Packet Analysing Tool for Network Monitoring - PowerPoint PPT Presentation

1 / 56

About This Presentation

Title:

Packet Analysing Tool for Network Monitoring

Description:

1 /56. Packet Analysing Tool for Network Monitoring ... Xmas scan. SYN, FIN. SYN/FIN scan. FIN. FIN scan. SYN. SYN scan. Flags. ???????????. 28 /56 ... – PowerPoint PPT presentation

Number of Views:206

Avg rating:3.0/5.0

Slides: 57

Provided by: Compu464

Category:

more less

Transcript and Presenter's Notes

Title: Packet Analysing Tool for Network Monitoring

1
Packet Analysing Tool for Network Monitoring
Computer System and Networking
??????????????????????????????????????????????????
??????
2
?????????????
??????? ???????????????????????????????????????
?????????????????
?????????? Packet Analysing Tool for Network
Monitoring
Computer System and Networking
????????????
????????? ???????????? ???????????? 4722082
????????????????
??. ??????? ?????
3
?????????????????

????????????????????????
???????? TCP/IP
???????????? ?????? ????????????
????????????
???? ????? ?????????????

Computer System and Networking
4
????????????????????????
Computer System and Networking
5
???????????????????????????

??????????????????????????????????????????????
? ??????????????????????????????
?????????????? ? ??????????
?????????? ? ???????????????????????????????????
??? TCP/IP
? TCP/IP ??????????? ????????????????????????
TCP/IP ?????????????????????????????????????????
??
? ????????? ?????????????????????????????????????
??
????????????????????????????????????????????????
???????
??????????????? ????????????
??????????????????? ?????????????????????

Computer System and Networking
6
??????????????????????

??????????????????????????? ??????????????????????
????????????????????????
????????????????????????????????????????????????
?????????
????????????????????????????
????????????????????????????????????????????????
????

Computer System and Networking
7
?????????????????????

1. ?????????????????????????????? ??????
???????????????? (Network based)
??????????????????? (Packet header)
?????????????
2. ?????????????????????????????????
??????????????? ??????
????????????????????? FreeBSD
??????????????????????????????????????? ??? Ping
sweep,
UDP port scan ??? TCP port scan
????????????????????? ????????????????????????????
???
????????? ??????????????? Denial of Service
(DoS) ???
Ping flood attack, UDP flood attack ??? SYN
flood attack

Computer System and Networking
8
???????? TCP/IP
Computer System and Networking
9
???????????????????????????????????????????
Computer System and Networking
10
Protocol Encapsulation
User data
Application
User data
Application header
TCP
TCP header
Computer System and Networking
Application data
IP
TCP segment
Application data
TCP header
IP header
Ethernet driver
IP datagram
Ethernet trailer
Application data
TCP header
IP header
Ethernet header
Ethernet
Ethernet frame
11
Protocol Encapsulation
Ethernet Frame
ARP datagram
IP datagram
Computer System and Networking
ICMP message
UDP datagram
TCP segment
12
Ethernet frame MAC header
MAC header
00 01 dc fb 94 38 00 02 e3 4b 3f 01
08 00 45 00 00 3c f0 99 ...
Destination MAC address 0001dcfb9438 Source
MAC address 0002e34b3f01 Type 0800 (IP)
IP datagram
13
IP datagram IP header
0
31
20 bytes
Computer System and Networking
14
ICMP message ICMP header
0
31
15 16
7 8

?????? ICMP ??????????????????????????

ICMP echo reply
Computer System and Networking
ICMP echo request
? Echo request (type 8, code 0) ? Echo reply
(type 0, code 0)
15
UDP datagram UDP header
0
31
16
15
8 bytes
Computer System and Networking
16
TCP segment TCP header
0
31
16
15
20 bytes
Computer System and Networking
17
???????????????????????? TCP
Client
Server
Computer System and Networking
segment 1
SYN, SEQ 500, no ACK
segment 2
SYN, SEQ 700, ACK 501
Three way handshake
segment 3
SEQ 501, ACK 701
18
???????????? ?????? ????????????
Computer System and Networking
19
???????????????????????????????

