Introduction

The war in Iraq and the War on Terror have changed the focus of all three levels of government. Federal, state and local government - all three are seeking better ways to protect themselves, their equipment and data while working amid pressure-filled and dangerous situations. Of course, security has been the buzzword on Capitol Hill for some time, but generally speaking, physical security took initial priority, followed by outer system protection through intrusion detection and patch management. Security at the application level hasn't happened yet and is really the most critical. Attacks are becoming more sophisticated than worms or even viruses, and can shut down entire systems.

There are a lot of ways to monitor and analyze your network traffic and protect it from Internet intrusions. Organizations commonly use a firewall for network protection. Although firewall logs often provide a huge amount of information regarding intrusion attempts, sometimes there is too much data to sort through when there is a problem you cannot resolve quickly. Some organizations also use intrusion detection systems (IDS) on border routers to analyze incoming traffic for patterns that indicate specific problems. But a firewall or intrusion detection system is used primarily on the borders with the Internet, rather than on internal networks. This is one of the reasons why Cisco's NetFlow came to the rescue.

Netflow Overview

Netflow is a traffic monitoring and analyzing technology developed by Darren Kerr and Barry Bruins at Cisco Systems. Netflow describes the method for a router and/or intelligent switch to export statistics about the data flow, and this built-in feature is found on most Cisco routers, as well as Juniper, Extreme Networks, Riverstone etc. NetFlow technology provides the data necessary to effectively analyze trend and baseline application data as it passes through the network. It can then be exported to a reporting package and can provide the information necessary to manage critical business applications.

What is Netflow?

A flow is defined as a unidirectional sequence of packets between a given source and destination, which means there will be two flows for each connection session: one from the server to the client and one from the client to the server. In order to distinguish flows from one another, the source and destination addresses, protocol and port numbers are used. The Type of Service and source input interface index are also used to uniquely identify the flow to which a packet belongs. A flow is determined to have ended when it has been idle for a specified length of time, when it has become older than a specified age (30 minutes by default) or, when the flow is a TCP connection, when a FIN or RST has been sent. The router may expire flows more aggressively if it is running out of cache space.

A number of router vendors have implemented their version of netflow, but version 5 is now the most common. For NDE version 5, every single UDP packet contains one flow header and at most thirty flow records. Every flow record is made up of the base fields described above and further fields which include: next hop address, output interface number, number of packets in the flow, total bytes in the flow, source and destination AS number, source and destination network mask length and TCP flags (cumulative OR of the TCP flags seen in the flow).

What is Caligare Flow Inspector?

Caligare Flow Inspector is a unique network software solution for companies who need to plan, build, maintain and manage their network and at the same time keep their network more secure and efficient. Caligare Flow Inspector is a web-based bandwidth monitoring tool that uses NetFlow data export to provide detailed traffic statistics that help answer the who, what, when and where of bandwidth usage.

CFI software was engineered to create a secure network-monitoring platform based on industry standards that will fit your existing security policies. The result is the ability to monitor in real time, significantly reducing the time it takes to identify and troubleshoot problems. CFI keeps track of what is happening in your corporate network, detecting attacks and warning you of problematic network users. All information about network activities is archived in a central database.

Baseline Analysis

A baseline analysis is a model describing what "normal" network activity is according to some historical traffic pattern; any other traffic that falls outside the scope of this traffic pattern will be flagged as malicious. Trend analysis reporting is the most common and basic method of doing flow-based analysis. In netflow analysis the main focus is on records that have some "special high traffic volume" attribute, especially those whose flow field values deviate significantly from an established historical baseline. Normally there are two ways to make use of baseline analysis methods: top sessions and top data.

Top sessions

Top sessions means a single host tries to open an abnormally high volume of connections to a single node or block of nodes. The most common reasons for this activity are worms, denial of service attacks and network scans. Common clients connecting to the Internet should keep a relatively normal connection frequency. But if a host is infected with a worm, it will act completely differently. It will mostly open a huge number of connections to the destination in its attempts to infect the next batch of victims. For the same reason, when a lesser-skilled "script kiddie" is scanning a large block of addresses for certain vulnerable services, we will see an especially high volume of sessions sent out by that single IP address.

We can also use the top sessions method to detect many kinds of network abuse, such as checking the flow records for port 25 connection requests sent out by every single host in real time. In a given duration, for any host, if the statistics of port 25 requests are above a 'normal' value, it could be considered to be a spammer or someone infected with some kind of email worm. It would be better for the Internet as a whole if service providers started using this technology and shut down the spammers upon detection.

Top data streams

A second method of using baseline analysis is top data. This can be defined as a large amount of network data transferred in a certain period of time from a single host to a single destination or block of destinations. The top hosts that transfer traffic data to or from the outside in an enterprise should be ranked into relatively fixed groups. If this pattern changes, and a new host suddenly appears in the top hosts matrix, an alert should be triggered.

How to find out if I am being attacked?

Traffic inspection and analysis is a very complex problem. On the market there are many tools such as IDS, network traffic dumps or network probes, but few of them can process big traffic volumes (e.g. 10TB/hour). We decided to use netflow data export (NDE), which is widely available on most high-end routers, for user tracking and real time data flow analysis. Netflow brings a transparent view of what is happening in your network. There are several methods of detecting whether "your" network is under attack:

- Packet size distribution. Many short packets (more than 60%) may signify suspicious traffic.
- Many connections from a single host to a considerable number of destinations.
- Use of reserved or private IP addresses on the Internet.
- Excessive number of ICMP messages.

In the latest version of Caligare Flow Inspector software a packet distribution statistic is implemented. In our company we are using a small honey pot network (without any real stations) for attack analysis. You can use the following steps to locate the source of the problem, and some tips on how to filter suspicious traffic.

Finding infected stations in your network

NetFlow Inspector software is the ideal tool for detecting worm sources (infected stations) in your network. The Trends menu may be used for this type of analysis. The following example gives you information on how to find infected stations in your local network. Log into Caligare Flow Inspector and run the following steps:

1. Select the collector that stores netflow data exports (in our case: router R01).
2. In the table selector choose the current hourly table.
3. Select statistic: source host distributions.
4. Set source interface (Gigabit Ethernet 1/1).
5. Set destination interface (not Gigabit Ethernet 1/1).
6. Run search query.

After displaying source host distributions you can view the top ten source IP addresses sorted by the number of unique destination IP addresses used. These source IP addresses are candidates for infected stations. Check the result and select possible infected stations (an infected station polls more than 500 unique destinations in most cases). Ignore your servers that are normally heavily used. Web or application servers normally generate many connections to many destinations. Write the top 5 sources to a notebook and then continue to the infected station confirmation step.

For each candidate IP address run the following query:

1. Set statistic: destination ports by packet.
2. Source IP address: the candidate IP address.
3. Run search query.

Check the destination ports that are in use by the potentially infected station. In most cases (when the station is infected) you will see some of the following ports: netbios (137, 138, 139), microsoft-ds (445), ms-sql-s (1433), www (80, 3128) etc. (see picture 4). Now is a good time to consider if your candidate is infected or not. The decision is yours, because only you know "your" network and servers. If a station opens more than 500 unique destination connections to port 1433, this seems like very suspicious activity.

How to find out who attacked my network?

The infected station tries to open a connection to all the servers in your network. You can simply locate this attack by finding the source host that is trying to open connections to various destinations in your local network. See the section "Finding infected stations in your network" above for how to find these source hosts. Sophisticated worm sources do NOT poll your whole network, but instead randomly or pseudo-randomly try to open a single host connection from time to time.

Locating these attackers is difficult but NOT impossible! You can use TCP flags and ICMP tracking. When the attacker tries to open a TCP connection to an unused destination IP address the TCP SYN flag is set. If the connection is successful you will see the cumulative TCP flags SYN and ACK; if the connection is unsuccessful you will see only flows with the SYN flag. You can count the unsuccessful connections for every source IP address outside your network, and the source with the most such connections is your attacker candidate. If the attacker is using the UDP protocol and polls your whole network, an excessive number of ICMP messages will then be generated.

How to find out who attacked me?

If you suspect (or know) that your station is the victim of an attack, then you probably want to know who the attacker is. Locating the attacker is simple if the source IP address is NOT spoofed. Select the "Trends" menu and use the "Source host by packet" statistic. Type your IP address (victim) into the destination host field and run the search query. The result is a list of source hosts who communicated with you, sorted by number of packets. Often the first host listed is the attacker. In case the source IP address is spoofed (often a reserved or private IP address is used) you can only locate the source interface through which the malicious traffic is entering your station. You cannot filter this attacker if he uses random source IP addresses; you can only contact your provider or your ISP peer operator.

Protection and Prevention

You can use many protection mechanisms; these are widely available through access lists on Cisco routers.

1. Create a new access list: ip access-list extended <name>
2. Add a block rule: deny ip <attacker address> <wildcard mask> any
3. Repeat step 2 for each attacker
4. Permit any other traffic
5. Check access list rules: show ip access-list
6. Apply the access list on the source interface: ip access-group <name> in

Example:

    configure terminal
    ip access-list extended block_attacker
    deny ip 10.0.0.0 0.255.255.255 any
    deny ip 192.168.0.0 0.0.255.255 any
    deny ip 80.95.102.33 0.0.0.0 any
    permit ip any any
    permit pim any any
    permit igmp any any
    exit
    interface GigabitEthernet 1/1
    ip access-group block_attacker in
    exit

Be very careful before updating an access list! On many routers the default rule is to drop any traffic if an access list exists. We recommend removing the access list from the interface, then creating the new access list and reassigning it to the interface. Picture 3 shows the result of applying the access list on our router R01; it was applied at 10:03.

Summary

This attack detection manual has discussed the flow-based analysis of malicious traffic and abnormal activities. With the top sessions and top data methods, network administrators can simply detect network anomalies in real time more effectively. There is no universal process for finding the source of an attack, but with Caligare Flow Inspector software we may make your corporate network run better. Full story with images and examples is on the:

Caligare delivers the most intelligent and secure networking solutions in the industry, and we back the program with our commitment to making our partners successful. We measure success in terms of customer satisfaction, as well as partner profitability. Caligare is providing Linux based software to provide a solution that dramatically reduces the cost of providing security for midsize and large businesses or agencies. Our goal is to help our customers get an efficient software tool at a reasonable price.
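The NetFlow v5 packet layout described under "What is Netflow?" (one header, at most thirty records, a flow identified by addresses, protocol, ports, Type of Service and input interface), as an added example that is not Caligare's or Cisco's code: a parser for a v5 export with a constructed two-record sample packet. The field names follow Cisco's published v5 layout; the sample addresses and counters are assumptions.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v5 wire format, network byte order: a 24-byte header followed by
# at most thirty 48-byte flow records (Cisco's published v5 field layout).
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts",
                 "dOctets", "first", "last", "srcport", "dstport", "pad1",
                 "tcp_flags", "prot", "tos", "src_as", "dst_as", "src_mask",
                 "dst_mask", "pad2")


def parse_v5(packet: bytes) -> list:
    """Parse one NetFlow v5 UDP payload into a list of flow-record dicts."""
    version, count = HEADER.unpack_from(packet, 0)[:2]
    if version != 5:
        raise ValueError(f"not a NetFlow v5 export (version={version})")
    if count > 30 or len(packet) < HEADER.size + count * RECORD.size:
        raise ValueError("record count does not match payload length")
    records = []
    for i in range(count):
        raw = RECORD.unpack_from(packet, HEADER.size + i * RECORD.size)
        rec = dict(zip(RECORD_FIELDS, raw))
        for key in ("srcaddr", "dstaddr", "nexthop"):
            rec[key] = str(IPv4Address(rec[key]))
        # Fields that distinguish one flow from another, as the text states:
        # addresses, protocol, ports, Type of Service and input interface.
        rec["flow_key"] = (rec["srcaddr"], rec["dstaddr"], rec["prot"],
                           rec["srcport"], rec["dstport"], rec["tos"], rec["input"])
        records.append(rec)
    return records


def build_sample_export() -> bytes:
    """Constructed two-record export: a SYN-only probe and a completed session."""
    header = HEADER.pack(5, 2, 123456, 1700000000, 0, 42, 0, 0, 0)

    def record(src, dst, sport, dport, tcp_flags, pkts, octets):
        return RECORD.pack(int(IPv4Address(src)), int(IPv4Address(dst)),
                           int(IPv4Address("10.0.0.1")), 1, 2, pkts, octets,
                           1000, 1010, sport, dport, 0, tcp_flags, 6, 0, 0, 0,
                           24, 24, 0)

    # Cumulative TCP flags: 0x02 = SYN only (unanswered), 0x1B = FIN|SYN|PSH|ACK.
    return (header
            + record("80.95.102.33", "10.1.1.5", 40000, 1433, 0x02, 1, 48)
            + record("10.1.1.7", "10.1.1.5", 50000, 80, 0x1B, 12, 6000))
```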
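The detection heuristics listed under "How to find out if I am being attacked?" (many unique destinations per source, private addresses arriving from the Internet, short-packet share) together with the SYN-without-ACK counting from "How to find out who attacked my network?", as an added example run over constructed flow records; this is not Caligare Flow Inspector's own code. The Internet-facing interface index, the 64-byte "short packet" cut-off and the sample addresses are assumptions.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

SYN, ACK = 0x02, 0x10
INTERNET_IF = 1  # assumed SNMP ifIndex of the Internet-facing input interface

def flow(src, dst, prot=6, dport=80, flags=SYN | ACK, pkts=10, octets=5000, inp=2):
    """Constructed flow record carrying only the v5 fields the heuristics use."""
    return {"srcaddr": src, "dstaddr": dst, "prot": prot, "dstport": dport,
            "tcp_flags": flags, "dPkts": pkts, "dOctets": octets, "input": inp}

def unique_destinations(records, threshold=500):
    """Sources with more than `threshold` unique destinations (the page's worm rule of thumb)."""
    dests = defaultdict(set)
    for r in records:
        dests[r["srcaddr"]].add(r["dstaddr"])
    return {s: len(d) for s, d in dests.items() if len(d) > threshold}

def syn_only_sources(records, local_nets):
    """Per external source, count TCP flows whose cumulative flags show SYN but never ACK."""
    local = [ip_network(n) for n in local_nets]
    counts = Counter()
    for r in records:
        if r["prot"] != 6 or not (r["tcp_flags"] & SYN) or r["tcp_flags"] & ACK:
            continue
        if not any(ip_address(r["srcaddr"]) in n for n in local):
            counts[r["srcaddr"]] += 1
    return counts.most_common()  # attacker candidate first

def private_sources_from_internet(records):
    """Reserved/private source addresses entering on the Internet interface (spoofing sign)."""
    return sorted({r["srcaddr"] for r in records
                   if r["input"] == INTERNET_IF and ip_address(r["srcaddr"]).is_private})

def short_packet_ratio(records, max_bytes=64):
    """Share of packets averaging under `max_bytes`; the size cut-off is an assumption."""
    total = sum(r["dPkts"] for r in records)
    short = sum(r["dPkts"] for r in records if r["dOctets"] / r["dPkts"] < max_bytes)
    return short / total if total else 0.0

def sample_records():
    """Constructed sample: worm-like internal host, external scanner, spoofed source, normal session."""
    recs = [flow("10.1.1.7", f"10.1.{i // 256}.{i % 256}", dport=1433, flags=SYN,
                 pkts=1, octets=48) for i in range(600)]
    recs += [flow("80.95.102.33", f"10.1.1.{i}", dport=445, flags=SYN, pkts=1,
                  octets=48, inp=INTERNET_IF) for i in range(1, 21)]
    recs.append(flow("192.168.5.5", "10.1.1.5", prot=17, dport=53, flags=0,
                     pkts=3, octets=600, inp=INTERNET_IF))
    recs.append(flow("10.1.1.9", "10.1.1.5"))
    return recs
```

Servers that legitimately talk to many destinations (the page's web and application servers) will also show up in `unique_destinations`, so the result is a candidate list to review, not a verdict.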