Introduction

The war in Iraq and the War on Terror have changed the focus of all three levels of government. Federal, state and local government - all three are seeking better ways to protect themselves, their equipment and data while working amid pressure-filled and dangerous situations. Of course, security has been the buzzword on Capitol Hill for some time, but generally speaking, physical security took initial priority, followed by outer system protection through intrusion detection and patch management. Security at the application level hasn't happened yet and is really the most critical. Attacks are becoming more sophisticated than worms or even viruses, and can shut down entire systems.

There are many ways to monitor and analyze your network traffic and protect it from Internet intrusions. Organizations commonly use a firewall for network protection. Although firewall logs often provide a great deal of information about intrusion attempts, there is sometimes too much data to sort through when a problem has to be resolved quickly. Some organizations also use intrusion detection systems (IDS) on border routers to analyze incoming traffic for patterns that indicate specific problems. But a firewall or intrusion detection system is used primarily on the borders with the Internet, rather than on internal networks. This is one of the reasons why Cisco's NetFlow came to the rescue.

Netflow Overview

Netflow is a traffic monitoring and analysis technology developed by Darren Kerr and Barry Bruins at Cisco Systems. Netflow describes the method by which a router and/or intelligent switch exports statistics about the data flow, and this built-in feature is found on most Cisco routers as well as Juniper, Extreme Networks, Riverstone etc. NetFlow technology provides the data necessary to effectively analyze trend and baseline application data as it passes through the network. It can then be exported to a reporting package and can provide the information necessary to manage critical business applications.

What is Netflow?

Netflow is defined as a unidirectional sequence of packets between a given source and destination, which means there will be two flows for each connection session: one from the server to the client and one from the client to the server. In order to distinguish flows from one another, the source and destination addresses, protocol and port numbers are used. The Type of Service and source input interface index are also used to uniquely identify the flow to which a packet belongs. A flow is determined to have ended when it has been idle for a specified length of time, when it has become older than a specified age (30 minutes by default) or, when the flow is a TCP connection, when a FIN or RST has been sent. The router may expire flows more aggressively if it is running out of cache space.

A number of router vendors have implemented their own version of netflow, but version 5 is now the most common. For NDE version 5, every single UDP packet contains one flow header and at most thirty flow records. Every flow record is made up of several base fields and the rest, which include: next hop address, output interface number, number of packets in the flow, total bytes in the flow, source and destination AS number, source and destination network length and TCP flags (cumulative OR of the TCP flags).

What is Caligare Flow Inspector?

Caligare Flow Inspector is a unique network software solution for companies who need to plan, build, maintain and manage their network and at the same time keep their network more secure and efficient. Caligare Flow Inspector is a web-based bandwidth monitoring tool that uses NetFlow data export to provide detailed traffic statistics that help answer the who, what, when and where of bandwidth usage. CFI software was engineered to create a secure network-monitoring platform based on industry standards that will fit your existing security policies. The result is the ability to monitor in real time, significantly reducing the time it takes to identify a problem and troubleshoot it. CFI keeps track of what is happening in your corporate network, detecting attacks and warning you of problematic network users. All information about network activities is archived in a central database.

Baseline Analysis

A baseline analysis is a model describing what "normal" network activity is according to some historical traffic pattern; any other traffic that falls outside the scope of this traffic pattern will be flagged as malicious. Trend analysis reporting is the most common and basic method of doing flow-based analysis. In netflow analysis the main focus is on records that have some "special high traffic volume" attribute, especially the value of those flow fields that deviate significantly from an established historical baseline. Normally there are two ways to make use of baseline analysis methods: top sessions and top data.

Top sessions

Top sessions means a single host tries to open an abnormally high volume of connections to a single node or block of nodes. The most common reasons for this activity are worms, denial of service attacks and network scans. Common clients connecting to the Internet should keep a relatively normal connection frequency. But if a host is infected with a worm, it will behave very differently. It will mostly open a huge number of connections to the destination in its attempts to infect the next batch of victims. For the same reason, when a lesser-skilled "script kiddie" is scanning a large block of addresses for certain vulnerable services, we will see especially high volume sessions sent out by that single IP address. We can also use the top sessions method to detect many kinds of network abuse, such as checking the flow records for port 25 connection requests sent out by every single host in real time. In a given duration, for any host, if the statistics of port 25 requests are above a 'normal' value, it could be considered to be a spammer or someone infected with some kind of email worm. It would be better for the Internet as a whole if service providers started using this technology and shut down the spammers upon detection.

Top data streams

A second method of using baseline analysis is top data. This can be defined as a large amount of network data transferred in a certain period of time from a single host to a single destination or block of destinations. The top hosts that transfer traffic data to or from the outside in an enterprise should be ranked into relatively fixed groups. If this pattern changes, and a new host suddenly appears in the top hosts matrix, an alert should be triggered.

How to find out if I am being attacked?

Traffic inspection and analysis is a very complex problem. On the market there are many tools such as IDS, network traffic dumps or network probes, but few of them can process large traffic volumes (e.g. 10TB/hour). We decided to use netflow data export (NDE), which is widely available on most high-end routers, for user tracking and real time data flow analysis. Netflow brings a transparent view of what is happening in your network. There are several methods for detecting whether "your" network is under attack:

- Packet size distribution. Many short packets (more than 60%) may signify suspicious traffic.
- Many connections from a single host to a considerable number of destinations.
- Use of reserved or private IP addresses on the Internet.
- Excessive number of ICMP messages.

In the latest version of Caligare Flow Inspector software a packet distribution statistic is implemented. In our company we are using a small honey pot network (without any real stations) for attack analysis. You can use the following steps to locate the source of the problem and some tips on how to filter suspicious traffic.

Finding infected stations in your network

NetFlow Inspector software is the ideal tool for detecting worm sources (infected stations) in your network. The Trends menu may be used for this type of analysis. The following example gives you information on how to find infected stations in your local network. Log into Caligare Flow Inspector and run the following steps:

1. Select the collector that stores netflow data exports (in our case: router R01).
2. In the table selector choose the current hourly table.
3. Select statistic: source host distributions.
4. Set source interface (Gigabit Ethernet 1/1).
5. Set destination interface (not Gigabit Ethernet 1/1).
6. Run search query.

After displaying source host distributions you can view the top ten source IP addresses sorted by the number of unique destination IP addresses used. These source IP addresses are candidates for infected stations. Check the result and select possibly infected stations (an infected station polls more than 500 unique destinations in most cases). Ignore your servers that are normally heavily used; web or application servers normally generate many connections to many destinations. Write the top 5 sources to your notebook and then continue to the infected station confirmation step.

For each candidate IP address run the following query:

1. Set statistic: destination ports by packet.
2. Source IP address: the candidate address.
3. Run search query.

Check the destination ports that are in use by the potentially infected station. In most cases (when the station is infected) you will see some of the following ports: netbios (137, 138, 139), microsoft-ds (445), ms-sql-s (1433), www (80, 3128) etc. (see picture 4). Now is a good time to consider whether your candidate is infected or not. The decision is yours, because only you know "your" network and servers. If a station opens more than 500 unique destination connections to port 1433, this seems like very suspicious activity.

How to find out who attacked my network?

The infected station tries to open a connection to all the servers in your network. You can simply locate this attack by finding the source host that is trying to open connections to various destinations in your local network. Check the section "Finding worm sources in your network" for how to find these source hosts. Sophisticated worm sources do NOT poll your whole network, but instead randomly or pseudo-randomly try to open a single host connection from time to time. Locating these attackers is difficult but NOT impossible! You can use TCP flags and ICMP tracking. When the attacker tries to open a TCP connection to an unused destination IP address the TCP SYN flag is set. If the connection is successful you will see the cumulative TCP flags SYN and ACK; if the connection is unsuccessful you will see only flows with the SYN flag. You can count the unsuccessful connections for every source IP address outside your network, and the source with the most such connections is your attacker candidate. If the attacker is using the UDP protocol and polls your whole network, an excessive number of ICMP messages will be generated.

How to find out who attacked me?

If you suspect (or know) that your station is the victim of an attack, then you probably want to know who the attacker is. Locating the attacker is simple if the source IP address is NOT spoofed. Select the "Trends" menu and use the "Source host by packet" statistic. Type your IP address (the victim) into the destination host field and run the search query. The result is a list of source hosts that communicated with you, sorted by number of packets. Often the first host listed is the attacker. In case the source IP address is spoofed (often a reserved or private IP address is used) you can only locate the source interface through which the malicious traffic is coming into your station. You cannot filter this attacker if he uses random source IP addresses; you can only contact your provider or your ISP peer operator.

Protection and Prevention

You can use many protection mechanisms; these are widely available through access lists on Cisco routers.

1. Create a new access list: ip access-list extended
2. Add a block rule: deny ip any
3. Repeat step 2 for each attacker.
4. Permit any other traffic.
5. Check the access list rules: show ip access-list
6. Apply the access list on the source interface: ip access-group in

Example:

    configure terminal
    ip access-list extended block_attacker
    deny ip 10.0.0.0 0.255.255.255 any
    deny ip 192.168.0.0 0.0.255.255 any
    deny ip 80.95.102.33 0.0.0.0 any
    permit ip any any
    permit pim any any
    permit igmp any any
    exit
    interface GigabitEthernet 1/1
    ip access-group block_attacker in
    exit

Be very careful before updating an access list! On many routers the default rule is to drop any traffic if an access list exists. We recommend removing the access list from the interface, then creating a new access list and reassigning it to the interface. Picture 3 shows the result of applying the access list on our router R01; it was applied at 10:03.

Summary

This attack detection manual has discussed the flow-based analysis of malicious traffic and abnormal activities. With the top sessions and top data methods, network administrators can simply detect network anomalies in real time more effectively. There is no universal process for finding the source of an attack, but with Caligare Flow Inspector software we may make your corporate network run better. The full story with images and examples is on the Caligare web site.

Caligare delivers the most intelligent and secure networking solutions in the industry, and we back the program with our commitment to making our partners successful. We measure success in terms of customer satisfaction, as well as partner profitability. Caligare is providing the Linux based software, to provide a solution that dramatically reduces the cost of providing security, for the midsize and large businesses or agencies. Our goal is to help our customers get an efficient software tool at a reasonable price.