NSC 93-2213-E-110-045



Similar documents
Network Monitoring On Large Networks. Yao Chuan Han (TWCERT/CC)

Cisco IOS Flexible NetFlow Technology

Analysis of a Distributed Denial-of-Service Attack

Get Your FIX: Flow Information export Analysis and Visualization

Research on Errors of Utilized Bandwidth Measured by NetFlow

Security Toolsets for ISP Defense

CISCO INFORMATION TECHNOLOGY AT WORK CASE STUDY: CISCO IOS NETFLOW TECHNOLOGY

Flow Based Traffic Analysis

INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS

Fuzzy Network Profiling for Intrusion Detection

Strategies to Protect Against Distributed Denial of Service (DD

NetFlow use cases. ICmyNet / NetVizura. Miloš Zeković, milos.zekovic@soneco.rs. ICmyNet Chief Customer Officer Soneco d.o.o.

Application of Netflow logs in Analysis and Detection of DDoS Attacks

Fuzzy Network Profiling for Intrusion Detection

Viete, čo robia Vaši užívatelia na sieti? Roman Tuchyňa, CSA

Network forensics 101 Network monitoring with Netflow, nfsen + nfdump

Introduction of Intrusion Detection Systems

Intrusion Detections Systems

An Anomaly-Based Method for DDoS Attacks Detection using RBF Neural Networks

HP Intelligent Management Center v7.1 Network Traffic Analyzer Administrator Guide

Introduction to Netflow

Firewalls and Intrusion Detection

Question: 3 When using Application Intelligence, Server Time may be defined as.

Enabling NetFlow on Virtual Switches ESX Server 3.5

Computer Technology Department, De La Salle University, 2401 Taft Ave., Manila

Network Monitoring and Management NetFlow Overview

WhatsUpGold. v NetFlow Monitor User Guide

Case Study: Instrumenting a Network for NetFlow Security Visualization Tools

Firewalls Overview and Best Practices. White Paper

PANDORA FMS NETWORK DEVICE MONITORING

WHITE PAPER WHAT HAPPENED?

Firewall Firewall August, 2003

ICND2 NetFlow. Question 1. What are the benefit of using Netflow? (Choose three) A. Network, Application & User Monitoring. B.

2010 Carnegie Mellon University. Malware and Malicious Traffic

NetFlow Tips and Tricks

Dos & DDoS Attack Signatures (note supplied by Steve Tonkovich of CAPTUS NETWORKS)

Netflow Overview. PacNOG 6 Nadi, Fiji

Network Management & Monitoring

Introduction... Error! Bookmark not defined. Intrusion detection & prevention principles... Error! Bookmark not defined.

Network Security Monitoring and Behavior Analysis Pavel Čeleda, Petr Velan, Tomáš Jirsík

How To Set Up Foglight Nms For A Proof Of Concept

WHITE PAPER. FortiGate DoS Protection Block Malicious Traffic Before It Affects Critical Applications and Systems

Plugging Network Security Holes using NetFlow. Loopholes in todays network security solutions and how NetFlow can help

Flow Analysis Versus Packet Analysis. What Should You Choose?

nfdump and NfSen 18 th Annual FIRST Conference June 25-30, 2006 Baltimore Peter Haag 2006 SWITCH

Network Monitoring Comparison

PANDORA FMS NETWORK DEVICES MONITORING

CHAPTER 1 WhatsUp Flow Monitor Overview. CHAPTER 2 Configuring WhatsUp Flow Monitor. CHAPTER 3 Navigating WhatsUp Flow Monitor

Emerald. Network Collector Version 4.0. Emerald Management Suite IEA Software, Inc.

