Tuesday, 14 May 2013

Detecting Worms on the network through flow based analysis

Internet usage keeps climbing, since there is a lot of information on the internet to learn from and develop skills with. At the same time we are silently exposed to security threats from worms, port scans, DDoS attacks and misuse.

Today, enterprise networks face enormous security threats. The common ways of defending against them are a firewall and an IDS (Intrusion Detection System).

These firewalls and IDSs are signature based, so it is possible for a security threat to get past their defences. An additional technology such as flow based analytics is a valuable enhancement that can help detect the threats that slip past the firewall.

What is a Flow?

A flow is defined as a unidirectional sequence of packets (which means there are two flows for each connection: one from the initiator to the receiver, and one from the receiver to the initiator).

A flow is identified by seven key fields: source IP address, destination IP address, source port number, destination port number, protocol type, type of service, and the router input interface. Based on these seven key fields the router decides the route of a packet.

What is NetFlow?

NetFlow is a Cisco proprietary protocol which captures all the flows on the router's interfaces and sends them to an external collector for traffic analytics and security audits.

Every NetFlow record exported from the device carries several key fields: the source and destination IP address, next hop address, input and output interface number, number of packets in the flow, total bytes in the flow, the source and destination port, the protocol, ToS, source and destination AS number, and the TCP flags.

NetFlow based security analytics versus IDS:

NetFlow based security analytics is a faster approach to identifying security threats than digging through every packet on the network, which is what an IDS does.

NetFlow is very useful for zero-day or "mutant attack" detection in cases where signature-based intrusion detection systems would fail, since the flow records are exported directly from the core and edge devices. If NetFlow data is interpreted properly, it gives in-depth visibility into traffic patterns and network anomalies.

Use case scenario:

Malware sitting on a couple of PCs, or in some portion of an internal network segment, is causing a SYN flood (DoS attack). A network without a flow based traffic and security analytics tool might face a huge task in identifying this threat. For example, a network running ManageEngine NetFlow Analyzer with the ASAM module, facing the situation above, will easily find the infected system or segment and take the necessary action to remove the malware.


How does ASAM help in this situation?

Assume that the PCs or infected network segments (groups of PCs) are connected to a core layer 3 switch which is currently being monitored in NetFlow Analyzer using NetFlow export. The administrator notices a sudden huge spike on the traffic graphs for a particular port and suspects that it might be some security threat.

He now uses the ASAM module to check whether there is any threat on this particular device.
For easier analysis he uses the resource based security threat analysis. The resource based analysis snapshot shows which particular router, source network, source IP, destination network and destination IP has the highest number of events.

This snapshot helps the administrator drill down easily to the problematic network segment to find the offenders. Once the list of offender IPs is extracted, the network administrator can identify the PCs and remove the malware using an antivirus tool, or disconnect the infected PCs from the network.
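The detection and drill-down described above, as an added example that is not part of the original post and not ManageEngine code: it runs over constructed NetFlow-like records, flags sources with many half-open (SYN-only) flows as SYN flood offenders, and then rolls the events up by source network the way a resource based view would. Field layout, thresholds and addresses are all assumptions.

```python
# Added example (not NetFlow Analyzer / ASAM code): SYN flood detection from flow records.
from collections import defaultdict
from ipaddress import ip_address, ip_network

SYN, ACK = 0x02, 0x10  # TCP flag bits as exported in the NetFlow tcp_flags field

# Constructed sample records: (src, dst, sport, dport, proto, packets, bytes, tcp_flags).
# Two internal hosts each open dozens of single-packet SYN-only flows to one web server;
# the remaining records are normal completed TCP sessions and a DNS lookup.
FLOWS = [
    ("10.1.1.5", "203.0.113.10", 40000 + i, 80, 6, 1, 60, SYN) for i in range(30)
] + [
    ("10.1.1.7", "203.0.113.10", 40000 + i, 80, 6, 1, 60, SYN) for i in range(25)
] + [
    ("10.1.2.20", "203.0.113.10", 51000, 80, 6, 12, 8400, SYN | ACK),
    ("10.1.2.21", "203.0.113.20", 51001, 443, 6, 40, 30000, SYN | ACK),
    ("203.0.113.10", "10.1.2.20", 80, 51000, 6, 11, 15000, SYN | ACK),
    ("10.1.2.22", "198.51.100.53", 53000, 53, 17, 1, 70, 0),
]

def syn_only_flows(flows):
    """TCP flows whose flag union contains SYN but never ACK: the handshake never completed."""
    return [f for f in flows if f[4] == 6 and f[7] & (SYN | ACK) == SYN]

def offenders(flows, min_flows=20):
    """Sources with at least min_flows half-open flows, with the targets and ports they hit."""
    per_src = defaultdict(lambda: {"flows": 0, "dports": set(), "dsts": set()})
    for src, dst, _, dport, *_ in syn_only_flows(flows):
        s = per_src[src]
        s["flows"] += 1
        s["dports"].add(dport)
        s["dsts"].add(dst)
    return {src: s for src, s in per_src.items() if s["flows"] >= min_flows}

def events_by_network(flows, networks, min_flows=20):
    """Resource based view: half-open flow events rolled up per source network (assumed CIDRs)."""
    nets = [ip_network(n) for n in networks]
    counts = defaultdict(int)
    for src, s in offenders(flows, min_flows).items():
        for n in nets:
            if ip_address(src) in n:
                counts[str(n)] += s["flows"]
    return dict(counts)

if __name__ == "__main__":
    for src, s in offenders(FLOWS).items():
        print(f"{src}: {s['flows']} half-open flows to {sorted(s['dsts'])} port(s) {sorted(s['dports'])}")
    print(events_by_network(FLOWS, ["10.1.1.0/24", "10.1.2.0/24"]))
```

The per-network roll-up points the administrator at the 10.1.1.0/24 segment first; the per-source table then gives the individual offender IPs to clean up or disconnect.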

You can download the 30 day trial of ManageEngine NetFlow Analyzer from here.

Reach us on Facebook at NetFlow Analyzer TAC

Catch up with the latest updates in the industry, through our LinkedIn community Bandwidth Monitoring and Traffic Analysis for Enterprises

Praveen Kumar
NetFlow Analyzer Technical Team
