Level 3 Communications

Chris Richter

Are You a Good Packet or a Bad Packet?

“Who are you? Why are you here? Where are you going? Where have you been? Who have you been in contact with on your way here? You look suspicious to me, so why should I trust you?”

No, this is not a blog about grilling spies, operatives or subversives. It’s about interrogating IP packets – the couriers of the data that empowers our global networks – and uncovering their true missions. Just as humans can reveal a great deal about themselves and their motives through their behaviors and actions, so can packets. You can tell a lot about a packet from knowing what it looks like, where it’s been and where it’s headed.

If you look closely, you’re bound to find enough information to determine if a packet is good or bad – without even knowing the contents of its payload. For example, you can figure out if it contains malware intended to deliver the next devastating cyber-attack. A packet’s intention, so to speak, will reveal itself if you know what to look for and put the necessary work into identifying its characteristics and behaviors.

For starters, just taking a gander at packet headers can tell you a lot. Packets are the fundamental units that transport data from one point to another in the network. Packets come in different shapes and sizes, and each contains a header that contains identifying information. Header contents include the sender’s and recipient’s IP addresses, packet length and how many “hops” (routers, switches and access points) the packet is allowed to make before expiring.

Knowing header information, such as packet origin, destination and all the hops in between, starts to build a picture of what kind of a packet you’re dealing with.

Why Packets?

When analyzing network packets from a security standpoint, the primary question is, “Will this particular packet deliver a nefarious payload?” Even with firewalls, antivirus, content filtering and other security tools in place, an organization can still suffer an attack. Hackers have become extremely savvy at writing code to evade detection. For instance, some packets are designed to evade all antivirus programs in existence, automatically morphing whenever detected by an anti-malware tool.

Faced with this level of cunning, cybersecurity researchers must analyze traffic flows and individual packet traits to prevent attacks. This isn’t unlike detective work, where you’re putting together pieces of evidence to solve a mystery, or medical research that studies patterns to predict an outcome.

A packet’s derived reputation and behavior help predict what the outcome might be once the packet is delivered. A packet might be carrying a piece of code that doesn’t look like malware, but when reassembled with other components, forms a malware program. Or a packet could contain data meant to break into an Active Directory system with a fake ID that can go undetected for weeks or months. Malware authors use all kinds of tricks to avoid detection. So, how can you determine whether a packet is carrying a malicious payload if you can’t look inside it?  

Suspicious Traffic

By looking at packet traffic, you can track packet behavior. You might determine certain types of packets are “sniffing around” specific areas a few minutes every other day or several hours a week. If you’re paying attention, you start to see patterns that indicate an attack is imminent. You might also determine a packet could be nefarious if it is communicating with an anonymized proxy-server, or with servers located in rogue nation-states.

This field of research, called behavior analytics, is becoming increasingly important in cybersecurity. As quantum mechanics promises unbreakable encryption algorithms, and vast amounts of data (including malware) can be embedded within DNA, cybersecurity professionals must look at new techniques to defend their organizations’ data. Global network service providers have a satellite-like view of the movement of a huge amount of traffic, including the hops a packet takes on its journey from origin to destination – an essential component of packet behavior analysis.

Denial of service attack on centralized server

Many times, attackers conduct test runs, as happened with the DDoS (distributed denial of service) assault on DNS (domain name server) service provider Dyn in October 2016. If we can identify these test runs by examining traffic flows and packet traits, we can help intended targets protect themselves. 


Unwitting Accomplices

Studying packets and traffic is becoming more critical as vast legions of objects and machines become connected through the Internet of Things (IoT). In addition to computers, attackers can find ways to hijack home routers, appliances and other devices to deliver cyber attacks. In the 2016 Dyn attack, security webcams were used.

hand holding a smart phone during a skype video

Anyone can be an unwitting accomplice in an attack. A user sitting happily on a FaceTime or Skype session with a colleague may not even realize their smartphone or laptop has been turned into an attack bot. The user may notice that suddenly the frame begins to pixelate or freeze, or the sound gets garbled. In some instances, these hiccups are the effects of an attack underway.

Hackers are experts at finding vulnerabilities in everyday appliances and devices before product manufacturers even notice the flaws. And you can bet that if hackers find a vulnerability, they’ll find a way to exploit it.

Share the Wealth

When Level 3 cybersecurity analysts detect indicators of compromise (IOC), we notify the targets – including organizations that are not our customers. Many times, companies have no idea they are under attack until we tell them that, say, data is being exfiltrated from their network to a server in Eastern Europe or some other unintended destination.

We’re able to proactively warn businesses because, as a large internet service provider, we can study and observe packet headers and general behavior 24/7. As traffic flows through our network, we monitor massive volumes of data that inform us when hackers are up to no good. We use machine learning, heuristics and other techniques to identify not just IOCs, but also predictors of compromise (POCs). There’s no need to see what’s inside a packet – the packet’s history and behavior patterns provide insights that help us understand and forecast things to come – capabilities we believe are the future of data security.

Of course, other providers also collect this type of data and notify their targeted customers. At Level 3, we believe all providers should be sharing information about hackers and malware, not just with customers and victims, but with each other. In doing so, we would strengthen the cybersecurity ecosystem. By sharing intelligence more freely, we will all be better equipped to identify when a packet is a good packet or a bad packet.