Beruflich Dokumente
Kultur Dokumente
AD
Author:JeromeRadcliffe,jay.radcliffe@gmail.com Advisor:JohannesB.Ullrich,Ph.D
Accepted:April5,2010
Abstract
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Peer to Peer networks (P2P) are heavily used for media sharing and distribution of files. Very few studies have looked at the effects and behaviors of these types of networks specifically during the period of time after the P2P connection has been terminated. This study will look specifically at this Afterglow period to look at the statistics related to the traffic seen during that period. Additionally qualitative methods will be used to look at this data for anomalies and malicious traffic.
2010 The SANS Institute As part of the Information Security Reading Room Author retains full rights.
1.1. Introduction
Thehistoryofpeertopeer(P2P)networkingcanbetracedbacktothelate 1990swhencomputertechnologyhadprogressedtothepointofeasyviewingand storageofmusicandvideofiles.Thisprogressionprecipitatedthedesireforusers toexchange,distributeandsharethesefilesamongsteachother.Theavailable technology,atthattime,wascumbersome.Itrequiredanindividualwhowishedto shareordistributefilestosetupaserverandrunaprogramthatwasdedicatedto hostingthosefiles.Settingupsuchaserver,however,wasbeyondtheskillofthe typicalcomputeruser.Inaddition,therewereotherhurdlesthatpreventedeasy access,includingsettingupuseraccounts,lettingusersknowwheretolocatethe server,andwhatfileswereavailabletoaccess.Thisdesireforuserstosharetheir filesinalesscumbersomeformateventuallypromptedthedevelopmentofsoftware Key
fingerprint
=
AF19
FA27
2F94
998D
FDB5
DE3D
F8B5
06E4
A169
4E46
andservicesthatalloweduserstoaccessanddistributefilesamongstthemselves, whichcametobeknownasP2Pnetworking(Johnson,McGuire,&Willey,2008). BitTorrentisaprotocolthatisusedtodistributeafileorfilesbetweenmultiple clients(Cohen,2008).Theadvantagethatithasovertraditionalserver/client methodsisthefactthattheremaybemultiplehostsondifferentnetworksthatcan providethefilessimultaneously.Thisallowsahosttodownloadthefilefasterand moreefficientlythendirectlyfromoneserver.Thisefficiencyincreaseswiththe numberofhoststhatparticipateinthetorrent.Theprocessfordistributingafileor filesstartswiththecreationofatorrentfile.Thisfilecontainstwoimportant things:thelocationofatrackerandinformationaboutthemakeupofthefileor files.ThetrackerisaURLtoaserverthatkeepstrackofallofthepeersthatare
JeromeRadcliffe;jay.radcliffe@gmail.com
2010 The SANS Institute As part of the Information Security Reading Room
3 participatinginthetorrent.Itisimportanttonotethatthetrackerdoesnothave anypiecesofthefilethatareinsideofthetorrent,itonlykeepstrackofthe participatingpeers(Cohen,2008).Tokeeptrackofthemakeupofthefiles containedinthetorrent,thefilesarebrokenupintosmallerpiecesandanMD5 hashiscreated.Thefilesarebrokendownintosmallerpiecestoincreasethe efficiencyoftransferringpiecesfrompeertopeer.Thisallowsapeertograbpieces ofthetorrentfrommultiplepeerssimultaneouslywhileassuringthecontinuityof thefilesasawhole. OneoftheconceptsthatthisstudywillfocusonisAfterglow.Thisisthe periodoftimeaftertheP2Psessionhasterminatedbuttherestillmaybeincoming requestsforsearchesordownloadstowhatwaspreviouslyavailablewhiletheP2P sessionwasstillactive.Theseconnectionattemptsarerejectedbythesystemafter Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 theterminationofthelisteningP2Pprogram.Thereareseveralreasonsthatthese connectionsarerelevant.First,itisawaytoevaluatetheefficiencyoftheP2P programanditsabilitytokeepanaccuraterecordofsystemsthatarestill participating.Inefficienciesinthismethodologyofkeepingtrackofparticipants wouldgreatlyincreasethetimeneededtofindandacquireparticipatingsystems andsubsequentlyacquiringthosefiles.Second,therearesomesecurity implicationsthatneedtobeconsideredwiththeseafterglowconnectionattempts. Therecanbedifficultyinseparatingtheseconnectionattempts,whicharelegitimate andharmless,fromtrafficthatcouldbemalicious.Studyingthedecayrateofthis afterglowperiodmightprovideabetterideaofwhichconnectionsaremaliciousand whichareharmlessandexpected.Anadditionalsecurityconsiderationistheuseof
JeromeRadcliffe;jay.radcliffe@gmail.com
2010 The SANS Institute As part of the Information Security Reading Room
