725 lines
25 KiB
TeX
725 lines
25 KiB
TeX
% Full instructions available at:
|
|
% https://github.com/elauksap/focus-beamertheme
|
|
|
|
\documentclass{beamer}
|
|
\usetheme[numbering=progressbar]{focus}
|
|
\usepackage{tikz}
|
|
\usetikzlibrary{positioning}
|
|
\usetikzlibrary{shapes,arrows}
|
|
\usepackage{transparent}
|
|
\usepackage{fancyvrb}
|
|
\usepackage{tabularx}
|
|
\usepackage{ulem}
|
|
\usepackage{csquotes}
|
|
\usepackage{listings}
|
|
\definecolor{main}{RGB}{47, 161, 219}
|
|
%\definecolor{textcolor}{RGB}{128, 128, 128}
|
|
\definecolor{background}{RGB}{240, 247, 255}
|
|
\definecolor{textcolor}{RGB}{85, 87, 83}
|
|
\title{D4 Project}
|
|
\subtitle{Open and collaborative network monitoring}
|
|
\author{Team CIRCL}
|
|
\titlegraphic{\includegraphics[scale=0.20]{d4-logo.pdf}}
|
|
\institute{\url{https://www.d4-project.org/}}
|
|
\date{2019/09/23}
|
|
|
|
\begin{document}
|
|
\begin{frame}
|
|
\maketitle
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Problem statement}
|
|
\begin{itemize}
|
|
\item CSIRTs (or private organisations) build their {\bf own honeypot, honeynet or blackhole monitoring network}
|
|
\item Designing, managing and operating such infrastructure is a tedious and resource intensive task
|
|
\item {\bf Automatic sharing} between monitoring networks from different organisations is missing
|
|
\item Sensors and processing are often seen as blackbox or difficult to audit
|
|
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}
|
|
\frametitle{Objective}
|
|
\begin{itemize}
|
|
\item Based on our experience with MISP\footnote{\url{https://github.com/MISP/MISP}} where sharing played an important role, we transpose
|
|
the model in D4 project
|
|
\item Keeping the protocol and code base {\bf simple and minimal}
|
|
\item Allowing every organisation to {\bf control and audit their own sensor network}
|
|
\item Extending D4 or {\bf encapsulating legacy monitoring protocols} must be as simple as possible
|
|
\item Ensuring that the sensor server has {\bf no control on the sensor} (unidirectional streaming)
|
|
\item Don't force users to use dedicated sensors and allow {\bf flexibility of sensor support} (software, hardware, virtual)
|
|
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{(short) History}
|
|
\begin{itemize}
|
|
\item D4 Project (co-funded under INEA CEF EU program) started - \textbf{1st November 2018}
|
|
\item D4 encapsulation protocol version 1 published - \textbf{1st December 2018}
|
|
\item v0.1 release of the D4 core\footnote{\url{https://www.github.com/D4-project/d4-core}} including a server and simple D4 C client - \textbf{21st January 2019}
|
|
\item First version of a golang D4 client\footnote{\url{https://www.github.com/D4-project/d4-goclient/}} running on ARM, MIPS, PPC and x86 - \textbf{January 2019}
|
|
\item First Analyzers - \textbf{Spring 2019}
|
|
\item Client Generator - \textbf{Summer 2019}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}
