GLOBAL GUARD MEETING
March 23, 1999
3085 ENG II
1:00-2:00 p.m.

In attendance:
Karl Levitt (KL), Jeff Rowe (JR), Chris Wee (CW), David O’Brien (DOB), David Klotz (DK), and Steven Templeton (ST)



TOPICS: Papers/Upcoming Conferences; Summarize/Revisit SMURF Attack
    1. Papers/Upcoming Conferences
      1. Applications Conference (Due May 28th): ST - misuse; IDIP discovery coordinator/cost model, JH - LaSCO
      2. Raid (Due May 21st): Global Guard, Response
      3. IEEE Networks (Due June 1st): GrIDS, IDIP (update Applications conference), CYC database
      4. Karl needs to finish the progress report using 1/2 Stuart's work.
    2. Summarize/Revisit SMURF Attack
      1. ST: We're trying to determine the attacker's intention; what you will see; the attacker's motivation; the information needed to ID a SMURF. We've built up a small feature set; it's not clear exactly what's going on. There are differences between the spoofed Mac and the non-spoofed Mac.
      2. Possible Motives: Take up bandwidth (DOS), frame someone else, tickle the ID response system to attack someone else.
      3. Goals (Answer the following questions):
        1. Are we seeing an attack?
          1. Probability that it is an attack - correlate with fact base
          2. Determine likelihood - between probability and certainty factor
          3. Is it an attack, a diagnostic problem, random problem, typo?
        2. Is the attack dangerous/serious?
        3. Where is the attack coming from?
        4. Is the attack likely to spread?
          1. Is it confined to the local network?
          2. Can we catch it and stop future iterations?
        5. What information do we see?
          1. If we only see some information, what can we infer about the nature of the attack?
          2. What else could be responsible for this activity?
            1. Rate issue - if local, activity is more likely to be legitimate.
        6. What can we do? Response
          1. May need to hold off judgement, correlate with facts before doing response.
Notation:
X = primary target subnet; Y = other subnet; Zi = some other host site
X̄ = broadcast address for X; Ȳ = broadcast address for Y; Zi ∉ X ∪ Y
X = X - {X̄}; Y = Y - {Ȳ}
Xi = some host in X; Yi = some host in Y

α = actual address of attacker ∈ {Zi, Xi}
β = source address in attack packet ∈ {Zi, Xi, Yi, Ȳ, X̄, Zj}
γ = destination address in attack packet ∈ {Xj, X̄}

Cases: destination address of attack = X̄. Attack: (α, β, γ, icmp echo request) for Smurf

  α  | β  | γ = X̄
  Zi | Zi | Non-spoofed Smurf
     | Xi | N/A
     | Yi | Spoofed Smurf → Yi
     | X̄  | Feedback magnify X → X
     | Ȳ  | Magnify X → Y
     | Zj | X → Zj

  α  | β  | Mac | Spoofed Mac
  Xi | Zi |     | ✓
     | Xi | ✓   |
     | Yi |     | ✓
     | X̄  | ✓   | ✓
     | Ȳ  |     | ✓
     | Zj |     |
     | Xj |     | ✓
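To make the case analysis above concrete, here is an added Python example (not from the meeting or the Global Guard project) that classifies packet records seen on subnet X against the (α, β, γ) notation and uses the frame's source MAC to infer whether the real sender is inside X. The subnets, the ARP table and the record format are assumptions.

```python
import ipaddress

# Constructed topology (assumption, not taken from the minutes): X is the primary
# target subnet, Y is the other subnet, any other address is some other site Zi/Zj.
X_NET = ipaddress.ip_network("192.0.2.0/24")
Y_NET = ipaddress.ip_network("198.51.100.0/24")
# Constructed ARP knowledge for X: which MAC legitimately owns each local host.
ARP_TABLE = {"192.0.2.10": "aa:aa:aa:00:00:10", "192.0.2.20": "aa:aa:aa:00:00:20"}

# Amplification outcome for a trigger packet with gamma = Xbar, keyed by the role of beta.
OUTCOME = {
    "Zi": "external source: replies go there (non-spoofed Smurf if sender, else X -> Zj)",
    "Xi": "N/A",
    "Yi": "spoofed Smurf, X amplifies toward Yi",
    "Xbar": "feedback, X amplifies toward X",
    "Ybar": "X amplifies toward Y",
}

def role(addr):
    """Map an address onto the notation of the minutes: Xbar, Ybar, Xi, Yi or Zi."""
    ip = ipaddress.ip_address(addr)
    if ip == X_NET.broadcast_address:
        return "Xbar"
    if ip == Y_NET.broadcast_address:
        return "Ybar"
    if ip in X_NET:
        return "Xi"
    return "Yi" if ip in Y_NET else "Zi"

def sender_location(pkt):
    """Infer alpha from the frame's source MAC: is the real sender a host in X?"""
    if ARP_TABLE.get(pkt["src"]) == pkt["src_mac"]:
        return "alpha=Xi, source address not spoofed"
    if pkt["src_mac"] in ARP_TABLE.values():
        return "alpha=Xi, source address spoofed"
    return "alpha=Zi (arrived via router) or MAC spoofed"

def classify(pkt):
    """Return (outcome, sender) for a Smurf trigger packet, or None otherwise."""
    if pkt["proto"] != "icmp-echo-request" or role(pkt["dst"]) != "Xbar":
        return None
    return OUTCOME[role(pkt["src"])], sender_location(pkt)

# Constructed packet records, as a sensor on subnet X might log them.
RECORDS = [
    {"src": "198.51.100.7", "dst": "192.0.2.255", "src_mac": "00:00:5e:00:53:01", "proto": "icmp-echo-request"},
    {"src": "192.0.2.255", "dst": "192.0.2.255", "src_mac": "aa:aa:aa:00:00:20", "proto": "icmp-echo-request"},
    {"src": "192.0.2.10", "dst": "192.0.2.20", "src_mac": "aa:aa:aa:00:00:10", "proto": "icmp-echo-request"},
]
```

Only echo requests aimed at X̄ are treated as Smurf triggers; the third record is an ordinary unicast ping and is ignored.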