The rising frequency of cyber attacks, the variety of their vectors (e.g. botnets of unprotected IoT devices, Attack-as-a-Service software, SSL-based attacks) and their overall sophistication have made them a serious threat to networks around the world. Governments, militaries, financial institutions, tech companies, ISPs, enterprises and even private individuals are not sufficiently prepared to oppose them effectively, so the bad guys keep wreaking havoc on online services, revenues, reputation and privacy.

Conventional firewalls and antivirus products, as signature-based perimeter and endpoint defenses, are indeed good against known attacks and can do a fair job of defending networks against basic malware threats (e.g. viruses, worms). However, this approach requires substantial processing resources and an extensive threat database, and still cannot prevent 100% of threats. In addition, these systems may themselves become targets, which makes them unreliable, complex to implement and expensive to maintain.

This is why NetFlow analytics is used as an alternative: a complementary, dedicated and independent anomaly-based defense. Together with other Intrusion Detection Systems (IDS) such as log analytics, route analytics, user analytics and Deep Packet Inspection (DPI), it is an integral part of an overall network security strategy. It enables networks to adapt and become immune to attacks by focusing on detecting and responding to atypical events called Indicators of Compromise (IoC). This approach works for unknown attacks ("zero-day", with no signature available), such as Denial of Service and data leakage, which are even more critical, making it very cost-efficient and practical in real life.

"Be ready to overcome whatever variable is thrown at you."
by Ido Portal, fitness coach

Based on our previous experience, these are the top uses of NetFlow for network security:

1. Denial of Service (DoS)

One of the most popular and destructive attacks, it comes from infected devices (botnets) with the aim of harming online services and network infrastructure.

The source of the attack can be a single infected device (a non-distributed attack) or a whole army of them, a Distributed Denial of Service (DDoS) attack. Attacks can come from outside or from inside your network, and can target your own or even some other network. Attacks can be volumetric, designed to bring services down outright and therefore easier to detect, or non-volumetric, squeezing beneath system alert thresholds just enough to degrade services. The most popular types are UDP flood, ICMP/ping flood, SYN flood, NTP amplification, DNS amplification, etc.

Main vectors of impact can be:

a) Connection flooding - e.g. by opening and closing TCP connections, the server becomes overwhelmed and cannot process legitimate connections.
b) Bandwidth flooding - with a huge number of packets sent to a host, the router link becomes congested and legitimate packets cannot be forwarded.
c) Diversion operation - where DoS is used only as a smokescreen to distract network security staff from some other simultaneous and more dangerous action.

2. Data leakage

One of the most sophisticated Advanced Persistent Threats (APTs), it is aimed at a specific target and slips under the radar by using stealthy techniques. The perpetrator acts as a device hijacker, taking over its command and control functions and uploading sensitive data (usernames/passwords, credit cards, emails, source code, documentation, etc.) to some external storage. Exposing such vital data to the public, or even selling it to a third party, could harm the target; often a ransom is demanded in return for not doing so.

3. Port scan

Port scanning is typically used as preparation for an attack and can be a good indication of things to come. Attackers probe network defenses by discovering running services and then exploit potential weak points to penetrate them. The most common techniques are TCP scan, SYN scan, FIN scan, UDP scan, ICMP/ping scan, etc.
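The three detections above (DoS, data leakage and port scan) all come down to aggregating flow records by the right key. The following is an added example, not code from the original post: it models a flow record with the NetFlow v5 fields the checks need and runs three aggregations over a constructed batch of flows. The internal address range, the thresholds and the sample addresses are assumptions chosen for the illustration; real thresholds come from your own baseline.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Flow record shaped like the NetFlow v5 fields the detections need.
@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int      # 6 = TCP, 17 = UDP
    packets: int
    octets: int
    tcp_flags: int  # cumulative OR of TCP flags seen in the flow; SYN = 0x02, ACK = 0x10

INTERNAL = ip_network("10.0.0.0/8")  # assumed internal address space
SYN = 0x02
ACK = 0x10

def detect_syn_flood(flows, min_sources=20, max_packets=3):
    """DoS check: many distinct sources sending short, SYN-only TCP flows to one dst:port."""
    sources = defaultdict(set)
    for f in flows:
        syn_only = f.proto == 6 and (f.tcp_flags & SYN) and not (f.tcp_flags & ACK)
        if syn_only and f.packets <= max_packets:
            sources[(f.dst, f.dport)].add(f.src)
    return {k: len(v) for k, v in sources.items() if len(v) >= min_sources}

def detect_port_scan(flows, min_ports=15, max_packets=2):
    """Port scan check: one source touching many distinct dst ports on one host with tiny flows."""
    ports = defaultdict(set)
    for f in flows:
        if f.packets <= max_packets:
            ports[(f.src, f.dst)].add(f.dport)
    return {k: len(v) for k, v in ports.items() if len(v) >= min_ports}

def detect_exfiltration(flows, max_octets=50_000_000):
    """Data leakage check: an internal host pushing an unusually large byte volume to one external address."""
    volume = defaultdict(int)
    for f in flows:
        if ip_address(f.src) in INTERNAL and ip_address(f.dst) not in INTERNAL:
            volume[(f.src, f.dst)] += f.octets
    return {k: v for k, v in volume.items() if v >= max_octets}

def sample_flows():
    """Constructed flow batch: one SYN flood, one port scan, one upload and some normal browsing."""
    flows = []
    # SYN flood: 40 distinct (constructed) sources, one SYN packet each, at web server 10.0.0.5:443
    for i in range(40):
        flows.append(Flow(f"203.0.113.{i + 1}", "10.0.0.5", 40000 + i, 443, 6, 1, 60, SYN))
    # port scan: internal host 10.0.0.9 probes ports 1..25 on 10.0.0.5, one packet per port
    for p in range(1, 26):
        flows.append(Flow("10.0.0.9", "10.0.0.5", 50000 + p, p, 6, 1, 60, SYN))
    # exfiltration: 10.0.0.7 sends 120 MB to an external host over three long-lived flows
    for i in range(3):
        flows.append(Flow("10.0.0.7", "198.51.100.20", 51000 + i, 443, 6, 30000, 40_000_000, SYN | ACK))
    # normal HTTPS browsing from 10.0.0.8: should trigger nothing
    flows.append(Flow("10.0.0.8", "198.51.100.30", 52000, 443, 6, 120, 150_000, SYN | ACK))
    return flows

if __name__ == "__main__":
    batch = sample_flows()
    print("SYN flood targets :", detect_syn_flood(batch))
    print("Port scanners     :", detect_port_scan(batch))
    print("Exfiltration pairs:", detect_exfiltration(batch))
```

Each detector returns a dictionary keyed by the aggregation key, which makes the output easy to feed into a ticketing or alerting pipeline; the keys differ deliberately (destination for a flood, source-to-destination pair for a scan or an upload) because that is what an analyst needs to see first in each case.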

4. Blackholing review

In order to verify and report on firewall performance, it is useful to review discarded traffic (traffic routed to a Null interface). When the blackholing decision is based on throughput or volume thresholds, it may also happen that legitimate traffic is discarded.

5. Employee abuse

Employees visiting unwanted content, and even using their own phones, tablets and laptops (BYOD), indirectly expose the network to the risk of malware and device hijacking.

More automated tools can also recognize abnormal traffic patterns by comparing them with a baseline and with attack types from an internal database (Network Behavior Anomaly Detection, NBAD), distinguish publicly or privately blacklisted IPs as potential attackers (host reputation), and even remotely trigger blackholing on edge routers (RTBH). However, it is worth noting that such a system, no matter how precise, smart and automated it may be, can still produce false positives about what is atypical and what isn't. For this reason, human intelligence to inspect the data, verify actual threatening behavior and tune the system for the future is still necessary and is, in fact, irreplaceable.
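To show what the baseline comparison, the host-reputation lookup and the blackholing review of section 4 look like in practice, here is an added example that is not part of the original post. It computes a per-host baseline from constructed historical flow counts, flags hosts whose current interval deviates by more than a chosen number of standard deviations, matches flows against a constructed blacklist, and sums traffic whose output interface is 0 (the assumption here, common in NetFlow exports, is that interface index 0 marks traffic that was dropped or null-routed). All addresses, counts and the threshold are assumptions for the illustration. Note that the nightly backup host is flagged just like the misbehaving one: that alert is exactly the kind of false positive the paragraph above says an analyst must still verify and tune away.

```python
from collections import Counter
from statistics import mean, pstdev

def baseline(history):
    """Per-host baseline from past interval counts (e.g. flows per 5 minutes): mean and population stddev."""
    return mean(history), pstdev(history)

def z_score(current, history):
    """How many standard deviations the current interval sits from the host's own baseline."""
    mu, sigma = baseline(history)
    if sigma == 0:
        return 0.0 if current == mu else float("inf")
    return (current - mu) / sigma

def nbad_alerts(current_counts, history_by_host, z_threshold=3.0):
    """NBAD-style check: hosts whose current interval deviates from baseline by more than z_threshold sigmas."""
    alerts = {}
    for host, current in current_counts.items():
        history = history_by_host.get(host)
        if not history:
            continue  # no baseline yet: nothing to compare against, a human has to look
        z = z_score(current, history)
        if abs(z) > z_threshold:
            alerts[host] = round(z, 1)
    return alerts

# constructed reputation feed; a real one would be a public or private blacklist
BLACKLIST = frozenset({"203.0.113.50", "198.51.100.77"})

def reputation_hits(flows, blacklist=BLACKLIST):
    """Host reputation check: (src, dst) pairs where either endpoint is on the blacklist."""
    return [(src, dst) for src, dst, _out_if, _octets in flows if src in blacklist or dst in blacklist]

def blackhole_review(flows):
    """Blackholing review: bytes per destination for flows with output interface 0 (assumed null-routed)."""
    dropped = Counter()
    for _src, dst, out_if, octets in flows:
        if out_if == 0:
            dropped[dst] += octets
    return dict(dropped)

def sample_history():
    """Constructed flows-per-interval history for three internal hosts (12 intervals each)."""
    return {
        "10.0.0.5": [100, 110, 95, 105, 100, 98, 102, 107, 99, 103, 101, 100],  # steady web server
        "10.0.0.7": [40, 42, 38, 41, 39, 40, 43, 37, 40, 41, 39, 42],           # quiet workstation
        "10.0.0.8": [5, 6, 5, 4, 5, 6, 5, 5, 4, 6, 5, 5],                       # idle host, backups at night
    }

def sample_current():
    """Constructed counts for the current interval; 10.0.0.9 has no history yet."""
    return {"10.0.0.5": 105, "10.0.0.7": 400, "10.0.0.8": 60, "10.0.0.9": 50}

def sample_flows():
    """Constructed (src, dst, output_interface, octets) tuples."""
    return [
        ("10.0.0.5", "203.0.113.50", 2, 1_200),      # talks to a blacklisted address
        ("198.51.100.9", "10.0.0.5", 0, 900_000),    # discarded at the edge (output interface 0)
        ("198.51.100.10", "10.0.0.5", 0, 300_000),   # also discarded
        ("10.0.0.7", "198.51.100.30", 3, 5_000),     # ordinary forwarded traffic
    ]

if __name__ == "__main__":
    print("NBAD alerts     :", nbad_alerts(sample_current(), sample_history()))
    print("Reputation hits :", reputation_hits(sample_flows()))
    print("Blackholed bytes:", blackhole_review(sample_flows()))
```

Keeping the baseline per host rather than network-wide is what lets a 400-flow interval on a workstation stand out while the same number on the web server would be unremarkable; the price is that every new host starts without a baseline, and the system stays silent about it until a person decides what normal looks like.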