|
|
\frametitle{(short) History}
|
|
\begin{center}
|
|
\resizebox{!}{100pt}{%
|
|
\begin{tabularx}{\linewidth}%
|
|
{>{\setlength\hsize{0.6\hsize}\raggedright}X%
|
|
>{\setlength\hsize{0.4\hsize}\raggedright}X}
|
|
|
|
\hline
|
|
Release & Date \tabularnewline
|
|
\hline
|
|
AIL-framework-v1.5 & Apr. 26, 2019 \tabularnewline
|
|
... & \tabularnewline
|
|
AIL-framework-v2.1 & Aug. 14, 2019 \tabularnewline
|
|
analyzer-d4-balboa-v0.1 & Aug. 19, 2019 \tabularnewline
|
|
analyzer-d4-passivedns-v0.1 & Apr. 5, 2019 \tabularnewline
|
|
analyzer-d4-passivessl-0.1 & Apr. 25, 2019 \tabularnewline
|
|
analyzer-d4-pibs-v0.1 & Apr. 8, 2019 \tabularnewline
|
|
BGP-Ranking-1.0 & Apr. 25, 2019 \tabularnewline
|
|
BGP-Ranking-1.1 & Aug. 19, 2019 \tabularnewline
|
|
d4-core-v0.1 & Jan. 25, 2019 \tabularnewline
|
|
d4-core-v0.2 & Feb. 14, 2019 \tabularnewline
|
|
d4-core-v0.3 & Apr. 8, 2019 \tabularnewline
|
|
d4-goclient-v0.1 & Feb. 14, 2019 \tabularnewline
|
|
d4-goclient-v0.2 & Apr. 8, 2019 \tabularnewline
|
|
d4-sensor-generator-v0.1 & Aug. 22, 2019 \tabularnewline
|
|
d4-server-packer-0.1 & Apr. 25, 2019 \tabularnewline
|
|
IPASN-History-1.0 & Apr. 25, 2019 \tabularnewline
|
|
IPASN-History-1.1 & Aug. 19, 2019 \tabularnewline
|
|
sensor-d4-tls-fingerprinting-0.1 & Apr. 25, 2019 \tabularnewline
|
|
\hline
|
|
|
|
\end{tabularx}%
|
|
}
|
|
\end{center}
|
|
|
|
see \url{https://github.com/D4-Project}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{D4 Overview}
|
|
\includegraphics[scale=0.38]{../../diagram/d4-overview.png}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{D4 Overview - Connecting Sensor Networks}
|
|
\includegraphics[scale=0.46]{../../diagram/mixing-d4-1.pdf}
|
|
{\tiny \url{https://d4-project.org/2019/06/17/sharing-between-D4-sensors.html}}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{What to do with it}
|
|
\begin{itemize}
|
|
\item Passive DNS collection
|
|
\item Passive SSL collection
|
|
\item AIL collection
|
|
\item Correlations, CTI
|
|
\item DDoS Detection
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{D4 Overview: DDoS}
|
|
\includegraphics[width=\textwidth]{../../diagram/theconversation.pdf}
|
|
{\tiny \url{https://d4-project.org/2019/08/29/state-of-the-art-DDoS.html}}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Roadmap - output}
|
|
|
|
CIRCL hosts a server instance for organisations willing to
|
|
contribute to a public dataset without running their own D4 server:
|
|
\begin{itemize}
|
|
\item [\checkmark] Blackhole DDoS
|
|
\item [\checkmark] Passive DNS
|
|
\item [\checkmark] Passive SSL
|
|
\item Gene\footnote{\url{https://github.com/0xrawsec/gene}} / WHIDS\footnote{\url{https://github.com/0xrawsec/whids}} (sysmon)
|
|
\item Maltrail\footnote{\url{https://github.com/stamparm/maltrail}}
|
|
\item BGP mapping
|
|
\item egress filtering mapping
|
|
\item Radio-Spectrum monitoring: 802.11, BLE, \sout{GSM}, etc.