Using The Paessler PRTG Traffic Grapher In a Cisco Wide Area Application Services Proof of Concept

OfficeScan 10 Enterprise Client Firewall Updated: March 9, 2010

Network Monitoring and Traffic CSTNET, CNIC

Intrusion Forecasting Framework for Early Warning System against Cyber Attack

Project Proposal Active Honeypot Systems By William Kilgore University of Advancing Technology. Project Proposal 1

Security Event Management. February 7, 2007 (Revision 5)

Signature-aware Traffic Monitoring with IPFIX 1

Capacity Management Plan

Monitoring and analyzing audio, video, and multimedia traffic on the network

Beyond Monitoring Root-Cause Analysis

Wharf T&T Limited DDoS Mitigation Service Customer Portal User Guide

How To Monitor A Network On A Network With Bro (Networking) On A Pc Or Mac Or Ipad (Netware) On Your Computer Or Ipa (Network) On An Ipa Or Ipac (Netrope) On

How To Create A Network Monitoring System (Flowmon) In Avea-Tech (For Free)

Demystifying the Myth of Passive Network Discovery and Monitoring Systems

Flow Analysis. Make A Right Policy for Your Network. GenieNRM

Unified network traffic monitoring for physical and VMware environments

Network Monitoring as an essential component of IT security

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

Network Visibility Guide

Network Based Intrusion Detection Using Honey pot Deception

Traffic Analysis With Netflow. The Key to Network Visibility

Network Threat Behavior Analysis Monitoring Guide. McAfee Network Security Platform 6.1

NetFlow: What is it, why and how to use it? Miloš Zeković, ICmyNet Chief Customer Officer Soneco d.o.o.

Network Instruments white paper

Product Overview. Product Family. Product Features. Powerful intrusion detection and monitoring capacity

Cisco IPS Manager Express

A Critical Investigation of Botnet

DDoS Protection Technology White Paper

Traffic Analysis with Netflow The Key to Network Visibility

A Layperson s Guide To DoS Attacks

Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP

WATCHFUL EYE. data for all of your network connections,

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

Exercise 7 Network Forensics

NetStream (Integrated) Technology White Paper HUAWEI TECHNOLOGIES CO., LTD. Issue 01. Date

Denial of Service Attacks, What They are and How to Combat Them

Gaining Operational Efficiencies with the Enterasys S-Series

NetFlow Tracker Overview. Mike McGrath x ccie CTO mike@crannog-software.com

Edge Configuration Series Reporting Overview

Internet Management and Measurements Measurements

Cisco Performance Visibility Manager 1.0.1

Datasheet. Cover. Datasheet. (Enterprise Edition) Copyright 2015 Colasoft LLC. All rights reserved. 0

THE ROLE OF IDS & ADS IN NETWORK SECURITY

How To Protect A Dns Authority Server From A Flood Attack

Hillstone T-Series Intelligent Next-Generation Firewall Whitepaper: Abnormal Behavior Analysis

Take the NetFlow Challenge!

How To Protect Your Network From Attack From A Hacker On A University Server

Federal Computer Incident Response Center (FedCIRC) Defense Tactics for Distributed Denial of Service Attacks

Integrated Traffic Monitoring

First Line of Defense

Transcription:

