wip: IS Day preso
parent
294c955331
commit
e55a949e5f
|
@ -59,12 +59,12 @@
|
||||||
\begin{frame}
|
\begin{frame}
|
||||||
\frametitle{(short) History}
|
\frametitle{(short) History}
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item D4 Project (co-funded under INEA CEF EU program) started - 1st November 2018
|
\item D4 Project (co-funded under INEA CEF EU program) started - {\bf 1st November 2018}
|
||||||
\item D4 encapsulation protocol version 1 published - 1st December 2018
|
\item D4 encapsulation protocol version 1 published - {\bf 1st December 2018}
|
||||||
\item v0.1 release of the D4 core\footnote{\url{https://www.github.com/D4-project/d4-core}} including a server and simple D4 C client - 21st January 2019
|
\item v0.1 release of the D4 core\footnote{\url{https://www.github.com/D4-project/d4-core}} including a server and simple D4 C client - {\bf 21st January 2019}
|
||||||
\item First version of a golang D4
|
\item First version of a golang D4
|
||||||
client\footnote{\url{https://www.github.com/D4-project/d4-goclient/}}
|
client\footnote{\url{https://www.github.com/D4-project/d4-goclient/}}
|
||||||
running on ARM, MIPS, PPC and x86 - 14th February 2019
|
running on ARM, MIPS, PPC and x86 - {\bf 14th February 2019}
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
\end{frame}
|
\end{frame}
|
||||||
|
|
||||||
|
@ -114,7 +114,7 @@ see \url{https://github.com/D4-Project}
|
||||||
\item [\checkmark]Blackhole DDoS
|
\item [\checkmark]Blackhole DDoS
|
||||||
\item BGP mapping
|
\item BGP mapping
|
||||||
\item egress filtering mapping
|
\item egress filtering mapping
|
||||||
\item Radio monitoring
|
\item Radio-Specturm monitoring: 802.11, BLE, etc.
|
||||||
\item ...
|
\item ...
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
\end{frame}
|
\end{frame}
|
||||||
|
@ -181,7 +181,7 @@ see \url{https://github.com/D4-Project}
|
||||||
|
|
||||||
\begin{frame}
|
\begin{frame}
|
||||||
\frametitle{D4 server - management interface}
|
\frametitle{D4 server - management interface}
|
||||||
The D4 server provides a web interface to manage D4 sensors, sessions and analyzer.
|
The D4 server provides a {\bf web interface} to manage D4 sensors, sessions and analyzer.
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item Get Sensors status, errors and statistics
|
\item Get Sensors status, errors and statistics
|
||||||
\item Get all connected sensors
|
\item Get all connected sensors
|
||||||
|
@ -194,34 +194,34 @@ The D4 server provides a web interface to manage D4 sensors, sessions and analyz
|
||||||
|
|
||||||
\begin{frame}
|
\begin{frame}
|
||||||
\frametitle{D4 server - main interface}
|
\frametitle{D4 server - main interface}
|
||||||
\includegraphics[width=\textwidth]{../../diagram/d4-5.png}
|
\includegraphics[width=\textwidth]{./d4-5.png}
|
||||||
\end{frame}
|
\end{frame}
|
||||||
|
|
||||||
\begin{frame}
|
\begin{frame}
|
||||||
\frametitle{D4 server - server management}
|
\frametitle{D4 server - server management}
|
||||||
\includegraphics[width=\textwidth]{../../diagram/d4-2.png}
|
\includegraphics[width=\textwidth]{./d4-2.png}
|
||||||
\end{frame}
|
\end{frame}
|
||||||
|
|
||||||
\begin{frame}
|
\begin{frame}
|
||||||
\frametitle{D4 server - server management}
|
\frametitle{D4 server - server management}
|
||||||
\includegraphics[width=\textwidth]{../../diagram/d4-3.png}
|
\includegraphics[width=\textwidth]{./d4-3.png}
|
||||||
\end{frame}
|
\end{frame}
|
||||||
|
|
||||||
\begin{frame}
|
\begin{frame}
|
||||||
\frametitle{D4 server - sensor overview}
|
\frametitle{D4 server - sensor overview}
|
||||||
\includegraphics[width=\textwidth]{../../diagram/d4-1.png}
|
\includegraphics[width=\textwidth]{./d4-1.png}
|
||||||
\end{frame}
|
\end{frame}
|
||||||
|
|
||||||
|
|
||||||
\begin{frame}
|
\begin{frame}
|
||||||
\frametitle{D4 server - sensor management}
|
\frametitle{D4 server - sensor management}
|
||||||
\includegraphics[width=\textwidth]{../../diagram/d4-4.png}
|
\includegraphics[width=\textwidth]{./d4-4.png}
|
||||||
\end{frame}
|
\end{frame}
|
||||||
|
|
||||||
\begin{frame}
|
\begin{frame}
|
||||||
\frametitle{}
|
\frametitle{}
|
||||||
\begin{center}
|
\begin{center}
|
||||||
A distributed Network telescope to observe DDoS attacks
|
{\bf A distributed Network telescope to observe DDoS attacks}
|
||||||
\end{center}
|
\end{center}
|
||||||
\vspace{10pt}
|
\vspace{10pt}
|
||||||
\begin{center}
|
\begin{center}
|
||||||
|
@ -241,41 +241,46 @@ The D4 server provides a web interface to manage D4 sensors, sessions and analyz
|
||||||
\frametitle{What can be derived from backscatter traffic?}
|
\frametitle{What can be derived from backscatter traffic?}
|
||||||
|
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item External point of view on ongoing denial of service attacks
|
\item External point of view on ongoing Denial of Service attacks:
|
||||||
\item Confirm if there is a DDOS attack
|
|
||||||
\item Recover time line of attacked targets
|
|
||||||
\item Confirm which services (DNS, webserver, $\dots$)
|
|
||||||
\item Infrastructure changes
|
|
||||||
\item Assess the state of an infrastructure under denial of service attack
|
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item Detect failure/addition of intermediate network equipments, firewalls, proxy servers etc
|
\item {\bf Confirm} if there is a DDoS attack
|
||||||
\item Detect DDoS mitigation devices
|
\item {\bf Recover} time line of attacked targets
|
||||||
|
\item {\bf Confirm} which services (DNS, webserver, $\dots$)
|
||||||
|
\item {\bf Observe} Infrastructure changes
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
\item Create probabilistic models of denial of service attacks
|
\item {\bf Assess the state of an infrastructure under denial of service attack}
|
||||||
|
\begin{itemize}
|
||||||
|
\item {\bf Detect} failure/addition of intermediate network equipments, firewalls, proxy servers etc
|
||||||
|
\item {\bf Detect} DDoS mitigation devices
|
||||||
|
\end{itemize}
|
||||||
|
\item Create models of DoS/DDoS attacks
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
\end{frame}
|
\end{frame}
|
||||||
|
|
||||||
\begin{frame}
|
\begin{frame}
|
||||||
\frametitle{D4 in this setting}
|
\frametitle{D4 in this setting}
|
||||||
|
|
||||||
Aggregating backscatter traffic collected from D4 sensors:
|
|
||||||
|
D4 - for data collection and processing:
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item have various points of observation (non contiguous address space)
|
\item {\bf provide} various points of observation in non contiguous address space,
|
||||||
\item perform analysis on bigger amount of data
|
\item {\bf aggregate} and {\bf mix} backscatter traffic collected from D4 sensors,
|
||||||
|
\item {\bf perform} analysis on big amount of data.
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
|
|
||||||
D4 lookup should provide:
|
D4 - from a end-user perspective:
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item backscatter analysis results,
|
\item {\bf provide} backscatter analysis results,
|
||||||
\item daily updates,
|
\item {\bf provide} daily updates,
|
||||||
\item additional relevant information (DNS, BGP, etc.).
|
\item {\bf provide} additional relevant (or pivotal) information (DNS, BGP, etc.),
|
||||||
|
\item {\bf provide} an API and search capabilities.
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
|
|
||||||
\end{frame}
|
\end{frame}
|
||||||
|
|
||||||
\begin{frame}
|
\begin{frame}
|
||||||
\begin{center}
|
\begin{center}
|
||||||
Passive DNS
|
{\bf Passive DNS}
|
||||||
\end{center}
|
\end{center}
|
||||||
\end{frame}
|
\end{frame}
|
||||||
|
|
||||||
|
@ -301,17 +306,25 @@ The D4 server provides a web interface to manage D4 sensors, sessions and analyz
|
||||||
|
|
||||||
\begin{frame}
|
\begin{frame}
|
||||||
\frametitle{First release}
|
\frametitle{First release}
|
||||||
\begin{itemize}
|
|
||||||
|
|
||||||
\item analyzer-d4-passivedns\footnote{\url{https://github.com/D4-project/analyzer-d4-passivedns}} is an analyzer for a D4 network sensor. The analyser can process data produced by D4 sensors (in passivedns CSV format\footnote{\url{https://github.com/gamelinux/passivedns}})
|
\begin{itemize}
|
||||||
\item Ingest these into a {\bf Passive DNS server} which can be queried later to search for the Passive DNS records
|
\item[\checkmark]
|
||||||
\item The lookup server (using on redis-compatible backend) is a Passive DNS REST server compliant to the Common Output Format\footnote{\url{https://tools.ietf.org/html/draft-dulaunoy-dnsop-passive-dns-cof-04}}
|
analyzer-d4-passivedns\footnote{\url{https://github.com/D4-project/analyzer-d4-passivedns}}, an analyzer for a D4 network sensor:
|
||||||
|
|
||||||
|
\begin{itemize}
|
||||||
|
\item {\bf processes} data produced by D4 sensors (in passivedns CSV format\footnote{\url{https://github.com/gamelinux/passivedns}}),
|
||||||
|
|
||||||
|
\item{\bf ingests} these into a {\bf Passive DNS server} which can be queried later to search for the Passive DNS records,
|
||||||
|
|
||||||
|
\item{\bf provides} a lookup server (using on
|
||||||
|
redis-compatible backend) that is a Passive DNS REST server compliant to the Common Output Format\footnote{\url{https://tools.ietf.org/html/draft-dulaunoy-dnsop-passive-dns-cof-04}}.
|
||||||
|
\end{itemize}
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
\end{frame}
|
\end{frame}
|
||||||
|
|
||||||
\begin{frame}
|
\begin{frame}
|
||||||
\begin{center}
|
\begin{center}
|
||||||
Passive SSL revamping
|
{\bf Passive SSL revamping}
|
||||||
\end{center}
|
\end{center}
|
||||||
\end{frame}
|
\end{frame}
|
||||||
|
|
||||||
|
@ -319,19 +332,19 @@ The D4 server provides a web interface to manage D4 sensors, sessions and analyz
|
||||||
\frametitle{A passive SSL fingerprinter}
|
\frametitle{A passive SSL fingerprinter}
|
||||||
CSIRT's rationale for collecting TLS handshakes:
|
CSIRT's rationale for collecting TLS handshakes:
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item pivot on additional data points,
|
\item {\bf pivot} on additional data points,
|
||||||
\item find owners of IP addresses,
|
\item {\bf find} owners of IP addresses,
|
||||||
\item detect usage of CIDR blocks,
|
\item {\bf detect} usage of CIDR blocks,
|
||||||
\item detect vulnerable systems,
|
\item {\bf detect} vulnerable systems,
|
||||||
\item detect compromised services,
|
\item {\bf detect} compromised services,
|
||||||
\item detect Key material reuse,
|
\item {\bf detect} key material reuse,
|
||||||
\item detect weak keys.
|
\item {\bf detect} weak keys.
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
\end{frame}
|
\end{frame}
|
||||||
|
|
||||||
\begin{frame}
|
\begin{frame}
|
||||||
\frametitle{Objectives}
|
\frametitle{Objectives - x509}
|
||||||
History of links between:
|
{\bf Keeping} a log of links between:
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item x509 certificates,
|
\item x509 certificates,
|
||||||
\item ports,
|
\item ports,
|
||||||
|
@ -345,13 +358,22 @@ The D4 server provides a web interface to manage D4 sensors, sessions and analyz
|
||||||
\end{frame}
|
\end{frame}
|
||||||
|
|
||||||
\begin{frame}
|
\begin{frame}
|
||||||
\frametitle{Objectives}
|
\frametitle{Objectives - Mind your Ps and Qs}
|
||||||
Mind your Ps and Qs:
|
{\bf Collect} and {\bf store} x509 certificates and TLS sessions:
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item Public keys type and size,
|
\item Public keys type and size,
|
||||||
\item modulos and exponents,
|
\item moduli and exponents,
|
||||||
\item curves parameters.
|
\item curves parameters.
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
|
{\bf Detect} broken crypto:
|
||||||
|
\begin{itemize}
|
||||||
|
\item Public Key reuse,
|
||||||
|
\item Moduli that share one prime factor,
|
||||||
|
\item Moduli that share both prime factor,
|
||||||
|
\item Small factors,
|
||||||
|
\item Nonces reuse / common preffix or suffix, etc.
|
||||||
|
\end{itemize}
|
||||||
|
|
||||||
\end{frame}
|
\end{frame}
|
||||||
|
|
||||||
\begin{frame}
|
\begin{frame}
|
||||||
|
@ -359,21 +381,23 @@ The D4 server provides a web interface to manage D4 sensors, sessions and analyz
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item[\checkmark] sensor-d4-tls-fingerprinting
|
\item[\checkmark] sensor-d4-tls-fingerprinting
|
||||||
\footnote{\url{github.com/D4-project/sensor-d4-tls-fingerprinting}}:
|
\footnote{\url{github.com/D4-project/sensor-d4-tls-fingerprinting}}:
|
||||||
Extracts and fingerprints certificates
|
{\bf Extracts} and {\bf fingerprints} certificates, and {\bf computes} TLSH fuzzy hash.
|
||||||
\item[\checkmark] analyzer-d4-passivessl
|
\item[\checkmark] analyzer-d4-passivessl
|
||||||
\footnote{\url{github.com/D4-project/analyzer-d4-passivessl}}:
|
\footnote{\url{github.com/D4-project/analyzer-d4-passivessl}}:
|
||||||
Stores Certificates / PK details in a PostgreSQL DB
|
{\bf Stores} Certificates / PK details in a PostgreSQL DB.
|
||||||
\item lookup-d4-passivessl
|
\item lookup-d4-passivessl
|
||||||
\footnote{\url{github.com/D4-project/lookup-d4-passivessl}}:
|
\footnote{\url{github.com/D4-project/lookup-d4-passivessl}}:
|
||||||
Exposes the DB through a public REST API
|
{\bf Exposes} the DB through a public REST API.
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
\end{frame}
|
\end{frame}
|
||||||
|
|
||||||
\begin{frame}[t]{Future}
|
\begin{frame}{Future}
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item {\bf Mixing models for passive collection streams} (for privacy) in next version of D4 core server
|
\item {\bf Mixing models for passive collection streams} (for privacy) in next version of D4 core server
|
||||||
\item Interconnecting private D4 sensor networks with other D4 sensor networks (sharing to partners filtered stream)
|
\item {\bf Interconnecting private D4 sensor networks} with other D4 sensor networks (sharing to partners filtered stream)
|
||||||
\item Previewing dataset collected in D4 sensor network and providing {\bf open data stream} (if contributor agrees to share under specific conditions)
|
\item {\bf Previewing datasets} collected in D4 sensor network and providing {\bf open data stream} (if contributor agrees to share under specific conditions)
|
||||||
|
\item {\bf Leverage MISP sharing communities} to augment Threat
|
||||||
|
Intelligence, and provide accurate metrology.
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
\end{frame}
|
\end{frame}
|
||||||
|
|
||||||
|
@ -382,7 +406,9 @@ The D4 server provides a web interface to manage D4 sensors, sessions and analyz
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item Collaboration can include research partnership, sharing of collected streams or improving the software.
|
\item Collaboration can include research partnership, sharing of collected streams or improving the software.
|
||||||
\item Contact: info@circl.lu
|
\item Contact: info@circl.lu
|
||||||
\item \url{https://github.com/D4-Project} - \url{https://twitter.com/d4_project}
|
\item \url{https://github.com/D4-Project}
|
||||||
|
\item \url{https://twitter.com/d4_project}
|
||||||
|
\item \url{https://d4-project.org}
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
\end{frame}
|
\end{frame}
|
||||||
|
|
||||||
|
|
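Review bot: Nearly every new line in this commit switches to the plain-TeX font switch `{\bf ...}` for emphasis (for example `\item {\bf Confirm} if there is a DDoS attack`, `{\bf A distributed Network telescope to observe DDoS attacks}`, `{\bf Extracts} and {\bf fingerprints} certificates`), which is the obsolete form flagged by l2tabu/nag; the LaTeX2e form `\textbf{...}` (or beamer's `\alert{...}`, which also nests correctly) is what the rest of a beamer deck should use, and it makes a later global restyle a one-line preamble change. Several of the added lines also carry typos that will end up on the projected slide: `Radio-Specturm` should be `Radio-Spectrum`, `common preffix or suffix` should be `common prefix or suffix`, `from a end-user perspective` should be `from an end-user perspective`, `(using on redis-compatible backend)` should be `(using a redis-compatible backend)`, and `Moduli that share both prime factor` should be `share both prime factors`. The new "Detect broken crypto" list reads as a mix of key-level and signature-level checks; splitting `Nonces reuse / common prefix or suffix` onto its own sub-heading or noting it applies to ECDSA signatures in TLS sessions rather than to certificates would make the slide more precise.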