認(rèn)識網(wǎng)路安全與異常偵測中央大學(xué)電算中心楊素秋

96年11月13日報告大綱1.網(wǎng)路安全問題Viruses,Worms,Dosattack2.網(wǎng)路安全因應(yīng)對策Customer-basedcountermeasuresISP-basedcountermeasures3.Detection&NotificationSystemEnd-based,LAN-based,WAN-based(ISP)4.結(jié)語1.網(wǎng)路安全問題網(wǎng)路安全的挑戰(zhàn)VirusesLargeamountofprogramreplicationＭailvirusAttachedinemailInfectsystembyenduringuserclickingtheattachedResendlargeamountofmailvirusSelf-propagatingprograms,…Spreadthroughtoxicwebpagebrowsing1.網(wǎng)路安全問題(cont.)WormsSelf-propagatingprogramsspreadoverInternetSpreadbyscanningthenetworkforvulnerablemachines&infectingthemEvolutionofnetworkwormsSpreadthroughsystemvulnerabilityCoRed(Jul2001)Spreadthroughsystemvulnerability&tftpdNimda,Nachi(Sep2001)Spreadthroughsystemvulnerability&mailvirusSoBig(Aug2003),MyDoom(jan2004),Bagle(2004)Spreadthroughsystemvulnerability&ToxicwebsStanty(Dec2004)1.網(wǎng)路安全問題(cont.)BotNetZombiearmyDistributedthroughIrc(networkchatroom)6667/tcpDosattackSlamwellknownwebserver(MicroSofts,Google,…)Flooding-basedDDoSattackSignificantperformancedeclineofnetworklinkIdentificationthiefSpyware,Phishing(banks,ebay,paypal,…1.網(wǎng)路安全問題(cont.)TechnicalHackersShowtheirskillTechnicalHackers+CriminalgangEnormousprofitsTheweaklinkinInternetSecurityAsignificantpopulationofInternetusersarenotadequatelysecuretheirdesktops2.網(wǎng)路安全因應(yīng)對策WheresecuritycountermeasurescouldbeinvokedCustomer-basedcountermeasuresISP-basedcountermeasures**ISPcore/edge/accessrouters2.網(wǎng)路安全因應(yīng)對策(cont.)Customer-basedcountermeasuresAnti-virussoftwareFirewall,IDSOSVenders/wpatchWindowsUpdateLinuxUp2dateS/WVender’sSecurityImprovementsDesktopVulnerabilityCheckingFirewall==Secure??(Incorrect)2.網(wǎng)路安全因應(yīng)對策(cont.)WhyISP’sareuniquelypositionedtohelpJohnE.H.Clark(Feb2003)TrafficgatewayAlltrafficbw.Internet&thecustomer’sdesktoppassesthroughISP’saccessSkillednetworkmanagersWellorganizednetworkuserinformationHighefficiency,widerangeprotection2.網(wǎng)路安全因應(yīng)對策(cont.)ISP-basedcountermeasuresa)Measuring&monitoringtrafficto/fromcustomerb)Bi-directionIPSatISPaccess50%~60%ofjunkattacktrafficc)IngressaddressfilteringatISPaccessIn-linewiththetrafficbeingmonitoredd)User’sawareness&trainingeffort3.Detection&NotificationSystemSignatureDetectionPacketpayloadanomalydetectionPacket-basedTcpdump(snoopedoversubnetworks)Flow-basedNetfow(exportedbyrouter/switch)3.Detection&NotificationSystem(cont.)Ourworks遭感染/誤用的主機系統(tǒng)持續(xù),頻繁地建立網(wǎng)路連接到單一或多部主機,源自遭感染主機的超量傳訊特徵flow連接驟增封包量驟增超量訊務(wù)持續(xù)時段明顯拉長本研究擷取節(jié)點routerNetflow轉(zhuǎn)送紀(jì)錄實做FloodingDetectionSystem,FDS3.Detection&NotificationSystem(cont.)3.Detection&NotificationSystem(cont.)PortScan訊務(wù)特徵

源端主機要求建立的多個PortScanflows,集中在特殊的弱點

由目的主機回應(yīng)給源端主機的portnumber卻分散於大範(fàn)圍的1024~65535.3.Detection&NotificationSystem(cont.)選擇3項NetFlow辨識特徵(1)sourceIP位址(src_IP)(2)destina-tion應(yīng)用埠(dst_port)(3)小TCP封包使Feature-based訊務(wù)累計程式僅加總超速傳送SYN|FINTCPhandshaking封包往大量連網(wǎng)主機特殊弱點ports的source主機,突顯Portscan問題主機3.Detection&NotificationSystem(cont.)SMTPFlooding(Spam)訊務(wù)特徵

