SlideShare a Scribd company logo

D4 Project Presentation

W
Wawszyniak Dumont Grégory

A large-scale distributed sensor network to monitor DDoS and other malicious activities relying on an open and collaborative project.

Technology
1 of 34
Download to read offline
D4 Project Open and collaborative network monitoring D4 projectTeam CIRCL https://www.d4-project.org/ 2019/05/21 Jean-Louis Huynen
Problem statement CSIRTs (or private organisations) build their own honeypot, honeynet or blackhole monitoring network Designing, managing and operating such infrastructure is a tedious and resource intensive task Automatic sharing between monitoring networks from different organisations is missing Sensors and processing are often seen as blackbox or difficult to audit 1 33
Objective Based on our experience with MISP1 where sharing played an important role, we transpose the model in D4 project Keeping the protocol and code base simple and minimal Allowing every organisation to control and audit their own sensor network Extending D4 or encapsulating legacy monitoring protocols must be as simple as possible Ensuring that the sensor server has no control on the sensor (unidirectional streaming) Don’t force users to use dedicated sensors and allow flexibility of sensor support (software, hardware, virtual) 1 https://github.com/MISP/MISP 2 33
D4 Overview 3 33
(short) History D4 Project (co-funded under INEA CEF EU program) started - 1st November 2018 D4 encapsulation protocol version 1 published - 1st December 2018 v0.1 release of the D4 core2 including a server and simple D4 C client - 21st January 2019 First version of a golang D4 client3 running on ARM, MIPS, PPC and x86 - 14th February 2019 2 https://www.github.com/D4-project/d4-core 3 https://www.github.com/D4-project/d4-goclient/ 4 33
(short) History Release Date analyzer-d4-passivedns-v0.1 Apr. 5, 2019 analyzer-d4-passivessl-0.1 Apr. 25, 2019 analyzer-d4-pibs-v0.1 Apr. 8, 2019 BGP-Ranking-1.0 Apr. 25, 2019 d4-core-v0.1 Jan. 25, 2019 d4-core-v0.2 Feb. 14, 2019 d4-core-v0.3 Apr. 8, 2019 d4-goclient-v0.1 Feb. 14, 2019 d4-goclient-v0.2 Apr. 8, 2019 d4-server-packer-0.1 Apr. 25, 2019 IPASN-History-1.0 Apr. 25, 2019 sensor-d4-tls-fingerprinting-0.1 Apr. 25, 2019 see https://github.com/D4-Project 5 33
Roadmap - output CIRCL will host a server instance for organisations willing to contribute to a public dataset without running their own D4 server: Blackhole DDoS Passive DNS Passive SSL BGP mapping egress filtering mapping Radio-Specturm monitoring: 802.11, BLE, etc. ... 6 33
D4 encapsulation protocol 7 33
D4 Header Name bit size Description version uint 8 Version of the header type uint 8 Data encapsulated type uuid uint 128 Sensor UUID timestamp uint 64 Encapsulation time hmac uint 256 Authentication header (HMAC-SHA-256-128) size uint 32 Payload size 8 33
D4 Header Type Description 0 Reserved 1 pcap (libpcap 2.4) 2 meta header (JSON) 3 generic log line 4 dnscap output 5 pcapng (diagnostic) 6 generic NDJSON or JSON Lines 7 generic YAF (Yet Another Flowmeter) 8 passivedns CSV stream 254 type defined by meta header (type 2) 9 33
D4 meta header D4 header includes an easy way to extend the protocol (via type 2) without altering the format. Within a D4 session, the initial D4 packet(s) type 2 defines the custom headers and then the following packets with type 254 is the custom data encapsulated. { " type " : " ja3−j l " , " encoding " : " utf −8", " tags " : [ " tlp : white " ] , "misp : org " : "5 b642239−4db4−4580−adf4−4ebd950d210f " } 10 33
D4 server D4 core server4 is a complete server to handle clients (sensors) including the decapsulation of the D4 protocol, control of sensor registrations, management of decoding protocols and dispatching to adequate decoders/analysers. D4 server is written in Python 3.6 and runs on standard GNU/Linux distribution. 4 https://github.com/D4-project/d4-core 11 33
D4 server - management interface The D4 server provides a web interface to manage D4 sensors, sessions and analyzer. Get Sensors status, errors and statistics Get all connected sensors Manage Sensors (stream size limit, secret key, ...) Manage Accepted types UUID/IP blocklist Create Analyzer Queues 12 33
D4 server - main interface 13 33
D4 server - server management 14 33
D4 server - server management 15 33
D4 server - sensor overview 16 33
D4 server - sensor management 17 33
A distributed Network telescope to observe DDoS attacks 18 33
Motivation DDoS Attacks produce an observable side-effect: 0 500000 1 × 106 1.5 × 106 2 × 106 2.5 × 106 3 × 106 01/10 01/24 02/07 02/21 03/07 https://www.circl.lu/ Numberofpackets date (month / day) Backscatter traffic volume per 5 minutes in 2019 (/22) backscatter tcp traffic 19 33