?????????????????????????????????????????????????
???????????????????? ?????????????????????????????
??????????????????? ??????????????????????????????
???
????????????????????????????????????????????
???????????????????????????????????????????
????????????????????????? ????????????????????????
???????????????????????????????

Computer System and Networking
20
????????????????????????

???????????????????????????????????????
Ping sweep
UDP port scan
TCP port scan
?????????????????????????????????????????????
Ping flood attack
UDP flood attack
SYN flood attack

Computer System and Networking
21
?????????????????????
Computer System and Networking
22
???????????????????????????????????
Capture packet
Separate by protocol
Computer System and Networking
TCP
UDP
ICMP
Ping sweep and Ping flood check
UDP port scan and UDP flood check
TCP port scan and SYN flood check
Analysis and Decision
23
???????????????????????
Protocol ICMP Source IP 10.0.1.3 Destination
IP 10.0.1.1 Message Echo request
00 10 dc fb 94 38 00 02 e3 4b 3f 01
08 00 45 00 00 3c f0 99 00 00 80 01
34 24 0a 00 01 03 0a 00 01 01 08 00
43 5c 03 00 07 00 61 62 63 64 65 66
67 68 69 6a 6b 6c 6d 6e 6f 70 71 72
73 74 75 76 77 61 62 63 64 65 66 67
68 69
24
Ping sweep
113131.328925 10.0.1.2 ?
172.25.3.1 icmp echo
request 113131.361971 10.0.1.2
? 172.25.3.2 icmp echo
request 113131.394914 10.0.1.2
? 172.25.3.3 icmp echo
request 113131.427909 10.0.1.2
? 172.25.3.4 icmp echo
request 113131.460904 10.0.1.2
? 172.25.3.5 icmp echo
request 113131.493899 10.0.1.2
? 172.25.3.6 icmp echo
request 113131.526893 10.0.1.2
? 172.25.3.7 icmp echo
request 113131.559889 10.0.1.2
? 172.25.3.8 icmp echo
request 113131.592883 10.0.1.2
? 172.25.3.9 icmp echo request
25
UDP port scan
141427.531354 10.0.1.2 42412
? 10.0.1.3 30 141427.535333
10.0.1.2 42412 ? 10.0.1.3
31 141427.539334 10.0.1.2 42412
? 10.0.1.3 32 141427.539426
10.0.1.2 42412 ? 10.0.1.3
33 141427.539515 10.0.1.2 42412
? 10.0.1.3 34 141427.539603
10.0.1.2 42412 ?
10.0.1.3 35 141427.539692 10.0.1.2
42412 ? 10.0.1.3
36 141427.545335 10.0.1.2 42412
? 10.0.1.3 37 141427.545429
10.0.1.2 42412 ? 10.0.1.3
38
26
TCP port scan
151021.676633 10.0.1.2 33212 ?
10.0.1.3 80 flags FPU 151021.676747
10.0.1.2 33212 ? 10.0.1.3
23 flags FPU 151021.676854 10.0.1.2
33212 ? 10.0.1.3 1234 flags
FPU 151021.676961 10.0.1.2 33212
? 10.0.1.3 139 flags
FPU 151021.677068 10.0.1.2 33212
? 10.0.1.3 21 flags FPU 151021.677174
10.0.1.2 33212 ? 10.0.1.3
8080 flags FPU 151021.677280 10.0.1.2
33212 ? 10.0.1.3 22 flags
FPU 151021.677387 10.0.1.2 33212
? 10.0.1.3 25 flags FPU 151021.684606
10.0.1.2 33212 ? 10.0.1.3
53 flags FPU
27
TCP port scan
Computer System and Networking
28
Ping flood attack
171916.563767 10.0.1.2 ?
10.0.1.1 icmp echo
request 171916.564688 10.0.1.2
? 10.0.1.1 icmp echo
request 171916.565155 10.0.1.2
? 10.0.1.1 icmp echo
request 171916.565446 10.0.1.2
? 10.0.1.1 icmp echo
request 171916.565745 10.0.1.2
? 10.0.1.1 icmp echo
request 171916.566084 10.0.1.2
? 10.0.1.1 icmp echo
request 171916.566220 10.0.1.2
? 10.0.1.1 icmp echo
request 171916.566493 10.0.1.2
? 10.0.1.1 icmp echo
request 171916.566718 10.0.1.2
? 10.0.1.1 icmp echo request
29
UDP flood attack
175227.950028 10.0.1.2 62462
? 10.0.1.1 53 175227.950060
10.0.1.2 62462 ? 10.0.1.1
53 175227.950091 10.0.1.2 62462
? 10.0.1.1 53 175227.950123
10.0.1.2 62462 ? 10.0.1.1
53 175227.950155 10.0.1.2 62462
? 10.0.1.1 53 175227.950186
10.0.1.2 62462 ?
10.0.1.1 53 175227.950218 10.0.1.2
62462 ? 10.0.1.1
53 175227.950249 10.0.1.2 62462
? 10.0.1.1 53 175227.950281
10.0.1.2 62462 ? 10.0.1.1
53
30
SYN flood attack
185230.950819 10.0.1.2 58654 ?
10.0.1.1 80 flags S 185230.952817
10.0.1.2 56408 ? 10.0.1.1 80
flags S 185230.954818 10.0.1.2 59718
? 10.0.1.1 80 flags
S 185230.956816 10.0.1.2 9139
? 10.0.1.1 80 flags S 185230.958833
10.0.1.2 7910 ? 10.0.1.1 80
flags S 185230.960816 10.0.1.2 48226
? 10.0.1.1 80 flags
S 185230.962817 10.0.1.2 4506
? 10.0.1.1 80 flags S 185230.964815
10.0.1.2 4587 ? 10.0.1.1 80
flags S 185230.966816 10.0.1.2 16848
? 10.0.1.1 80 flags S
31
????????????????????????????????????????