類似Portscan傳訊特徵spam源端主機持續(xù)傳送超量SMTP(SimpleMailTransferPtorocol)訊務(wù)往多部主機主機outbound的連接數(shù)突然暴增超量SMTP傳送時段也呈明顯拉長3.Detection&NotificationSystem(cont.)PacketFlooding訊務(wù)特徵產(chǎn)出鉅量的UDP/ICMPFlooding封包阻斷選定主機的對外服務(wù)壅塞沿徑routing網(wǎng)段選擇source(src_IP)為virtualflow累計程式僅統(tǒng)計sourceIP傳送的超大量UDP/ICMPPacket/Byte/Flow訊務(wù)偵測與自動通告DDoS攻擊3.Detection&NotificationSystem(cont.)Flooding異常訊務(wù)偵測系統(tǒng)Feature-based訊務(wù)累計/排序程式 加總每一sourceIP主機送往各destinationport的flow數(shù),packet數(shù),byte數(shù),與meanpacketsize訊務(wù)變量,

Multi-thresholds異常偵測程式累計各時段source主機建立的flow[sourcei],packet[sourcei],byte[sourcei],pkt_size[sourcei]加總其發(fā)送超量TCP封包的持續(xù)時段duration[sourcei]與估定臨界質(zhì)比對,篩選得PortScansources.3.Detection&NotificationSystem(cont.)Flooding異常訊務(wù)的自動通告萃取ip_routingtableRouteripRouteSNMPMIB建置與啟動RWhoisIP管理資料查詢系統(tǒng)讀取異常訊務(wù)數(shù)據(jù)＆自動通告

