427 Botnet fm qxd

Case Studies: Things 
That Go Bump in the Night
Before we take the plunge and give an overview of ourmon’s architecture,
let’s first present four real-world case studies that we will reinforce as we go
along. Here we will just briefly present some ourmon outputs in the form of
reports or Web graphs and discuss them a little bit. Don’t worry if you don’t
get all the details here. First let’s understand the big picture and details will
emerge in later chapters. Each case study has a short name tag to go with it
and there are four in all. One thing to point out is that all these cases are
botnet related. We should also point out that all four cases have been collected
from the Portland State University network. PSU currently has about 10,000
Ethernet switch ports with 26,000 students and faculty and a gigabit connec-
tion to the Internet. It’s a large network and can be said to be typical of larger
enterprise networks.
Case Study #1: DDoS 
(Distributed Denial of Service)
Ourmon uses graphics based on Tobias Oetiker’s popular RRDtool system
(http://oss.oetiker.ch/rrdtool). Figure 6.1 shows a typical RRDtool graph
used in ourmon. In this case, the graph (or 
filter 
in ourmon lingo) is called the
pkts filter,
which shows how many packets per second (pps) the ourmon
system is processing. It also shows whether the operating system and ourmon
collection system are dropping packets.The system will drop packets when
there is too much work to do and not enough time. In this case, we are not
dropping packets. We see a daily 
stripchart,
where the current time (now) is on
the right-hand side and “moves” left based on ourmon’s cycle time of 30 sec-
onds. In other words, the graph is updated twice a minute. Essentially, this is a
normal graph and shows PSU’s normal daily traffic with an early afternoon
peak of 60k pps.

Download 6,98 Mb.

Do'stlaringiz bilan baham: