427 Botnet fm qxd

payload that exploited a SQL server and created a fearsome Internetwide flash
storm in just a few minutes.
Here we are going to briefly look at two ourmon facilities for watching
for UDP anomalies.The first is the 
UDP port report
, which, like the TCP port
report, is collected every 30 seconds. On the main Web page, the UDP port
report is called 
udpreport.txt
.The second UDP facility is the RRDTOOL-
based 
UDP weight graph,
and it is called the 
top udpreport weight graph
on the
main Web page.There is no UDP summarization at this time. In Chapter 9
we will tie UDP anomalies to the event log and ourmon’s automated packet
capture feature, so we will return to the UDP case history that we present
here one more time. For reference purposes, let’s call this “Case Study #5:
UDP Scan.”
First let’s look at one example of a UDP-based DOS attack that is coming
from the outside.There are a number of ways that we might spot that this
attack happened, including looking at the ourmon system event log, or per-
haps looking at the fundamental packets graph (as in Case Study #1) because
it is often the case that a well-connected host can put a spike in that graph, or
as in this case we could look at our UDP weight graph itself.The UDP
weight graph gives us an RRDTOOL picture of recent UDP anomalies.
You’ll note that in Figure 7.4 there was a large spike at 12:40 or so during
the previous day.
The UDP weight graph graphs a metric called the 
UDP work weight
. So as
with TCP and its port report, there is also a UDP port report and per IP host
UDP work weight. In the UDP port report, for each UDP host address we
compute a UDP work weight based on a 30-second packet count.The work
weight is computed more or less as follows:
UDP ww = UDP packets sent * ICMP errors returned

Download 6,98 Mb.

Do'stlaringiz bilan baham: