Measurement and Diagnosis of Address Misconfigured P2P traffic - PowerPoint PPT Presentation

1
Measurement and Diagnosis of Address
Misconfigured P2P traffic
Zhichun Li, Anup Goyal, Yan Chen and Aleksandar Kuzmanovic
Lab for Internet and Security Technology (LIST), Northwestern Univ.
2
What is P2P address misconfiguration?
  • Thousands of peers send P2P file downloading
    requests to a random target (even not in the
    P2P system) on the Internet

[Figure: peers sending address-misconfigured P2P traffic to a random target on the Internet]
3
Motivations
  • P2P file sharing accounted for > 60% of traffic
    in the USA and > 80% in Asia
  • P2P software DC has already been exploited by
    attackers for DoS
      • directed gigabit-per-second volumes of junk data
        to a victim host from more than 150,000 peers
  • End user perspective
      • Involves innocent users in DDoS attacks
        without their knowledge
      • Anti-P2P arms race
      • Downloading performance
  • ISP perspective
      • Reduce unwanted traffic for a green Internet
      • Got contacted by an ISP in Canada
  • P2P developer perspective
      • Identify the buggy software among a large number
        of variants
      • Help design more robust P2P software

4
Outline
  • Motivation
  • Passive measurement results
  • P2PScope system design
  • Root cause diagnosis and analysis
  • Conclusion

5
Passive Measurement
  • Honeynet/honeyfarm datasets
  • Events of unique sources > 100 in 6 hours

                 LBL          NU           GQ
  Sensor         5 /24        10 /24       4 /16
  Traces         901 GB       916 GB       49 GB
  Duration       47 months    16 months    26 days

Processing pipeline: scan traffic removal → event time window extraction → target identification
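The event-identification pipeline of slide 5, as an added example that is not part of the original talk or of the P2PScope/P2P Doctor code: it applies the slide's rule (more than 100 unique sources per target within a 6-hour window) to constructed flow records. The scanner heuristic (a source touching more than 8 sensor addresses) is an assumption, since the slide does not define its scan-removal rule.

```python
from collections import defaultdict

WINDOW = 6 * 3600   # 6-hour event window (slide 5)
THRESHOLD = 100     # event = more than 100 unique sources in one window (slide 5)
SCAN_TARGETS = 8    # assumption: a source touching > 8 sensor addresses is a scanner

def remove_scanners(flows, max_targets=SCAN_TARGETS):
    """Drop sources that sweep many sensor addresses. A misconfigured peer
    keeps hitting the one address it wrongly believes is a peer, a scanner does not."""
    touched = defaultdict(set)
    for _, src, dst in flows:
        touched[src].add(dst)
    scanners = {s for s, t in touched.items() if len(t) > max_targets}
    return [f for f in flows if f[1] not in scanners], scanners

def find_events(flows, window=WINDOW, threshold=THRESHOLD):
    """Count unique sources per (target, 6h window); contiguous busy windows of
    one target merge into a single event (target, start, end, unique sources)."""
    buckets = defaultdict(set)
    for ts, src, dst in flows:
        buckets[(dst, ts // window)].add(src)
    events, last = [], {}
    for (dst, w), srcs in sorted(buckets.items()):
        if len(srcs) <= threshold:
            continue
        ev = events[last[dst]] if dst in last else None
        if ev and ev["end"] == w:          # contiguous window: extend the event
            ev["end"] = w + 1
            ev["sources"] |= srcs
        else:
            last[dst] = len(events)
            events.append({"target": dst, "start": w, "end": w + 1, "sources": set(srcs)})
    return [(e["target"], e["start"] * window, e["end"] * window, len(e["sources"]))
            for e in events]

def sample_flows():
    """Constructed flow records (epoch seconds, source IP, sensor IP); not trace data."""
    flows = [(i * 40, f"192.0.2.{i}", "10.0.0.7") for i in range(150)]      # one event
    flows += [(i * 600, f"203.0.113.{i}", "10.0.0.9") for i in range(30)]   # background
    flows += [(i * 5, "198.51.100.9", f"10.0.0.{i}") for i in range(1, 21)]  # a scanner
    return flows

def diagnose(flows):
    clean, scanners = remove_scanners(flows)
    return find_events(clean), scanners

if __name__ == "__main__":
    print(diagnose(sample_flows()))
```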
6
Measurement Results
  • Event characteristics
      • Usually involve thousands of peers on average
      • Duration: a few hours up to a month

                 LBL    NU
  eMule          143    416
  BitTorrent      74    211
  Gnutella         4      3
  Soribada         6      0
  Xunlei          12      0
  Vagaa            1      1
7
Popularity
  • 39%!
  • Growing trend
  • IP space observed in three sensors in five
    different /8 IP prefixes

[Figure: the total numbers of connections that match the
P2P signatures]
8
Further Diagnosis
  • Problems with passive measurement on archived
    data
      • Events have gone
      • Hard to backtrack the propagation
      • Root cause?
  • Need a real-time backtracking and diagnosis
    system!

9
Outline
  • Motivation
  • Passive measurement results
  • P2PScope system design
  • Root cause diagnosis and analysis
  • Conclusion

10
Design of P2PScope System
  • Backtracking system
  • P2P-enabled honeynet
      • P2P payload signature based responder
      • Event identification
      • Protocol parsing for metadata
  • Root cause inference
11
Design of P2P Doctor System
  • Backtracking system
      • Peer exchange protocol crawling
      • Index server (tracker) crawling: BT top 100,
        eMule 185
      • DHT crawling
  • P2P-enabled honeynet
  • Root cause inference
12
Design of P2P Doctor System
  • Backtracking system
  • P2P-enabled honeynet
  • Root cause inference
      • Track the information flow of suspicious P2P
        software
      • Track how honeynet IPs propagated in P2P systems
      • Peer routability checking
      • Anti-P2P analysis
      • Hypothesis formulation and testing

7,000 lines of Python, Perl and Bro in total
13
Outline
  • Motivation
  • Passive measurement results
  • P2P Doctor system design
  • Root cause diagnosis and analysis
  • Conclusion

14
Diagnosis Analysis
  • Questions
      • What is the root cause?
      • Which peers spread misconfiguration?
      • How is misconfiguration disseminated?
      • How badly are individual clients affected?
  • Results
      • Data plane traffic radiation
      • Detailed results focus on eMule and BitTorrent

15
Data Plane Traffic Radiation
[Figure: resource mapping, a peer asking "Who has avatar.avi?" and being pointed at 1.2.3.4]
16
eMule Root Cause
  • Byte ordering is the problem!

[Figure: peer 1.2.3.4 is advertised to the other peers as 4.3.2.1]
17
eMule Root Cause
  • Byte ordering is the problem!
  • 61% of the reversed honeynet peers are indeed running
    eMule on the reported port number
  • Of the backtracked peers in unroutable IP space,
    69.6% have reversed IPs that run eMule
  • Locate bugs in source code
      • At least aMule 2.1.0 (a popular eMule
        alternative) has the byte order bug

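The byte-order bug class from slides 16 and 17 together with the peer routability check from slide 12, as an added Python example that is not code from the talk or from eMule, aMule or KTorrent: the 4-byte-address-plus-2-byte-port record layout is a constructed simplification, and packing the address little-endian is an assumed way to reproduce the symptom (1.2.3.4 advertised as 4.3.2.1), not the actual source-code defect.

```python
import ipaddress
import struct

def encode_peer(ip: str, port: int, swap_ip_bytes: bool = False) -> bytes:
    """Pack a peer record as a 4-byte IPv4 address followed by a 2-byte port
    (constructed layout, not any client's real wire format). A correct client
    writes the address in network byte order; swap_ip_bytes=True reproduces the
    bug class by writing it in little-endian host order instead."""
    ip_int = int(ipaddress.IPv4Address(ip))
    ip_bytes = struct.pack("<I" if swap_ip_bytes else ">I", ip_int)
    return ip_bytes + struct.pack(">H", port)   # port stays correct, as on slide 17

def decode_peer(record: bytes) -> tuple:
    """Decode as a correct receiver does: network byte order for both fields."""
    ip_int, port = struct.unpack(">IH", record)
    return str(ipaddress.IPv4Address(ip_int)), port

def reversed_ip(ip: str) -> str:
    """Octet-reversed form of an address, e.g. 1.2.3.4 -> 4.3.2.1 (slide 16)."""
    return ".".join(reversed(ip.split(".")))

def classify_peer(ip: str) -> str:
    """Peer routability check (slide 12): an unroutable advertised address whose
    octet-reversed form is routable is a byte-order-bug candidate worth backtracking."""
    if ipaddress.IPv4Address(ip).is_global:
        return "routable"
    if ipaddress.IPv4Address(reversed_ip(ip)).is_global:
        return "unroutable, byte-order candidate"
    return "unroutable"

if __name__ == "__main__":
    # Constructed sample: a peer at 23.45.67.240 advertising itself on port 4662.
    for swapped in (False, True):
        ip, port = decode_peer(encode_peer("23.45.67.240", 4662, swapped))
        print(f"swapped={swapped}: seen as {ip}:{port} -> {classify_peer(ip)}")
```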
18
eMule Peers Dissemination
  • Which peers spread misconfiguration?
      • 99.24% of misconfigured peers are normal peers
  • How is the misconfiguration disseminated?
      • Index server? No
      • Peer exchange? Yes
      • DHT? No
  • Percentage of bogus peers in the eMule network?
      • 12.7%, 25.0% (with a total of 37,079 backtracked
        peers)

19
BitTorrent Root Cause I
  • Anti-P2P companies deliberately inject bogus
    peers!
  • 20% of the traffic we observed is related to anti-P2P
    peers
      • They only return bogus peers or anti-P2P peers
      • They use the uTorrent peer exchange protocol to
        disseminate
  • Found a particular peer farm
      • One /24 network, each IP runs hundreds of peers
      • Peers run Azureus 2.5.0.0, and the IPs also run VMware
      • Returns peers even for non-existing file hashes

20
BitTorrent Root Cause II
  • KTorrent also has a byte-order bug
      • Discovered using information flow tracking on
        KTorrent, uTorrent and Azureus
      • Identified the actual bug, reported it to the KTorrent
        developers and got it confirmed
  • Misconfiguration propagation
      • Fully (KTorrent): all peers exchanged from others
      • Partially (uTorrent): all peers that respond to TCP
        handshaking
      • Almost not (Azureus): all peers that respond to
        BitTorrent handshaking

21
Conclusions
  • The first study to measure and diagnose
    large-scale address misconfigured P2P traffic
  • Found that 39% of Internet background radiation is caused
    by address misconfiguration
  • Popular in various P2P systems, increasing 100%
    each year for four years, and scattered across the
    IPv4 space
  • For eMule, we found it is caused by a network byte
    order problem
  • For BitTorrent
      • Anti-P2P companies deliberately inject bogus
        peers
      • KTorrent has a byte order bug
