
    SSHCure: a flow-based SSH intrusion detection system

    SSH attacks are a main area of concern for network managers, due to the danger associated with a successful compromise. Detecting these attacks, and possibly compromised victims, is therefore a crucial activity. Most existing network intrusion detection systems designed for this purpose rely on the inspection of individual packets and, hence, do not scale to today's high-speed networks. To overcome this issue, this paper proposes SSHCure, a flow-based intrusion detection system for SSH attacks. It employs an efficient algorithm for the real-time detection of ongoing attacks and allows identification of compromised attack targets. A prototype implementation of the algorithm, including a graphical user interface, is implemented as a plugin for the popular NfSen monitoring tool. Finally, the detection performance of the system is validated with empirical traffic data.

    Unveiling SSHCure 3.0: Flow-based SSH Compromise Detection

    Network-based intrusion detection systems have always been designed to report on the presence of attacks. Due to the sheer and ever-increasing number of attacks on the Internet, Computer Security Incident Response Teams (CSIRTs) are overwhelmed with attack reports. For that reason, there is a need for the detection of compromises rather than compromise attempts, since those incidents are the ones that have to be taken care of. In previous works, we have demonstrated and validated our state-of-the-art compromise detection algorithm that works on exported flow data, i.e., data exported using NetFlow or IPFIX. The detection algorithm has been implemented as part of our open-source intrusion detection system SSHCure. In this demonstration, we showcase the latest release of SSHCure, which includes many new features, such as an overhauled user interface design based on user surveys, integration with incident reporting tools, blacklist integration and IPv6 support. Attendees will be able to explore SSHCure in a semi-live fashion by means of practical examples of situations that CSIRT members encounter in their daily activities.

    IPv6-specific misconfigurations in the DNS

    With the Internet transitioning from IPv4 to IPv6, the number of IPv6-specific DNS records (AAAA) increases. Misconfigurations in these records often go unnoticed, as most systems are provided with connectivity over both IPv4 and IPv6, and automatically fall back to IPv4 in case of connection problems. With IPv6-only networks on the rise, such misconfigurations result in servers or services being rendered unreachable. Using long-term active DNS measurements over multiple zones, we qualify and quantify these IPv6-specific misconfigurations. Applying pattern matching on AAAA records revealed which configuration mistakes occur most, the distribution of faulty records per DNS operator, and how these numbers evolved over time. We show that more than 97% of invalid records can be categorized into one of our ten defined main configuration mistakes. Furthermore, we show that while the number and ratio of invalid records decreased over the last two years, the number of DNS operators with at least one faulty AAAA record increased. This emphasizes the need for easily applicable checks in DNS management systems, for which we provide recommendations in the conclusions of this work.

    Flow-Based Network Management: A Report from the IRTF NMRG Workshop

    This is the report on the Workshop on Flow-Based Network Management, held within the 37th IRTF NMRG meeting, during IETF 93, on 24 July 2015, in Prague, Czech Republic. Following the tradition of the IRTF NMRG, the workshop focused on technologies, developments, and challenges of using flow-level traffic measurements for network management.

    SSH compromise detection using NetFlow/IPFIX

    Dictionary attacks against SSH daemons are a common type of brute-force attack, in which attackers perform authentication attempts on a remote machine. By now, we are used to observing a steady number of SSH dictionary attacks in our networks every day; however, these attacks should not be underestimated. Once compromised, machines can cause serious damage by joining botnets, distributing illegal content, or participating in DDoS attacks. The threat of SSH attacks was recently stressed again by the Ponemon 2014 SSH Security Vulnerability Report, which states that 51% of the surveyed companies have been compromised via SSH in the last 24 months. Even more attacks should be expected in the future; several renowned organizations, such as OpenBL and DShield, report a tripled number of SSH attacks between August 2013 and April 2014. After April 2014, the number of hosts blacklisted by OpenBL for SSH abuse continued to grow and peaks at all-time high values. These numbers emphasize the need for a scalable solution that tells security teams exactly which systems have been compromised and should therefore be taken care of. This is where our open-source IDS SSHCure comes into play. SSHCure is a flow-based Intrusion Detection System (IDS) and the first network-based IDS that is able to detect whether an attack has resulted in a compromise. By analyzing the aggregated network data received from edge routers, it analyzes the SSH behavior of all hosts in a network. Successful deployments—in networks ranging from Web hosting companies and campus networks up to nation-wide backbone networks—have shown that SSHCure is capable of analyzing SSH traffic in real-time and can therefore be deployed in any network with flow export enabled. The latest version of SSHCure features a completely overhauled compromise detection algorithm. The algorithm has been validated using almost 100 servers, workstations and honeypots, featuring an accuracy close to 100%.