IP address ???????????????????
??????? Port ???????????????????
Timestamp
??????????????????????????
?????? TCP flag
??????????????
??? Threshold

Computer System and Networking
(?????????????? gt Threshold) ?
32
?????????????????????
Computer System and Networking
33
Configuration file
THIS CONFIGURATION USED FOR 10.0.1.0/24
SCANNING SCAN_COUNT_THRESHOLD 50
SCAN_ALERT_DELAY 2 FLOODING
FLOOD_COUNT_THRESHOLD 100 FLOOD_ALERT_DELAY 5
FLOOD_ALERT_LEVEL 3
Computer System and Networking
34
???????????????????
1. ??????????????????????????????????????????????
????????????????????????? 2. ?????????????????? 3
. ?????????????????????? Hash function
??????????????????????????????? 4.
??????????????????????????????????????????????????
????????????????????????????
????????????????????? 4.1 ??? ???????????????????
?????????????????????? 4.2 ?????? ?????????? 5.
??????????????????????????????????????????????????
????????? 6. ??????? ?????????????? gt Threshold
??????? 6.1 ??? ??????????????
??????????????????????????????????????? 6.2
?????? ?????????? 7. ??????????? 2
Computer System and Networking
35
??????????????????????????????????????? Ping sweep
struct icmp_sweep u_long src_ip
u_long dst_ip int sweep_count int
log struct timeval last_log struct
icmp_sweep sweep_listLIST_SIZE
0
1
2

LIST_SIZE - 1
36
????????????????????? Ping sweep
SCAN_COUNT_THRESHOLD 30
Hashfunc()
0
113131.328925 10.0.1.2 ? 10.0.1.1
1
113131.361971 10.0.1.2 ? 10.0.1.3
2
113131.394914 10.0.1.2 ? 10.0.1.4

255
113131.892883 10.0.1.2 ? 10.0.1.30
Start time 000000
113131.892883 10.0.1.2 ? 10.0.1.31
113131.328925
37
????????????????????????????

