Institute for Security Technology Studies (ISTS)

DIB:S - Scan Detection & Correlation


DIB:S PDF
How to Participate
Memo of Agreement

Perl Userspace DIB:S Client (added 04/28/04)
Project Leads
Additional DIB:S Documentation

Project Summary:

The Dartmouth ICMP Bcc: System (DIB:S) infers malicious traffic by analyzing the ICMP type 3 (Destination Unreachable) messages that unsolicited IP datagrams provoke when they are addressed to non-existent or otherwise unreachable hosts.

Most attacks on vulnerable systems are carried out by malicious processes that generate large numbers of IP addresses, select their targets blindly, and attempt to exploit a particular vulnerability or set of vulnerabilities on whichever hosts in that address range respond. Data gathered up to and including the Code Red and Nimda worms indicate that the vast majority of these packets never reach their addressed destination; over 80% of all responses to blindly targeted attack packets are router-generated ICMP unreachable messages. By introducing a Bcc: (blind carbon copy, as in email) facility into the routers that generate ICMP unreachable messages, the copies can be correlated in aggregate and in real time to watch for trends such as worm propagation and distributed scans.

The Internet Control Message Protocol (ICMP) is the set of standards by which devices speaking IP (Internet Protocol) tell each other about the status of communications. From RFC 792: "Occasionally a gateway or destination host will communicate with a source host, for example, to report an error in datagram processing. For such purposes this protocol, the Internet Control Message Protocol (ICMP), is used. ICMP, uses the basic support of IP as if it were a higher level protocol, however, ICMP is actually an integral part of IP, and must be implemented by every IP module." One such error is a destination host that is not present or is otherwise unreachable. The router responsible for the destination address's network will, after failing to map the network address to a link-layer address (an unanswered ARP request, on Ethernet), notify the sender that the datagram could not be delivered. The first byte of the ICMP message is its type, which for Destination Unreachable is 3; the second byte is the code, which says why delivery failed (0 = net unreachable, 1 = host unreachable, 3 = port unreachable, and so on).

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |     Code      |          Checksum             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             unused                            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      Internet Header + 64 bits of Original Data Datagram      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Also included in the message is a portion of the original IP datagram. As specified in RFC 1122, this quoted data must contain the original IP header and at least the first 8 bytes of the next layer's data; for TCP and UDP those 8 bytes carry the source and destination ports, which is what makes the quote useful for correlation. RFC 792 specifies no maximum; RFC 1812 advises routers to include as much of the original datagram as fits without the ICMP datagram exceeding 576 bytes.

When a system generates large numbers of unsolicited datagrams (blind targeting), many, if not most, of them fail to reach their addressed destination. The resulting volume of ICMP type 3 messages (IT3Ms) is visible only on the return path to the originator, that is, at the network(s) immediately upstream of it. Intercepting that traffic raises privacy and liability questions, and has not proven practical except in large organizations where the transit path outside a network segment is under the organization's own control. Instead of "sniffing" these messages as they transit between the router and the origin, a DIB:S participant router sends a duplicate of each IT3M it generates to a collection and analysis point.

Because the customized router operating system kernels create the duplicate at the same moment as the original message, the performance impact on DIB:S test routers has been negligible. Routers should of course rate limit the ICMP messages they generate, as per Juniper appnote 350001 and the Cisco Security Advisory "ICMP Unreachable Vulnerability in Cisco 12000 Series Internet Router": generating unreachables costs router CPU, and a flood of undeliverable datagrams against an unlimited router is a denial of service against the router itself. Note that the same limit caps how many IT3Ms reach the collector, so during a fast scan the Bcc: feed is a sample of the unreachables rather than a census, and correlation thresholds should be set with that in mind.

The DIB:S research team hopes to correlate these IT3Ms in near realtime to gain a global view of unsolicited IP traffic patterns.
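As an added example (not DIB:S code; the page does not publish the collector or the kernel patch), the following Python shows the two halves described above: parsing a raw IT3M down to the facts the collector needs (generating router, original source and destination, protocol, ports, unreachable code, with the RFC 1122 minimum quote and the ICMP checksum enforced), and a sliding-window correlator that flags a source once it has provoked unreachables for many distinct destinations. The sample feed is constructed from RFC 5737 documentation addresses, and the "16 distinct hosts within 60 seconds" threshold is an illustrative assumption, not a DIB:S parameter.

```python
import socket
import struct

ICMP_DEST_UNREACH = 3
UNREACH_CODES = {0: "net", 1: "host", 2: "protocol", 3: "port", 4: "frag-needed",
                 9: "net-prohibited", 10: "host-prohibited", 13: "admin-prohibited"}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when run over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; the IP header checksum is left 0 (not verified here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def make_it3m(router, src, dst, proto, sport, dport, code=1) -> bytes:
    """Constructed IT3M as `router` would send it back to `src` after failing to deliver
    src->dst: outer IP, 8-byte ICMP header, quoted inner IP header + first 8 transport bytes."""
    inner = ipv4_header(src, dst, proto, 8) + struct.pack("!HHI", sport, dport, 0)
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + inner
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ipv4_header(router, src, 1, len(icmp)) + icmp


def parse_it3m(pkt: bytes):
    """Facts the collector needs from one raw IT3M, or None if it is not usable."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1 or len(pkt) < ihl + 8:
        return None                                  # not ICMP, or no ICMP header
    router = socket.inet_ntoa(pkt[12:16])            # outer source = generating router
    icmp = pkt[ihl:]
    if icmp[0] != ICMP_DEST_UNREACH or inet_checksum(icmp) != 0:
        return None                                  # other ICMP type, or damaged copy
    quote = icmp[8:]
    qihl = (quote[0] & 0x0F) * 4 if quote else 0
    if len(quote) < 20 or len(quote) < qihl + 8:
        return None                                  # below the RFC 1122 minimum quote
    proto = quote[9]
    sport = dport = None
    if proto in (6, 17):                             # TCP/UDP: ports are the first 4 bytes
        sport, dport = struct.unpack("!HH", quote[qihl:qihl + 4])
    return {"router": router, "code": UNREACH_CODES.get(icmp[1], str(icmp[1])),
            "src": socket.inet_ntoa(quote[12:16]), "dst": socket.inet_ntoa(quote[16:20]),
            "proto": proto, "sport": sport, "dport": dport}


def correlate(events, window=60.0, threshold=16) -> dict:
    """events: iterable of (timestamp, raw IT3M).  Per original source, keep the unreachables
    seen inside a sliding `window` and flag the source the first time it has provoked them
    for `threshold` distinct destinations (illustrative threshold, not a DIB:S parameter)."""
    recent, flagged = {}, {}
    for ts, pkt in sorted(events, key=lambda e: e[0]):
        m = parse_it3m(pkt)
        if m is None:
            continue
        hist = [h for h in recent.get(m["src"], []) if ts - h[0] <= window]
        hist.append((ts, m["dst"], m["dport"], m["router"]))
        recent[m["src"]] = hist
        targets = {h[1] for h in hist}
        if m["src"] not in flagged and len(targets) >= threshold:
            flagged[m["src"]] = {"at": ts, "targets": len(targets),
                                 "ports": sorted({h[2] for h in hist if h[2] is not None}),
                                 "routers": len({h[3] for h in hist})}
    return flagged


def sample_events():
    """Constructed feed (RFC 5737 documentation addresses), not real captures."""
    events = []
    # Blind-targeting source: 20 TCP/80 probes to hosts that do not exist, half a second
    # apart, with the unreachables Bcc'd by two different participant routers.
    for i in range(20):
        router = "192.0.2.1" if i % 2 == 0 else "192.0.2.129"
        events.append((100.0 + 0.5 * i,
                       make_it3m(router, "203.0.113.7", "192.0.2.%d" % (10 + i), 6, 40000 + i, 80)))
    # Benign source: two retries toward one stale DNS server address.
    for i in range(2):
        events.append((101.0 + i, make_it3m("192.0.2.1", "198.51.100.5", "192.0.2.200", 17, 53000, 53)))
    # Noise the parser must reject: an ICMP Time Exceeded (type 11) and a truncated copy.
    wrong_type = bytearray(make_it3m("192.0.2.1", "198.51.100.9", "192.0.2.201", 6, 1, 22))
    wrong_type[20] = 11
    events.append((102.0, bytes(wrong_type)))
    events.append((102.5, make_it3m("192.0.2.1", "198.51.100.9", "192.0.2.202", 6, 1, 22)[:40]))
    return events


if __name__ == "__main__":
    for src, info in correlate(sample_events()).items():
        print("%s: %d unreachable hosts (ports %s) reported by %d routers, flagged at t=%.1f"
              % (src, info["targets"], info["ports"], info["routers"], info["at"]))
```

Two design points carry over to a real collector. First, the checksum and minimum-quote checks matter because the Bcc: copies are unauthenticated: anything that can reach the collection point can forge an IT3M naming an arbitrary "original source", so at least malformed copies should be dropped, and a per-router sanity check (does this router actually route the quoted destination?) is worth adding. Second, counting distinct destinations rather than raw message volume is what separates a scanner from a host retrying one dead address, and it is also what survives the router-side ICMP rate limiting discussed above, since sampling thins the count but does not change its shape.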



How to participate:

Networks with any unoccupied IP address space are invited to participate in this project. At present the only supported router OS is Linux 2.4.x, and DIB:S support can be built statically or as a module. The DIB:S kernel patches and install documentation are available for download. Be sure to read the Memorandum of Agreement carefully before committing any resources to DIB:S. A bootable CD-based router ISO image will be available shortly; subscribe to dibs-announce@ists.dartmouth.edu to be notified when it is ready for download.

Commercial router vendors are invited to partner with ISTS to produce DIB:S-enabled TCP/IP stacks for their operating systems. Contact gbakos@ists.dartmouth.edu for information.





Perl Userspace DIB:S Client (Added 04/28/04)

Download files





Project Leads:

George Bakos

Vincent Berk




Additional DIB:S Documentation

Simulating Realistic Network Worm Traffic for Worm Warning System Design and Testing [PDF Format]

Designing a Framework for Active Worm Detection on Global Networks [PDF Format]

Using Sensor Networks and Data Fusion for Early Detection of Active Worms [PDF Format]

Early Detection of Internet Worms [MS PowerPoint]

Active Internet Worms and the Dartmouth ICMP BCC: System [HTML]

Early Detection of Internet Worm Activity by Metering ICMP Destination Unreachable Activity [PDF Format]



Copyright © 2003-2006 Trustees of Dartmouth College