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}
|
|
\frametitle{D4 encapsulation protocol}
|
|
\includegraphics[scale=0.38]{d4-protocol-encapsulation.png}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{D4 Header}
|
|
\begin{tabular}{|l|l|l|}
|
|
\hline
|
|
Name & bit size& Description\\
|
|
\hline
|
|
version & uint 8 & Version of the header \\
|
|
type & uint 8 & Data encapsulated type\\
|
|
uuid & uint 128 & Sensor UUID\\
|
|
timestamp & uint 64 & Encapsulation time\\
|
|
hmac & uint 256 & Authentication header (HMAC-SHA-256-128)\\
|
|
size & uint 32 & Payload size\\
|
|
\hline
|
|
\end{tabular}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}
|
|
\frametitle{D4 Header}
|
|
\framesubtitle{Types}
|
|
\begin{tabular}{|l|l|}
|
|
\hline
|
|
Type & Description\\
|
|
\hline
|
|
0 & Reserved\\
|
|
1 & pcap (libpcap 2.4)\\
|
|
2 & meta header (JSON)\\
|
|
3 & generic log line\\
|
|
4 & dnscap output\\
|
|
5 & pcapng (diagnostic)\\
|
|
6 & generic NDJSON or JSON Lines\\
|
|
7 & generic YAF (Yet Another Flowmeter)\\
|
|
8 & passivedns CSV stream\\
|
|
254 & type defined by meta header (type 2)\\
|
|
\hline
|
|
\end{tabular}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{D4 meta header}
|
|
\framesubtitle{Meta types}
|
|
D4 header includes an easy way to {\bf extend the protocol} (via type 2) without altering the format. Within a D4 session, the initial D4 packet(s) type 2 defines
|
|
the custom headers and then the following packets with type 254 is the custom data encapsulated.
|
|
\small
|
|
\input{meta.tex}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{D4 server}
|
|
\begin{itemize}
|
|
\item D4 core server\footnote{\url{https://github.com/D4-project/d4-core}} is a complete server to handle clients (sensors) including the decapsulation of the D4 protocol, control of sensor registrations, management of decoding protocols and dispatching to adequate decoders/analysers.
|
|
\item D4 server is written in Python 3.6 and runs on standard GNU/Linux distribution.
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{D4 server handling}
|
|
|
|
D4 server reconstructs the encapsulated stream from the D4 sensor and saves it in a Redis stream.
|
|
|
|
\begin{itemize}
|
|
\item Support TLS connection
|
|
\item Unpack D4 header
|
|
\item Verify client secret key (HMAC)
|
|
\item check blocklist
|
|
\item Filter by types (Only accept one connection by type-UUID - except: type 254)
|
|
\item Discard incorrect data
|
|
\item Save data in a Redis Stream (unique for each session)
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{D4 server - worker handler}
|
|
After the stream is processed depending of the type using dedicated worker.
|
|
\begin{itemize}
|
|
\item Worker Manager (one by type)
|
|
\begin{itemize}
|
|
\item Check if a new session is created and valid data are saved in a Redis stream
|
|
\item Launch a new Worker for each session
|
|
\end{itemize}
|
|
\item Worker
|
|
\begin{itemize}
|
|
\item Get data from a stream
|
|
\item Reconstruct data
|
|
\item Save data on disk (with file rotation)
|
|
\item Save data in Redis. Create a queue for D4 Analyzer(s)
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{D4 server - type 254 worker handler}
|
|
\begin{itemize}
|
|
\item Worker custom type (called Worker 2)
|
|
\begin{itemize}
|
|
\item Get type 2 data from a stream
|
|
\item Reconstruct Json
|
|
\item Extract extended type name
|
|
\item Use default type or special extended handler
|
|
\item Save Json on disk
|
|
\item Get type 254 data from a stream
|
|
\item Reconstruct type 254
|
|
\item Save data in Redis. Create a queue for D4 Analyzer(s)
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{D4 server - management interface}
|
|
The D4 server provides a {\bf web interface} to manage D4 sensors, sessions and analyzer.
|
|
\begin{itemize}
|
|
\item Get Sensors status, errors and statistics
|
|
\item Get all connected sensors
|
|
\item Manage Sensors (stream size limit, secret key, ...)
|
|
\item Manage Accepted types
|
|
\item UUID/IP blocklist
|
|
\item Create Analyzer Queues
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{D4 server - main interface}
|
|
\includegraphics[width=\textwidth]{./d4-5.png}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{D4 server - server management}
|
|
\includegraphics[width=\textwidth]{./d4-2.png}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{D4 server - server management}
|
|
\includegraphics[width=\textwidth]{./d4-3.png}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{D4 server - sensor overview}
|
|
\includegraphics[width=\textwidth]{./d4-1.png}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}
|
|
\frametitle{D4 server - sensor management}
|
|
\includegraphics[width=\textwidth]{./d4-4.png}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{}
|
|
{\center Example use-case: migrating a legacy network capture model into a D4 network sensor
|
|
}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}
|
|
\frametitle{Remote network capture}
|
|
CIRCL operated honeybot for multiple years using a simple model of remote network capture.
