diff --git a/docs/workshop/0-introduction/d4-introduction.aux b/docs/workshop/0-introduction/d4-introduction.aux index 145b026..b56d425 100644 --- a/docs/workshop/0-introduction/d4-introduction.aux +++ b/docs/workshop/0-introduction/d4-introduction.aux @@ -46,8 +46,18 @@ \@writefile{nav}{\headcommand {\beamer@framepages {13}{13}}} \@writefile{nav}{\headcommand {\slideentry {0}{0}{14}{14/14}{}{0}}} \@writefile{nav}{\headcommand {\beamer@framepages {14}{14}}} -\@writefile{nav}{\headcommand {\beamer@partpages {1}{14}}} -\@writefile{nav}{\headcommand {\beamer@subsectionpages {1}{14}}} -\@writefile{nav}{\headcommand {\beamer@sectionpages {1}{14}}} -\@writefile{nav}{\headcommand {\beamer@documentpages {14}}} -\@writefile{nav}{\headcommand {\gdef \inserttotalframenumber {13}}} +\@writefile{nav}{\headcommand {\slideentry {0}{0}{15}{15/15}{}{0}}} +\@writefile{nav}{\headcommand {\beamer@framepages {15}{15}}} +\@writefile{nav}{\headcommand {\slideentry {0}{0}{16}{16/16}{}{0}}} +\@writefile{nav}{\headcommand {\beamer@framepages {16}{16}}} +\@writefile{nav}{\headcommand {\slideentry {0}{0}{17}{17/17}{}{0}}} +\@writefile{nav}{\headcommand {\beamer@framepages {17}{17}}} +\@writefile{nav}{\headcommand {\slideentry {0}{0}{18}{18/18}{}{0}}} +\@writefile{nav}{\headcommand {\beamer@framepages {18}{18}}} +\@writefile{nav}{\headcommand {\slideentry {0}{0}{19}{19/19}{}{0}}} +\@writefile{nav}{\headcommand {\beamer@framepages {19}{19}}} +\@writefile{nav}{\headcommand {\beamer@partpages {1}{19}}} +\@writefile{nav}{\headcommand {\beamer@subsectionpages {1}{19}}} +\@writefile{nav}{\headcommand {\beamer@sectionpages {1}{19}}} +\@writefile{nav}{\headcommand {\beamer@documentpages {19}}} +\@writefile{nav}{\headcommand {\gdef \inserttotalframenumber {18}}} diff --git a/docs/workshop/0-introduction/d4-introduction.log b/docs/workshop/0-introduction/d4-introduction.log index 639aeab..2708ebf 100644 --- a/docs/workshop/0-introduction/d4-introduction.log 
+++ b/docs/workshop/0-introduction/d4-introduction.log @@ -1,4 +1,4 @@ -This is pdfTeX, Version 3.14159265-2.6-1.40.18 (TeX Live 2017/Debian) (preloaded format=pdflatex 2018.10.13) 4 FEB 2019 22:48 +This is pdfTeX, Version 3.14159265-2.6-1.40.18 (TeX Live 2017/Debian) (preloaded format=pdflatex 2018.10.13) 4 FEB 2019 23:08 entering extended mode restricted \write18 enabled. %&-line parsing enabled. @@ -1291,7 +1291,7 @@ Overfull \hbox (19.37505pt too wide) in paragraph at lines 99--99 ] LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/n' will be -(Font) scaled to size 10.0pt on input line 128. +(Font) scaled to size 10.0pt on input line 130. (./meta.tex LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/n' will be (Font) scaled to size 7.0pt on input line 3. @@ -1305,7 +1305,7 @@ LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/it' will be ] LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/n' will be -(Font) scaled to size 12.0pt on input line 157. +(Font) scaled to size 12.0pt on input line 159. (/usr/share/texlive/texmf-dist/tex/latex/listings/lstlang1.sty File: lstlang1.sty 2015/06/04 1.6 listings language file @@ -1318,6 +1318,31 @@ File: lstlang1.sty 2015/06/04 1.6 listings language file ] (./d4-client.tex) [14 +] [15 + +] +Missing character: There is no s in font nullfont! +Missing character: There is no c in font nullfont! +Missing character: There is no a in font nullfont! +Missing character: There is no l in font nullfont! +Missing character: There is no e in font nullfont! +Missing character: There is no = in font nullfont! +Missing character: There is no 0 in font nullfont! +Missing character: There is no . in font nullfont! +Missing character: There is no 4 in font nullfont! + +Underfull \hbox (badness 1320) in paragraph at lines 249--249 + []|\T1/FiraSans-OsF/m/sc/14.4 Observing SYN floods at-tacks in backscat-ter + [] + +[16 + +] [17 + +] (./flags.tex) [18 + +] (./pibs.tex) [19 + ] \tf@nav=\write7 \openout7 = `d4-introduction.nav'. 
@@ -1328,33 +1353,36 @@ File: lstlang1.sty 2015/06/04 1.6 listings language file \tf@snm=\write9 \openout9 = `d4-introduction.snm'. -Package atveryend Info: Empty hook `BeforeClearDocument' on input line 208. -Package atveryend Info: Empty hook `AfterLastShipout' on input line 208. +Package atveryend Info: Empty hook `BeforeClearDocument' on input line 310. +Package atveryend Info: Empty hook `AfterLastShipout' on input line 310. (./d4-introduction.aux) -Package atveryend Info: Executing hook `AtVeryEndDocument' on input line 208. -Package atveryend Info: Executing hook `AtEndAfterFileList' on input line 208. +Package atveryend Info: Executing hook `AtVeryEndDocument' on input line 310. +Package atveryend Info: Executing hook `AtEndAfterFileList' on input line 310. Package rerunfilecheck Info: File `d4-introduction.out' has not changed. (rerunfilecheck) Checksum: D41D8CD98F00B204E9800998ECF8427E;0. ) Here is how much of TeX's memory you used: - 25465 strings out of 492982 - 512350 string characters out of 6134895 - 651280 words of memory out of 5000000 - 28407 multiletter control sequences out of 15000+600000 - 324501 words of font info for 85 fonts, out of 8000000 for 9000 + 25611 strings out of 492982 + 514988 string characters out of 6134895 + 651424 words of memory out of 5000000 + 28536 multiletter control sequences out of 15000+600000 + 324948 words of font info for 86 fonts, out of 8000000 for 9000 1141 hyphenation exceptions out of 8191 71i,16n,99p,821b,1405s stack positions out of 5000i,500n,10000p,200000b,80000s -{/usr/share/texlive/texmf-dist/fonts/enc/dvips/fira/fir_765q6w.enc}{/usr/shar -e/texlive/texmf-dist/fonts/enc/dvips/fira/fir_xbqiro.enc}{/usr/share/texlive/te -xmf-dist/fonts/enc/dvips/fira/fir_7gpamp.enc} -Output written on d4-introduction.pdf (14 pages, 525439 bytes). +public/fira/FiraSans-Italic.pfb> +Output written on d4-introduction.pdf (19 pages, 600379 bytes). PDF statistics: - 157 PDF objects out of 1000 (max. 
8388607) - 117 compressed objects within 2 object streams - 29 named destinations out of 1000 (max. 500000) + 200 PDF objects out of 1000 (max. 8388607) + 152 compressed objects within 2 object streams + 39 named destinations out of 1000 (max. 500000) 58 words of extra memory for PDF output out of 10000 (max. 10000000) diff --git a/docs/workshop/0-introduction/d4-introduction.nav b/docs/workshop/0-introduction/d4-introduction.nav index d693e49..bd2db22 100644 --- a/docs/workshop/0-introduction/d4-introduction.nav +++ b/docs/workshop/0-introduction/d4-introduction.nav @@ -26,8 +26,18 @@ \headcommand {\beamer@framepages {13}{13}} \headcommand {\slideentry {0}{0}{14}{14/14}{}{0}} \headcommand {\beamer@framepages {14}{14}} -\headcommand {\beamer@partpages {1}{14}} -\headcommand {\beamer@subsectionpages {1}{14}} -\headcommand {\beamer@sectionpages {1}{14}} -\headcommand {\beamer@documentpages {14}} -\headcommand {\gdef \inserttotalframenumber {13}} +\headcommand {\slideentry {0}{0}{15}{15/15}{}{0}} +\headcommand {\beamer@framepages {15}{15}} +\headcommand {\slideentry {0}{0}{16}{16/16}{}{0}} +\headcommand {\beamer@framepages {16}{16}} +\headcommand {\slideentry {0}{0}{17}{17/17}{}{0}} +\headcommand {\beamer@framepages {17}{17}} +\headcommand {\slideentry {0}{0}{18}{18/18}{}{0}} +\headcommand {\beamer@framepages {18}{18}} +\headcommand {\slideentry {0}{0}{19}{19/19}{}{0}} +\headcommand {\beamer@framepages {19}{19}} +\headcommand {\beamer@partpages {1}{19}} +\headcommand {\beamer@subsectionpages {1}{19}} +\headcommand {\beamer@sectionpages {1}{19}} +\headcommand {\beamer@documentpages {19}} +\headcommand {\gdef \inserttotalframenumber {18}} diff --git a/docs/workshop/0-introduction/d4-introduction.pdf b/docs/workshop/0-introduction/d4-introduction.pdf index 0715350..e34ae17 100644 Binary files a/docs/workshop/0-introduction/d4-introduction.pdf and b/docs/workshop/0-introduction/d4-introduction.pdf differ 
diff --git a/docs/workshop/0-introduction/d4-introduction.tex b/docs/workshop/0-introduction/d4-introduction.tex
index c8826a8..8077fb9 100644
--- a/docs/workshop/0-introduction/d4-introduction.tex
+++ b/docs/workshop/0-introduction/d4-introduction.tex
@@ -123,17 +123,19 @@
 \begin{frame}
 \frametitle{D4 meta header}
 \framesubtitle{Meta types}
+ D4 header includes an easy way to {\bf extend the protocol} (via type 2) without altering the format. Within a D4 session, the initial D4 packet(s) type 2 defines
+ the custom headers and then the following packets with type 254 is the custom data encapsulated.
 \small
 \input{meta.tex}
 \end{frame}
-
 \begin{frame}
 \frametitle{}
 {\center Use-case: migrating a legacy network capture model into a D4 network sensor
 }
 \end{frame}
+
 \begin{frame}
 \frametitle{Remote network capture}
 CIRCL operated honeybot for multiple years using a simple model of remote network capture.
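Review bot: The two lines added to the `D4 meta header` frame use the plain-TeX `{\bf …}` font switch and have a number disagreement (`the following packets with type 254 is`), and the sentence order leaves it slightly unclear that the type-2 packet(s) come first and the type-254 packets carry the payload they define. I would rewrite them as `D4 header includes an easy way to \textbf{extend the protocol} (via type 2) without altering the format. Within a D4 session, the initial D4 packet(s) of type 2 define` and `the custom headers; the following packets of type 254 carry the encapsulated custom data.`. If the protocol specifies what a receiver should do with a type-254 packet that arrives before any type-2 definition in the session, one sentence on that here would save a reader who is building an analyzer from guessing; I cannot tell from this hunk whether such a rule exists. The rest of the frame (`\small \input{meta.tex}`) is unchanged context.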
@@ -204,5 +206,105 @@
 \end{block}
 \end{frame}
+\begin{frame}
+ \frametitle{}
+{\center Use-case: D4 analyzer to detect DDoS attacks in backscatter traffic
+}
+\end{frame}
+
+\begin{frame}
+\frametitle{Observing SYN floods attacks in backscatter traffic}
+Attack description
+ \begin{tikzpicture}{scale=0.4}
+ \node[rectangle,draw,fill=red!80] (a) at (0,0) {Attacker};
+ \node[anchor=west] at (0.93,0.25) {Spoofed requests $H_{0},H_{1},H_{2},H_{3},...$};
+ \node [rectangle,draw,fill=blue!25,anchor=east] at (8,0) (v) {Victim};
+ \draw [->](a) --(v);
+ \foreach \x in {0,1,2,3} {
+ \node [rectangle,draw,fill=green!25,anchor=east] at (\x*2+1,-2) {$H_{\x}$};
+ %Horizontal lines
+ \draw (\x*2+1, -\x*0.25-0.5)--(7.0+\x*.25,-\x*0.25-0.5);
+ %Links to the victim
+ \draw (7.0+\x*.25,-\x*0.25-0.5) -- (7.0+\x*.25,-0.25);
+ %Links to hosts
+ \draw[->] (\x*2+1, -\x*0.25-0.5)--(\x*2+1,-1.70);
+ }
+ \end{tikzpicture}
+
+\begin{center}
+ \begin{tabular}{|l|}
+ \hline
+ Connections\\
+ \hline
+ $H_{0}$\\
+ \hline
+ $H_{1}$\\
+ \hline
+ $H_{2}$\\
+ \hline
+ $H_{3}$\\
+ \hline
+ \end{tabular}
+\end{center}
+\end{frame}
+
+\begin{frame}
+\frametitle{What can be derived from backscatter traffic?}
+
+\begin{itemize}
+ \item External point of view on ongoing denial of service attacks
+ \item Confirm if there is a DDoS attack
+ \item Recover time line of attacked targets
+ \item Confirm which services are a target (DNS, webserver, $\dots$)
+ \item Infrastructure changes or updates
+ \item Assess the state of an infrastructure under denial of service attack
+ \begin{itemize}
+ \item Detect failure/addition of intermediate network equipments, firewalls, proxy servers etc
+ \item Detect DDoS mitigation devices or services
+ \end{itemize}
+ \item Create probabilistic models of denial of service attacks
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Confirm if there is a DDOS attack}
+ \begin{block}{Problem}
+ \begin{itemize}
+ \item Distinguish between compromised infrastructure and backscatter
+ \item Look at TCP flags $\to$ filter out single SYN flags
+ \item Focus on ACK, SYN/ACK, ...
+ \item Do not limit to SYN/ACK or ACK $\to$ ECE (ECN Echo)\footnote{\url{https://tools.ietf.org/html/rfc3168}}
+ \end{itemize}
+ \end{block}
+ \input{flags.tex}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Passive Identification of Backscatter (WiP)}
+ \lstset{%
+ language=bash,
+ backgroundcolor=\color{gray!25},
+ basicstyle=\ttfamily,
+ breaklines=true,
+ columns=fullflexible
+ }
+\input{pibs.tex}
+\begin{tabular}{l|l}
+Options & Explanations\\
+\hline
+-r & read pcap file\\
+-b & display IPs under DDoS on standard output\\
+\end{tabular}
+
+
+\begin{tabular}{l}
+ Dependencies\\
+ \hline
+ libwiretap-dev\\
+ libhiredis-dev\\
+ libwsutil-dev\\
+\end{tabular}
+\end{frame}
+
 \end{document}
diff --git a/docs/workshop/0-introduction/flags.tex b/docs/workshop/0-introduction/flags.tex
new file mode 100644
index 0000000..cba7cd8
--- /dev/null
+++ b/docs/workshop/0-introduction/flags.tex
@@ -0,0 +1,12 @@
+\lstset{%
+ backgroundcolor=\color{gray!25},
+ basicstyle=\ttfamily,
+ breaklines=true,
+ columns=fullflexible
+}
+
+\begin{lstlisting}
+tshark -n -r capture-20170916110006.cap.gz -T fields -e frame.time_epoch -e ip.src -e tcp.flags
+1505552542.807286000 x.45.177.71 0x00000010
+1505552547.514922000 x.45.177.71 0x00000010
+\end{lstlisting}
diff --git a/docs/workshop/0-introduction/pibs.tex b/docs/workshop/0-introduction/pibs.tex
new file mode 100644
index 0000000..43fc641
--- /dev/null
+++ b/docs/workshop/0-introduction/pibs.tex
@@ -0,0 +1,3 @@
+\begin{lstlisting}
+./pibs -b -r pcap_file.cap
+\end{lstlisting}
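Review bot: `\begin{tikzpicture}{scale=0.4}` in the `Observing SYN floods attacks` frame passes the option in braces instead of brackets, so TikZ never applies `scale=0.4` and the characters are instead typeset as stray text inside the picture, which is exactly what the nine new `Missing character: There is no s in font nullfont!` lines in `d4-introduction.log` in this same commit report. The fix is `\begin{tikzpicture}[scale=0.4]`; once the picture really shrinks, the absolute coordinates (the `(0.93,0.25)` label anchor, the `7.0+\x*.25` link endpoints) should be re-checked visually. Two wording points in the same hunk: `Observing SYN floods attacks` should read `Observing SYN flood attacks`, and the later `\frametitle{Confirm if there is a DDOS attack}` should use the `DDoS` spelling used everywhere else on these slides. On that last frame the bullets say to drop single SYNs but not why, and the first bullet asks for the distinction from compromised infrastructure; a line such as `\item Backscatter is what the victim sends back to the spoofed source addresses (cf. the diagram); lone SYNs are typically scans or direct, unspoofed floods rather than responses` would make the filter rationale explicit rather than left to the presenter.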
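Review bot: The `tshark` command in `flags.tex` prints `tcp.flags` for every packet, while the frame it is `\input` into tells the reader to filter out single SYNs and focus on ACK/SYN-ACK, so the listing does not demonstrate the filter it illustrates; adding a display filter such as `-Y 'tcp.flags.ack == 1'` (using Wireshark's `tcp.flags.*` boolean fields) would make the command match the bullets, and the two sample rows with `0x00000010` (ACK only) would still be produced. This `\lstset` also omits `language=bash` while the sibling `pibs.tex` frame sets it; either add `language=bash,` here or set the listing style once in the preamble instead of in each included file. Redacting the first octet as `x.45.177.71` is the right call for a public slide deck; a short `% first octet of the source address deliberately redacted` comment before `\begin{lstlisting}` would stop a later editor from "fixing" it back to a real address.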