JeromeRadcliffe;jay.radcliffe@gmail.com
2010 The SANS Institute As part of the Information Security Reading Room
5 created to look just for UDP packets whose destination is the P2P computer on the port number specified (Beale, Poor, & Foster, 2004). Once collected, the data was broken down into number of connections in a ten minute period. An example: for the time period of 00:00 to 00:10, or the first ten minutes after the connection was terminated, there were XX TCP connection attempts and YY UDP connection attempts. In order to determine what the Afterglow looks like, the mean decay time, along with the standard deviation, will be determined. Any connection attempt beyond one and a half standard deviations will be considered atypical. For each trial, the atypical connection attempts will be looked at in detail in order to determine more information about atypical Afterglow attempts. Additionally, information about X and Y are of interest. The following are the purpose and goals for these trials: Key determine what a normative afterglow DB5 D sessions might look like. This 1. Tofingerprint = AF19 FA27 2F94 998D Ffor P2PE3D F8B5 06E4 A169 4E46 could be qualitative in the form of graphical analysis or quantitative in the form of statistics. 2. To determine if the normative afterglow is consistent for the two connection types or multiple methods of P2P sessions. 3. To determine if there is any consistent pattern to the connection attempts made during the afterglow period that would distinguish them as malicious or suspicious. This would include looking at the country of origin and repetition of connection attempts.
JeromeRadcliffe;jay.radcliffe@gmail.com
2010 The SANS Institute As part of the Information Security Reading Room
2. Design
A series of experiments were designed to explore the topic of P2P afterglow. Each trial collected data related to the number of connections in response to an open P2P session. Thedatacollectionwasbrokendownintothreecategories.Thefirst categoryisthepresessionconnections;everytestwasverifiedtobezero connectionsforaminimumof2hoursbeforethetest.Thisassuresthatthe connectionsrecordedwereuniquetothesessionthatwasgoingtobeusedforthe test.Thesecondcategoryisactivesessionconnections,orconnectionsthat occurredwhiletheP2Psessionwasactiveandthetestserverwasparticipatingin datatransfer.Thethirdcategoryisthepostsessionconnections.Postsession connectionsarecategorizedasthosethattookplaceaftertheP2Psessionwas terminatedandthetestserverwasnotparticipatingindatatransfer. Key
fingerprint
=
AF19
FA27
2F94
998D
FDB5
DE3D
F8B5
06E4
A169
4E46
2.1. Network
One problem with most modern home networks is the monitoring of inbound and outbound traffic is difficult, as most networking equipment segregates the data that is being transmitted to increase efficiency and security. To accomplish this goal, a device called a hub is placed in the network that allows the monitoring of all the traffic flowing to all the computers. A hub is a network device that distributes all the traffic it sees on one port to all other ports on the hub. Diagram 1 depicts the network as it normally works without a hub installed where Diagram 2 depicts the network with the hub
JeromeRadcliffe;jay.radcliffe@gmail.com
2010 The SANS Institute As part of the Information Security Reading Room
7 installed. As you can see, the installation of a hub will allow for the monitoring of all traffic that flows into and out of the network (Spurgeon, 2000). Diagram 1- Network with no hub
2.2. Hardware
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
In addition to the network, other equipment is needed to accomplish the goals of this project. A Dell Inspiron 530 was used in this experiment to do the monitoring. Ubuntu 9.0 Server and an additional Network Interface Card (NIC) were both used on this computer. The NIC on the mainboard was set up to talk on the network with SSH installed and enabled, which allows for management remotely in a secure fashion. The additional network card was setup with no IP address information and physically hooked up to the hub installed at the perimeter of the network (as shown in Diagram 2). This configuration will best allow programs to interface with the network traffic the hub allows us to see.
