National Energy Research Scientific Computing Center
  A DOE Office of Science User Facility
  at Lawrence Berkeley National Laboratory

The Spinning Cube of Potential Doom

Stephen Lau  - slau@lbl.gov
Lawrence Berkeley National Labs
NERSC
December 10, 2003


The "Spinning Cube" was developed for the SC03 conference, held in Phoenix, Arizona from November 15 through November 21, 2003. It displayed network traffic captured from SCinet, the conference's network, using the Bro Intrusion Detection System (IDS). Bro was developed by Vern Paxson of Lawrence Berkeley National Laboratory and the International Computer Science Institute. Bro has been used at every SC conference since 2000 as one of the conference's primary intrusion detection systems, and it has been instrumental in detecting numerous compromised systems and other malicious behavior, as well as in capturing and displaying clear text passwords.

There were two main development goals for the Cube. The primary goal was education. There has always been misinformation and hearsay regarding computer security, and it is often difficult for those unfamiliar with the field to grasp the overall extent of malicious traffic on the Internet today. Unfortunately, it is often these very same people who are the continual victims of computer security incidents. The SC conference attracts a wide range of government, academic and industrial attendees and showcases the latest in high performance computing and networking. SCinet provides network connectivity for vendors, exhibitors and attendees, with an emphasis on high speed connectivity and unfettered access. That emphasis precludes the use of any form of firewall or filtering to reduce the risk of computer security incidents.

As with most conferences, the network is provided on an "as is" basis. Although it is the responsibility of attendees to ensure that their systems are not vulnerable, the reality of the Internet today is that a single compromised system can disrupt an entire network. SCinet therefore deploys a number of monitoring systems, including Bro, to detect and stop potential computer security incidents before they disrupt the network. Since many attendees and exhibitors come from a network environment with a firewall or filtering in place, they are often surprised by how swiftly their systems are compromised on the "open" Internet. A common scenario is that the owner of the victim system has not kept it up to date with patches, relying instead on their institution's firewall for protection. Although one could easily blame the victim for not patching, part of the blame must lie with computer security professionals. The notion of the firewall as a one stop solution is still a common mindset in the computer security industry, and the increasing mobility of vulnerable devices and systems has not yet been fully recognized or addressed in the computer security world.

As part of the education process, SCinet has for the past few years captured and displayed clear text passwords using the Bro system. The technology and concept behind this have been around for many years and are considered passé by many computer security professionals. The reactions of the many attendees who have seen this display, however, have been proof positive that there is a wide information gap between what people outside computer security believe is possible and what is "common knowledge" among computer security professionals. It is this information gap that the Cube attempts to address.

Those who deal with computer security issues day to day know well that the Internet today is a hostile place. The typical computer user, however, is usually blissfully unaware of it. Apart from news coverage of worms with media friendly names such as Blaster and Code Red, and of high profile individual break-ins, most computer users are unaware of the constant, everyday level of malicious traffic. Although many tools are available for displaying network traffic and potential security incidents, the vast majority are developed by network and security professionals for network and security professionals. The Cube attempts to display the overall level of malicious traffic in a fashion that non computer security types can readily understand.

The Cube builds on the Bro system's ability to log every completed and attempted TCP connection. For each connection Bro records the source and destination IP addresses and port numbers, and stores them in a log file along with other information identifying the type of traffic and whether Bro considered it malicious, such as a worm or a port scan.

The Cube takes the connection information stored in the Bro logs and displays it graphically, in a form that can be more readily understood by people unfamiliar with networking and computer security. The 'X' axis of the display (shown in red) represents the SCinet address space, 141.221.128.0 - 141.221.255.255. The 'Z' axis (shown in blue) represents the entire unicast IP address space (0.0.0.0 - 223.255.255.255); multicast traffic (224.0.0.0 and above) is not displayed. The 'Y' axis (shown in green) represents the port number (0-65535). Some well known port numbers are 22 (ssh), 25 (smtp) and 80 (http).

Every TCP connection observed by Bro, attempted or successful, is displayed as a single point. Successful connections (SYN followed by FIN) are shown as white dots. The multi colored dots represent incomplete TCP connections: either a SYN answered by a RST, or a SYN with no response at all. The incomplete connections are colored using a rainbow colormap, with the color varying by port number, to help the viewer locate each point in 3-space. The lower left corner of the display shows the time at which the traffic was recorded. The Cube can also be rotated in three dimensions, which further helps the viewer locate points in 3-space.
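The projection described above, written out as an added example (it is not the Cube's own C++/OpenGL code). The record layout is a constructed, simplified stand-in for Bro's connection log that keeps only the four fields the Cube needs, and the state codes S0, REJ and SF are borrowed from Bro's connection-state vocabulary as labels for "SYN, no reply", "SYN answered by RST" and "SYN ... FIN"; both are assumptions for illustration. The SCinet range, the multicast cut-off and the white-versus-rainbow rule are the ones the page states.

```python
"""Map Bro-style connection records onto the Spinning Cube's three axes.

Added example, not the Cube's own code. The (src, dst, dst_port, state)
record layout is a constructed simplification of Bro's connection log, and
the state codes S0 / REJ / SF stand for "SYN, no reply" / "SYN answered by
RST" / "SYN ... FIN" (assumed labels, not the page's own notation).
"""
import colorsys
import ipaddress

SCINET_LO = int(ipaddress.IPv4Address("141.221.128.0"))   # X axis: SCinet address space
SCINET_HI = int(ipaddress.IPv4Address("141.221.255.255"))
MULTICAST_START = int(ipaddress.IPv4Address("224.0.0.0"))  # 224.0.0.0 and above are not drawn
MAX_PORT = 65535                                           # Y axis: port number
WHITE = (1.0, 1.0, 1.0)


def _in_scinet(addr):
    return SCINET_LO <= addr <= SCINET_HI


def colour_for(port, state):
    """Completed connections are white; incomplete ones get a rainbow hue by port."""
    if state == "SF":
        return WHITE
    return colorsys.hsv_to_rgb(port / MAX_PORT, 1.0, 1.0)


def to_cube_point(src, dst, dst_port, state):
    """Return (x, y, z, rgb) for one record, or None if it is not displayable.

    x: offset of the SCinet endpoint within 141.221.128.0 - 141.221.255.255 (0..32767)
    y: destination port (0..65535)
    z: the other endpoint as a 32-bit integer (0.0.0.0 .. 223.255.255.255)
    """
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    if _in_scinet(d):            # inbound: the SCinet host is the destination
        local, remote = d, s
    elif _in_scinet(s):          # outbound: the SCinet host is the source
        local, remote = s, d
    else:
        return None              # neither end is on SCinet: nothing to plot
    if remote >= MULTICAST_START:
        return None              # multicast (and reserved) space is dropped
    return (local - SCINET_LO, dst_port, remote, colour_for(dst_port, state))


def project(records):
    """Project a batch of records; records that cannot be displayed are skipped."""
    points = []
    for rec in records:
        p = to_cube_point(*rec)
        if p is not None:
            points.append(p)
    return points


# Constructed sample records: (src, dst, dst_port, state).
SAMPLE_RECORDS = [
    ("10.1.2.3",      "141.221.130.5", 80,  "S0"),   # inbound probe, never answered
    ("141.221.200.1", "64.233.161.99", 443, "SF"),   # outbound completed connection
    ("141.221.128.7", "224.0.1.1",     80,  "S0"),   # multicast destination: dropped
    ("1.2.3.4",       "5.6.7.8",       22,  "REJ"),  # neither end on SCinet: dropped
]

if __name__ == "__main__":
    for x, y, z, rgb in project(SAMPLE_RECORDS):
        print(f"x={x:5d} y={y:5d} z={z:10d} rgb={tuple(round(c, 3) for c in rgb)}")
```

Running the block prints two points: the inbound probe lands at x=517 (141.221.130.5 is 517 addresses into the SCinet range) with a red-ish hue for port 80, and the outbound https connection lands at x=18433 in white. The multicast and off-network records are silently discarded, which is the same filtering the Cube applied.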

The vast majority of the colored dots can be considered malicious traffic searching for vulnerable systems. A high proportion of the connection attempts fall at the low end of the port range (0-1024), representing attempts to locate enabled well known services (http, ssh, ftp, telnet, netbios, etc.). Although some attempted connections can be explained by misconfigured applications, or by hosts that have crashed and are no longer listening for connections, the patterns that emerge from the data show that such "false positives" are most likely in the minority.

Further evidence that these false positives are few in number can be seen in the data collected prior to the conference. The Bro system was enabled several weeks before the conference, during the set up phase for SCinet. Between then and the start of the conference there were no hosts on SCinet apart from several routers and miscellaneous support systems, between 10 and 20 systems in total. Since the SCinet address space is reserved for use at meetings and conferences, it is not typically used during the rest of the year. Displaying the traffic captured during this "quiet" period shows that the same patterns and levels of traffic were present.

The Cube was on display throughout the SC exhibition period, except when the demonstration crashed, which, as luck would have it, happened at least once while a major funder was watching. Although the eventual goal is to display the data in real time, data had to be updated manually during the conference, roughly twice a day. The Cube displayed data in a loop starting from the time Bro was first enabled, several weeks before the conference, up to as close to real time as the manual updates allowed. Since the Cube was mostly running as an unattended demonstration, it spun continually to help viewers conceptualize the 3-space.

Besides its primary educational purpose, the secondary goal of the Cube was to investigate new techniques for visually analyzing network traffic and to develop a tool that might help those working in computer security to visually "see" new forms of attacks.

One of the more interesting findings from this method of visualizing network traffic is in the patterns that emerged, a finding that surprised even those who deal with this type of traffic day to day. These patterns are most likely the signatures of various scanning tools in use. More detailed analysis would be required to correlate the patterns with particular tools, but this avenue of research could prove a powerful technique for determining when new attack tools are deployed.

Various distinct patterns quickly emerge from this visualization. Port scans appear as lines. A vertical line is a scan directed at a single host, searching for any listening port. A horizontal line is a scan of the entire address space on a single port, such as port 80. Aside from these lines, which were expected, other forms of scans emerged from the data that were not.

Scan patterns dubbed "Barber poles" can also be seen. These scans vary both port number and IP address in an attempt to elude detectors. Although they may evade detectors, they stand out when visualized in this way. A notable feature of the Barber pole scans is that the slopes of the lines vary, implying that some of the scanning tools either skip IP addresses and port numbers or scan more than one port per IP address. Further analysis of these varying slopes is needed. One scanning behavior detected was quite peculiar: a Barber pole scan crawled through the SCinet address space, but as soon as it received a "positive" hit (a SYN/ACK reply), it stopped and instead crawled up the port range on that particular IP address. Once it had crawled the entire port range, it resumed the Barber pole behavior. Evidently the tool was trying to locate a listening host, and once it found one, it collected as much information as possible about that host before moving on.

Another type of scan detected was dubbed a "Lawnmower" scan. These scans are quite "noisy": they scan a wide range of contiguous ports while simultaneously marching across the entire address space. An interesting effect seen during one of these scans was holes in the data, most likely packets that were dropped and never reached the network border. Some Lawnmower scans are quite rapid, completing within a few seconds; others are more leisurely, taking on the order of a minute to cross the entire address space.
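The four shapes described above (vertical and horizontal lines, Barber poles and Lawnmowers) can be told apart from the incomplete-connection points alone. The following is an added example, not the Cube's own code: the Cube only drew the dots and left the pattern recognition to the viewer's eye. The thresholds MIN_POINTS, BARBER_R and BAND_COVERAGE and the sample points are constructed assumptions; the coverage test exists so that a Lawnmower with a few dropped packets (the "holes" mentioned above) is still recognized, and the fitted slope is reported because the page notes that Barber pole slopes vary between tools.

```python
"""Recognize the scan shapes the Cube makes visible from incomplete-connection points.

Added example, not the Cube's own code. MIN_POINTS, BARBER_R, BAND_COVERAGE
and SAMPLE_POINTS are constructed assumptions for illustration.
"""
from collections import defaultdict

MIN_POINTS = 10       # fewer attempts than this from one source is noise, not a line
BARBER_R = 0.95       # |Pearson r| above this: address and port advance together (a diagonal)
BAND_COVERAGE = 0.8   # share of the port band each host must receive (tolerates dropped packets)


def _fit(xs, ys):
    """Least-squares slope of ys on xs, and the Pearson correlation r."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0, 0.0
    return sxy / sxx, sxy / (sxx * syy) ** 0.5


def classify_scans(points):
    """points: iterable of (src, dst_offset, port) for incomplete TCP connections,
    i.e. the colored dots. Returns {src: (label, info)}."""
    by_src = defaultdict(list)
    for src, dst, port in points:
        by_src[src].append((dst, port))

    result = {}
    for src, pts in by_src.items():
        if len(pts) < MIN_POINTS:
            result[src] = ("noise", {"attempts": len(pts)})
            continue
        dsts = {d for d, _ in pts}
        ports = {p for _, p in pts}

        # One host, many ports: a vertical line on the Cube.
        if len(dsts) == 1:
            result[src] = ("vertical", {"host": next(iter(dsts)), "ports": len(ports)})
            continue
        # One port, many hosts: a horizontal line.
        if len(ports) == 1:
            result[src] = ("horizontal", {"port": next(iter(ports)), "hosts": len(dsts)})
            continue

        # Lawnmower: every host receives (most of) the same contiguous band of ports.
        lo, hi = min(ports), max(ports)
        band = hi - lo + 1
        per_host = defaultdict(set)
        for d, p in pts:
            per_host[d].add(p)
        if band > 1 and all(len(ps) / band >= BAND_COVERAGE for ps in per_host.values()):
            result[src] = ("lawnmower", {"hosts": len(dsts), "ports": (lo, hi)})
            continue

        # Barber pole: port and address move together, so the points lie on a diagonal.
        slope, r = _fit([d for d, _ in pts], [p for _, p in pts])
        if abs(r) >= BARBER_R:
            result[src] = ("barber pole", {"slope": slope, "r": r})
            continue

        result[src] = ("unclassified", {"hosts": len(dsts), "ports": len(ports)})
    return result


# Constructed sample; dst_offset is the target's position within the SCinet range.
SAMPLE_POINTS = []
SAMPLE_POINTS += [("198.51.100.9", 100, p) for p in range(1, 21)]                     # vertical
SAMPLE_POINTS += [("198.51.100.10", d, 80) for d in range(20)]                        # horizontal
SAMPLE_POINTS += [("198.51.100.11", i, 1000 + 7 * i) for i in range(20)]              # barber pole, 7 ports per address
SAMPLE_POINTS += [("198.51.100.12", d, p) for d in range(10) for p in range(135, 143)]  # lawnmower
SAMPLE_POINTS.remove(("198.51.100.12", 3, 139))                                       # one dropped packet: a hole
SAMPLE_POINTS += [("203.0.113.1", 5, 22)] * 2                                         # two stray attempts

if __name__ == "__main__":
    for src, (label, info) in classify_scans(SAMPLE_POINTS).items():
        print(f"{src:15} {label:12} {info}")
```

The order of the tests matters: single-host and single-port cases are taken first, then the band test, and only then the correlation test, because a Barber pole that probes several ports per address would otherwise pass as a narrow Lawnmower. The peculiar "stop and walk the port range on a hit" behavior noted above would show up here as a Barber pole source that also owns one vertical segment; separating the two phases would need the timestamps, which this example leaves out.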

It is obvious that there is far more structure in the traffic than can be seen at first glance. One observer likened it to looking at a cloud chamber. I believe that by varying the time scale, many of the seemingly random dots will coalesce into recognizable patterns. Since most of the attempts were against the well known services port range (0-1024), plotting the port axis on a logarithmic scale to emphasize this range might reveal patterns that are currently obscured.

The Cube is a work in progress and there is ample room for further development. Judging from the reactions of SC attendees and the feedback I have received, I believe it is a useful tool for communicating the inherently hostile nature of today's Internet to people outside computer security. Based on feedback from the computer security professionals present at SC, I also believe the Cube can be developed into a useful tool for analyzing network traffic data.

Cube Presentations and Publications

Cube Nuts and Bolts
  • Written in C++ and OpenGL
  • Has been compiled and runs under Windows, Linux, FreeBSD
  • Requires Bro as a data source
  • Code is currently not available, sorry! I plan to release the source as soon as I have a more polished version.
Future of the Cube

The Cube is a work in progress, and since its debut I've received some very positive feedback. The following is a list of features that have been requested or that I believe would make the Cube a more useful tool.
  1. Real time display of data
  2. Ability for data to be multicasted such that multiple instances of the Cube can be running simultaneously and viewing the same real time data.
  3. Data filters
  4. Ability to extract data out of the Bro log files by selecting points.
  5. Ability to scale and reverse time
    • Compressing time may reveal patterns associated with slow scans.
  6. Logarithmic scale on ports axis
    • There appears to be a lot of detail between ports 0-1024, the well known services ports. Expanding this area of the graph may reveal some interesting patterns.
  7. I would like to run several well known scanning tools such as nmap and Nessus in a controlled fashion to see if one can develop visual 'signatures'.
  8. Display when the scan was detected and automatically blocked by the Bro system.
  9. Display the activity recorded on "crisis" days such as the day Code Red or Blaster hit.
  10. Screensaver capability. (#1 requested feature)
  11. Stereo display for the full 3D effect
Movies

There was a better movie here, but we got Slashdotted, so it was taken offline. That's my fault: the movie was huge and really needed some spiffing up anyway. Go watch the first 15 minutes of "The Corbomite Maneuver", preferably while sipping on tranya, and you'll get the picture. For the time being I've made available a poorer quality version of the same video.
  • NERSC Network Data - (31.4MB avi)
  • NERSC Network Data - (51.9MB mpg)
  • NERSC Network Data 2 - Poorer quality video and compressed (~2MB) - Running Time: 6:30
    • Display of data collected off the NERSC network
    • Noteworthy items with time indexes
      • Nice Barber Pole Scan  - 00:27
      • Quick Port Scan - 00:52
      • Lawnmower Scan - 04:14
Images

Some images captured of the Cube. More to come.
Feedback

This is a work in progress. Feedback is greatly appreciated. Feel free to email me at: slau@lbl.gov.

Page last modified: Mon, 16 Jun 2008 15:55:32 GMT
Page URL: http://www.nersc.gov/nusers/security/TheSpinningCube.php