transcribed & edited by Tim Staub, associate editor LIVEwire
Dallas, Texas — The SC2000/Lawrence Berkley National Laboratory HPC Speaker was Vern Paxson, who discussed “BRO – Detecting and Shutting Down Internet Attackers in Real Time”. Following are edited selections from that talk:
The intrusion detection system running operationally.
Its role in the laboratory is to detect attackers, and shut them down, either automatically or with manual intervention. It was concieved five years ago. The basic model is going to watch our sites traffic, extract traffic of interest, piece it into activity and then analize that activity for attacks. One of the goals was to learn about attacks in real time; people want to know about attacks in real time. As soon as the attack occurs, we wanted to catch it. That greatly expands our ability to stop the attacks.
We very much wanted an extensible system, and one in which the mechanism for the basic detection of activity is very separate of what to do about the activity, what constitutes an attack. Since events are quite generic what we do about the events is specific to our site, we tailor that for the specific site. Each environment is different, so the notions of what to do are different according to the site.
Another important goal was that we don’t make stupid mistakes when we make our policies. This led to the development of a specialized policy language thats very heavy on language elements for analizing network traffic and attacks. BRO is unique, in regard to various commercial offerings, it was a design assumption the monitor would be under attack. Not the actual monitor under attack but the attacker would know the monitor is there and be trying to avoid detection. Users can spit out a real time notification, they can record logs to disk and they can envoke programs.
So, some examples of what the event engine does; now, its role is to do generic analysis, it is not an engine that says, now, the following constitutes an attack, here’s what to do. The levels about; what is the activity, if it’s fairly low level, for example their connection may be an attempted connection or a connection finished, and these are just connections regardless of the protocol. Then there’s application level events, that are specific for type of use of the network, so there’s FTP requests, a retrieve or authentification. There’s specific ones, say, someone asks a port mapper to get to a port. For example, someone doing a log in session,has typed a line – here’s the line. These are particular to specific protocols. BRO allows you to allocate resources acording to what you have available. Say, you don’t want to analize FTP’s, you don’t have to use resources for that. You can concentrate on higher level attempts. BRO detects many ways of trying to fly under the monitors radar that are built into the system.
There are a number of analizers associated with the system. For all TCP connections we can get a lot of information just from the start, stop packets. This is cheap, because they only happen at the beginning and the end, it doesn’t matter how much volume there was. So from these we know about the connection; when it started, what was the presumed service, because it uses a particular well known port, what host was involved, how much data moved in either direction. From that then we can detect port and address scanning. Just by keeping track up how many different ports the host connects to or how many different addresses. The natural way to express this in BRO, which is in tables, which we through in the different ports or addresses that get connected to. This means we pick up stealth scans for free.
There are a bunch of different analizers for FTP. TELNET and RLOGIN are better; one of our main ways of detecting attacks. Keystroke and pause differences are very important because we look for strings, patterns, that reflect common commands attackers issue and the output that they see. For example: one of the common lines is the format that one of the common sniffer programs uses. Then they list the connection thats just been sniffed looks at the output commands. The sniffer will trigger this pattern. In running TELNET and RLOGIN analizers, nothing else, at UC Berkley we found out 120 break-ins in five months, a little under one a day. These are not attempted break-ins, these are successful break-ins. About sixty of those were successful root compromises. This is very powerful and, very sobering. The attack rate at a large university is really high.
The monitor can also take action, and again this is according to whatever your policy happens to be. There are different ways that it can react; one is that it can envoke a program called “reset”, which will reset a TCP connection and it will forge a series of packets that will be interpreted by one end of the connection as the other end as having told it to abruptly shut down. The more powerful thing that BRO does is envoke a program called “drop connectivity”. This talks to our border router and says any traffic from this address we don’t want; throw it away. Basically what this does is turn BRO into a reactive particle. We can decide what’s hostile, and turn them off. If we’re scanned, they touch a few of the addresses and are thrown away.
The next issue is; at some point hackers can fake us out and get us to drop connectivity to someone that we don’t really want dropped. Someone that you need to talk with. That is an on going issue, how to deal with that. Right now, we have lists of hosts and networks that we will not drop. And I expect that this will evolve when attackers start to launch denial of service using this mechanism.
BRO is running full time on the Laurence Berkley DMZ, the Joint Genome Initiative, NERSC and ICSI in addition to about ten other sites. So we can deploy these boxes with a furvor and get a lot of coverage. Access at UC Berkley is about 30,000 packets per second, and we’re running here at SC2000.
So at the Berkley Lab we see about 250 million packets per day. We do about 1.5 million connections per day. We’re dropping 40 scans a day, about half of those are Web crawlers and we can put in exceptions to let them clawl us. So there’s twenty guys a day that would like to break into us. And we’re most prowd of our felon, facing sentencing next January, Max Butler, a perported security “white hat” who did attacks we detected a couple years ago, basically the first attacker who exploited “bind overflow attacks”. He broke into a large number of machines, including some Air Force machines; which was not a good idea. He was nailed, in large part because we had very good logs as he transited across our DMZ.