VisualizingNetworkAttacks-0 4

The document discusses visualizing network attacks and security data through graphs and diagrams. It introduces tools like DAVIX, Afterglow, Dot and Graphviz for capturing, processing and visualizing network data as graphs. Specific examples analyzed include visual cryptanalysis of DES encryption, visualizing honeypot attacks, and the famous 1994 Mitnick vs Shimomura attack.


Visualizing Network Attacks

Eric Conrad
http://www.ericconrad.com
April 2009

A picture is worth 1,000 words

Many network, security and system engineers have trained themselves to correlate complex information from text-based representations of events
Like Cypher in The Matrix
However, many concepts lend themselves to visual interpretation
2

One example: visual cryptanalysis of DES ECB mode

The Data Encryption Standard (DES) is a block cipher with a number of modes of operation
The native mode, Electronic Code Book (ECB), encrypts each block on its own and does not chain the ciphertext
Identical 64-bit blocks of plaintext become identical blocks of ciphertext
As a result, patterns in the plaintext propagate into the ciphertext
The chained modes of DES (such as CBC) destroy such patterns by chaining the previous block of ciphertext into the encryption of the next
3

Showing weaknesses of DES ECB mode
Left image is the original BMP; right image is the same BMP encrypted in ECB mode

Showing the effects of chaining
Same logo, with Cipher Block Chaining (CBC) mode ciphertext on the right
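To see the ECB weakness in code rather than in a picture, here is an added example (not from the deck) that runs ECB and CBC over a constructed 64-bit Feistel block cipher, a standard-library stand-in for DES, and counts the distinct ciphertext blocks of a two-colour "logo".

```python
import hashlib
BLOCK = 8  # 64-bit blocks, the block size DES uses

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _feistel(block: bytes, key: bytes, decrypt: bool = False) -> bytes:
    # 16-round Feistel network with a hash-based round function and key schedule: the same
    # structure as DES, but NOT DES. A constructed stand-in so the modes can be shown offline.
    subkeys = [hashlib.sha256(key + bytes([r])).digest()[:8] for r in range(16)]
    if decrypt:
        subkeys.reverse()  # Feistel inverse: identical rounds, subkeys in reverse order
    left, right = block[:4], block[4:]
    for sk in subkeys:
        left, right = right, _xor(left, hashlib.sha256(sk + right).digest()[:4])
    return right + left  # final half-swap, as in DES

def _blocks(data: bytes) -> list:
    if len(data) % BLOCK:
        raise ValueError("input must be whole 64-bit blocks (padding is out of scope here)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(pt: bytes, key: bytes) -> bytes:
    # ECB: each block is encrypted on its own, so equal plaintext blocks give equal ciphertext.
    return b"".join(_feistel(b, key) for b in _blocks(pt))

def cbc_encrypt(pt: bytes, key: bytes, iv: bytes) -> bytes:
    # CBC: XOR each plaintext block with the previous ciphertext block (the IV first) before encrypting.
    out, prev = [], iv
    for b in _blocks(pt):
        prev = _feistel(_xor(b, prev), key)
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(ct: bytes, key: bytes, iv: bytes) -> bytes:
    out, prev = [], iv
    for b in _blocks(ct):
        out.append(_xor(_feistel(b, key, decrypt=True), prev))
        prev = b
    return b"".join(out)

def distinct_blocks(data: bytes) -> int:
    return len(set(_blocks(data)))

# Constructed "image": 32 blocks alternating between two values, like a two-colour logo.
LOGO = (b"\x00" * 8 + b"\xff" * 8) * 16
KEY, IV = b"example-key", b"\x01" * 8
ECB_DISTINCT = distinct_blocks(ecb_encrypt(LOGO, KEY))      # 2: the pattern survives
CBC_DISTINCT = distinct_blocks(cbc_encrypt(LOGO, KEY, IV))  # 32: the pattern is gone
```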

DAVIX
DAVIX is a live CD for data analysis and visualization
Available at http://secviz.org/
Burn the ISO to CD, and boot your laptop into a rich visualization environment
6

The DAVIX Live CD

The DAVIX start menu links to all major tools
Visualization work is broken down into 3 processes: Capture, Process, Visualize
7

The DAVIX process

Capture includes tools that capture network data, like wireshark, tcpdump, etc.
Process includes tools that manipulate data, such as afterglow.pl, as well as the classic Unix shell tools such as sed, awk, perl and grep
Visualize includes tools to display the data
8

A word on tools
All tools mentioned in this paper are on the DAVIX 1.0.1 distribution
All graphics used in this paper were generated directly from the DAVIX live CD
You may download all scripts in this paper at http://files.ericconrad.com/vizcurrent.tgz
All example commands in this paper will work directly on the DAVIX live CD
9

Dot
Dot is a language used to describe graphs
Example digraph (directed graph) in the dot language, and the resulting image:
digraph directed{
A -> B -> C;
B -> D;
}
10

Turning Dot into graphics

Graphviz (Graph Visualization Software) includes a number of programs that process Dot files
http://graphviz.org/
Includes tools that take a Dot file as input, and create a graphics file as output
This paper uses the Graphviz tools twopi and neato
twopi uses a radial model to lay out nodes
neato uses a spring model to lay out nodes
11

Afterglow
Afterglow takes CSV files as input and creates a Dot language file as output
Makes creating directed graphs very easy
The graph on the right was created with:
echo 1,2,3 | afterglow.pl | neato -Tpng -o example.png
12

Two-column mode
Two-column mode has 2 types of nodes: source and target
This graph shows 2 source nodes connecting to three targets
13

Afterglow two-column example: normal arp requests

14

Arp bomb: scan of unused IP addresses

15

Three-column mode
Three-column mode adds an event node
Source nodes connect to targets via events
Example event: protocol type
16
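An added example, not the deck's or AfterGlow's own code, of what afterglow.pl does with its two- and three-column input: turn CSV rows into a Dot digraph, with source, event and target nodes given distinct shapes (the shape choices are this example's own) and repeated rows collapsed into one labelled edge. The ARP and protocol rows are constructed.

```python
import csv
import io
from collections import Counter

# Node shapes chosen for this example (an assumption, not necessarily AfterGlow's defaults).
SHAPES = {"source": "box", "event": "ellipse", "target": "invtriangle"}

def csv_to_dot(csv_text: str, name: str = "afterglow") -> str:
    """Two-column (source,target) or three-column (source,event,target) CSV -> Dot digraph.
    Repeated rows collapse into one edge labelled with its count; other widths are rejected."""
    roles = {}         # node -> role (first role seen wins), used for the node shape
    edges = Counter()  # (src, dst) -> number of rows producing that edge
    for row in csv.reader(io.StringIO(csv_text)):
        row = [c.strip() for c in row]
        if not row or row == [""]:
            continue  # skip blank lines
        if len(row) == 2:
            chain = [("source", row[0]), ("target", row[1])]
        elif len(row) == 3:
            chain = [("source", row[0]), ("event", row[1]), ("target", row[2])]
        else:
            raise ValueError(f"expected 2 or 3 columns, got {len(row)}: {row}")
        for role, node in chain:
            roles.setdefault(node, role)
        for (_, a), (_, b) in zip(chain, chain[1:]):
            edges[(a, b)] += 1
    lines = [f"digraph {name} {{"]
    for node, role in sorted(roles.items()):
        lines.append(f'  "{node}" [shape={SHAPES[role]}];')
    for (a, b), n in sorted(edges.items()):
        label = f' [label="{n}"]' if n > 1 else ""
        lines.append(f'  "{a}" -> "{b}"{label};')
    lines.append("}")
    return "\n".join(lines)

# Constructed two-column data: ARP "who-has" requests, 2 requesters asking about 3 addresses.
ARP_CSV = """192.0.2.10,192.0.2.1
192.0.2.10,192.0.2.20
192.0.2.11,192.0.2.1
192.0.2.11,192.0.2.30
192.0.2.11,192.0.2.30
"""
# Constructed three-column data: source, event (protocol type), target.
PROTO_CSV = """192.0.2.10,tcp,198.51.100.5
192.0.2.10,udp,198.51.100.5
192.0.2.11,tcp,198.51.100.5
"""
```

Pipe the returned text into neato or twopi exactly as the deck does with afterglow.pl's output.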

Visualizing honeypot attacks

Let's use the Dot language to visualize attacks against a honeypot
Data is from the Honeynet Project Scan of the Month 27:
"During its first week of operation, the honeypot was repeatedly compromised by attackers and worms exploiting several distinct vulnerabilities. Subsequent to a successful attack, the honeypot was joined to a large botnet."
Source: http://www.honeynet.org/scans/scan27/

What do the attacks look like visually?


17

The attacks, visually

18

Visual traceroute with Dot

Generate a route graph with Dot:
traceroute to the top 100 internet sites
Compute the average time to each hop
Draw a directed graph showing all connections within 6 hops
Display nodes with colors showing RTT:
First node is blue (and larger)
Nodes < 15 ms are palegreen
Nodes < 30 ms are green
Nodes < 45 ms are yellow
Rest are red
19

20
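The route-graph recipe above as a runnable added example (not the deck's script from vizcurrent.tgz): parse constructed traceroute output, keep the first 6 hops, average RTT per node across runs, and colour nodes with the thresholds listed above. The "origin" label for the first node is an assumption.

```python
import re
from collections import defaultdict

MAX_HOPS = 6
ORIGIN = "origin"  # assumed label for the probing host, drawn as the first (blue, larger) node
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\([\d.]+\)((?:\s+[\d.]+ ms)+)")

def rtt_color(avg_ms: float) -> str:
    # Thresholds from the deck: < 15 ms palegreen, < 30 ms green, < 45 ms yellow, else red.
    if avg_ms < 15: return "palegreen"
    if avg_ms < 30: return "green"
    if avg_ms < 45: return "yellow"
    return "red"

def parse_traceroute(text: str) -> list:
    # [(host, mean_rtt_ms), ...] for the first MAX_HOPS hops; timed-out hops ('* * *') are skipped.
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m and int(m.group(1)) <= MAX_HOPS:
            rtts = [float(x) for x in re.findall(r"([\d.]+) ms", m.group(3))]
            hops.append((m.group(2), sum(rtts) / len(rtts)))
    return hops

def route_graph(runs: list) -> str:
    # Dot digraph of all hops within MAX_HOPS across runs; a node seen in several runs
    # is coloured by the average of its per-run mean RTTs.
    samples, edges = defaultdict(list), set()
    for run in runs:
        prev = ORIGIN
        for host, rtt in parse_traceroute(run):
            samples[host].append(rtt)
            edges.add((prev, host))
            prev = host
    out = ["digraph routes {", f'  "{ORIGIN}" [color=blue, style=filled, width=1.5];']
    for host, rtts in sorted(samples.items()):
        out.append(f'  "{host}" [color={rtt_color(sum(rtts) / len(rtts))}, style=filled];')
    out += [f'  "{a}" -> "{b}";' for a, b in sorted(edges)] + ["}"]
    return "\n".join(out)

# Constructed traceroute output for two destinations that share the first two hops.
RUN_A = """\
 1  gw.example (192.0.2.1)  1.0 ms  1.2 ms  1.4 ms
 2  isp-edge.example (198.51.100.1)  12.0 ms  14.0 ms  16.0 ms
 3  * * *
 4  site-a.example (203.0.113.10)  40.0 ms  46.0 ms  49.0 ms
"""
RUN_B = """\
 1  gw.example (192.0.2.1)  1.0 ms  1.0 ms  1.0 ms
 2  isp-edge.example (198.51.100.1)  20.0 ms  22.0 ms  24.0 ms
 3  transit.example (203.0.113.1)  28.0 ms  29.0 ms  30.0 ms
 7  far.example (203.0.113.20)  90.0 ms  90.0 ms  90.0 ms
"""
```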

Visualizing Mitnick vs. Shimomura

One of the most famous network attacks occurred on Christmas Day, 1994, when Kevin Mitnick allegedly attacked Tsutomu Shimomura's systems
The attack exploited a trust relationship between Shimomura's x-terminal and server
Shimomura analyzed the attack, and was kind enough to post a detailed post mortem of the attack, including tcpdump output, to the comp.security.misc Usenet group

21

The players
4 systems were involved in the attack:
apollo.it.luc.edu: the source of the attack
server: a host trusted by x-terminal
x-terminal: trusted by server
130.92.6.97: used as the spoofed source for the DoS attack
There was no live system at this IP address at the time of the attack

22

The attack
Goal was to forge a packet from server to x-terminal
DoSed server from 130.92.6.97
Harvested TCP sequence numbers from x-terminal
Spoofed connection from server to x-terminal
The attacker did not see the SYN/ACK, and had to guess the sequence number x-terminal used, incrementing it by 1 for the reply

Let's use Shimomura's analysis to see the attack visually
23

Mitnick vs. Shimomura

24
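From the defender's side, two checks over tcpdump-style lines that would have surfaced this attack, as an added example not taken from Shimomura's post: unanswered SYNs from one source (the DoS against server) and a constant step between the ISNs x-terminal chose (the predictability the guess relied on). The capture, its timestamps and every sequence number are constructed.

```python
import re
from collections import Counter

# Old-style tcpdump 'S seq:seq(0)' lines as in Shimomura's post; this regex is the example's own.
SYN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+)\.(?P<sport>\S+) > (?P<dst>\S+)\.(?P<dport>\S+): "
    r"S (?P<seq>\d+):\d+\(0\)(?P<ack> ack \d+)?")

def parse_syns(lines):
    # Dicts for SYN and SYN/ACK lines; 'synack' is True when the line carries an ack field.
    for line in lines:
        m = SYN_RE.match(line)
        if m:
            p = m.groupdict()
            p["seq"], p["synack"] = int(p["seq"]), p.pop("ack") is not None
            yield p

def syn_flood_sources(lines, threshold=3):
    # (src, dst, dport) tuples sending >= threshold SYNs that never got a SYN/ACK back:
    # the shape of the DoS against 'server' from a spoofed address that cannot answer.
    pkts = list(parse_syns(lines))
    answered = {(p["dst"], p["src"]) for p in pkts if p["synack"]}
    counts = Counter((p["src"], p["dst"], p["dport"]) for p in pkts
                     if not p["synack"] and (p["src"], p["dst"]) not in answered)
    return sorted(k for k, n in counts.items() if n >= threshold)

def isn_deltas(lines, responder):
    # Differences between successive initial sequence numbers 'responder' chose in its SYN/ACKs.
    isns = [p["seq"] for p in parse_syns(lines) if p["synack"] and p["src"] == responder]
    return [b - a for a, b in zip(isns, isns[1:])]

def isn_predictable(deltas, min_samples=3):
    # True when every increment is identical, so the next ISN follows from the previous one:
    # the weakness that let the 1994 attacker guess a sequence number it never saw.
    return len(deltas) >= min_samples and len(set(deltas)) == 1

# Constructed capture (hosts from the deck, all numbers made up; the 64000 step is not Shimomura's).
CAPTURE = """\
12:00:01.000000 130.92.6.97.600 > server.login: S 100000:100000(0) win 4096
12:00:01.050000 130.92.6.97.601 > server.login: S 100001:100001(0) win 4096
12:00:01.100000 130.92.6.97.602 > server.login: S 100002:100002(0) win 4096
12:00:05.000000 apollo.it.luc.edu.1000 > x-terminal.shell: S 1000:1000(0) win 4096
12:00:05.000100 x-terminal.shell > apollo.it.luc.edu.1000: S 2000000:2000000(0) ack 1001 win 4096
12:00:06.000000 apollo.it.luc.edu.999 > x-terminal.shell: S 1000:1000(0) win 4096
12:00:06.000100 x-terminal.shell > apollo.it.luc.edu.999: S 2064000:2064000(0) ack 1001 win 4096
12:00:07.000000 apollo.it.luc.edu.998 > x-terminal.shell: S 1000:1000(0) win 4096
12:00:07.000100 x-terminal.shell > apollo.it.luc.edu.998: S 2128000:2128000(0) ack 1001 win 4096
12:00:08.000000 apollo.it.luc.edu.997 > x-terminal.shell: S 1000:1000(0) win 4096
12:00:08.000100 x-terminal.shell > apollo.it.luc.edu.997: S 2192000:2192000(0) ack 1001 win 4096
""".splitlines()
```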

rumint: rumors in the network

Another useful DAVIX tool is rumint, a PVR for Network Traffic and Security Visualization
rumint is short for rumor intelligence
Site: www.rumint.org

Much of what IDS analysts must do is separate useful signals from noise
rumint is useful for spotting the outlier
25

Analyzing honeypot with rumint

26

rumint text rainfall mode

Matrix-style falling text from a live network capture or pcap file
This shows botnet IRC command and control traffic
27

Any questions?

28
