VERN PAXSON ON FIGHTING HACKERS IN REAL-TIME

November 9, 2000

transcribed & edited by Tim Staub, associate editor LIVEwire

Dallas, Texas — The SC2000/Lawrence Berkeley National Laboratory HPC Speaker was Vern Paxson, who discussed “BRO – Detecting and Shutting Down Internet Attackers in Real Time”. Following are edited selections from that talk:

The intrusion detection system running operationally.

Its role in the laboratory is to detect attackers and shut them down, either automatically or with manual intervention. It was conceived five years ago. The basic model is going to watch our site's traffic, extract traffic of interest, piece it into activity and then analyze that activity for attacks. One of the goals was to learn about attacks in real time; people want to know about attacks in real time. As soon as the attack occurs, we wanted to catch it. That greatly expands our ability to stop the attacks.

We very much wanted an extensible system, and one in which the mechanism for the basic detection of activity is very separate from what to do about the activity, what constitutes an attack. Since events are quite generic, what we do about the events is specific to our site; we tailor that for the specific site. Each environment is different, so the notions of what to do are different according to the site.

Another important goal was that we don’t make stupid mistakes when we make our policies. This led to the development of a specialized policy language that's very heavy on language elements for analyzing network traffic and attacks. BRO is unique in regard to various commercial offerings: it was a design assumption that the monitor would be under attack. Not the actual monitor under attack, but the attacker would know the monitor is there and be trying to avoid detection. Users can spit out a real-time notification, they can record logs to disk and they can invoke programs.

So, some examples of what the event engine does; now, its role is to do generic analysis, it is not an engine that says, now, the following constitutes an attack, here’s what to do. The levels are about what the activity is. If it’s fairly low level, for example, there may be an attempted connection or a connection finished, and these are just connections regardless of the protocol. Then there are application-level events, that are specific to the type of use of the network, so there are FTP requests, a retrieve or authentication. There are specific ones, say, someone asks a port mapper to get to a port. For example, someone doing a login session has typed a line – here’s the line. These are particular to specific protocols. BRO allows you to allocate resources according to what you have available. Say you don’t want to analyze FTP; you don’t have to use resources for that. You can concentrate on higher-level attempts. BRO detects many ways of trying to fly under the monitor's radar that are built into the system.

There are a number of analyzers associated with the system. For all TCP connections we can get a lot of information just from the start and stop packets. This is cheap, because they only happen at the beginning and the end; it doesn’t matter how much volume there was. So from these we know about the connection: when it started, what was the presumed service, because it uses a particular well-known port, what host was involved, how much data moved in either direction. From that then we can detect port and address scanning, just by keeping track of how many different ports the host connects to or how many different addresses. The natural way to express this in BRO is in tables, into which we throw the different ports or addresses that get connected to. This means we pick up stealth scans for free.

There are a bunch of different analyzers for FTP. TELNET and RLOGIN are better; one of our main ways of detecting attacks. Keystroke and pause differences are very important because we look for strings, patterns, that reflect common commands attackers issue and the output that they see. For example: one of the common lines is the format that one of the common sniffer programs uses. Then they list the connection that's just been sniffed and look at the output commands. The sniffer will trigger this pattern. In running TELNET and RLOGIN analyzers, nothing else, at UC Berkeley we found 120 break-ins in five months, a little under one a day. These are not attempted break-ins, these are successful break-ins. About sixty of those were successful root compromises. This is very powerful and very sobering. The attack rate at a large university is really high.

The monitor can also take action, and again this is according to whatever your policy happens to be. There are different ways that it can react; one is that it can invoke a program called “reset”, which will reset a TCP connection: it will forge a series of packets that will be interpreted by one end of the connection as the other end having told it to abruptly shut down. The more powerful thing that BRO does is invoke a program called “drop connectivity”. This talks to our border router and says any traffic from this address we don’t want; throw it away. Basically what this does is turn BRO into a reactive particle. We can decide what’s hostile, and turn them off. If we’re scanned, they touch a few of the addresses and are thrown away.

The next issue is that at some point hackers can fake us out and get us to drop connectivity to someone that we don’t really want dropped. Someone that you need to talk with. That is an ongoing issue, how to deal with that. Right now, we have lists of hosts and networks that we will not drop. And I expect that this will evolve when attackers start to launch denial of service using this mechanism.

BRO is running full time on the Lawrence Berkeley DMZ, the Joint Genome Initiative, NERSC and ICSI in addition to about ten other sites. So we can deploy these boxes with a fervor and get a lot of coverage. Access at UC Berkeley is about 30,000 packets per second, and we’re running here at SC2000.

So at the Berkeley Lab we see about 250 million packets per day. We do about 1.5 million connections per day. We’re dropping 40 scans a day; about half of those are Web crawlers and we can put in exceptions to let them crawl us. So there are twenty guys a day that would like to break into us. And we’re most proud of our felon, facing sentencing next January, Max Butler, a purported security “white hat” who did attacks we detected a couple of years ago, basically the first attacker who exploited “bind overflow attacks”. He broke into a large number of machines, including some Air Force machines, which was not a good idea. He was nailed, in large part because we had very good logs as he transited across our DMZ.
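As an added illustration (not code from the talk or from Bro itself) of the two mechanisms Paxson describes, scan detection by throwing ports and addresses into per-source tables, and the never-drop exception list that guards the "drop connectivity" reaction, the following Python works over constructed TCP connection summaries; the thresholds, the never-drop list and the sample addresses are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Thresholds are constructed for this example; the talk gives no numbers.
PORT_SCAN_THRESHOLD = 5  # distinct ports tried on one destination host
ADDR_SCAN_THRESHOLD = 5  # distinct destination hosts touched
# Constructed stand-in for the never-drop list (e.g. permitted Web crawlers).
NEVER_DROP = [ip_network("192.0.2.10/32"), ip_network("10.0.0.0/8")]

@dataclass(frozen=True)
class Conn:  # one TCP connection summary derived from its start/stop packets
    src: str
    dst: str
    dport: int
    state: str  # "attempt" or "finished"; attempts count just the same

def is_exempt(host):
    return any(ip_address(host) in net for net in NEVER_DROP)

def detect_scans(conns):
    """Return {src: reason} for sources that exceed a distinct-target threshold.
    Counting distinct targets rather than completed sessions means a scanner
    probing closed ports (no handshake) is caught too: stealth scans for free."""
    ports_by_pair = defaultdict(set)  # (src, dst) -> {dport}
    hosts_by_src = defaultdict(set)   # src -> {dst}
    flagged = {}
    for c in conns:
        ports_by_pair[(c.src, c.dst)].add(c.dport)
        hosts_by_src[c.src].add(c.dst)
        if c.src in flagged:
            continue
        if len(ports_by_pair[(c.src, c.dst)]) >= PORT_SCAN_THRESHOLD:
            flagged[c.src] = "port scan of " + c.dst
        elif len(hosts_by_src[c.src]) >= ADDR_SCAN_THRESHOLD:
            flagged[c.src] = "address scan"
    return flagged

def drop_decisions(conns):
    """Split flagged sources into border-router drops and exempted hosts."""
    flagged = detect_scans(conns)
    drop = {h: r for h, r in flagged.items() if not is_exempt(h)}
    return drop, {h: r for h, r in flagged.items() if is_exempt(h)}

# Constructed sample: a port scanner, a permitted Web crawler, a normal client.
SAMPLE = (
    [Conn("198.51.100.7", "203.0.113.5", p, "attempt") for p in (21, 22, 23, 25, 80)]
    + [Conn("192.0.2.10", f"203.0.113.{i}", 80, "finished") for i in range(1, 6)]
    + [Conn("203.0.113.9", "203.0.113.5", 22, "finished")]
)
```

Calling `drop_decisions(SAMPLE)` flags the scanner for the border-router drop and the crawler as an address scan that is exempt, while the single normal connection is never flagged.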