What can be derived from backscatter traffic? External point of view on ongoing Denial of Service attacks: Confirm if there is a DDoS attack Recover time line of attacked targets Confirm which services (DNS, webserver, . . . ) Observe Infrastructure changes Assess the state of an infrastructure under denial of service attack Detect failure/addition of intermediate network equipments, firewalls, proxy servers etc Detect DDoS mitigation devices Create models of DoS/DDoS attacks 20 33
D4 in this setting D4 - for data collection and processing: provide various points of observation in non contiguous address space, aggregate and mix backscatter traffic collected from D4 sensors, perform analysis on big amount of data. D4 - from a end-user perspective: provide backscatter analysis results, provide daily updates, provide additional relevant (or pivotal) information (DNS, BGP, etc.), provide an API and search capabilities. 21 33
First release analyzer-d4-pibs5, an analyzer for a D4 network sensor: processes data produced by D4 sensors (pcaps), displays potential backscatter traffic on standard output, focuses on TCP SYN flood in this first release. 5 https://github.com/D4-project/analyzer-d4-pibs 22 33
Passive DNS 23 33
Problem statement CIRCL (and other CSIRTs) have their own passive DNS6 collection mechanisms Current collection models are affected with DoH7 and centralised DNS services DNS answers collection is a tedious process Sharing Passive DNS stream between organisation is challenging due to privacy 6 https://www.circl.lu/services/passive-dns/ 7 DNS over HTTPS 24 33
Potential Strategy Improve Passive DNS collection diversity by being closer to the source and limit impact of DoH (e.g. at the OS resolver level) Increasing diversity and mixing models before sharing/storing Passive DNS records Simplify process and tools to install for Passive DNS collection by relying on D4 sensors instead of custom mechanisms Provide a distributed infrastructure for mixing streams and filtering out the sharing to the validated partners 25 33
First release analyzer-d4-passivedns8, an analyzer for a D4 network sensor: processes data produced by D4 sensors (in passivedns CSV format9 ), ingests these into a Passive DNS server which can be queried later to search for the Passive DNS records, provides a lookup server (using on redis-compatible backend) that is a Passive DNS REST server compliant to the Common Output Format10 . 8 https://github.com/D4-project/analyzer-d4-passivedns 9 https://github.com/gamelinux/passivedns 10 https://tools.ietf.org/html/ draft-dulaunoy-dnsop-passive-dns-cof-04 26 33
Passive SSL revamping 27 33
A passive SSL fingerprinter CSIRT’s rationale for collecting TLS handshakes: pivot on additional data points, find owners of IP addresses, detect usage of CIDR blocks, detect vulnerable systems, detect compromised services, detect key material reuse, detect weak keys. 28 33
Objectives - TLS Fingerprinting Keeping a log of links between: x509 certificates, ports, IP address, client (ja3), server (ja3s), “JA3 is a method for creating SSL/TLS client fingerprints that should be easy to produce on any platform and can be easily shared for threat intelligence.”11 11 https://github.com/salesforce/ja3 29 33
Objectives - Mind your Ps and Qs Collect and store x509 certificates and TLS sessions: Public keys type and size, moduli and exponents, curves parameters. Detect anti patterns in crypto: Shared Public Keys, Moduli that share one prime factor, Moduli that share both prime factor, Small factors, Nonces reuse / common preffix or suffix, etc. 30 33
First release sensor-d4-tls-fingerprinting 12: Extracts and fingerprints certificates, and computes TLSH fuzzy hash. analyzer-d4-passivessl 13: Stores Certificates / PK details in a PostgreSQL DB. lookup-d4-passivessl 14: Exposes the DB through a public REST API. 12 github.com/D4-project/sensor-d4-tls-fingerprinting 13 github.com/D4-project/analyzer-d4-passivessl 14 github.com/D4-project/lookup-d4-passivessl 31 33
Future Mixing models for passive collection streams (for privacy) in next version of D4 core server Interconnecting private D4 sensor networks with other D4 sensor networks (sharing to partners filtered stream) Previewing datasets collected in D4 sensor network and providing open data stream (if contributor agrees to share under specific conditions) Leverage MISP sharing communities to augment Threat Intelligence, and provide accurate metrology. 32 33
Get in touch if you want to join the project, host a sensor or contribute Collaboration can include research partnership, sharing of collected streams or improving the software. Contact: info@circl.lu https://github.com/D4-Project https://twitter.com/d4_project https://d4-project.org 33 / 33

