Automatic Network Protection Scenarios Using NetFlow
Vojtěch Krmíček, Jan Vykopal {krmicek|vykopal}@ics.muni.cz
FloCon 2012, January 9-12, Austin, Texas
Part I: Flow-based Network Protection
Krmicek et al. Automatic Network Protection Scenarios Using NetFlow 2 / 23
Goals and Components

Goals of Network Protection
  Use NetFlow data to protect the network.
  Defend the perimeter against attacks from outside.
  Automated attack detection.
  Suitable for high-speed networks (10 Gbps+).

System Parts
  Sensors (⇒ NetFlow data).
  Control center (⇒ commands).
  Active network components (⇒ blocking/filtering).
  HAMOC platform: both a sensor and an active component.
General Architecture of Network Protection (diagram)
NfSen/NFDUMP Collector Toolset Architecture

Components (diagram): Web Front-End, User Plugins, Command-Line Interface, Periodic Update Tasks and Plugins, NFDUMP Backend, NetFlow v5/v9 input.
  NfSen – NetFlow Sensor – http://nfsen.sf.net/
  NFDUMP – NetFlow display – http://nfdump.sf.net/
Methods for Data Analysis

TCP SYN scanning detection
  Simple, effective general method with a low false positive rate.
Honeypot monitoring
  Uses a subnet allocated for high- and low-interaction honeypots.
  Eliminates false positives (no legitimate traffic goes there); mainly catches hosts from outside.
Brute force attack detection
  Many similar flows between the same hosts may be a symptom of this attack.
  Works on flow statistics only, so it is suitable even for encrypted services such as SSH.
Round trip time anomaly detection
  (D)DoS attacks overwhelm servers and increase response time.
  An abrupt increase of RTT may point to an attack or a misconfiguration.
HAMOC Hardware Platform

Features
  Traffic distribution among multiple CPU cores.
  Network applications with hardware acceleration.
  Capable of concurrent monitoring/blocking/filtering/etc.
  Low-speed networks: SW alternative (NetFlow/iptables).
Network Protection – Deployment Scenarios

Scenarios
  NetFlow probes + control center + RTBH (Remote Triggered Black Hole) filtering
  HAMOC as NetFlow probe and firewall
  HAMOC as redirection to quarantine (phishing)
  HAMOC as NetFlow probe and active attack tool
  HAMOC as NetFlow probe and traffic limiter
Part II: Network Protection Scenarios

NetFlow Probes + Control Center + RTBH Filtering (diagram)
HAMOC as NetFlow Probe and Firewall (diagram)
HAMOC as Redirection to Quarantine (Phishing) (diagram)
HAMOC as NetFlow Probe and Active Attack Tool (diagram)
HAMOC as NetFlow Probe and Traffic Limiter (diagram)
Part III: Network Protection Use Case: SSH Dictionary Attack and HAMOC Firewall

I. Attacker Performs SSH Horizontal Scan (diagram)
II. Attacker Starts SSH Dictionary Attack (diagram)
III. Center Detects Attack / Inserts Blocking Rule (diagram)
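The three steps of this use case, together with the TCP SYN scan and brute force methods from the "Methods for Data Analysis" slide, as an added worked example. This is not the authors' or the HAMOC code: the flow records are constructed inline and modelled on NetFlow v5 fields, the detection thresholds are assumptions chosen for that sample, and the blocking rule is emitted in the iptables form the slides name as the software alternative (the slides do not show the HAMOC rule format).

```python
"""Added example (not the authors' or HAMOC code): flow-based detection of
an SSH horizontal scan followed by a dictionary attack, and generation of
the blocking rule. Flow records are constructed here and modelled on
NetFlow v5 fields; thresholds are assumptions that fit the sample."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import fmean, pstdev


@dataclass(frozen=True)
class Flow:
    src: str      # source IP
    dst: str      # destination IP
    dport: int    # destination port
    proto: str    # "tcp" / "udp"
    flags: str    # union of TCP flags seen in the flow, e.g. "S" or "SAPF"
    packets: int
    bytes: int


ATTACKER = "203.0.113.5"   # constructed; RFC 5737 documentation prefix


def make_sample():
    """Constructed flows: phase I scan of 198.51.100.0/24 port 22, phase II
    dictionary attack on 198.51.100.20, plus benign traffic."""
    flows = []
    for i in range(1, 41):
        if i in (20, 21):   # live hosts: SYN, SYN/ACK, RST from the scanner
            flows.append(Flow(ATTACKER, f"198.51.100.{i}", 22, "tcp", "SR", 2, 100))
        else:               # nobody home: single SYN, no answer
            flows.append(Flow(ATTACKER, f"198.51.100.{i}", 22, "tcp", "S", 1, 60))
    for k in range(30):     # 30 failed logins: short, complete, near-identical
        flows.append(Flow(ATTACKER, "198.51.100.20", 22, "tcp", "SAPF",
                          20 + k % 3, 3000 + 40 * (k % 5)))
    # Benign: a long interactive admin session, one scripted login,
    # HTTPS browsing and a single unanswered SYN to a web server.
    flows.append(Flow("192.0.2.10", "198.51.100.20", 22, "tcp", "SAPF", 4200, 610000))
    flows.append(Flow("192.0.2.10", "198.51.100.21", 22, "tcp", "SAPF", 18, 2900))
    for _ in range(5):
        flows.append(Flow("192.0.2.11", "198.51.100.30", 443, "tcp", "SAPF", 12, 5000))
    flows.append(Flow("192.0.2.12", "198.51.100.30", 80, "tcp", "S", 1, 60))
    return flows


def detect_syn_scans(flows, min_targets=20):
    """TCP SYN scan: one source, many destinations, flows that never reach
    an established state (SYN set, ACK never set, at most two packets)."""
    targets = defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and "S" in f.flags and "A" not in f.flags and f.packets <= 2:
            targets[f.src].add(f.dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def detect_dictionary_attacks(flows, min_attempts=10, max_cv=0.2):
    """Brute force on SSH: many similar short complete TCP flows from one
    source to one server's port 22. Similarity is the coefficient of
    variation of the byte counts, so no payload inspection is needed and
    the method works on the encrypted service."""
    groups = defaultdict(list)
    for f in flows:
        if (f.proto == "tcp" and f.dport == 22 and "S" in f.flags
                and "A" in f.flags and 8 <= f.packets <= 60):
            groups[(f.src, f.dst)].append(f.bytes)
    hits = []
    for (src, dst), sizes in groups.items():
        if len(sizes) >= min_attempts and pstdev(sizes) / fmean(sizes) <= max_cv:
            hits.append((src, dst, len(sizes)))
    return sorted(hits)


def blocking_rule(src, dport):
    """Step III: the rule the control center pushes to the active component,
    written as the iptables software alternative named on the HAMOC slide."""
    return f"iptables -I FORWARD -s {src} -p tcp --dport {dport} -j DROP"


def control_center(flows):
    """Run both detectors and return one blocking rule per attacking source."""
    sources = set(detect_syn_scans(flows))
    sources.update(src for src, _dst, _n in detect_dictionary_attacks(flows))
    return [blocking_rule(src, 22) for src in sorted(sources)]


if __name__ == "__main__":
    sample = make_sample()
    print("scans:", detect_syn_scans(sample))
    print("dictionary attacks:", detect_dictionary_attacks(sample))
    for rule in control_center(sample):
        print(rule)
```

On the constructed sample the scan detector reports the attacker with 40 targets, the brute force detector reports 30 similar sessions to 198.51.100.20, and the admin's long interactive session, the single scripted login and the web traffic all stay below the thresholds. In a real deployment the thresholds belong in a configuration tuned per network, and a whitelist of management hosts belongs in front of the rule push.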