from existing network infrastructure, financial services organizations can achieve comprehensive visibility across even the largest, most complex networks. The ability to quickly detect a wide range of potentially malicious activity helps prevent damaging data breaches and network disruptions. Attend this informational webinar, conducted by Lancope’s Director of Security Research, Tom Cross, to learn:
- How NetFlow can help quickly uncover both internal and external threats
- How pervasive network insight can accelerate incident response and forensic investigations
- How to substantially decrease enterprise risks
Creating Your Own Threat Intel Through Hunting & VisualizationRaffael Marty
The security industry is talking a lot about threat intelligence; external information that a company can leverage to understand where potential threats are knocking on the door and might have already perpetrated the network boundaries. Conversations with many CERTs have shown that we have to stop relying on knowledge about how attacks have been conducted in the past and start 'hunting' for signs of compromises and anomalies in our own environments.
In this presentation we explore how the decade old field of security visualization has emerged. We show how we have applied advanced analytics and visualization to create our own threat intelligence and investigated lateral movement in a Fortune 50 company.
Visualization. Data science. No machine learning. But pretty pictures.
Here is a blog post I wrote a bit ago about the general theme of internal threat intelligence:
http://www.darkreading.com/analytics/creating-your-own-threat-intel-through-hunting-and-visualization/a/d-id/1321225?
I'm take picture from here and there by goggling not mentioning all source please let me know if anyone has any objection. This presentation was presented in IUT CTF G3t R00t
This presentation is from the Gophercon-India where we talked about how to design a concurrent high performance database client in go language. We talked about how we use goroutines and channels to our advantages. we also talked about how to use pools for efficient memory utilization.
This document discusses an entropy downgrade attack and provides solutions to strengthen a system's entropy and random number generation. It explains that computers have limited entropy for generating strong cryptographic keys. An attacker can force a system to generate keys using less entropy, making the keys easier to crack. The document recommends increasing the entropy pool size, optimizing entropy collection, using hardware entropy sources, and caching previously generated strong primes to strengthen a system against this attack. It provides code examples and tools to help implement these solutions.
InfluxEnterprise Architecture Patterns by Tim Hall & Sam DillardInfluxData
1. The document provides an overview of InfluxEnterprise, including its core open source functionality, high availability features, scalability, fine-grained authorization, support options, and on-premise or cloud deployment options.
2. It discusses signs that an organization may be ready for InfluxEnterprise, such as high CPU usage, issues with single node deployments, and needing improved data durability or throughput.
3. The document covers InfluxEnterprise cluster architecture including meta nodes, data nodes, replication patterns, ingestion and query rates for different replication configurations, and examples for mothership, durable data ingest, and integrating with ElasticSearch deployments.
Information and data security pseudorandom number generation and stream cipherMazin Alwaaly
Information And Data Security Pseudorandom Number Generation and Stream Cipher seminar
Mustansiriya University
Department of Education
Computer Science
The document discusses various reconnaissance and access attacks against Cisco networks, as well as countermeasures. It covers passive sniffing, port scans, ping sweeps, password attacks, trust exploitation, IP spoofing, DHCP/ARP attacks, and DoS/DDoS attacks. Defenses include switched networks, encryption, firewall rules, DHCP snooping, dynamic ARP inspection, rate limiting, and storm control.
ConFoo Montreal - Approaches for application request throttlingMaarten Balliauw
Speaking from experience building a SaaS: users are insane. If you are lucky, they use your service, but in reality, they probably abuse. Crazy usage patterns resulting in more requests than expected, request bursts when users come back to the office after the weekend, and more! These all pose a potential threat to the health of our web application and may impact other users or the service as a whole. Ideally, we can apply some filtering at the front door: limit the number of requests over a given timespan, limiting bandwidth, ...
In this talk, we’ll explore the simple yet complex realm of rate limiting. We’ll go over how to decide on which resources to limit, what the limits should be and where to enforce these limits – in our app, on the server, using a reverse proxy like Nginx or even an external service like CloudFlare or Azure API management. The takeaway? Know when and where to enforce rate limits so you can have both a happy application as well as happy customers.
This document discusses using DNS traffic data and machine learning techniques to detect malware and security threats. It describes analyzing over 40 billion client DNS queries per day to derive security-related features like domain popularity, IP and ASN reputation, and client geographic diversity. These features are used in multivariate linear regression and graph-based ranking algorithms to score domains. Domains with suspicious scores are then fed into other classification models to identify threats while reducing false positives. The system aims to complement antivirus tools by leveraging large-scale DNS data in a constantly evolving cyber threat landscape.
Approaches for application request throttling - dotNetCologneMaarten Balliauw
Speaking from experience building a SaaS: users are insane. If you are lucky, they use your service, but in reality, they probably abuse. Crazy usage patterns resulting in more requests than expected, request bursts when users come back to the office after the weekend, and more! These all pose a potential threat to the health of our web application and may impact other users or the service as a whole. Ideally, we can apply some filtering at the front door: limit the number of requests over a given timespan, limiting bandwidth, ...
In this talk, we’ll explore the simple yet complex realm of rate limiting. We’ll go over how to decide on which resources to limit, what the limits should be and where to enforce these limits – in our app, on the server, using a reverse proxy like Nginx or even an external service like CloudFlare or Azure API management. The takeaway? Know when and where to enforce rate limits so you can have both a happy application as well as happy customers.
InfluxEnterprise Architectural Patterns by Dean Sheehan, Senior Director, Pre...InfluxData
Dean discusses architecture patterns with InfluxDB Enterprise, covering an overview of InfluxDB Enterprise, features, ingestion and query rates, deployment examples, replication patterns, and general advice.
When DevOps and Networking Intersect by Brent Salisbury of socketplane.ioDevOps4Networks
The document discusses the intersection of networks and DevOps. It covers challenges with traditional network operations including lack of programmability. It proposes distributed and software-defined networking approaches but notes hard problems remain. It emphasizes lessons learned around prototyping, understanding user needs, reliability, testing changes, and building a collaborative team culture.
Training Slides: 153 - Working with the CLIContinuent
Watch this 55min training session to learn about the main command line tools you’ll be using when working with Tungsten Replicator.
TOPICS COVERED
- Re-cap the previous Installation
- Explore the main Command Line Tools
- tpm
- trepctl
- thl
A computer network plays a major part in the development of any industry. Nowadays, in this fast paced
networking world each and every industry depends on internet for their progress. As said above this is the fast
paced world, the attack to disable the progress are also fast paced. DDoS (Distributed Denial of Service) is one
among them. Though it is one of the many attacks, they temporarily disable a service provided by the company.
This paper proposes a series of steps which not only checks the possible attack but also tries its best to thwart
them. Instead of going for conventional approach of blocking the excess traffic, the proposed approach will
prolong the access to the service. In the mean time checking for the possible attack is done. Thus, not only it
thwarts the attacks but also gives them reliable user their access with a little bit of delay, resulting in high
reliability.
Ceh v8 labs module 10 denial of serviceAsep Sopyan
The document describes how to perform a denial-of-service (DoS) attack using hping3. It provides instructions on launching BackTrack 5 r3 in a virtual machine, running hping3 to send a flood of SYN packets to a Windows 7 victim machine, and using Wireshark on the victim to observe the incoming SYN packets. The goal is to overload the victim's resources and render it unavailable by saturating it with external communication requests.
Snort is an open source network intrusion prevention system capable of real-time traffic analysis and packet logging. It uses a rules-based detection engine to examine packets against defined signatures. Snort has three main operational modes: sniffer, packet logger, and network intrusion detection system. It utilizes a modular architecture with plug-ins for preprocessing, detection, and output. Rules provide flexible and configurable detection signatures.
ACEP Magazine edition 4th launched on 05.06.2024Rahul
This document provides information about the third edition of the magazine "Sthapatya" published by the Association of Civil Engineers (Practicing) Aurangabad. It includes messages from current and past presidents of ACEP, memories and photos from past ACEP events, information on life time achievement awards given by ACEP, and a technical article on concrete maintenance, repairs and strengthening. The document highlights activities of ACEP and provides a technical educational article for members.
Electric vehicle and photovoltaic advanced roles in enhancing the financial p...IJECEIAES
Climate change's impact on the planet forced the United Nations and governments to promote green energies and electric transportation. The deployments of photovoltaic (PV) and electric vehicle (EV) systems gained stronger momentum due to their numerous advantages over fossil fuel types. The advantages go beyond sustainability to reach financial support and stability. The work in this paper introduces the hybrid system between PV and EV to support industrial and commercial plants. This paper covers the theoretical framework of the proposed hybrid system including the required equation to complete the cost analysis when PV and EV are present. In addition, the proposed design diagram which sets the priorities and requirements of the system is presented. The proposed approach allows setup to advance their power stability, especially during power outages. The presented information supports researchers and plant owners to complete the necessary analysis while promoting the deployment of clean energy. The result of a case study that represents a dairy milk farmer supports the theoretical works and highlights its advanced benefits to existing plants. The short return on investment of the proposed approach supports the paper's novelty approach for the sustainable electrical system. In addition, the proposed system allows for an isolated power setup without the need for a transmission line which enhances the safety of the electrical network
Presentation of IEEE Slovenia CIS (Computational Intelligence Society) Chapte...University of Maribor
Slides from talk presenting:
Aleš Zamuda: Presentation of IEEE Slovenia CIS (Computational Intelligence Society) Chapter and Networking.
Presentation at IcETRAN 2024 session:
"Inter-Society Networking Panel GRSS/MTT-S/CIS
Panel Session: Promoting Connection and Cooperation"
IEEE Slovenia GRSS
IEEE Serbia and Montenegro MTT-S
IEEE Slovenia CIS
11TH INTERNATIONAL CONFERENCE ON ELECTRICAL, ELECTRONIC AND COMPUTING ENGINEERING
3-6 June 2024, Niš, Serbia
A review on techniques and modelling methodologies used for checking electrom...nooriasukmaningtyas
The proper function of the integrated circuit (IC) in an inhibiting electromagnetic environment has always been a serious concern throughout the decades of revolution in the world of electronics, from disjunct devices to today’s integrated circuit technology, where billions of transistors are combined on a single chip. The automotive industry and smart vehicles in particular, are confronting design issues such as being prone to electromagnetic interference (EMI). Electronic control devices calculate incorrect outputs because of EMI and sensors give misleading values which can prove fatal in case of automotives. In this paper, the authors have non exhaustively tried to review research work concerned with the investigation of EMI in ICs and prediction of this EMI using various modelling methodologies and measurement setups.
A SYSTEMATIC RISK ASSESSMENT APPROACH FOR SECURING THE SMART IRRIGATION SYSTEMSIJNSA Journal
The smart irrigation system represents an innovative approach to optimize water usage in agricultural and landscaping practices. The integration of cutting-edge technologies, including sensors, actuators, and data analysis, empowers this system to provide accurate monitoring and control of irrigation processes by leveraging real-time environmental conditions. The main objective of a smart irrigation system is to optimize water efficiency, minimize expenses, and foster the adoption of sustainable water management methods. This paper conducts a systematic risk assessment by exploring the key components/assets and their functionalities in the smart irrigation system. The crucial role of sensors in gathering data on soil moisture, weather patterns, and plant well-being is emphasized in this system. These sensors enable intelligent decision-making in irrigation scheduling and water distribution, leading to enhanced water efficiency and sustainable water management practices. Actuators enable automated control of irrigation devices, ensuring precise and targeted water delivery to plants. Additionally, the paper addresses the potential threat and vulnerabilities associated with smart irrigation systems. It discusses limitations of the system, such as power constraints and computational capabilities, and calculates the potential security risks. The paper suggests possible risk treatment methods for effective secure system operation. In conclusion, the paper emphasizes the significant benefits of implementing smart irrigation systems, including improved water conservation, increased crop yield, and reduced environmental impact. Additionally, based on the security analysis conducted, the paper recommends the implementation of countermeasures and security approaches to address vulnerabilities and ensure the integrity and reliability of the system. 
By incorporating these measures, smart irrigation technology can revolutionize water management practices in agriculture, promoting sustainability, resource efficiency, and safeguarding against potential security threats.
Batteries -Introduction – Types of Batteries – discharging and charging of battery - characteristics of battery –battery rating- various tests on battery- – Primary battery: silver button cell- Secondary battery :Ni-Cd battery-modern battery: lithium ion battery-maintenance of batteries-choices of batteries for electric vehicle applications.
Fuel Cells: Introduction- importance and classification of fuel cells - description, principle, components, applications of fuel cells: H2-O2 fuel cell, alkaline fuel cell, molten carbonate fuel cell and direct methanol fuel cells.
KuberTENes Birthday Bash Guadalajara - K8sGPT first impressionsVictor Morales
K8sGPT is a tool that analyzes and diagnoses Kubernetes clusters. This presentation was used to share the requirements and dependencies to deploy K8sGPT in a local environment.
Optimizing Gradle Builds - Gradle DPE Tour Berlin 2024Sinan KOZAK
Sinan from the Delivery Hero mobile infrastructure engineering team shares a deep dive into performance acceleration with Gradle build cache optimizations. Sinan shares their journey into solving complex build-cache problems that affect Gradle builds. By understanding the challenges and solutions found in our journey, we aim to demonstrate the possibilities for faster builds. The case study reveals how overlapping outputs and cache misconfigurations led to significant increases in build times, especially as the project scaled up with numerous modules using Paparazzi tests. The journey from diagnosing to defeating cache issues offers invaluable lessons on maintaining cache integrity without sacrificing functionality.
Literature Review Basics and Understanding Reference Management.pptxDr Ramhari Poudyal
Three-day training on academic research focuses on analytical tools at United Technical College, supported by the University Grant Commission, Nepal. 24-26 May 2024
4. In computing, a denial-of-service attack (DoS attack) is a cyber-attack where the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.
Let’s start
with DDoS 43%
7. BUT it is an everyday headache
• It burns money and kills business
• It consumes valuable bandwidth
• When DDoS kills your uplink, it is a nightmare for the IDC because everybody dies
• Blocking/unblocking IPs also takes money and time
8. It takes a lot to detect and mitigate
• Attacking cost is low (even lower with cloud)
• Nowhere to be traced (IP spoofing)
• Random victims
• We need to find the attack/attackers without hurting good ones, and it is expensive
13. What's changed?
• No mirroring/bypassing of traffic is needed, so no delay is expected
• Simple P4 lines (less than 100 lines for SYN-flood)
• Detect and drop/mitigate, quick response
• With INT/big data, a lot of things can happen at the same time
• Great performance (6.4 Tbps line rate)
14. Example: SYN-Cookie
Detect normal vs. suspicious traffic inside the network at 6.4 Tbps instead of statically mirroring lots of traffic to DDoS mitigation boxes.
15. Non-attack scenario (Initiator, Tofino switch, Listener)
1. Initiator → Tofino switch: SYN (source not on whitelist)
2. Tofino switch → Initiator: SYN+ACK with cookie
3. Initiator → Tofino switch: ACK with cookie + 1 (source added to whitelist)
4. Tofino switch → Initiator: RST
5. Initiator → Listener: SYN
6. Listener → Initiator: SYN+ACK
7. Initiator → Listener: ACK
16. Attack scenario (Initiator, Tofino switch, Listener)
1. Initiator → Tofino switch: SYN (source not on whitelist)
2. Tofino switch → Initiator: SYN+ACK with cookie
3. Initiator → Tofino switch: SYN (source not on whitelist)
4. Tofino switch → Initiator: SYN+ACK with cookie
5. Initiator → Tofino switch: SYN (source not on whitelist)
6. Tofino switch → Initiator: SYN+ACK with cookie
... and so on: no ACK carrying the cookie ever arrives, so no SYN is forwarded and the Listener is shielded from the attack.
17. Control flow
Receive SYN:
• SIP in whitelist? Yes → forward packet
• No → compute SYN cookie; send SYN+ACK with the cookie in the seq# and timestamp fields
Receive ACK:
• Compute SYN cookie
• ACK#-1 == cookie? Yes → add SIP to whitelist; send RST
• No → ACK#-1 == timestamp? No → forward packet
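The whitelist-and-cookie control flow above, as an added Python simulation that is not code from the presentation: it models the seq#-cookie check of slide 17 (not the timestamp branch) and replays the non-attack and attack scenarios of slides 15 and 16. The cookie construction, secret, addresses and packet dictionaries are all constructed for the example.

```python
import hashlib
import hmac
import random

# Constructed secret: a real switch would hold a rotating per-device key.
SECRET = b"example-switch-secret"
MASK32 = 0xFFFFFFFF


def syn_cookie(sip, dip, sport, dport, ts, secret=SECRET):
    """32-bit cookie bound to the 4-tuple and a coarse timestamp (constructed scheme)."""
    msg = f"{sip}|{dip}|{sport}|{dport}|{ts}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


class CookieSwitch:
    """Models the slide-17 control flow: whitelist check on SYN, cookie check on ACK.
    The action 'forward' means the packet is passed through to the listener."""

    def __init__(self, now=0):
        self.whitelist = set()
        self.now = now           # coarse clock used for cookie generation
        self.listener_syns = 0   # SYNs that actually reached the listener

    def on_packet(self, pkt):
        sip, dip = pkt["sip"], pkt["dip"]
        sport, dport = pkt["sport"], pkt["dport"]
        if pkt["flags"] == "SYN":
            if sip in self.whitelist:
                self.listener_syns += 1
                return "forward", None
            cookie = syn_cookie(sip, dip, sport, dport, self.now)
            # Answer on behalf of the listener: cookie in the seq# and timestamp fields.
            return "SYN+ACK", {"seq": cookie, "tsval": cookie}
        if pkt["flags"] == "ACK":
            for ts in (self.now, self.now - 1):   # tolerate one clock tick of skew
                expected = syn_cookie(sip, dip, sport, dport, ts)
                if ((pkt["ack"] - 1) & MASK32) == expected:
                    self.whitelist.add(sip)
                    return "RST", None    # client retries; its next SYN is forwarded
            return "forward", None        # ACK of an already established connection
        return "forward", None


def legit_client(switch, sip="198.51.100.7"):
    """Slide 15: a real initiator echoes the cookie, gets RST, then retries its SYN."""
    base = {"sip": sip, "dip": "203.0.113.10", "sport": 40000, "dport": 443}
    action, resp = switch.on_packet({**base, "flags": "SYN"})
    if action != "SYN+ACK":
        return False
    action, _ = switch.on_packet({**base, "flags": "ACK", "ack": (resp["seq"] + 1) & MASK32})
    got_rst = action == "RST"
    action, _ = switch.on_packet({**base, "flags": "SYN"})
    return got_rst and action == "forward"


def bogus_ack(switch, sip="198.51.100.8"):
    """An ACK that does not carry the cookie must not whitelist its source."""
    pkt = {"sip": sip, "dip": "203.0.113.10", "sport": 40001, "dport": 443,
           "flags": "ACK", "ack": 12345}
    switch.on_packet(pkt)
    return sip in switch.whitelist


def spoofed_flood(switch, n=10_000, seed=1):
    """Slide 16: SYNs from random (constructed) spoofed sources in 10.0.0.0/8 that never
    answer the cookie. Returns how many of them reached the listener."""
    rng = random.Random(seed)
    before = switch.listener_syns
    for _ in range(n):
        sip = "10.%d.%d.%d" % (rng.randrange(256), rng.randrange(256), rng.randrange(256))
        switch.on_packet({"sip": sip, "dip": "203.0.113.10", "flags": "SYN",
                          "sport": rng.randrange(1024, 65536), "dport": 443})
    return switch.listener_syns - before
```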
22. DDoS Detection
• Challenges:
1. Large traffic → must be in data-plane
2. Many connections from many sources with low traffic → heavy hitter
detection
• Solution steps:
1. Count number of sources per service/destination in data plane
• Limited memory in data plane → Use an approximation data structure with
guaranteed accuracy (Hyper loglog sketch)
2. Estimate the number of flows and compare against a threshold
• Periodically in control-plane
• Or per packet in data-plane
3. Possible reactions
• Mark packets
• Forward to DDoS mitigation
• Zoom in destination IP range to find which server is under attack
• Zoom in source IP range to find the attacker
23. Hyper LogLog Sketch
• Motivation: Estimate the number of source IPs in many packets
• Intuition: To see a rare pattern in random numbers, we need to see many values
1. If I say I got 100 straight heads in coin tossing, I was either lucky or tossed the coin many times
• Algorithm:
1. Hash source IPs to a uniformly random number
2. Count the number of consecutive 0s at the beginning of the hash
3. Keep track of the maximum number of zeros we have seen so far
• More zeros indicate we saw more source IPs
• 10 zeros → 2^11 IPs on average
4. Do this 1000s of times per packet and track separate numbers to get an accurate estimate (avoid lucky cases)
• Updating only 1 of the 1000s at random has the same accuracy
5. Read the 1000s of counters and use the average
25. Implementation: Count in data-plane, compare in control-plane
Data-plane: Hash → Count # zeros → Track max zeros (for destinations on the Watchlist)
Control-plane, periodically:
1. fetch counters from data-plane
2. estimate and compare against threshold
3. reset counters

// P4 fragment from the slide: a ternary match on the hash selects the
// number of leading zeros, and the action writes it into packet metadata.
table count_zeros {
    reads {
        hll_md.hash : ternary;
    }
    actions {
        count_zeros_do;
    }
    size : 64;
}

action count_zeros_do(zeros) {
    modify_field(hll_md.zeros, zeros);
}
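An added Python model of the sketch-and-threshold pipeline described on slides 22, 23 and 25, not code from the presentation: the data-plane update keeps the maximum leading-zero count per register, and the control-plane step estimates, compares against a threshold and resets. The register count p, the threshold and the 10.0.0.0/8 sample sources are constructed for the example.

```python
import hashlib
import math
import random


class HyperLogLog:
    """HyperLogLog sketch for counting distinct source IPs (slide 23).
    2**p registers; each packet updates the one register selected by the
    top p hash bits, keeping the max leading-zero count of the remaining bits."""

    def __init__(self, p=12):
        self.p = p
        self.m = 1 << p
        self.registers = [0] * self.m

    @staticmethod
    def _hash64(item):
        # 64-bit uniformly distributed value derived from the source IP string
        return int.from_bytes(hashlib.blake2b(item.encode(), digest_size=8).digest(), "big")

    def add(self, src_ip):
        """Data-plane update: hash, count leading zeros, track the maximum."""
        h = self._hash64(src_ip)
        idx = h >> (64 - self.p)                       # register chosen by the hash
        rest = h & ((1 << (64 - self.p)) - 1)
        rank = (64 - self.p) - rest.bit_length() + 1   # leading zeros + 1
        if rank > self.registers[idx]:
            self.registers[idx] = rank

    def estimate(self):
        """Harmonic mean of the registers, with linear counting for small sets."""
        m = self.m
        alpha = 0.7213 / (1 + 1.079 / m)
        raw = alpha * m * m / sum(2.0 ** -r for r in self.registers)
        zeros = self.registers.count(0)
        if raw <= 2.5 * m and zeros:
            return m * math.log(m / zeros)
        return raw

    def reset(self):
        self.registers = [0] * self.m


def control_plane_check(sketch, threshold):
    """Periodic control-plane step (slide 25): estimate, compare, reset."""
    est = sketch.estimate()
    alarm = est > threshold
    sketch.reset()
    return est, alarm


def distinct_sources(n, seed):
    """Constructed sample: n distinct source addresses in 10.0.0.0/8."""
    rng = random.Random(seed)
    ips = set()
    while len(ips) < n:
        ips.add("10.%d.%d.%d" % (rng.randrange(256), rng.randrange(256), rng.randrange(256)))
    return sorted(ips)


def simulate(n_sources, packets_per_source=1, threshold=10_000, p=12, seed=7):
    """Feed packets for one destination through the sketch and run the check.
    Repeated packets from the same source must not change the estimate."""
    sketch = HyperLogLog(p)
    for ip in distinct_sources(n_sources, seed):
        for _ in range(packets_per_source):
            sketch.add(ip)
    return control_plane_check(sketch, threshold)
```

With p=12 (4096 registers) the relative error is around 1.6%, so a threshold comparison is reliable well before the per-destination counters would fit a plain hash table.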
26. Results
[Figure: estimation error vs. # counters (SRAM bytes for Track max zeros table)]
● Detection Latency:
○ Control-plane: ~5ms to fetch counters and estimate
○ Data-plane: 0 (it is per packet)
● Estimation error: if the threshold is 1B, we may report a destination with >0.985B or ignore one with <1.15B source IPs
27. Summary
Benefits of In-Network DDoS detection
• A Tofino implementation guarantees high scalability and line-rate performance under any type of attack with minimal consumption of on-chip memory and resources.
• In-network DDoS detection can be implemented in Tofino with high accuracy and negligible probability for false positives.
• P4 programmability allows customers flexibility and customization of the DDoS detection methods and mitigation actions.
• Granular statistics allow customers to quickly identify which applications and services are under attack.
• When compared with a DDoS solution using NetFlow, a Tofino-based approach is multiple orders of magnitude faster in detecting a DDoS attack (tens of milliseconds vs. tens of seconds).
28. Summary
In-Network DDoS detection with a programmable chipset like Tofino:
• High scalability & line-rate with minimal memory consumption
• High accuracy vs. negligible probability for false positives
• P4 programmability: flexible customization of detection methods and mitigation actions
• Granular statistics: quickly identify apps & services under attack
• Multiple orders of magnitude faster than NetFlow based solutions (tens of milliseconds vs. tens of seconds)