Recommended

Sectools
SectoolsSectools
Sectoolssecuredome
 
aaa
aaaaaa
aaahungnhatban
 
Network Monitoring with Wireshark
Network Monitoring with WiresharkNetwork Monitoring with Wireshark
Network Monitoring with WiresharkSiddharth Coontoor
 
Chapter 7 security tools i
Chapter 7 security tools iChapter 7 security tools i
Chapter 7 security tools iSyaiful Ahdan
 
COMP8045 - Project Report v.1.3
COMP8045 - Project Report v.1.3COMP8045 - Project Report v.1.3
COMP8045 - Project Report v.1.3Soon Zoo Kwon
 
Cont-Forensic-Analytics-Dipto-14Apr2015-post
Cont-Forensic-Analytics-Dipto-14Apr2015-postCont-Forensic-Analytics-Dipto-14Apr2015-post
Cont-Forensic-Analytics-Dipto-14Apr2015-postDipto Chakravarty
 
Final report
Final reportFinal report
Final reportJagbir Kalirai
 
Lightweight cryptography
Lightweight cryptographyLightweight cryptography
Lightweight cryptographyShivam Singh
 

Recommended

Sectools
SectoolsSectools
Sectoolssecuredome
 
aaa
aaaaaa
aaahungnhatban
 
Network Monitoring with Wireshark
Network Monitoring with WiresharkNetwork Monitoring with Wireshark
Network Monitoring with WiresharkSiddharth Coontoor
 
Chapter 7 security tools i
Chapter 7 security tools iChapter 7 security tools i
Chapter 7 security tools iSyaiful Ahdan
 
COMP8045 - Project Report v.1.3
COMP8045 - Project Report v.1.3COMP8045 - Project Report v.1.3
COMP8045 - Project Report v.1.3Soon Zoo Kwon
 
Cont-Forensic-Analytics-Dipto-14Apr2015-post
Cont-Forensic-Analytics-Dipto-14Apr2015-postCont-Forensic-Analytics-Dipto-14Apr2015-post
Cont-Forensic-Analytics-Dipto-14Apr2015-postDipto Chakravarty
 
Final report
Final reportFinal report
Final reportJagbir Kalirai
 
Lightweight cryptography
Lightweight cryptographyLightweight cryptography
Lightweight cryptographyShivam Singh
 
Fulltext02
Fulltext02Fulltext02
Fulltext02Aichetou Elkhadar
 
Network security
Network securityNetwork security
Network securityGreater Noida Institute Of Technology
 
DNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael CasadevallDNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael CasadevallGlenn McKnight
 
The IPv6 Snort Plugin (at Troopers 14 IPv6 Security Summit)
The IPv6 Snort Plugin (at Troopers 14 IPv6 Security Summit)The IPv6 Snort Plugin (at Troopers 14 IPv6 Security Summit)
The IPv6 Snort Plugin (at Troopers 14 IPv6 Security Summit)Martin Schütte
 
Строим ханипот и выявляем DDoS-атаки
Строим ханипот и выявляем DDoS-атакиСтроим ханипот и выявляем DDoS-атаки
Строим ханипот и выявляем DDoS-атакиPositive Hack Days
 
L2 tp., ip sec
L2 tp., ip secL2 tp., ip sec
L2 tp., ip secZekriaMuzafar
 
Certified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetCertified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetDavid Sweigert
 
Security Issues in Next Generation IP and Migration Networks
Security Issues in Next Generation IP and Migration NetworksSecurity Issues in Next Generation IP and Migration Networks
Security Issues in Next Generation IP and Migration NetworksIOSR Journals
 
Qualifying exam-2015-final
Qualifying exam-2015-finalQualifying exam-2015-final
Qualifying exam-2015-finalOpen Networking Perú (Opennetsoft)
 
Proposed Lightweight Block Cipher Algorithm for Securing Internet of Things
Proposed Lightweight Block Cipher Algorithm for Securing Internet of ThingsProposed Lightweight Block Cipher Algorithm for Securing Internet of Things
Proposed Lightweight Block Cipher Algorithm for Securing Internet of ThingsSeddiq Q. Abd Al-Rahman
 
DETECTION OF ALGORITHMICALLY GENERATED MALICIOUS DOMAIN
DETECTION OF ALGORITHMICALLY GENERATED MALICIOUS DOMAINDETECTION OF ALGORITHMICALLY GENERATED MALICIOUS DOMAIN
DETECTION OF ALGORITHMICALLY GENERATED MALICIOUS DOMAINcscpconf
 
Antony's Final Draft v7
Antony's Final Draft v7Antony's Final Draft v7
Antony's Final Draft v7Antony Law
 
Security and Usability: Designing Security Tooling That Roboticists Can Use
Security and Usability: Designing Security Tooling That Roboticists Can UseSecurity and Usability: Designing Security Tooling That Roboticists Can Use
Security and Usability: Designing Security Tooling That Roboticists Can UseRuffin White
 
Introduction P2p
Introduction P2pIntroduction P2p
Introduction P2pDavide Carboni
 
How the CC Harmonizes with Secure Software Development Lifecycle
How the CC Harmonizes with Secure Software Development LifecycleHow the CC Harmonizes with Secure Software Development Lifecycle
How the CC Harmonizes with Secure Software Development LifecycleSeungjoo Kim
 
Leverage the Network to Detect and Manage Threats
Leverage the Network to Detect and Manage ThreatsLeverage the Network to Detect and Manage Threats
Leverage the Network to Detect and Manage ThreatsCisco Canada
 
Look at ipv6 security advantages over ipv4
Look at ipv6 security advantages over ipv4Look at ipv6 security advantages over ipv4
Look at ipv6 security advantages over ipv4Alexander Decker
 
