D4
/
architecture
mirror of https://github.com/D4-project/architecture
2
0
Fork 0
Code Issues Releases Wiki Activity

chg: [doc] PIBS added

master
Alexandre Dulaunoy 2019-02-04 23:10:04 +01:00
parent 99fd7c1c2d
commit a4e559c23e
No known key found for this signature in database
GPG Key ID: 09E2CD4944E6CBCD
7 changed files with 197 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
docs/workshop/0-introduction/d4-introduction.aux
View File

@ -46,8 +46,18 @@
\@writefile{nav}{\headcommand {\beamer@framepages {13}{13}}} \@writefile{nav}{\headcommand {\beamer@framepages {13}{13}}}
\@writefile{nav}{\headcommand {\slideentry {0}{0}{14}{14/14}{}{0}}} \@writefile{nav}{\headcommand {\slideentry {0}{0}{14}{14/14}{}{0}}}
\@writefile{nav}{\headcommand {\beamer@framepages {14}{14}}} \@writefile{nav}{\headcommand {\beamer@framepages {14}{14}}}
\@writefile{nav}{\headcommand {\beamer@partpages {1}{14}}} \@writefile{nav}{\headcommand {\slideentry {0}{0}{15}{15/15}{}{0}}}
\@writefile{nav}{\headcommand {\beamer@subsectionpages {1}{14}}} \@writefile{nav}{\headcommand {\beamer@framepages {15}{15}}}
\@writefile{nav}{\headcommand {\beamer@sectionpages {1}{14}}} \@writefile{nav}{\headcommand {\slideentry {0}{0}{16}{16/16}{}{0}}}
\@writefile{nav}{\headcommand {\beamer@documentpages {14}}} \@writefile{nav}{\headcommand {\beamer@framepages {16}{16}}}
\@writefile{nav}{\headcommand {\gdef \inserttotalframenumber {13}}} \@writefile{nav}{\headcommand {\slideentry {0}{0}{17}{17/17}{}{0}}}
\@writefile{nav}{\headcommand {\beamer@framepages {17}{17}}}
\@writefile{nav}{\headcommand {\slideentry {0}{0}{18}{18/18}{}{0}}}
\@writefile{nav}{\headcommand {\beamer@framepages {18}{18}}}
\@writefile{nav}{\headcommand {\slideentry {0}{0}{19}{19/19}{}{0}}}
\@writefile{nav}{\headcommand {\beamer@framepages {19}{19}}}
\@writefile{nav}{\headcommand {\beamer@partpages {1}{19}}}
\@writefile{nav}{\headcommand {\beamer@subsectionpages {1}{19}}}
\@writefile{nav}{\headcommand {\beamer@sectionpages {1}{19}}}
\@writefile{nav}{\headcommand {\beamer@documentpages {19}}}
\@writefile{nav}{\headcommand {\gdef \inserttotalframenumber {18}}}

