Botnets - The killer web applications

www.syngress.com
Advanced Ourmon Techniques • Chapter 9
317
427_Botnet_09.qxd 1/8/07 4:45 PM Page 317


RRDTOOL graph that shows the total number of packets seen by the probe and the operating system buffer drops, which are packets that did not get to the probe. Drops may occur because the system is doing too much work. This could be because the NIC interrupt system and CPU are just not fast enough to get the job done. The name here might be said to be a misnomer. We obviously cannot store dropped packets. However, the name refers to the trigger threshold. Because the pcap library can count dropped packets even though they are not stored, we choose to trigger on a drop threshold. If our probe is not dropping packets, or at least is dropping packets in a regular way, we can choose to make it try to store packets when something really big comes along—and something big might be a botnet-related DoS attack. So the threshold is the RRDTOOL current drop value in the associated packets graph. Our config language is as follows:

# drop packets event trigger - this is in pkts/sec
drop_trigger 20000 40000 /usr/dumps

This means that if we are dropping 20,000 packets per second or more, we store 40,000 packets in the output file. The output file format is as follows:

drops..dmp

It is counterintuitive that this particular trigger might actually work. It has worked on some occasions, and on some occasions it has failed. This is because, in general, triggers work better if they are looking for something that is well defined in the packet stream. The tworm and UDP triggers both have a better logical signal-to-noise ratio, which in this case means that the packets stored are more likely to be what has caused the trigger threshold to be exceeded. If you see a lot of packets per second in your network and you store them all, you might not be able to find what caused the problem. So, it is better if the answer more closely approximates the problem. In the case of the drops trigger, this is not necessarily the case, because there is no filtering at all. Any packet seen is stored. However, if there is a very large DoS attack, it is quite possible that all the packets actually seen by the probe will only be DoS packets. In fact, the bigger the DoS attack, the more likely this outcome becomes. In the next section we will look at some actual examples of this trigger system at work and learn how to analyze the outputs.
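As an added illustration (not ourmon's own code), the following script parses the drop_trigger line shown above and simulates the trigger against constructed per-second traffic samples. It models the two points the text makes: the pcap drop counter only arms the trigger (dropped packets themselves are never stored), and the packets then stored are unfiltered, so their usefulness depends on how much of the stream the flood makes up. The sample traffic, the DropTrigger class and both functions are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed copy of the chapter's drop_trigger config line; the parser and
# simulator below are an added illustration, not ourmon's own code.
CONFIG = """
# drop packets event trigger - this is in pkts/sec
drop_trigger 20000 40000 /usr/dumps
"""

@dataclass
class DropTrigger:
    drop_threshold: int  # pcap/OS drops per second that arm the trigger
    store_count: int     # packets to write once the trigger fires
    dump_dir: str        # directory that receives the drops dump file

def parse_drop_trigger(text):
    """Return the first drop_trigger line in an ourmon-style config, or None."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # '#' starts a comment
        m = re.fullmatch(r"drop_trigger\s+(\d+)\s+(\d+)\s+(\S+)", line)
        if m:
            return DropTrigger(int(m.group(1)), int(m.group(2)), m.group(3))
    return None

def run_trigger(trigger, samples):
    """samples: per-second tuples (drops, packets_seen, dos_pct).
    Drops are counted by pcap but can never be stored; once drops reach the
    threshold, the next store_count packets that DO reach the probe are
    written with no filtering. Returns (fire_second, stored, stored_dos)
    or None if the trigger never fires."""
    fired_at, stored, stored_dos = None, 0, 0
    for t, (drops, seen, dos_pct) in enumerate(samples):
        if fired_at is None:
            if drops < trigger.drop_threshold:
                continue                           # regular drops: no event
            fired_at = t
        take = min(trigger.store_count - stored, seen)
        stored += take
        stored_dos += take * dos_pct // 100        # unfiltered: DoS share of stream
        if stored >= trigger.store_count:
            break
    return None if fired_at is None else (fired_at, stored, stored_dos)

# Constructed traffic: (drops/sec, packets seen/sec, % of stream that is DoS).
QUIET = [(300, 30000, 0)] * 5                   # regular, low-level drops only
SMALL_FLOOD = QUIET[:2] + [(21000, 60000, 30)]  # barely trips it; noisy capture
BIG_FLOOD = QUIET[:2] + [(90000, 150000, 95)]   # flood dominates what is seen
```

With the chapter's thresholds, QUIET never fires, SMALL_FLOOD stores 40,000 packets of which only 12,000 are attack traffic, and BIG_FLOOD stores 40,000 of which 38,000 are, which is the signal-to-noise effect the text describes.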