NSC93-2213-E-110-045 2004 8 1 2005 731 94 830

Introduction 1 Nowadays the Internet has become an important part of people s daily life. People receive emails, surf the web sites, and chat with friends on the Internet everyday. Unfortunately the Internet is not secure as we more rely on it for personal or business purposes. Malicious probes, stealthy intrusions, and worms spreading happen on the Internet constantly. Undoubtedly security has become one of the most important and urgent issues on the Internet. It must be a common thought of all the Internet users that we need reliable and efficient network services with strong and confident network security. Real-time network traffic monitoring provides the network administrators the status and the patterns of the network traffic and the signs of any possible abnormal traffic and possible potential problems within the administrative domain. During a development of an incident, the attacker might send packets to inquire or collect the detailed information of the target system. In the early stage of spreading, if there is one monitoring system to detect the irregular activities and to gather related information, the network administrators may identify the possible attack through the monitoring and thus can respond to the situation in time to prevent it from getting worse. The audit trail of the network activity can be collected for future investigation, such as what happened, how or why it happened and how to prevent in the future. These logs might be the only evidence of intrusion, in case the victim s logs have been compromised. The network administrators typically use the SNMP-based tools to collect network traffic count from network service equipments like a switch or a router supporting SNMP protocol. These tools usually consist of two components. One, namely the collector, is to collect SNMP data, and the other, the grapher, is to generate HTML formatted output containing traffic loading image which provides a live and visual representation of the network traffic and traffic trends in time-series data of the network. These traditional SNMP-based traffic monitoring tools, such as MRTG [1] and Cricket [2] may provide abnormal warning that there is something strange--an unexpected increase in traffic may indicate that a security incident is being in progress--but SNMP-based tools only provide information about levels and changes in traffic volume. For security purposes, the volume-changing information is insufficient for network administrators to determine whether there is anything wrong with the network and to find out the trouble. Making a judgment needs more detailed data to be provided. Packet sniffers and other packet sniffing related tools are prevalent recently and have been deployed rapidly at present. These tools capture the traffic packets, decode the packet header fields, and even dig into the packet content to provide much more detailed information. Although they can provide details on packet activity, they lack information on the network as a whole. They typically focus on the content of single network packets, not on global network activities, and thus lack high-level support to management activities. 1 This work has been published in FIRST 2005 conference on Computer Security and Incident Handling

Timely analysis and storing this usually tremendous volume of traffic data sometimes can be impractical in some environments, especially on large scale and busy networks. Increasing traffic bandwidth and throughput make data capture and analysis more problematic and unstable when the traffic is heavy. There may be a breakdown when the traffic is too heavy to handle with. Furthermore, the purpose of these tools is usually and originally designed for detecting individual attacking event, not for monitoring overall network traffic condition. Accordingly using them for monitoring networks will be awkward and breakable. The most important is that we are unwilling at all to create an artificial bottleneck and uncertain factor in our network for network monitoring and network information gathering. As we described above, the network administrators have realistic and pressing needs of getting more detailed information about the live network than the traditional SNMP-based tools can provide. Furthermore they don t either want to sacrifice performance and stability of the network for using packet sniffing tools. Moreover while worm spreading and DoS attacks have been the most critical problems that network administrators are facing at present time, they should have the capability to detect the puzzle as soon as possible. Consequently we desire to develop a new network monitoring method and even build a practical system for network administrators to help them to examine real time network utilization statistics, look at traffic patterns, and perform early detection of worm propagation and DoS attacks. The Proposed Mechanism and the system We propose a network monitoring mechanism based on NetFlow log. First, the collecting module collects the flow logs exported from NetFlow-supported networking devices, writes the collected flow records into the disk periodically. The statistic module then reads in and perform summarization and produces the visual statistic report on-line. The administrator can understand the current status of the traffic pattern in real time based on the statistic report. The flows will be examined later more thoroughly and comprehensively to see if there is an on-going event. If a suspicious activity is found, the system alerts. The proposed system is illustrated in Figure 1 and the modules will be described in detail below. Figure 1: The proposed system

