"CSU-Ying-MC2"
Ying Zhao, Central South University, zhaoying511@gmail.com
Fangfang Zhou, Central South University, zhouffang@gmail.com PRIMARY
Student Team: NO
Qt for C++ [ http://qt.nokia.com/ ]
Eclipse for Java [ http://www.eclipse.org/ ]
Video: Ying MC2 VAST Challenge 2012
Answers to Mini-Challenge 2 Questions:
MC 2.1 Using your visual analytics tools, can you identify what noteworthy events took place for the time period covered in the firewall and IDS logs? Provide screen shots of your visual analytics tools that highlight the five most noteworthy events of security concern, along with explanations of each event.
1. Event: GPL NetBios SMB Events
The workstation 172.23.5.110 attacked the DNS server, 172.23.0.10, with “GPL NETBIOS SMB IPC$ Unicode share access” and “GPL NETBIOS SMB Session Setup NTMLSSP Unicode asn1 overflow attempt” every 12 minutes from 17:25 on April 6 to 8:49 on April 7. It also launched “GPL NETBIOS SMB-DS IPC$ Unicode share access” and “GPL NETBIOS SMB-DS Session Setup NTMLSSP Unicode asn1 overflow attempt” every few minutes from 17:00 on April 5 to 9:00 on April 7. Although many other workstations launched the same four kinds of NetBIOS attacks, this workstation generated the largest number of alerts.
Figure 1. GPL NETBIOS SMB events launched by 172.23.5.110
2. Event: Attacking Database on Firewall Server
Around 21:47 on April 5, when seven colored dots were drawn on the bar of the outer histogram, several database access alerts were observed, including “ET POLICY Suspicious inbound to MSSQL port 1433”, “ET POLICY Suspicious inbound to Oracle SQL port 1521”, “ET POLICY Suspicious inbound to mySQL port 3306” and “ET POLICY Suspicious inbound to PostgreSQL port 5432”. Further, we found that the attacker was 172.23.240.156 and the destination was the firewall server, 172.23.0.1. At the same time, the attacker also launched “ET SCAN Potential VNC Scan 5800-5820”, “ET SCAN Potential VNC Scan 5900-5920” and “GPL SNMP request TCP” against the firewall server.
Figure 2. Attacking the database on the firewall server by 172.23.240.156
3. Event: Brute Force Attack to Firewall
From 0:00 to 0:30 on April 6, the workstation 172.23.231.69 launched four high-risk attacks against the firewall server, including “ET SCAN Rapid POP3 Connections - Possible Brute Force Attack”, “ET SCAN Rapid IMAP Connections - Possible Brute Force Attack”, “ET SCAN Rapid IMAPS Connections - Possible Brute Force Attack” and “ET SCAN Rapid POP3S Connections - Possible Brute Force Attack”. During the same period it also launched the four database attacks (Oracle SQL, MSSQL, MySQL and PostgreSQL) and VNC scans on ports 5800-5820 and 5900-5920.
Figure 3. Brute force attacks against the firewall server by 172.23.231.69
4. Event: Regular Database Attacks
The workstation 172.23.236.8 launched the four database attacks (PostgreSQL, MSSQL, Oracle SQL and MySQL) against the firewall server three times, at around 23:20-23:29 on April 5, 0:07-0:16 on April 6 and 3:17-3:27 on April 6 respectively. The workstation also launched “GPL SNMP request tcp”, “ET SCAN Potential SSH Scan”, “ET SCAN Potential VNC Scan 5800-5820” and “ET SCAN Potential VNC Scan 5900-5920” during the database attacks.
The workstations 172.23.234.58 and 172.23.232.4 behave similarly to 172.23.236.8. They launched the four kinds of database attacks together with SSH and VNC scans from 0:28 to 1:28 and from 1:22 to 1:32 on April 6 respectively. The workstation 172.23.234.58 attacked the database on the firewall server more than 10 times within that hour.
Figure 4. Regular database attacks by 172.23.236.8, 172.23.234.58 and 172.23.232.4
5. Event: External Website Visits
A few external websites, such as 10.32.5.54, 10.32.5.56 and 10.32.5.53, attack workstations in 172.23.134.X almost every minute.
Figure 5. Frequent external website visits
MC 2.2 What security trend is apparent in the firewall and IDS logs over the course of the two days included here? Illustrate the identified trend with an informative and innovative visualization.
Figure 6 shows the attacks from 17:55 on April 5 to 7:20 on April 6. A large number of high-risk attacks were launched during this period; the detailed analysis is given in MC 2.1. Our system detected the dangerous periods and marked them with red triangles on the bars of the outer histogram to help the network security administrator.
Figure 7 shows the attacks from 17:20 on April 6 to 9:00 on April 7. From the outer histogram we can see periodicity in both the total number of alerts and the types of alert. The top three alert types are “GPL NETBIOS SMB IPC$ Unicode share access” in pink, “GPL NETBIOS SMB Session Setup NTMLSSP Unicode asn1 overflow attempt” in light green and “ET POLICY IRC authorization message” in green. The sources of the first two alerts are workstations in 172.23.0.X and 172.23.1.X, and the destination is the DNS server. The third alert reflects a few external websites attacking workstations in the intranet. By analyzing this periodic behavior, we can predict the trend of the future network security situation.
Figure 6. Security trend on the first day
Figure 7. Security trend on the second day
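As an added illustration of the two analyses above (ranking sources per signature for MC 2.1, and finding the 12-minute periodicity and the busy windows marked on the outer histogram for MC 2.2), the Python below is not the team's Qt/Eclipse tool or its code. It runs over a handful of constructed alert records in an assumed comma-separated format (time, source IP, destination IP, signature); the hosts 172.23.0.55 and 172.23.1.12 and all timestamps are constructed, and the bucket size and thresholds are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample alerts (not taken from the challenge data set).
# Assumed record format: "<YYYY-MM-DD HH:MM:SS>,<src_ip>,<dst_ip>,<signature>"
SAMPLE_ALERTS = """\
2012-04-06 17:25:00,172.23.5.110,172.23.0.10,GPL NETBIOS SMB IPC$ Unicode share access
2012-04-06 17:37:00,172.23.5.110,172.23.0.10,GPL NETBIOS SMB IPC$ Unicode share access
2012-04-06 17:49:00,172.23.5.110,172.23.0.10,GPL NETBIOS SMB IPC$ Unicode share access
2012-04-06 18:01:00,172.23.5.110,172.23.0.10,GPL NETBIOS SMB IPC$ Unicode share access
2012-04-06 18:13:00,172.23.5.110,172.23.0.10,GPL NETBIOS SMB IPC$ Unicode share access
2012-04-06 18:25:00,172.23.5.110,172.23.0.10,GPL NETBIOS SMB IPC$ Unicode share access
2012-04-06 17:30:00,172.23.0.55,172.23.0.10,GPL NETBIOS SMB IPC$ Unicode share access
2012-04-06 19:02:00,172.23.0.55,172.23.0.10,GPL NETBIOS SMB IPC$ Unicode share access
2012-04-06 20:40:00,172.23.1.12,172.23.0.10,GPL NETBIOS SMB IPC$ Unicode share access
2012-04-05 21:47:00,172.23.240.156,172.23.0.1,ET POLICY Suspicious inbound to MSSQL port 1433
2012-04-05 21:47:05,172.23.240.156,172.23.0.1,ET POLICY Suspicious inbound to Oracle SQL port 1521
2012-04-05 21:47:10,172.23.240.156,172.23.0.1,ET POLICY Suspicious inbound to mySQL port 3306
2012-04-05 21:47:15,172.23.240.156,172.23.0.1,ET POLICY Suspicious inbound to PostgreSQL port 5432
2012-04-05 21:47:30,172.23.240.156,172.23.0.1,ET SCAN Potential VNC Scan 5800-5820
2012-04-05 21:47:35,172.23.240.156,172.23.0.1,ET SCAN Potential VNC Scan 5900-5920
2012-04-05 21:48:00,172.23.240.156,172.23.0.1,GPL SNMP request TCP
"""


def parse_alerts(text):
    """Parse the assumed CSV-like alert format into dicts; blank lines are skipped."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst, sig = line.split(",", 3)  # signature may itself contain commas
        alerts.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "src": src, "dst": dst, "sig": sig})
    return alerts


def top_sources(alerts, signature, n=3):
    """MC 2.1: rank source hosts by how many alerts of one signature they triggered."""
    counts = Counter(a["src"] for a in alerts if a["sig"] == signature)
    return counts.most_common(n)


def periodicity(alerts, src, dst, signature, tolerance=timedelta(minutes=1)):
    """MC 2.2: return (median gap, is_periodic) for one src -> dst -> signature stream.

    The stream counts as periodic when it has at least three alerts and every gap
    between consecutive alerts lies within `tolerance` of the median gap."""
    times = sorted(a["time"] for a in alerts
                   if a["src"] == src and a["dst"] == dst and a["sig"] == signature)
    if len(times) < 3:
        return None, False
    gaps = sorted(b - a for a, b in zip(times, times[1:]))
    mid = len(gaps) // 2
    med = gaps[mid] if len(gaps) % 2 else (gaps[mid - 1] + gaps[mid]) / 2
    return med, all(abs(g - med) <= tolerance for g in gaps)


def busy_windows(alerts, bucket_minutes=10, threshold=5):
    """Count alerts per fixed time bucket and return the bucket start times that reach
    the threshold; this is the text-only equivalent of the red triangles on the
    outer histogram."""
    counts = Counter()
    for a in alerts:
        t = a["time"]
        start = t.replace(minute=(t.minute // bucket_minutes) * bucket_minutes,
                          second=0, microsecond=0)
        counts[start] += 1
    return sorted(start for start, c in counts.items() if c >= threshold)


ALERTS = parse_alerts(SAMPLE_ALERTS)
SMB_SHARE = "GPL NETBIOS SMB IPC$ Unicode share access"

if __name__ == "__main__":
    print("Top sources for", SMB_SHARE, "->", top_sources(ALERTS, SMB_SHARE))
    gap, periodic = periodicity(ALERTS, "172.23.5.110", "172.23.0.10", SMB_SHARE)
    print("172.23.5.110 -> 172.23.0.10 gap:", gap, "periodic:", periodic)
    print("Busy 10-minute windows:", [w.isoformat() for w in busy_windows(ALERTS)])
```

On the constructed records, 172.23.5.110 ranks first with six share-access alerts at a steady 12-minute gap, the two-alert stream from 172.23.0.55 is too short to be judged periodic, and the burst of database and scan alerts at 21:47 on April 5 is the only 10-minute window that reaches the threshold. On the real two-day log the same functions would be run per destination (the DNS server and the firewall server) rather than on the whole file at once.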
Root causes:
Actions: