Network forensics 101
Network monitoring with Netflow, nfsen + nfdump
www.enisa.europa.eu

Agenda
- Intro to netflow
- Metrics
- Toolbox (Nfsen + Nfdump)
- Demo
What is Netflow
Netflow is a traffic monitoring technology developed by Cisco. Flows are unidirectional or bidirectional and contain connection-related data such as:
- Source and destination IP address
- Source and destination port
- Source and destination AS
- Protocol (TCP, UDP, ICMP etc.) and TCP flags
- Logical input and output interfaces
- Byte and packet counters

Background - OSI layer model
Netflow contains information from layers 3 and 4 (packets and segments).
Pcap vs Netflow
Figure: TCP/IPv4 header fields compared with the fields exported in Netflow (TCP/IPv4 and UDP). Source: http://www.cisco.com/web/about/ac123/ac147/images/ipj/ipj_7-3/anatomy_figure_1.gif

Netflow <=> Call logs
Netflow is like a detailed phone bill for your network traffic: it contains the metadata of network packets without the actual payload.
Full pcap: 100GB vs Netflow: 375MB

Netflow versions
Netflow versions available: http://en.wikipedia.org/wiki/netflow
Netflow example
Packet exchange between 1.1.1.1 and 2.2.2.2: SYN, SYN-ACK, ACK, GET /index.html, ACK, (Content)
Corresponding flow records:
Date flow start         Duration  Proto  Src IP addr:port      Dst IP addr:port  Flags  Packets  Bytes
2013-12-12 15:00:34.320           TCP    1.1.1.1:5431      ->  2.2.2.2:80        ..S    10       849
2013-12-12 15:00:35.350           TCP    2.2.2.2:80        ->  1.1.1.1:5431      A.S    13       13443

Uni-directional vs Bi-directional
Uni-directional netflow (two records per conversation):
  Host A -> Host B   (Src = A, Dst = B)
  Host B -> Host A   (Src = B, Dst = A)
Bi-directional netflow (one record per conversation):
  Host A <-> Host B  (Src = A, Dst = B)
Flow sampling
Flow sampling is used to reduce load on routers by limiting the number of packets selected for analysis. Not all the traffic might be relevant for our purpose.
- Samples can be taken every n packets
- Sample particular time intervals
- Discard not relevant ports & interfaces
- Collect only for particular subnets
- Random sampling & deterministic sampling
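To show what the choice between deterministic and random sampling means for the counters you later analyse, here is an added Python example (not from the slides or from any router vendor) that samples a constructed packet stream 1-in-n both ways and scales the sampled byte counts back up. The stream, the host 10.0.0.9 and the sampling rate are all assumptions made for the illustration; the point it demonstrates is the aliasing problem of periodic sampling: a host that transmits exactly every n-th packet is either always or never seen.

```python
import random

# Constructed packet stream (not from the slides): 800 packets in which every
# 8th position (offset 3) is a 64-byte heartbeat from 10.0.0.9 and the rest is
# 1200-byte web traffic from 50 clients.
def build_stream():
    stream = []
    for i in range(800):
        if i % 8 == 3:
            stream.append({"src": "10.0.0.9", "bytes": 64})
        else:
            stream.append({"src": "192.0.2.%d" % (i % 50), "bytes": 1200})
    return stream

def deterministic_sample(packets, n):
    """Keep every n-th packet starting at the first one (1-in-n periodic sampling)."""
    return [p for i, p in enumerate(packets) if i % n == 0]

def random_sample(packets, n, rng):
    """Keep each packet independently with probability 1/n."""
    return [p for p in packets if rng.random() < 1.0 / n]

def estimate_bytes(sample, n, src=None):
    """Scale the sampled byte count back up by the sampling rate n.
    With src given, estimate only that host's share."""
    return n * sum(p["bytes"] for p in sample if src is None or p["src"] == src)

def compare(n=8, seed=1):
    """True and estimated byte totals for the whole stream and for 10.0.0.9 alone."""
    stream = build_stream()
    det = deterministic_sample(stream, n)
    rnd = random_sample(stream, n, random.Random(seed))
    heartbeat = "10.0.0.9"
    return {
        "true_total": sum(p["bytes"] for p in stream),
        "det_total": estimate_bytes(det, n),
        "rnd_total": estimate_bytes(rnd, n),
        "true_heartbeat": sum(p["bytes"] for p in stream if p["src"] == heartbeat),
        "det_heartbeat": estimate_bytes(det, n, heartbeat),   # 0: the periodic host is never sampled
        "rnd_heartbeat": estimate_bytes(rnd, n, heartbeat),
    }

if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:16} {value:>8}")
```

With n = 8 the deterministic sampler reports 0 bytes for 10.0.0.9 although the host sent 6400, and overstates the total (960000 against 846400) because every sampled packet happens to be a large one; random sampling has more variance per host but no such blind spot. When you size thresholds for the metrics on the following slides, remember that counters from a sampled exporter are estimates.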
Architecture considerations

Adversaries

Security metrics & Security goals
Security metrics:
- Peak on particular ports (139, 445 etc.)
- Top talkers / top bandwidth consumers
- Increased numbers of concurrent connections to the web server
- Large number of SYN packets
- Connections to suspicious IPs
- Connections to atypical ports
Security goals:
- Investigate past attacks (forensics)
- Detect on-going attacks
- Prevent future attacks

Netflow analysis and visualization
Overview, Details, Flows on demand
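The following Python example is added here and is not code from the slides, from nfdump or from the ENISA exercise VM. It ties together the Netflow example (the record layout with date, duration, protocol, src/dst address:port, flags, packets and bytes), the uni-directional versus bi-directional slide (two records per conversation, merged into one session) and the security metrics listed above (top talkers by flows/packets/bytes and a large number of SYN packets). The records are constructed: a web download and a DNS lookup from 1.1.1.1, plus 50 single-packet SYN-only flows from distinct sources to 10.0.0.5:80, the kind of pattern the metrics are meant to surface.

```python
from collections import Counter

# Constructed nfdump-style records (same columns as the slide's example plus a
# duration value); not real data from the exercise VM.
NORMAL = """\
2013-12-12 15:00:34.320 0.512 TCP 1.1.1.1:5431 -> 2.2.2.2:80 .AP.SF 10 849
2013-12-12 15:00:34.325 0.507 TCP 2.2.2.2:80 -> 1.1.1.1:5431 .AP.SF 13 13443
2013-12-12 15:00:36.001 0.004 UDP 1.1.1.1:40001 -> 2.2.2.3:53 ...... 1 72
2013-12-12 15:00:36.002 0.003 UDP 2.2.2.3:53 -> 1.1.1.1:40001 ...... 1 120
"""
# Constructed flood: 50 SYN-only single-packet flows from distinct sources to one server.
FLOOD = "".join(
    f"2013-12-12 15:01:{i:02d}.000 0.000 TCP 172.16.0.{i + 1}:{1024 + i} -> 10.0.0.5:80 ....S. 1 60\n"
    for i in range(50)
)

def parse_flow(line):
    """Split one record line into a dict; flags become a set of letters ('.' placeholders dropped)."""
    date, time, dur, proto, src, _arrow, dst, flags, pkts, byts = line.split()
    sip, sport = src.rsplit(":", 1)        # rsplit keeps IPv6 addresses intact
    dip, dport = dst.rsplit(":", 1)
    return {"start": f"{date} {time}", "duration": float(dur), "proto": proto,
            "srcip": sip, "srcport": int(sport), "dstip": dip, "dstport": int(dport),
            "flags": set(flags.upper()) - {"."}, "packets": int(pkts), "bytes": int(byts)}

def load(text):
    return [parse_flow(line) for line in text.splitlines() if line.strip()]

def pair_bidirectional(flows):
    """Merge uni-directional records of the same 5-tuple (either direction) into one session."""
    sessions = {}
    for f in flows:
        a, b = (f["srcip"], f["srcport"]), (f["dstip"], f["dstport"])
        ends = (a, b) if a <= b else (b, a)          # direction-independent key
        s = sessions.setdefault((f["proto"],) + ends, {
            "proto": f["proto"], "endpoints": ends, "records": 0,
            "packets": 0, "bytes": 0, "flags": set()})
        s["records"] += 1
        s["packets"] += f["packets"]
        s["bytes"] += f["bytes"]
        s["flags"] |= f["flags"]
    return list(sessions.values())

def top_n(flows, key="dstip", by="flows", n=10):
    """Top-N statistic for one aggregation key, ordered by flows, packets or bytes."""
    totals = Counter()
    for f in flows:
        totals[f[key]] += 1 if by == "flows" else f[by]
    return totals.most_common(n)

def syn_only_sources(flows, dstip):
    """Distinct sources whose flows to dstip carried SYN but never ACK (half-open attempts)."""
    return {f["srcip"] for f in flows
            if f["dstip"] == dstip and "S" in f["flags"] and "A" not in f["flags"]}

def analyse(text):
    flows = load(text)
    by_flows = top_n(flows, "dstip", "flows", 3)
    by_bytes = top_n(flows, "dstip", "bytes", 3)
    victim = by_flows[0][0]
    return {"top_dst_by_flows": by_flows, "top_dst_by_bytes": by_bytes, "victim": victim,
            "syn_only_sources": len(syn_only_sources(flows, victim)),
            "sessions": len(pair_bidirectional(flows))}

if __name__ == "__main__":
    for name, value in analyse(NORMAL + FLOOD).items():
        print(f"{name:18} {value}")
```

Ordering the same top-N by different counters is what makes the flood visible: by bytes the top destination is the legitimate client 1.1.1.1 (one large download), by flows it is 10.0.0.5 with 50 flows of 60 bytes each, all of them SYN without ACK from different sources. Real nfdump output has more columns and optional fields (ToS, flows), so adapt `parse_flow` or use `nfdump -o csv` before reusing this on exporter data.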
Go with the flow
Example of how to activate netflow export. Cisco IOS netflow export example:
  Router(config)#ip flow-export version 5
  Router(config)#ip flow-export source FastEthernet 2/48
  Router(config)#ip flow-export destination 10.1.1.1 2060
  Router(config)#interface FastEthernet2/48
  Router(config-if)#ip route-cache flow

Toolbox nfsen + nfdump
Nfsen:
- Web based frontend
- Display flows
- Framework to automate tasks
- http://nfsen.sourceforge.net/
NfDump:
- Collect and store flows
- Process flows on the command line

nfdump (v1.5.7) features:
- Nfdump is a command-line tool comparable to tcpdump.
- Written in C, designed to be fast.
- Stores netflow data in time-sliced files.
- Supports sflow and netflow formats v5, v7 and v9.
- All processing options support IPv4 and IPv6.
- Powerful pcap-like filter syntax: ( proto tcp and dst net 172.16/16 and src port > 1024 and bytes < 600 ) or ( bps > 1k and ip in [ www.switch.ch 192.168.0.0/24 ] )
- Flexible flow aggregation: srcip, dstip, srcport, dstport, srcas, dstas, proto
- Efficient filter engine: > 6 million flows/s on a 3GHz Intel.
- Lots of fast Top N statistics.
- User defined output formats.

Nfdump architecture
Nfdump syntax
- Protocol version: inet or ipv4; inet6 or ipv6
- Protocol: TCP, UDP, ICMP or proto <num>
- IP address: IP a.b.c.d or HOST a.b.c.d
- SourceDestination: SRC or DST
- Network: NET a.b.c.d/num
- Port: <SourceDestination> PORT [comp] <num>
- TCP flags: flags <tcpflags> where A = ACK, S = SYN, F = FIN, R = Reset, P = Push, U = Urgent, X = all flags
- Packets, pkt/s, bytes: packets [comp] num [scale]; bytes [comp] num [scale]; pps [comp] num [scale]
Examples:
  host 1.1.1.1
  host 1.1.1.1 and port 123
  net 192.168.1.0/24 and not host
  tcp and (src ip 1.1.1.1 or dst ip 2.2.2.2) and flags S and bytes > 800
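To make the grammar above concrete, here is an added Python example (my own code, not nfdump's filter engine) that compiles a filter written in this syntax into a predicate and applies it to a handful of constructed flow records. It covers the keywords listed on the slide (protocol names and `proto <num>`, `ip`/`host`, `src`/`dst`, `net`, `port`, `flags`, `bytes`/`packets` with comparison and scale) plus `and`, `or`, `not` and parentheses. Assumptions: comparison operators must be space-separated, networks are written in full CIDR form, and the k/m/g scale is taken to be 1024-based as in nfdump; the flow records and their values are invented for the illustration.

```python
import ipaddress
import operator

PROTO_NUM = {"tcp": 6, "udp": 17, "icmp": 1}
OPS = {">": operator.gt, "<": operator.lt, ">=": operator.ge,
       "<=": operator.le, "=": operator.eq, "==": operator.eq}
SCALE = {"k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}   # assumed 1024-based, as nfdump scales

class FlowFilter:
    """Compile an nfdump-style filter expression into a predicate over flow dicts."""

    def __init__(self, expr):
        self.toks = expr.lower().replace("(", " ( ").replace(")", " ) ").split()
        self.pos = 0
        self.match = self._expr()
        if self.pos != len(self.toks):
            raise ValueError("unexpected token %r" % self.toks[self.pos])

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _next(self):
        tok = self._peek()
        if tok is None:
            raise ValueError("unexpected end of filter")
        self.pos += 1
        return tok

    def _expr(self):                   # expr := term ('or' term)*
        node = self._term()
        while self._peek() == "or":
            self._next()
            node = (lambda l, r: lambda f: l(f) or r(f))(node, self._term())
        return node

    def _term(self):                   # term := factor ('and' factor)*
        node = self._factor()
        while self._peek() == "and":
            self._next()
            node = (lambda l, r: lambda f: l(f) and r(f))(node, self._factor())
        return node

    def _factor(self):                 # factor := 'not' factor | '(' expr ')' | primitive
        if self._peek() == "not":
            self._next()
            inner = self._factor()
            return lambda f: not inner(f)
        if self._peek() == "(":
            self._next()
            inner = self._expr()
            if self._next() != ")":
                raise ValueError("missing ')'")
            return inner
        return self._primitive()

    def _comparison(self):             # [comp] num [scale]; a missing comparator means equality
        op = OPS[self._next()] if self._peek() in OPS else operator.eq
        tok = self._next()
        num = int(tok[:-1]) * SCALE[tok[-1]] if tok[-1] in SCALE else int(tok)
        return op, num

    def _primitive(self):
        tok = self._next()
        if tok in PROTO_NUM:
            return lambda f: f["proto"].lower() == tok
        if tok == "proto":
            num = int(self._next())
            return lambda f: PROTO_NUM.get(f["proto"].lower()) == num
        if tok in ("bytes", "packets"):
            op, num = self._comparison()
            return lambda f: op(f[tok], num)
        if tok == "flags":
            letters = self._next()
            want = set("fsrpau") if letters == "x" else set(letters)
            return lambda f: want <= {c.lower() for c in f["flags"]}
        sides = ("src", "dst")         # without src/dst a keyword matches either side
        if tok in sides:
            sides, tok = (tok,), self._next()
        if tok in ("ip", "host"):
            addr = self._next()
            return lambda f: any(f[s + "ip"] == addr for s in sides)
        if tok == "net":
            net = ipaddress.ip_network(self._next(), strict=False)
            return lambda f: any(ipaddress.ip_address(f[s + "ip"]) in net for s in sides)
        if tok == "port":
            op, num = self._comparison()
            return lambda f: any(op(f[s + "port"], num) for s in sides)
        raise ValueError("unknown keyword %r" % tok)

# Constructed flow records for the demonstration (flags in nfdump's dotted notation).
FLOWS = [
    {"proto": "TCP", "srcip": "1.1.1.1", "srcport": 5431, "dstip": "2.2.2.2", "dstport": 80, "flags": "..S", "packets": 10, "bytes": 849},
    {"proto": "TCP", "srcip": "2.2.2.2", "srcport": 80, "dstip": "1.1.1.1", "dstport": 5431, "flags": "A.S", "packets": 13, "bytes": 13443},
    {"proto": "UDP", "srcip": "192.168.1.7", "srcport": 123, "dstip": "1.1.1.1", "dstport": 123, "flags": "", "packets": 1, "bytes": 76},
    {"proto": "TCP", "srcip": "192.168.1.1", "srcport": 44000, "dstip": "10.9.8.7", "dstport": 445, "flags": "A.S", "packets": 8, "bytes": 2048},
]

def select(expr, flows=FLOWS):
    """Indexes of the flows matching an nfdump-style filter expression."""
    pred = FlowFilter(expr).match
    return [i for i, f in enumerate(flows) if pred(f)]
```

The slide's last example, `tcp and (src ip 1.1.1.1 or dst ip 2.2.2.2) and flags S and bytes > 800`, selects only the client's outbound record (index 0); `net 192.168.1.0/24 and not host 192.168.1.1` keeps the NTP flow from 192.168.1.7 but drops the one from the excluded host. Writing the precedence out this way (`or` binds loosest, then `and`, then `not`) is also a good check before pasting a long filter into nfdump, where a missing parenthesis silently changes what you are counting.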
Nfsen general overview page (screenshot: Nfsen home)

Nfsen navigation page (screenshot: Nfsen nav)

Netflow processing output (screenshot: Nfsen out)

Netflow profile & alert tab (screenshot: Nfsen profile)

Profile: Nfsen, more about profiles
- Custom view of netflow data with filters applied
- Can be created on historical netflow data as well as live data (static, continuous)
- Can contain one or more channels
- Channels are incoming sources of netflow, for example: firewall, border router, webserver, dmz etc.
Intro to the scenarios
1. Boot the imported VM image ENISA_CERT_Exercises.ova
2. Log into the `Trainee` account (user: trainee, pass: exercises)
3. `cd /home/trainee/desktop`. On the desktop there are two scripts: `nfsen_start.sh` and `nfsen_stop.sh`. First run `./nfsen_stop.sh`, afterwards run `./nfsen_start.sh`
4. The netflow data is available in the folder `/data/nfsen/profiles-data/live/upstream1`

The story
We are working in the ITSec department of a big ISP. There is a netflow collector for monitoring the ISP address space. The ISP has received a report about a DDoS attack being carried out by a customer.
1. Identify when the attack was carried out
2. Identify the target of the attack; identify what IPs are involved in the attack
3. Identify the modus operandi; mitigation measures

Step.1
Let's check the overview panel.
`cd /data/nfsen/profiles-data/live/upstream1`
`ls -lhS` (long-listing format + human readable + sorted by size)
What do we notice?
Step.1 (screenshot)

Step.2
Top 10 statistics for DST IP ordered by flows/packets/bytes

Step.2+
Top 10 flow records aggregated by dstip

Step.2+ continued
We have our victim

Step.3
Role of the attacked server?

Step.4 Attackers
Who are the bad boys?

Step.5 How?
How was the attack carried out?

Online demo
At the following link there is a production nfsen: http://anfmon.ucsd.edu/nfsen/nfsen.php
Wireshark & pcap intro
Wireshark capture & display filters
A capture filter is used to select which packets should be saved to disk while capturing. For capture filters Wireshark uses the BPF syntax (BPF is a module that runs in the kernel), like tcpdump.
Display filters are used to change the view of a capture file. They take advantage of the full dissection of all packets, which makes it possible to do very complex and advanced filtering when analysing a network trace file.
http://packetlife.net/media/library/13/wireshark_display_filters.pdf

Wireshark & pcap intro (screenshot: capture filter and display filter)

Example capture/display filters
Example capture filters:
  host 172.18.5.4
  net 192.168.0.0/24
  host www.example.com and not (port 80 or port 25)
  dst port 135 and tcp port 135 and ip[2:2]==48
Example display filters:
Pcap = packet capture
Pcap analysis part 1
Step 1. Go to: `cd /home/trainer/documents/exercises/07_nf/adds`
We will investigate the following pcap: drive-by-download_fast-flux.pcap. Open it with Wireshark.
One of the customer IPs got infected. Let's try to figure out how. See `dns` & `http` requests.

Pcap part 2
First let's play with display filters, filtering different protocols.
Filter: dns
Who is our client? Which is the DNS server? What kind of interesting requests/answers do we spot?
Now let's try to exclude legitimate IPs and see HTTP requests.
Filter: !(ip.addr == 195.187.7.66 || ip.addr == 193.59.201.62 || ip.addr == 213.199.161.251) && http
Can we spot anything in particular?

tshark / tcpdump
tshark synopsis:
  tshark [ -2 ] [ -a <capture autostop condition> ]... [ -b <capture ring buffer option> ]...
         [ -B <capture buffer size> ] [ -c <capture packet count> ] [ -C <configuration profile> ]
         [ -d <layer type>==<selector>,<decode-as protocol> ] [ -D ] [ -e <field> ] [ -E <field print option> ]
         [ -f <capture filter> ] [ -F <file format> ] [ -g ] [ -h ] [ -H <input hosts file> ]
         [ -i <capture interface>|- ] [ -I ] [ -K <keytab> ] [ -l ] [ -L ] [ -n ] [ -N <name resolving flags> ]
         [ -o <preference setting> ]... [ -O <protocols> ] [ -p ] [ -P ] [ -q ] [ -Q ] [ -r <infile> ]
         [ -R <read filter> ] [ -Y <display filter> ] [ -s <capture snaplen> ] [ -S <separator> ]
         [ -t ad|a|r|d|dd|e ] [ -T pdml|psml|ps|text|fields ] [ -v ] [ -V ] [ -w <outfile>|- ]
         [ -W <file format option> ] [ -x ] [ -X <extension option> ] [ -y <capture link type> ]
         [ -z <statistics> ] [ <capture filter> ]
Examples:
  tshark -R http.request -T fields -e http.host -r drive-by-download_fast-flux.pcap
  tshark -R http.request -T fields -e http.request.uri -r drive-by-download_fast-flux.pcap
  tshark -R http.request -T fields -e http.request.full_uri -r drive-by-download_fast-flux.pcap
Can you see any malicious requests?
  tshark -r drive-by-download_fast-flux.pcap -R dns -T fields -e dns.qry.name -e dns.resp.addr -e dns.resp.ttl
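The last tshark command prints, per DNS packet, the queried name, the answer addresses and their TTLs as tab-separated fields, with multiple answers in one packet joined by commas (tshark's default aggregator). What an analyst then looks for in a fast-flux case is a name that keeps resolving to many different addresses with short TTLs. The following Python example is added here (not from the slides, the exercise pcap or Wireshark) and runs that check over constructed tshark output; the domain names and addresses are invented, and the thresholds of five distinct addresses and a TTL of at most 600 seconds are assumptions to tune against your own traffic.

```python
from collections import defaultdict

# Constructed tshark output (not the exercise pcap): dns.qry.name, dns.resp.addr and
# dns.resp.ttl separated by tabs, multiple answers joined by commas. Query packets
# carry no dns.resp.* fields, so their last two columns are empty.
TSHARK_OUTPUT = "\n".join([
    "update.example\t\t",
    "update.example\t198.51.100.10,198.51.100.11,198.51.100.12\t300,300,300",
    "update.example\t203.0.113.5,203.0.113.6\t300,300",
    "update.example\t198.51.100.13,203.0.113.7\t240,240",
    "www.example.org\t192.0.2.1\t3600",
    "www.example.org\t192.0.2.1\t3600",
])

def parse_dns_fields(text):
    """Map each queried name to the (address, ttl) pairs seen in answer packets."""
    answers = defaultdict(list)
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 3 or not fields[1]:
            continue                                  # query packet or malformed line
        name, addrs, ttls = fields[:3]
        # CNAME/NS records add TTL values without addresses, so the two lists may differ
        # in length; the smallest TTL in the packet is the conservative choice.
        ttl = min(int(t) for t in ttls.split(","))
        for addr in addrs.split(","):
            answers[name].append((addr, ttl))
    return answers

def fast_flux_candidates(answers, min_addrs=5, max_ttl=600):
    """Names that resolved to many distinct addresses with short TTLs, as (name, count, min_ttl)."""
    hits = []
    for name, recs in answers.items():
        addrs = {a for a, _ in recs}
        ttl = min(t for _, t in recs)
        if len(addrs) >= min_addrs and ttl <= max_ttl:
            hits.append((name, len(addrs), ttl))
    return sorted(hits)

if __name__ == "__main__":
    for name, count, ttl in fast_flux_candidates(parse_dns_fields(TSHARK_OUTPUT)):
        print(f"{name}: {count} distinct addresses, min TTL {ttl}s")
```

Pipe the real command into it with `tshark ... | python3 this_script.py` after replacing `TSHARK_OUTPUT` with `sys.stdin.read()`; CDNs also rotate addresses, so treat a hit as a lead to correlate with the HTTP requests from the same client, not as a verdict.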