A Technique by using Neuro-Fuzzy Inference System for Intrusion Detection and...
A Technique by using Neuro-Fuzzy Inference System for Intrusion Detection and...A Technique by using Neuro-Fuzzy Inference System for Intrusion Detection and...
A Technique by using Neuro-Fuzzy Inference System for Intrusion Detection and...IJMER
 
Futex ppt
Futex pptFutex ppt
Futex pptOECLIB Odisha Electronics Control Library
 
(130511) #fitalk network forensics and its role and scope
(130511) #fitalk network forensics and its role and scope(130511) #fitalk network forensics and its role and scope
(130511) #fitalk network forensics and its role and scopeINSIGHT FORENSIC
 
Splunk App for Stream
Splunk App for StreamSplunk App for Stream
Splunk App for StreamSplunk
 
Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Chris Sistrunk
 

More Related Content

What's hot

DNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael CasadevallDNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael CasadevallGlenn McKnight
 
The IPv6 Snort Plugin (at Troopers 14 IPv6 Security Summit)
The IPv6 Snort Plugin (at Troopers 14 IPv6 Security Summit)The IPv6 Snort Plugin (at Troopers 14 IPv6 Security Summit)
The IPv6 Snort Plugin (at Troopers 14 IPv6 Security Summit)Martin Schütte
 
Строим ханипот и выявляем DDoS-атаки
Строим ханипот и выявляем DDoS-атакиСтроим ханипот и выявляем DDoS-атаки
Строим ханипот и выявляем DDoS-атакиPositive Hack Days
 
Certified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetCertified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetDavid Sweigert
 
Security Issues in Next Generation IP and Migration Networks
Security Issues in Next Generation IP and Migration NetworksSecurity Issues in Next Generation IP and Migration Networks
Security Issues in Next Generation IP and Migration NetworksIOSR Journals
 
Proposed Lightweight Block Cipher Algorithm for Securing Internet of Things
Proposed Lightweight Block Cipher Algorithm for Securing Internet of ThingsProposed Lightweight Block Cipher Algorithm for Securing Internet of Things
Proposed Lightweight Block Cipher Algorithm for Securing Internet of ThingsSeddiq Q. Abd Al-Rahman
 
DETECTION OF ALGORITHMICALLY GENERATED MALICIOUS DOMAIN
DETECTION OF ALGORITHMICALLY GENERATED MALICIOUS DOMAINDETECTION OF ALGORITHMICALLY GENERATED MALICIOUS DOMAIN
DETECTION OF ALGORITHMICALLY GENERATED MALICIOUS DOMAINcscpconf
 
Antony's Final Draft v7
Antony's Final Draft v7Antony's Final Draft v7
Antony's Final Draft v7Antony Law
 
Security and Usability: Designing Security Tooling That Roboticists Can Use
Security and Usability: Designing Security Tooling That Roboticists Can UseSecurity and Usability: Designing Security Tooling That Roboticists Can Use
Security and Usability: Designing Security Tooling That Roboticists Can UseRuffin White
 
How the CC Harmonizes with Secure Software Development Lifecycle
How the CC Harmonizes with Secure Software Development LifecycleHow the CC Harmonizes with Secure Software Development Lifecycle
How the CC Harmonizes with Secure Software Development LifecycleSeungjoo Kim
 
Leverage the Network to Detect and Manage Threats
Leverage the Network to Detect and Manage ThreatsLeverage the Network to Detect and Manage Threats
Leverage the Network to Detect and Manage ThreatsCisco Canada
 
Look at ipv6 security advantages over ipv4
Look at ipv6 security advantages over ipv4Look at ipv6 security advantages over ipv4
Look at ipv6 security advantages over ipv4Alexander Decker
 
A Technique by using Neuro-Fuzzy Inference System for Intrusion Detection and...
A Technique by using Neuro-Fuzzy Inference System for Intrusion Detection and...A Technique by using Neuro-Fuzzy Inference System for Intrusion Detection and...
A Technique by using Neuro-Fuzzy Inference System for Intrusion Detection and...IJMER
 
(130511) #fitalk network forensics and its role and scope
(130511) #fitalk network forensics and its role and scope(130511) #fitalk network forensics and its role and scope
(130511) #fitalk network forensics and its role and scopeINSIGHT FORENSIC
 

What's hot (20)

Fulltext02
Fulltext02Fulltext02
Fulltext02
 
Network security
Network securityNetwork security
Network security
 
DNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael CasadevallDNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael Casadevall
 
The IPv6 Snort Plugin (at Troopers 14 IPv6 Security Summit)
The IPv6 Snort Plugin (at Troopers 14 IPv6 Security Summit)The IPv6 Snort Plugin (at Troopers 14 IPv6 Security Summit)
The IPv6 Snort Plugin (at Troopers 14 IPv6 Security Summit)
 
Строим ханипот и выявляем DDoS-атаки
Строим ханипот и выявляем DDoS-атакиСтроим ханипот и выявляем DDoS-атаки
Строим ханипот и выявляем DDoS-атаки
 