JeromeRadcliffe;jay.radcliffe@gmail.com
2010 The SANS Institute As part of the Information Security Reading Room
9 experiment, the port was changed. These actions are to decrease the chance that some other program or traffic will skew the data collection.
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
To allow for traffic from the outside to enter the network, port changes were made in the uTorrent software including adjustments to the perimeter firewall. Before each trial was performed, the firewall rules were matched up with the adjustments made to the firewall device. In this case, it was a Linksys WRT54G running OpenWRT (http://openwrt.org/). These adjustments can be located on the NAT Tab in the setup configuration.
JeromeRadcliffe;jay.radcliffe@gmail.com
2010 The SANS Institute As part of the Information Security Reading Room
10
3. Results
Thefirststepinanalyzingthedatawastodeterminethebasicpatternof connectionsforeachofthefourtrialtypes,thisincludedbothananalysisofpre andpostsessionsconnections.Thebasicdescriptionofdataforeachofthefour trialscanbeseeninTable1.Thedecayrate,ortherateatwhichconnection attemptsdecreaseovertime,willbethefirstsetofanalyses.Thiswillbecompleted Key
fingerprint
=
AF19
FA27
2F94
998D
FDB5
DE3D
F8B5
06E4
A169
4E46
usingprimarilyqualitativeanalysis,althoughsomequantitativestatisticswereused. Second,thepossibilitiesofvariationsbetweenthetrialswereexamined.Finally,we lookedatthesourceoftheconnectionsthatweredeterminedtobebeyondthe typicalconnectionsresponding. Table1
Trial 1 Pre Post N Mean (SD) Skew Kurtosis
132 165.22 (143.19) 0.86 -0.54 170 1.54 (3.41) 3.38 13.72
JeromeRadcliffe;jay.radcliffe@gmail.com
2010 The SANS Institute As part of the Information Security Reading Room
11 Ascanbeseeninthetable,someofthedataviolatedtheassumptionofanormal distribution,whichonewouldexpectofadecayrateasmanyofthepostvalues shouldapproximatezero.Keepinginmindaskeworkurtosisvalueof+or2is consideredabnormal,youcanseetheratesforalmosteverytrialareoutsidethe normalrange.Thismakesitdifficulttorunmosttypicaltests(suchasanANOVAor ttest)whencomparingthedataorattemptingtodescribeameasureofcentral tendency(i.e.,mean,medium,mode)(Myers&Well,1995).Wheneverpossible, however,parametricstatisticswereused.Insituationswheredataviolatedthe parametricassumptionsofnormaldistribution,suchashighlyskewedorkurtotic data,nonparametricstaticswereusedandthedatawillalsobeconsidered qualitatively,suchasthroughthegraphsbelow.AlldatawillbeanalyzedusingSPSS Version17unlessotherwisestated. Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 3.1DecayRatesAnalysis Thefirstanalysisexaminedthedecayrate,ortherateatwhichconnection attemptsdecreaseovertimeasmeasuredfromthetimetheP2Psessionis terminatedontheclientside.Graph1showsthenumberofattemptsmadewhile theconnectionwason,andGraph2displaystheconnectionattemptsafterthe connectionwasterminatedforthethirdtrial,whichusedBitTorrent.
