NetFlow Analyzer tips on twitter!

Nov 17 2009 06:43:38 AM Posted By : Joseph
We (@NetFlow_geek) will be tweeting t(w)ips on the capabilities of NetFlow Analyzer, which will help you get the most out of NetFlow, sFlow, jFlow, IPFIX, Netstream and more. NetFlow Analyzer runs on both Linux and Windows, so no worries! Following these "twips" will help you understand the capability of NetFlow, sFlow and other flows in your network. When analyzed by NetFlow Analyzer, these flows help you gain in-depth visibility into your network traffic, the applications in your network and the bandwidth utilization.

“We were struggling to get the exact details such as source, destination and the time on which certain applications were used. Once we had ManageEngine NetFlow Analyzer, we were able to get the precise information in minutes”
Richard Peirce
Manager of Network Services
Boston Properties




Follow us on Twitter and get the t(w)ips!

Cheers
Joe

Alert! - Traffic to a blacklisted IP

Sep 23 2009 08:02:13 AM Posted By : Don Thomas Jacob
While wondering what to write about for our blog, this question came in from a user. He needed alerts when the hosts in his network communicated with a set of blacklisted IP addresses. We felt this could be useful for a number of users, which is why we now have this blog post.

For this requirement, the user could have opted for an expensive flow based anomaly detection solution and achieved it the costly way. The cost effective method was to work with features already available in the easy to use, all software bandwidth monitoring solution from ManageEngine: NetFlow Analyzer.

Now, in detail, what was wanted and how it can be done.

There is a set of IP addresses with which the hosts in a company's network are not expected to communicate. If there is traffic either to or from these blacklisted IPs, the network administrator needs to be alerted, find the violating host and then carry out cautionary steps.

NetFlow (or any similar flow), with its capabilities for in-depth reports, is the only technology that can tell you about the application used, source and destination of traffic, priority of the traffic and much more. NetFlow Analyzer, which supports all the major flow formats, has an IP Group feature with which you can group together IP addresses, networks or ranges and monitor the traffic to and from them. Making use of this, one can create an IP Group and associate all the blacklisted IP addresses with it. When creating the IP Group, the speed that is used for the utilization calculation is set to the lowest possible value, 1 bps. This way, even a single conversation will account for more than 1 percent utilization.


Creating IP Group

After creating the IP Group, we can use the alert profiles to receive alerts when the traffic utilization exceeds 1% in the IP Group. The alerts can be emailed to the email address specified and you can even give multiple threshold actions in the same alert.


Setting up the alert

With this, you can ensure that no traffic passed to or from the blacklisted IP addresses, and if there was traffic, you are alerted. Drilling down on the IP Group to the Conversation tab shows the hosts involved, helping you take your cautionary measures.
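To make the mechanics concrete, here is an added Python example (not NetFlow Analyzer's own code) that reproduces the IP Group and alert profile logic described above on constructed flow records: flows whose source or destination falls in the blacklisted ranges are grouped, utilization is computed against the 1 bps group speed, and anything above the 1% threshold yields an alert listing the conversations to drill into. The blacklist ranges, the Flow field names and the one-minute window are assumptions.

```python
# Added example, not NetFlow Analyzer's own code: emulate an IP Group of
# blacklisted addresses whose speed is set to 1 bps, so that even a single
# conversation exceeds the alert profile's 1% utilization threshold.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed blacklist (documentation ranges); in the product this is the IP Group's address list.
BLACKLIST = [ip_network("203.0.113.0/24"), ip_network("198.51.100.7/32")]
GROUP_SPEED_BPS = 1        # lowest possible speed for the IP Group, as in the post
ALERT_THRESHOLD_PCT = 1.0  # alert profile fires when utilization exceeds 1%

@dataclass(frozen=True)
class Flow:  # subset of NetFlow fields used here (assumed names)
    src: str
    dst: str
    octets: int

def in_group(ip: str) -> bool:
    """True if the address falls inside any blacklisted network or range."""
    addr = ip_address(ip)
    return any(addr in net for net in BLACKLIST)

def group_flows(flows):
    """Traffic either to or from the group counts, matching the IP Group semantics."""
    return [f for f in flows if in_group(f.src) or in_group(f.dst)]

def utilization_pct(flows, window_seconds, speed_bps=GROUP_SPEED_BPS):
    """Bits seen in the window divided by speed * window length, as a percentage."""
    bits = sum(f.octets * 8 for f in flows)
    return 100.0 * bits / (speed_bps * window_seconds)

def evaluate(flows, window_seconds=60):
    """None when the threshold is not crossed; otherwise the detail a drill-down
    to the Conversation tab would show: the violating src/dst pairs."""
    matched = group_flows(flows)
    util = utilization_pct(matched, window_seconds)
    if util <= ALERT_THRESHOLD_PCT:
        return None
    return {"utilization_pct": util,
            "conversations": sorted({(f.src, f.dst) for f in matched})}

# Constructed one-minute sample: ordinary web traffic plus two tiny exchanges with blacklisted hosts.
SAMPLE = [
    Flow("10.0.0.5", "192.0.2.10", 48_000),
    Flow("10.0.0.7", "203.0.113.9", 60),    # 480 bits against 60 bits of "capacity" per minute
    Flow("198.51.100.7", "10.0.0.12", 120),
]
```

Calling `evaluate(SAMPLE)` returns a utilization of 2400% for the group, which is why a 1 bps speed turns the percentage alert into an "any traffic at all" alert.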

A combination of simple features for proactive troubleshooting!


Regards,
Don Thomas Jacob


NetFlow technology and ManageEngine NetFlow Analyzer make bandwidth monitoring and traffic analysis easy by giving you detailed reports about the traffic, applications used, source and destination of traffic, traffic conversations, DSCP based QoS values and so on. All these reports, available for time periods ranging from the last minute to the time at which the product was installed, can show the hosts participating in the traffic, making further analysis easier and aiding proactive network troubleshooting.

But there is a dark side to this coin. The number of hosts involved in the traffic can be quite large, and in huge networks a daily or weekly report will involve a few thousand IP addresses. Identifying the top 10 or so hosts from their IP addresses may be easy, but what if there are more than a hundred conversations on each of your main interfaces? Here, you can make use of the 'Resolve DNS' option to resolve the IP addresses to DNS names, making identification easier.


Resolved from DNS server

The DNS name resolution uses the mapping available in your primary or secondary DNS server to resolve DNS names for IP addresses. The names displayed by this resolution follow your organization's standard naming policy and may not be the easiest names to remember! This is why NetFlow Analyzer has an option for custom DNS names. Custom or user defined DNS names can be set in the product for any number of IP addresses, and the next time you opt to show DNS names, it is these names that will be shown, overriding the system resolved DNS names.


User Defined DNS names

To set your own DNS names, navigate to Product Settings - Server Settings, and there under the DNS Settings option click 'Add/Modify' next to the 'User defined DNS names' option. You can also set a user defined DNS name for an IP address from the Source or Destination tab using the edit icon next to an IP address shown in the reports. A small feature that is a big help to large enterprises!



Regards,
Don Thomas Jacob

Having discussed the traffic patterns to check for when identifying bot behavior, we will now look at how NetFlow / cFlowd data with ManageEngine NetFlow Analyzer can make the tracking much easier. In case you have not read PART 1 of this blog, which outlines the traffic patterns related to bot behavior in a network, do catch up with it.

It is not easy to track traffic behavior with just SNMP based or other tools, as no other technology provides information as in-depth as NetFlow. To use NetFlow or cFlowd for traffic analysis, all you need is a device capable of exporting NetFlow / sFlow or similar flow packets. The sweet part is that NetFlow or similar flows are supported on most devices from the major vendors, removing the need for additional equipment and hardware purchases. NetFlow Analyzer, installed on a server in your network, receives the exported packets and generates reports about bandwidth and traffic. With no additional configuration needed for the reports, setup and reporting all happen in a matter of minutes.

Let's now delve into how the traffic patterns outlined in the last blog can be analyzed easily with NetFlow Analyzer using NetFlow data.

The first point we talked about is the need for bots to locate the C&C servers for updates, and how this is done through DNS requests. Thus, seeing a large volume of DNS requests from the network is something to be concerned about.
NetFlow data reports the traffic in detail and shows the applications passing through the interfaces. Monitoring the OUT traffic on the WAN link will show whether there are DNS requests to the Internet from the network and how much of the total traffic these requests took up. You can also drill down on the application to find the hosts involved in the traffic. NetFlow Analyzer can also generate alerts if the DNS requests leaving the network exceed an expected percentage. This can be done from 'Alert Profiles' under 'Admin Operations', where an alert for IN or OUT traffic with specific criteria can be set and sent as an email or SNMP trap.

After having located the C&C server, the bots communicate with it over IRC to receive commands on attacks to be performed or updates for the bot itself. If you see your internal hosts communicating a lot over IRC, this should definitely be checked. To track this, look at the LAN or WAN interface and the applications being used. The 'Application' tab will show you whether IRC is in use and the hosts involved in IRC traffic. Here again, you can make use of alerts, or if you expect zero percent IRC traffic from the network, create an IP Group associating the IRC application: this grouping will show even the smallest volume of IRC traffic in an easy to view category, removing the need for drill-downs and searches.

Another activity of the bots is to spread further, which is done by scanning hosts in the subnet for vulnerabilities. The scanning sends small bursts of packets across the subnet checking for host vulnerabilities. You can easily track traffic by packet count for each interface from the Traffic - Packets tab, which should readily show an increase in the number of packets in the LAN without a large increase in traffic volume.

After locating the C&C server and receiving the updates, the bots take part in a DDoS attack. One DDoS method is sending a high volume of outbound TCP SYN requests with an invalid source IP address. Our blog on tracking TCP/SYN attacks will help in finding an attack on your server, and looking at the TCP/SYN requests exiting your WAN link will tell you whether DDoS attacks are originating from your network.

The last point we talked about was how the botnets involved in email spamming can be identified. Since such bots send millions of emails to all sorts of email addresses, keep a watch on the SMTP traffic to the outside and get alerted on an unusually large volume of SMTP traffic. Here too you can make use of the IP Group option for tracking specific application behavior, and this blog should help you with application tracking using IP Groups.
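Pulling the five patterns above (DNS share of outbound traffic, IRC use, packet-heavy subnet scanning, SYN-only outbound flows, SMTP volume) into one check, here is an added Python example that is not NetFlow Analyzer's own code: it runs each heuristic over constructed NetFlow-style records. The record field names, the "out"/"lan" direction tag and every threshold are assumptions; in the product the equivalents are the Application tab, the Traffic - Packets tab and alert profiles.

```python
# Added example, not NetFlow Analyzer's own code: apply the Part 1 traffic
# patterns (DNS share of OUT traffic, IRC use, packet-heavy LAN scanning,
# SYN-only outbound flows, SMTP volume) to constructed NetFlow-style records.
from collections import defaultdict

DNS, SMTP, IRC, SYN = 53, 25, 6667, 0x02  # well-known ports; SYN bit as in a record's cumulative tcp_flags

# Constructed records: direction is "out" on the WAN link, "lan" on the internal interface.
SAMPLE = [
    dict(direction="out", src="10.0.0.5", dst="192.0.2.10",  dport=443,  proto=6,  pkts=400,  octets=480_000,   flags=0x1b),
    dict(direction="out", src="10.0.0.7", dst="192.0.2.53",  dport=DNS,  proto=17, pkts=2000, octets=180_000,   flags=0),
    dict(direction="out", src="10.0.0.7", dst="192.0.2.99",  dport=IRC,  proto=6,  pkts=50,   octets=6_000,     flags=0x18),
    dict(direction="lan", src="10.0.0.7", dst="10.0.0.20",   dport=445,  proto=6,  pkts=300,  octets=13_200,    flags=SYN),
    dict(direction="out", src="10.0.0.7", dst="192.0.2.200", dport=80,   proto=6,  pkts=500,  octets=20_000,    flags=SYN),
    dict(direction="out", src="10.0.0.9", dst="192.0.2.25",  dport=SMTP, proto=6,  pkts=2000, octets=2_000_000, flags=0x18),
]

def dns_share_pct(flows):
    """Share of OUT bytes that is UDP/53: the 'large volume of DNS requests' pattern."""
    out = [f for f in flows if f["direction"] == "out"]
    dns = sum(f["octets"] for f in out if f["dport"] == DNS and f["proto"] == 17)
    return 100.0 * dns / (sum(f["octets"] for f in out) or 1)

def hosts_using(flows, port):  # sources seen talking to a port, as the Application tab drill-down lists them
    return sorted({f["src"] for f in flows if f["dport"] == port})

def packet_heavy_hosts(flows, max_avg_octets=64):
    """LAN sources with many packets but little volume: the subnet-scanning pattern."""
    pkts, octets = defaultdict(int), defaultdict(int)
    for f in (f for f in flows if f["direction"] == "lan"):
        pkts[f["src"]] += f["pkts"]
        octets[f["src"]] += f["octets"]
    return sorted(h for h in pkts if octets[h] / pkts[h] <= max_avg_octets)

def syn_only_outbound(flows):  # outbound TCP flows that never got past SYN: candidate SYN-flood sources
    return [f for f in flows if f["direction"] == "out" and f["proto"] == 6 and f["flags"] == SYN]

def findings(flows, dns_pct_max=5.0, smtp_octets_max=1_000_000):
    hits = []  # one entry per pattern that crossed its (assumed) threshold
    if (pct := dns_share_pct(flows)) > dns_pct_max:
        hits.append(f"dns is {pct:.1f}% of OUT traffic")
    if irc := hosts_using(flows, IRC):
        hits.append(f"irc traffic from {irc}")
    if scan := packet_heavy_hosts(flows):
        hits.append(f"scan-like packet bursts from {scan}")
    if syn := syn_only_outbound(flows):
        hits.append(f"{len(syn)} syn-only outbound flow(s)")
    smtp = sum(f["octets"] for f in flows if f["direction"] == "out" and f["dport"] == SMTP)
    if smtp > smtp_octets_max:
        hits.append(f"smtp outbound volume {smtp} bytes")
    return hits
```

On the constructed sample every heuristic fires, and the single offending LAN host 10.0.0.7 shows up in three of them, which is the kind of cross-check a drill-down from the alert to the hosts makes possible.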

The features and capabilities of NetFlow Analyzer do not end here. You can make use of various options like the customizable dashboard to track the top applications from the network, use IP Groups and alerts to inform you of traffic behavior, have reports exported to PDF or CSV or even emailed instantly, and much more. Try the ManageEngine NetFlow Analyzer 30 day trial with free technical support to get hands-on experience of what more you can do with NetFlow Analyzer.



Regards,
Don Thomas Jacob