70
docs/workshop/0-introduction/d4-introduction.log
View File

@ -1,4 +1,4 @@
This is pdfTeX, Version 3.14159265-2.6-1.40.18 (TeX Live 2017/Debian) (preloaded format=pdflatex 2018.10.13) 4 FEB 2019 22:48 This is pdfTeX, Version 3.14159265-2.6-1.40.18 (TeX Live 2017/Debian) (preloaded format=pdflatex 2018.10.13) 4 FEB 2019 23:08
entering extended mode entering extended mode
restricted \write18 enabled. restricted \write18 enabled.
%&-line parsing enabled. %&-line parsing enabled.
@ -1291,7 +1291,7 @@ Overfull \hbox (19.37505pt too wide) in paragraph at lines 99--99
] ]
LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/n' will be LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/n' will be
(Font) scaled to size 10.0pt on input line 128. (Font) scaled to size 10.0pt on input line 130.
(./meta.tex (./meta.tex
LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/n' will be LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/n' will be
(Font) scaled to size 7.0pt on input line 3. (Font) scaled to size 7.0pt on input line 3.
@ -1305,7 +1305,7 @@ LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/it' will be
] ]
LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/n' will be LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/n' will be
(Font) scaled to size 12.0pt on input line 157. (Font) scaled to size 12.0pt on input line 159.
(/usr/share/texlive/texmf-dist/tex/latex/listings/lstlang1.sty (/usr/share/texlive/texmf-dist/tex/latex/listings/lstlang1.sty
File: lstlang1.sty 2015/06/04 1.6 listings language file File: lstlang1.sty 2015/06/04 1.6 listings language file
@ -1318,6 +1318,31 @@ File: lstlang1.sty 2015/06/04 1.6 listings language file
] (./d4-client.tex) [14 ] (./d4-client.tex) [14
] [15
]
Missing character: There is no s in font nullfont!
Missing character: There is no c in font nullfont!
Missing character: There is no a in font nullfont!
Missing character: There is no l in font nullfont!
Missing character: There is no e in font nullfont!
Missing character: There is no = in font nullfont!
Missing character: There is no 0 in font nullfont!
Missing character: There is no . in font nullfont!
Missing character: There is no 4 in font nullfont!
Underfull \hbox (badness 1320) in paragraph at lines 249--249
[]|\T1/FiraSans-OsF/m/sc/14.4 Observing SYN floods at-tacks in backscat-ter
[]
[16
] [17
] (./flags.tex) [18
] (./pibs.tex) [19
] ]
\tf@nav=\write7 \tf@nav=\write7
\openout7 = `d4-introduction.nav'. \openout7 = `d4-introduction.nav'.
@ -1328,33 +1353,36 @@ File: lstlang1.sty 2015/06/04 1.6 listings language file
\tf@snm=\write9 \tf@snm=\write9
\openout9 = `d4-introduction.snm'. \openout9 = `d4-introduction.snm'.
Package atveryend Info: Empty hook `BeforeClearDocument' on input line 208. Package atveryend Info: Empty hook `BeforeClearDocument' on input line 310.
Package atveryend Info: Empty hook `AfterLastShipout' on input line 208. Package atveryend Info: Empty hook `AfterLastShipout' on input line 310.
(./d4-introduction.aux) (./d4-introduction.aux)
Package atveryend Info: Executing hook `AtVeryEndDocument' on input line 208. Package atveryend Info: Executing hook `AtVeryEndDocument' on input line 310.
Package atveryend Info: Executing hook `AtEndAfterFileList' on input line 208. Package atveryend Info: Executing hook `AtEndAfterFileList' on input line 310.
Package rerunfilecheck Info: File `d4-introduction.out' has not changed. Package rerunfilecheck Info: File `d4-introduction.out' has not changed.
(rerunfilecheck) Checksum: D41D8CD98F00B204E9800998ECF8427E;0. (rerunfilecheck) Checksum: D41D8CD98F00B204E9800998ECF8427E;0.
) )
Here is how much of TeX's memory you used: Here is how much of TeX's memory you used:
25465 strings out of 492982 25611 strings out of 492982
512350 string characters out of 6134895 514988 string characters out of 6134895
651280 words of memory out of 5000000 651424 words of memory out of 5000000
28407 multiletter control sequences out of 15000+600000 28536 multiletter control sequences out of 15000+600000
324501 words of font info for 85 fonts, out of 8000000 for 9000 324948 words of font info for 86 fonts, out of 8000000 for 9000
1141 hyphenation exceptions out of 8191 1141 hyphenation exceptions out of 8191
71i,16n,99p,821b,1405s stack positions out of 5000i,500n,10000p,200000b,80000s 71i,16n,99p,821b,1405s stack positions out of 5000i,500n,10000p,200000b,80000s
{/usr/share/texlive/texmf-dist/fonts/enc/dvips/fira/fir_765q6w.enc}{/usr/shar {/usr/share/texlive/texmf-dist/fonts/enc/dvips/fira/fir_7gpamp.enc}{/usr/shar
e/texlive/texmf-dist/fonts/enc/dvips/fira/fir_xbqiro.enc}{/usr/share/texlive/te e/texlive/texmf-dist/fonts/enc/dvips/fira/fir_765q6w.enc}{/usr/share/texlive/te
xmf-dist/fonts/enc/dvips/fira/fir_7gpamp.enc}</usr/share/texlive/texmf-dist/fon xmf-dist/fonts/enc/dvips/fira/fir_xbqiro.enc}</usr/share/texlive/texmf-dist/fon
ts/type1/public/fira/FiraMono-Regular.pfb></usr/share/texlive/texmf-dist/fonts/ ts/type1/public/fira/FiraMono-Regular.pfb></usr/share/texlive/texmf-dist/fonts/
type1/public/fira/FiraSans-Bold.pfb></usr/share/texlive/texmf-dist/fonts/type1/ type1/public/fira/FiraSans-Bold.pfb></usr/share/texlive/texmf-dist/fonts/type1/
public/fira/FiraSans-Regular.pfb></usr/share/texlive/texmf-dist/fonts/type1/pub public/fira/FiraSans-Italic.pfb></usr/share/texlive/texmf-dist/fonts/type1/publ
lic/amsfonts/cm/cmsy10.pfb> ic/fira/FiraSans-Regular.pfb></usr/share/texlive/texmf-dist/fonts/type1/public/
Output written on d4-introduction.pdf (14 pages, 525439 bytes). amsfonts/cm/cmmi10.pfb></usr/share/texlive/texmf-dist/fonts/type1/public/amsfon
ts/cm/cmsy10.pfb></usr/share/texlive/texmf-dist/fonts/type1/public/amsfonts/sym
bols/msam10.pfb>
Output written on d4-introduction.pdf (19 pages, 600379 bytes).
PDF statistics: PDF statistics:
157 PDF objects out of 1000 (max. 8388607) 200 PDF objects out of 1000 (max. 8388607)
117 compressed objects within 2 object streams 152 compressed objects within 2 object streams
29 named destinations out of 1000 (max. 500000) 39 named destinations out of 1000 (max. 500000)
58 words of extra memory for PDF output out of 10000 (max. 10000000) 58 words of extra memory for PDF output out of 10000 (max. 10000000)

