FloCon 2019

Network telescope (a.k.a., darknet) is a monitored but otherwise unused IP space that should not receive any legitimate network traffic. In practice, a lot of packets can be observed in there: our network telescope deployed at NASK (Research and Academic Computer Network, Poland) which consists of more than 100 000 unused IP addresses gets about 30 million of packets per hour on average. This presentation will introduce a comprehensive system we developed to analyze malicious traffic on a large scale and produce actionable results in close to real time. We will present case studies where data from our network telescope is used for threat hunting and improving situational awareness.

Presentation plan:
1) Architecture and design
At the beginning, we will discuss basic concepts concerning the architecture of the system and present our approach to data analysis and aggregation.

2) Scanning activity and mass exploitation campaigns
As we are able to monitor a large number of IP addresses, it is possible to continuously observe and analyze trends in scanning activities. Just looking at the dynamics of target ports contributes to better situational awareness, but more in-depth analysis allows to reveal much more information. We will cover the following case studies:
a) Github Memcached DRDoS attack: can scanning patterns indicate an upcoming attack?
b) How publication of vulnerability PoCs or publication of the CVEs translate into observed exploitation campaigns.
c) Recognizing different groups responsible for the scanning activities by the analysis of their methods and technical capacities.

3) Denial of Service attacks
A significant part of the traffic we observe is backscatter generated by DoS attacks (for example TCP SYN or DNS floods) using spoofed source addresses. We are able to identify the victims and estimate duration and magnitude of attacks. We will show examples of interesting DoS attacks and demonstrate how data from network telescopes can be combined with other sources, like DRDoS honeypots, to obtain a global view on volumetric attacks on the internet.

4) Fingerprinting packet generation algorithms
Software for network scanning and DoS attacks (including malware) usually have custom code for generating packets. We will show how it is possible to analyze certain features of packets in the live traffic to automatically build signatures that can be used to fingerprint individual tools. This approach has been successfully applied to analysis of darknet traffic to create multiple signatures and to traffic from malware sandboxes to link some of the signatures to malware families.

Attendees will Learn:
Attendees will learn methods for deriving actionable threat intelligence from traffic collected through the network telescopes. We will explain how packet characteristics can be used to fingerprint network traffic (scanning or flooding) generated by particular malware families. The talk will have mostly practical focus, which should be useful for the members of CERTs/SOCs. From the researcher perspective, we will cover recent advancements in the analysis of network telescope traffic.