chg: initial full version

master
Jean-Louis Huynen 2019-05-16 16:01:17 +02:00
parent 64c1683e21
commit 74ef101197
4 changed files with 13156 additions and 33 deletions


@ -10,6 +10,8 @@
\usepackage{fancyvrb} \usepackage{fancyvrb}
\usepackage{listings} \usepackage{listings}
\usepackage{tabularx} \usepackage{tabularx}
\usepackage{amsfonts}
\usepackage{csquotes}
\definecolor{main}{RGB}{47, 161, 219} \definecolor{main}{RGB}{47, 161, 219}
\definecolor{background}{RGB}{240, 247, 255} \definecolor{background}{RGB}{240, 247, 255}
\definecolor{textcolor}{RGB}{85, 87, 83} \definecolor{textcolor}{RGB}{85, 87, 83}
@ -60,7 +62,9 @@
\item D4 Project (co-funded under INEA CEF EU program) started - 1st November 2018 \item D4 Project (co-funded under INEA CEF EU program) started - 1st November 2018
\item D4 encapsulation protocol version 1 published - 1st December 2018 \item D4 encapsulation protocol version 1 published - 1st December 2018
\item v0.1 release of the D4 core\footnote{\url{https://www.github.com/D4-project/d4-core}} including a server and simple D4 C client - 21st January 2019 \item v0.1 release of the D4 core\footnote{\url{https://www.github.com/D4-project/d4-core}} including a server and simple D4 C client - 21st January 2019
\item First version of a golang D4 client\footnote{\url{https://www.github.com/D4-project/d4-goclient/}} running on ARM, MIPS, PPC and x86 - February 2019 \item First version of a golang D4
client\footnote{\url{https://www.github.com/D4-project/d4-goclient/}}
running on ARM, MIPS, PPC and x86 - 14th February 2019
\end{itemize} \end{itemize}
\end{frame} \end{frame}
@ -91,41 +95,30 @@ sensor-d4-tls-fingerprinting-0.1 & Apr. 25, 2019 \tabularnewline
\end{tabularx} \end{tabularx}
\end{center} \end{center}
see \url{https://github.com/D4-Project}
\end{frame} \end{frame}
\begin{frame} \begin{frame}
\frametitle{D4 Overview} \frametitle{D4 Overview}
\includegraphics[scale=0.38]{../../diagram/d4-overview.png} \includegraphics[scale=0.38]{../../diagram/d4-overview.png}
% HERE there will be a timeline - not done in Tkiz
\end{frame} \end{frame}
\begin{frame} \begin{frame}
\frametitle{Roadmap} \frametitle{Roadmap - output}
\begin{itemize}
\item CIRCL will host an instance for organisations willing to
contribute without running their own D4 server, as well as for free-riders:
CIRCL will host a server instance for organisations willing to
contribute to a public dataset without running their own D4 server:
\begin{itemize} \begin{itemize}
\item Passive DNS collector / analyzer / lookup service \item [\checkmark]Passive SSL
\item Passive SSL collector / analyzer / lookup service \item [\checkmark] Passive DNS
\item [\checkmark]Blackhole DDoS
\item BGP mapping
\item egress filtering mapping
\item Radio monitoring
\item ...
\end{itemize} \end{itemize}
\item Closely followed by:
\begin{itemize}
\item Backscatter DDoS traffic analyzer
\end{itemize}
\end{itemize}
\end{frame} \end{frame}
\begin{frame}
\frametitle{D4 Overview}
\end{frame}
\begin{frame} \begin{frame}
\frametitle{D4 encapsulation protocol} \frametitle{D4 encapsulation protocol}
\includegraphics[scale=0.38]{../../diagram/d4-protocol-encapsulation.png} \includegraphics[scale=0.38]{../../diagram/d4-protocol-encapsulation.png}
@ -225,26 +218,164 @@ The D4 server provides a web interface to manage D4 sensors, sessions and analyz
\includegraphics[width=\textwidth]{../../diagram/d4-4.png} \includegraphics[width=\textwidth]{../../diagram/d4-4.png}
\end{frame} \end{frame}
\begin{frame} \begin{frame}
\frametitle{} \frametitle{}
{\center Passive DNS} \begin{center}
A distributed Network telescope to observe DDoS attacks
\end{center}
\vspace{10pt}
\begin{center}
\includegraphics[width=.7\textwidth]{eventhorizon.png}
\end{center}
\end{frame} \end{frame}
\begin{frame} \begin{frame}
\frametitle{} \frametitle{Motivation}
{\center Passive SSL} DDoS Attacks produce an observable side-effect:
\begin{center}
\scalebox{0.8}{\input{bsvol.tex}}
\end{center}
\end{frame} \end{frame}
\begin{frame} \begin{frame}
\frametitle{} \frametitle{What can be derived from backscatter traffic?}
{\center Passive Identification of BackScatter traffic}
\begin{itemize}
\item External point of view on ongoing denial of service attacks
\item Confirm if there is a DDOS attack
\item Recover time line of attacked targets
\item Confirm which services (DNS, webserver, $\dots$)
\item Infrastructure changes
\item Assess the state of an infrastructure under denial of service attack
\begin{itemize}
\item Detect failure/addition of intermediate network equipments, firewalls, proxy servers etc
\item Detect DDoS mitigation devices
\end{itemize}
\item Create probabilistic models of denial of service attacks
\end{itemize}
\end{frame} \end{frame}
\begin{frame}
\frametitle{D4 in this setting}
Aggregating backscatter traffic collected from D4 sensors:
\begin{itemize}
\item have various points of observation (non contiguous address space)
\item perform analysis on bigger amount of data
\end{itemize}
D4 lookup should provide:
\begin{itemize}
\item backscatter analysis results,
\item daily updates,
\item additional relevant information (DNS, BGP, etc.).
