NetFlow records carry enough detail to support security analysis and to detect abnormal network activity. In this blog post I discuss the complexities involved in analyzing a very large set of flow records and how we can overcome them using ManageEngine NetFlow Analyzer.

Network forensics has to be done on the raw NetFlow data, not on Top N summaries. Top N data gives only a coarse-grained view of network activity, and that aggregation increases the chance of missing abnormal activity and low-intensity attacks.

Currently NetFlow Analyzer can store raw flows for up to one month by default (configurable to store them for a year) for network forensics. This helps network administrators investigate any network incident or deviation from regular traffic patterns. “Troubleshooting Reports” in ManageEngine NetFlow Analyzer are generated from millions of raw NetFlow records to give complete visibility into any particular conversation or attack on the network. In addition to reporting traffic, applications and conversations, they offer useful details such as the number of conversations initiated from any source, filtered by particular TCP flags or ToS bits, which significantly reduces the time taken to identify the root cause of a network incident.

Only some TCP segments carry data; the others are simply acknowledgements of previously received data or requests for a new connection. The familiar three-way handshake, for example, uses the SYN and ACK flags of TCP to establish the connection before any data is transferred. Because a NetFlow record carries the TCP flags observed in a flow, these flags can be used to tell handshakes that completed from handshakes that never did.

A typical TCP-SYN worm scan sends out a large number of SYN packets to a service port on many other hosts, looking for vulnerable instances of that service to infect; the volume of half-open connections it generates can also amount to a denial of service (DoS).

A SYN sent by the scanning host can have three outcomes:

A. The destination host is alive and runs a vulnerable service on the targeted port. The handshake completes (a SYN/ACK comes back), the worm can exploit the service, and the host may also be pushed into a DoS condition.

B. The destination host is alive but the targeted port is closed; the host answers with RST/ACK.

C. No such destination host exists (or it is unreachable), so no reply comes back at all.

When a worm tries to propagate, the destination addresses are typically generated at random, so a large share of the targets are hosts that do not exist or are not listening. We can therefore expect to see a large number of flow records with only the SYN bit set whose source is the infected host.

Let’s see how “Troubleshooting Reports” help in identifying a SYN scan and the infected hosts. TCP-SYN worm scan analysis is generally most effective on flows exported at the switch level, because that is where the individual LAN IP addresses are visible, so choose a LAN interface/port for SYN scan analysis.

1. The first step is to identify conversations with only the SYN bit set. Using ManageEngine NetFlow Analyzer it is possible to filter for potential sources that are trying to contact a large number of destinations with only the SYN bit set.

(Screenshot: Conversation report with auto count)

2. In the second step we drill down into each potential source to analyze the type of traffic. As the picture below shows, it appears to be the W32.Spybot.ACYR worm spreading from an unpatched Windows machine over port 2967.

(Screenshot: Conversation report with auto count, drilled down to one source)

When a worm scans random IP addresses and ports, destinations whose ports are closed answer each SYN with RST/ACK. With NetFlow ingress flow export, a host that receives RST/ACK segments from an unusually large number of different peers is therefore very likely the scanning host itself, since those segments are the replies to its SYNs, and it should be checked for worm infection.
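The two-step procedure above and the RST/ACK check, as an added example in Python that is not part of the original post or of NetFlow Analyzer: it filters raw unidirectional flow records for flows whose cumulative tcp_flags mask is exactly SYN, counts distinct destinations per source, classifies each target of a suspect source as outcome A, B or C from the reply flow, and finally counts hosts receiving RST/ACK from many peers. The CSV column names, the thresholds and the sample flows (an assumed infected host 10.0.0.5 sweeping 10.0.3.0/24 on port 2967, plus benign browsing from 10.0.0.9) are constructed for the example.

```python
"""Find TCP-SYN scanners in raw (un-aggregated) NetFlow records.

Added example, not ManageEngine NetFlow Analyzer code. Assumes NetFlow v5/v9-style
unidirectional records whose tcp_flags field is the OR of every flag seen in that
flow, exported as CSV (column names are assumptions for this example).
"""
import csv
import io
from collections import defaultdict

FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32   # NetFlow v5 tcp_flags bits


def build_sample():
    """Constructed flows from a LAN switch exporter (not real capture data)."""
    rows = [("src_ip", "src_port", "dst_ip", "dst_port", "proto", "tcp_flags", "packets", "bytes")]
    scanner = "10.0.0.5"                       # assumed infected host
    for i in range(1, 41):
        dst = f"10.0.3.{i}"
        if i <= 12:                            # outcome B: alive, port closed, RST/ACK back
            rows.append((scanner, 1024 + i, dst, 2967, 6, SYN, 1, 48))
            rows.append((dst, 2967, scanner, 1024 + i, 6, RST | ACK, 1, 40))
        elif i == 13:                          # outcome A: alive and listening, handshake completes
            rows.append((scanner, 1024 + i, dst, 2967, 6, SYN | ACK | PSH, 5, 612))
            rows.append((dst, 2967, scanner, 1024 + i, 6, SYN | ACK | PSH, 4, 380))
        else:                                  # outcome C: no such host, SYN retried, no reply
            rows.append((scanner, 1024 + i, dst, 2967, 6, SYN, 2, 96))
    for i, web in enumerate(["203.0.113.10", "203.0.113.11", "203.0.113.12"]):  # benign browsing
        rows.append(("10.0.0.9", 50000 + i, web, 443, 6, SYN | ACK | PSH | FIN, 30, 4100))
        rows.append((web, 443, "10.0.0.9", 50000 + i, 6, SYN | ACK | PSH | FIN, 28, 21000))
    return "\n".join(",".join(map(str, r)) for r in rows) + "\n"


def parse_flows(csv_text):
    """Parse the CSV export into dicts with integer ports, protocol, flags and counters."""
    flows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        for k in ("src_port", "dst_port", "proto", "tcp_flags", "packets", "bytes"):
            r[k] = int(r[k])
        flows.append(r)
    return flows


def syn_scan_sources(flows, min_targets=20):
    """Step 1: sources with SYN-only TCP flows to many distinct (dst_ip, dst_port) pairs.

    The test is tcp_flags == SYN, not tcp_flags & SYN: a completed connection also has
    the SYN bit, but its cumulative mask carries ACK/PSH/FIN too and is never exactly 2.
    """
    targets = defaultdict(set)
    for f in flows:
        if f["proto"] == 6 and f["tcp_flags"] == SYN:
            targets[f["src_ip"]].add((f["dst_ip"], f["dst_port"]))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def classify_targets(flows, scanner):
    """Step 2 drill-down: outcome A/B/C for every destination the scanner sent a SYN to.

    NetFlow is unidirectional, so the reply is a separate flow from dst back to the scanner;
    it is matched on the (ip, port) pair the scanner targeted.
    """
    replies = {}
    for f in flows:
        if f["proto"] == 6 and f["dst_ip"] == scanner:
            replies[(f["src_ip"], f["src_port"])] = f["tcp_flags"]
    outcome = {}
    for f in flows:
        if f["proto"] == 6 and f["src_ip"] == scanner and f["tcp_flags"] & SYN:
            key = (f["dst_ip"], f["dst_port"])
            flags = replies.get(key)
            if flags is None:
                outcome[key] = "C: no reply (host absent or filtered)"
            elif flags & RST:
                outcome[key] = "B: RST/ACK, port closed"
            elif flags & SYN and flags & ACK:
                outcome[key] = "A: SYN/ACK, service listening"
            else:
                outcome[key] = "unknown: reply without SYN/ACK or RST"
    return outcome


def rst_ack_receivers(flows, min_peers=10):
    """Ingress view: hosts receiving RST/ACK from many distinct peers are the scanners."""
    peers = defaultdict(set)
    for f in flows:
        if f["proto"] == 6 and f["tcp_flags"] & RST and f["tcp_flags"] & ACK:
            peers[f["dst_ip"]].add(f["src_ip"])
    return {host: len(p) for host, p in peers.items() if len(p) >= min_peers}


if __name__ == "__main__":
    flows = parse_flows(build_sample())
    suspects = syn_scan_sources(flows)
    print("SYN-only scanners:", suspects)
    for src in suspects:
        for target, verdict in sorted(classify_targets(flows, src).items()):
            print(f"  {src} -> {target[0]}:{target[1]}  {verdict}")
    print("RST/ACK receivers:", rst_ack_receivers(flows))
```

On the sample, 10.0.0.5 is reported with 39 SYN-only targets (the one host that completed the handshake is not SYN-only), the drill-down shows 12 closed ports, 1 listening service and 27 silent addresses, and the same host is the only one receiving RST/ACK from 10 or more peers. The thresholds are starting points; on a real LAN, tune them against the normal fan-out of servers and monitoring hosts.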

Hope this gives an idea of how to use the product for typical network security analysis. Please write to netflowanalyzer-support@manageengine.com for any further clarification.

Download (30 day trial) | Interactive Demo | Product overview video

Regards,
Raj