|
|
\begin{definition}[Principle]
|
|
\begin{itemize}
|
|
\item KISS (Keep it simple stupid) - Unix-like
|
|
\item Linux \& OpenBSD operating systems
|
|
\end{itemize}
|
|
\end{definition}
|
|
|
|
\begin{block}{Sensor}
|
|
\lstset{%
|
|
language=bash,
|
|
backgroundcolor=\color{gray!25},
|
|
basicstyle=\ttfamily,
|
|
breaklines=true,
|
|
columns=fullflexible
|
|
}
|
|
\input{tcpdump.tex}
|
|
\end{block}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Remote network capture}
|
|
\begin{block}{Limitations}
|
|
\begin{itemize}
|
|
\item Scalability $\to$ one port per client
|
|
\item Identification and registration of the client
|
|
\item Integrity of the data
|
|
\end{itemize}
|
|
\end{block}
|
|
|
|
\begin{block}{Encapsulating streams in D4}
|
|
\begin{itemize}
|
|
\item Inspired by the unix command {\tt tee}
|
|
\item Read from standard input
|
|
\item Add the d4 header
|
|
\item Write it on standard output
|
|
\end{itemize}
|
|
\end{block}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}
|
|
\frametitle{Remote network capture with D4}
|
|
\frametitle{Using D4 native client}
|
|
\lstset{%
|
|
language=bash,
|
|
backgroundcolor=\color{gray!25},
|
|
basicstyle=\ttfamily,
|
|
breaklines=true,
|
|
columns=fullflexible
|
|
}
|
|
\input{d4-client.tex}
|
|
|
|
\begin{block}{Configuration directory}
|
|
\begin{tabular}{l|l}
|
|
Parameter & Explanation\\
|
|
\hline
|
|
type & see D4 Header slide\\
|
|
source & standard input\\
|
|
key & HMAC key\\
|
|
uuid & Identifier of the sensor\\
|
|
version & version of the sensor\\
|
|
destination & standard output\\
|
|
snaplen & length of data being read \& written\\
|
|
\end{tabular}
|
|
\end{block}
|
|
\end{frame}
|
|
|
|
|
|
|
|
|
|
\begin{frame}
|
|
\frametitle{}
|
|
\begin{center}
|
|
{\bf A distributed Network telescope to observe DDoS attacks}
|
|
\end{center}
|
|
\vspace{10pt}
|
|
\begin{center}
|
|
\includegraphics[width=.7\textwidth]{../../preso/03-PassTheSalt/eventhorizon.png}
|
|
\end{center}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Motivation}
|
|
DDoS Attacks produce an observable side-effect:
|
|
\begin{center}
|
|
\scalebox{0.8}{\input{../../preso/03-PassTheSalt/bsvol.tex}}
|
|
\end{center}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{What can be derived from backscatter traffic?}
|
|
|
|
\begin{itemize}
|
|
\item External point of view on ongoing Denial of Service attacks:
|
|
\begin{itemize}
|
|
\item {\bf Confirm} if there is a DDoS attack
|
|
\item {\bf Recover} time line of attacked targets
|
|
\item {\bf Confirm} which services (DNS, webserver, $\dots$)
|
|
\item {\bf Observe} Infrastructure changes
|
|
\end{itemize}
|
|
\item {\bf Assess the state of an infrastructure under denial of service attack}
|
|
\begin{itemize}
|
|
\item {\bf Detect} failure/addition of intermediate network equipments, firewalls, proxy servers etc
|
|
\item {\bf Detect} DDoS mitigation devices
|
|
\end{itemize}
|
|
\item {\bf Create} models of DoS/DDoS attacks
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{D4 in this setting}
|
|
|
|
|
|
D4 - for data collection and processing:
|
|
\begin{itemize}
|
|
\item {\bf provide} various points of observation in non contiguous address space,
|
|
\item {\bf aggregate} and {\bf mix} backscatter traffic collected from D4 sensors,
|
|
\item {\bf perform} analysis on big amount of data.
