Network behavior analysis and DoS attacks

Welcome to the final blog in a three-part series on network behavior analysis through the eyes of Plixer International. You may also wish to review the first installment, Intrusion detection systems vs. network behavior analysis: Which do you need?, as well as the second installment, NetFlow analytics vs. network behavior analysis.

For this third and final blog, Plixer CEO Michael Patterson answers nine questions regarding attack strategies that crackers are using to harm networks and whether network behavior analysis can be useful in combating these attacks.

1. What exactly is a DoS Attack?

A denial-of-service attack (DoS attack) is an attempt to make a computer resource unavailable to its intended users.

Although the means to, motives for and targets of a DoS attack may vary, it generally comprises the concerted, malevolent efforts of a person or persons to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. Collections of compromised systems used in some types of DDoS attacks are known as botnets.

[Figure: Stacheldraht DDoS attack]
----------------------------------------

2. How would you describe a Botnet?

A Botnet is a collection of software robots, or bots, which run autonomously and automatically. They run on groups of "zombie" computers controlled remotely by crackers. This can also refer to the network of computers using distributed computing software.

----------------------------------------

3. Can you explain a Peer-to-peer DDoS?

Yes, attackers have found a way to exploit a number of bugs in peer-to-peer servers to initiate DDoS attacks. The most aggressive of these peer-to-peer DDoS attacks exploits DC++. Peer-to-peer attacks are different from regular botnet-based attacks. With peer-to-peer there is no botnet and the attacker doesn't have to communicate with the clients it subverts. Instead, the attacker acts as a 'puppet master,' instructing clients of large peer-to-peer file sharing hubs to disconnect from their peer-to-peer network and to connect to the victim's website instead. As a result, several thousand computers may aggressively try to connect to a target website. While a typical web server can handle a few hundred connections/sec before performance begins to degrade, most web servers fail almost instantly under five or six thousand connections/sec.

----------------------------------------

4. Can NetFlow be used to identify worm propagations?

Well, not usually. Traditional DDoS worm propagations can easily be identified using signatures. Using these, an application compares bits to the data field of each packet. In most NetFlow collection environments today, the data field is not available.

[Figure: Cisco IOS NetFlow Infrastructure]
Flexible NetFlow isn't widely available, but it does allow a trigger to initiate an immediate cache which will actually capture the first several hundred bytes of each packet. The capture could then be fed to a packet analyzer or Intrusion Detection System (IDS). However, there is a problem with this immediate cache idea: there often isn't enough information available in NetFlow v5 or v9 to detect many worm propagations, so vendors will have to be creative on how and when to trigger an immediate cache with Flexible NetFlow. This is still up in the air.

[Figure: Cisco IOS Flexible NetFlow Flow Monitors and Collection of the Export Data]
----------------------------------------

5. What about sFlow?

This sampling technology is usually set up to capture 1 in every 100 or 1000 packets per interface of a switch. Finer samples can be configured (e.g. every other packet with Foundry); however, the packet volume created can quickly overwhelm most collectors. Due to its sampling nature, some feel that sFlow is inherently not as useful as NetFlow for many IP-based Network Behavior Analysis algorithms. One might suggest connecting sFlow switches to a NetFlow probe to extend the investment.

----------------------------------------

6. What can be done with today's NetFlow technology to find out which end systems are slowly spreading the infection?

In short, Version 5, the most popular version of NetFlow, provides TCP flags which are useful to identify a DDoS attack once it is underway, but catching the actual propagation of the bot can be very difficult with NetFlow without some type of Flow Analytics.

----------------------------------------

7. What are TCP Flags?

This is kind of a big question and I suggest that you read Yiming Gong's article. To summarize, a three-way handshake that starts a normal TCP connection involves:

First, a client sends a SYN packet to the destination host
Then the destination host sends back a SYN/ACK packet
The client acknowledges the destination host's acknowledgment
A connection is established

The figure below illustrates this handshake:

[Figure: TCP three-way handshake]
For example, let's say a SYN packet arrives at the destination port of a host. If the port is open, the SYN request sent from the worm will be responded to, regardless of whether or not the service running on that port is vulnerable. Then the standard TCP three-way handshake will be completed, and subsequent packets carrying other TCP flags such as PUSH and ACK will follow. One way a DDoS attack is identified using NetFlow v5 is by:

Searching through the collected flow records and filtering out all flow records that have only the SYN bit set
Extracting the source IP addresses of every flow record
Counting the occurrence of every unique IP
Then sorting the records by the number of counts for each one
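The four steps above, carried out in code. This is an added example and not part of the interview or of any Plixer product: it reads a constructed, comma-separated dump of NetFlow v5-style records (hypothetical addresses in 10.0.0.0/8, 192.0.2.0/24 and 198.51.100.0/24; the column order is an assumption about how a collector would export them), keeps the TCP flows whose cumulative tcp_flags field is exactly SYN (0x02), counts those flows per source address and sorts by the count. It additionally reports how many distinct destinations each source touched, which the interview does not mention but which separates a host sweeping a subnet from a client that keeps retrying one dead server. The threshold value is an assumption; as the answer that follows says, it has to be tuned to the network's size and traffic volume.

```python
"""Rank sources by SYN-only NetFlow v5 flows (added example, constructed data)."""
from collections import defaultdict

# TCP flag bits as packed into the NetFlow v5 tcp_flags field, which is the
# cumulative OR of every flag seen on packets belonging to the flow.
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
PROTO_TCP = 6

# Assumed column order of the collector's CSV export (not a real vendor format).
FIELDS = ("src_ip", "dst_ip", "src_port", "dst_port", "proto",
          "packets", "bytes", "tcp_flags")

# Constructed sample export. 10.0.0.7 is written to behave like a host sweeping
# port 445 (one SYN per target, nothing else); 10.0.0.20 like an ordinary client
# that completed two handshakes and had two connection attempts go unanswered.
SAMPLE_FLOWS = """\
# src_ip,dst_ip,src_port,dst_port,proto,packets,bytes,tcp_flags
10.0.0.7,192.0.2.10,51001,445,6,1,60,0x02
10.0.0.7,192.0.2.11,51002,445,6,1,60,0x02
10.0.0.7,192.0.2.12,51003,445,6,1,60,0x02
10.0.0.7,192.0.2.13,51004,445,6,1,60,0x02
10.0.0.7,192.0.2.14,51005,445,6,1,60,0x02
10.0.0.7,192.0.2.15,51006,445,6,1,60,0x02
192.0.2.10,10.0.0.7,445,51001,6,1,40,0x14
10.0.0.20,192.0.2.50,40100,80,6,8,1200,0x1b
192.0.2.50,10.0.0.20,80,40100,6,7,5000,0x1b
10.0.0.20,192.0.2.51,40101,443,6,1,60,0x02
10.0.0.20,192.0.2.52,40102,22,6,2,120,0x02
198.51.100.9,10.0.0.20,53,40200,17,1,90,0x00
"""


def parse_flows(text):
    """Parse the CSV dump into a list of flow records (dicts with typed fields)."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        cols = line.split(",")
        if len(cols) != len(FIELDS):
            raise ValueError(f"malformed flow record: {line!r}")
        rec = dict(zip(FIELDS, cols))
        for key in ("src_port", "dst_port", "proto", "packets", "bytes"):
            rec[key] = int(rec[key])
        # base 0 accepts both "0x02" and plain decimal "2"
        rec["tcp_flags"] = int(rec["tcp_flags"], 0)
        flows.append(rec)
    return flows


def is_syn_only(flow):
    """Step 1: a TCP flow whose only flag over its whole lifetime was SYN."""
    return flow["proto"] == PROTO_TCP and flow["tcp_flags"] == TCP_SYN


def rank_syn_sources(flows):
    """Steps 2-4: count SYN-only flows per source IP and sort, busiest first.

    Returns (src_ip, syn_only_flow_count, distinct_destination_count) tuples.
    """
    counts = defaultdict(int)
    targets = defaultdict(set)
    for f in flows:
        if is_syn_only(f):
            counts[f["src_ip"]] += 1
            targets[f["src_ip"]].add(f["dst_ip"])
    ranked = [(src, n, len(targets[src])) for src, n in counts.items()]
    ranked.sort(key=lambda row: (-row[1], -row[2], row[0]))
    return ranked


def suspects(flows, threshold):
    """Sources whose SYN-only flow count meets the (site-specific) threshold."""
    return [src for src, n, _ in rank_syn_sources(flows) if n >= threshold]


if __name__ == "__main__":
    records = parse_flows(SAMPLE_FLOWS)
    for src, n, fanout in rank_syn_sources(records):
        print(f"{src:<15} syn_only_flows={n:<3} distinct_targets={fanout}")
    print("above threshold:", suspects(records, threshold=5))  # ['10.0.0.7']
```

Because tcp_flags is the OR of every flag seen in the flow, a connection that completed the handshake carries ACK (and usually PSH and FIN) and is excluded, while the sweep's flows stay at exactly 0x02 even when the target answered: the RST travels in the reverse flow record (the 0x14 line above), not in the sender's. A host that merely retries one unreachable server will also show SYN-only flows, which is why the distinct-destination count is worth printing next to the raw count.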

Following the above process, a suitable list of potentials is generated. A threshold can be set depending on the network size and traffic volume. Hosts whose counters are above the threshold can be considered potentially malicious. Again, this is not the only way to identify a DDoS attack.

----------------------------------------

8. What is Plixer doing to help companies recognize bad behaviors?

We released a Flow Analytics tool which watches flow patterns. Patterns are accumulated and anomalies trigger an indicator called the Concern Index (CI). As more algorithms trigger on the same host, the Concern Index value increases.

[Figure: Flow Analytics screenshot]
Hosts with a higher concern index or count can trigger alarms and ultimately require attention from the network administrator.

----------------------------------------

9. Is it true that nothing can stop the Storm Worm?

From what I have read, nothing today can detect the proliferation of the Storm Worm. Storm's delivery mechanism changes regularly. It started out as PDF spam, then its programmers started using e-cards and YouTube invites -- anything to entice users to click on a phony link. Storm also started posting blog-comment spam, again trying to trick viewers into clicking infected links. While these sorts of things are pretty standard worm tactics, it does highlight how Storm is constantly shifting at all levels.

Storm maintains two types of infected hosts, "command and control" and "workers". They all communicate using a P2P (peer-to-peer) network like BitTorrent, increasing the difficulty of tracking it and shutting it down. The C2 (command and control) hosts just sit and wait, and they keep track of 20-30 worker hosts each. These infected hosts generate almost no traffic and use a "fast-flux" DNS system to keep security people guessing. Storm also rewrites itself to keep antivirus software from identifying it. Nobody has figured out how to consistently identify this virus. Storm runs as a rootkit on your host so you can't easily see it, and it uses almost no CPU or memory. Scary! What's worse, if you sense something is wrong and perform a security scan on a suspect host, it could notify the botnet and DDoS your network! There are potentially 20 million hosts infected, waiting for instructions to attack, and nobody knows how to stop it. The only way to vaguely identify the traffic is to look deep inside the P2P packet. If that is encrypted, suspicions rise.

How do you believe network behavior analysis can be used more effectively in combating network attacks?

Contact Brad Reese
http://www.BradReese.Com

Visit Brad Reese on Twitter

Copyright © 2008 IDG Communications, Inc.