20
docs/workshop/0-introduction/d4-introduction.nav
View File

@ -26,8 +26,18 @@
\headcommand {\beamer@framepages {13}{13}} \headcommand {\beamer@framepages {13}{13}}
\headcommand {\slideentry {0}{0}{14}{14/14}{}{0}} \headcommand {\slideentry {0}{0}{14}{14/14}{}{0}}
\headcommand {\beamer@framepages {14}{14}} \headcommand {\beamer@framepages {14}{14}}
\headcommand {\beamer@partpages {1}{14}} \headcommand {\slideentry {0}{0}{15}{15/15}{}{0}}
\headcommand {\beamer@subsectionpages {1}{14}} \headcommand {\beamer@framepages {15}{15}}
\headcommand {\beamer@sectionpages {1}{14}} \headcommand {\slideentry {0}{0}{16}{16/16}{}{0}}
\headcommand {\beamer@documentpages {14}} \headcommand {\beamer@framepages {16}{16}}
\headcommand {\gdef \inserttotalframenumber {13}} \headcommand {\slideentry {0}{0}{17}{17/17}{}{0}}
\headcommand {\beamer@framepages {17}{17}}
\headcommand {\slideentry {0}{0}{18}{18/18}{}{0}}
\headcommand {\beamer@framepages {18}{18}}
\headcommand {\slideentry {0}{0}{19}{19/19}{}{0}}
\headcommand {\beamer@framepages {19}{19}}
\headcommand {\beamer@partpages {1}{19}}
\headcommand {\beamer@subsectionpages {1}{19}}
\headcommand {\beamer@sectionpages {1}{19}}
\headcommand {\beamer@documentpages {19}}
\headcommand {\gdef \inserttotalframenumber {18}}

BIN
docs/workshop/0-introduction/d4-introduction.pdf
View File

Binary file not shown.