Ping sweep
Ping sweep from 10.0.1.2 to 172.25.1.0 _at_093149
UDP port scan
UDP port scan from 10.0.1.2 to 10.0.1.1 ports
38, 146, 80, 855, 378, _at_172903
TCP port scan
TCP port scan from 10.0.1.2 to 172.25.3.253
flags F--P-U ports 389, 22, 1723, 113, 80,
_at_13.32.44

Computer System and Networking
38
???????????????????????????????? Flooding

Ping flood attack
Ping flood level 1 from 10.0.1.2 to 10.0.1.1
_at_125943
UDP flood attack
UDP flood level 2 from 10.0.1.2 to 10.0.1.3
port 21_at_093548
SYN flood attack
SYN flood level 3 from 10.0.1.2 to 10.0.1.1
port 80 _at_150954

Computer System and Networking
39
????????????
Computer System and Networking
40
????????????

????????????????????????????????????
????????????????????????????????????????
?????????????????????????????????

Computer System and Networking
41
???????????????????????????????????????
???????????????????????????????????
10.0.1.1
172.25.3.246
Ethernet
FreeBSD 6.1
Computer System and Networking
Hub
10.0.1.2
10.0.1.3
172.25.3.159
Windows XP SP2
FreeBSD 6.1
IP aliases 10.0.1.4 - 10.0.1.32
FreeBSD 6.1
42
????????????????????????????????????????????

ICMP
C\gt ping n 1 10.0.1.2
ICMP packet from 10.0.1.3 to 10.0.1.2 type 8
code 0 _at_184139.285436
ICMP packet from 10.0.1.2 to 10.0.1.3 type 0
code 0 _at_184139.285509
UDP
C\gt nslookup
UDP packet from 10.0.1.33831 to 192.100.77.553
_at_114345.162868
UDP packet from 192.100.77.553 to 10.0.1.33831
_at_114345.164384

Computer System and Networking
43
????????????????????????????????????????????

TCP
C\gt telnet 172.25.1.4 80
TCP packet from 10.0.1.33837 to 172.25.1.480
flags -S----_at_133036.340595
TCP packet from 172.25.1.480 to 10.0.1.33837
flags -S--A- _at_133036.350278
TCP packet from 10.0.1.33837 to 172.25.1.480
flags ----A- _at_133036.350712

Computer System and Networking
44
????????????????????????????????????????????????
SCAN_COUNT_THRESHOLD 30 SCAN_ALERT_DELAY 0
FLOOD_COUNT_THRESHOLD 100 FLOOD_ALERT_LEVEL 3
FLOOD_ALERT_DELAY 0
Computer System and Networking
45
????????????????????????????????????????????????
??????? 10.0.1.3 ???????????????????????? 590 MB
??? FTP server ??????????
??????? 10.0.1.2 ??? 10.0.1.3 ????????????????????
???? 590 MB ??? FTP server ??????????????????
Computer System and Networking

?????????????

??????? 10.0.1.2 ??? 10.0.1.3 ????????????????????
?? 590 MB ???????????? 172.25.3.159 ????????
??????? 10.0.1.2 ??? 10.0.1.3 ????????????????????
?????????????? 590 MB ??????????????
46
????????????????????????????????????????????????
??????? 172.25.3.159 ????? Ping sweep
?????????????????????????? ?????????? TCP ??? UDP
Port ?????????????? 1 ??? 1024 ??????????
10.0.1.3 ??????????????

???????????????????????????????
(???????????????????????????????)

??????? 10.0.1.2 ????? Ping flood ????????????
10.0.1.3 ????? 100,000 ????????
Computer System and Networking
??????? 172.25.3.159 ??? 10.0.1.2 ????? Ping
flood ???????????? 10.0.1.3 ????? 100,000
??????????????????????
??????? 172.25.3.159, 10.0.1.1 ??? 10.0.1.2 ?????
Ping flood ???????????? 10.0.1.3 ????? 100,000
??????????????????????
??????? 172.25.3.159, 10.0.1.1 ??? 10.0.1.2 ?????
Ping flood ???????????? 10.0.1.3 ????? 500,000
??????????????????????
47
????????????????????????????????????????????????
SCAN_COUNT_THRESHOLD 30 SCAN_ALERT_DELAY 5
FLOOD_COUNT_THRESHOLD 100 FLOOD_ALERT_LEVEL 3
FLOOD_ALERT_DELAY 30
Computer System and Networking
48
????????????????????????????????????????????????