\end{itemize}
\end{frame}
\begin{frame}
\begin{center}
Passive DNS
\end{center}
\end{frame}
\begin{frame}
\frametitle{Problem statement}
\begin{itemize}
\item CIRCL (and other CSIRTs) have their own passive DNS\footnote{\url{https://www.circl.lu/services/passive-dns/}} collection mechanisms
\item Current {\bf collection models} are affected with DoH\footnote{DNS over HTTPS} and centralised DNS services
\item DNS answers collection is a tedious process
\item {\bf Sharing Passive DNS stream} between organisation is challenging due to privacy
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Potential Strategy}
\begin{itemize}
\item Improve {\bf Passive DNS collection diversity} by being closer to the source and limit impact of DoH (e.g. at the OS resolver level)
\item Increasing diversity and {\bf mixing models} before sharing/storing Passive DNS records
\item Simplify process and tools to install for {\bf Passive DNS collection by relying on D4 sensors} instead of custom mechanisms
\item Provide a distributed infrastructure for mixing streams and filtering out the sharing to the validated partners
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{First release}
\begin{itemize}
\item analyzer-d4-passivedns\footnote{\url{https://github.com/D4-project/analyzer-d4-passivedns}} is an analyzer for a D4 network sensor. The analyser can process data produced by D4 sensors (in passivedns CSV format\footnote{\url{https://github.com/gamelinux/passivedns}})
\item Ingest these into a {\bf Passive DNS server} which can be queried later to search for the Passive DNS records
\item The lookup server (using on redis-compatible backend) is a Passive DNS REST server compliant to the Common Output Format\footnote{\url{https://tools.ietf.org/html/draft-dulaunoy-dnsop-passive-dns-cof-04}}
\end{itemize}
\end{frame}
\begin{frame}
\begin{center}
Passive SSL revamping
\end{center}
\end{frame}
\begin{frame}
\frametitle{A passive SSL fingerprinter}
CSIRT's rationale for collecting TLS handshakes:
\begin{itemize}
\item pivot on additional data points,
\item find owners of IP addresses,
\item detect usage of CIDR blocks,
\item detect vulnerable systems,
\item detect compromised services,
\item detect Key material reuse,
\item detect weak keys.
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Objectives}
History of links between:
\begin{itemize}
\item x509 certificates,
\item ports,
\item IP address,
\item client (ja3),
\item server (ja3s),
\end{itemize}
\begin{displayquote}
``JA3 is a method for creating SSL/TLS client fingerprints that should be easy to produce on any platform and can be easily shared for threat intelligence.''\footnote{https://github.com/salesforce/ja3}
\end{displayquote}
\end{frame}
\begin{frame}
\frametitle{Objectives}
Mind your Ps and Qs:
\begin{itemize}
\item Public keys type and size,
\item modulos and exponents,
\item curves parameters.
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{First release}
\begin{itemize}
\item[\checkmark] sensor-d4-tls-fingerprinting
\footnote{\url{github.com/D4-project/sensor-d4-tls-fingerprinting}}:
Extracts and fingerprints certificates
\item[\checkmark] analyzer-d4-passivessl
\footnote{\url{github.com/D4-project/analyzer-d4-passivessl}}:
Stores Certificates / PK details in a PostgreSQL DB
\item lookup-d4-passivessl
\footnote{\url{github.com/D4-project/lookup-d4-passivessl}}:
Exposes the DB through a public REST API
\end{itemize}
\end{frame}
\begin{frame}[t]{Future}
\begin{itemize}
\item {\bf Mixing models for passive collection streams} (for privacy) in next version of D4 core server
\item Interconnecting private D4 sensor networks with other D4 sensor networks (sharing to partners filtered stream)
\item Previewing dataset collected in D4 sensor network and providing {\bf open data stream} (if contributor agrees to share under specific conditions)
\end{itemize}
\end{frame}
\begin{frame} \begin{frame}
\frametitle{Get in touch if you want to join the project, host a sensor or contribute} \frametitle{Get in touch if you want to join the project, host a sensor or contribute}