FloCon 2019 has ended
Back To Schedule
Wednesday, January 9 • 1:30pm - 2:00pm
Network Telescopes Revisited: From Loads of Unwanted Traffic to Threat Intelligence

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
Network telescope (a.k.a., darknet) is a monitored but otherwise unused IP space that should not receive any legitimate network traffic. In practice, a lot of packets can be observed in there: our network telescope deployed at NASK (Research and Academic Computer Network, Poland) which consists of more than 100 000 unused IP addresses gets about 30 million of packets per hour on average. This presentation will introduce a comprehensive system we developed to analyze malicious traffic on a large scale and produce actionable results in close to real time. We will present case studies where data from our network telescope is used for threat hunting and improving situational awareness.

Presentation plan:
1) Architecture and design
At the beginning, we will discuss basic concepts concerning the architecture of the system and present our approach to data analysis and aggregation.

2) Scanning activity and mass exploitation campaigns
As we are able to monitor a large number of IP addresses, it is possible to continuously observe and analyze trends in scanning activities. Just looking at the dynamics of target ports contributes to better situational awareness, but more in-depth analysis allows to reveal much more information. We will cover the following case studies:
a) Github Memcached DRDoS attack: can scanning patterns indicate an upcoming attack?
b) How publication of vulnerability PoCs or publication of the CVEs translate into observed exploitation campaigns.
c) Recognizing different groups responsible for the scanning activities by the analysis of their methods and technical capacities.

3) Denial of Service attacks
A significant part of the traffic we observe is backscatter generated by DoS attacks (for example TCP SYN or DNS floods) using spoofed source addresses. We are able to identify the victims and estimate duration and magnitude of attacks. We will show examples of interesting DoS attacks and demonstrate how data from network telescopes can be combined with other sources, like DRDoS honeypots, to obtain a global view on volumetric attacks on the internet.

4) Fingerprinting packet generation algorithms
Software for network scanning and DoS attacks (including malware) usually have custom code for generating packets. We will show how it is possible to analyze certain features of packets in the live traffic to automatically build signatures that can be used to fingerprint individual tools. This approach has been successfully applied to analysis of darknet traffic to create multiple signatures and to traffic from malware sandboxes to link some of the signatures to malware families.

Attendees will Learn:
Attendees will learn methods for deriving actionable threat intelligence from traffic collected through the network telescopes. We will explain how packet characteristics can be used to fingerprint network traffic (scanning or flooding) generated by particular malware families. The talk will have mostly practical focus, which should be useful for the members of CERTs/SOCs. From the researcher perspective, we will cover recent advancements in the analysis of network telescope traffic.

avatar for Piotr Bazydlo

Piotr Bazydlo

Head of Network Security Methods Team, Research and Academic Computer Network (NASK, Poland)
Piotr Bazydlo earned a master's degree from Warsaw University of Technology in the faculty of Electronics and Information Technology in 2016. His adventures with cybersecurity started in the NASK (Research and Academic Computer Network) as a researcher in the Network Security Methods... Read More →
avatar for Adrian Korczak

Adrian Korczak

Network Security Researcher, Research and Academic Computer Network (NASK, Poland)
Adrian Korczak is a network security researcher at Research and Academic Computer Network in Poland (NASK). He finished his BS in Network Systems at the University of California Irvine. His interests cover subjects like malware analysis, sandboxing, and DGA.
avatar for Pawel Pawliński

Pawel Pawliński

Principal Security Specialist, CERT Polska / NASK
Paweł Pawliński is a principal specialist at CERT.PL. His past job experience include data analysis, threat tracking, and automation. He is responsible for the design and implementation of the n6 platform for sharing security-related data and has also designed systems for large-scale... Read More →

Wednesday January 9, 2019 1:30pm - 2:00pm EST
Grand Ballroom 300 Bourbon St, New Orleans, LA 70130