|
|
\end{itemize}
|
|
|
|
D4 - from a end-user perspective:
|
|
\begin{itemize}
|
|
\item {\bf provide} backscatter analysis results,
|
|
\item {\bf provide} daily updates,
|
|
\item {\bf provide} additional relevant (or pivotal) information (DNS, BGP, etc.),
|
|
\item {\bf provide} an API and search capabilities.
|
|
\end{itemize}
|
|
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{First release}
|
|
|
|
\begin{itemize}
|
|
\item[\checkmark]
|
|
analyzer-d4-pibs\footnote{\url{https://github.com/D4-project/analyzer-d4-pibs}}, an analyzer for a D4 network sensor:
|
|
|
|
\begin{itemize}
|
|
\item {\bf processes} data produced by D4 sensors (pcaps),
|
|
\item {\bf displays} potential backscatter traffic on standard output,
|
|
\item {\bf focuses} on TCP SYN flood in this first release.
|
|
|
|
\end{itemize}
|
|
|
|
\item
|
|
analyzer-d4-ipa\footnote{\url{https://github.com/D4-project/analyzer-d4-ipa}},
|
|
\begin{itemize}
|
|
\item {\bf processes} data produced by D4 sensors (pcaps),
|
|
\item {\bf analyze} ICMP packets,
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
|
|
|
|
|
|
|
|
\begin{frame}
|
|
\begin{center}
|
|
{\bf Passive DNS}
|
|
\end{center}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Problem statement}
|
|
\begin{itemize}
|
|
\item CIRCL (and other CSIRTs) have their own passive DNS\footnote{\url{https://www.circl.lu/services/passive-dns/}} collection mechanisms
|
|
\item Current {\bf collection models} are affected with DoH\footnote{DNS over HTTPS} and centralised DNS services
|
|
\item DNS answers collection is a tedious process
|
|
\item {\bf Sharing Passive DNS stream} between organisation is challenging due to privacy
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Potential Strategy}
|
|
\begin{itemize}
|
|
\item Improve {\bf Passive DNS collection diversity} by being closer to the source and limit impact of DoH (e.g. at the OS resolver level)
|
|
\item Increasing diversity and {\bf mixing models} before sharing/storing Passive DNS records
|
|
\item Simplify process and tools to install for {\bf Passive DNS collection by relying on D4 sensors} instead of custom mechanisms
|
|
\item Provide a distributed infrastructure for mixing streams and filtering out the sharing to the validated partners
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{First release}
|
|
|
|
\begin{itemize}
|
|
\item[\checkmark]
|
|
analyzer-d4-passivedns\footnote{\url{https://github.com/D4-project/analyzer-d4-passivedns}}, an analyzer for a D4 network sensor:
|
|
|
|
\begin{itemize}
|
|
\item {\bf processes} data produced by D4 sensors (in passivedns CSV format\footnote{\url{https://github.com/gamelinux/passivedns}}),
|
|
|
|
\item{\bf ingests} these into a {\bf Passive DNS server} which can be queried later to search for the Passive DNS records,
|
|
|
|
\item{\bf provides} a lookup server (using on
|
|
redis-compatible backend) that is a Passive DNS REST server compliant to the Common Output Format\footnote{\url{https://tools.ietf.org/html/draft-dulaunoy-dnsop-passive-dns-cof-04}}.
