SW T StealthWatch Therminator - PowerPoint PPT Presentation

About This Presentation
Title:

SW T StealthWatch Therminator

Description:

sprung up several sites and software packages designed to help users find ... The Bucket can hold zero to fifteen 'Balls.' Bucket Set number calculation: ... – PowerPoint PPT presentation

Number of Views:33
Avg rating:3.0/5.0
Slides: 20
Provided by: JohnCo66

Transcript and Presenter's Notes


1
ECE-8843 http://www.csc.gatech.edu/copeland/jac/8843/
Prof. John A. Copeland, john.copeland@ece.gatech.edu, 404 894-5177, fax 404 894-0035
Office: GCATT Bldg 579; email or call for office visit, or call Kathy Cheek, 404 894-5696
Slide Set 12 - Network Traffic Visualization
2
Bandwidth Usage versus Time
3
TCP and UDP Port Usage Visualization
4
Result of Google: udp 27015
  • 27015 is the default port number for various Sierra Online/Valve multi-player online games -- "Halflife", among others. Any game client may also be a server, or optionally the user may run a game workstation in "dedicated" server mode. There are also various "dedicated" servers that run under Windows NT, Linux, FreeBSD (in Linux emulation mode, iirc), etc.
  • Due to the somewhat decentralized nature of this architecture, there have sprung up several sites and software packages designed to help users find and join a game on a server that is playing the game or map that they prefer, is closest to them from a RTT sense, etc.
  • Your probes on 27015/udp are most likely game locator servers or clients, or the game client itself looking for servers or requesting information regarding servers past or present.

5
Result of Google: tcp 6881
BitTorrent is a peer-to-peer network
  • BitTorrent is not just a concept, but has a functioning implementation, already capable of swarming downloads across unreliable networks. This is the result of over two years of intensive development. - http://bitconjurer.org/BitTorrent/introduction.html

6
Therminator Traffic Visualization
In the Therminator technology, each host is assigned to one of eight sets of hosts, and each set is associated with a Bucket. A Bucket can hold zero to fifteen "Balls."
Bucket Set number calculation (start at 0 and add the value of each switch that is true):
  • Host is Server for the present connection: add 1 (001). Client or Server?
  • Host was seen during the last few days: add 2 (010). New or Old Friend?
  • Host IP address is on our local network: add 4 (100). Outside or Inside?
e.g., a Client, New Friend (first seen today), Outside Host is in Bucket Set 0 (binary 000).
For programming purposes the eight Buckets are up-down counters whose value is limited to the range zero to fifteen. A packet going from a Host in Bucket Set 5 to a Host in Bucket Set 7 would cause the following to happen (if Bucket 5 has less than 15 and Bucket 7 has at least 1 Ball):
  • Put a Ball in Bucket 5: Increment Counter 5
  • Remove a Ball from Bucket 7: Decrement Counter 7
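As an added example (not code from the Georgia Tech course or from Lancope's Therminator/StealthWatch software), the following Python implements the Bucket Set calculation and the ball-move rule exactly as the slide states them: the three switch bits, the 0..15 counter limits, and the precondition that the source bucket is below 15 and the destination bucket has at least one ball before a packet moves a ball. The local network range (10.1.0.0/16), the "last few days" window of 3 days, the sample addresses and the packet sequences are all constructed for this example and are not taken from the slides.

```python
"""Therminator bucket sets and ball moves (added example, not SWT code)."""
import ipaddress
from typing import List, Optional, Tuple

# The three logic switches, one bit each (values from the slide).
SERVER_BIT = 1      # 001: host is the Server for the present connection
OLD_FRIEND_BIT = 2  # 010: host was seen during the last few days
INSIDE_BIT = 4      # 100: host IP address is on our local network

BUCKET_MIN, BUCKET_MAX = 0, 15   # each Bucket holds zero to fifteen Balls
NUM_SETS = 8                     # one Bucket per Bucket Set (000..111)

# Assumptions for this example; the slide does not fix either value.
LOCAL_NET = ipaddress.ip_network("10.1.0.0/16")   # constructed "our local network"
OLD_FRIEND_DAYS = 3                               # "last few days" taken as 3 days


def bucket_set(is_server: bool, old_friend: bool, inside: bool) -> int:
    """Bucket Set number: the sum of the switch bits that are true (0..7)."""
    return ((SERVER_BIT if is_server else 0)
            | (OLD_FRIEND_BIT if old_friend else 0)
            | (INSIDE_BIT if inside else 0))


def classify_host(ip: str, is_server: bool,
                  days_since_last_seen: Optional[float]) -> int:
    """Evaluate the three switches for one host; None means never seen before."""
    old_friend = (days_since_last_seen is not None
                  and days_since_last_seen <= OLD_FRIEND_DAYS)
    inside = ipaddress.ip_address(ip) in LOCAL_NET
    return bucket_set(is_server, old_friend, inside)


def move_ball(buckets: List[int], src_set: int, dst_set: int) -> bool:
    """Apply one packet from a host in src_set to a host in dst_set.

    The slide gives one precondition for both actions: the source Bucket has
    less than 15 Balls and the destination Bucket has at least 1 Ball. When it
    holds, a Ball is put in the source Bucket (counter incremented) and one is
    removed from the destination Bucket (counter decremented). Otherwise the
    packet leaves the counters unchanged. Returns True if the move happened.
    """
    if buckets[src_set] < BUCKET_MAX and buckets[dst_set] > BUCKET_MIN:
        buckets[src_set] += 1   # put a Ball in the source Bucket
        buckets[dst_set] -= 1   # remove a Ball from the destination Bucket
        return True
    return False


def run_packets(moves: List[Tuple[int, int]], start: int = 7) -> List[int]:
    """Replay (src_set, dst_set) pairs from the per-period start of 7 Balls each."""
    buckets = [start] * NUM_SETS
    for src, dst in moves:
        move_ball(buckets, src, dst)
    return buckets


if __name__ == "__main__":
    # Constructed hosts: an outside client never seen before (000) and an
    # inside server seen one day ago (111).
    print(classify_host("203.0.113.9", False, None))   # 0
    print(classify_host("10.1.4.20", True, 1))         # 7
    print(run_packets([(5, 7)]))                       # [7, 7, 7, 7, 7, 8, 7, 6]
    # Ten packets the same way: after seven, Bucket 7 is empty and the rest are refused.
    print(run_packets([(5, 7)] * 10))                  # [7, 7, 7, 7, 7, 14, 7, 0]
```

The clamp matters for the later slides: a one-way stream between two hosts stops changing the counters after at most seven packets, which is why a scan or flood leaves the buckets parked in a few states.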
7
8
9
Unfinished Flash Tutorial provided by Lee Hartley of Lancope, Inc.
10
Axis label: Time (30 minutes)
The present version of SWT uses 2-d graphics to display the Therminator-generated State Distribution and Bucket Fill numbers versus time, with a 30-second time interval (upper graphs). The lower graph and event log enable the network security analyst to determine the cause of the peaks shown in the State Distribution graph.
11
Peaks in the State Distribution indicate significant unbalance in the network traffic.
12
Bucket Counts indicate which type of hosts sent more packets than they received (larger bar, 25 max) and which received more than they sent (smaller bar, may disappear).
13
Graph labels: Var2, Phantom Hosts
Graphs that can help identify the cause of network events: the Var2 curve is similar to the State Distribution graph; the Phantom Hosts curve has peaks when unused IP addresses are scanned; the Packets curve peaks when there is a short-packet flood attack.
14
The Events Log generated by StealthWatch can precisely identify the cause of network events. It shows the most active Scans, Flows, and Hosts for each 30-second period. Here we see that host 219.178.8.5 has sent 741 packets at 15530, but received none. There is no corresponding Flow, so these packets were sent to multiple subnets and IP addresses.
15
Now that we have an IP address to investigate, we use StealthWatch to do a Host Snapshot. We find that the host is scanning for open TCP-445 ports and several other TCP ports (1430, 4679, 4681, 4685, ...).
16
We do a whois lookup on the IP address to find the network administrator, who can be informed of a likely compromised host on his network, or a malicious user. If we are worried about these scans, and do not need to communicate with the offending host or his whole domain, we can signal the firewall or router to drop packets coming from that location.
17
With Flow Filter
Here there are large FTP file transfers every 20 to 40 minutes that last about 90 seconds; these create peaks in the State Distribution curves similar to an attack or fast scan. To mitigate this effect, we use a Flow Filter that skips packets from any flow that has done a proper handshake and meets the criteria for a normal flow. The above shows the results from a fast TCP port 80 scan by a host in England (at 2155-2205 PST). This shows up as rectangular peaks in State Distribution (upper left), and in non-flow packets and Var2 (lower-left).
18
Without Flow Filter
This display, taken at the same time without the Flow Filter, shows the results for the same fast TCP port 80 scan, which is now partially obscured by two FTP file transfers (at 2144-2146 and 2154-2157 PST).
19
StealthWatch Therminator (SWT) Basics
The source host and the destination host are each determined to belong to one of eight categories, depending on the yes/no decisions of three logic "switches," for example "Client/Server", "Old Friend/New Friend (Stranger)", and "Known (Inside)/Unknown (Outside)".

Bucket Count Graph (upper right): The colored bars in the upper right graph represent the number of packets sent less the number received by each of these categories (called the "Bucket Count"). These Bucket Counts are constrained: they start at 7 during each 30-sec time period and cannot go negative or exceed 15. When a color disappears it means that hosts in that category have received more packets than they sent (could contain victims). When a bar doubles in size (25 height), it means that hosts in that category have sent more packets than they received (could contain attackers).

State Count Graph (upper left): Each packet results in a "State," which is represented by the 8 Bucket Count values (b0, b1, b2, b3, b4, b5, b6, b7). A count is kept of how many times each state is occupied during the 30-second time period. Because of the constraints on bi, a high-speed DoS attack or high-speed network scan will cause a few states to have high occupancy numbers. The stacked bar graph shows, for each time period, the occupancy numbers of the 12 most highly occupied states. The peaks indicate when significant events have occurred.

Events Log (lower left): High-speed data file transfers can also cause State-Count peaks, as well as high-speed scans, SYN floods, fragment floods, distributed DoS, UDP worm spreads, ... . To determine the cause of a peak, consult the Events Log, which provides data from the underlying StealthWatch system. Listed here for each 30-second period are the most active Hosts (number of packets or increase in CI), Scans (number of new CI points), and Flows (number of packets). In SW 3.0, Hosts with a high increase in Victim-CI points will also be shown.

Status Graphs (upper right): Three things are presently plotted that help analysis (the values also appear in the Events Log). The number of total packets can show if an appreciable increase in packets on a network occurs (seen with short-packet DoS attacks more than with file transfers). The "Missed IPs" value peaks when high-speed network scans send many packets to non-existent hosts (unused IP addresses). The VAR2 value is a mean-square variation of the State Occupancy Values, which has been found to be another way to detect significant network events.

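As an added example (not the SWT software or any Lancope code), the following Python replays a constructed 30-second period of packets through the bucket counters restated from slide 6, keeps the per-state occupancy count described under "State Count Graph" above, selects the 12 most occupied states for the stacked bar, and shows why a one-way scan concentrates the period into a few states. The slide does not give the VAR2 formula; the population variance of the occupancy values used here is an assumption made for this example, as are the two constructed traffic mixes (a balanced period of request/reply conversations and a scan period from an outside stranger to inside strangers that never reply).

```python
"""State occupancy counting over a 30-second period (added example, not SWT code)."""
from collections import Counter
from typing import Counter as CounterT, List, Tuple

NUM_SETS, START, BUCKET_MAX = 8, 7, 15   # eight buckets, start at 7, limit 0..15

State = Tuple[int, ...]   # (b0, b1, ..., b7), the 8 Bucket Count values


def apply_packet(buckets: List[int], src_set: int, dst_set: int) -> None:
    """Ball-move rule from slide 6: only when src < 15 and dst has a ball."""
    if buckets[src_set] < BUCKET_MAX and buckets[dst_set] > 0:
        buckets[src_set] += 1
        buckets[dst_set] -= 1


def state_occupancy(moves: List[Tuple[int, int]]) -> CounterT[State]:
    """Replay one period's (src_set, dst_set) packets; count how often each state is occupied."""
    buckets = [START] * NUM_SETS
    counts: CounterT[State] = Counter()
    for src, dst in moves:
        apply_packet(buckets, src, dst)
        counts[tuple(buckets)] += 1   # the State this packet leaves the buckets in
    return counts


def top_states(counts: CounterT[State], n: int = 12) -> List[Tuple[State, int]]:
    """The n most highly occupied states, as drawn in the stacked bar graph."""
    return counts.most_common(n)


def var2(counts: CounterT[State]) -> float:
    """Assumed VAR2: mean-square deviation of the occupancy values from their mean."""
    vals = list(counts.values())
    mean = sum(vals) / len(vals)
    return sum((v - mean) ** 2 for v in vals) / len(vals)


def peak_fraction(counts: CounterT[State]) -> float:
    """Fraction of the period's packets spent in the single most-occupied state."""
    return max(counts.values()) / sum(counts.values())


# Constructed traffic mixes (not captured data).
def balanced_period(rounds: int = 25) -> List[Tuple[int, int]]:
    """Four client/server conversations; each round sends k requests then k replies."""
    moves: List[Tuple[int, int]] = []
    conversations = [(0, 5), (2, 7), (4, 1), (6, 3)]
    for r in range(rounds):
        client, server = conversations[r % 4]
        k = r % 3 + 1
        moves += [(client, server)] * k + [(server, client)] * k
    return moves


def scan_period(packets: int = 200) -> List[Tuple[int, int]]:
    """An outside stranger client (set 0) probing inside stranger hosts (set 4); no replies."""
    return [(0, 4)] * packets


if __name__ == "__main__":
    for name, period in (("balanced", balanced_period()), ("scan", scan_period())):
        counts = state_occupancy(period)
        print(name, "distinct states:", len(counts),
              "peak fraction: %.2f" % peak_fraction(counts),
              "var2: %.1f" % var2(counts))
        for state, occupancy in top_states(counts, 3):
            print("   ", state, occupancy)
```

In the balanced period the counters return to the all-7 state after every exchange and the occupancy is spread over 13 states; in the scan period the counters are pinned at (14, 7, 7, 7, 0, 7, 7, 7) after seven packets and that single state absorbs 194 of the 200 packets, which is the high-occupancy peak the slide describes and what the assumed VAR2 measure reacts to.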