L2 tp., ip sec
L2 tp., ip secL2 tp., ip sec
L2 tp., ip sec
 
Certified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetCertified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheet
 
Security Issues in Next Generation IP and Migration Networks
Security Issues in Next Generation IP and Migration NetworksSecurity Issues in Next Generation IP and Migration Networks
Security Issues in Next Generation IP and Migration Networks
 
Qualifying exam-2015-final
Qualifying exam-2015-finalQualifying exam-2015-final
Qualifying exam-2015-final
 
Proposed Lightweight Block Cipher Algorithm for Securing Internet of Things
Proposed Lightweight Block Cipher Algorithm for Securing Internet of ThingsProposed Lightweight Block Cipher Algorithm for Securing Internet of Things
Proposed Lightweight Block Cipher Algorithm for Securing Internet of Things
 
DETECTION OF ALGORITHMICALLY GENERATED MALICIOUS DOMAIN
DETECTION OF ALGORITHMICALLY GENERATED MALICIOUS DOMAINDETECTION OF ALGORITHMICALLY GENERATED MALICIOUS DOMAIN
DETECTION OF ALGORITHMICALLY GENERATED MALICIOUS DOMAIN
 
Antony's Final Draft v7
Antony's Final Draft v7Antony's Final Draft v7
Antony's Final Draft v7
 
Security and Usability: Designing Security Tooling That Roboticists Can Use
Security and Usability: Designing Security Tooling That Roboticists Can UseSecurity and Usability: Designing Security Tooling That Roboticists Can Use
Security and Usability: Designing Security Tooling That Roboticists Can Use
 
Introduction P2p
Introduction P2pIntroduction P2p
Introduction P2p
 
How the CC Harmonizes with Secure Software Development Lifecycle
How the CC Harmonizes with Secure Software Development LifecycleHow the CC Harmonizes with Secure Software Development Lifecycle
How the CC Harmonizes with Secure Software Development Lifecycle
 
Leverage the Network to Detect and Manage Threats
Leverage the Network to Detect and Manage ThreatsLeverage the Network to Detect and Manage Threats
Leverage the Network to Detect and Manage Threats
 
Look at ipv6 security advantages over ipv4
Look at ipv6 security advantages over ipv4Look at ipv6 security advantages over ipv4
Look at ipv6 security advantages over ipv4
 
A Technique by using Neuro-Fuzzy Inference System for Intrusion Detection and...
A Technique by using Neuro-Fuzzy Inference System for Intrusion Detection and...A Technique by using Neuro-Fuzzy Inference System for Intrusion Detection and...
A Technique by using Neuro-Fuzzy Inference System for Intrusion Detection and...
 
Futex ppt
Futex pptFutex ppt
Futex ppt
 
(130511) #fitalk network forensics and its role and scope
(130511) #fitalk network forensics and its role and scope(130511) #fitalk network forensics and its role and scope
(130511) #fitalk network forensics and its role and scope
 

Similar to D4 Project Presentation

Splunk App for Stream
Splunk App for StreamSplunk App for Stream
Splunk App for StreamSplunk
 
Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Chris Sistrunk
 
Botprobe - Reducing network threat intelligence big data
Botprobe - Reducing network threat intelligence big data Botprobe - Reducing network threat intelligence big data
Botprobe - Reducing network threat intelligence big data DATA SECURITY SOLUTIONS
 
For your final step, you will synthesize the previous steps and la
For your final step, you will synthesize the previous steps and laFor your final step, you will synthesize the previous steps and la
For your final step, you will synthesize the previous steps and laShainaBoling829
 
Data Capture in IBM WebSphere Premises Server - Aldo Eisma, IBM
Data Capture in IBM WebSphere Premises Server - Aldo Eisma, IBMData Capture in IBM WebSphere Premises Server - Aldo Eisma, IBM
Data Capture in IBM WebSphere Premises Server - Aldo Eisma, IBMmfrancis
 
Monitoring federation open stack infrastructure
Monitoring federation open stack infrastructureMonitoring federation open stack infrastructure
Monitoring federation open stack infrastructureFernando Lopez Aguilar
 
Cotopaxi - IoT testing toolkit (3rd release - Black Hat Europe 2019 Arsenal)
Cotopaxi - IoT testing toolkit (3rd release - Black Hat Europe 2019 Arsenal)Cotopaxi - IoT testing toolkit (3rd release - Black Hat Europe 2019 Arsenal)
Cotopaxi - IoT testing toolkit (3rd release - Black Hat Europe 2019 Arsenal)Jakub Botwicz
 
RFID Security Module
RFID Security ModuleRFID Security Module
RFID Security Modulecgvwzq
 
DDS Advanced Tutorial - OMG June 2013 Berlin Meeting
DDS Advanced Tutorial - OMG June 2013 Berlin MeetingDDS Advanced Tutorial - OMG June 2013 Berlin Meeting
DDS Advanced Tutorial - OMG June 2013 Berlin MeetingJaime Martin Losa
 
Splunk app for stream
Splunk app for stream Splunk app for stream
Splunk app for stream csching
 
