From breno.silva at gmail.com Sun Jan 3 21:53:36 2010
From: breno.silva at gmail.com (Breno Silva)
Date: Mon, 4 Jan 2010 00:53:36 -0200
Subject: [Oisf-wg-portscan] Hey
In-Reply-To: <65f41b5a0912301530r68942283t1f2f1649c2db565a@mail.gmail.com>
References: <4AD3292C.8070702@jonkmans.com>
	<65f41b5a0910120857o76860ceam8ee1734fa7019f76@mail.gmail.com>
	<70D072392E56884193E3D2DE09C097A9381E9E@pascal.zaphodb.org>
	<65f41b5a0910250622qc15513jb35c7b116464a09a@mail.gmail.com>
	<70D072392E56884193E3D2DE09C097A9382017@pascal.zaphodb.org>
	<65f41b5a0912301530r68942283t1f2f1649c2db565a@mail.gmail.com>
Message-ID: <65f41b5a1001031853t7e93d535p4f5457ac039c8572@mail.gmail.com>

Guys,

I'm coding a patch for Suricata with some new features for anomaly
detection.

I will show you soon,

Thanks

breno

On Wed, Dec 30, 2009 at 9:30 PM, Breno Silva wrote:
> Hi All,
>
> I coded a PoC for testing.
>
> to compile ... gcc -o ddos ddos.c -lpcap -lm
>
> ./ddos -i eth0
>
> If you can .. please run it in a real network. Let's try to simulate ddos
> attacks
>
> It will compute every 200 pkts (at least 32 bytes) captured.
>
> It just handles UDP pkts
>
> Thanks guys
> Hope to see some comments :)
>
> Happy new year
>
> Breno
>
>
> On Wed, Nov 25, 2009 at 3:07 PM, Tomas L. Byrnes wrote:
>
>> I'm sorry that this fell through the cracks. I've had a hellacious
>> month. I'd be happy to test for you.
>>
>> From: oisf-wg-portscan-bounces at openinfosecfoundation.org
>> [mailto:oisf-wg-portscan-bounces at openinfosecfoundation.org] On Behalf Of Breno Silva
>> Sent: Sunday, October 25, 2009 6:22 AM
>> To: DDoS and Portscan methods discussion
>> Subject: Re: [Oisf-wg-portscan] Hey
>>
>> Hi Tomas,
>>
>> I have an implementation of this in my internal and external network.
>> However my internal network is very big and my external is AS7738 and
>> AS8167.
>> In both cases it is working well, almost without false positives and a good
>> rate of attack detection.
>> But in both cases the traffic is highly random
>> (internal is less random) ... but working well
>>
>> However I never tested it in a small LAN. If you have one I can send you the
>> code for testing.
>>
>> What do you think?
>>
>> Thanks
>>
>> Breno
>>
>> On Sat, Oct 24, 2009 at 3:15 PM, Tomas L. Byrnes wrote:
>>
>> I think the problem with this is that you're assuming that the PAYLOAD of
>> traffic to a given port, especially UDP, is highly random in the case of
>> normal traffic, and highly self-similar in the case of (D)DOS.
>>
>> This is not true, especially for widely used services such as DNS. The
>> vast majority of DNS packets are HIGHLY self-similar, especially the ones
>> to/from Authoritative Nameservers, which are usually answering queries for
>> the exact same RRSETs all the time.
>>
>> From: oisf-wg-portscan-bounces at openinfosecfoundation.org
>> [mailto:oisf-wg-portscan-bounces at openinfosecfoundation.org] On Behalf Of Breno Silva
>> Sent: Monday, October 12, 2009 8:58 AM
>> To: DDoS and Portscan methods discussion
>> Subject: Re: [Oisf-wg-portscan] Hey
>>
>> Hi Guys
>>
>> Good to hear from you.
>>
>> I'm sending two simple pieces of code for discussion, to see if they can be
>> used as part of a future ddos detection engine.
>>
>> The idea is to create something that measures the traffic entropy. Most
>> ddos attacks change (decrease) the entropy of certain traffic.
>>
>> This is the pseudo-code to implement the idea:
>>
>> for_each_packet() {
>>
>>     case udp:
>>         udp_packet[dest port]->count_bit_1_for_the_packet
>>         udp_packet[dest port]->store_sddr_daddr_ports_etc
>>         alfa += apply_the_algorithm_for_the_packet(udp_packet[dest port]->count_bit_1_for_the_packet)
>>         countbit1total[dest port] += udp_packet[dest port]->count_bit_1_for_the_packet
>>
>>     case tcp:
>>         tcp_packet[dest port]->count_bit_1_for_the_packet
>>         tcp_packet[dest port]->store_sddr_daddr_ports_etc
>>         alfa += apply_the_algorithm_for_the_packet(tcp_packet[dest port]->count_bit_1_for_the_packet)
>>         countbit1total[dest port] += tcp_packet[dest port]->count_bit_1_for_the_packet
>>
>>     if(we_have_200_packets_in_this_port)
>>     {
>>         beta = apply_the_algorithm_for_the_all_packets(countbit1total[dest port])
>>
>>         if(beta < alfa)
>>         {
>>             attack detected
>>         }
>>         else {
>>             normal traffic
>>         }
>>     }
>> }
>>
>> where
>>
>> apply_the_algorithm_for_the_packet :
>>
>>     (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
>>     - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
>>     + log((PKT_BYTES*8))/log(2);
>>
>> and
>>
>> apply_the_algorithm_for_the_all_packets :
>>
>>     (PKT_BYTES*8*NUM_PKT_POLL)*(((-(countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL))*(log((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL))/log(2))
>>     - (1 - ((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL)))*(log(1-((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL)))/log(2))))
>>     + log((PKT_BYTES*8*NUM_PKT_POLL))/log(2);
>>
>>
>> I will try to explain the idea behind the algorithm...
>>
>> Suppose we have 3 complex strings: X, Y and Z
>> So... if we can calculate the complexity for each string using some formula
>> C(x),
>>
>> for a random/very complex string we have : C(X) + C(Y) + C(Z) < C(XYZ)
>>
>> in other words .. if you have 3 complex things (C(x) C(y) C(z)) .. and
>> concatenate them ... you will have something much more complex (C(XYZ))
>>
>> make sense ?
>>
>>
>> This is how the algorithm works for ddos detection... measuring normal
>> traffic on a port number .. we will see a lot of random payloads... and
>> during an attack.. it will change (if the attacker does not randomize the
>> payload).
>>
>> So.. for normal traffic:
>>
>> Complexity_of(Packet1) + Complexity_of(Packet2) + Complexity_of(PacketN)
>>     <= All_complexity(Packet1+Packet2+PacketN)
>>
>> and for a ddos:
>>
>> Complexity_of(Packet1) + Complexity_of(Packet2) + Complexity_of(PacketN)
>>     > All_complexity(Packet1+Packet2+PacketN)
>>
>>
>> /* Here we are simulating normal traffic
>>  * each bitone represents the distribution of bit 1 in each packet payload
>>  * and in this case the value of bitone is random
>>  *
>>  */
>>
>> #include <stdio.h>
>> #include <math.h>
>>
>> float NUM_PKT_POLL = 10;  // Number of packets to process in each port number
>> float PKT_BYTES = 32;     // payload bytes to count the bit 1
>> float countonetotal = 0;
>> float THR = 0.3;          // I will explain it later
>> float bitone = 0;
>>
>> int main()
>> {
>>     float kolmogorov_total = 0;
>>     float kolmogorov_packet = 0;
>>
>>     bitone = 200;
>>     kolmogorov_packet +=
>>         (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
>>         - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
>>         + log((PKT_BYTES*8))/log(2);
>>     countonetotal += 200;
>>
>>     bitone = 122;
>>     kolmogorov_packet +=
>>         (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
>>         - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
>>         + log((PKT_BYTES*8))/log(2);
>>     countonetotal += 122;
>>
>>     bitone = 140;
>>     kolmogorov_packet +=
>>         (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
>>         - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
>>         + log((PKT_BYTES*8))/log(2);
>>     countonetotal += 140;
>>
>>     bitone = 150;
>>     kolmogorov_packet +=
>>         (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
>>         - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
>>         + log((PKT_BYTES*8))/log(2);
>>     countonetotal += 150;
>>
>>     bitone = 150;
>>     kolmogorov_packet +=
>>         (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
>>         - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
>>         + log((PKT_BYTES*8))/log(2);
>>     countonetotal += 150;
>>
>>     bitone = 150;
>>     kolmogorov_packet +=
>>         (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
>>         - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
>>         + log((PKT_BYTES*8))/log(2);
>>     countonetotal += 150;
>>
>>     bitone = 150;
>>     kolmogorov_packet +=
>>         (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
>>         - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
>>         + log((PKT_BYTES*8))/log(2);
>>     countonetotal += 150;
>>
>>     bitone = 150;
>>     kolmogorov_packet +=
>>         (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
>>         - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
>>         + log((PKT_BYTES*8))/log(2);
>>     countonetotal += 150;
>>
>>     bitone = 150;
>>     kolmogorov_packet +=
>>         (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
>>         - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
>>         + log((PKT_BYTES*8))/log(2);
>>     countonetotal += bitone;
>>
>>     bitone = 150;
>>     kolmogorov_packet +=
>>         (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
>>         - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
>>         + log((PKT_BYTES*8))/log(2);
>>     countonetotal += bitone;
>>
>>     /* complexity of the whole window, treated as one concatenated payload */
>>     kolmogorov_total =
>>         (PKT_BYTES*8*NUM_PKT_POLL)*(((-(countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL))*(log((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL))/log(2))
>>         - (1 - ((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL)))*(log(1-((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL)))/log(2))))
>>         + log((PKT_BYTES*8*NUM_PKT_POLL))/log(2);
>>
>>     if(kolmogorov_total < kolmogorov_packet)
>>         printf("ATTACK DETECTED\n");
>>     else
>>         printf("NORMAL TRAFFIC\n");
>>
>>     return 0;
>> }
>>
>> **************************
>>
>> ********* CODE ***********
>>
>> /* This is the same code ... but simulating a ddos attack
>>  */
>>
>> #include <stdio.h>
>> #include <math.h>
>>
>> float NUM_PKT_POLL = 10;
>> float PKT_BYTES = 32;
>> float countonetotal = 0;
>> float THR = 0.3;
>> float bitone = 0;
>>
>> int main()
>> {
>>     float kolmogorov_total = 0;
>>     float kolmogorov_packet = 0;
>>
>>     bitone = 200;
>>     kolmogorov_packet +=
>>         (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
>>         - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
>>         + log((PKT_BYTES*8))/log(2);
>>     countonetotal += 200;
>>
>>     bitone = 122;
>>     kolmogorov_packet +=
>>         (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
>>         - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
>>         + log((PKT_BYTES*8))/log(2);
>>     countonetotal += 122;
>>
>>     bitone = 140;
>>     kolmogorov_packet +=
>>         (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
>>         - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
>>         + log((PKT_BYTES*8))/log(2);
>>     countonetotal += 140;
>>
>>     bitone = 150;
>>     kolmogorov_packet +=
>>         (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
>>         - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
>>         + log((PKT_BYTES*8))/log(2);
>>     countonetotal += 150;
>>
>>     bitone = 150;
>>     kolmogorov_packet +=
>>         (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
>>         - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
>>         + log((PKT_BYTES*8))/log(2);
>>     countonetotal += 150;
>>
>>     bitone = 150;
>>     kolmogorov_packet +=
>>         (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
>>         - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
>>         + log((PKT_BYTES*8))/log(2);
>>     countonetotal += 150;
>>
>>     bitone = 150;
>>     kolmogorov_packet +=
>>         (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
>>         - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
>>         + log((PKT_BYTES*8))/log(2);
>>     countonetotal += 150;
>>
>>     bitone = 150;
>>     kolmogorov_packet +=
>>         (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
>>         - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
>>         + log((PKT_BYTES*8))/log(2);
>>     countonetotal += 150;
>>
>>     bitone = 150;
>>     kolmogorov_packet +=
>>         (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
>>         - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
>>         + log((PKT_BYTES*8))/log(2);
>>     countonetotal += bitone;
>>
>>     bitone = 150;
>>     kolmogorov_packet +=
>>         (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
>>         - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
>>         + log((PKT_BYTES*8))/log(2);
>>     countonetotal += bitone;
>>
>>     kolmogorov_total =
>>         (PKT_BYTES*8*NUM_PKT_POLL)*(((-(countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL))*(log((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL))/log(2))
>>         - (1 - ((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL)))*(log(1-((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL)))/log(2))))
>>         + log((PKT_BYTES*8*NUM_PKT_POLL))/log(2);
>>
>>     if(kolmogorov_total < kolmogorov_packet)
>>         printf("ATTACK DETECTED\n");
>>     else
>>         printf("NORMAL TRAFFIC\n");
>>
>>     return 0;
>> }
>>
>> On Mon, Oct 12, 2009 at 10:03 AM, Matt Jonkman wrote:
>>
>> Yes! We have all the right people here. Shoot us your idea!
>>
>> Matt
>>
>>
>> Jeff Dickey wrote:
>> > I think what Matt was trying to say was "hey, Breno, everybody with a
>> > technical interest in OISF is on the list; don't ask to ask - what's the
>> > code you've got?"
>> >
>> > But I'll join the flood anyway :-)
>> >
>> >
>> > On 12/10/09 07:21 , "Matt Jonkman" wrote:
>> >
>> >> There's a large number of people on here, we can't have everyone check
>> >> in. :)
>> >>
>> >> What are you thinking about?
>> >>
>> >> Matt
>> >>
>> >> Breno Silva wrote:
>> >>> Hey Shyaam!
>> >>>
>> >>> Good to hear from you!
>> >>>
>> >>> Let's wait one more day to hear from the other guys
>> >>>
>> >>> cheers
>> >>>
>> >>> Breno
>> >>>
>> >>> On Sun, Oct 11, 2009 at 7:57 PM, Shyaam Sundhar wrote:
>> >>>
>> >>>     Everyone is with you brotha!
>> >>>
>> >>>     Sent from my iPhone
>> >>>
>> >>>     On Oct 11, 2009, at 6:35 PM, Breno Silva wrote:
>> >>>
>> >>>>     Hey guys,
>> >>>>
>> >>>>     Who is on the list?
>> >>>>
>> >>>>     I have a simple code to discuss with you
>> >>>>
>> >>>>     Thanks
>> >>>>
>> >>>>     Breno
>> >>>>     _______________________________________________
>> >>>>     Oisf-wg-portscan mailing list
>> >>>>     Oisf-wg-portscan at openinfosecfoundation.org
>> >>>>     http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-wg-portscan
>> >
>>
>> --
>> --------------------------------------------
>> Matthew Jonkman
>> Emerging Threats
>> Open Information Security Foundation (OISF)
>> Phone 765-429-0398
>> Fax 312-264-0205
>> http://www.emergingthreats.net
>> http://www.openinformationsecurityfoundation.org
>> --------------------------------------------
>>
>> PGP: http://www.jonkmans.com/mattjonkman.asc
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openinfosecfoundation.org/pipermail/oisf-wg-portscan/attachments/20100104/e9d81ae0/attachment-0001.html

From breno.silva at gmail.com Thu Jan 14 14:30:50 2010
From: breno.silva at gmail.com (Breno Silva)
Date: Thu, 14 Jan 2010 17:30:50 -0200
Subject: [Oisf-wg-portscan] Hey
In-Reply-To: <65f41b5a1001031853t7e93d535p4f5457ac039c8572@mail.gmail.com>
References: <4AD3292C.8070702@jonkmans.com>
	<65f41b5a0910120857o76860ceam8ee1734fa7019f76@mail.gmail.com>
	<70D072392E56884193E3D2DE09C097A9381E9E@pascal.zaphodb.org>
	<65f41b5a0910250622qc15513jb35c7b116464a09a@mail.gmail.com>
	<70D072392E56884193E3D2DE09C097A9382017@pascal.zaphodb.org>
	<65f41b5a0912301530r68942283t1f2f1649c2db565a@mail.gmail.com>
	<65f41b5a1001031853t7e93d535p4f5457ac039c8572@mail.gmail.com>
Message-ID: <65f41b5a1001141130q283a2f49nc24f35150ea8faa3@mail.gmail.com>

Hi all,

I have a suricata version with an entropy rule option. I need some network
to test it :) ... Anyone ?
I can make a tar of my suricata extra version for you.

thanks

breno

On Mon, Jan 4, 2010 at 12:53 AM, Breno Silva wrote:
> [...]
From jan.kaestner at siemens.com Fri Jan 15 09:46:47 2010
From: jan.kaestner at siemens.com (Kaestner, Jan)
Date: Fri, 15 Jan 2010 15:46:47 +0100
Subject: [Oisf-wg-portscan] Hey
In-Reply-To: <65f41b5a1001141130q283a2f49nc24f35150ea8faa3@mail.gmail.com>
References: <4AD3292C.8070702@jonkmans.com> <65f41b5a0910120857o76860ceam8ee1734fa7019f76@mail.gmail.com> <70D072392E56884193E3D2DE09C097A9381E9E@pascal.zaphodb.org> <65f41b5a0910250622qc15513jb35c7b116464a09a@mail.gmail.com> <70D072392E56884193E3D2DE09C097A9382017@pascal.zaphodb.org> <65f41b5a0912301530r68942283t1f2f1649c2db565a@mail.gmail.com> <65f41b5a1001031853t7e93d535p4f5457ac039c8572@mail.gmail.com> <65f41b5a1001141130q283a2f49nc24f35150ea8faa3@mail.gmail.com>
Message-ID:

Hi Breno,

what does the test network need to look like?

If you download the document "Whitepaper; Security concept PCS 7 and WinCC - main document: http://support.automation.siemens.com/WW/view/en/26462131" from Siemens, you will find on the last three pages a detailed description, which is nearly how my test lab is configured and structured (my lab is a bit less than that).

With best regards,
Jan Kaestner

Siemens AG
Industry Sector
Industry Automation Division
Industrial Automation Systems
I IA AS RD DH K5
Oestliche Rheinbrueckenstr. 50
76187 Karlsruhe, Germany
Tel.: +49 (721) 595-3138
mailto:jan.kaestner at siemens.com

From: oisf-wg-portscan-bounces at openinfosecfoundation.org [mailto:oisf-wg-portscan-bounces at openinfosecfoundation.org] On Behalf Of Breno Silva
Sent: Thursday, January 14, 2010 8:31 PM
To: DDoS and Portscan methods discussion
Subject: Re: [Oisf-wg-portscan] Hey

Hi all,

I have a suricata version with an entropy rule option.

I need some network to test it :) ...
Anyone? I can make a tar of my suricata extra version for you.

thanks

breno

On Mon, Jan 4, 2010 at 12:53 AM, Breno Silva wrote:

Guys,

I'm coding a patch for Suricata with some new features for anomaly detection.

I will show you soon,

Thanks

breno

On Wed, Dec 30, 2009 at 9:30 PM, Breno Silva wrote:

Hi All,

I coded a PoC code for testing.

to compile ... gcc -o ddos ddos.c -lpcap -lm

./ddos -i eth0

If you can .. please run it in a real network. Let's try to simulate ddos attacks

It will compute every 200 pkts (at least 32 bytes) captured.

it only handles UDP pkts

Thanks guys
Hope to see some comments :)

Happy new year

Breno

On Wed, Nov 25, 2009 at 3:07 PM, Tomas L. Byrnes wrote:

I'm sorry that this fell through the cracks. I've had a hellacious month. I'd be happy to test for you.

From: oisf-wg-portscan-bounces at openinfosecfoundation.org [mailto:oisf-wg-portscan-bounces at openinfosecfoundation.org] On Behalf Of Breno Silva
Sent: Sunday, October 25, 2009 6:22 AM
To: DDoS and Portscan methods discussion
Subject: Re: [Oisf-wg-portscan] Hey

Hi Tomas,

I have an implementation of this in my internal and external network. However my internal network is very big and my external is AS7738 and AS8167.
In both cases it is working well, almost without false positives and a good rate of attack detection. But in both cases the traffic is highly random (internal is less random) ... but working well

However I never tested it in a small LAN. If you have one I can send you the code for testing.

What do you think?

Thanks

Breno

On Sat, Oct 24, 2009 at 3:15 PM, Tomas L. Byrnes wrote:

I think the problem with this is that you're assuming that the PAYLOAD of traffic to a given port, especially UDP, is highly random in the case of normal traffic, and highly self-similar in the case of (D)DOS.

This is not true, especially for widely used services such as DNS. The vast majority of DNS packets are HIGHLY self-similar, especially the ones to/from Authoritative Nameservers, which are usually answering queries for the exact same RRSETs all the time.

From: oisf-wg-portscan-bounces at openinfosecfoundation.org [mailto:oisf-wg-portscan-bounces at openinfosecfoundation.org] On Behalf Of Breno Silva
Sent: Monday, October 12, 2009 8:58 AM
To: DDoS and Portscan methods discussion
Subject: Re: [Oisf-wg-portscan] Hey

Hi Guys

Good to hear from you.

I'm sending two simple codes for discussion, to see if they can be used as part of a future ddos detection engine.

The idea is to create something to measure the traffic entropy. Most ddos attacks change (decrease) the entropy of certain traffic.

This is a pseudo-code to implement the idea:

for_each_packet() {

    case udp:
        udp_packet[dest port]->count_bit_1_for_the_packet
        udp_packet[dest port]->store_sddr_daddr_ports_etc
        alfa += apply_the_algorithm_for_the_packet(udp_packet[dest port]->count_bit_1_for_the_packet)
        countbit1total[dest port] += udp_packet[dest port]->count_bit_1_for_the_packet

    case tcp:
        tcp_packet[dest port]->count_bit_1_for_the_packet
        tcp_packet[dest port]->store_sddr_daddr_ports_etc
        alfa += apply_the_algorithm_for_the_packet(tcp_packet[dest port]->count_bit_1_for_the_packet)
        countbit1total[dest port] += tcp_packet[dest port]->count_bit_1_for_the_packet

    if(we_have_200_packets_in_this_port)
    {
        beta = apply_the_algorithm_for_the_all_packets(countbit1total[dest port])

        if(beta < alfa)
        {
            attack detected
        }
        else {
            normal traffic
        }
    }
}

where

apply_the_algorithm_for_the_packet :

(PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
 - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
 + log((PKT_BYTES*8))/log(2);

and

apply_the_algorithm_for_the_all_packets :

(PKT_BYTES*8*NUM_PKT_POLL)*(((-(countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL))*(log((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL))/log(2))
 - (1 - ((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL)))*(log(1-((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL)))/log(2))))
 + log((PKT_BYTES*8*NUM_PKT_POLL))/log(2);

I will try to explain the idea behind the algorithm...

Suppose we have 3 complex strings: X, Y and Z
So... if we can calculate the complexity for each string using some formula C(x),

for a random/very complex string we have : C(X) + C(Y) + C(Z) < C(XYZ)

in other words .. if you have 3 complex things (C(x) C(y) c(z)) .. and concatenate them ... you will have something much more complex (C(XYZ))

make sense?

This is how the algorithm works for ddos detection... measuring normal traffic on a port number .. we will see a lot of random payloads... and during an attack.. it will change (if the attacker does not randomize the payload).

So.. for normal traffic:

Complexity_of(Packet1) + Complexity_of(Packet2) + Complexity_of(PacketN) <= All_complexity(Packet1+Packet2+PacketN)

and for a ddos:

Complexity_of(Packet1) + Complexity_of(Packet2) + Complexity_of(PacketN) > All_complexity(Packet1+Packet2+PacketN)

/* Here we are simulating a normal traffic
 * each bitone represents the distribution of bit 1 in each packet payload
 * and in this case the value of bitone is random
 *
 */

#include <stdio.h>
#include <math.h>

float NUM_PKT_POLL = 10; // Number of packets to process in each port number
float PKT_BYTES = 32;    // payload bytes to count the bit 1
float countonetotal = 0;
float THR = 0.3;         // I will explain it later
float bitone = 0;

int main()
{
    int i;
    float kolmogorov_total = 0;
    float kolmogorov_packet = 0;
    /* count of 1 bits in each of the NUM_PKT_POLL packets */
    float ones[10] = {200, 122, 140, 150, 150, 150, 150, 150, 150, 150};

    for (i = 0; i < NUM_PKT_POLL; i++) {
        bitone = ones[i];
        /* per-packet term, accumulated over the poll */
        kolmogorov_packet +=
            (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
            - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
            + log((PKT_BYTES*8))/log(2);
        countonetotal += bitone;
    }

    /* term for all packets of the poll taken together */
    kolmogorov_total =
        (PKT_BYTES*8*NUM_PKT_POLL)*(((-(countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL))*(log((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL))/log(2))
        - (1 - ((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL)))*(log(1-((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL)))/log(2))))
        + log((PKT_BYTES*8*NUM_PKT_POLL))/log(2);

    if(kolmogorov_total < kolmogorov_packet)
        printf("ATTACK DETECTED\n");
    else
        printf("NORMAL TRAFFIC\n");
    return 0;
}

**************************

********* CODE ***********

/* This is the same code ... but simulating a ddos attack
 */

#include <stdio.h>
#include <math.h>

float NUM_PKT_POLL = 10;
float PKT_BYTES = 32;
float countonetotal = 0;
float THR = 0.3;
float bitone = 0;

int main()
{
    int i;
    float kolmogorov_total = 0;
    float kolmogorov_packet = 0;
    /* count of 1 bits in each of the NUM_PKT_POLL packets */
    float ones[10] = {200, 122, 140, 150, 150, 150, 150, 150, 150, 150};

    for (i = 0; i < NUM_PKT_POLL; i++) {
        bitone = ones[i];
        /* per-packet term, accumulated over the poll */
        kolmogorov_packet +=
            (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
            - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
            + log((PKT_BYTES*8))/log(2);
        countonetotal += bitone;
    }

    /* term for all packets of the poll taken together */
    kolmogorov_total =
        (PKT_BYTES*8*NUM_PKT_POLL)*(((-(countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL))*(log((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL))/log(2))
        - (1 - ((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL)))*(log(1-((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL)))/log(2))))
        + log((PKT_BYTES*8*NUM_PKT_POLL))/log(2);

    if(kolmogorov_total < kolmogorov_packet)
        printf("ATTACK DETECTED\n");
    else
        printf("NORMAL TRAFFIC\n");
    return 0;
}
From breno.silva at gmail.com Fri Jan 15 10:44:53 2010
From: breno.silva at gmail.com (Breno Silva)
Date: Fri, 15 Jan 2010 13:44:53 -0200
Subject: [Oisf-wg-portscan] Hey
In-Reply-To:
References: <4AD3292C.8070702@jonkmans.com> <65f41b5a0910120857o76860ceam8ee1734fa7019f76@mail.gmail.com> <70D072392E56884193E3D2DE09C097A9381E9E@pascal.zaphodb.org> <65f41b5a0910250622qc15513jb35c7b116464a09a@mail.gmail.com> <70D072392E56884193E3D2DE09C097A9382017@pascal.zaphodb.org> <65f41b5a0912301530r68942283t1f2f1649c2db565a@mail.gmail.com> <65f41b5a1001031853t7e93d535p4f5457ac039c8572@mail.gmail.com> <65f41b5a1001141130q283a2f49nc24f35150ea8faa3@mail.gmail.com>
Message-ID: <65f41b5a1001150744g13c0fc53ne7d600cc63a7a134@mail.gmail.com>

Hi Jan,

Thanks for your attention. We need real network traffic for the first test. I'd like to have at least real traffic on ports 80, 443 and 445.
Next we will run the suricata entropy version with some entropy keyword rules enabled:

alert tcp any any -> any 80 (msg:"HTTP L7 Attack detected - 48 bytes"; entropy:type kl7,track by_dst,count 100,bytes 48,timeout 60; sid:1;)
alert tcp any any -> any 443 (msg:"HTTPS L7 Attack detected - 48 bytes"; entropy:type kl7,track by_dst,count 100,bytes 48,timeout 60; sid:2;)
alert tcp any any -> any 445 (msg:"Microsoft-DS L7 Attack detected or worm - 48 bytes"; entropy:type kl7,track by_dst,count 100,bytes 48,timeout 60; sid:3;)
alert tcp any any -> any 80 (msg:"HTTP L7 Attack detected - 150 bytes"; entropy:type kl7,track by_dst,count 100,bytes 150,timeout 60; sid:4;)
alert tcp any any -> any 443 (msg:"HTTPS L7 Attack detected - 150 bytes"; entropy:type kl7,track by_dst,count 100,bytes 150,timeout 60; sid:5;)
alert tcp any any -> any 445 (msg:"Microsoft-DS L7 Attack detected or worm - 150 bytes"; entropy:type kl7,track by_dst,count 100,bytes 150,timeout 60; sid:6;)
alert tcp any any -> any 80 (msg:"HTTP L7 Attack detected - 256 bytes"; entropy:type kl7,track by_dst,count 100,bytes 256,timeout 60; sid:7;)
alert tcp any any -> any 443 (msg:"HTTPS L7 Attack detected - 256 bytes"; entropy:type kl7,track by_dst,count 100,bytes 256,timeout 60; sid:8;)
alert tcp any any -> any 445 (msg:"Microsoft-DS L7 Attack detected or worm - 256 bytes"; entropy:type kl7,track by_dst,count 100,bytes 256,timeout 60; sid:9;)

Let's run suricata and see whether we have some false positives. After that we will start some DDoS/DoS/Worm simulation attacks.

Do you think you can help me?

Thanks

Breno

On Fri, Jan 15, 2010 at 12:46 PM, Kaestner, Jan wrote:

> Hi Breno,
>
> what does the test network need to look like?
>
> If you download the document "Whitepaper; Security concept PCS 7 and WinCC
> - main document: http://support.automation.siemens.com/WW/view/en/26462131"
> from Siemens, you will find on the last three pages a detailed
> description, which is nearly how my test lab is configured and structured
> (my lab is a bit less than that).
>
> With best regards,
> Jan Kaestner
>
> *From:* oisf-wg-portscan-bounces at openinfosecfoundation.org [mailto:oisf-wg-portscan-bounces at openinfosecfoundation.org] *On Behalf Of *Breno Silva
> *Sent:* Thursday, January 14, 2010 8:31 PM
> *To:* DDoS and Portscan methods discussion
> *Subject:* Re: [Oisf-wg-portscan] Hey
>
> Hi all,
>
> I have a suricata version with an entropy rule option.
>
> I need some network to test it :) ... Anyone? I can make a tar of my
> suricata extra version for you.
>
> thanks
>
> breno
mailing list > Oisf-wg-portscan at openinfosecfoundation.org > http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-wg-portscan > > > > > _______________________________________________ > Oisf-wg-portscan mailing list > Oisf-wg-portscan at openinfosecfoundation.org > http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-wg-portscan > > > > > > > > _______________________________________________ > Oisf-wg-portscan mailing list > Oisf-wg-portscan at openinfosecfoundation.org > http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-wg-portscan > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.openinfosecfoundation.org/pipermail/oisf-wg-portscan/attachments/20100115/26772790/attachment-0001.html From breno.silva at gmail.com Wed Jan 27 15:17:55 2010 From: breno.silva at gmail.com (Breno Silva) Date: Wed, 27 Jan 2010 18:17:55 -0200 Subject: [Oisf-wg-portscan] Hey In-Reply-To: <65f41b5a1001150744g13c0fc53ne7d600cc63a7a134@mail.gmail.com> References: <65f41b5a0910120857o76860ceam8ee1734fa7019f76@mail.gmail.com> <70D072392E56884193E3D2DE09C097A9381E9E@pascal.zaphodb.org> <65f41b5a0910250622qc15513jb35c7b116464a09a@mail.gmail.com> <70D072392E56884193E3D2DE09C097A9382017@pascal.zaphodb.org> <65f41b5a0912301530r68942283t1f2f1649c2db565a@mail.gmail.com> <65f41b5a1001031853t7e93d535p4f5457ac039c8572@mail.gmail.com> <65f41b5a1001141130q283a2f49nc24f35150ea8faa3@mail.gmail.com> <65f41b5a1001150744g13c0fc53ne7d600cc63a7a134@mail.gmail.com> Message-ID: <65f41b5a1001271217i23afd9d2wef104e8f3e41a39a@mail.gmail.com> Hi all, I have tested our PoC with Brant. 
After some tests and adjustments we defined these rules and suricata ran without false positives:

alert tcp any any -> x.y.0.2 80 (msg:"Entropy TCP PORT 80 - 100 bytes"; entropy:type kl7,track by_dst,count 300,bytes 100,timeout 100; sid: 999999801;)
#alert tcp any any -> any 445 (msg:"Entropy TCP PORT 445 - 48 bytes"; entropy:type kl7,track by_dst,count 100,bytes 48,timeout 100; sid: 999999802;)
alert tcp $EXTERNAL_NET any -> x.y.0.2 443 (msg:"Entropy TCP PORT 443 - 48 bytes"; entropy:type kl7,track by_dst,count 100,bytes 48,timeout 100; sid: 999999803;)
alert tcp $EXTERNAL_NET any -> x.y.0.2 21 (msg:"Entropy TCP PORT 21 - 48 bytes"; entropy:type kl7,track by_dst,count 100,bytes 48,timeout 100;sid:999999804;)
alert tcp any any -> any 22 (msg:"Entropy TCP PORT 22 - 160 bytes"; entropy:type kl7,track by_dst,count 500,bytes 32,timeout 100; sid: 999999805;)

After that I sent some HTTP Flood attacks (small attacks) and it detected them very quickly :)

I'm still coding a patch to send to someone who wants to test :)

Thanks

Breno

On Fri, Jan 15, 2010 at 1:44 PM, Breno Silva wrote:
> Hi Jan,
>
> Thanks for your attention. We need real network traffic for the first
> test.
> I'd like to have at least real traffic at ports 80, 443 and 445.
>
> Next we will run the suricata entropy version with some entropy keyword
> rules enabled:
>
> alert tcp any any -> any 80 (msg:"HTTP L7 Attack detected - 48 bytes"; entropy:type kl7,track by_dst,count 100,bytes 48,timeout 60; sid: 1;)
> alert tcp any any -> any 443 (msg:"HTTPS L7 Attack detected - 48 bytes"; entropy:type kl7,track by_dst,count 100,bytes 48,timeout 60; sid: 1;)
> alert tcp any any -> any 445 (msg:"Miscrosoft-DS L7 Attack detected or worm - 48 bytes"; entropy:type kl7,track by_dst,count 100,bytes 48,timeout 60; sid: 1;)
>
> alert tcp any any -> any 80 (msg:"HTTP L7 Attack detected - 150 bytes"; entropy:type kl7,track by_dst,count 100,bytes 150,timeout 60; sid: 1;)
> alert tcp any any -> any 443 (msg:"HTTPS L7 Attack detected - 150 bytes"; entropy:type kl7,track by_dst,count 100,bytes 150,timeout 60; sid: 1;)
> alert tcp any any -> any 445 (msg:"Miscrosoft-DS L7 Attack detected or worm - 150 bytes"; entropy:type kl7,track by_dst,count 100,bytes 150,timeout 60; sid: 1;)
>
> alert tcp any any -> any 80 (msg:"HTTP L7 Attack detected - 256 bytes"; entropy:type kl7,track by_dst,count 100,bytes 256,timeout 60; sid: 1;)
> alert tcp any any -> any 443 (msg:"HTTPS L7 Attack detected - 256 bytes"; entropy:type kl7,track by_dst,count 100,bytes 256,timeout 60; sid: 1;)
> alert tcp any any -> any 445 (msg:"Miscrosoft-DS L7 Attack detected or worm - 256 bytes"; entropy:type kl7,track by_dst,count 100,bytes 256,timeout 60; sid: 1;)
>
> Let's run suricata and see whether we get some false positives.
> After that we will start some DDoS/DoS/Worm simulation attacks.
>
> Do you think you can help me ?
>
> Thanks
>
> Breno
>
> On Fri, Jan 15, 2010 at 12:46 PM, Kaestner, Jan wrote:
>
>> Hi Breno,
>>
>> What does the test network need to look like?
>>
>> If you download the document "Whitepaper; Security concept PCS 7 and WinCC
>> - main document: http://support.automation.siemens.com/WW/view/en/26462131"
>> from Siemens, you will find on the last three pages a detailed description, which
>> is nearly how my testlab is configured and structured (the lab is a bit less).
>>
>> With best regards,
>> Jan Kaestner
>>
>> Siemens AG
>> Industry Sector
>> Industry Automation Division
>> Industrial Automation Systems
>> I IA AS RD DH K5
>> Oestliche Rheinbrueckenstr. 50
>> 76187 Karlsruhe, Germany
>> Tel.: +49 (721) 595-3138
>> mailto:jan.kaestner at siemens.com
>>
>> *From:* oisf-wg-portscan-bounces at openinfosecfoundation.org [mailto:oisf-wg-portscan-bounces at openinfosecfoundation.org] *On Behalf Of *Breno Silva
>> *Sent:* Thursday, January 14, 2010 8:31 PM
>> *To:* DDoS and Portscan methods discussion
>> *Subject:* Re: [Oisf-wg-portscan] Hey
>>
>> Hi all,
>>
>> I have a suricata version with an entropy rule option.
>>
>> I need some network to test it :) ... Anyone ? I can make a tar of my
>> suricata extra version for you.
>>
>> thanks
>>
>> breno
>>
>> On Mon, Jan 4, 2010 at 12:53 AM, Breno Silva wrote:
>>
>> Guys,
>>
>> I'm coding a patch for Suricata with some new features for anomaly
>> detection.
>>
>> I will show you soon,
>>
>> Thanks
>>
>> breno
>>
>> On Wed, Dec 30, 2009 at 9:30 PM, Breno Silva wrote:
>>
>> Hi All,
>>
>> I coded a PoC code for testing.
>>
>> to compile ... gcc -o ddos ddos.c -lpcap -lm
>>
>> ./ddos -i eth0
>>
>> If you can .. please run it in a real network. Let's try to simulate ddos
>> attacks
>>
>> It will compute every 200 pkts (at least 32 bytes) captured.
>>
>> it just handles UDP pkts
>>
>> Thanks guys
>> Hope to see some comments :)
>>
>> Happy new year
>>
>> Breno
>>
>> On Wed, Nov 25, 2009 at 3:07 PM, Tomas L. Byrnes wrote:
>>
>> I'm sorry that this fell through the cracks. I've had a hellacious month.
>> I'd be happy to test for you.
>>
>> *From:* oisf-wg-portscan-bounces at openinfosecfoundation.org [mailto:oisf-wg-portscan-bounces at openinfosecfoundation.org] *On Behalf Of *Breno Silva
>> *Sent:* Sunday, October 25, 2009 6:22 AM
>> *To:* DDoS and Portscan methods discussion
>> *Subject:* Re: [Oisf-wg-portscan] Hey
>>
>> Hi Tomas,
>>
>> I have an implementation of this in my internal and external network.
>> However my internal network is very big and my external is AS7738 and
>> AS8167.
>> In both cases it is working well, almost without false positives and a good
>> rate of attack detection. But in both cases the traffic is highly random
>> (internal is less random) ... but working well
>>
>> However I never tested it in a small LAN. If you have one I can send you
>> a code for testing.
>>
>> What do you think ?
>>
>> Thanks
>>
>> Breno
>>
>> On Sat, Oct 24, 2009 at 3:15 PM, Tomas L. Byrnes wrote:
>>
>> I think the problem with this is that you're assuming that the PAYLOAD of
>> traffic to a given port, especially UDP, is highly random in the case of
>> normal traffic, and highly self-similar in the case of (D)DOS.
>>
>> This is not true, especially for widely used services such as DNS. The
>> vast majority of DNS packets are HIGHLY self-similar, especially the ones
>> to/from Authoritative Nameservers, which are usually answering queries for
>> the exact same RRSETs all the time.
>>
>> *From:* oisf-wg-portscan-bounces at openinfosecfoundation.org [mailto:oisf-wg-portscan-bounces at openinfosecfoundation.org] *On Behalf Of *Breno Silva
>> *Sent:* Monday, October 12, 2009 8:58 AM
>> *To:* DDoS and Portscan methods discussion
>> *Subject:* Re: [Oisf-wg-portscan] Hey
>>
>> Hi Guys
>>
>> Good to hear from you.
>>
>> I'm sending two simple codes for discussion, to see if they can be used
>> as a part of a future ddos detection engine.
>>
>> The idea is to create something to measure the traffic entropy.
>> Most of ddos attacks change (decrease) the entropy of certain traffic.
>>
>> This is a pseudo-code to implement the idea:
>>
>> for_each_packet() {
>>
>>     case udp:
>>         udp_packet[dest port]->count_bit_1_for_the_packet
>>         udp_packet[dest port]->store_sddr_daddr_ports_etc
>>         alfa += apply_the_algorithm_for_the_packet(udp_packet[dest port]->count_bit_1_for_the_packet)
>>         countbit1total[dest port] += udp_packet[dest port]->count_bit_1_for_the_packet
>>
>>     case tcp:
>>         tcp_packet[dest port]->count_bit_1_for_the_packet
>>         tcp_packet[dest port]->store_sddr_daddr_ports_etc
>>         alfa += apply_the_algorithm_for_the_packet(tcp_packet[dest port]->count_bit_1_for_the_packet)
>>         countbit1total[dest port] += tcp_packet[dest port]->count_bit_1_for_the_packet
>>
>>     if(we_have_200_packets_in_this_port)
>>     {
>>         beta = apply_the_algorithm_for_the_all_packets(countbit1total[dest port])
>>
>>         if(beta < alfa)
>>         {
>>             attack detected
>>         }
>>         else {
>>             normal traffic
>>         }
>>     }
>> }
>>
>> where
>>
>> apply_the_algorithm_for_the_packet :
>>
>> (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
>> - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
>> + log((PKT_BYTES*8))/log(2);
>>
>> and
>>
>> apply_the_algorithm_for_the_all_packets :
>>
>> (PKT_BYTES*8*NUM_PKT_POLL)*(((-(countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL))*(log((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL))/log(2))
>> - (1 - ((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL)))*(log(1-((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL)))/log(2))))
>> + log((PKT_BYTES*8*NUM_PKT_POLL))/log(2);
>>
>> I will try to explain the idea behind the algorithm...
>>
>> Suppose we have 3 complex strings: X, Y and Z.
>> So... if we can calculate the complexity for each string using some formula C(x),
>>
>> for a random/very complex string we have : C(X) + C(Y) + C(Z) < C(XYZ)
>>
>> in other words .. if you have 3 complex things (C(x) C(y) c(z)) .. and
>> concatenate them ... you will have something much more complex (C(XYZ))
>>
>> make sense ?
>>
>> This is how the algorithm works for ddos detection... measuring normal
>> traffic on a port number .. we will see a lot of random payloads... and
>> during an attack.. it will change (if the attacker does not randomize the
>> payload).
>>
>> So.. for normal traffic:
>>
>> Complexity_of(Packet1) + Complexity_of(Packet2) + Complexity_of(PacketN)
>> =< All_complexity(Packet1+Packet2+PacketN)
>>
>> and for a ddos:
>>
>> Complexity_of(Packet1) + Complexity_of(Packet2) + Complexity_of(PacketN)
>> > All_complexity(Packet1+Packet2+PacketN)
>>
>> /* Here we are simulating normal traffic
>>  * each bitone represents the distribution of bit 1 in each packet payload
>>  * and in this case the value of bitone is random
>>  */
>>
>> #include <stdio.h>
>> #include <math.h>
>>
>> float NUM_PKT_POLL = 10; // Number of packets to process in each port number
>> float PKT_BYTES = 32;    // payload bytes to count the bit 1
>> float countonetotal = 0;
>> float THR = 0.3;         // I will explain it later
>> float bitone = 0;
>>
>> int main()
>> {
>>     int i;
>>     /* number of 1 bits in each of the NUM_PKT_POLL simulated payloads */
>>     float bitones[] = {200, 122, 140, 150, 150, 150, 150, 150, 150, 150};
>>     float kolmogorov_total = 0;
>>     float kolmogorov_packet = 0;
>>
>>     /* per-packet complexity, summed over the poll window */
>>     for (i = 0; i < NUM_PKT_POLL; i++) {
>>         bitone = bitones[i];
>>         kolmogorov_packet +=
>>             (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
>>             - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
>>             + log((PKT_BYTES*8))/log(2);
>>         countonetotal += bitone;
>>     }
>>
>>     /* complexity of the whole window treated as one bit string */
>>     kolmogorov_total =
>>         (PKT_BYTES*8*NUM_PKT_POLL)*(((-(countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL))*(log((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL))/log(2))
>>         - (1 - ((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL)))*(log(1-((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL)))/log(2))))
>>         + log((PKT_BYTES*8*NUM_PKT_POLL))/log(2);
>>
>>     if(kolmogorov_total < kolmogorov_packet)
>>         printf("ATTACK DETECTED\n");
>>     else
>>         printf("NORMAL TRAFFIC\n");
>> }
>>
>> **************************
>>
>> ********* CODE ***********
>>
>> /* This is the same code ... but simulating a ddos attack
>>  */
>>
>> #include <stdio.h>
>> #include <math.h>
>>
>> float NUM_PKT_POLL = 10;
>> float PKT_BYTES = 32;
>> float countonetotal = 0;
>> float THR = 0.3;
>> float bitone = 0;
>>
>> int main()
>> {
>>     int i;
>>     /* number of 1 bits in each of the NUM_PKT_POLL simulated payloads */
>>     float bitones[] = {200, 122, 140, 150, 150, 150, 150, 150, 150, 150};
>>     float kolmogorov_total = 0;
>>     float kolmogorov_packet = 0;
>>
>>     /* per-packet complexity, summed over the poll window */
>>     for (i = 0; i < NUM_PKT_POLL; i++) {
>>         bitone = bitones[i];
>>         kolmogorov_packet +=
>>             (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
>>             - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
>>             + log((PKT_BYTES*8))/log(2);
>>         countonetotal += bitone;
>>     }
>>
>>     /* complexity of the whole window treated as one bit string */
>>     kolmogorov_total =
>>         (PKT_BYTES*8*NUM_PKT_POLL)*(((-(countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL))*(log((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL))/log(2))
>>         - (1 - ((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL)))*(log(1-((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL)))/log(2))))
>>         + log((PKT_BYTES*8*NUM_PKT_POLL))/log(2);
>>
>>     if(kolmogorov_total < kolmogorov_packet)
>>         printf("ATTACK DETECTED\n");
>>     else
>>         printf("NORMAL TRAFFIC\n");
>> }
>>
>> On Mon, Oct 12, 2009 at 10:03 AM, Matt Jonkman wrote:
>>
>> Yes! We have all the right people here. Shoot us your idea!
>>
>> Matt
>>
>> Jeff Dickey wrote:
>> > I think what Matt was trying to say was "hey, Breno, everybody with a
>> > technical interest in OISF is on the list; don't ask to ask - what's the
>> > code you've got?"
>> >
>> > But I'll join the flood anyway :-)
>> >
>> > On 12/10/09 07:21 , "Matt Jonkman" wrote:
>> >
>> >> There's a large number of people on here, we can't have everyone check
>> >> in. :)
>> >>
>> >> What are you thinking about?
>> >>
>> >> Matt
>> >>
>> >> Breno Silva wrote:
>> >>> Hey Shyaam!
>> >>>
>> >>> Good to hear from you!
>> >>>
>> >>> Let's wait one more day to hear from the other guys
>> >>>
>> >>> cheers
>> >>>
>> >>> Breno
>> >>>
>> >>> On Sun, Oct 11, 2009 at 7:57 PM, Shyaam Sundhar wrote:
>> >>>
>> >>>     Everyone is with you brotha!
>> >>>
>> >>>     Sent from my iPhone
>> >>>
>> >>>     On Oct 11, 2009, at 6:35 PM, Breno Silva wrote:
>> >>>
>> >>>>     Hey guys,
>> >>>>
>> >>>>     Who is in the list ?
>> >>>>
>> >>>>     I have a simple code to discuss with you
>> >>>>
>> >>>>     Thanks
>> >>>>
>> >>>>     Breno
>>
>> --
>> --------------------------------------------
>> Matthew Jonkman
>> Emerging Threats
>> Open Information Security Foundation (OISF)
>> Phone 765-429-0398
>> Fax 312-264-0205
>> http://www.emergingthreats.net
>> http://www.openinformationsecurityfoundation.org
>> --------------------------------------------
>>
>> PGP: http://www.jonkmans.com/mattjonkman.asc
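The comparison that the quoted pseudo-code and formulas describe (alfa as the sum of per-packet scores, beta as the score of the whole window, countonetotal as the 1 bits over the window, and the "kl7" score n*H(k/n) + log2(n) itself), as an added example that is not the PoC posted in this thread and not the Suricata patch Breno is describing. It takes the window size and the scored payload prefix from the count and bytes rule options quoted above, models "track by_dst" as one window object per destination key, and leaves the timeout out. The names Kl7Window and score_window and the three windows of payloads are my own, and every payload is constructed rather than captured.

```python
"""Added example, not code from the thread: per-packet vs. whole-window
complexity test on constructed payloads (no real traffic involved)."""
import math
import random
from dataclasses import dataclass


def binary_entropy(p: float) -> float:
    """H(p) in bits. The PoC's expression yields NaN for an all-zero or
    all-one payload (0 * log 0); the convention H(0) = H(1) = 0 is used here."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1.0 - p) * math.log2(1.0 - p)


def kl7_complexity(ones: int, nbits: int) -> float:
    """The thread's "kl7" score for nbits bits holding `ones` set bits:
    nbits * H(ones/nbits) + log2(nbits)."""
    return nbits * binary_entropy(ones / nbits) + math.log2(nbits)


def count_ones(payload: bytes) -> int:
    return sum(bin(b).count("1") for b in payload)


@dataclass
class Kl7Window:
    """State for one tracked key, e.g. one destination ("track by_dst")."""
    pkt_bytes: int            # "bytes": only this prefix of the payload is scored
    count: int                # "count": packets per window
    seen: int = 0
    alfa: float = 0.0         # sum of per-packet scores
    countonetotal: int = 0    # 1 bits over the whole window

    def feed(self, payload: bytes):
        """True (attack) or False (normal) once the window is full; None
        while it is still filling or when the packet is too short to score."""
        if len(payload) < self.pkt_bytes:
            return None                       # "bytes" option: skip short packets
        nbits = self.pkt_bytes * 8
        ones = count_ones(payload[:self.pkt_bytes])
        self.alfa += kl7_complexity(ones, nbits)
        self.countonetotal += ones
        self.seen += 1
        if self.seen < self.count:
            return None
        beta = kl7_complexity(self.countonetotal, nbits * self.count)
        attack = beta < self.alfa
        self.seen, self.alfa, self.countonetotal = 0, 0.0, 0   # next window
        return attack


def score_window(payloads, pkt_bytes=32, count=10):
    """Feed the payloads through one fresh window and return its verdict."""
    w = Kl7Window(pkt_bytes, count)
    verdict = None
    for p in payloads:
        verdict = w.feed(p)
    return verdict


# Constructed windows of ten 32-byte payloads (not captured traffic).
FLOOD = [b"A" * 32] * 10                  # identical payloads, as a flood sends
_rng = random.Random(7)
RANDOM = [bytes(_rng.getrandbits(8) for _ in range(32)) for _ in range(10)]
MIXED = [b"\x00" * 32, b"\xff" * 32] * 5  # 1-bit density alternating 0 and 1

if __name__ == "__main__":
    for name, win in (("identical", FLOOD), ("pseudo-random", RANDOM), ("mixed density", MIXED)):
        print(f"{name:14s}: {'ATTACK DETECTED' if score_window(win) else 'NORMAL TRAFFIC'}")
```

Running it flags the identical-payload window, as intended, but it flags the pseudo-random window too: alfa carries one log2(n) term per packet (10 x 8 bits here) while beta carries a single log2(n*count) (about 11.3 bits), and n*count*H of the pooled density is never below the sum of the per-packet n*H terms, so beta < alfa unless the 1-bit density differs a lot from packet to packet, as in the mixed window. Before an alert on this keyword is trusted, that is the property to measure on the real traffic of each port, and it is what the count and bytes settings are being tuned against; self-similar answers from an authoritative nameserver, raised earlier in the thread, are the obvious case to check.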
From breno.silva at gmail.com Thu Jan 28 13:28:17 2010
From: breno.silva at gmail.com (Breno Silva)
Date: Thu, 28 Jan 2010 16:28:17 -0200
Subject: [Oisf-wg-portscan] Hey
In-Reply-To: <65f41b5a1001271217i23afd9d2wef104e8f3e41a39a@mail.gmail.com>
References: <70D072392E56884193E3D2DE09C097A9381E9E@pascal.zaphodb.org>
 <65f41b5a0910250622qc15513jb35c7b116464a09a@mail.gmail.com>
 <70D072392E56884193E3D2DE09C097A9382017@pascal.zaphodb.org>
 <65f41b5a0912301530r68942283t1f2f1649c2db565a@mail.gmail.com>
 <65f41b5a1001031853t7e93d535p4f5457ac039c8572@mail.gmail.com>
 <65f41b5a1001141130q283a2f49nc24f35150ea8faa3@mail.gmail.com>
 <65f41b5a1001150744g13c0fc53ne7d600cc63a7a134@mail.gmail.com>
 <65f41b5a1001271217i23afd9d2wef104e8f3e41a39a@mail.gmail.com>
Message-ID: <65f41b5a1001281028r7b4fcc4dg46407f54a57c209a@mail.gmail.com>

Hi all,

Sending the initial patch. The supported rule syntax is:

alert tcp any any -> x.y.0.2 80 (msg:"Entropy TCP PORT 80 - 100 bytes"; entropy:type kl7,track by_dst,count 300,bytes 100,timeout 100; sid: 999999801;)

where, inside the entropy option:

type = kl7 (We only support one algorithm at this moment)
track = by_dst or by_src (like threshold rules)
count = N pkts (It tells the engine to wait for N pkts before computing)
bytes = N bytes (It tells the algorithm to handle only packets with at least N bytes, and to use those bytes to compute. So if you define 100 bytes to protect an HTTP server in your network... if the attacker sends pkts with just 50 bytes .. it will not compute. So bytes is better when it is small... however you need to find a good length for your network.)
timeout = N seconds (It tells the engine to clean the hash table if no packet passed during this period of time.)

The options COUNT and BYTES are very important and may be different for each protocol, and may differ between networks and hosts.
So it requires some admin/security guys' time to tune it. Sometimes, working with these two options ... you can for example ... make the bytes option smaller while increasing the count option .. and vice-versa.

A simple log will be dumped into the entropy.log.[time] file.

Any questions... comments ... feel free to post here or send me an email.

The patch requires more time for bug fixes and thread-safe code. I will do that soon.

Thanks

Breno

On Wed, Jan 27, 2010 at 6:17 PM, Breno Silva wrote:
> Hi all,
>
> I have tested our PoC with Brant. After some tests and adjustments we
> defined these rules and suricata ran without false positives:
>
> alert tcp any any -> x.y.0.2 80 (msg:"Entropy TCP PORT 80 - 100 bytes"; entropy:type kl7,track by_dst,count 300,bytes 100,timeout 100; sid: 999999801;)
> #alert tcp any any -> any 445 (msg:"Entropy TCP PORT 445 - 48 bytes"; entropy:type kl7,track by_dst,count 100,bytes 48,timeout 100; sid: 999999802;)
> alert tcp $EXTERNAL_NET any -> x.y.0.2 443 (msg:"Entropy TCP PORT 443 - 48 bytes"; entropy:type kl7,track by_dst,count 100,bytes 48,timeout 100; sid: 999999803;)
> alert tcp $EXTERNAL_NET any -> x.y.0.2 21 (msg:"Entropy TCP PORT 21 - 48 bytes"; entropy:type kl7,track by_dst,count 100,bytes 48,timeout 100;sid:999999804;)
> alert tcp any any -> any 22 (msg:"Entropy TCP PORT 22 - 160 bytes"; entropy:type kl7,track by_dst,count 500,bytes 32,timeout 100; sid: 999999805;)
>
> After that I sent some HTTP Flood attacks (small attacks) and it detected
> them very quickly :)
>
> I'm still coding a patch to send to someone who wants to test :)
>
> Thanks
>
> Breno
>
> On Fri, Jan 15, 2010 at 1:44 PM, Breno Silva wrote:
>
>> Hi Jan,
>>
>> Thanks for your attention. We need real network traffic for the first
>> test.
>> I'd like to have at least real traffic at ports 80, 443 and 445.
>> >> Next we will run the suricata entropy version with some entropy keyword >> rules enabled: >> >> alert tcp any any -> any 80 (msg:"HTTP L7 Attack detected - 48 bytes"; >> entropy:type kl7,track by_dst,count 100,bytes 48,timeout 60; sid: 1;) >> alert tcp any any -> any 443 (msg:"HTTPS L7 Attack detected - 48 bytes"; >> entropy:type kl7,track by_dst,count 100,bytes 48,timeout 60; sid: 1;) >> alert tcp any any -> any 445 (msg:"Miscrosoft-DS L7 Attack detected or >> worm - 48 bytes"; entropy:type kl7,track by_dst,count 100,bytes >> 48,timeout 60; sid: 1;) >> >> alert tcp any any -> any 80 (msg:"HTTP L7 Attack detected - 150 bytes"; >> entropy:type kl7,track by_dst,count 100,bytes 150,timeout 60; sid: 1;) >> alert tcp any any -> any 443 (msg:"HTTPS L7 Attack detected - 150 bytes"; >> entropy:type kl7,track by_dst,count 100,bytes 150,timeout 60; sid: 1;) >> alert tcp any any -> any 445 (msg:"Miscrosoft-DS L7 Attack detected or >> worm - 150 bytes"; entropy:type kl7,track by_dst,count 100,bytes >> 150,timeout 60; sid: 1;) >> >> alert tcp any any -> any 80 (msg:"HTTP L7 Attack detected - 256 bytes"; >> entropy:type kl7,track by_dst,count 100,bytes 256,timeout 60; sid: 1;) >> alert tcp any any -> any 443 (msg:"HTTPS L7 Attack detected - 256 bytes"; >> entropy:type kl7,track by_dst,count 100,bytes 256,timeout 60; sid: 1;) >> alert tcp any any -> any 445 (msg:"Miscrosoft-DS L7 Attack detected or >> worm - 256 bytes"; entropy:type kl7,track by_dst,count 100,bytes >> 256,timeout 60; sid: 1;) >> >> Lets run the suricata and see with we have some false-positives. >> After that we will start some DDoS/DoS/Worm simulation attacks >> >> >> Do you think you can help me ? >> >> Thanks >> >> Breno >> >> >> On Fri, Jan 15, 2010 at 12:46 PM, Kaestner, Jan > > wrote: >> >>> Hi Breno, >>> >>> >>> >>> how need the test network be like? 
>>> >>> If you download the document ?Whitepaper; Security concept PCS 7 and >>> WinCC - main document: >>> http://support.automation.siemens.com/WW/view/en/26462131 ? from >>> Siemens, you will find on the three last pages a detailed description, which >>> is as nearly as my testlab is configured and structured (lab is bit less). >>> >>> >>> >>> With best regards, >>> Jan Kaestner >>> >>> Siemens AG >>> Industry Sector >>> Industry Automation Division >>> Industrial Automation Systems >>> I IA AS RD DH K5 >>> Oestliche Rheinbrueckenstr. 50 >>> 76187 Karlsruhe, Germany >>> Tel.: +49 (721) 595-3138 >>> mailto:jan.kaestner at siemens.com >>> >>> *From:* oisf-wg-portscan-bounces at openinfosecfoundation.org [mailto: >>> oisf-wg-portscan-bounces at openinfosecfoundation.org] *On Behalf Of *Breno >>> Silva >>> *Sent:* Thursday, January 14, 2010 8:31 PM >>> >>> *To:* DDoS and Portscan methods discussion >>> *Subject:* Re: [Oisf-wg-portscan] Hey >>> >>> >>> >>> Hi all, >>> >>> >>> >>> I have a suricata version with a entropy rule option. >>> >>> >>> >>> I need some network for test it :) ... Anyone ? I can make a tar os my >>> suricata extra version for you. >>> >>> >>> >>> thanks >>> >>> >>> >>> breno >>> >>> On Mon, Jan 4, 2010 at 12:53 AM, Breno Silva >>> wrote: >>> >>> Guys, >>> >>> >>> >>> I?m coding a patch for Suricata with some new features for anomaly >>> detection. >>> >>> >>> >>> I will show you soon, >>> >>> >>> >>> Thanks >>> >>> >>> >>> breno >>> >>> On Wed, Dec 30, 2009 at 9:30 PM, Breno Silva >>> wrote: >>> >>> Hi All, >>> >>> I coded a PoC code for testing. >>> >>> to compile ... gcc -o ddos ddos.c -lpcap -lm >>> >>> ./ddos -i eth0 >>> >>> If you can .. please run it into real network. Lets try to simulate ddos >>> attacks >>> >>> It will compute each 200 pkts (at least 32 bytes) captured. 
>>> >>> it is just handle UDP pkts >>> >>> Thanks guys >>> Hope see some comments :) >>> >>> Happy new year >>> >>> Breno >>> >>> >>> >>> On Wed, Nov 25, 2009 at 3:07 PM, Tomas L. Byrnes >>> wrote: >>> >>> I?m sorry that this fell through the cracks. I?ve had a hellacious month. >>> I?d be happy to test for you. >>> >>> >>> >>> >>> >>> >>> >>> *From:* oisf-wg-portscan-bounces at openinfosecfoundation.org [mailto: >>> oisf-wg-portscan-bounces at openinfosecfoundation.org] *On Behalf Of *Breno >>> Silva >>> *Sent:* Sunday, October 25, 2009 6:22 AM >>> >>> >>> *To:* DDoS and Portscan methods discussion >>> *Subject:* Re: [Oisf-wg-portscan] Hey >>> >>> >>> >>> Hi Tomas, >>> >>> I have a implementation of this in my internal and external network. >>> However my internal network is very big and my external is AS7738 and >>> AS8167. >>> In both cases it is working well, almost wiithout false positives and >>> good rate of attack detection. But in both cases the traffic is highly >>> random (internal is less random) ... but working well >>> >>> However i never tested it in a small LAN. If you have one i can send you >>> a code for testing. >>> >>> What do you think ? >>> >>> Thanks >>> >>> Breno >>> >>> On Sat, Oct 24, 2009 at 3:15 PM, Tomas L. Byrnes >>> wrote: >>> >>> I think the problem with this is that you?re assuming that the PAYLOAD of >>> traffic to a given port, especially UDP is highly random in the case of >>> normal traffic, and highly self-similar in the case of (D)DOS. >>> >>> >>> >>> This is not true, especially for widely used services such as DNS. The >>> vast majority of DNS packets are HIGHLY self-similar, especially the ones >>> to/from Authoritative Nameservers, which are usually answering queries for >>> the exact same RRSETs all the time. 
>>>
>>> *From:* oisf-wg-portscan-bounces at openinfosecfoundation.org [mailto:
>>> oisf-wg-portscan-bounces at openinfosecfoundation.org] *On Behalf Of *Breno
>>> Silva
>>> *Sent:* Monday, October 12, 2009 8:58 AM
>>>
>>> *To:* DDoS and Portscan methods discussion
>>> *Subject:* Re: [Oisf-wg-portscan] Hey
>>>
>>> Hi Guys
>>>
>>> Good to hear from you.
>>>
>>> I'm sending two simple codes for discussion if it can be used
>>> as a part of future ddos detection engine.
>>>
>>> The idea is to create something to measure the traffic entropy. Most of
>>> ddos attacks change (decrease) the entropy of certain traffic.
>>>
>>> This is a pseudo-code to implement the idea:
>>>
>>> for_each_packet() {
>>>
>>> case udp:
>>> udp_packet[dest port]->count_bit_1_for_the_packet
>>> udp_packet[dest port]->store_sddr_daddr_ports_etc
>>> alfa += apply_the_algorithm_for_the_packet(udp_packet[dest
>>> port]->count_bit_1_for_the_packet)
>>> countbit1total[dest port] += udp_packet[dest
>>> port]->count_bit_1_for_the_packet
>>>
>>> case tcp:
>>> tcp_packet[dest port]->count_bit_1_for_the_packet
>>> tcp_packet[dest port]->store_sddr_daddr_ports_etc
>>> alfa += apply_the_algorithm_for_the_packet(tcp_packet[dest
>>> port]->count_bit_1_for_the_packet)
>>> countbit1total[dest port] += tcp_packet[dest
>>> port]->count_bit_1_for_the_packet
>>>
>>> if(we_have_200_packets_in_this_port)
>>> {
>>> beta = apply_the_algorithm_for_the_all_packets(udp_packet[dest
>>> port]->countbit1total)
>>>
>>> if(beta < alfa)
>>> {
>>> attack detected
>>> }
>>> else {
>>> normal traffic
>>> }
>>> }
>>> }
>>>
>>> where
>>>
>>> apply_the_algorithm_for_the_packet :
>>>
>>> (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
>>> - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
>>> + log((PKT_BYTES*8))/log(2);
>>>
>>> and
>>>
>>> apply_the_algorithm_for_the_all_packets :
>>>
>>> (PKT_BYTES*8*NUM_PKT_POLL)*(((-(countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL))*(log((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL))/log(2))
>>> - (1 -
>>> ((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL)))*(log(1-((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL)))/log(2))))
>>> + log((PKT_BYTES*8*NUM_PKT_POLL))/log(2);
>>>
>>> I will try to explain the idea behind the algorithm...
>>>
>>> Suppose we have 3 complex strings: X, Y and Z
>>> So... if we can calculate the complexity for each string using some
>>> formula C(x),
>>>
>>> for a random/very complex string we have : C(X) + C(Y) + C(Z) < C(XYZ)
>>>
>>> in other words .. if you have 3 complex things (C(x) C(y) c(z)) .. and
>>> concatenate them ... you will have something much more complex (C(XYZ))
>>>
>>> make sense ?
>>>
>>> This is how the algorithm works for ddos detection... measuring a normal
>>> traffic in a port number .. we will see a lot of random payloads... and
>>> during an attack.. it will change (if the attacker does not random the
>>> payload).
>>>
>>> So.. for a normal traffic:
>>>
>>> Complexity_of(Packet1) + Complexity_of(Packet2) + Complexity_of(PacketN)
>>> =< All_complexity(Packet1+Packet2+PacketN)
>>>
>>> and for a ddos:
>>>
>>> Complexity_of(Packet1) + Complexity_of(Packet2) + Complexity_of(PacketN)
>>> > All_complexity(Packet1+Packet2+PacketN)
>>>
>>> /* Here we are simulating a normal traffic
>>> * each bitone represents the distribution of bit 1 in each packet payload
>>> * and in this case the value of bitone is random
>>> *
>>> */
>>>
>>> #include <stdio.h>
>>> #include <math.h>
>>>
>>> float NUM_PKT_POLL = 10; // Number of packets to process in each port number
>>> float PKT_BYTES = 32; // payload bytes to count the bit 1
>>> float countonetotal = 0;
>>> float THR = 0.3; // I will explain it later
>>> float bitone = 0;
>>>
>>> int main()
>>> {
>>> int i;
>>> float kolmogorov_total = 0;
>>> float kolmogorov_packet = 0;
>>>
>>> bitone = 200;
>>> kolmogorov_packet +=
>>> (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
>>> - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
>>> + log((PKT_BYTES*8))/log(2);
>>>
>>> countonetotal += 200;
>>> bitone = 122;
>>>
>>> kolmogorov_packet +=
>>> (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
>>> - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
>>> + log((PKT_BYTES*8))/log(2);
>>> countonetotal += 122;
>>>
>>> bitone = 140;
>>> kolmogorov_packet +=
>>> (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
>>> - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
>>> + log((PKT_BYTES*8))/log(2);
>>> countonetotal += 140;
>>>
>>> bitone = 150;
>>> kolmogorov_packet +=
>>> (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
>>> - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
>>> + log((PKT_BYTES*8))/log(2);
>>> countonetotal += 150;
>>>
>>> bitone = 150;
>>> kolmogorov_packet +=
>>> (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
>>> - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
>>> + log((PKT_BYTES*8))/log(2);
>>> countonetotal += 150;
>>>
>>> bitone = 150;
>>> kolmogorov_packet +=
>>> (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
>>> - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
>>> + log((PKT_BYTES*8))/log(2);
>>> countonetotal += 150;
>>>
>>> bitone = 150;
>>> kolmogorov_packet +=
>>> (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
>>> - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
>>> + log((PKT_BYTES*8))/log(2);
>>> countonetotal += 150;
>>>
>>> bitone = 150;
>>> kolmogorov_packet +=
>>> (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
>>> - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
>>> + log((PKT_BYTES*8))/log(2);
>>> countonetotal += 150;
>>>
>>> bitone = 150;
>>> kolmogorov_packet +=
>>> (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
>>> - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
>>> + log((PKT_BYTES*8))/log(2);
>>> countonetotal += bitone;
>>>
>>> bitone = 150;
>>> kolmogorov_packet +=
>>> (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
>>> - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
>>> + log((PKT_BYTES*8))/log(2);
>>> countonetotal += bitone;
>>>
>>> kolmogorov_total =
>>> (PKT_BYTES*8*NUM_PKT_POLL)*(((-(countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL))*(log((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL))/log(2))
>>> - (1 -
>>> ((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL)))*(log(1-((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL)))/log(2))))
>>> + log((PKT_BYTES*8*NUM_PKT_POLL))/log(2);
>>>
>>> if(kolmogorov_total < kolmogorov_packet)
>>> printf("ATTACK DETECTED\n");
>>> else
>>> printf("NORMAL TRAFFIC\n");
>>> }
>>>
>>> **************************
>>>
>>> ********* CODE ***********
>>>
>>> /* This is the same code ... but simulating a ddos attack
>>> */
>>>
>>> #include <stdio.h>
>>> #include <math.h>
>>>
>>> float NUM_PKT_POLL = 10;
>>> float PKT_BYTES = 32;
>>> float countonetotal = 0;
>>> float THR = 0.3;
>>> float bitone = 0;
>>>
>>> int main()
>>> {
>>> int i;
>>> float kolmogorov_total = 0;
>>> float kolmogorov_packet = 0;
>>>
>>> bitone = 200;
>>> kolmogorov_packet +=
>>> (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
>>> - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
>>> + log((PKT_BYTES*8))/log(2);
>>>
>>> countonetotal += 200;
>>> bitone = 122;
>>>
>>> kolmogorov_packet +=
>>> (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
>>> - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
>>> + log((PKT_BYTES*8))/log(2);
>>> countonetotal += 122;
>>>
>>> bitone = 140;
>>> kolmogorov_packet +=
>>> (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
>>> - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
>>> + log((PKT_BYTES*8))/log(2);
>>> countonetotal += 140;
>>>
>>> bitone = 150;
>>> kolmogorov_packet +=
>>> (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
>>> - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
>>> + log((PKT_BYTES*8))/log(2);
>>> countonetotal += 150;
>>>
>>> bitone = 150;
>>> kolmogorov_packet +=
>>> (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
>>> - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
>>> + log((PKT_BYTES*8))/log(2);
>>> countonetotal += 150;
>>>
>>> bitone = 150;
>>> kolmogorov_packet +=
>>> (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
>>> - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
>>> + log((PKT_BYTES*8))/log(2);
>>> countonetotal += 150;
>>>
>>> bitone = 150;
>>> kolmogorov_packet +=
>>> (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
>>> - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
>>> + log((PKT_BYTES*8))/log(2);
>>> countonetotal += 150;
>>>
>>> bitone = 150;
>>> kolmogorov_packet +=
>>> (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
>>> - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
>>> + log((PKT_BYTES*8))/log(2);
>>> countonetotal += 150;
>>>
>>> bitone = 150;
>>> kolmogorov_packet +=
>>> (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
>>> - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
>>> + log((PKT_BYTES*8))/log(2);
>>> countonetotal += bitone;
>>>
>>> bitone = 150;
>>> kolmogorov_packet +=
>>> (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
>>> - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
>>> + log((PKT_BYTES*8))/log(2);
>>> countonetotal += bitone;
>>>
>>> kolmogorov_total =
>>> (PKT_BYTES*8*NUM_PKT_POLL)*(((-(countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL))*(log((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL))/log(2))
>>> - (1 -
>>> ((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL)))*(log(1-((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL)))/log(2))))
>>> + log((PKT_BYTES*8*NUM_PKT_POLL))/log(2);
>>>
>>> if(kolmogorov_total < kolmogorov_packet)
>>> printf("ATTACK DETECTED\n");
>>> else
>>> printf("NORMAL TRAFFIC\n");
>>> }
>>>
>>> On Mon, Oct 12, 2009 at 10:03 AM, Matt Jonkman
>>> wrote:
>>>
>>> Yes! We have all the right people here. Shoot us your idea!
>>>
>>> Matt
>>>
>>> Jeff Dickey wrote:
>>> > I think what Matt was trying to say was "hey, Breno, everybody with a
>>> > technical interest in OISF is on the list; don't ask to ask - what's
>>> the
>>> > code you've got?"
>>> >
>>> > But I'll join the flood anyway :-)
>>> >
>>> > On 12/10/09 07:21 , "Matt Jonkman" wrote:
>>> >
>>> >> There's a large number of people on here, we can't have everyone check
>>> >> in. :)
>>> >>
>>> >> What are you thinking about?
>>> >>
>>> >> Matt
>>> >>
>>> >> Breno Silva wrote:
>>> >>> Hey Shyaam!
>>> >>>
>>> >>> Good to hear from you!
>>> >>>
>>> >>> Let's wait one more day to hear from other guys
>>> >>>
>>> >>> cheers
>>> >>>
>>> >>> Breno
>>> >>>
>>> >>> On Sun, Oct 11, 2009 at 7:57 PM, Shyaam Sundhar
>>> >>> wrote:
>>> >>>
>>> >>> Everyone is with you brotha!
>>> >>>
>>> >>> Sent from my iPhone
>>> >>>
>>> >>> On Oct 11, 2009, at 6:35 PM, Breno Silva
>>> >>> wrote:
>>> >>>
>>> >>>> Hey guys,
>>> >>>>
>>> >>>> Who is in the list ?
>>> >>>>
>>> >>>> I have a simple code to discuss with you
>>> >>>>
>>> >>>> Thanks
>>> >>>>
>>> >>>> Breno
>>> >>>> _______________________________________________
>>> >>>> Oisf-wg-portscan mailing list
>>> >>>> Oisf-wg-portscan at openinfosecfoundation.org
>>> >>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-wg-portscan
>>> >
>>>
>>> --
>>>
>>> --------------------------------------------
>>> Matthew Jonkman
>>> Emerging Threats
>>> Open Information Security Foundation (OISF)
>>> Phone 765-429-0398
>>> Fax 312-264-0205
>>> http://www.emergingthreats.net
>>> http://www.openinformationsecurityfoundation.org
>>> --------------------------------------------
>>>
>>> PGP: http://www.jonkmans.com/mattjonkman.asc
>>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openinfosecfoundation.org/pipermail/oisf-wg-portscan/attachments/20100128/b4a4d909/attachment-0001.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Entropy-Support.patch
Type: text/x-patch
Size: 40992 bytes
Desc: not available
Url : http://lists.openinfosecfoundation.org/pipermail/oisf-wg-portscan/attachments/20100128/b4a4d909/0001-Entropy-Support-0001.bin