Collecting Module The router groups the records of the expired flows into the NetFlow export UDP datagrams and an exported datagram generally contains several flow records. Hence, the capturing daemon is used to capture the UDP packets, storing the NetFlow records in its internal format, and rotate the records into the disk for further analysis. A fixed amount of disk space is allocated for such storage. Hence, the records are kept and flushed away periodically once the analysis is done. The number of the records might occupy extremely large space, such as tens even hundreds of megabytes in several minutes in a high traffic network. Hence, the length of the period of the analysis would be affected by the disk space and the maximum traffic load of the network. Therefore, the disk size should be carefully chosen to fit in the user and network equirements. To accelerate the speed of the analysis speed on the flow records, a RAM disk could be used to store the flow files temporarily. Access time of RAM disk is much faster than that of a real disk. Statistic Analysis Module The traffic analysis module examines each flow, maintains the counts of the attribute values, and summarizes and stores the statistics into the database. The statistic information during a period of time will be shown in a visual form in web pages, including the number (count) of flows in each protocol (TCP, UDP, ICMP), the count of application ports, the bandwidth consumption per host, and so on. The network administrator can monitor the network with such visual graphs and hence can understand the network performance, bandwidth utilization, application usage distribution and the big talkers. We observe that monitoring the traffic by flows can spot the anomalies more efficiently than that by bytes, since some anomaly might not cause a large variation in traffic volume (in bps), but it could have an impact on flow counts, such as small packet-size DoS attacks. It is also important to watch the TopN service ports and hosts as we could discover which application or host consumes the most bandwidth. A quiet port or host becoming a big talker might be a sign of anomaly. We also found that the summarized information of the selected services ports should be plotted into separate graphs and the anomaly could then be identified more easily. Figure 2 shows a single graph aggregating all the selected services, while Figure 3 shows the same situation with separate graphs. The single aggregating graph suppresses the variation of the counts and might not be able to spot the unusual event through such visual graph. Hence, the proposed system provides separate graphs for the monitored services

Figure 2: Graph with aggregation Rule Based Analysis Module Figure 3: Graphs without aggregation Statistic traffic information helps network administrator shorten the management time, but some attacks may need further analysis and reaction in real time. Hence, the proposed system establishes rules to alerts the attacks such as DOS, DDOS, port scan,

network scan, and worm. DoS or DDoS attacks often have the pattern of a distributed or a single source IP address sending out similar small packets targeted at a particular host. Hence, the system will collect abnormal amount of the flows with this pattern in a short time. A threshold is set to find the abnormal traffic load. Port scan may produce small packets, SYN or ACK or UDP, from the same source host to the same destination host, while network scan targets to the different hosts on the same network, not different ports on a specific host. The system needs to know the worm behavior a priori to discover the worm activity. Worms usually scans the specific port, such as TCP 80 port, on random targets. The packets and bytes of the flow are usually the same. For example, Slammer worm generates 404 byte packets, destined at UDP 1434 port to randomly generated hosts. We can use these known characteristics on the destination port, packets, and bytes and establish the filtering rules to discover the worm propagation. Results The practical real network, the campus network of the National Sun Yat-Sen University, is used to evaluate the proposed system. The experimental results are shown as follows. The network administrators use to aggregate different data on the same graph to present simultaneously and comparatively, but such data aggregation might make the information obfuscating. As we can see in figure 4, we almost can see no information except TCP protocol traffic variation. Hence, It is practical to show the different protocol on a separate graph. Note that as what we have emphasized repeatedly, it is beneficial to monitor the flow changes rather than bytes. The peaks in of the flow graph shown in Figure 5 illustrate that the ICMP connection burst might indicate a suspicious event was on-going. The network administrator can then query which TopN hosts in that period of time cause that ICMP traffic and may identify the attack host. The proposed mechanism provides the network administrator a visual aid graphs to show the abnormal traffic and a query system to allow the administrator to do further investigation and to identify the attack origin.

Figure 4 Traffic volume (in bps) of the IP protocols Figure 5: Flow graph of the ICMP protocol During the experimental time, monitoing the network with a separate flow graph for each well-know service, we observe that a discrepancy flow volume between the incoming and outgoing TCP port 22 (ssh service). A normal connection should consist of two unidirectional flows and the number of the flows in both directions in a network normally would be the same or approximately equivalent. An unbalanced flow volume between the two directions might signal an on-going event. Figure 6 shows the flow graphs in different time intervals, 5 minutes, half hour, two hours, and one day. All of the flow graphs indicate that the outbound

flows are exceptionally higher than the inbound flows. Therefore, we explored the raw flow files or query Ntop hosts to see why there were so many unusual flows. We found that several hosts on our network connected to TCP port 22 of a particular host outside continually and repeated. Such traffic pattern indicates a possible DDoS attack on the network. Further investigation or query is needed to spot the attack site Figure 6: Flow graphs of TCP port 22 An intrusion of worm usually goes through a specific port, eg. A vulnerable service, sometimes, so the traffic of the specific port should be monitored. Therefore, we can detect the attacking instances or the worm propagation as soon as possible and can launch countermeasures promptly to defend against. When the Microsoft vulnerability, MS04-011 [8], is announced, the traffic through TCP port 443 (HTTPS service) needs to be monitored. During the experimental time, we observe the abnormal traffic from that port as shown in Figure 7.

