Title: IT Infrastructure
???????????
- ???? ???? ???
- 96? 11? 13?
????
- 1. ??????
  - Viruses, Worms, DoS attack
- 2. ????????
  - Customer-based countermeasures
  - ISP-based countermeasures
- 3. Detection Notification System
  - End-based, LAN-based, WAN-based (ISP)
- 4. ??
1. ??????
- ???????
- Viruses
  - Large amount of program replication
  - Mail virus
    - Attached in email
    - Infects the system by enticing the user to click the attachment
    - Resends a large amount of mail virus
  - Self-propagating programs
    - Spread through toxic web page browsing
1. ?????? (cont.)
- Worms
  - Self-propagating programs spread over the Internet
  - Spread by scanning the network for vulnerable machines and infecting them
  - Evolution of network worms
    - Spread through system vulnerability
      - CodeRed (Jul 2001)
    - Spread through system vulnerability and tftpd
      - Nimda, Nachi (Sep 2001)
    - Spread through system vulnerability and mail virus
      - SoBig (Aug 2003), MyDoom (Jan 2004), Bagle (2004)
    - Spread through system vulnerability and toxic web pages
      - Stanty (Dec 2004)
1. ?????? (cont.)
- BotNet
  - Zombie army
  - Distributed through IRC (network chat rooms)
    - 6667/tcp
- DoS attack
  - Slam well-known web servers (Microsoft, Google, ...)
  - Flooding-based DDoS attack
    - Significant performance decline of the network link
- Identity theft
  - Spyware, Phishing (banks, eBay, PayPal, ...)
1. ?????? (cont.)
- Technical hackers
  - Show their skill
- Technical hackers + criminal gangs
  - Enormous profits
- The weak link in Internet security
  - A significant population of Internet users do not adequately secure their desktops
2. ????????
- Where security countermeasures could be invoked
  - Customer-based countermeasures
  - ISP-based countermeasures
    - ISP core/edge/access routers
2. ???????? (cont.)
- Customer-based countermeasures
  - Anti-virus software
  - Firewall, IDS
  - OS vendor s/w patches
    - Windows Update
    - Linux up2date
  - S/W vendors' security improvements
  - Desktop vulnerability checking
  - Firewall Secure ?? (Incorrect)
2. ???????? (cont.)
- Why ISPs are uniquely positioned to help
  - John E. H. Clark (Feb 2003)
  - Traffic gateway
    - All traffic between the Internet and the customer's desktop passes through the ISP's access
  - Skilled network managers
  - Well-organized network user information
  - High efficiency, wide-range protection
2. ???????? (cont.)
- ISP-based countermeasures
  - a) Measuring and monitoring traffic
    - to/from customers
  - b) Bi-directional IPS at ISP access
    - 50-60% of junk attack traffic
  - c) Ingress address filtering at ISP access
    - In-line with the traffic being monitored
  - d) User awareness training effort
3. Detection Notification System
- Signature detection
  - Packet payload
- Anomaly detection
  - Packet-based
    - tcpdump (snooped over subnetworks)
  - Flow-based
    - NetFlow (exported by router / switch)
3. Detection Notification System (cont.)
- Our works
- ??? /???????
- ??,?????????????????,??????????????
- flow?? ??
- ?????
- ????????????
- ???????router NetFlow ????
- ??Flooding Detection System, FDS
3. Detection Notification System (cont.)
- PortScan????
- ???????????PortScan flows,????????
- ?????????????port number????????1024 65535.
3. Detection Notification System (cont.)
- ??3?NetFlow????
  - (1) source IP ?? (src_IP)
  - (2) destination ??? (dst_port)
  - (3) ?TCP??
- ?Feature-based??????
  - ??????? SYN/FIN TCP handshaking ?????????????ports?source ??, ??Portscan????
3. Detection Notification System (cont.)
- SMTP Flooding (Spam) ????
- ??Portscan????
- spam????
- ??????SMTP (Simple Mail Transfer Protocol)???????
- ??outbound????????
- ??SMTP??????????
3. Detection Notification System (cont.)
- Packet Flooding ????
- ?????UDP/ICMP Flooding??
- ???????????
- ????routing??
- ??source (src_IP) ?virtual flow
- ???????source IP ???
- ???UDP / ICMP Packet/ Byte/ Flow??
- ???????DDoS??
3. Detection Notification System (cont.)
- Flooding ????????
  - Feature-based????/????
    - ????source IP?????destination port?flow?,packet?, byte?,?mean packet size????,
  - Multi-thresholds??????
    - ?????source?????
      - flow(source_i), packet(source_i), byte(source_i), pkt_size(source_i)
    - ???????TCP???????duration(source_i)
    - ????????,???PortScan sources.
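The feature-based, multi-threshold classification described on the preceding slides (per-source flow, packet, byte, mean packet size, destination-port and TCP-handshake features, with separate rules for PortScan, SMTP flooding and UDP/ICMP packet flooding) worked through as an added Python example. This is not the talk's FDS code: the NetFlow-style records, their field names and the threshold values are all constructed for illustration.

```python
"""Feature-based, multi-threshold flooding detection over NetFlow-style records.

Added example, not the talk's FDS code. Records, field names (modelled on the
usual NetFlow v5 export fields) and thresholds are constructed for illustration.
"""

# Per-source thresholds (assumed values; a deployment tunes them per link)
THRESHOLDS = {
    "scan_ports": 20,         # distinct destination ports touched by one source
    "scan_syn_ratio": 0.8,    # share of its TCP flows that are bare SYNs (no handshake)
    "smtp_flows": 50,         # outbound flows to tcp/25 from one source
    "flood_packets": 10_000,  # UDP/ICMP packets from one source in the window
    "flood_bytes": 10_000_000,
}


def summarize(flows):
    """Aggregate per-source features: flow/packet/byte counts, mean packet size,
    distinct dst ports, SYN-only ratio, SMTP flow count and UDP/ICMP volume."""
    per_src = {}
    for f in flows:
        s = per_src.setdefault(f["src"], {
            "flows": 0, "packets": 0, "bytes": 0, "duration": 0.0, "dports": set(),
            "tcp_flows": 0, "syn_only": 0, "smtp_flows": 0, "ui_packets": 0, "ui_bytes": 0,
        })
        s["flows"] += 1
        s["packets"] += f["packets"]
        s["bytes"] += f["bytes"]
        s["duration"] += f["duration"]
        s["dports"].add(f["dport"])
        if f["proto"] == 6:                        # TCP
            s["tcp_flows"] += 1
            if "S" in f["flags"] and "A" not in f["flags"]:
                s["syn_only"] += 1                 # SYN that never completed a handshake
            if f["dport"] == 25:
                s["smtp_flows"] += 1
        elif f["proto"] in (17, 1):                # UDP / ICMP
            s["ui_packets"] += f["packets"]
            s["ui_bytes"] += f["bytes"]
    for s in per_src.values():
        s["mean_pkt_size"] = s["bytes"] / s["packets"]
        s["syn_ratio"] = s["syn_only"] / s["tcp_flows"] if s["tcp_flows"] else 0.0
        s["mean_duration"] = s["duration"] / s["flows"]
    return per_src


def classify(per_src, t=THRESHOLDS):
    """Apply the multi-threshold rules; returns {src: [labels]} for sources that trip any."""
    verdicts = {}
    for src, s in per_src.items():
        labels = []
        if len(s["dports"]) >= t["scan_ports"] and s["syn_ratio"] >= t["scan_syn_ratio"]:
            labels.append("PortScan")
        if s["smtp_flows"] >= t["smtp_flows"]:
            labels.append("SMTP-Flooding")
        if s["ui_packets"] >= t["flood_packets"] or s["ui_bytes"] >= t["flood_bytes"]:
            labels.append("Packet-Flooding")
        if labels:
            verdicts[src] = labels
    return verdicts


def detect(flows):
    return classify(summarize(flows))


def sample_flows():
    """Constructed flow records: one scanner, one spam source, one UDP flooder, one normal client."""
    def flow(src, dst, sport, dport, proto, flags, packets, nbytes, duration):
        return dict(src=src, dst=dst, sport=sport, dport=dport, proto=proto,
                    flags=flags, packets=packets, bytes=nbytes, duration=duration)
    flows = []
    for port in range(1024, 1054):               # bare SYNs to 30 ports on one host
        flows.append(flow("10.0.0.5", "10.0.1.9", 40000 + port, port, 6, "S", 1, 40, 0.0))
    for i in range(60):                          # 60 outbound SMTP sessions to different hosts
        flows.append(flow("10.0.0.7", f"192.0.2.{i + 1}", 50000 + i, 25, 6, "SA", 12, 5600, 1.5))
    for i in range(20):                          # UDP flood: 20 flows of 1000 packets each
        flows.append(flow("10.0.0.9", "198.51.100.1", 1234, 53 + i, 17, "", 1000, 1_000_000, 2.0))
    for i in range(5):                           # ordinary web client: full handshakes, few flows
        flows.append(flow("10.0.0.2", "203.0.113.10", 51000 + i, 80, 6, "SAPF", 30, 24000, 4.0))
    return flows


if __name__ == "__main__":
    for src, labels in detect(sample_flows()).items():
        print(src, labels)
```

The SYN-only ratio is what keeps the UDP flooder (which also touches 20 destination ports) out of the PortScan bucket, and the SMTP rule counts flows rather than bytes, since a spam run is many small sessions rather than one large one.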
3. Detection Notification System (cont.)
- Flooding ?????????
  - ?? ip_routing table
    - Router ipRoute SNMP MIB
  - ?????RWhois IP????????
  - ???????? ????

3. Detection Notification System (cont.)
- Flooding ?????????(cont.)
  - ????router????routing
    - snmpwalk ipRouteMask (1.3.6.1.4.21.2.1.11)
    - snmpwalk ipRouteNextHop (1.3.6.1.4.21.2.1.7)
  - ??/???? ip_routing ??
  - ????RWhois network schema???
  - ??NextHop ?????????
  - ???? IP??????
    - http://susan.tyc.edu.tw/yang/rwhois.php?ip=140.115.1.12
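Mapping a flooding source to the route and next hop that carry it, using the ipRoute table walked from the router, as an added Python example rather than the talk's own tool. It parses snmpwalk output for the ipRouteMask and ipRouteNextHop columns (numeric OIDs as defined in RFC 1213: 1.3.6.1.2.1.4.21.1.11 and 1.3.6.1.2.1.4.21.1.7, both indexed by ipRouteDest) into a routing table and performs a longest-prefix match. The walk output, networks and next-hop addresses are constructed.

```python
"""Locate the route and next hop carrying a flooding source, from ipRouteTable walks.

Added example, not the talk's tool. The snmpwalk output below is constructed;
the OIDs are the RFC 1213 columns ipRouteMask (1.3.6.1.2.1.4.21.1.11) and
ipRouteNextHop (1.3.6.1.2.1.4.21.1.7), each indexed by ipRouteDest.
"""
import ipaddress
import re

IP_ROUTE_MASK = "1.3.6.1.2.1.4.21.1.11"
IP_ROUTE_NEXT_HOP = "1.3.6.1.2.1.4.21.1.7"

# Constructed output of:  snmpwalk -v2c -c <community> <router> <column OID>
MASK_WALK = """\
.1.3.6.1.2.1.4.21.1.11.0.0.0.0 = IpAddress: 0.0.0.0
.1.3.6.1.2.1.4.21.1.11.140.115.0.0 = IpAddress: 255.255.0.0
.1.3.6.1.2.1.4.21.1.11.140.115.11.0 = IpAddress: 255.255.255.0
.1.3.6.1.2.1.4.21.1.11.163.25.254.0 = IpAddress: 255.255.255.0
"""
NEXTHOP_WALK = """\
.1.3.6.1.2.1.4.21.1.7.0.0.0.0 = IpAddress: 192.0.2.1
.1.3.6.1.2.1.4.21.1.7.140.115.0.0 = IpAddress: 140.115.254.1
.1.3.6.1.2.1.4.21.1.7.140.115.11.0 = IpAddress: 140.115.11.254
.1.3.6.1.2.1.4.21.1.7.163.25.254.0 = IpAddress: 163.25.254.254
"""

# column OID, then the four-octet ipRouteDest index, then the IpAddress value
LINE_RE = re.compile(
    r"^\.?(?P<oid>\d+(?:\.\d+)*?)\.(?P<dest>\d+\.\d+\.\d+\.\d+) = IpAddress: (?P<val>\S+)$")


def parse_walk(text, column_oid):
    """Return {ipRouteDest: value} for the rows of one ipRouteTable column."""
    rows = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("oid") == column_oid:
            rows[m.group("dest")] = m.group("val")
    return rows


def build_routes(mask_walk, nexthop_walk):
    """Join the two columns on ipRouteDest into [(network, next_hop)], longest prefix first."""
    masks = parse_walk(mask_walk, IP_ROUTE_MASK)
    hops = parse_walk(nexthop_walk, IP_ROUTE_NEXT_HOP)
    routes = []
    for dest, mask in masks.items():
        if dest in hops:
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            routes.append((net, hops[dest]))
    routes.sort(key=lambda r: r[0].prefixlen, reverse=True)
    return routes


def lookup(routes, ip):
    """Longest-prefix match: (network, next hop) the router uses for ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net, hop in routes:
        if addr in net:
            return str(net), hop
    return None


if __name__ == "__main__":
    table = build_routes(MASK_WALK, NEXTHOP_WALK)
    for src in ("140.115.11.131", "140.115.1.12", "198.51.100.7"):
        print(src, "->", lookup(table, src))
```

Sorting by prefix length before matching is what makes the /24 win over the covering /16 and the default route, so the next hop returned is the one closest to the offending source.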
4. ??
- Flooding????????(FDS)
- aggregate router NetFlow????
- ????PortScan, Spam? packet flooding????
- ?? Rwhoisd IP ???????
- ?????????????????
- ?????????,??flooding??
4. ?? (cont.)
- ?????????
- ??????????????????
- portscan ?? (??????? ports)
- Spam
- packet flooding??
- ???flooding ????
- ???????????????
- ?????????? flooding??

Thank You!
???? abuse????
- ???? ???????
- ???(center7_at_cc.ncu.edu.tw)

? ? ? ?
- 1. abuse complaint ?????
- 2. abuse????
- 3. abuse????
- 4. P2P traffic target system
  - http://163.25.255.22/yang/index_abuse_emule.php
  - http://163.25.255.22/yang/index_abuse_emule_port.php
- 5. ??
1. Abuse complaint ?????
- Abuse complaint ?????
- ???? abuse complaint mail file
  - abuse_at_ncu.edu.tw (/var/mail/abuse)
- ??/?? abuse ???
  - PortScan/Password crack (??????)
  - Spam (??/???)
  - Infringement (???????)
  - Phishing (????)
- ???????,????????.
1. Abuse complaint ????? (cont.)
- ????????
- ?? abuse_at_ncu.edu.tw mail file, ??/?? ?????
- ?? dbacl (digramic Bayesian text classifier) ???????abuse type (spam, infringe, portscan, phish).
- ?? target IP ??,?? IP, abuse ????
- ? IP ?key,?? Rwhois Server, ????? email,?????????????.
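The complaint-processing steps listed above (read the abuse mailbox, classify each complaint by abuse type, extract the target IP and key the result by IP), as an added Python example that is not the talk's script. The talk used dbacl for the text classification; here a tiny multinomial naive Bayes trained on constructed sentences stands in for it so the block runs offline. The mbox text, the training sentences and the local address prefixes (140.115., 163.25.) are all constructed assumptions.

```python
"""Abuse-mailbox triage: classify each complaint by type and key it by target IP.

Added example, not the talk's script. The talk used dbacl for classification;
a tiny multinomial naive Bayes (trained on constructed sentences) stands in
for it here so the block runs offline. Mailbox text, training text and the
local address prefixes are all constructed assumptions.
"""
import math
import re
from collections import Counter, defaultdict
from email import message_from_string

# Constructed training sentences per abuse type (stand-in for dbacl category files)
TRAINING = {
    "spam": ["unsolicited bulk email spam received from your network",
             "spam message advertising sent through your mail server"],
    "infringe": ["copyright infringement notice bittorrent dmca file sharing",
                 "unauthorized distribution of copyrighted movie infringement"],
    "portscan": ["port scan detected ssh login attempts in our firewall log",
                 "portscan probes against our hosts on multiple ports scanning"],
    "phish": ["phishing site hosted on your network fake bank login page",
              "phishing url impersonating paypal credential harvesting"],
}

# Constructed mbox with two complaints (the "From " line separates messages)
MAILBOX = """\
From reporter@example.net Mon Nov 12 10:00:00 2007
From: reporter@example.net
Subject: Port scan from 140.115.11.131

Our firewall log shows port scan probes and ssh login attempts from
140.115.11.131 against 192.0.2.10 on multiple ports.

From dmca@example.org Mon Nov 12 11:00:00 2007
From: dmca@example.org
Subject: Copyright infringement notice

A bittorrent client at 163.25.254.7 is sharing a copyrighted movie
(infringement, DMCA notice).
"""

LOCAL_PREFIXES = ("140.115.", "163.25.")   # assumed: our own address space
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def tokens(text):
    return re.findall(r"[a-z0-9]+", text.lower())


def train(corpus):
    """Per-class word counts plus the shared vocabulary."""
    counts = {label: Counter() for label in corpus}
    for label, docs in corpus.items():
        for doc in docs:
            counts[label].update(tokens(doc))
    vocab = {w for c in counts.values() for w in c}
    return counts, vocab


def classify(text, model):
    """Multinomial naive Bayes with Laplace smoothing and a uniform class prior."""
    counts, vocab = model
    best, best_score = None, -math.inf
    for label, c in counts.items():
        total = sum(c.values())
        score = sum(math.log((c[w] + 1) / (total + len(vocab))) for w in tokens(text))
        if score > best_score:
            best, best_score = label, score
    return best


def target_ips(text):
    """IPs mentioned in the complaint that fall inside our own prefixes."""
    return sorted({ip for ip in IP_RE.findall(text) if ip.startswith(LOCAL_PREFIXES)})


def process_mailbox(mbox_text, model):
    """{target_ip: [(abuse_type, reporter), ...]} for every complaint in the mbox."""
    by_ip = defaultdict(list)
    for chunk in re.split(r"^From ", mbox_text, flags=re.M):
        if not chunk.strip():
            continue
        msg = message_from_string(chunk.split("\n", 1)[1])   # drop the From_ line
        body = msg.get_payload()
        kind = classify(msg.get("Subject", "") + " " + body, model)
        for ip in target_ips(body):
            by_ip[ip].append((kind, msg.get("From")))
    return dict(by_ip)


MODEL = train(TRAINING)

if __name__ == "__main__":
    for ip, reports in process_mailbox(MAILBOX, MODEL).items():
        print(ip, reports)
```

Filtering the extracted addresses to the local prefixes matters: a complaint usually names both the offending host and the victim, and only the address in our own space is the one to look up in RWhois and notify.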
1. Abuse complaint ????? (cont.)
- ????
- ??????abuse?????????.
- ?????????,?????????.
- ?????
- ??on-demand abuse??????.
2. abuse????
- 93?(2004)
- 94?(2005)
- 95?(2006)
- 96?(2007)
3. Abuse????
- ???(Infringement)
- ??? (Spam)
- PortScan
- Phishing
4. Abuse ??????
- URL
  - http://ayang.tyc.edu.tw/Tyc_Abuse/Tanet/summ_notify.php
- ???? abuse complaint ??
- ?? ??,??
  - 96-01
  - 95-12
5. P2P traffic target system
- Features of P2P traffic
  - Packet size (large packets)
  - Connections (many to many)
  - Duration (lasts longer)
  - Traffic volume (large amount)
- URLs of Tyc P2P traffic statistics
  - http://163.25.255.22/yang/index_abuse_emule.php
  - http://163.25.255.22/yang/index_abuse_emule_port.php
6. ??
- ???????????
- Technique
  - ?? Flood Detection system
  - ??? firewall, IDS
  - ???? firewall, antivirus package
- Educate end users
  - Protect PCs from being exploited as stepping stones
- Security policy
- Management support
5. ?? (cont.)
- Putting an end to the dark side of the network
  - Increase awareness
  - Educate users
  - Implement organizational policies
  - Use technology to protect against these threats
    - Flooding Detection system

5. ?? (cont.)
- ??????
- ????????????
- ??????????????
- Content-based ????????
  - Mining
  - Detection
???????????
- ???????? ???
- 2007? 10? 8?

????
- 1.????
- 2.???? Trunk ?????
- 3.?????????????
- 4.??
1.????
- ???????
  - Cost
    - 2 million per year
  - Performance
    - Trunk Traffic Statistics (MRTG?)
    - Ping (RTT?)
      - ?? firewall ??? ping traffic
    - User Sensitive Traffic Statistics
      - Delay for fetching a png or pdf file
      - Cisco, hp, 3com, ubuntu
2. ???? Trunk ??
- ??core router7609??????????
  - http://cygnus.cc.ncu.edu.tw/mrtg/7609/r7609_63.html
- ???????????
  - http://cygnus.cc.ncu.edu.tw/mrtg/m160/m160_65.html
- ?????TANET????
  - http://mrtg.moe.edu.tw/backbone/ncu_cht.html

??core router????????

???????????

?????TANET????
2. ???? Trunk ?? (cont.)
- TANET??????
  - http://mrtg.moe.edu.tw/internet/internet-pos-stm16.html
- ?????????
  - http://mrtg.ntcu.net/ntcu-6509/211.76.255.1_po8_1.html

TANET??????

?????????
3.??????????
- ?????? http://bunny.tyc.edu.tw/Ncu/browse.jsp
- NCU_Link Collector
  - 140.115.11.131
- TYC_Link
  - 163.25.254.7

3.?????????? (cont.)
- 2007-Aug, 2007-Sep
  - 8/17 - 8/31, 9/1 - 9/30
- 2007-Oct
  - 10/3 (NCTU_DORM??)
  - 10/9 (NCTU_DORM??)
  - 10/15 (TWGATE ??routing path)
  - 10/16 - 10/31
4. ?????
- delay2.java
  - get()
  - main()
- wget_stat.sh
- crontab
  - Call delay2 routinely
import java.io.*;
import java.net.*;
import java.text.SimpleDateFormat;
import java.util.Date;

public class delay2 {
    // URL most recently fetched by get(); main() writes it into the log line
    static String theUrl_name;

    public void get(String theUrl, String filename) throws IOException {
        theUrl_name = theUrl;
        try {
            URL gotoUrl = new URL(theUrl);
            InputStreamReader isr = new InputStreamReader(gotoUrl.openStream());
            BufferedReader in = new BufferedReader(isr);
            StringBuffer sb = new StringBuffer();
            String inputLine;
            // grab the contents at the URL
            while ((inputLine = in.readLine()) != null) {
                sb.append(inputLine + "\r\n");
            }
            in.close();
            // write it locally
            createAFile(filename, sb.toString());
        } catch (MalformedURLException mue) {
            mue.printStackTrace();
        } catch (IOException ioe) {
            throw ioe;
        }
    }

    // not shown on the slides: stores the fetched contents under filename
    private void createAFile(String filename, String contents) throws IOException {
        BufferedWriter w = new BufferedWriter(new FileWriter(filename));
        w.write(contents);
        w.close();
    }

    public static void main(String[] args) {
        Date date = new Date();
        SimpleDateFormat day = new SimpleDateFormat("MMdd");
        SimpleDateFormat df = new SimpleDateFormat("MMddHH");
        // System.out.println(df.format(date));
        String day_file = day.format(date);
        String cur_hour = df.format(date);
        String filename = "/home/Ncu_Link/" + day_file;   // one log file per day
        try {
            BufferedWriter out = new BufferedWriter(new FileWriter(filename, true));
            out.write("\n Hour " + cur_hour);
            long elapsedtime = System.currentTimeMillis();
            out.write("\n From " + elapsedtime + " msec. ");
            delay2 httpGetter = new delay2();
            httpGetter.get(args[0], args[1]);   // args: URL to fetch, local file name
            long endtime = System.currentTimeMillis();
            out.write("\n To " + endtime + " msec. ");
            elapsedtime = endtime - elapsedtime;  // fetch time in msec
            out.write("\n It takes " + elapsedtime + " msec." + theUrl_name + "\n");
            out.close();
        } catch (Exception ex) {
            ex.printStackTrace();
        }
    }
}
#!/bin/csh -f
# wget_stat.sh: put every jar under $batch_home/lib on the CLASSPATH, then time one fetch per site
setenv CLASSPATH '.'
set batch_home=/opt/apache-tomcat-6.0.14/webapps/ROOT/Socket
set flist=`/bin/ls $batch_home/lib/*.jar`
foreach name ($flist)
    setenv CLASSPATH ${CLASSPATH}:$name
end
cd $batch_home
java delay2 http://www.cisco.com/cdc_content_elements/images/homepage/ba_partnerLocato_blue.jpg cisco.jpg
java delay2 http://welcome.hp-ww.com/country/us/en/img/n4_welcome/smb/primary_smb_msg_730.jpg hp.jpg
java delay2 http://www.3com.com/other/pdfs/solutions/en_US/3com_505403-001.pdf 3com.pdf
java delay2 http://www.ubuntu.com/themes/ubuntu07/images/ubuntulogo.png ubuntu.png
Date 111900 It takes 922 msec.http://www.cisco.com/cdc_content_elements/images/homepage/ba_partnerLocato_blue.jpg
Date 111900 It takes 1797 msec.http://welcome.hp-ww.com/country/us/en/img/n4_welcome/smb/primary_smb_msg_730.jpg
Date 111900 It takes 19266 msec.http://www.3com.com/other/pdfs/solutions/en_US/3com_505403-001.pdf
Date 111900 It takes 1140 msec.http://www.ubuntu.com/themes/ubuntu07/images/ubuntulogo.png
Date 111904 It takes 1079 msec.http://www.cisco.com/cdc_content_elements/images/homepage/ba_partnerLocato_blue.jpg
Date 111904 It takes 859 msec.http://welcome.hp-ww.com/country/us/en/img/n4_welcome/smb/primary_smb_msg_730.jpg
Date 111904 It takes 12203 msec.http://www.3com.com/other/pdfs/solutions/en_US/3com_505403-001.pdf
Date 111904 It takes 1078 msec.http://www.ubuntu.com/themes/ubuntu07/images/ubuntulogo.png
4. ????? (cont.)
- LinkPerf.java
  - Extract the data recorded per 4-hour period
  - Aggregate the mean delay (msec)
  - Output to another file
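Parsing the delay2 log format shown above and aggregating it the way LinkPerf.java is described (mean delay in msec per host, per 4-hour period and per day), as an added Python example that is not the project's LinkPerf code. The first four log lines are taken from the sample output; the fifth is constructed, and the year 2007 is assumed for the weekday names.

```python
"""Aggregate delay2 probe logs into per-period and per-day mean delays.

Added example, not the project's LinkPerf.java. Log lines: four from the talk's
sample output plus one constructed line; year 2007 is assumed for weekdays.
"""
import re
from collections import defaultdict
from datetime import date
from urllib.parse import urlparse

LOG = """\
Date 111900 It takes 922 msec.http://www.cisco.com/cdc_content_elements/images/homepage/ba_partnerLocato_blue.jpg
Date 111900 It takes 1797 msec.http://welcome.hp-ww.com/country/us/en/img/n4_welcome/smb/primary_smb_msg_730.jpg
Date 111904 It takes 1079 msec.http://www.cisco.com/cdc_content_elements/images/homepage/ba_partnerLocato_blue.jpg
Date 111904 It takes 859 msec.http://welcome.hp-ww.com/country/us/en/img/n4_welcome/smb/primary_smb_msg_730.jpg
Date 111908 It takes 999 msec.http://www.cisco.com/cdc_content_elements/images/homepage/ba_partnerLocato_blue.jpg
"""

# "Date MMddHH It takes N msec.<url>" as written by delay2's main()
LINE_RE = re.compile(r"Date (\d{2})(\d{2})(\d{2}) It takes (\d+) msec\.(\S+)")


def parse_records(text):
    """List of (mmdd, hour, host, msec), one per probe line; malformed lines are skipped."""
    recs = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        mm, dd, hh, msec, url = m.groups()
        recs.append((mm + dd, int(hh), urlparse(url).hostname, int(msec)))
    return recs


def _mean(values):
    return round(sum(values) / len(values))


def mean_by_period(records, period_hours=4):
    """{(mmdd, period_index): {host: mean msec}} with period_index = hour // period_hours."""
    buckets = defaultdict(lambda: defaultdict(list))
    for mmdd, hour, host, msec in records:
        buckets[(mmdd, hour // period_hours)][host].append(msec)
    return {key: {h: _mean(v) for h, v in hosts.items()} for key, hosts in buckets.items()}


def daily_lines(records, year=2007):
    """One line per day in the LinkPerf layout: 'MMDD Dow host=mean, host=mean<br>'."""
    per_day = defaultdict(lambda: defaultdict(list))
    for mmdd, _, host, msec in records:
        per_day[mmdd][host].append(msec)
    lines = []
    for mmdd in sorted(per_day):
        dow = date(year, int(mmdd[:2]), int(mmdd[2:])).strftime("%a")
        cells = ", ".join(f"{h}={_mean(v)}" for h, v in sorted(per_day[mmdd].items()))
        lines.append(f"{mmdd} {dow} {cells}<br>")
    return lines


if __name__ == "__main__":
    recs = parse_records(LOG)
    for key, hosts in sorted(mean_by_period(recs).items()):
        print(key, hosts)
    print("\n".join(daily_lines(recs)))
```

Keying on the URL's hostname rather than the full URL is what lets the probe target change (a different image on the same site) without splitting the time series.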
1101 Thu welcome.hp-ww.com=774, www.3com.com=13443, www.cisco.com=800, www.ubuntu.com=1115<br>
1102 Fri welcome.hp-ww.com=847, www.3com.com=12825, www.cisco.com=815, www.ubuntu.com=1025<br>
1103 Sat welcome.hp-ww.com=1074, www.3com.com=13578, www.cisco.com=853, www.ubuntu.com=1225<br>
1104 Sun welcome.hp-ww.com=672, www.3com.com=15053, www.cisco.com=821, www.ubuntu.com=1071<br>
1105 Mon welcome.hp-ww.com=824, www.3com.com=13240, www.cisco.com=837, www.ubuntu.com=1065<br>
4. ????? (cont.)
- Browse.jsp
  - Offers the user monitoring of the aggregate data records
- Times_both.jsp
  - Draws the time-series graph from the aggregate data records
  - Calls the jfreechart libraries
    - jfreechart-1.0.6
<%@ page contentType="image/png;charset=UTF-8" %>
<%@ page import="java.util.*,java.io.*,java.awt.*,java.text.*" %>
<%@ page import="org.jfree.chart.JFreeChart" %>
<%@ page import="org.jfree.chart.ChartRenderingInfo" %>
<%@ page import="org.jfree.chart.servlet.ServletUtilities" %>
<%@ page import="org.jfree.chart.entity.StandardEntityCollection" %>
<%@ page import="org.jfree.chart.ChartUtilities" %>
<%@ page import="javax.servlet.ServletOutputStream" %>
<%@ page import="org.jfree.chart.ChartFactory" %>
<%@ page import="org.jfree.data.xy.*" %>
<%@ page import="org.jfree.data.time.*" %>
<%@ page import="org.jfree.chart.axis.*" %>
<%@ page import="org.jfree.chart.ui.*" %>
<%@ page import="org.jfree.chart.plot.*" %>
<%@ page import="org.jfree.chart.renderer.xy.*" %>
<%@ page import="org.jfree.ui.ApplicationFrame" %>
<%@ page import="org.jfree.ui.RefineryUtilities" %>
<%@ page import="org.jfree.chart.title.*" %>
<%@ page import="org.jfree.chart.urls.*" %>
<%@ page import="org.jfree.chart.entity.*" %>
<%@ page import="org.jfree.chart.labels.StandardXYToolTipGenerator" %>
<%
    // one time series per trunk; values are delay in msec per day
    TimeSeriesCollection dataset = new TimeSeriesCollection();
    TimeSeries series1 = new TimeSeries("NCU -???????");
    TimeSeries series2 = new TimeSeries("TYC -TANET??????");
    series1.add(new Day(1, 9, 2007), 13312);
    series1.add(new Day(2, 9, 2007), 12880);
    series2.add(new Day(20, 10, 2007), 25573958);
    series2.add(new Day(21, 10, 2007), 25612666);
    // add the dataset
    dataset.addSeries(series1);
    dataset.addSeries(series2);
    // dataset.setDomainIsPointsInTime(true);
    String chartTitle = "Delay of NCU / TYC Trunk (2007-Sep Oct)";
    JFreeChart chart = ChartFactory.createTimeSeriesChart(
        chartTitle, "??time", "Delay (msec)", dataset, true, true, false);
    chart.setBackgroundPaint(java.awt.Color.white);

    // plot
    XYPlot plot = chart.getXYPlot();
    XYItemRenderer renderer = plot.getRenderer();
    if (renderer instanceof XYLineAndShapeRenderer) {
        XYLineAndShapeRenderer rr = (XYLineAndShapeRenderer) renderer;
        // rr.setDefaultShapesVisible(true);
        // rr.setDefaultShapesFilled(true);
    }
    DateAxis axis = (DateAxis) plot.getDomainAxis();
    axis.setDateFormatOverride(new SimpleDateFormat("dd"));
    chart.setBackgroundPaint(java.awt.Color.white);
    // stream the rendered chart back to the browser as a PNG image
    OutputStream ostream = response.getOutputStream();
    ChartUtilities.writeChartAsPNG(ostream, chart, 700, 400);
    ostream.close();
%>
5.??
- Tyc_Link/Ncu_Link????????
- ?? JAVA /JSP ??
- (1)????,?????JAVA
  - population resources???.
- (2)??JAVA,JSP?K ?,???????.
  - ???????? Socket, File, regex( pattern, match, scanner)
  - ???????,???.
5.?? (cont.)
- ?? Jfreechart
  - Time series chart
  - Bar chart
  - Pie chart
- ????, ??????????

Thank You!