This document describes a system that uses a portable remote security device and wiki software to help network administrators monitor for and respond to malicious bots within protected sub-LAN networks. The remote security device can monitor network traffic, filter malicious packets, and intercept and forward suspicious traffic to aid in identifying compromised hosts. The central network manager controls the device using commands written on a wiki page, allowing them to remotely monitor sub-LANs and work with local managers to quickly identify and remove malicious bots.
This presentation covers different attacks that can be leveraged against wireless networks using Enterprise (802.1x) authentication. Attendees will learn about and see demonstrations of these attacks, many of which can be used to reveal the credentials used to join the wireless network. The presentation concludes with recommendations on how to defend against these attacks.
Matt Neely (CISSP, CTGA, GCIH and GCWN) is the Profiling Team Manager at SecureState, a Cleveland Ohio based security consulting company. At SecureState, Matt and his team perform traditional penetration tests, physical penetration tests, web application security reviews and wireless security assessments. His research interests include the convergence of physical and logical security, cryptography and all things wireless. Matt is also a host on the Security Justice podcast.
Improvement in Rogue Access Points - SensePost Defcon 22 (SensePost)
A supporting slide deck for SensePost's Defcon 22 talk. It contains more useful written information than the picture-heavy version we presented at the conference. You can see the conference video at https://www.youtube.com/watch?v=i2-jReLBSVk and can get the code at https://github.com/sensepost/mana
IX 2020 - Internet Security & Mitigation of Risk Webinar: Linux Malware and D... (APNIC)
APNIC's Senior Security Specialist Adli Wahid gave a presentation on Linux malware, DDoS agents and bots, based on observations from the Honeynet project at the IX 2020 – Internet Security and Mitigation of Risk Webinar, held online on 15 June 2020.
The presentation covers basic and advanced DDoS attacks: the tools, techniques and methods used to perform them, and how to prevent them using the mechanisms present in TCP/IP. Given the different network and application protocols of TCP/IP, we tried to describe where DDoS attacks become possible in the communication process. Each attack is separately analyzed and described, and the defense technique is described using the same analogy. Our motto: if there is a DDoS case, there was a way to defend against it.
Meet Remaiten : Malware Builds Botnet on Linux based routers and potentially ... (APNIC)
Meet Remaiten : Malware Builds Botnet on Linux based routers and potentially other (IoT) devices by Afifa Abbas.
A presentation given at APNIC 42's FIRST TC Security Session (2) session on Wednesday, 5 October 2016.
Zhiyun Qian - what leaves attacker hijacking USA Today site (GeekPwn Keen)
In the GeekPwn 2016 Mid-year Contest, Cao Yue, a doctoral student of Dr. Zhiyun Qian, demonstrated a 'TCP hijacking' attack. This attack can pop up a phishing web page and steal the user's password. The vulnerability in the TCP/IP stack exists in almost all Android and Linux editions. As Cao Yue explained, the vulnerability was found by his advisor, Mr. Qian, by reviewing the Linux kernel source code.
Attackers don't just search for technology vulnerabilities; they take the easiest path and find the human vulnerabilities. Drive-by web attacks, targeted spear phishing, and more are commonplace today, with the goal of delivering custom malware. In a world where custom advanced malware handily evades signature and blacklisting approaches and does not depend on application software vulnerabilities, how do we know when our environments are compromised? What are the telltale signs that compromise activity has started, and how can we move to arrest a compromise in progress before the attacker moves laterally and reinforces their position? The penetration testing community knows these signs and artifacts of advanced malware presence, and it is up to us to help educate defenders on what to look for.
Presentation given at the Brucon security conference in Ghent, Belgium. Two new attacks are described. The first is a Denial of Service attack capable of halting all traffic for one minute by injecting only two frames. The second attack allows the injection of arbitrarily many packets towards a client. It is shown that this can be used to perform a portscan on any TKIP-secured client.
Practical procedures for protection against DDoS attacks - The talk will cover procedures for protecting against DoS/DDoS attacks, from the lowest to the highest layer, from small websites to corporate networks.
www.security-session.cz
DerbyCon 2016
Nick Landers @monoxgas
External mail via Exchange is one of the most common services offered by organizations today. The Microsoft Office suite is even more prevalent, making Outlook the most common mail client around. This talk focuses on the abuse of these two products for the purpose of gaining code execution inside remote networks. Subjects include e-mail and password scraping, OWA/EWS brute forcing techniques, and new research into abusing Outlook mail rules for remote code execution. Learn about the capabilities of client-side rules, the underlying Windows APIs, and how to modify these rule objects to make phishing attacks obsolete. Security Consultant at Silent Break Security. Professional Hacker for 2 years. Current work involves writing custom malware and researching unique attack vectors that abuse functionality in Windows environments.
Actual Condition Survey of Malware Download Sites for A Long Period (APNIC)
Actual Condition Survey of Malware Download Sites for A Long Period, by Yasuyuki Tanaka.
A presentation given at APRICOT 2016’s Network Security session on 24 February 2016.
A Wearable LED Matrix Sign System @ ACM SIGUCCS 2015 (Takashi Yamanoue)
A Wearable LED Matrix Sign System Which Shows a Tweet of Twitter and Its Application to Campus Guiding and Emergency Evacuation @ ACM SIGUCCS 2015, Lightning talks.
An experimental parallel programming environment using bots and a wiki, together with example programs, is shown. The aim is to turn the fault tolerance and massive parallelism of malicious bots, which have troubled information security staff, in a beneficial direction for scientific and general computing. As an example, a parallel program that solves the minimal path problem using dynamic programming is shown. Here, the required computing resources (the number of bots and web pages) are proportional to the number of nodes, and the time required to compute the minimal path is proportional to the number of arcs in the minimal path found.
A Technique to Assign an Appropriate Server to a Client, for a CDN Consists ... (Takashi Yamanoue)
This paper discusses a technique to assign an appropriate server to a client for a content delivery network (CDN). We assume that the CDN consists of not only servers in the global Internet but also servers in hierarchical private networks. To use a common web browser as the client, this technique does not use broadcasting or multicasting. When a client is placed in a private network and a server of the CDN is also placed in the same private network, the client is connected to the server automatically by using this technique. When a client is placed in a private network and no CDN server is in the private network, or when the client is placed in the global network, the client is connected to a server in the global network automatically. This technique could improve the bandwidth between a server and a client when they are placed in the same private network because the TCP bandwidth heavily depends on latency. The CDN user does not need to know the location of a server. This technique does not use DNS because a CDN server in a private network is not always registered in the DNS.
We describe an information presentation system that tweets automatically on Twitter according to a script written on a wiki, together with its development and usage examples. Here, the host that actually tweets and the host of the wiki server on which the script is written are independent. Using this system we extended a wearable LED sign board and, with it, were able to keep sending messages to the surrounding participants and roadside spectators from the start to the finish of a full marathon. We also consider extending this system to help with fault countermeasures for application systems on the Internet and with reducing the downtime caused by hardware and software updates.
A system which tweets messages automatically is shown. The system is a kind of bot network whose bots are controlled by commands on a wiki page, according to the script on that page. We have constructed a wearable LED matrix sign which tweets automatically using this system, and we have applied it to public relations in a full marathon race. We also consider using the structure of this system to enhance the resilience of application systems.
Portable Cloud Computing System – A System which Makes Everywhere an ICT Enh... (Takashi Yamanoue)
A "Portable Cloud Computing System (Portable Cloud)" is discussed. This system is a portable system that can turn any room into an ICT-enhanced classroom or an ICT-enhanced meeting room. The Portable Cloud is a carrying case which contains Wi-Fi access points, a network switch, and a server cluster. The server cluster includes a NAPT (Network Address Port Translation) router, a DHCP server, a captive portal, and application servers. The Wi-Fi access points, the NAPT router, the captive portal and the DHCP server make the space where the Portable Cloud is located Internet accessible. The application servers contain applications such as "Distributed Web Screen Share (DWSS)", "Slide Plus", and "OwnCloud". The DWSS is a web application which transmits a live screen image of a PC to a large number of Web clients. Slide Plus is an interactive live slide presentation tool for a large audience with Web clients. OwnCloud is open source software by owncloud.com. This software enables file sharing among students and teachers similar to that found in Dropbox. We are using the Portable Cloud for our seminar class, meetings of grass-roots groups, and academic conferences. We can't imagine holding our seminar class without the Portable Cloud.
It should not be complicated to get started understanding and creating networks in OpenStack. These slides will get you quickly up to speed in a simple way, to understand how the technology works and what you need to create multiple external networks, private and internal networks. Check the original file on www.messeiry.com
In this slide deck we look into wireless penetration testing requirements such as hardware and software and the various IEEE standards, and also take a deep dive into WEP, WPA and WPA2, their security threats, and security best practices.
Threats are possible attacks. They include:
The spread of computer viruses
Infiltration and theft of data from external hackers
Engineered network overloads triggered by malicious mass e-mailing
Misuse of computer resources and confidential information by employees
Unauthorized financial transactions and other kinds of computer fraud conducted in the company's name
Electronic inspection of corporate computer data by outside parties
Damage from failure, fire, or natural disasters
Demystifying Wireless Security Using Open Source Options (Michele Chubirka)
Wireless LANs are often the soft underbelly of an organization's network. Users and guests demand easy access, but corporate resources still need to be protected. An enterprise could break the bank with expensive tools and consultants trying to maintain compliance and minimize risk.
The good news is that there are lots of excellent, well-documented open source (i.e., free) tools available to test and monitor your wireless network. And they don't even require a tin-foil hat.
Bot Computing using the Power of Wiki Collaboration (Takashi Yamanoue)
Bot computing using the power of Wiki collaboration and an experimental implementation of the bot running environment are discussed. While botnets are usually created for malicious purposes, the bot computing in this study aims to use bots for beneficial purposes. The massively parallel and persistence features of a botnet can enhance its computing power and high availability for beneficial computing. Bot computing can also enhance people’s collaboration by introducing dynamic Web pages to previously static Wiki networks. Parallel dynamic programming for solving a minimal path problem is shown as an example. Resources such as the number of bots and the number of web pages were proportional to the number of nodes, and the time to solve the minimal path problem was proportional to the number of arcs of the minimal path.
PHP Frameworks: I want to break free (IPC Berlin 2024) (Ralf Eggert)
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Key Trends Shaping the Future of Infrastructure.pdf (Cheryl Hung)
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Generative AI Deep Dive: Advancing from Proof of Concept to Production (Aggregage)
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
Elevating Tactical DDD Patterns Through Object Calisthenics (Dorra BARTAGUIZ)
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf (Paige Cruz)
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party. I will share these foundational concepts to build on:
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova... (Ramesh Iyer)
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
State of ICS and IoT Cyber Threat Landscape Report 2024 preview (Prayukth K V)
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Transcript: Selling digital books in 2024: Insights from industry leaders - T... (BookNet Canada)
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Accelerate your Kubernetes clusters with Varnish Caching (Thijs Feryn)
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
UiPath Test Automation using UiPath Test Suite series, part 3 (DianaGray10)
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Capturing Malicious Bots using a beneficial bot and wiki
1. Capturing Malicious Bots Using a Beneficial Bot and Wiki
Takashi Yamanoue, Kentaro Oda, Koichi Shimozono
Kagoshima University
2. Contents
• Introduction
• Implementation
• Usage Example
• Related Research
• Concluding Remarks
3. Introduction
• A bot
– runs automated tasks over the Internet.
– usually a malicious application
– controlled by a malicious herder
• Herder
– the master of the bot
4. Introduction
• Many recent viruses
– are used for recruiting a host into a botnet.
• Botnet
– a collection of malicious bots.
• Malicious bots in a campus LAN
– leak private information of students and research secrets,
– spam other people,
– attack other web sites via DDoS.
5. Introduction
• A campus with malicious bots
– may be considered to be engaging in criminal activity.
6. Introduction
• The manager of the campus LAN
– has to be careful about malicious bots and remove a bot quickly when found.
8. Introduction
• NAT or fire-wall
– defends the LAN against intrusion of a malicious bot,
– like a house protected by a door with a key.
– Only permitted IP packets may pass through the fire-wall or the NAT,
– much like only people who have the key may pass through the door of the house.
10. Introduction
• When a host in the sub-LAN is compromised by a malicious bot
– it is hard to identify the compromised host from the outside of the LAN, much like it is hard to find a robber who is hidden in the house or the building.
– DHCP and IPv6 with the privacy address extension (RFC 3041) also make it difficult, because the IP address is changed dynamically.
12. Introduction
• A campus's LAN
– a central network infrastructure + sub-LANs.
• Some sub-LANs
– may be protected by a fire-wall or a NAT.
[Figure: the Internet connected to the central network infrastructure, with several sub-LANs attached to it]
14. Introduction
• One way to realize this is to prohibit use of a fire-wall or a NAT for a sub-LAN.
15. Introduction
• It is easy to define the rule, but unrealistic because broadband routers with fire-wall or NAT function are so common.
"Laws are made to be broken"
16. Introduction
• When malicious communication between a bot in a protected sub-LAN and another host on the outside is discovered by the manager of the central network infrastructure (or the central manager),
17. Introduction
• the central manager usually directs the manager of the sub-LAN to disconnect the sub-LAN from the central network infrastructure immediately.
19. Introduction
• Cannot always find the bot because
– anti-virus software cannot find 0-day attacks,
– the central manager cannot observe the malicious communication in the sub-LAN.
20. Introduction
• Sometimes the central manager would like to monitor sub-LANs in order to find the compromised host. The compromised host should be found as quickly as possible.
24. Introduction
• We have made a network security controlling system which uses
– a remote security device and
– a web site with wiki software (PukiWiki).
26. Introduction
• The central manager can monitor and control the sub-LAN behind a fire-wall or a NAT easily from a web site with common wiki software, using the remote security device.
28. Introduction
• The remote security device is a kind of bot which is controlled by the central manager.
29. Introduction
• The device can do the following:
– Monitor traffic between hosts in the sub-LAN and outside hosts.
– Filter out malicious packets of the traffic.
30. Introduction
– Intercept DNS query packets from the suspicious host and return the IP address of a fake host which pretends to be the herder's host.
– Pretend to be the herder's host, such as by returning a fake syn-ack packet in response to the syn packet from the suspicious host.
31. Introduction
[Figure: system overview. Labels: Fire-Wall, IDS, The Internet, Organization's Central Network Infrastructure, The Wiki Site, Portable Remote Security Device, NAT or Router, Original Connection, This Security Controlling System, Virus Infected Host, Sub-LAN, Auxiliary Switch, Auxiliary Wi-fi AP]
34. • Filter/Controller
– If the packet matches a "select pattern",
• pass the packet through (from one DAQ to another DAQ) and
• send the information of the frame of the packet to the wiki access engine with the status.
– If the packet matches a "drop pattern",
• do not pass the packet through, and send the information of the frame of the packet to the wiki access engine with the status.
35. – If the packet matches a "forward pattern",
• replace the destination IP address and destination port with the IP address and port of a pseudo application on a pseudo host, and pass the replaced packet to another DAQ.
• Send the information of the frame of the original packet to the wiki access engine with the status.
36. – Sends a packet to one of the bridges from one of the DAQs. The sent packet is one of the following:
• The pseudo syn-ack packet in response to a syn packet among the dropped packets.
• The pseudo DNS answer packet in response to a DNS query packet.
45. Usage Example
Commands and Results
• get ip=<IP address>
• get startsWith <String constant>
– Ex. "PING", "PONG", "NICK", "USER" for IRC.
• lan2wan drop ip=<IP address>
• wan2lan drop ip=<IP address>
46. Usage Example
Commands and Results
• lan2wan return-syn-ack ip=<IP address>
• lan2wan forward ip=<IP address 1> to <IP address 2>:<Port>
• lan2wan dns-intercept ip=<IP address 1> to <IP address 2>
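An added example, not the authors' TrafficController code and not taken from the slides, that turns the command syntax above and the select/drop/forward rules of the Filter/Controller into runnable Python: it parses a constructed wiki command block into an ordered rule list, then classifies constructed packets, rewriting the destination of forwarded packets, answering in place of the herder's host for the return-syn-ack and dns-intercept commands, and producing the per-frame status line that the device would write back to the wiki page. The Packet and Rule structures, first-match precedence, matching `ip=` against the packet's source address, the double-quoted string constant after `startsWith`, and all sample addresses are assumptions made here, not details given on the slides.

```python
import re
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Constructed representation of one frame seen by the device (assumption: the
# slides only say "the information of the frame" is reported to the wiki).
@dataclass(frozen=True)
class Packet:
    direction: str   # "lan2wan" or "wan2lan", as in the command syntax
    src_mac: str     # MAC of the sub-LAN host, reported to the wiki page
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes

@dataclass(frozen=True)
class Rule:
    action: str                      # select | drop | forward | return-syn-ack | dns-intercept
    direction: Optional[str] = None  # None: "get" commands apply to both directions
    ip: Optional[str] = None         # assumption: ip=<IP> matches the packet's source IP
    starts_with: Optional[bytes] = None
    to_ip: Optional[str] = None
    to_port: Optional[int] = None

_IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# One regex per command form on the slides; this hypothetical grammar requires the
# startsWith constant to be double-quoted.
_GRAMMAR = [
    (re.compile(rf"^get ip={_IP}$"),
     lambda m: Rule("select", ip=m[1])),
    (re.compile(r'^get startsWith "([^"]*)"$'),
     lambda m: Rule("select", starts_with=m[1].encode())),
    (re.compile(rf"^(lan2wan|wan2lan) drop ip={_IP}$"),
     lambda m: Rule("drop", direction=m[1], ip=m[2])),
    (re.compile(rf"^lan2wan return-syn-ack ip={_IP}$"),
     lambda m: Rule("return-syn-ack", direction="lan2wan", ip=m[1])),
    (re.compile(rf"^lan2wan forward ip={_IP} to {_IP}:(\d+)$"),
     lambda m: Rule("forward", direction="lan2wan", ip=m[1], to_ip=m[2], to_port=int(m[3]))),
    (re.compile(rf"^lan2wan dns-intercept ip={_IP} to {_IP}$"),
     lambda m: Rule("dns-intercept", direction="lan2wan", ip=m[1], to_ip=m[2])),
]

def parse_commands(wiki_text: str) -> List[Rule]:
    """Turn the command block read from the wiki page into an ordered rule list.
    Unknown lines raise, so a typo on the wiki page cannot silently pass traffic."""
    rules: List[Rule] = []
    for raw in wiki_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for pattern, build in _GRAMMAR:
            m = pattern.match(line)
            if m:
                rules.append(build(m))
                break
        else:
            raise ValueError(f"unrecognised command: {line!r}")
    return rules

def _matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.ip is not None and rule.ip != pkt.src_ip:
        return False
    if rule.starts_with is not None and not pkt.payload.startswith(rule.starts_with):
        return False
    return True

def apply_rules(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[Packet], Optional[str]]:
    """Classify one packet. Returns (verdict, packet handed to the other DAQ or the
    pseudo reply, status line for the wiki access engine). First matching rule wins
    (assumption: the slides do not state a precedence)."""
    for rule in rules:
        if not _matches(rule, pkt):
            continue
        status = (f"{rule.action} {pkt.direction} mac={pkt.src_mac} "
                  f"{pkt.src_ip}->{pkt.dst_ip}:{pkt.dst_port}")
        if rule.action == "select":            # pass through and report
            return "pass", pkt, status
        if rule.action == "drop":              # do not pass, report
            return "drop", None, status
        if rule.action == "forward":           # rewrite destination to the pseudo host
            return "pass", replace(pkt, dst_ip=rule.to_ip, dst_port=rule.to_port), status
        # return-syn-ack / dns-intercept: the device answers in place of the herder's host.
        # The payloads are stand-ins for the real pseudo syn-ack / DNS answer packets.
        reply_payload = (b"SYN-ACK" if rule.action == "return-syn-ack"
                         else b"DNS-ANSWER " + rule.to_ip.encode())
        reply = Packet("wan2lan", "device", pkt.dst_ip, pkt.src_ip, 0, reply_payload)
        return "respond", reply, status        # client-side port not modelled (dst_port=0)
    return "pass", pkt, None                   # no pattern matched: pass silently

# Constructed wiki command block and traffic sample (addresses from RFC 5737 ranges).
WIKI_PAGE = """
# commands written by the central manager (constructed example)
get startsWith "NICK"
lan2wan drop ip=192.0.2.10
lan2wan dns-intercept ip=192.0.2.11 to 198.51.100.5
lan2wan forward ip=192.0.2.12 to 198.51.100.7:23
"""
SAMPLE_PACKETS = [
    Packet("lan2wan", "00:11:22:33:44:55", "192.0.2.10", "203.0.113.9", 6667, b"PING :x"),
    Packet("lan2wan", "00:11:22:33:44:66", "192.0.2.20", "203.0.113.9", 6667, b"NICK bot42"),
    Packet("lan2wan", "00:11:22:33:44:77", "192.0.2.11", "203.0.113.53", 53, b"\x12\x34 query"),
    Packet("lan2wan", "00:11:22:33:44:88", "192.0.2.12", "203.0.113.9", 80, b"GET /"),
    Packet("wan2lan", "aa:bb:cc:dd:ee:ff", "203.0.113.9", "192.0.2.20", 40000, b"ok"),
]

def run(wiki_text: str = WIKI_PAGE, packets=SAMPLE_PACKETS):
    rules = parse_commands(wiki_text)
    return [apply_rules(rules, p) for p in packets]

if __name__ == "__main__":
    for verdict, out, status in run():
        print(verdict, status, out.payload if out else None)
```

The status line carries the MAC address of the sub-LAN host together with the original addresses, which is what the sub-manager needs to locate a host whose IP address changes under DHCP; a forwarded packet is reported with its original destination, as slide 35 requires, while the copy handed on carries the rewritten one.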
48. Usage Example
Responding Infection
• The central manager identifies the suspicious sub-LAN by using an IDS, a firewall, or a managed security monitoring service.
49. Usage Example
Responding Infection
• The central manager asks the sub-manager of the sub-LAN to disconnect the NAT or router of the sub-LAN from the central network infrastructure.
50. Usage Example
Responding Infection
• The central manager writes commands on the wiki page to capture and filter out the suspicious packets. The manager configures the remote security device to connect the device to the wiki page.
51. Usage Example
Responding Infection
• The central manager sends the portable sensor device to the sub-manager
– after the sub-manager agrees with the need for identifying the suspicious host.
• The sub-manager connects the remote security device to the sub-LAN and starts it.
52. Usage Example
Responding Infection
• The remote security device reads the commands on the wiki page periodically.
• When the device detects suspicious packets, the device drops the packets and writes information about the packets, with the MAC address of the suspicious host in the sub-LAN, on the wiki page.
53. Usage Example
Responding Infection
• The central manager confirms the information of the suspicious packets on the wiki page, and if the manager judges the packets to be malicious,
• the central manager asks the sub-manager to disconnect the host from that sub-LAN.
54. Usage Example
Responding Infection
• If the central manager wants a deeper analysis of the traffic, the manager can prepare a telnet server and write commands on the wiki page for forwarding the packets from the suspicious host to the telnet server.
55. Usage Example
Responding Infection
• When a suspicious packet is forwarded to the telnet server, the central manager can see the contents of the packet and can respond to the packet on the telnet server.
56. Usage Example
Responding Infection
• When the sub-manager cannot identify the suspicious host, the central manager writes the command which transfers packets from the host to a notification web server on the wiki page.
57. Usage Example
Responding Infection
• The notification web server
– notifies the user of the suspicious host that the host is suspicious and asks the user of the host to call the sub-manager.
• The sub-manager
– disconnects the suspicious host,
59. Related research
• Security Monitoring System
• Snort
• Observing MAC address at the WAN side
• Unix device with two NICs
• KASEYA and UNIFAS
60. Concluding Remarks
• Bot for Bot
• An easy way of incident response
• Wiki
• Not yet stable enough for real use
– We hope to have your support and assistance.
– https://github.com/takashiyamanoue/TrafficController
• Should not turn to the dark side.
61. • Masato Masuya, Takashi Yamanoue, Shinichiro Kubota, "An Experience of Monitoring University Network Security Using a Commercial Service and DIY Monitoring", Proceedings of the 34th annual ACM SIGUCCS conference on User services, pp. 225-230, Edmonton, Alberta, Canada, 5-8 Nov. 2006.