The Afterglow Effect and Peer 2 Peer Networks
Jay Radcliffe
June 2010
GIAC: GSEC Gold, GCIH Gold, GCIA Gold, GCFA, GLEG, GLIT, GSPA, GLDR, GPEN, GWAPT
SANS Technology Institute - Candidate for Master of Science Degree

Objective
• How can statistical analysis be used to view network connections?
• What types of connection patterns can be found in peer-to-peer afterglow traffic?
• Can any pattern or marker be identified that could indicate malicious post-termination connections?

What is P2P Networking?
• Peer-to-peer networking is a distributed architecture designed to make file sharing more efficient.
• BitTorrent is a P2P methodology that uses trackers to track who is participating in the sharing of a single torrent, which may contain one or more files.

P2P Afterglow
• An “Afterglow” connection is one that occurs after the client has terminated the P2P session.
• The tracker removes the IP address from the list of participating clients after a certain period of time, usually less than 20 minutes.

Test Setup
• The client sits behind a firewall with a monitoring box running Snort.
• Snort rules are set up to record new TCP connections (SYN only) and UDP connections on the specified unique port number.

Test Conditions
• Initiate a BitTorrent P2P session using a Fedora installation DVD ISO image. Terminate the torrent session after twelve hours.
• Continue monitoring for 14 hours after termination, tracking afterglow connections.

Test Data Results
• Connections are tallied in 10-minute increments (e.g. 00:00-00:10: 20 connections).

Results (Quantitative)
• The data had a non-standard distribution, which skews typical statistical analysis.
• All three test runs showed wide variance in standard deviation and skew.

              Trial #1      Trial #2       Trial #3
  N           170           312            526
  Mean (SD)   1.54 (3.41)   9.99 (17.05)   15.31 (60.66)
  Skew        3.38          0.28           54.92
  Kurtosis    13.72         5.51           176.60

Results (Qualitative)
[chart]

Results (Source Country)
• Whois/ARIN data was used to look up the source countries of the afterglow connections.

  Trial #1                 Trial #2               Trial #3
  USA            26.77%    USA          29.73%    USA       20.36%
  Brazil         24.80%    China         7.68%    Brazil     6.41%
  Russia          7.87%    Poland        4.87%    Russia     5.81%
  Great Britain   7.87%    Thailand      4.55%    Canada     5.23%
  Netherlands     7.48%    France        4.29%    China      4.47%

Unique Anomaly
[chart]

Unique Anomaly
• Theories on why there are spikes every two hours:
  – Unique client code (timeout/retry, cached client list)
  – Dropped or filtered traffic
  – Malicious retry to verify disconnection

Study Limitations
• Limited number of trial runs
• Identical “safe” torrent files
• Wide variance in data connection rates

Directions for the Future
• Ideas for follow-up research:
  – Client identification (certain P2P clients might have a fingerprint or signature)
  – Packet analysis (flags or structure in afterglow connections that identify malicious or non-typical connections)
  – Traffic analysis (do other protocols/attacks exhibit similar patterns, such as a 2-hour retry with 5 attempts?)
  – Torrent variance (movies, music, etc.)

Summary
• Certain qualitative statistical analysis can be used to look at network traffic for anomalies and patterns. Quantitative analysis is more difficult.
• Unexplained connection patterns exist in P2P afterglow connections.
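As an added worked example (not part of the presentation), the tally and descriptive statistics from the Test Setup, Test Data Results and Results (Quantitative) slides, run over constructed Snort fast-alert lines. The torrent port 6881, the termination timestamp, the population-moment estimators for skew and kurtosis, and the mean + 2 SD spike threshold are assumptions, not values from the slides.

```python
import math
import re
from datetime import datetime

BIN_SECONDS = 600        # 10-minute tally increments, as in the test setup
TORRENT_PORT = 6881      # assumed unique client port (the slides do not name it)
SESSION_END = datetime(2010, 6, 15, 0, 0)   # assumed torrent termination time
WINDOW_BINS = 84         # 14 hours of monitoring after termination

# Snort "fast" alert line: timestamp ... {PROTO} src:port -> dst:port
FAST_RE = re.compile(r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+ .*\{(?:TCP|UDP)\} "
                     r"[\d.]+:\d+ -> [\d.]+:(?P<dport>\d+)")

SAMPLE = [  # constructed alert lines, not captured data
    "06/15-00:03:10.000000 [**] [1:1000001:1] P2P SYN [**] {TCP} 203.0.113.7:51000 -> 192.0.2.10:6881",
    "06/15-00:04:55.000000 [**] [1:1000002:1] P2P UDP [**] {UDP} 198.51.100.9:6881 -> 192.0.2.10:6881",
    "06/15-00:12:00.000000 [**] [1:1000001:1] P2P SYN [**] {TCP} 203.0.113.8:52000 -> 192.0.2.10:6881",
    "06/15-00:13:00.000000 [**] [1:1000001:1] P2P SYN [**] {TCP} 203.0.113.9:52001 -> 192.0.2.10:22",
    "06/15-02:01:30.000000 [**] [1:1000001:1] P2P SYN [**] {TCP} 203.0.113.5:40000 -> 192.0.2.10:6881",
]

def bin_alerts(lines, port=TORRENT_PORT, start=SESSION_END, n_bins=WINDOW_BINS):
    """Tally afterglow connections per 10-minute bin after session termination."""
    counts = [0] * n_bins
    for line in lines:
        m = FAST_RE.search(line)
        if not m or int(m["dport"]) != port:
            continue                         # not traffic to the torrent port
        # fast alerts carry no year; take it from the termination timestamp
        ts = datetime.strptime(f"{start.year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S")
        idx = int((ts - start).total_seconds() // BIN_SECONDS)
        if 0 <= idx < n_bins:                # ignore anything outside the window
            counts[idx] += 1
    return counts

def describe(counts):
    """N, mean, SD, skew and excess kurtosis (population-moment form)."""
    n = len(counts)
    mean = sum(counts) / n
    m2, m3, m4 = (sum((c - mean) ** k for c in counts) / n for k in (2, 3, 4))
    sd = math.sqrt(m2)
    skew = m3 / sd ** 3 if sd else 0.0
    kurt = m4 / sd ** 4 - 3 if sd else 0.0
    return {"N": sum(counts), "mean": mean, "sd": sd, "skew": skew, "kurtosis": kurt}

def spike_bins(counts, k=2.0):
    """Bins more than k SDs above the mean; spikes 12 bins apart are 2 hours apart."""
    s = describe(counts)
    return [i for i, c in enumerate(counts) if c > s["mean"] + k * s["sd"]]
```

With the constructed sample, bins 0, 1 and 12 are flagged; the 12-bin gap between bins 0 and 12 is the two-hour spacing the Unique Anomaly slide describes.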