Chapter 8 security tools ii
Chapter 8 security tools iiChapter 8 security tools ii
Chapter 8 security tools iiSyaiful Ahdan
 
SDN, OpenFlow, NFV, and Virtual Network
SDN, OpenFlow, NFV, and Virtual NetworkSDN, OpenFlow, NFV, and Virtual Network
SDN, OpenFlow, NFV, and Virtual NetworkTim4PreStartup
 
Sector Sphere 2009
Sector Sphere 2009Sector Sphere 2009
Sector Sphere 2009lilyco
 
sector-sphere
sector-spheresector-sphere
sector-spherexlight
 
RedSplice_Network_Traffic_Examiner_Datasheet
RedSplice_Network_Traffic_Examiner_DatasheetRedSplice_Network_Traffic_Examiner_Datasheet
RedSplice_Network_Traffic_Examiner_DatasheetLaurentiu Nicula
 
Linux Based Advanced Routing with Firewall and Traffic Control
Linux Based Advanced Routing with Firewall and Traffic ControlLinux Based Advanced Routing with Firewall and Traffic Control
Linux Based Advanced Routing with Firewall and Traffic Controlsandy_vasan
 
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat Security Conference
 
Toolkit Titans - Crafting a Cutting-Edge, Open-Source Security Operations Too...
Toolkit Titans - Crafting a Cutting-Edge, Open-Source Security Operations Too...Toolkit Titans - Crafting a Cutting-Edge, Open-Source Security Operations Too...
Toolkit Titans - Crafting a Cutting-Edge, Open-Source Security Operations Too...Brandon DeVault
 
Fiware - communicating with ROS robots using Fast RTPS
Fiware - communicating with ROS robots using Fast RTPSFiware - communicating with ROS robots using Fast RTPS
Fiware - communicating with ROS robots using Fast RTPSJaime Martin Losa
 

Similar to D4 Project Presentation (20)

Splunk App for Stream
Splunk App for StreamSplunk App for Stream
Splunk App for Stream
 
Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?
 
Botprobe - Reducing network threat intelligence big data
Botprobe - Reducing network threat intelligence big data Botprobe - Reducing network threat intelligence big data
Botprobe - Reducing network threat intelligence big data
 
For your final step, you will synthesize the previous steps and la
For your final step, you will synthesize the previous steps and laFor your final step, you will synthesize the previous steps and la
For your final step, you will synthesize the previous steps and la
 
Data Capture in IBM WebSphere Premises Server - Aldo Eisma, IBM
Data Capture in IBM WebSphere Premises Server - Aldo Eisma, IBMData Capture in IBM WebSphere Premises Server - Aldo Eisma, IBM
Data Capture in IBM WebSphere Premises Server - Aldo Eisma, IBM
 
Monitoring federation open stack infrastructure
Monitoring federation open stack infrastructureMonitoring federation open stack infrastructure
Monitoring federation open stack infrastructure
 
Cotopaxi - IoT testing toolkit (3rd release - Black Hat Europe 2019 Arsenal)
Cotopaxi - IoT testing toolkit (3rd release - Black Hat Europe 2019 Arsenal)Cotopaxi - IoT testing toolkit (3rd release - Black Hat Europe 2019 Arsenal)
Cotopaxi - IoT testing toolkit (3rd release - Black Hat Europe 2019 Arsenal)
 
RFID Security Module
RFID Security ModuleRFID Security Module
RFID Security Module
 
DDS Advanced Tutorial - OMG June 2013 Berlin Meeting
DDS Advanced Tutorial - OMG June 2013 Berlin MeetingDDS Advanced Tutorial - OMG June 2013 Berlin Meeting
DDS Advanced Tutorial - OMG June 2013 Berlin Meeting
 
Splunk app for stream
Splunk app for stream Splunk app for stream
Splunk app for stream
 
Chapter 8 security tools ii
Chapter 8 security tools iiChapter 8 security tools ii
Chapter 8 security tools ii
 
SDN, OpenFlow, NFV, and Virtual Network
SDN, OpenFlow, NFV, and Virtual NetworkSDN, OpenFlow, NFV, and Virtual Network
SDN, OpenFlow, NFV, and Virtual Network
 
Sector Sphere 2009
Sector Sphere 2009Sector Sphere 2009
Sector Sphere 2009
 
sector-sphere
sector-spheresector-sphere
sector-sphere
 
RedSplice_Network_Traffic_Examiner_Datasheet
RedSplice_Network_Traffic_Examiner_DatasheetRedSplice_Network_Traffic_Examiner_Datasheet
RedSplice_Network_Traffic_Examiner_Datasheet
 
Linux Based Advanced Routing with Firewall and Traffic Control
Linux Based Advanced Routing with Firewall and Traffic ControlLinux Based Advanced Routing with Firewall and Traffic Control
Linux Based Advanced Routing with Firewall and Traffic Control
 
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
 
optimizing_ceph_flash
optimizing_ceph_flashoptimizing_ceph_flash
optimizing_ceph_flash
 
Toolkit Titans - Crafting a Cutting-Edge, Open-Source Security Operations Too...
Toolkit Titans - Crafting a Cutting-Edge, Open-Source Security Operations Too...Toolkit Titans - Crafting a Cutting-Edge, Open-Source Security Operations Too...
Toolkit Titans - Crafting a Cutting-Edge, Open-Source Security Operations Too...
 