Figure 7: Flow graph of TCP port 443 After exploring the flow records further, we found suspicious scans coming from a single source host, sending to multiple victims of a specific network, and having the same packets and bytes. Such abnormal flow may be generated by an attacking tool or a worm. The proposed system could find the abnormal traffic through the flow graphs showing the real-time traffic statistic information and the further analysis can find the attack site or identify the problem. The administrator can use the pattern to detect other suspicious activities afterwards. According to this collected pattern, then we do discover more and more questionable traffic of the same characteristic spreading on the network. Conclusions Many security events happened on the network nowadays. The administrators seek a solution to shorten the network management time in a large network and to find the malicious activities in progress as soon as possible in order to launch effective and efficient countermeasures to defend against. They often monitor the network by collecting the real time traffic data, but they might find it may be too little or too much information. Too less information might not be able to discover the on-going event, while too much information may require more analysis effort and could not be able to discover the anomaly promptly. The proposed mechanism use flow information to monitor a large network in real-time. Based on the experimental data collected from the real network, campus network of a university, we found that the proposed mechanism based on flow log does help the network administrator monitor a large network in a timely manner and that the flow graphs and the flow records provide enough information for the network administrators to identify suspicious network abuse in a large network. We also discover that separate flow graph for each monitored service is easier to identify anomaly than aggregated flow graph of all monitored services, especially detecting DOS attacks and worm propagation.

The proposed mechanism use rule-based approach to filter well-known worm or DOS attack flows. Data mining or artificial intelligent approach may be used to discover the spreading of unknown worms or new DOS attacks from the flow records. 1. Tobias Oetiker, Dave Rand. MULTI ROUTER TRAFFIC GRAPHER, http://people.ee.ethz.ch/~oetiker/webtools/mrtg/ 2. Jeff R. Allen, http://cricket.sourceforge.net/ 3. http://www.mrtg.org 4. http://www.ntop.org/ntop.html 5. http://www.tcpdump.org 6. http://ipaudit.sourceforge.net 7. Cisco White Paper. NetFlow Services and Applications http://www.cisco.com/warp/public/cc/pd/iosw/ioft/neflct/tech/napps_wp.pdf 8. http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx 9. Cisco, NetFlow Services Solutions Guide http://www.cisco.com/univercd/cc/td/doc/cisintwk/intsolns/netflsol/nfwhite.htm 10. Dave Plonka, FlowScan: A Network Traffic Flow Reporting and Visualization Tool 11. http://net.doit.wisc.edu/~plonka/lisa/flowscan/out.ps.gz 12. John-Paul Navarro, Bill Nickless, & Linda Winkler - Argonne National Laboratory, Combining Cisco NetFlow Exports with Relational Database 13. Technology for Usage Statistics, Intrusion Detection, and Network Forensics http://www.splintered.net/sw/flow-tools/http://net.doit.wisc.edu/~plonka/flowscan/ 14. Daniel W. McRobb, cflowd configuration, 1998-1999. 15. http://www.caida.org/tools/measurement/cflowd/configuration/configuration.html 16. http://www.splintered.net/sw/flow-tools/docs/flow-capture.html 17. http://www.splintered.net/sw/flow-tools/docs/flow-nfilter.html 18. http://people.ee.ethz.ch/~oetiker/webtools/rrdtool/ 19. http://jkflow.sourceforge.net/ 20. http://net.doit.wisc.edu/~plonka/cflow/

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information