104
docs/workshop/0-introduction/d4-introduction.tex
View File

@ -123,17 +123,19 @@
\begin{frame} \begin{frame}
\frametitle{D4 meta header} \frametitle{D4 meta header}
\framesubtitle{Meta types} \framesubtitle{Meta types}
D4 header includes an easy way to {\bf extend the protocol} (via type 2) without altering the format. Within a D4 session, the initial D4 packet(s) type 2 defines
the custom headers and then the following packets with type 254 is the custom data encapsulated.
\small \small
\input{meta.tex} \input{meta.tex}
\end{frame} \end{frame}
\begin{frame} \begin{frame}
\frametitle{} \frametitle{}
{\center Use-case: migrating a legacy network capture model into a D4 network sensor {\center Use-case: migrating a legacy network capture model into a D4 network sensor
} }
\end{frame} \end{frame}
\begin{frame} \begin{frame}
\frametitle{Remote network capture} \frametitle{Remote network capture}
CIRCL operated honeybot for multiple years using a simple model of remote network capture. CIRCL operated honeybot for multiple years using a simple model of remote network capture.
@ -204,5 +206,105 @@
\end{block} \end{block}
\end{frame} \end{frame}
\begin{frame}
\frametitle{}
{\center Use-case: D4 analyzer to detect DDoS attacks in backscatter traffic
}
\end{frame}
\begin{frame}
\frametitle{Observing SYN floods attacks in backscatter traffic}
Attack description
\begin{tikzpicture}{scale=0.4}
\node[rectangle,draw,fill=red!80] (a) at (0,0) {Attacker};
\node[anchor=west] at (0.93,0.25) {Spoofed requests $H_{0},H_{1},H_{2},H_{3},...$};
\node [rectangle,draw,fill=blue!25,anchor=east] at (8,0) (v) {Victim};
\draw [->](a) --(v);
\foreach \x in {0,1,2,3} {
\node [rectangle,draw,fill=green!25,anchor=east] at (\x*2+1,-2) {$H_{\x}$};
%Horizontal lines
\draw (\x*2+1, -\x*0.25-0.5)--(7.0+\x*.25,-\x*0.25-0.5);
%Links to the victim
\draw (7.0+\x*.25,-\x*0.25-0.5) -- (7.0+\x*.25,-0.25);
%Links to hosts
\draw[->] (\x*2+1, -\x*0.25-0.5)--(\x*2+1,-1.70);
}
\end{tikzpicture}
\begin{center}
\begin{tabular}{|l|}
\hline
Connections\\
\hline
$H_{0}$\\
\hline
$H_{1}$\\
\hline
$H_{2}$\\
\hline
$H_{3}$\\
\hline
\end{tabular}
\end{center}
\end{frame}
\begin{frame}
\frametitle{What can be derived from backscatter traffic?}
\begin{itemize}
\item External point of view on ongoing denial of service attacks
\item Confirm if there is a DDoS attack
\item Recover time line of attacked targets
\item Confirm which services are a target (DNS, webserver, $\dots$)
\item Infrastructure changes or updates
\item Assess the state of an infrastructure under denial of service attack
\begin{itemize}
\item Detect failure/addition of intermediate network equipments, firewalls, proxy servers etc
\item Detect DDoS mitigation devices or services
\end{itemize}
\item Create probabilistic models of denial of service attacks
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Confirm if there is a DDOS attack}
\begin{block}{Problem}
\begin{itemize}
\item Distinguish between compromised infrastructure and backscatter
\item Look at TCP flags $\to$ filter out single SYN flags
\item Focus on ACK, SYN/ACK, ...
\item Do not limit to SYN/ACK or ACK $\to$ ECE (ECN Echo)\footnote{\url{https://tools.ietf.org/html/rfc3168}}
\end{itemize}
\end{block}
\input{flags.tex}
\end{frame}
\begin{frame}
\frametitle{Passive Identification of Backscatter (WiP)}
\lstset{%
language=bash,
backgroundcolor=\color{gray!25},
basicstyle=\ttfamily,
breaklines=true,
columns=fullflexible
}
\input{pibs.tex}
\begin{tabular}{l|l}
Options & Explanations\\
\hline
-r & read pcap file\\
-b & display IPs under DDoS on standard output\\
\end{tabular}
\begin{tabular}{l}
Dependencies\\
\hline
libwiretap-dev\\
libhiredis-dev\\
libwsutil-dev\\
\end{tabular}
\end{frame}
\end{document} \end{document}

12
docs/workshop/0-introduction/flags.tex Normal file
View File

@ -0,0 +1,12 @@
\lstset{%
backgroundcolor=\color{gray!25},
basicstyle=\ttfamily,
breaklines=true,
columns=fullflexible
}
\begin{lstlisting}
tshark -n -r capture-20170916110006.cap.gz -T fields -e frame.time_epoch -e ip.src -e tcp.flags
1505552542.807286000 x.45.177.71 0x00000010
1505552547.514922000 x.45.177.71 0x00000010
\end{lstlisting}

3
docs/workshop/0-introduction/pibs.tex Normal file
View File

@ -0,0 +1,3 @@
\begin{lstlisting}
./pibs -b -r pcap_file.cap
\end{lstlisting}