Fiware - communicating with ROS robots using Fast RTPS
Fiware - communicating with ROS robots using Fast RTPSFiware - communicating with ROS robots using Fast RTPS
Fiware - communicating with ROS robots using Fast RTPS
 

Recently uploaded

Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfngoud9212
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsAndrey Dotsenko
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 

Recently uploaded (20)

Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdf
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 

D4 Project Presentation

  • 1. D4 Project Open and collaborative network monitoring D4 projectTeam CIRCL https://www.d4-project.org/ 2019/05/21 Jean-Louis Huynen
  • 2. Problem statement CSIRTs (or private organisations) build their own honeypot, honeynet or blackhole monitoring network Designing, managing and operating such infrastructure is a tedious and resource intensive task Automatic sharing between monitoring networks from different organisations is missing Sensors and processing are often seen as blackbox or difficult to audit 1 33
  • 3. Objective Based on our experience with MISP1 where sharing played an important role, we transpose the model in D4 project Keeping the protocol and code base simple and minimal Allowing every organisation to control and audit their own sensor network Extending D4 or encapsulating legacy monitoring protocols must be as simple as possible Ensuring that the sensor server has no control on the sensor (unidirectional streaming) Don’t force users to use dedicated sensors and allow flexibility of sensor support (software, hardware, virtual) 1 https://github.com/MISP/MISP 2 33
  • 5. (short) History D4 Project (co-funded under INEA CEF EU program) started - 1st November 2018 D4 encapsulation protocol version 1 published - 1st December 2018 v0.1 release of the D4 core2 including a server and simple D4 C client - 21st January 2019 First version of a golang D4 client3 running on ARM, MIPS, PPC and x86 - 14th February 2019 2 https://www.github.com/D4-project/d4-core 3 https://www.github.com/D4-project/d4-goclient/ 4 33
  • 6. (short) History Release Date analyzer-d4-passivedns-v0.1 Apr. 5, 2019 analyzer-d4-passivessl-0.1 Apr. 25, 2019 analyzer-d4-pibs-v0.1 Apr. 8, 2019 BGP-Ranking-1.0 Apr. 25, 2019 d4-core-v0.1 Jan. 25, 2019 d4-core-v0.2 Feb. 14, 2019 d4-core-v0.3 Apr. 8, 2019 d4-goclient-v0.1 Feb. 14, 2019 d4-goclient-v0.2 Apr. 8, 2019 d4-server-packer-0.1 Apr. 25, 2019 IPASN-History-1.0 Apr. 25, 2019 sensor-d4-tls-fingerprinting-0.1 Apr. 25, 2019 see https://github.com/D4-Project 5 33
  • 7. Roadmap - output CIRCL will host a server instance for organisations willing to contribute to a public dataset without running their own D4 server: Blackhole DDoS Passive DNS Passive SSL BGP mapping egress filtering mapping Radio-Specturm monitoring: 802.11, BLE, etc. ... 6 33
  • 9. D4 Header Name bit size Description version uint 8 Version of the header type uint 8 Data encapsulated type uuid uint 128 Sensor UUID timestamp uint 64 Encapsulation time hmac uint 256 Authentication header (HMAC-SHA-256-128) size uint 32 Payload size 8 33
  • 10. D4 Header Type Description 0 Reserved 1 pcap (libpcap 2.4) 2 meta header (JSON) 3 generic log line 4 dnscap output 5 pcapng (diagnostic) 6 generic NDJSON or JSON Lines 7 generic YAF (Yet Another Flowmeter) 8 passivedns CSV stream 254 type defined by meta header (type 2) 9 33
  • 11. D4 meta header D4 header includes an easy way to extend the protocol (via type 2) without altering the format. Within a D4 session, the initial D4 packet(s) type 2 defines the custom headers and then the following packets with type 254 is the custom data encapsulated. { " type " : " ja3−j l " , " encoding " : " utf −8", " tags " : [ " tlp : white " ] , "misp : org " : "5 b642239−4db4−4580−adf4−4ebd950d210f " } 10 33
  • 12. D4 server D4 core server4 is a complete server to handle clients (sensors) including the decapsulation of the D4 protocol, control of sensor registrations, management of decoding protocols and dispatching to adequate decoders/analysers. D4 server is written in Python 3.6 and runs on standard GNU/Linux distribution. 4 https://github.com/D4-project/d4-core 11 33
  • 13. D4 server - management interface The D4 server provides a web interface to manage D4 sensors, sessions and analyzer. Get Sensors status, errors and statistics Get all connected sensors Manage Sensors (stream size limit, secret key, ...) Manage Accepted types UUID/IP blocklist Create Analyzer Queues 12 33
  • 14. D4 server - main interface 13 33
  • 15. D4 server - server management 14 33
  • 16. D4 server - server management 15 33
  • 17. D4 server - sensor overview 16 33
  • 18. D4 server - sensor management 17 33
  • 19. A distributed Network telescope to observe DDoS attacks 18 33