3.Detection&NotificationSystem(cont.)Flooding異常訊務(wù)的自動通告（cont.)擷取骨幹router的數(shù)萬筆routingsnmpwalkipRouteMask(..11)snmpwalkipRouteNextHop(.4.)萃取/重建龐大ip_routing紀(jì)錄構(gòu)建符合RWhoisnetworkschema資料庫結(jié)合NextHop紀(jì)錄與管理聯(lián)絡(luò)資訊連線學(xué)校IP管理資訊查詢.tw/~yang/rwhois.php?ip=24.結(jié)語Flooding異常訊務(wù)偵測系統(tǒng)(FDS)aggregaterouterNetFlow轉(zhuǎn)送紀(jì)錄自動偵測PortScan,Spam與packetflooding攻擊訊務(wù)透過RwhoisdIP管理資訊的查詢自動將具體的異常訊務(wù)通告該網(wǎng)路用戶促使其補強系統(tǒng)安全,阻截flooding攻擊4.結(jié)語(cont.)據(jù)幾年來的使用經(jīng)驗網(wǎng)路匯集點的異常偵測系統(tǒng)能偵測多變的portscan訊務(wù)(不斷翻新的弱點ports)Spampacketflooding事件具體的flooding訊務(wù)數(shù)據(jù)能協(xié)助網(wǎng)管人員掌握異常源端主機聯(lián)絡(luò)用戶並分析其主機flooding現(xiàn)象ThankYou!桃園區(qū)網(wǎng)abuse通告分布中央大學(xué)電子計算機中心楊素秋(center7@.tw)報告大綱1.abusecomplaint自動轉(zhuǎn)通告2.abuse年度統(tǒng)計3.abuse分類統(tǒng)計4.P2Ptraffictargetsystem2/~yang/index_abuse_emule.php2/~yang/index_abuse_emule_port.php5.總結(jié)1.Abusecomplain自動轉(zhuǎn)通告Abusecomplaint轉(zhuǎn)通告系統(tǒng)定時接收abusecomplaintmailfileabuse@.tw(/var/mail/abuse)切割/分類abuse通告信PortScan/Passwordcrack(安全弱點掃描)Spam(廣告/色情信)Infringement(侵犯智慧財產(chǎn)權(quán))Phishing(網(wǎng)路詐騙)轉(zhuǎn)通知負(fù)責(zé)人員,並儲存資料庫記錄.1.Abusecomplain自動轉(zhuǎn)通告(cont.)系統(tǒng)處理程序如下:讀取abuse@.twmailfile,切割/儲存各單封信件執(zhí)行dbacl(digramicBayesiantextclassifier):分類各單封信件abusetype(spam,infringe,portscan,phish).掃描targetIP位址,並將IP,abuse類別存檔以IP為key,連接RwhoisServer,查詢管理員emai.,並將原信件寄發(fā)對應(yīng)的管理員.1.Abusecomplain自動轉(zhuǎn)通告(cont.)系統(tǒng)成效:節(jié)省一名處理abuse通告的網(wǎng)路管理人力.能即時地處理轉(zhuǎn)通告,不會因假期延誤通告.資料庫建檔提供on-demandabuse資料查詢網(wǎng)頁.2.abuse年度統(tǒng)計93年(2004)94年(2005)95年(2006)96年(2007)3.Abuse分類統(tǒng)計智財權(quán)(Infringement)廣告信(Spam)PortScanPhishing163.30.*.*4.Abuse歷史紀(jì)錄查詢URL.tw/Tyc_Abuse/Tanet/summ_notify.php單月統(tǒng)計abusecomplaint分類選擇年度,月份96-0195-125.P2PtraffictargetsystemFeatureofP2PmtrafficPacketsize(largepacket)Connections(manytomany)Duration(lastlonger)Trafficvolume(largeamount)URLsofTycP2Ptrafficstatistic2/~yang/index_abuse_emule.php2/~yang/index_abuse_emule_port.php6.總結(jié)日趨完整的網(wǎng)路安全防禦Technique區(qū)網(wǎng):FloodDetectionsystem校園網(wǎng):firewall,IDS使用者端:firewall,antiviruspackageEducationenduserProtectPCfrombeingexploitedassteppingstoneSecuritypolicyManagementSupport5.總結(jié)(cont.)PuttinganendtothedarksideofnetworkIncreaseawarenessEducationusersImplementorganizationpoliciesUseTechnologytoprotectagainstthesethreatsFloodingDetectionsystem5.總結(jié)(cont.)進行中的工作網(wǎng)路安全文件的彙整與分享網(wǎng)路管理工具與說明文件的彙整Content-based網(wǎng)路入侵偵測系統(tǒng)MiningDetection臺聯(lián)大出國線路效能評估中央大學(xué)電算中心楊素秋2007年10月8日報告大綱1.研究動機2.主要連外Trunk流量的變化3.國外網(wǎng)站檔案擷取延遲的變化4.結(jié)語1.研究動機臺聯(lián)大出國線路Cost2millionperyearPerformanceTrunkTrafficStatistics(MRTG圖)Ping(RTT値)部分firewall不允許pingtrafficUserSensitiveTrafficStatisticsDelayforfetchingpngorpdffileCisco,hp,3com,ubuntu*2.主要連外Trunk流量校園corerouter7609接臺聯(lián)大出國線路流量.tw/mrtg/7609/r7609_63.html中央大學(xué)到桃園區(qū)網(wǎng)流量.tw/mrtg/m160/m160_65.html桃園區(qū)網(wǎng)到TANET骨幹流量.tw/backbone/ncu_cht.html校園corerouter接臺聯(lián)大線路流量中央大學(xué)到桃園區(qū)網(wǎng)流量桃園區(qū)網(wǎng)到TANET骨幹流量2.主要連外Trunk流量(cont.)TANET出國流量變化.tw/internet/internet-pos-stm16.html臺聯(lián)大出國流量變化/ntcu-6509/_po8_1.htmlTANET出國流量變化臺聯(lián)大出國流量變化3.國外網(wǎng)站檔案擷取延遲效能比較網(wǎng)頁:

.tw/Ncu/browse.jspNCU_LlinkCollector31TYC_Link

3.國外網(wǎng)站檔案擷取延遲(cont.)2007-Aug&2007-Sep8/17~8/31,9/1~9/302007-Oct10/3(NCTU_DORM斷線)10/9(NCTU_DORM復(fù)線)10/15(TWGATE修正routingpath)10/16~10/314.子程式功能

delay2.javaget()main()wget_stat.shcrontabCalldelay2routinely

publicvoidget(StringtheUrl,Stringfilename)throwsIOException{theUrl_name=theUrl;try{URLgotoUrl=newURL(theUrl);InputStreamReaderisr=newInputStreamReader(gotoUrl.openStream());BufferedReaderin=newBufferedReader(isr);StringBuffersb=newStringBuffer();StringinputLine;booleanisFirst=true;//grabthecontentsattheURLwhile((inputLine=in.readLine())!=null){sb.append(inputLine+"\r\n");}//writeitlocallycreateAFile(filename,sb.toString());}catch(MalformedURLExceptionmue){mue.printStackTrace();}catch(IOExceptionioe){throwioe;}}publicstaticvoidmain(String[]args){Datedate=newDate();SimpleDateFormatday=newSimpleDateFormat("MMdd");SimpleDateFormatdf=newSimpleDateFormat("MMddHH");//System.out.println(df.format(date));Stringday_file=day.format(date);Stringcur_hour=df.format(date);Stringfilename="/home/Ncu_Link/"+day_file;try{BufferedWriterout=newBufferedWriter(newFileWriter(filename,true));out.write("\nHour"+cur_hour);longelapsedtime=System.currentTimeMillis();out.write("\nFrom"+elapsedtime+"msec.||");delay2httpGetter=newdelay2();