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
|
|
|
|
\begin{frame}[t]{Common Output Format}
|
|
\begin{itemize}
|
|
\item {\bf Consistent naming of fields across Passive DNS software} based on the most common Passive DNS implementations
|
|
\item Minimal set of fields to be supported
|
|
\item Minimal set of optional fields to be supported
|
|
\item Way to add "additional" fields via a simple registry mechanism (IANA-like)
|
|
\item Simple and easily parsable format
|
|
\item A gentle reminder regarding privacy aspects of Passive DNS
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}[t,fragile]{Sample output www.terena.org}
|
|
\lstdefinelanguage{JavaScript}{
|
|
keywords={typeof, new, true, false, catch, function, return, null, catch, switch, var, if, in, while, do, else, case, break},
|
|
keywordstyle=\color{blue}\bfseries,
|
|
ndkeywords={class, export, boolean, throw, implements, import, this},
|
|
ndkeywordstyle=\color{darkgray}\bfseries,
|
|
identifierstyle=\color{black},
|
|
sensitive=false,
|
|
comment=[l]{//},
|
|
morecomment=[s]{/*}{*/},
|
|
commentstyle=\color{purple}\ttfamily,
|
|
stringstyle=\color{red}\ttfamily,
|
|
morestring=[b]',
|
|
morestring=[b]"
|
|
}
|
|
|
|
\lstset{
|
|
language=JavaScript,
|
|
backgroundcolor=\color{lightgray},
|
|
extendedchars=true,
|
|
basicstyle=\footnotesize\ttfamily,
|
|
showstringspaces=false,
|
|
showspaces=false,
|
|
numbers=left,
|
|
numberstyle=\footnotesize,
|
|
numbersep=9pt,
|
|
tabsize=2,
|
|
breaklines=true,
|
|
showtabs=false,
|
|
captionpos=b
|
|
}
|
|
\lstset{breaklines=true, language=JavaScript}
|
|
\begin{lstlisting}
|
|
{"count": 868, "time_first": 1298398002, "rrtype": "A", "rrname": "www.terena.org", "rdata": "192.87.30.6", "time_last": 1383124252}
|
|
{"count": 89, "time_first": 1383729690, "rrtype": "CNAME", "rrname": "www.terena.org", "rdata": "godzilla.terena.org", "time_last": 1391517643}
|
|
{"count": 110, "time_first": 1298398002, "rrtype": "AAAA", "rrname": "www.terena.org", "rdata": "2001:610:148:dead::6", "time_last": 136670845}
|
|
\end{lstlisting}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}[t]{Mandatory fields}
|
|
\begin{itemize}
|
|
\item \textbf{rrname} : name of the queried resource records
|
|
\begin{itemize}
|
|
\item JSON String
|
|
\end{itemize}
|
|
\item \textbf{rrtype} : resource record type
|
|
\begin{itemize}
|
|
\item JSON String (interpreted type of resource type if known)
|
|
\end{itemize}
|
|
\item \textbf{rdata} : resource records of the query(ied) resource(s)
|
|
\begin{itemize}
|
|
\item JSON String or an array of string if more than one unique triple
|
|
\end{itemize}
|
|
\item \textbf{time\_first} : first time that the resource record triple (rrname, rrtype, rdata) was seen
|
|
\item \textbf{time\_last} : last time that the resource record triple (rrname, rrtype, rdata) was seen
|
|
\begin{itemize}
|
|
\item JSON Number (epoch value) UTC TZ
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}[t]{Optional fields}
|
|
\begin{itemize}
|
|
\item \textbf{count} : how many authoritative DNS answers were received by the Passive DNS collector
|
|
\begin{itemize}
|
|
\item JSON Number
|
|
\end{itemize}
|
|
\item \textbf{bailiwick} : closest enclosing zone delegated to a nameserver served in the zone of the resource records
|
|
\begin{itemize}
|
|
\item JSON String
|
|
\end{itemize}
|
|
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}[t]{Additionals fields}
|
|
\begin{itemize}
|
|
\item \textbf{sensor\_id} : Passive DNS sensor information
|
|
\begin{itemize}
|
|
\item JSON String
|
|
\end{itemize}
|
|
\item \textbf{zone\_time\_first} : specific first/last time seen when imported from a master file
|
|
\item \textbf{zone\_time\_last}
|
|
\begin{itemize}
|
|
\item JSON Number
|
|
\end{itemize}
|
|
\item Additional fields can be requested via \url{https://github.com/adulau/pdns-qof/wiki/Additional-Fields}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}
|
|
\begin{center}
|
|
{\bf Passive SSL revamping}
|
|
\end{center}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Objectives - TLS Fingerprinting}
|
|
{\bf Keep} a log of links between:
|
|
\begin{itemize}
|
|
\item x509 certificates,
|
|
\item ports,
|
|
\item IP address,
|
|
\item client (ja3),
|
|
\item server (ja3s),
|
|
\end{itemize}
|
|
\begin{displayquote}
|
|
``JA3 is a method for creating SSL/TLS client fingerprints that should be easy to produce on any platform and can be easily shared for threat intelligence.''\footnote{https://github.com/salesforce/ja3}
|
|
\end{displayquote}
|
|
|
|
{\bf Pivot} on additional data points during Incident Response
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Objectives - Mind your Ps and Qs}
|
|
{\bf Collect} and {\bf store} x509 certificates and TLS sessions:
|
|
\begin{itemize}
|
|
\item Public keys type and size,
|
|
\item moduli and exponents,
|
|
\item curves parameters.