  • 20. Motivation DDoS Attacks produce an observable side-effect: 0 500000 1 × 106 1.5 × 106 2 × 106 2.5 × 106 3 × 106 01/10 01/24 02/07 02/21 03/07 https://www.circl.lu/ Numberofpackets date (month / day) Backscatter traffic volume per 5 minutes in 2019 (/22) backscatter tcp traffic 19 33
  • 21. What can be derived from backscatter traffic? External point of view on ongoing Denial of Service attacks: Confirm if there is a DDoS attack Recover time line of attacked targets Confirm which services (DNS, webserver, . . . ) Observe Infrastructure changes Assess the state of an infrastructure under denial of service attack Detect failure/addition of intermediate network equipments, firewalls, proxy servers etc Detect DDoS mitigation devices Create models of DoS/DDoS attacks 20 33
  • 22. D4 in this setting D4 - for data collection and processing: provide various points of observation in non contiguous address space, aggregate and mix backscatter traffic collected from D4 sensors, perform analysis on big amount of data. D4 - from a end-user perspective: provide backscatter analysis results, provide daily updates, provide additional relevant (or pivotal) information (DNS, BGP, etc.), provide an API and search capabilities. 21 33
  • 23. First release analyzer-d4-pibs5, an analyzer for a D4 network sensor: processes data produced by D4 sensors (pcaps), displays potential backscatter traffic on standard output, focuses on TCP SYN flood in this first release. 5 https://github.com/D4-project/analyzer-d4-pibs 22 33
  • 25. Problem statement CIRCL (and other CSIRTs) have their own passive DNS6 collection mechanisms Current collection models are affected with DoH7 and centralised DNS services DNS answers collection is a tedious process Sharing Passive DNS stream between organisation is challenging due to privacy 6 https://www.circl.lu/services/passive-dns/ 7 DNS over HTTPS 24 33
  • 26. Potential Strategy Improve Passive DNS collection diversity by being closer to the source and limit impact of DoH (e.g. at the OS resolver level) Increasing diversity and mixing models before sharing/storing Passive DNS records Simplify process and tools to install for Passive DNS collection by relying on D4 sensors instead of custom mechanisms Provide a distributed infrastructure for mixing streams and filtering out the sharing to the validated partners 25 33
  • 27. First release analyzer-d4-passivedns8, an analyzer for a D4 network sensor: processes data produced by D4 sensors (in passivedns CSV format9 ), ingests these into a Passive DNS server which can be queried later to search for the Passive DNS records, provides a lookup server (using on redis-compatible backend) that is a Passive DNS REST server compliant to the Common Output Format10 . 8 https://github.com/D4-project/analyzer-d4-passivedns 9 https://github.com/gamelinux/passivedns 10 https://tools.ietf.org/html/ draft-dulaunoy-dnsop-passive-dns-cof-04 26 33
  • 29. A passive SSL fingerprinter CSIRT’s rationale for collecting TLS handshakes: pivot on additional data points, find owners of IP addresses, detect usage of CIDR blocks, detect vulnerable systems, detect compromised services, detect key material reuse, detect weak keys. 28 33
  • 30. Objectives - TLS Fingerprinting Keeping a log of links between: x509 certificates, ports, IP address, client (ja3), server (ja3s), “JA3 is a method for creating SSL/TLS client fingerprints that should be easy to produce on any platform and can be easily shared for threat intelligence.”11 11 https://github.com/salesforce/ja3 29 33
  • 31. Objectives - Mind your Ps and Qs Collect and store x509 certificates and TLS sessions: Public keys type and size, moduli and exponents, curves parameters. Detect anti patterns in crypto: Shared Public Keys, Moduli that share one prime factor, Moduli that share both prime factor, Small factors, Nonces reuse / common preffix or suffix, etc. 30 33
  • 32. First release sensor-d4-tls-fingerprinting 12: Extracts and fingerprints certificates, and computes TLSH fuzzy hash. analyzer-d4-passivessl 13: Stores Certificates / PK details in a PostgreSQL DB. lookup-d4-passivessl 14: Exposes the DB through a public REST API. 12 github.com/D4-project/sensor-d4-tls-fingerprinting 13 github.com/D4-project/analyzer-d4-passivessl 14 github.com/D4-project/lookup-d4-passivessl 31 33
  • 33. Future Mixing models for passive collection streams (for privacy) in next version of D4 core server Interconnecting private D4 sensor networks with other D4 sensor networks (sharing to partners filtered stream) Previewing datasets collected in D4 sensor network and providing open data stream (if contributor agrees to share under specific conditions) Leverage MISP sharing communities to augment Threat Intelligence, and provide accurate metrology. 32 33
  • 34. Get in touch if you want to join the project, host a sensor or contribute Collaboration can include research partnership, sharing of collected streams or improving the software. Contact: info@circl.lu https://github.com/D4-Project https://twitter.com/d4_project https://d4-project.org 33 / 33