automatic network protection scenarios using netflow
TRANSCRIPT
![Page 1: Automatic Network Protection Scenarios Using NetFlow](https://reader031.vdocuments.mx/reader031/viewer/2022020620/61e34b59170f103ac870c0da/html5/thumbnails/1.jpg)
Automatic Network ProtectionScenarios Using NetFlow
Vojt�ch Krmí�ek, Jan Vykopal{krmicek|vykopal}@ics.muni.cz
FloCon 2012January 9-12, Austin, Texas
![Page 2: Automatic Network Protection Scenarios Using NetFlow](https://reader031.vdocuments.mx/reader031/viewer/2022020620/61e34b59170f103ac870c0da/html5/thumbnails/2.jpg)
Part I
Flow-based Network Protection
Krmicek et al. Automatic Network Protection Scenarios Using NetFlow 2 / 23
![Page 3: Automatic Network Protection Scenarios Using NetFlow](https://reader031.vdocuments.mx/reader031/viewer/2022020620/61e34b59170f103ac870c0da/html5/thumbnails/3.jpg)
Goals and Components
Goals of Network ProtectionUsing NetFlow data to protect network.Defending perimeter against attacks from outside.Automated attack detection.Suitable for high speed networks (10 Gbps+).
System PartsSensors (∆ NetFlow data).Control center (∆ commands).Active network components (∆ blocking/filtering).HAMOC platform – both sensor and active component.
Krmicek et al. Automatic Network Protection Scenarios Using NetFlow 3 / 23
![Page 4: Automatic Network Protection Scenarios Using NetFlow](https://reader031.vdocuments.mx/reader031/viewer/2022020620/61e34b59170f103ac870c0da/html5/thumbnails/4.jpg)
General Architecture of Network Protection
Krmicek et al. Automatic Network Protection Scenarios Using NetFlow 4 / 23
![Page 5: Automatic Network Protection Scenarios Using NetFlow](https://reader031.vdocuments.mx/reader031/viewer/2022020620/61e34b59170f103ac870c0da/html5/thumbnails/5.jpg)
NfSen/NFDUMP Collector Toolset Architecture
NetFlowv5/v9
NFDUMP Backend
Periodic Update Tasks and Plugins
Web Front-End User Plugins Command-LineInterface
NfSen – NetFlow Sensor – http://nfsen.sf.net/NFDUMP – NetFlow display – http://nfdump.sf.net/
Krmicek et al. Automatic Network Protection Scenarios Using NetFlow 5 / 23
![Page 6: Automatic Network Protection Scenarios Using NetFlow](https://reader031.vdocuments.mx/reader031/viewer/2022020620/61e34b59170f103ac870c0da/html5/thumbnails/6.jpg)
Methods for Data AnalysisTCP SYN scanning detection
Simple, e�ective general method, low false positive rate.
Honeypot monitoringUses subnet allocated for high- and low-interaction honeypots.Eliminates false positives, mainly catches hosts from outside.
Brute force attack detectionSimilar flows may be symptoms of this attack.Suitable even for encrypted services such as SSH.
Round trip time anomaly detection(D)DOSes overwhelm servers and increase response time.Abrupt increase of RTT may point to attack/misconfiguration.
Krmicek et al. Automatic Network Protection Scenarios Using NetFlow 6 / 23
![Page 7: Automatic Network Protection Scenarios Using NetFlow](https://reader031.vdocuments.mx/reader031/viewer/2022020620/61e34b59170f103ac870c0da/html5/thumbnails/7.jpg)
HAMOC Hardware PlatformFeatures
Tra�c distribution among multiple CPU cores.Network applications with hardware acceleration.Capable of concurrent monitoring/blocking/filtering/etc.Low-speed networks – SW alternative (NetFlow/iptables).
