Manish Karir

A Survey of Botnet Technology and Defenses

Global Internet threats have undergone a profound transformation from attacks designed solely to disable infrastructure to those that also target people and organizations. At the center of many of these attacks are collections of compromised computers, or Botnets, remotely controlled by the attackers, and whose members are located in homes, schools, businesses, and governments around the world [6]. In this survey paper we provide a brief look at how existing botnet research, the evolution and future of botnets, as well as the goals and visibility of today’s networks intersect to inform the field of botnet technology and defense.

Characterizing Dark DNS Behavior

Security researchers and network operators increasingly rely on information gathered from honeypots and sensors deployed on darknets, or unused address space, for attack detection. While the attack traffic gleaned from such deployments has been thoroughly scrutinized, little attention has been paid to DNS queries targeting these addresses. In this paper, we introduce the concept of dark DNS, the DNS queries associated with darknet addresses, and characterize the data collected from a large operational network by our dark DNS sensor. We discuss the implications of sensor evasion via DNS reconnaissance and emphasize the importance of reverse DNS authority when deploying darknet sensors to prevent attackers from easily evading monitored darknets. Finally, we present honeydns, a tool that complements existing network sensors and low-interaction honeypots by providing simple DNS services.

Flamingo: Visualizing Internet Traffic

In this paper we describe a set of visualization techniques that can help the task of operating and managing a network by representing network traffic information in a concise and intuitive manner. We have implemented these visualization techniques in Flamingo, a software tool that can be used to explore Internet traffic flow data. Flamingo is able to process live Netflow data in real-time and present a set of interactive visualizations and associated manipulation tools that can help users in network data analysis. Flamingo is comprised of a server and a client component. The Flamingo server is responsible for receiving raw Netflow feeds from devices in the network that can sample traffic, and then sending processed information to the client for display. The Flamingo client receives data from the server and provides concise intuitive data visualizations, 3D space navigation, as well as filtering capabilities that can help the operator to extract or monitor specific information of interest. Flamingo also supports a playback mode which allows users to select specific historical Netflow data for visualization. We illustrate with the help of simple examples, based on traffic data from a busy Internet backbone router, how Flamingo can be used to perform network monitoring tasks as well as network security related data forensics

VAST: visualizing autonomous system topology

Extracting specific and relevant information regarding the Internets BGP routing topology is a challenging task. In this paper we present a set of techniques that can be used to visualize various aspects of the Internet topology. We have implemented our visualization techniques in a unique tool called VAST (Visualizing Autonomous System Topology). With the help of simple illustrative examples we describe how our visualizations allow security researchers to extract relevant information quickly from raw BGP routing datasets. VAST provides visualizations that represent information about both the overall topological properties of the Internet as well as individual Autonomous System (AS) behavior.

Understanding IPv6 internet background radiation

We report the results of a study to collect and analyze IPv6 Internet background radiation. This study, the largest of its kind, collects unclaimed traffic on the IPv6 Internet by announcing five large covering prefixes; these cover the majority of allocated IPv6 space on todays Internet. Our analysis characterizes the nature of this traffic across regions, over time, and by the allocation and routing status of the intended destinations, which we show help to identify the causes of this traffic. We compare results to unclaimed traffic in IPv4, and highlight case studies that explain a large fraction of the data or highlight notable properties. We describe how announced covering prefixes differ from traditional network telescopes, and show how this technique can help both network operators and the research community identify additional potential issues and misconfigurations in this critical Internet transition period.

BGP-Inspect - Extracting Information from Raw BGP Data

While BGP routing datasets, consisting of raw routing data, are freely available and easy to obtain, extracting any useful information is tedious. Currently, researcher and network operators implement their own custom data processing tools and scripts. A single tool that provides easy access to the information within large raw BGP datasets could be used by both communities to avoid re-writing these tools each time. Moreover, providing not just raw BGP messages, but some commonly used summary statistics as well can help guide deeper custom analyses. Based on these observations this paper describes the first steps towards building a scalable tool. We describe the various techniques and algorithms we have used to build an efficient generic tool called BGP-Inspect. When dealing with large datasets, dataset size, lookup speed, and data processing time are the most challenging issues. We describe our implementations of chunked compressed files and B+ tree indices that attempt to address these issues. We then provide an evaluation of our implementations. Finally, we provide some example scenarios and case studies where BGP-Inspect can provide useful insight into the management and operation of complex BGP based networks. An efficient and flexible back-end custom BGP message database, coupled with an intuitive and easy to use Web-based query front-end makes BGP-Inspect a unique and powerful tool

Understanding IPv6 populations in the wild

With the global exhaustion of the IPv4 address pool, there has been significant interest in understanding the adoption of IPv6. Previous studies have shown that IPv6 traffic continues to be a very small fraction of the overall total traffic in any network, but its use is gradually increasing. Utilizing a novel display advertising approach to reach behind NAT and other firewall devices, we engage in a seven-month study of IPv6 in which we observe 14M unique IPv6 addresses including native IPv6, teredo, as well as 6to4. We exploit the intrinsic information within IPv6 addresses in order to infer IPv6 properties, such as, coarse grained geographic location, ISPs, the use of native IPv6 versus transition techniques, cone NAT usage, and even network interface manufacturer identifiers. We find that while the number of native IPV6 addresses in the wild is small (1.3%) a large number of IPv6 hosts are IPv6 capable via transition techniques such as teredo and 6to4.

Characterization of blacklists and tainted network traffic

Threats to the security and availability of the network have contributed to the use of Real-time Blackhole Lists (RBLs) as an attractive method for implementing dynamic filtering and blocking. While RBLs have received considerable study, little is known about the impact of these lists in practice. In this paper, we use nine different RBLs from three different categories to perform the evaluation of RBL tainted traffic at a large regional Internet Service Provider.

TCP In the IPSEC Environment

Satellite based networks can transport data for diverse set of applications. Most Internet applications which use Transmission Control Protocol (TCP) need special handling for efficient operation at high speeds. Recently, support for IPSEC is getting widespread in IPv4 networks and it is likely to be mandatory in future IPv6 networks. However when IPSEC is used, TCP headers will be encrypted. High speed TCP connections can suffer from poor performance over networks with high latency, which is the case for geosynchronous satellite links. Performance enhancing proxies (PEP) serve to optimize protocol performance over satellite links by examining and suitably processing TCP headers. Since IPSEC obscures the TCP headers which proxies rely upon, the two technologies are incompatible. This paper describes the salient points of TCP over satellite links, performance enhancing proxies, and describes in detail the TCP enhancements necessary for its efficient operation in the combined IPSEC and satellite environment. The standardization for such a TCP profile being carried out in the Telecommunications Industry Association (TIA) under their Satellite Communications Division will be briefly described. The performance comparison of the different TCP enhancements is also discussed.

Integrated product and process designenvironment tool for manufacturing T/R modules

We present a decision-making assistant tool for an integrated product and process design environment for manufacturing applications. Specifically, we target microwave modules that use electro-mechanical components and require optimal solutions to reduce cost, improve quality, and gain leverage in time to market the product. This tool will assist the product and process designer to improve their productivity and enable them to cooperate and coordinate their designs through a common design interface. We consider a multiobjective optimization model that determines components and processes for a given conceptual design for microwave modules. This model outputs a set of solutions that the Pareto optimal concerning cost, quality, and other metrics. In addition, we identify system integration issues for manufacturing applications, and propose an architecture that will serve as a building block to our continuing research in virtual manufacturing applications.