httpGetter.get(args[0],args[1]);out.write("\nTo"+elapsedtime+"msec.||");elapsedtime=System.currentTimeMillis()-elapsedtime;out.write("\nIttakes"+elapsedtime+"msec."+theUrl_name+"\n");out.close();}catch(Exceptionex){ex.printStackTrace();}}}#!/bin/csh-fsetenvCLASSPATH'.'setbatch_home=/opt/apache-tomcat-6.0.14/webapps/ROOT/Socketsetflist=`/bin/ls$batch_home/lib/*.jar`foreachname($flist)setenvCLASSPATH${CLASSPATH}:${name}endcd$batch_homejavadelay2/cdc_content_elements/images/homepage/ba_partnerLocato_blue.jpgcisco.jpgjavadelay2/country/us/en/img/n4_welcome/smb/primary_smb_msg_730.jpghp.jpgjavadelay2/other/pdfs/solutions/en_US/3com_505403-001.pdf3com.pdfjavadelay2/themes/ubuntu07/images/ubuntulogo.pngubuntu.pngDate111900Ittakes922msec./cdc_content_elements/images/homepage/ba_partnerLocato_blue.jpgDate111900Ittakes1797msec./country/us/en/img/n4_welcome/smb/primary_smb_msg_730.jpgDate111900Ittakes19266msec./other/pdfs/solutions/en_US/3com_505403-001.pdfDate111900Ittakes1140msec./themes/ubuntu07/images/ubuntulogo.pngDate111904Ittakes1079msec./cdc_content_elements/images/homepage/ba_partnerLocato_blue.jpgDate111904Ittakes859msec./country/us/en/img/n4_welcome/smb/primary_smb_msg_730.jpgDate111904Ittakes12203msec./other/pdfs/solutions/en_US/3com_505403-001.pdfDate111904Ittakes1078msec./themes/ubuntu07/images/ubuntulogo.png4.子程式功能(cont.)LinkPerf.javaExtractthedatarecordedper4hoursperiodAggregatethemeandelay(msec)Outputtoanotherfile1101[Thu]{=774,=13443,=800,=1115}<br>1102[Fri]{=847,=12825,=815,=1025}<br>1103[Sat]{=1074,=13578,=853,=1225}<br>1104[Sun]{=672,=15053,=821,=1071}<br>1105[Mon]{=824,=13240,=837,=1065}<br>4.子程式功能(cont.)Browse.jspOfferusertomonitoringtheaggregatedatarecordsTimes_both.jspDrawthetime-seriesgraphaccordingtotheaggregatedatarecordsCalljfreechartlibrariesjfreechart-1.0.6<%@pagecontentType="image/png;charset=UTF-8"%><%@pageimport="java.util.*,java.io.*,java.awt.*,java.text.*"%><%@pageimport="org.jfree.chart.JFreeChart"%><%@pageimport="org.jfree.chart.ChartRenderingInfo"%><%@pageimport="org.jfree.chart.servlet.ServletUtilities"%><%@pageimport="org.jfree.chart.entity.StandardEntityCollection"%><%@pageimport="org.jfree.chart.servlet.ServletUtilities"%><%@pageimport="org.jfree.chart.ChartUtilities"%><%@pageimport="javax.servlet.ServletOutputStream"%><%@pageimport="org.jfree.chart.ChartFactory"%><%@pageimport="org.jfree.data.xy.*"%><%@pageimport="org.jfree.data.time.*"%><%@pageimport="org.jfree.chart.axis.*"%><%@pageimport="org.jfree.chart.ui.*"%><%@pageimport="org.jfree.chart.plot.*"%><%@pageimport="org.jfree.chart.renderer.xy.*"%><%@pageimport="org.jfree.ui.ApplicationFrame"%><%@pageimport="org.jfree.ui.RefineryUtilities"%><%@pageimport="org.jfree.chart.title.*"%><%@pageimport="org.jfree.chart.servlet.ServletUtilities"%><%@pageimport="org.jfree.chart.urls.*"%><%@pageimport="org.jfree.chart.entity.*"%><%@pageimport="org.jfree.chart.labels.StandardXYToolTipGenerator"%><%TimeSeriesCollectiondataset=newTimeSeriesCollection();TimeSeriesseries1=newTimeSeries("NCU-臺聯(lián)大出國專線");TimeSeriesseries2=newTimeSeries("TYC-TANET出國共用線路");series1.add(newDay(1,9,2007),13312);series1.add(newDay(2,9,2007),12880);series2.add