Krmicek et al. Automatic Network Protection Scenarios Using NetFlow 7 / 23
![Page 8: Automatic Network Protection Scenarios Using NetFlow](https://reader031.vdocuments.mx/reader031/viewer/2022020620/61e34b59170f103ac870c0da/html5/thumbnails/8.jpg)
Network Protection – Deployment Scenarios
ScenariosNetFlow probes + control center + RTBH1 filteringHAMOC as NetFlow probe and firewallHAMOC as redirection to quarantine (phishing)HAMOC as NetFlow probe and active attack toolHAMOC as NetFlow probe and tra�c limiter
1Remote Triggered Black HoleKrmicek et al. Automatic Network Protection Scenarios Using NetFlow 8 / 23
![Page 9: Automatic Network Protection Scenarios Using NetFlow](https://reader031.vdocuments.mx/reader031/viewer/2022020620/61e34b59170f103ac870c0da/html5/thumbnails/9.jpg)
Part II
Network Protection Scenarios
Krmicek et al. Automatic Network Protection Scenarios Using NetFlow 9 / 23
![Page 10: Automatic Network Protection Scenarios Using NetFlow](https://reader031.vdocuments.mx/reader031/viewer/2022020620/61e34b59170f103ac870c0da/html5/thumbnails/10.jpg)
NetFlow Probes + Control Center + RTBH Filtering
Krmicek et al. Automatic Network Protection Scenarios Using NetFlow 10 / 23
![Page 11: Automatic Network Protection Scenarios Using NetFlow](https://reader031.vdocuments.mx/reader031/viewer/2022020620/61e34b59170f103ac870c0da/html5/thumbnails/11.jpg)
HAMOC as NetFlow Probe and Firewall
Krmicek et al. Automatic Network Protection Scenarios Using NetFlow 11 / 23
![Page 12: Automatic Network Protection Scenarios Using NetFlow](https://reader031.vdocuments.mx/reader031/viewer/2022020620/61e34b59170f103ac870c0da/html5/thumbnails/12.jpg)
HAMOC as Redirection to Quarantine (Phishing)
Krmicek et al. Automatic Network Protection Scenarios Using NetFlow 12 / 23
![Page 13: Automatic Network Protection Scenarios Using NetFlow](https://reader031.vdocuments.mx/reader031/viewer/2022020620/61e34b59170f103ac870c0da/html5/thumbnails/13.jpg)
HAMOC as NetFlow Probe and Active Attack Tool
Krmicek et al. Automatic Network Protection Scenarios Using NetFlow 13 / 23
![Page 14: Automatic Network Protection Scenarios Using NetFlow](https://reader031.vdocuments.mx/reader031/viewer/2022020620/61e34b59170f103ac870c0da/html5/thumbnails/14.jpg)
HAMOC as NetFlow Probe and Tra�c Limiter
Krmicek et al. Automatic Network Protection Scenarios Using NetFlow 14 / 23
![Page 15: Automatic Network Protection Scenarios Using NetFlow](https://reader031.vdocuments.mx/reader031/viewer/2022020620/61e34b59170f103ac870c0da/html5/thumbnails/15.jpg)
Part III
Network Protection Use Case:SSH Dictionary Attackand HAMOC Firewall
Krmicek et al. Automatic Network Protection Scenarios Using NetFlow 15 / 23
![Page 16: Automatic Network Protection Scenarios Using NetFlow](https://reader031.vdocuments.mx/reader031/viewer/2022020620/61e34b59170f103ac870c0da/html5/thumbnails/16.jpg)
I. Attacker Performs SSH Horizontal Scan
Attacker
Krmicek et al. Automatic Network Protection Scenarios Using NetFlow 16 / 23
![Page 17: Automatic Network Protection Scenarios Using NetFlow](https://reader031.vdocuments.mx/reader031/viewer/2022020620/61e34b59170f103ac870c0da/html5/thumbnails/17.jpg)
II. Attacker Starts SSH Dictionary Attack
Attacker
Krmicek et al. Automatic Network Protection Scenarios Using NetFlow 17 / 23
![Page 18: Automatic Network Protection Scenarios Using NetFlow](https://reader031.vdocuments.mx/reader031/viewer/2022020620/61e34b59170f103ac870c0da/html5/thumbnails/18.jpg)
III. Center Detects Attack/Inserts Blocking Rule
Attacker
Krmicek et al. Automatic Network Protection Scenarios Using NetFlow 18 / 23
![Page 19: Automatic Network Protection Scenarios Using NetFlow](https://reader031.vdocuments.mx/reader031/viewer/2022020620/61e34b59170f103ac870c0da/html5/thumbnails/19.jpg)
IV. New SSH Attack, Blocked at the Border
Attacker
Krmicek et al. Automatic Network Protection Scenarios Using NetFlow 19 / 23
![Page 20: Automatic Network Protection Scenarios Using NetFlow](https://reader031.vdocuments.mx/reader031/viewer/2022020620/61e34b59170f103ac870c0da/html5/thumbnails/20.jpg)
V. Regular User Can Access Network, Attacker Not
Attacker
RegularUser
Krmicek et al. Automatic Network Protection Scenarios Using NetFlow 20 / 23
![Page 21: Automatic Network Protection Scenarios Using NetFlow](https://reader031.vdocuments.mx/reader031/viewer/2022020620/61e34b59170f103ac870c0da/html5/thumbnails/21.jpg)
Part IV
Conclusion
Krmicek et al. Automatic Network Protection Scenarios Using NetFlow 21 / 23
![Page 22: Automatic Network Protection Scenarios Using NetFlow](https://reader031.vdocuments.mx/reader031/viewer/2022020620/61e34b59170f103ac870c0da/html5/thumbnails/22.jpg)
Conclusion
Role of IP Flow Monitoring in High Speed NetworksFlow-based monitoring suitable for large networks.Observe and automatically inspect 24x7 network data.Possible future deployment in 10Gbps/40Gbps/100Gbpsnetworks.
Automatic Network ProtectionClass of attacks can be detected automatically.Automatic network protection supports operators.Detect and block attacks before hosts are infected.Not usable in every situation – limitations.
Krmicek et al. Automatic Network Protection Scenarios Using NetFlow 22 / 23
![Page 23: Automatic Network Protection Scenarios Using NetFlow](https://reader031.vdocuments.mx/reader031/viewer/2022020620/61e34b59170f103ac870c0da/html5/thumbnails/23.jpg)
Thank you for your attention!
Vojt�ch Krmí�ek et al.{krmicek|vykopal}@ics.muni.cz
Project CYBERhttp://www.muni.cz/ics/cyber
Automatic NetworkProtection Scenarios
Using NetFlow
This material is based upon work supported by theCzech Ministry of Defence under Contract No. OVMASUN200801.
Krmicek et al. Automatic Network Protection Scenarios Using NetFlow 23 / 23