Botnets - The killer web applications

Solutions Fast Track

Abuse
- An abuse e-mail list can help you learn about malware at your own site.
- The global registry WHOIS mechanism can help you learn who to contact at other sites.
- Spam from your site can cause your site to be blacklisted.
- Be wary of open proxies in general, and note that they can be the side effect of a malware infection.
www.syngress.com
208
Chapter 5 • Botnet Detection: Tools and Techniques
427_Botnet_05.qxd 1/9/07 9:59 AM Page 208


Network Infrastructure: Tools and Techniques
- Switches can have port-mirroring features that let you send copies of packets to a sniffer.
- A hub can be a “low-rez” solution if you want to do sniffing when packet counts are low.
- Tcpdump and Wireshark are open-source sniffers.
- If you find a bot client with a sniffer, remember to also watch any suspicious external hosts talking to the bot client. Such a host could be a bot server, and you might see it connecting to other local hosts.
- SNMP data graphed with RRDTOOL can be very useful for spotting DoS attacks visually.
- SNMP on all switch ports could help you track down an interior DoS attack through a switch hierarchy, especially if a spoofed IP source address is being used or other monitoring gear has been knocked offline by the DoS attack.
- Netflow tools include open-source tools like flow-tools and Silktools.
- Netflow data is more compact than packets and can give you a log of recent network activity.
- Stored netflow data can be useful for searching when you have an explicit search target such as a suspicious IP address.
- Netflow can be used to see DoS attacks and scanning as well as more conventional traffic monitoring.
- Firewall ACL logs can alert you to hosts on the inside that have been hacked.
- Firewalls should block port 25 for hosts using DHCP. Those hosts should send e-mail to a local mail server (which could filter the e-mail for viruses). This helps reduce the incidents of malware sending spam outward from the enterprise.
- Firewalls should at a minimum block Microsoft File Share ports such as 135-139 and 445 as well as SQL ports 1433 and 1434.
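The netflow points above (spotting scanning, spotting DoS floods, and searching stored flows for a suspicious IP) put together as an added example that is not from the book or from flow-tools/SiLK: the record layout and the sample flows are constructed for this illustration, and the thresholds are arbitrary tuning values.

```python
from collections import defaultdict

# Constructed sample in a simplified layout (not real flow-tools output):
# "src_ip dst_ip proto src_port dst_port packets bytes", one flow per line.
SAMPLE_FLOWS = """\
10.0.5.17 192.0.2.10 6 40213 80 9 4500
10.0.5.17 192.0.2.10 6 40214 443 12 8100
10.0.5.44 10.0.1.3 6 51000 135 1 60
10.0.5.44 10.0.1.4 6 51001 135 1 60
10.0.5.44 10.0.1.5 6 51002 445 1 60
10.0.5.44 10.0.1.6 6 51003 445 1 60
10.0.5.44 10.0.1.7 6 51004 1433 1 60
198.51.100.7 10.0.5.44 6 6667 49152 30 2400
10.0.6.1 10.0.1.3 17 1000 53 1 80
10.0.6.2 10.0.1.3 17 1001 53 1 80
10.0.6.3 10.0.1.3 17 1002 53 1 80
10.0.6.4 10.0.1.3 17 1003 53 1 80
"""

def parse_flows(text):
    """Parse whitespace-separated flow records into dicts; skip blanks and '#' comments."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, proto, sport, dport, pkts, byts = line.split()
        flows.append({"src": src, "dst": dst, "proto": int(proto), "sport": int(sport),
                      "dport": int(dport), "packets": int(pkts), "bytes": int(byts)})
    return flows

def find_scanners(flows, min_targets=4):
    """Sources that touched at least min_targets distinct (dst, dport) pairs with tiny flows."""
    targets = defaultdict(set)
    for f in flows:
        if f["packets"] <= 2:          # probes rarely complete a conversation
            targets[f["src"]].add((f["dst"], f["dport"]))
    return sorted(s for s, t in targets.items() if len(t) >= min_targets)

def find_dos_targets(flows, min_sources=4):
    """Destinations hit by at least min_sources distinct sources (flood pattern)."""
    sources = defaultdict(set)
    for f in flows:
        sources[f["dst"]].add(f["src"])
    return sorted(d for d, s in sources.items() if len(s) >= min_sources)

def flows_with_ip(flows, ip):
    """Explicit search target: every stored flow where ip is the source or destination."""
    return [f for f in flows if ip in (f["src"], f["dst"])]
```

In the sample, the scanner report points at 10.0.5.44, and searching the flows for the external host that talked to it (198.51.100.7, port 6667) shows the kind of follow-up the chapter recommends once a bot client is found.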
