Next Generation Network Traffic Monitoring and Anomaly Detection
Petr Springl, springl@invea-tech.com
INVEA-TECH: Company profile
- University spin-off company
  - 10 years of development, participation in EU-funded projects
  - project Liberouter and programmable hardware, 10 mil. Euro invested, creation of world-unique technologies
- Strong academic background: CESNET, MU, VUT
- Founded 2007
- Expansion onto foreign markets since 2010: UK, US, Canada, Germany, Japan and others
- Key products:
  - FlowMon: network traffic monitoring
  - ADS: detection of anomalies, operational and security issues
  - FlowMon + ADS = a complete solution for monitoring and security
2/42
References
- GÉANT2, FEDERICA: monitoring of 7 European backbones
- CZ Ministry of Defense (via VDI META)
- Korea Telecom
- AVG, Aegon
- CESNET
- T-Mobile
- and more...
Agenda
- Network & Security: interesting/surprising statistics; overview of standard security tools
- Network Traffic & Security Monitoring
- FlowMon Solution Introduction
- Use Case: Discovery of the Chuck Norris Botnet
Network & Security (22.10.2012)
Malware (chart). Source: McAfee Threats Report: Fourth Quarter 2011
Botnets: infected devices (two chart slides). Source: McAfee Threats Report: Fourth Quarter 2011
Attackers' Motivation (chart). Source: Radware 2011 Global Application & Network Security Report
Data Breaches (chart). Source: McAfee Threats Report: Fourth Quarter 2011
Botnet as a Service (chart). Source: McAfee Threats Report: First Quarter 2011
How to face attacks
- Attacks against any organization (SMBs, enterprises, government, education or other organizations) are rising
- Attackers use different approaches and attack types: hacking, cracking, dictionary attacks, DoS/DDoS attacks, attacks against services, social engineering, identity theft, botnets
- Organizations don't know which specific threats to fight
- Many attacks are undetectable by standard approaches: Advanced Persistent Threats, zero-day attacks, polymorphic malware, ...
- What possibilities are there for organizations? For ISPs?
Organizations
- Perimeter Security: firewall, IDS/IPS, UTM, application firewall, web filter, email security, remote access
- Endpoint Security: antivirus, personal firewall, antimalware, antirootkit, endpoint DLP
- Internal Network Security: network traffic visibility, flow monitoring, NBA (Network Behavior Analysis), automatic anomaly detection
ISPs
- ISPs are in a different situation
- They have to face the same threats, but have fewer means of doing so
- ISPs shouldn't protect only themselves, but also help to protect their customers, and protect the Internet from their customers
ISPs
- Network Elements Security: switches, routers; configuration, secure management, services
- Network Security: routing, rate limiting, filtering, redundancy
- Incident Detection: alerts from customers, the ISP or others; IDS, syslogs, SNMP monitoring; network traffic visibility: flow monitoring, NBA (Network Behavior Analysis), automatic anomaly detection
Summary
- All the tools and approaches mentioned are very important from a security point of view
- Most are aimed at protection from known threats and attackers
- That's why continuous monitoring and detailed information about activities in the network is important:
  - provides complete visibility into the network
  - able to detect sophisticated attacks (APTs, zero-day attacks), even those which are not detected by other approaches
Network Traffic & Security Monitoring
Flow Monitoring Principles
- IP flow monitoring: analysis of packet headers only; content (packet payload) is not monitored
- Modern method for network monitoring
- NetFlow v5/v9: Cisco standard
Architecture
- Sources of network statistics: switches, routers, specialized probes or other devices; they monitor network traffic and generate and export flow data
- Flow data collectors: flow data storage, collection & analysis
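As an added illustration of the principle above (not code from the original presentation or from the FlowMon product), the following Python sketch shows what a flow source does: it aggregates packet headers into NetFlow-style unidirectional records keyed by the 5-tuple and exports a record on idle or active timeout, never looking at payload. The packet list and the timeout values are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Flow:
    """One unidirectional NetFlow-style record: timing plus packet and byte counters."""
    first: float
    last: float
    packets: int = 0
    octets: int = 0

def build_flows(packets, active_timeout=300.0, inactive_timeout=15.0):
    """Probe-side aggregation of packet headers into flow records keyed by the 5-tuple
    (src, dst, sport, dport, proto). Only header fields are used; payload is never read.
    A record is exported when its flow has been idle longer than inactive_timeout,
    open longer than active_timeout, or when the input ends (timeouts are assumed values)."""
    active, exported = {}, []
    for ts, src, dst, sport, dport, proto, length in sorted(packets):
        key = (src, dst, sport, dport, proto)
        f = active.get(key)
        if f is not None and (ts - f.last > inactive_timeout or ts - f.first > active_timeout):
            exported.append((key, active.pop(key)))  # expire the old record ...
            f = None                                  # ... and start a fresh one below
        if f is None:
            f = active[key] = Flow(first=ts, last=ts)
        f.last, f.packets, f.octets = ts, f.packets + 1, f.octets + length
    exported.extend(active.items())  # flush whatever is still open
    return exported

# Constructed packet headers: (timestamp, src, dst, sport, dport, proto, length)
SAMPLE = [
    (0.0, "10.0.0.5", "198.51.100.1", 51234, 80, 6, 74),    # client -> web server
    (0.1, "198.51.100.1", "10.0.0.5", 80, 51234, 6, 74),    # reply direction is its own flow
    (0.2, "10.0.0.5", "198.51.100.1", 51234, 80, 6, 1500),
    (0.3, "10.0.0.5", "198.51.100.1", 51234, 80, 6, 1500),
    (120.0, "10.0.0.5", "198.51.100.1", 51234, 80, 6, 74),  # same 5-tuple after 2 min idle: new record
]

if __name__ == "__main__":
    for key, rec in build_flows(SAMPLE):
        print(key, rec)
```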
Network Traffic Monitoring Benefits
- Complete network visibility, real-time & historical
  - Top N statistics (users/customers, services, sites)
  - user-defined profiles (based on user filters)
  - drill down to any individual communication
  - alerting & reporting
- Security enhancement, incident tracking
- Benefits also for network management
  - fast, precise and effective troubleshooting
  - network performance monitoring
  - trending, capacity planning, traffic engineering
  - IP-traffic-based accounting and billing
  - network management cost reduction
Network Behavior Analysis (NBA)
- Automatic advanced analysis of flow (NetFlow) data
- Modern approach to network security
- Detection of undesirable behavior patterns: internal and external threats; undesirable services and applications
- Behavior analysis: behavior profiles; detection of anomalies and suspicious behavior
- "NBA is about higher visibility in the behavior of your network to cover gaps left by signature based mechanism." Paul E. Proctor, Vice President, Gartner
- (Diagram: behavior detection at the network level vs. signature detection at the host level)
NBA Benefits
- Detection of internal & external attacks
- Fast overview of any events in the network, including problem indication
- Enables fighting modern sophisticated attacks
- Detection of threats which are undetectable by standard approaches
- Effective for encrypted traffic
FlowMon solution
FlowMon: Network Under Control
- Innovative network traffic & security monitoring solution using IP flows
- Based on NetFlow v5/v9 and IPFIX technology
- Provides information about who communicates with whom, for how long, over what protocol, with what traffic volume, and more
- Best price/performance ratio in the industry
- Solution for networks of all sizes
- Exceptional customer benefits
- Your network under control!
FlowMon Architecture
- FlowMon Probes: passive standalone source of network statistics (NetFlow / IPFIX data)
- FlowMon Collectors: visualization and evaluation of network statistics
- FlowMon plugins: FlowMon ADS, automatic traffic analysis revealing operational & security issues
FlowMon Probe
- High-performance standalone probe: source of IP flow records in NetFlow v5/v9 and IPFIX format
- L2/L3 invisible: transparent for the monitored network
- Standard and hardware-accelerated models
- Remote configuration via a user-friendly web GUI
- 10/100/1000 Ethernet, 10 GbE, IPv4, IPv6, MPLS, VLAN
- Maintenance-free appliance with simple configuration
- Built-in collector (data storage redundancy)
FlowMon Probe Models
- Compact rack-mount (1U) NetFlow probes
- Standard models: suitable for most networks, excellent price/performance ratio
  - performance: more than 500 k packets per second per 1GbE port, up to 5 M packets per second per 10GbE port
  - models from 1x 100MbE port up to 4x 10GbE ports
- Hardware-accelerated models (Pro): suitable for large networks and backbone links
  - wire-speed performance
  - 10GbE models available, 40/100GbE models available soon
FlowMon Collector
- Standalone appliance for long-term storage of flow statistics from multiple sources (probes, routers, switches)
- Support for NetFlow/IPFIX/sFlow data storage & analysis
- Professional solution for mid-size and large networks
- RAID, redundant power, remote management
- storage capacity from 1 TB up to hundreds of TB
- unique performance: more than 200 k flows/s processing
FlowMon Collector: GUI
- Graphs, tables and forms for further data processing
- Top N statistics (users, sites, services)
- Predefined set of profiles/views for standard protocols
- User-defined profiles (based on IP addresses or ports)
- Intelligent reporting (online/offline email/PDF/CSV reports)
- Profile support and automatic alerts (e-mail, syslog, SNMP etc.)
FlowMon Plugins
FlowMon ADS
- Undesirable behavior detection: attacks, undesirable services, operational and configuration problems
- Behavior profile computation: communication partners
- Anomaly detection: traffic volume and structure
- Intuitive user interface
  - immediate indication of network problems
  - interactive event visualization
  - integration with information from DNS, WHOIS and geolocation services
  - complex filtering, alerting, reporting
FlowMon ADS: detection of undesirable patterns in communication
- Attacks (port scanning, dictionary attacks, DoS/DDoS, telnet protocol)
- Data traffic anomalies (DNS, multicast, non-standard communications)
- Undesirable applications (P2P networks, anonymizers)
- Internal security problems (viruses, spyware, botnets)
- Mail traffic (outgoing spam)
- Operational problems (delays, high traffic, reverse DNS records)
FlowMon Benefits
- Long-term storage of traffic statistics
- Network capacity planning
- Connectivity optimization
- Peering agreement optimization
- Detection of attacks, anomalies and suspicious behavior
- Data retention law fulfillment
- Accounting and billing based on traffic volume
- Possibility to integrate graphs and tables into your IS
Use Case: Discovery of the Chuck Norris Botnet (prepared in cooperation with CSIRT-MU)
Botnet Chuck Norris
- Many attempts from all over the world to connect to the TELNET service, discovered by network security monitoring (flow monitoring) at Masaryk University
- Who uses TELNET nowadays??? Why do devices from all over the world try to connect to the TELNET port?
- Subsequent detailed analysis led to the discovery of the botnet
Botnet Chuck Norris
- Back-tracking: infected devices are ADSL modems and WiFi routers
- Analysis of an infected device
- Connection to the C&C server
- Analysis of botnet behavior
Botnet Chuck Norris
- Attacks Linux servers, ADSL modems, WiFi routers
- Infected devices try to infect other devices: port scanning, TELNET dictionary attack (only 15 passwords!!!!)
- They connect to the central C&C server, which sends them commands (IRC)
Botnet Chuck Norris: timeline
- July 2008: compilation timestamp in the pnscan tool
- May 2009: first file uploaded to distribution servers
- December 2009: botnet discovery at Masaryk University
- Attempts to shut down the botnet (CSIRT-MU)
- May 2010: Chuck Norris v2
- Various modifications up to the present day: Hydra, Aidra???
Attacks Continue
Chuck Norris: summary
- Attacks poorly-configured Linux MIPSEL devices (ADSL modems, WiFi routers)
  - users are not aware of the malicious activities
  - no anti-malware solution is present to detect it
  - the complete traffic to/from the network can be manipulated
- Attack based on a trivial dictionary attack (15 passwords)
- Many network operators underestimated the possibility of a trivial attack
- Discovered at Masaryk University. The malware got the Chuck Norris moniker from a comment in its source code: "[R]anger Killato : in nome di Chuck Norris!"
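As an added example (not part of the original presentation and not FlowMon ADS code), the following Python shows three flow-based checks a collector-side analysis could run for the behaviour described in this use case: a source touching many hosts on TCP/23 with SYN-only flows (port scanning), a burst of completed but very short telnet sessions from one source to one host (consistent with a small-dictionary login attack), and the plain visibility question of which outside addresses reach port 23 at all. The flow records, the internal prefix and all thresholds are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumed monitored prefix (constructed)

def build_sample_flows():
    """Constructed NetFlow-style records (start_ts, src, dst, sport, dport, proto, packets, octets).
    Scenario: 203.0.113.5 probes port 23 on 40 internal hosts with single SYN packets, then makes
    15 short login attempts against the one host that answered; an admin telnet session is mixed in."""
    flows, t = [], 1000.0
    for i in range(40):  # SYN-only probes: one packet each
        flows.append((t + i, "203.0.113.5", f"10.0.1.{i + 1}", 40000 + i, 23, 6, 1, 60))
    for i in range(15):  # handshake + banner + one password guess, then disconnect
        flows.append((t + 60 + 3 * i, "203.0.113.5", "10.0.1.7", 41000 + i, 23, 6, 8, 520))
    flows.append((t + 200, "10.0.9.9", "10.0.1.7", 51000, 23, 6, 300, 24000))  # legitimate session
    return flows

def detect_telnet_scan(flows, min_targets=20, max_packets=2):
    """Port scan: one source touches many distinct hosts on TCP/23 with tiny (SYN-only) flows."""
    targets = defaultdict(set)
    for _, src, dst, _, dport, proto, pkts, _ in flows:
        if proto == 6 and dport == 23 and pkts <= max_packets:
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}

def detect_telnet_dictionary(flows, min_attempts=10, min_packets=3, max_packets=20):
    """Dictionary attack: many completed but very short sessions from one source to one host:23.
    Requiring at least 3 packets separates real login attempts from the scan's SYN-only probes."""
    attempts = defaultdict(int)
    for _, src, dst, _, dport, proto, pkts, _ in flows:
        if proto == 6 and dport == 23 and min_packets <= pkts <= max_packets:
            attempts[(src, dst)] += 1
    return {k: n for k, n in attempts.items() if n >= min_attempts}

def external_telnet_sources(flows, internal=INTERNAL):
    """Visibility check behind the 'who uses TELNET nowadays?' question: which outside
    addresses reach port 23 inside the monitored prefix at all."""
    return sorted({src for _, src, dst, _, dport, _, _, _ in flows
                   if dport == 23 and ip_address(dst) in internal
                   and ip_address(src) not in internal})

if __name__ == "__main__":
    sample = build_sample_flows()
    print("telnet scanners:", detect_telnet_scan(sample))
    print("dictionary attacks:", detect_telnet_dictionary(sample))
    print("external telnet sources:", external_telnet_sources(sample))
```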
INVEA-TECH @ PLNOG 2012
- Is network traffic & security monitoring interesting for you?
- Visit our next presentation @ PLNOG 2012: "FlowMon: Network Traffic & Security Monitoring in Examples", tomorrow at 11:50, New Technology section
- Visit our booth and discuss with us
Thank you for your attention
High-Speed Networking Technology Partner
Petr Špringl, springl@invea-tech.com, 00420 511 205 252
INVEA-TECH a.s., U Vodárny 2965/2, 616 00 Brno, Czech Republic
www.invea-tech.com