Botnets - The Killer Web Applications
www.syngress.com
144
Chapter 5 • Botnet Detection: Tools and Techniques
427_Botnet_05.qxd 1/9/07 9:59 AM Page 144


Figure 5.2: DoS Attack: Cricket/SNMP Router CPU Utilization

Figure 5.3: DoS Attack: Cricket/SNMP Graph of Single Host Traffic
SNMP setup pretty much follows our discussion about probes and analysis boxes in the previous section. Cricket runs on a collection (analysis) box and probes switches and routers with SNMP requests every 5 minutes. Results are made available on the Web as graphs. Information is baselined over a year. As a tool, Cricket has a nice setup that is object-oriented in terms of configuration commands. This allows bits of configuration that are more global to be easily applied to subsets of switch or router hosts.


In practice, it is a very good idea to put every router or switch port in an enterprise (and every router or switch that has an SNMP CPU utilization variable) into your SNMP configuration. As a result, by looking at graphs like those produced by Cricket, you might be able to actually *find* an internal attacking host. Sometimes the problem with an attack is that if you do not have other sources of information, you may not know the IP address of the attacker. (Netflow or ourmon in the next chapter might help here, but large DoS attacks can put some tools out of commission.) Worse, you might also not know where the attacking host is physically located. In extreme cases, network engineers have had to chase hosts down through a hierarchy of switches in wiring closets using a sniffer. Sometimes SNMP-based tools might be able to extract configuration labels from network interfaces in switches and routers and display them with the relevant graph. Thus labeling interfaces in switches and routers with location information, IP addresses, or DNS names can be extremely useful in a crisis situation. This is especially important when you have a DoS attack, as in Figure 5.3. If this attack is headed out to the Internet, it can easily plug up a more external WAN circuit because WAN circuits typically have less bandwidth than internal Ethernet NICs. A host with a gigabit NIC launching an outbound attack is both very possible and very traumatic for both you and any upstream ISP.
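The following is an added example, not code from the book or from the Cricket project, showing how 5-minute SNMP samples can be turned into per-interface rates, compared against a baseline, and reported together with the operator-assigned interface label so that the offending port and its physical location are found quickly. The interface names, labels, baseline values and current samples are all constructed for illustration; a real deployment would read them from the SNMP poller's stored history and from the switch's interface description (ifAlias) field.

```python
"""Added example: flag interfaces whose current SNMP sample is far above
their baseline and print the location label for each one.
All interface names, labels and numbers below are constructed."""
from statistics import mean, pstdev

POLL_INTERVAL_S = 300  # Cricket-style 5-minute polling interval

# Constructed baseline: previous bytes/sec samples per interface (CPU in %).
# A real baseline would come from the poller's stored history.
BASELINE = {
    "sw-closet-3/Gi1/0/12": [1.2e5, 1.5e5, 1.1e5, 1.4e5, 1.3e5, 1.2e5],
    "sw-closet-3/Gi1/0/13": [2.0e5, 2.2e5, 1.9e5, 2.1e5, 2.0e5, 2.1e5],
    "rtr-core/cpu": [12, 15, 11, 14, 13, 12],
}

# Constructed interface labels, in the style the text recommends
# (location, IP address, DNS name), as an operator might set in ifAlias.
IF_LABELS = {
    "sw-closet-3/Gi1/0/12": "Bldg B room 214 - lab-ws07 10.20.3.57",
    "sw-closet-3/Gi1/0/13": "Bldg B room 215 - printer 10.20.3.60",
    "rtr-core/cpu": "core router CPU utilization %",
}

# Constructed "current" samples: Gi1/0/12 is pushing ~760 Mbit/s outbound
# and the core router CPU is pegged, which is what Figures 5.2/5.3 depict.
CURRENT_SAMPLES = {
    "sw-closet-3/Gi1/0/12": 9.5e7,
    "sw-closet-3/Gi1/0/13": 2.05e5,
    "rtr-core/cpu": 95,
}


def rate_from_counters(prev_octets, cur_octets,
                       interval_s=POLL_INTERVAL_S, counter_bits=32):
    """Convert two successive SNMP octet counter readings into bytes/sec.

    SNMP ifInOctets/ifOutOctets are 32-bit counters that wrap; the wrap
    is detected as a negative delta and corrected.
    """
    delta = cur_octets - prev_octets
    if delta < 0:
        delta += 1 << counter_bits
    return delta / interval_s


def zscore(value, history):
    """How many standard deviations `value` sits above the baseline mean."""
    mu = mean(history)
    sigma = pstdev(history)
    if sigma == 0:
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sigma


def flag_anomalies(samples, baseline=BASELINE, labels=IF_LABELS, threshold=4.0):
    """Return (interface, label, value, z) for every sample above threshold."""
    flagged = []
    for iface, value in samples.items():
        z = zscore(value, baseline[iface])
        if z > threshold:
            flagged.append((iface, labels.get(iface, "(unlabeled)"), value, round(z, 1)))
    return flagged


if __name__ == "__main__":
    for iface, label, value, z in flag_anomalies(CURRENT_SAMPLES):
        print(f"{iface}: {value:g} (z={z}) -> {label}")
```

The z-score threshold is deliberately crude; the point is that once every port is polled and labeled, the alert itself tells you which wiring closet to walk to.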
Netflow
SNMP tools might only give you information about the amount of traffic in your network and not tell you anything much about either traffic types or IP network-to-network traffic flows. As a result, other tools such as netflow can be used to peer more deeply into the net to deduce busy networks and to do protocol analysis. Netflow was originally designed by Cisco as a router-speedup mechanism. Later it became an industry standard for network monitoring and is useful for analyzing routing (BGP/AS traffic matrixing) as well as IP network-to-network traffic. As with SNMP, a network-monitoring tool can be used to detect anomalies such as DoS attacks. Furthermore, because netflow data includes IP addresses and ports, it can be used to look for scanning attacks.
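As an added example (not from the book, and not any netflow collector's own code), the two heuristics the paragraph mentions, scan detection and DoS detection, can be run over one-way flow records. The flow fields used here (source/destination IP, ports, protocol, packet and octet counts) are an assumption about a typical flow tuple rather than the book's definition, and every record is constructed in the code.

```python
"""Added example: scanning and DoS heuristics over one-way flow records.
The Flow fields are assumed, and all records are constructed."""
from collections import defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int
    proto: int      # 6 = TCP, 17 = UDP
    packets: int
    octets: int


def constructed_flows():
    """A 5-minute window of made-up flows: normal browsing, an SMB scan,
    and a UDP flood from one internal host to an external target."""
    flows = [
        Flow("10.20.3.10", "203.0.113.5", 51234, 443, 6, 40, 52000),
        Flow("10.20.3.11", "203.0.113.9", 51900, 80, 6, 25, 18000),
    ]
    # Scanner: one packet to port 445 on each of 40 hosts, no session.
    for i in range(1, 41):
        flows.append(Flow("10.20.3.57", f"10.30.0.{i}", 40000 + i, 445, 6, 1, 60))
    # Flood: 200 flows of 5000 packets each toward one destination.
    for i in range(200):
        flows.append(Flow("10.20.3.99", "198.51.100.7", 1024 + i, 53, 17, 5000, 6_400_000))
    return flows


def find_scanners(flows, min_targets=20, max_packets=2):
    """Sources that touch many distinct (dst, dport) pairs with tiny flows.

    A scan shows up as many flows of one or two packets each (a SYN or a
    single UDP probe), fanning out across hosts or ports.
    """
    targets = defaultdict(set)
    for f in flows:
        if f.packets <= max_packets:
            targets[f.src].add((f.dst, f.dport))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def find_dos_targets(flows, window_s=300, min_pps=1000):
    """Destinations receiving more than min_pps packets/sec in the window.

    Returns {dst: {"pps": float, "sources": int}} so the responder sees
    both the rate and how many distinct sources contribute to it.
    """
    packets = defaultdict(int)
    sources = defaultdict(set)
    for f in flows:
        packets[f.dst] += f.packets
        sources[f.dst].add(f.src)
    return {
        dst: {"pps": packets[dst] / window_s, "sources": len(sources[dst])}
        for dst in packets
        if packets[dst] / window_s >= min_pps
    }


if __name__ == "__main__":
    flows = constructed_flows()
    print("scanners:", find_scanners(flows))
    print("DoS targets:", find_dos_targets(flows))
```

Both functions key on what SNMP counters cannot show: the scan is invisible in byte graphs because each probe is tiny, and the flood is attributable to a source address only because the flow records carry one.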
Netflow has many formats at this point, but traditionally a flow is more or less defined as a one-way data tuple consisting of the following: IP source and

Download 6,98 Mb.

Do'stlaringiz bilan baham:
1   ...   114   115   116   117   118   119   120   121   ...   387




Ma'lumotlar bazasi mualliflik huquqi bilan himoyalangan ©hozir.org 2024
ma'muriyatiga murojaat qiling

kiriting | ro'yxatdan o'tish
    Bosh sahifa
юртда тантана
Боғда битган
Бугун юртда
Эшитганлар жилманглар
Эшитмадим деманглар
битган бодомлар
Yangiariq tumani
qitish marakazi
Raqamli texnologiyalar
ilishida muhokamadan
tasdiqqa tavsiya
tavsiya etilgan
iqtisodiyot kafedrasi
steiermarkischen landesregierung
asarlaringizni yuboring
o'zingizning asarlaringizni
Iltimos faqat
faqat o'zingizning
steierm rkischen
landesregierung fachabteilung
rkischen landesregierung
hamshira loyihasi
loyihasi mavsum
faolyatining oqibatlari
asosiy adabiyotlar
fakulteti ahborot
ahborot havfsizligi
havfsizligi kafedrasi
fanidan bo’yicha
fakulteti iqtisodiyot
boshqaruv fakulteti
chiqarishda boshqaruv
ishlab chiqarishda
iqtisodiyot fakultet
multiservis tarmoqlari
fanidan asosiy
Uzbek fanidan
mavzulari potok
asosidagi multiservis
'aliyyil a'ziym
billahil 'aliyyil
illaa billahil
quvvata illaa
falah' deganida
Kompyuter savodxonligi
bo’yicha mustaqil
'alal falah'
Hayya 'alal
'alas soloh
Hayya 'alas
mavsum boyicha


yuklab olish