It is not easy to track traffic behavior with just SNMP-based or other tools, as no other technology provides information as in-depth as NetFlow does. To use NetFlow or cFlowd for traffic analysis, all you need is a device capable of exporting NetFlow, sFlow or similar flow packets. The sweet part of this is that NetFlow or similar flows are supported on most devices from the major vendors, removing the need for additional equipment and hardware purchases. NetFlow Analyzer, which can be installed on a server in your network, receives the exported packets and generates reports about bandwidth and traffic. Since no additional configuration is needed to get the reports, setup and reporting happen in a matter of minutes.
Let's now delve into how the traffic patterns outlined in the last blog can be analyzed easily with NetFlow Analyzer using NetFlow data.
The first point we talked about is the need for bots to locate the C&C servers for updates, and how this is done through DNS requests. Thus, seeing a large volume of DNS requests leaving the network is something to be concerned about.
NetFlow data reports in detail on the traffic and shows you the applications passing through the interfaces. Monitoring the OUT traffic on the WAN link will show whether there are DNS requests going to the Internet from the network and how much of the total traffic these requests took up. You can also drill down on the application to find the hosts involved in the traffic. NetFlow Analyzer can also generate alerts if the DNS requests leaving the network exceed an expected percentage. This can be done from ‘Alert Profiles’ under ‘Admin Operations’, where an alert for IN or OUT traffic with specific criteria can be set and the alerts sent as an email or SNMP trap.
After having located the C&C server, the bots communicate with it over IRC to receive commands on attacks to be performed or updates for the bot itself. If you see your internal hosts communicating a lot over IRC, this should definitely be checked. To track this, you can take a look at the LAN or WAN interface and look at the applications being used. The ‘Application’ tab will show you whether IRC is being used and the hosts involved in IRC traffic. Here again, you can make use of alerts to notify you; or, if you are expecting zero percent IRC traffic from the network, create an IP Group associated with the IRC application. This grouping will show you even the smallest volume of IRC traffic in an easy-to-view category, removing the need for drill-downs and searches.
The last point we talked about was how the botnets involved in email spamming can be identified. Since such bots send millions of emails to all sorts of email addresses, keep a watch on the SMTP traffic to the outside and get alerted on an unusually large volume of SMTP traffic. Here too you can make use of the IP Group option for tracking specific application behavior, and this blog should help you with application tracking using IP Groups.
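The three checks described above (share of outbound DNS, any IRC from internal hosts, outbound SMTP volume) can be expressed as simple rules over flow records. The following is an added example, not code from the original post and not part of NetFlow Analyzer; the flow record layout, the internal address ranges, the port-to-application mapping, the thresholds and the sample flows are all constructed assumptions, chosen only to show how the OUT-traffic aggregation and the alert conditions fit together.

```python
"""Added example: apply the post's three botnet heuristics to NetFlow-style
records. Record layout, thresholds, application mapping and sample flows are
constructed assumptions, not data from any real network or product."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: these ranges are "the network"; anything else is the Internet.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Assumption: classify flows by destination port, as a flow analyzer does
# when it maps ports to application names.
APP_BY_PORT = {53: "DNS", 25: "SMTP", 6667: "IRC", 6697: "IRC",
               80: "HTTP", 443: "HTTPS"}


@dataclass(frozen=True)
class Flow:
    src: str      # source IP
    dst: str      # destination IP
    dport: int    # destination port
    octets: int   # bytes in the flow


def is_internal(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def app_of(flow: Flow) -> str:
    return APP_BY_PORT.get(flow.dport, "OTHER")


def outbound_by_app(flows):
    """Aggregate OUT traffic (internal source, external destination) into
    bytes per application and the internal hosts seen per application."""
    octets = defaultdict(int)
    hosts = defaultdict(set)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            app = app_of(f)
            octets[app] += f.octets
            hosts[app].add(f.src)
    return dict(octets), {app: sorted(h) for app, h in hosts.items()}


def check_botnet_indicators(flows, dns_pct_max=5.0, smtp_bytes_max=1_000_000):
    """Return (indicator, detail) pairs for the three patterns in the post.
    The thresholds are constructed; tune them to the network's baseline."""
    octets, hosts = outbound_by_app(flows)
    total = sum(octets.values()) or 1   # avoid division by zero on empty input
    findings = []

    # 1. DNS requests leaving the network above an expected share of OUT traffic
    dns_pct = 100.0 * octets.get("DNS", 0) / total
    if dns_pct > dns_pct_max:
        findings.append(("DNS_OUT_SHARE",
                         {"percent": round(dns_pct, 1), "hosts": hosts.get("DNS", [])}))

    # 2. Zero-tolerance rule: any IRC from internal hosts is worth a look
    if octets.get("IRC", 0) > 0:
        findings.append(("IRC_FROM_INTERNAL",
                         {"bytes": octets["IRC"], "hosts": hosts["IRC"]}))

    # 3. Unusually large outbound SMTP volume (spam bot behaviour)
    if octets.get("SMTP", 0) > smtp_bytes_max:
        findings.append(("SMTP_OUT_VOLUME",
                         {"bytes": octets["SMTP"], "hosts": hosts["SMTP"]}))
    return findings


# Constructed sample flows (not captured data); addresses are documentation ranges.
SAMPLE_FLOWS = [
    Flow("10.1.1.20", "203.0.113.10", 443, 50_000),      # normal web traffic
    Flow("10.1.1.20", "203.0.113.10", 80, 30_000),
    Flow("10.1.1.77", "198.51.100.5", 53, 90_000),       # heavy external DNS
    Flow("10.1.1.77", "198.51.100.6", 53, 80_000),
    Flow("10.1.1.77", "198.51.100.7", 6667, 1_200),      # IRC to an external host
    Flow("10.1.1.90", "198.51.100.9", 25, 1_200_000),    # bulk outbound SMTP
    Flow("192.168.5.4", "10.1.1.20", 53, 400),           # internal DNS: not OUT traffic
    Flow("203.0.113.10", "10.1.1.20", 443, 200_000),     # inbound: ignored here
]

if __name__ == "__main__":
    for name, detail in check_botnet_indicators(SAMPLE_FLOWS):
        print(name, detail)
```

Only flows whose source is internal and whose destination is external count as OUT traffic, matching the "monitor the OUT traffic on the WAN link" step; the internal-to-internal DNS flow and the inbound HTTPS flow are left out of the totals, which is why the DNS share is computed against outbound bytes only.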
The features and capabilities of NetFlow Analyzer do not end here. You can make use of various options such as a customizable dashboard to track the top applications from the network, IP Groups and alerts to inform you about traffic behavior, reports exported to PDF or CSV or even instantly emailed, and much more. Try the ManageEngine NetFlow Analyzer 30-day trial with free technical support for hands-on experience of what more you can do with NetFlow Analyzer.
Regards,
Don Thomas Jacob