Describe the PeerShark approach to monitoring network traffic in order to detect P2P DDOS attacks.
- [Voiceover] Peer-to-peer, or P2P networks, are those in which there is no central server and all activity is managed by self-organizing nodes on the network, with many nodes being not only consumers of the service, but part of its infrastructure. One of the most significant P2P networks is Skype. The number of P2P networks fluctuates, but with the rapid emergence of the Internet of Things, there's a new role for P2P to play at the IoT device level. This is already being seen in traffic light systems, which use node-to-node communications at the end points.
Traditional botnets operate around a central system of command and control servers. These form a single point of failure, and are prime targets for takedown operations, which neutralize the botnets. As P2P networks have no centralized server, they lack a single point of failure. This resilience has attracted the attention of botnet owners, who are now building botnets in which implants or bots communicate, pass on commands, and update other bots in a P2P manner. Such botnets have proved to be extremely resilient.
'Storm worm' is an example of such a botnet, being prevalent in 2008, and infecting over a million computers. PeerShark is an analytical tool used to detect P2P botnets by differentiating P2P botnet traffic from P2P network traffic. It uses behavior monitoring, and so can detect botnets whether or not traffic is encrypted, a big advantage with contemporary botnets. PeerShark focuses on observing the different conversations which happen between P2P peers.
The conversations are extracted from packet headers, either in real time or after the event from network traffic captures. A set of features is extracted which classifies the network behavior, for example the duration of the conversation, the inter-arrival time of packets, the amount of data exchanged, and the number of packets exchanged. Conversation monitoring is becoming a much more powerful approach, as big data analytics are being applied to security monitoring. The ability to monitor conversations for slow and low activity such as beaconing enables detection of the more stealthy botnets.
PeerShark has four major components. The first is the packet filtering module. This takes raw packet data and isolates those packets which have a valid IPv4 header. From each packet, the source IP, destination IP, payload length, and timestamp are extracted and stored for future use. The second is the conversation creation module. This takes the output of the packet filtering module, and creates a list of conversations by aggregating packets according to peer addresses. The third, the conversation aggregation module, is used to aggregate the conversations created in the conversation creation module.
This can take conversations that are spread by hours or days and bring them together into a single view of the P2P conversation characteristics. The final module is the classification module, which uses supervised machine learning algorithms for training its model and classifying the information coming from the earlier modules. PeerShark was evaluated using network trace datasets obtained from the University of Georgia. Data from two P2P applications, eMule and uTorrent, and two P2P botnet applications, Waledac and Storm, were used as test traffic.
Network packet captures were used to create and then further aggregate conversations, and then used to create a training dataset for each application. 50,000 conversations of each application were used. Subsequent deployment of PeerShark after training resulted in a classification accuracy of about 95% with a very low false positive rate. PeerShark is clearly very effective at classifying known P2P systems. PeerShark does not handle unknown P2P networks, as it has no training for them, and further research is required to incorporate additional classification techniques.
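To make the first three stages concrete, the following is an added Python sketch, not PeerShark's own code, that runs a constructed packet list through filtering, conversation creation by peer pair, and extraction of the four features named above (duration, inter-arrival time, bytes, packet count). The record layout and all sample values are assumptions made for the illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed packet records (not real captures): (timestamp_s, ip_version,
# src_ip, dst_ip, payload_len). The 10.0.0.5<->10.0.0.7 exchange is spread
# over hours, the kind of slow beaconing the aggregation step pulls together.
PACKETS = [
    (0.0,    4, "10.0.0.5", "10.0.0.9", 120),
    (0.5,    4, "10.0.0.9", "10.0.0.5", 40),
    (1.0,    4, "10.0.0.5", "10.0.0.9", 1400),
    (1.6,    4, "10.0.0.9", "10.0.0.5", 1400),
    (0.2,    4, "10.0.0.5", "10.0.0.7", 64),
    (0.3,    6, "fd00::1",  "fd00::2",  64),   # non-IPv4: dropped by the filter
    (3600.2, 4, "10.0.0.7", "10.0.0.5", 64),
    (7200.2, 4, "10.0.0.5", "10.0.0.7", 64),
]

def filter_packets(packets):
    """Packet filtering: keep only IPv4 records and the four stored fields."""
    return [(ts, src, dst, ln) for ts, ver, src, dst, ln in packets if ver == 4]

def build_conversations(packets):
    """Conversation creation/aggregation: key on the unordered peer pair so
    both directions, and exchanges hours apart, land in one conversation."""
    convs = defaultdict(list)
    for ts, src, dst, ln in packets:
        convs[tuple(sorted((src, dst)))].append((ts, ln))
    return convs

def conversation_features(records):
    """The behavioural features the talk names, computed per conversation."""
    times = sorted(ts for ts, _ in records)
    gaps = [b - a for a, b in zip(times, times[1:])]
    return {
        "duration": times[-1] - times[0],
        "median_iat": median(gaps) if gaps else 0.0,
        "bytes": sum(ln for _, ln in records),
        "packets": len(records),
    }

def feature_table(packets):
    """Full pipeline: filter -> conversations -> feature vector per peer pair."""
    convs = build_conversations(filter_packets(packets))
    return {peers: conversation_features(recs) for peers, recs in convs.items()}

if __name__ == "__main__":
    for peers, feats in feature_table(PACKETS).items():
        print(peers, feats)
```

The resulting per-conversation feature vectors are what a classifier trained on labelled eMule, uTorrent, Waledac and Storm traffic would consume; the hourly, fixed-size exchange stands out by its long duration and large inter-arrival time against the short bulk transfer.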
Note: Our Ethical Hacking series will map to the 18 parts of the EC-Council's certification exam. This course maps to the 09 Denial of Service domain.
- What is denial of service?
- SYN flooding
- Smurf and URL flooding
- Deauthenticating a wireless host
- Flooding HTTP
- Using BlackEnergy
- Flooding SIP
- Detecting DoS with PeerShark
- Defeating DoS attacks