Botnets - The killer web applications

www.syngress.com
Botnet Detection: Tools and Techniques • Chapter 5
143
427_Botnet_05.qxd 1/9/07 9:59 AM Page 143


SNMP
In Figures 5.2 and 5.3 we show two examples of DoS attacks as captured with an open-source SNMP tool called Cricket (see http://cricket.sourceforge.net). Cricket uses RRDTOOL to make graphs (see http://oss.oetiker.ch/rrdtool/rrdworld/ for other possible tools that use RRDTOOL). Figure 5.2 graphs an SNMP MIB variable that shows router CPU utilization. This is an integer variable that varies from 0 to 100 percent, the latter of which means that the CPU utilization is very high. This router is “having a bad day” due to a DoS attack that has forced its CPU utilization to be astronomical for a long period of time. This can impact the router’s performance in many ways, including damaging your ability to log into it as an administrator, reducing its ability to route, and possibly damaging its ability to respond to SNMP probes from SNMP managers trying to learn about the attack. Note that the attack went on for at least 12 hours and was finally caught and eliminated. You can see that the load finally dropped drastically around noon.
Figure 5.3 shows a switch port graph. Here the SNMP system is graphing bytes in and bytes out from a given switch port hooked up to a single host. Graphing input and output (of bytes or packets) is probably the most traditional SNMP measurement of all. Here a host has been hacked and has launched a DoS attack outward bound. We know it is outward bound because this graph is taken from the switch’s point of view. For the switch, “in” means “out from the host” because traffic is coming into the switch port. Probably this host only has a 100 megabit Ethernet card; otherwise, the DoS attack would have been worse. (But it is still pretty bad.) A router CPU utilization graph, of course, does not tell which host launched the attack. But the correct switch port graph is a pretty useful giveaway. If nothing else, you can physically or remotely access the switch and disable the switch port.
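The two graphs described above can be reduced to a simple detector. The following is an added example, not code from the book or from Cricket: it takes constructed samples of the router CPU MIB variable and of a switch port's ifInOctets counter (both polled at Cricket's usual 5-minute interval, an assumption), converts the octet counter to bit/s while handling Counter32 wraparound, and flags the two sustained patterns the text describes. The thresholds and sample values are constructed for illustration.

```python
"""Flag a pegged router CPU and a host saturating its 100 Mbit uplink
from SNMP poll data (constructed samples; not the book's own code)."""

COUNTER32_MAX = 2 ** 32        # ifInOctets is a Counter32 and wraps at 2^32
POLL_INTERVAL_S = 300          # assumed 5-minute Cricket poll interval

def octet_rate_bps(prev, cur, interval_s=POLL_INTERVAL_S):
    """Bit/s between two Counter32 samples, correcting for wraparound.
    At ~100 Mbit/s a Counter32 wraps roughly every 343 s, so a 5-minute
    poll sees a smaller 'current' value and must add back 2^32."""
    delta = (cur - prev) % COUNTER32_MAX
    return delta * 8 / interval_s

def longest_run_at_or_above(series, threshold):
    """(start_index, length) of the longest run of consecutive samples
    that are >= threshold; (None, 0) if no sample reaches it."""
    best, start = (None, 0), None
    for i, value in enumerate(series):
        if value >= threshold:
            start = i if start is None else start
            if i - start + 1 > best[1]:
                best = (start, i - start + 1)
        else:
            start = None
    return best

def flag_router_cpu(cpu_percent, threshold=90, min_samples=12):
    """Router CPU held at or above threshold for >= min_samples polls."""
    start, length = longest_run_at_or_above(cpu_percent, threshold)
    return (start, length) if length >= min_samples else None

def flag_host_flood(in_octets, link_bps=100_000_000, fraction=0.9, min_samples=3):
    """Switch-port 'in' (= out from the attached host) near link speed
    for >= min_samples consecutive intervals. Returns (start, length)."""
    rates = [octet_rate_bps(a, b) for a, b in zip(in_octets, in_octets[1:])]
    start, length = longest_run_at_or_above(rates, link_bps * fraction)
    return (start, length) if length >= min_samples else None

# Constructed data: hourly CPU percent with a 13-hour plateau at 97%.
ROUTER_CPU_PERCENT = [8, 12, 10] + [97] * 13 + [15, 9]
# Constructed ifInOctets: idle, then three intervals at 95 Mbit/s
# (3,562,500,000 octets each, so the counter wraps every interval), then idle.
SWITCH_PORT_IN_OCTETS = [4_000_000_000, 4_001_000_000, 3_268_532_704,
                         2_536_065_408, 1_803_598_112, 1_804_598_112]

if __name__ == "__main__":
    print("router CPU pegged (start, polls):", flag_router_cpu(ROUTER_CPU_PERCENT))
    print("host flooding uplink (start, polls):", flag_host_flood(SWITCH_PORT_IN_OCTETS))
```

Without the modulo in `octet_rate_bps`, the second and later flood intervals would compute as negative rates, which is exactly the spurious dip a naive RRD graph shows when a Counter32 wraps between polls.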
