chg: [doc] PIBS added
parent
99fd7c1c2d
commit
a4e559c23e
|
@ -46,8 +46,18 @@
|
|||
\@writefile{nav}{\headcommand {\beamer@framepages {13}{13}}}
|
||||
\@writefile{nav}{\headcommand {\slideentry {0}{0}{14}{14/14}{}{0}}}
|
||||
\@writefile{nav}{\headcommand {\beamer@framepages {14}{14}}}
|
||||
\@writefile{nav}{\headcommand {\beamer@partpages {1}{14}}}
|
||||
\@writefile{nav}{\headcommand {\beamer@subsectionpages {1}{14}}}
|
||||
\@writefile{nav}{\headcommand {\beamer@sectionpages {1}{14}}}
|
||||
\@writefile{nav}{\headcommand {\beamer@documentpages {14}}}
|
||||
\@writefile{nav}{\headcommand {\gdef \inserttotalframenumber {13}}}
|
||||
\@writefile{nav}{\headcommand {\slideentry {0}{0}{15}{15/15}{}{0}}}
|
||||
\@writefile{nav}{\headcommand {\beamer@framepages {15}{15}}}
|
||||
\@writefile{nav}{\headcommand {\slideentry {0}{0}{16}{16/16}{}{0}}}
|
||||
\@writefile{nav}{\headcommand {\beamer@framepages {16}{16}}}
|
||||
\@writefile{nav}{\headcommand {\slideentry {0}{0}{17}{17/17}{}{0}}}
|
||||
\@writefile{nav}{\headcommand {\beamer@framepages {17}{17}}}
|
||||
\@writefile{nav}{\headcommand {\slideentry {0}{0}{18}{18/18}{}{0}}}
|
||||
\@writefile{nav}{\headcommand {\beamer@framepages {18}{18}}}
|
||||
\@writefile{nav}{\headcommand {\slideentry {0}{0}{19}{19/19}{}{0}}}
|
||||
\@writefile{nav}{\headcommand {\beamer@framepages {19}{19}}}
|
||||
\@writefile{nav}{\headcommand {\beamer@partpages {1}{19}}}
|
||||
\@writefile{nav}{\headcommand {\beamer@subsectionpages {1}{19}}}
|
||||
\@writefile{nav}{\headcommand {\beamer@sectionpages {1}{19}}}
|
||||
\@writefile{nav}{\headcommand {\beamer@documentpages {19}}}
|
||||
\@writefile{nav}{\headcommand {\gdef \inserttotalframenumber {18}}}
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
This is pdfTeX, Version 3.14159265-2.6-1.40.18 (TeX Live 2017/Debian) (preloaded format=pdflatex 2018.10.13) 4 FEB 2019 22:48
|
||||
This is pdfTeX, Version 3.14159265-2.6-1.40.18 (TeX Live 2017/Debian) (preloaded format=pdflatex 2018.10.13) 4 FEB 2019 23:08
|
||||
entering extended mode
|
||||
restricted \write18 enabled.
|
||||
%&-line parsing enabled.
|
||||
|
@ -1291,7 +1291,7 @@ Overfull \hbox (19.37505pt too wide) in paragraph at lines 99--99
|
|||
|
||||
]
|
||||
LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/n' will be
|
||||
(Font) scaled to size 10.0pt on input line 128.
|
||||
(Font) scaled to size 10.0pt on input line 130.
|
||||
(./meta.tex
|
||||
LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/n' will be
|
||||
(Font) scaled to size 7.0pt on input line 3.
|
||||
|
@ -1305,7 +1305,7 @@ LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/it' will be
|
|||
|
||||
]
|
||||
LaTeX Font Info: Font shape `T1/FiraSans-OsF/m/n' will be
|
||||
(Font) scaled to size 12.0pt on input line 157.
|
||||
(Font) scaled to size 12.0pt on input line 159.
|
||||
|
||||
(/usr/share/texlive/texmf-dist/tex/latex/listings/lstlang1.sty
|
||||
File: lstlang1.sty 2015/06/04 1.6 listings language file
|
||||
|
@ -1318,6 +1318,31 @@ File: lstlang1.sty 2015/06/04 1.6 listings language file
|
|||
|
||||
] (./d4-client.tex) [14
|
||||
|
||||
] [15
|
||||
|
||||
]
|
||||
Missing character: There is no s in font nullfont!
|
||||
Missing character: There is no c in font nullfont!
|
||||
Missing character: There is no a in font nullfont!
|
||||
Missing character: There is no l in font nullfont!
|
||||
Missing character: There is no e in font nullfont!
|
||||
Missing character: There is no = in font nullfont!
|
||||
Missing character: There is no 0 in font nullfont!
|
||||
Missing character: There is no . in font nullfont!
|
||||
Missing character: There is no 4 in font nullfont!
|
||||
|
||||
Underfull \hbox (badness 1320) in paragraph at lines 249--249
|
||||
[]|\T1/FiraSans-OsF/m/sc/14.4 Observing SYN floods at-tacks in backscat-ter
|
||||
[]
|
||||
|
||||
[16
|
||||
|
||||
] [17
|
||||
|
||||
] (./flags.tex) [18
|
||||
|
||||
] (./pibs.tex) [19
|
||||
|
||||
]
|
||||
\tf@nav=\write7
|
||||
\openout7 = `d4-introduction.nav'.
|
||||
|
@ -1328,33 +1353,36 @@ File: lstlang1.sty 2015/06/04 1.6 listings language file
|
|||
\tf@snm=\write9
|
||||
\openout9 = `d4-introduction.snm'.
|
||||
|
||||
Package atveryend Info: Empty hook `BeforeClearDocument' on input line 208.
|
||||
Package atveryend Info: Empty hook `AfterLastShipout' on input line 208.
|
||||
Package atveryend Info: Empty hook `BeforeClearDocument' on input line 310.
|
||||
Package atveryend Info: Empty hook `AfterLastShipout' on input line 310.
|
||||
(./d4-introduction.aux)
|
||||
Package atveryend Info: Executing hook `AtVeryEndDocument' on input line 208.
|
||||
Package atveryend Info: Executing hook `AtEndAfterFileList' on input line 208.
|
||||
Package atveryend Info: Executing hook `AtVeryEndDocument' on input line 310.
|
||||
Package atveryend Info: Executing hook `AtEndAfterFileList' on input line 310.
|
||||
Package rerunfilecheck Info: File `d4-introduction.out' has not changed.
|
||||
(rerunfilecheck) Checksum: D41D8CD98F00B204E9800998ECF8427E;0.
|
||||
)
|
||||
Here is how much of TeX's memory you used:
|
||||
25465 strings out of 492982
|
||||
512350 string characters out of 6134895
|
||||
651280 words of memory out of 5000000
|
||||
28407 multiletter control sequences out of 15000+600000
|
||||
324501 words of font info for 85 fonts, out of 8000000 for 9000
|
||||
25611 strings out of 492982
|
||||
514988 string characters out of 6134895
|
||||
651424 words of memory out of 5000000
|
||||
28536 multiletter control sequences out of 15000+600000
|
||||
324948 words of font info for 86 fonts, out of 8000000 for 9000
|
||||
1141 hyphenation exceptions out of 8191
|
||||
71i,16n,99p,821b,1405s stack positions out of 5000i,500n,10000p,200000b,80000s
|
||||
{/usr/share/texlive/texmf-dist/fonts/enc/dvips/fira/fir_765q6w.enc}{/usr/shar
|
||||
e/texlive/texmf-dist/fonts/enc/dvips/fira/fir_xbqiro.enc}{/usr/share/texlive/te
|
||||
xmf-dist/fonts/enc/dvips/fira/fir_7gpamp.enc}</usr/share/texlive/texmf-dist/fon
|
||||
{/usr/share/texlive/texmf-dist/fonts/enc/dvips/fira/fir_7gpamp.enc}{/usr/shar
|
||||
e/texlive/texmf-dist/fonts/enc/dvips/fira/fir_765q6w.enc}{/usr/share/texlive/te
|
||||
xmf-dist/fonts/enc/dvips/fira/fir_xbqiro.enc}</usr/share/texlive/texmf-dist/fon
|
||||
ts/type1/public/fira/FiraMono-Regular.pfb></usr/share/texlive/texmf-dist/fonts/
|
||||
type1/public/fira/FiraSans-Bold.pfb></usr/share/texlive/texmf-dist/fonts/type1/
|
||||
public/fira/FiraSans-Regular.pfb></usr/share/texlive/texmf-dist/fonts/type1/pub
|
||||
lic/amsfonts/cm/cmsy10.pfb>
|
||||
Output written on d4-introduction.pdf (14 pages, 525439 bytes).
|
||||
public/fira/FiraSans-Italic.pfb></usr/share/texlive/texmf-dist/fonts/type1/publ
|
||||
ic/fira/FiraSans-Regular.pfb></usr/share/texlive/texmf-dist/fonts/type1/public/
|
||||
amsfonts/cm/cmmi10.pfb></usr/share/texlive/texmf-dist/fonts/type1/public/amsfon
|
||||
ts/cm/cmsy10.pfb></usr/share/texlive/texmf-dist/fonts/type1/public/amsfonts/sym
|
||||
bols/msam10.pfb>
|
||||
Output written on d4-introduction.pdf (19 pages, 600379 bytes).
|
||||
PDF statistics:
|
||||
157 PDF objects out of 1000 (max. 8388607)
|
||||
117 compressed objects within 2 object streams
|
||||
29 named destinations out of 1000 (max. 500000)
|
||||
200 PDF objects out of 1000 (max. 8388607)
|
||||
152 compressed objects within 2 object streams
|
||||
39 named destinations out of 1000 (max. 500000)
|
||||
58 words of extra memory for PDF output out of 10000 (max. 10000000)
|
||||
|
||||
|
|
|
@ -26,8 +26,18 @@
|
|||
\headcommand {\beamer@framepages {13}{13}}
|
||||
\headcommand {\slideentry {0}{0}{14}{14/14}{}{0}}
|
||||
\headcommand {\beamer@framepages {14}{14}}
|
||||
\headcommand {\beamer@partpages {1}{14}}
|
||||
\headcommand {\beamer@subsectionpages {1}{14}}
|
||||
\headcommand {\beamer@sectionpages {1}{14}}
|
||||
\headcommand {\beamer@documentpages {14}}
|
||||
\headcommand {\gdef \inserttotalframenumber {13}}
|
||||
\headcommand {\slideentry {0}{0}{15}{15/15}{}{0}}
|
||||
\headcommand {\beamer@framepages {15}{15}}
|
||||
\headcommand {\slideentry {0}{0}{16}{16/16}{}{0}}
|
||||
\headcommand {\beamer@framepages {16}{16}}
|
||||
\headcommand {\slideentry {0}{0}{17}{17/17}{}{0}}
|
||||
\headcommand {\beamer@framepages {17}{17}}
|
||||
\headcommand {\slideentry {0}{0}{18}{18/18}{}{0}}
|
||||
\headcommand {\beamer@framepages {18}{18}}
|
||||
\headcommand {\slideentry {0}{0}{19}{19/19}{}{0}}
|
||||
\headcommand {\beamer@framepages {19}{19}}
|
||||
\headcommand {\beamer@partpages {1}{19}}
|
||||
\headcommand {\beamer@subsectionpages {1}{19}}
|
||||
\headcommand {\beamer@sectionpages {1}{19}}
|
||||
\headcommand {\beamer@documentpages {19}}
|
||||
\headcommand {\gdef \inserttotalframenumber {18}}
|
||||
|
|
Binary file not shown.
|
@ -123,17 +123,19 @@
|
|||
\begin{frame}
|
||||
\frametitle{D4 meta header}
|
||||
\framesubtitle{Meta types}
|
||||
D4 header includes an easy way to {\bf extend the protocol} (via type 2) without altering the format. Within a D4 session, the initial D4 packet(s) type 2 defines
|
||||
the custom headers and then the following packets with type 254 is the custom data encapsulated.
|
||||
\small
|
||||
\input{meta.tex}
|
||||
\end{frame}
|
||||
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{}
|
||||
{\center Use-case: migrating a legacy network capture model into a D4 network sensor
|
||||
}
|
||||
\end{frame}
|
||||
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{Remote network capture}
|
||||
CIRCL operated honeybot for multiple years using a simple model of remote network capture.
|
||||
|
@ -204,5 +206,105 @@
|
|||
\end{block}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{}
|
||||
{\center Use-case: D4 analyzer to detect DDoS attacks in backscatter traffic
|
||||
}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{Observing SYN floods attacks in backscatter traffic}
|
||||
Attack description
|
||||
\begin{tikzpicture}{scale=0.4}
|
||||
\node[rectangle,draw,fill=red!80] (a) at (0,0) {Attacker};
|
||||
\node[anchor=west] at (0.93,0.25) {Spoofed requests $H_{0},H_{1},H_{2},H_{3},...$};
|
||||
\node [rectangle,draw,fill=blue!25,anchor=east] at (8,0) (v) {Victim};
|
||||
\draw [->](a) --(v);
|
||||
\foreach \x in {0,1,2,3} {
|
||||
\node [rectangle,draw,fill=green!25,anchor=east] at (\x*2+1,-2) {$H_{\x}$};
|
||||
%Horizontal lines
|
||||
\draw (\x*2+1, -\x*0.25-0.5)--(7.0+\x*.25,-\x*0.25-0.5);
|
||||
%Links to the victim
|
||||
\draw (7.0+\x*.25,-\x*0.25-0.5) -- (7.0+\x*.25,-0.25);
|
||||
%Links to hosts
|
||||
\draw[->] (\x*2+1, -\x*0.25-0.5)--(\x*2+1,-1.70);
|
||||
}
|
||||
\end{tikzpicture}
|
||||
|
||||
\begin{center}
|
||||
\begin{tabular}{|l|}
|
||||
\hline
|
||||
Connections\\
|
||||
\hline
|
||||
$H_{0}$\\
|
||||
\hline
|
||||
$H_{1}$\\
|
||||
\hline
|
||||
$H_{2}$\\
|
||||
\hline
|
||||
$H_{3}$\\
|
||||
\hline
|
||||
\end{tabular}
|
||||
\end{center}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{What can be derived from backscatter traffic?}
|
||||
|
||||
\begin{itemize}
|
||||
\item External point of view on ongoing denial of service attacks
|
||||
\item Confirm if there is a DDoS attack
|
||||
\item Recover time line of attacked targets
|
||||
\item Confirm which services are a target (DNS, webserver, $\dots$)
|
||||
\item Infrastructure changes or updates
|
||||
\item Assess the state of an infrastructure under denial of service attack
|
||||
\begin{itemize}
|
||||
\item Detect failure/addition of intermediate network equipments, firewalls, proxy servers etc
|
||||
\item Detect DDoS mitigation devices or services
|
||||
\end{itemize}
|
||||
\item Create probabilistic models of denial of service attacks
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{Confirm if there is a DDOS attack}
|
||||
\begin{block}{Problem}
|
||||
\begin{itemize}
|
||||
\item Distinguish between compromised infrastructure and backscatter
|
||||
\item Look at TCP flags $\to$ filter out single SYN flags
|
||||
\item Focus on ACK, SYN/ACK, ...
|
||||
\item Do not limit to SYN/ACK or ACK $\to$ ECE (ECN Echo)\footnote{\url{https://tools.ietf.org/html/rfc3168}}
|
||||
\end{itemize}
|
||||
\end{block}
|
||||
\input{flags.tex}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{Passive Identification of Backscatter (WiP)}
|
||||
\lstset{%
|
||||
language=bash,
|
||||
backgroundcolor=\color{gray!25},
|
||||
basicstyle=\ttfamily,
|
||||
breaklines=true,
|
||||
columns=fullflexible
|
||||
}
|
||||
\input{pibs.tex}
|
||||
\begin{tabular}{l|l}
|
||||
Options & Explanations\\
|
||||
\hline
|
||||
-r & read pcap file\\
|
||||
-b & display IPs under DDoS on standard output\\
|
||||
\end{tabular}
|
||||
|
||||
|
||||
\begin{tabular}{l}
|
||||
Dependencies\\
|
||||
\hline
|
||||
libwiretap-dev\\
|
||||
libhiredis-dev\\
|
||||
libwsutil-dev\\
|
||||
\end{tabular}
|
||||
\end{frame}
|
||||
|
||||
|
||||
\end{document}
|
||||
|
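Review bot: In the new "Observing SYN floods attacks in backscatter traffic" frame, `\begin{tikzpicture}{scale=0.4}` passes the option in braces instead of brackets, so TikZ never sees it and `scale=0.4` is typeset as stray text in the null font; the build log in this same commit shows the symptom as the run of `Missing character: There is no s in font nullfont!` … `4` lines, and the picture is drawn unscaled. The one-line fix is `\begin{tikzpicture}[scale=0.4]`. While in that frame, the title reads "SYN floods attacks" where "SYN flood attacks" is meant (the same string shows up in the Underfull \hbox warning), and the deck now spells the term three ways ("DDoS", "DDOS" in the "Confirm if there is a DDOS attack" frametitle); pick one. The PIBS frame sets `language=bash` via `\lstset` only for the `pibs.tex` listing while `flags.tex` redefines `\lstset` without a language, so the two code boxes are styled inconsistently; a single `\lstset` in the preamble would cover both.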
|
|
@ -0,0 +1,12 @@
|
|||
\lstset{%
|
||||
backgroundcolor=\color{gray!25},
|
||||
basicstyle=\ttfamily,
|
||||
breaklines=true,
|
||||
columns=fullflexible
|
||||
}
|
||||
|
||||
\begin{lstlisting}
|
||||
tshark -n -r capture-20170916110006.cap.gz -T fields -e frame.time_epoch -e ip.src -e tcp.flags
|
||||
1505552542.807286000 x.45.177.71 0x00000010
|
||||
1505552547.514922000 x.45.177.71 0x00000010
|
||||
\end{lstlisting}
|
|
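Review bot: The tshark output in this listing leaves `tcp.flags` as raw hex (`0x00000010`) with nothing telling the audience that this is an ACK-only segment, which is exactly the packet class the "Confirm if there is a DDoS attack" frame says to focus on; a trailing decoding line such as `# tcp.flags 0x010 = ACK only; 0x012 = SYN/ACK; bit 0x040 = ECE` would let the example stand on its own. The capture filename and epoch timestamps are shown unmodified while the address is only partly masked (`x.45.177.71`); if this deck is distributed publicly, confirm that this partial mask is the intended level of disclosure for the source hosts in that capture.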
@ -0,0 +1,3 @@
|
|||
\begin{lstlisting}
|
||||
./pibs -b -r pcap_file.cap
|
||||
\end{lstlisting}
|