    OpenFlow-based link dimensioning

    In this demo we will demonstrate the possibility of using OpenFlow traffic measurements for link dimensioning purposes. Our solution runs on top of the Ryu OpenFlow controller and retrieves per-flow statistics metered at the OpenFlow switch. The statistics are obtained by using messages defined by the OpenFlow protocol. These statistics are then applied to a flow-based link dimensioning approach, originally proposed to operate with NetFlow input. By demonstrating our solution in a testbed, we are able to compare the OpenFlow-based approach with a NetFlow-based one and with the actual traffic demands calculated directly from the packet traces. With that, we show how the quality of OpenFlow measurements affects link dimensioning and how feasible their use in such applications is.

    Assessing the quality of flow measurements from OpenFlow devices

    Since its initial proposal in 2008, OpenFlow has evolved to become today's main enabler of Software-Defined Networking. OpenFlow specifies operations for network forwarding devices and a communication protocol between data and control planes. Although not primarily designed as a traffic measurement tool, many works have proposed to use measured data from OpenFlow to support, e.g., traffic engineering or security in OpenFlow-enabled networks. These works, however, generally do not question or address the quality of actual measured data obtained from OpenFlow devices. Therefore, in this paper we assess the quality of measurements in real OpenFlow devices from multiple vendors. We demonstrate that inconsistencies and measurement artifacts can be found due to particularities of different OpenFlow implementations, making it impractical to deploy an OpenFlow measurement-based approach in a network consisting of devices from multiple vendors. In addition, we show that the accuracy of measured packet and byte counts and flow durations varies among the tested devices, and in some cases counters are not even implemented for the sake of forwarding performance.

    SSHCure: SSH Intrusion Detection using NetFlow and IPFIX

    With this poster, we present our SSH Intrusion Detection System named SSHCure: it is the first IDS capable of distinguishing successful attacks from unsuccessful attacks, thus detecting actual compromises. As powerful as SSH is to administrators, it is just as attractive to anyone with malicious intent. Measurements showing more than 700 attacks on NRENs per day emphasize this. This number is also the source of the main problem in existing detection systems: while 699 of these attacks are typically unsuccessful and therefore not interesting to network administrators or CSIRT members, a single successful one is. And its consequences possibly include severe damage to the target hosts themselves, other hosts in the network, or even the network itself: an NREN should be informed as quickly as possible when this happens, so adequate actions can be undertaken. In SSHCure, we implement a detection algorithm based on flow export technologies, i.e., NetFlow and IPFIX. A flow-based approach offers clear performance benefits over packet-based approaches in large-scale networks. The packet payloads are not available in flow data, making it more privacy preserving, while the loss of information (in comparison to a packet-based approach) is limited due to the encrypted nature of SSH. We show, however, that flow data offers sufficient information to perform accurate detection. Moreover, flow export technologies are widely available on high-end networking devices. SSHCure is a plugin for NfSen, a flow collector for NetFlow and IPFIX used by many in the NREN community, and is therefore easy to install and use within all kinds of networks. The adoption of SSHCure underlines this, as it is currently deployed at several large commercial ISPs, CERTs and NRENs. All of these types of organizations need to be able to act swiftly when a compromise has been observed, and SSHCure is designed to support that: the web interface offers clear insight into the situation, including detailed information on both attacker and targets, comprehensible visualisations of network flows, and raw flow data for extensive analysis if needed. This is backed up by a flexible notification system, and (currently under development) integration with incident reporting systems via standard protocols (e.g. IODEF or X-ARF). SSHCure, available via Sourceforge, has been in development for 2.5 years, and is still actively being developed and supported. The first prototype was presented at the Autonomous Infrastructure, Management and Security conference (AIMS) in 2012, and promising results were achieved. With the latest available version, we performed extensive validation using datasets from both campus and backbone networks. Results show detection rates up to 100%. By presenting our poster at TNC, we hope to expand our audience and explain how NRENs can benefit from SSHCure in their operations.