JeromeRadcliffe;jay.radcliffe@gmail.com
2010 The SANS Institute As part of the Information Security Reading Room
12 Graph1ConnectionAttemptsWithActiveConnection,Trial3,BitTorrent
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
JeromeRadcliffe;jay.radcliffe@gmail.com
2010 The SANS Institute As part of the Information Security Reading Room
13 Graph2ConnectionAttemptsWithDeactivatedConnection,Trial3,BitTorrent
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
JeromeRadcliffe;jay.radcliffe@gmail.com
2010 The SANS Institute As part of the Information Security Reading Room
14 theresultsviolatethelawsofanormaldistribution(onewhichapproximatesabell curve).Instead,aqualitativeanalsysiswascompletedlookingattrialvariancein ordertodeterminethetypicalrateofdecay,oratimepointatwhichtheconnection rateshouldaproximatezero. 3.2TrialVarianceAnalysis Theconsistencyinthedecayratebetweentrial,orTrialVariance(Myers&Well, 1995),wasthefocusofthesecondanalysis.Ideally,theresultsofthetestwouldbe similarasthiswouldprovideabasisfornormaldecayratesusingP2Pnetworks. Graph3indicatestherateofdeclineinconnectionrateforallthreetrialsand providesavisualcomparison.
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
JeromeRadcliffe;jay.radcliffe@gmail.com
2010 The SANS Institute As part of the Information Security Reading Room
15 Graph3:ThreeBitTorrentTests,Afterglowperiod
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
JeromeRadcliffe;jay.radcliffe@gmail.com
2010 The SANS Institute As part of the Information Security Reading Room
Table3.2(BT2)
29.73% 7.68% 4.87% 4.55% 4.29% 3.84% 3.75% 3.66% 3.26% 2.46% USA
Table3.3(BT3)
20.36% 6.41% 5.81% 5.23% 4.47% 4.19% 3.76% 3.56% 3.15% 2.70%
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
JeromeRadcliffe;jay.radcliffe@gmail.com
2010 The SANS Institute As part of the Information Security Reading Room
17 Graph4BitTorrenttest#2Afterglow
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
JeromeRadcliffe;jay.radcliffe@gmail.com
2010 The SANS Institute As part of the Information Security Reading Room
18
4. Discussion
ThisstudyfoundthatthedecayratesinBitTorrentP2Psessionsaregenerally quiteconsistentwithregardstotheoverallpatternofconnectionattempts.When lookingattheafterglowperiodsofallthreetests,thereisaquickdropinconnection attempts,followedbyatrickleofconnectionattemptsoverthecourseoffourteen hours. Thepostconnectionsourceinformationcanbeusedtoidentifyatrendindicating whoistryingtoconnecttoaterminatedP2Pclient.BylookingforrepetitiveIP addresses,IPaddressranges,orWhoisdatabasedontheIPaddresses,apattern mightbegintoemerge.Inthefuture,thisinformationcouldhelpdistinguish suspiciousconnectionsfromharmlessconnectionsandcouldprovideusefultools fordeterminingatypicalordangerousconnectionattempts. 6E4
A169
4E46
Key
fingerprint
=
AF19
FA27
2F94
998D
FDB5
DE3D
F8B5
0 4.1Limitationsofthestudy Thereweresomelimitationstothisstudy.First,therearemanytypesofP2P clientsthatcouldbeusedintheBitTorrentprotocol,andthesemightinteract differentlywhencomparedwiththeoneusedinthisstudy.Otherclientprograms mightinteractdifferentlywithotherpeersimpactingthedata.Second,thisstudy onlyusedaconsistentfiletypeintheP2Psearch,Fedora9InstallationDVD. Differentfilestypesmightbemoreriskyandproduceadifferentresult.For example,filesthatareinviolationofcopyrightcouldinvokemoreafterglowactivity. Third,thenumberoftestrunsandonlylookingatthe14hoursaftertheP2Psession wasterminatedcouldbeseenasalimitation.Moretestsmightprovideabetter JeromeRadcliffe;jay.radcliffe@gmail.com
2010 The SANS Institute As part of the Information Security Reading Room
19 totalpictureofwhattheafterglowlookslike.Additionally,assessingmorethanthe first14hoursaftertheconnectionwasterminatedmightalsoprovideaclearer pictureofwhatabsolutezerolookslike.Finally,oneinconsistencyinthedataisthat thethirdBitTorrentprotocolwasrunonadifferentnetwork.Inbetweenthe secondandthirdtrialthetestnetworkchangedfromComcasttoasmalllocalISP namedWestTel.TheWestTelnetworkconnectionhadhigherbandwidthwhich mighthaveaccountedforthehighernumberofconnectionsinthethirdtrial. Althoughthenumberofconnectionsinthethirdtrialwashigher,therateofdecay intheafterglowwasconsistentwiththeothertwotrials. 4.2Futureconsiderations Thecurrentstudywasagoodplacetostartintermsoflookingatdecayrate Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 analysis.Thereare,however,severalprospectivedirectionsthatcouldexpandon thislineofresearch.Onefuturedirectionmightlookattheprotocolandprogram associatedwiththeP2Pclientstoseeifthereareinefficienciesinthewayitkeeps trackofactiveorparticipatingclients.Thestatisticalinformationcouldalsoleadto moreadaptiveintrusiondetectionstrategieswhichwouldusethesetypesof statisticstoflagconnectionsthatareoutsidetheboundsofnormaltrafficrather thantrafficthatisexpected. Asecondareaofpossiblefutureresearchwouldfurtherexpandontheanomaly seeninthesecondtestcasewherethereweremultiplerepeatclientsattempting connectionsatconsistenttimeintervals.Researchcouldbedonetoidentifyfurther detailsontheseclientstodetermineacommonalitybetweenthem.
JeromeRadcliffe;jay.radcliffe@gmail.com
2010 The SANS Institute As part of the Information Security Reading Room
20 Anotherdirectionwouldbetodofurtheranalysisontheconnectionattempts beingmadeintheafterglowperiodtotryandidentifyadditionalmarkersthat woulddistinguishthemasbeingsuspicious.ThiscouldbepartsoftheTCP/UDP packetstructureandcontent. OverallthereisroomtogrowintheareaofP2Pconnectionresearch.This limitedstudyonlylookedatasmallareaofP2Pinteractions.Thereareanever growingnumberofBitTorrentclientsandallofthemhandletheprotocol differently.ThesedifferencescouldgreatlyimpacteveryareaofP2P communications,allofwhichareareasthatcouldbegroundsforresearch.Further researchofhowP2Pclientsinteractcouldprovideadditionalwaystoincrease efficiencyandprovideenhancedsecurity.
5. References
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Beale,J.,Poor,M.,&Foster,J.(2004).Snort2.1IntrusionDetection,SecondEdition. Syngress. Cohen,B.(2008).TheBitTorrentProtocolSpecification.Retrieved201026Feburary fromhttp://www.bittorrent.org/beps/bep_0003.html Johnson,E.,McGuire,D.,&Willey,N.(2008).TheEvolutionofthePeertoPeerFile SharingIndustryandtheSecurityRisksforUsers.41stHawaiiInternational conferenceonSystemSciences,(p.1). Myers,J.,&Well,A.(1995).ResearchDesignandStatisticalAnalysis.Routledge. Spurgeon,C.(2000).Ethernet:TheDefinitiveGuide.Sebastopol,CT:O'Reilly& Associates. Stevens,W.R.(1994).TCP/IPIllustrated,Volume1:TheProtocols.AddisonWesley Professional.
JeromeRadcliffe;jay.radcliffe@gmail.com
2010 The SANS Institute As part of the Information Security Reading Room
Amsterdam, Netherlands May 05, 2012 - May 19, 2012 San Diego, CA Toronto, ON Johannesburg, South Africa Brisbane, Australia Jakarta, Indonesia Denver, CO New York City, NY OnlineFL Books & MP3s Only May 10, 2012 - May 18, 2012 May 14, 2012 - May 19, 2012 May 17, 2012 - May 18, 2012 May 21, 2012 - May 26, 2012 May 28, 2012 - Jun 02, 2012 Jun 04, 2012 - Jun 09, 2012 Jun 12, 2012 - Jun 13, 2012 Mar 23, 2012 - Mar 30, 2012 Anytime