|
|
\end{itemize}
|
|
{\bf Detect} anti patterns in crypto:
|
|
\begin{itemize}
|
|
\item Shared Public Keys,
|
|
\item Moduli that share one prime factor,
|
|
\item Moduli that share both prime factor,
|
|
\item Small factors,
|
|
\item Nonces reuse / common preffix or suffix, etc.
|
|
\end{itemize}
|
|
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{First release}
|
|
\begin{itemize}
|
|
\item[\checkmark] sensor-d4-tls-fingerprinting
|
|
\footnote{\url{github.com/D4-project/sensor-d4-tls-fingerprinting}}:
|
|
{\bf Extracts} and {\bf fingerprints} certificates, and {\bf computes} TLSH fuzzy hash.
|
|
\item[\checkmark] analyzer-d4-passivessl
|
|
\footnote{\url{github.com/D4-project/analyzer-d4-passivessl}}:
|
|
{\bf Stores} Certificates / PK details in a PostgreSQL DB.
|
|
\item snake-oil-crypto
|
|
\footnote{\url{github.com/D4-project/snake-oil-crypto}}:
|
|
{\bf Runs} weak crypto attacks against the dataset.
|
|
\item lookup-d4-passivessl
|
|
\footnote{\url{github.com/D4-project/lookup-d4-passivessl}}:
|
|
{\bf Exposes} the DB through a public REST API.
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Future}
|
|
\begin{itemize}
|
|
\item {\bf Sensitive information sanitization} by specialized analyzers
|
|
\item {\bf Previewing datasets} collected in D4 sensor network and providing {\bf open data stream} (if contributor agrees to share under specific conditions)
|
|
\item {\bf Leverage MISP sharing communities} to augment Threat
|
|
Intelligence, and provide accurate metrology.
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Use it}
|
|
\begin{itemize}
|
|
\item {\bf Create} sensors easily with the generator \footnote{\url{https://github.com/d4-project/d4-sensor-generator}},
|
|
\item {\bf Manage} your own sensors and servers, {\bf find} shameful bugs and
|
|
{\bf fill} in github issues
|
|
\item Even better, {\bf send} Pull Requests!
|
|
\item {\bf Share} data to public servers to improve the datasets (and detection,
|
|
response, etc.)
|
|
\item {\bf Feed} your MISP instances with D4's findings - {\bf Share} yours
|
|
\item {\bf Leech} data, {\bf write} your own analyzers, {\bf do} research
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Get in touch if you want to join the project, host a sensor or contribute}
|
|
\begin{itemize}
|
|
\item Collaboration can include research partnership, sharing of collected streams or improving the software.
|
|
\item Contact: info@circl.lu
|
|
\item \url{https://github.com/D4-Project}
|
|
\item \url{https://twitter.com/d4_project}
|
|
\item \url{https://d4-project.org}
|
|
\begin{itemize}
|
|
\item
|
|
\href{https://d4-project.org/2019/05/28/passive-dns-tutorial.html}{Passive DNS tutorial}
|
|
\item
|
|
\href{https://d4-project.org/2019/06/17/sharing-between-D4-sensors.html}{Data
|
|
sharing tutorial}
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\end{document}
|