Botnets - The killer web applications

www.syngress.com
220
Chapter 6 • Ourmon: Overview and Installation
427_Botnet_06.qxd 1/8/07 3:14 PM Page 220


Figure 6.1 Normal Traffic—Pkts Filter
It is important to understand what is normal in order to understand what is abnormal. You need to observe your ourmon graphs and data daily and over time build up some idea of what is normal. Then you will be able to spot anomalies.
In Figure 6.2 we see a very abnormal version of the pkts filter. This is a DDoS attack. Keep in mind that there are thousands of hosts contributing to this graph. However, it is also possible for one host to put a spike in the graph with a DoS attack.

If you were the head network engineer and you looked at this graph, you might reach for the aspirin. There’s an anomaly now. Hopefully, you can spot it! Instead of the daily peak of 60,000 pps, apparently 870,000 pps have decided to show up for a brief time. The theoretical maximum for a gigabit Ethernet connection for 64-byte (minimum size) packets is on the order of 1.4 million pps. This is close enough to line rate (and bad). Ourmon and some human intelligence eventually got to the bottom of this attack. Apparently a student on campus was having a dispute with another person external to campus. The other person used a botnet to stage a multiple-system, large DoS attack on the PSU student’s IP host (and on port 22, the ssh port) for “revenge.” Many hosts (1000s) sent small TCP SYN packets to one PSU host. A botnet was used as the attack vehicle. This attack and similar attacks have damaged network services on campus at times in various ways. It is often the case that a DDoS attack will do damage to innocent parties by perhaps clogging up the Internet connection or causing network equipment to crash or suffer degraded performance. In fact, this attack caused ourmon to more or less stop during the attack because all the operating system could do was drop packets. The lesson here is that botnets can cause serious resource problems. We will return to this case study in Chapter 9 when we give some advanced techniques for interpreting ourmon data. One important lesson here: A remote DDoS attack via a botnet may take your network (or your network instrumentation) off the air.
Figure 6.2 External DDoS Attack
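The two numbers the case study turns on are the line-rate ceiling for minimum-size frames and a baseline of what "normal" pps looks like. The following is an added example, not code from the book or from the ourmon project: it computes the gigabit ceiling (about 1.49 million pps, the figure the chapter puts on the order of 1.4 million) and flags pkts-filter samples that stand out against a daily baseline. The sample counters are constructed for illustration.

```python
"""Added example: a small pkts-filter sanity check built from the chapter's
numbers. Not part of ourmon; the sample counters below are constructed."""

# Per-frame cost on the wire, in bytes: the frame plus the 8-byte
# preamble/SFD and the 12-byte inter-frame gap the link still pays for.
PREAMBLE_SFD = 8
IFG = 12


def max_pps(link_bps: int, frame_bytes: int = 64) -> float:
    """Theoretical packets-per-second ceiling for a link at one frame size."""
    bits_per_frame = (frame_bytes + PREAMBLE_SFD + IFG) * 8
    return link_bps / bits_per_frame


def flag_anomalies(samples, baseline_peak, link_bps=1_000_000_000,
                   ratio=5.0, line_rate_fraction=0.5):
    """Return (timestamp, pps, reason) for samples that look like Figure 6.2.

    samples            : iterable of (timestamp, pps) from the pkts filter
    baseline_peak      : daily peak observed over a period of normal traffic
    ratio              : flag when pps exceeds this multiple of the baseline
    line_rate_fraction : flag when pps approaches the link's pps ceiling
    """
    ceiling = max_pps(link_bps)
    flagged = []
    for ts, pps in samples:
        if pps >= line_rate_fraction * ceiling:
            flagged.append((ts, pps, "near line rate"))
        elif pps >= ratio * baseline_peak:
            flagged.append((ts, pps, "exceeds baseline"))
    return flagged


# Constructed counters: a normal day peaking near 60,000 pps, then the kind
# of spike the chapter describes (870,000 pps), then recovery.
SAMPLE_PPS = [
    ("08:00", 22_000), ("10:00", 58_000), ("12:00", 60_000),
    ("14:00", 870_000), ("14:05", 410_000), ("14:10", 61_000),
]

if __name__ == "__main__":
    print(f"gigabit ceiling at 64-byte frames: {max_pps(1_000_000_000):,.0f} pps")
    for ts, pps, why in flag_anomalies(SAMPLE_PPS, baseline_peak=60_000):
        print(f"{ts}: {pps:,} pps ({why})")
```

The thresholds (5x the baseline peak, half of line rate) are assumptions to be tuned against your own graphs; the point is that the baseline has to come from days of normal observation, exactly as the chapter says.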
Case Study #2: External Parallel Scan
In the next chapter (Chapter 7), we will talk about some fundamental tools that ourmon uses to detect anomalies of various kinds. These include scan detection tools. In Figure 6.3 we see a picture of a particular ourmon feature called the worm graph that graphs the number of internal (home subnet) or external network “worms.” A “worm,” in this case, doesn’t really mean hosts having viruses. It more or less means hosts exhibiting behavior you might expect from a worm. In ourmon, a host that scans is said to be wormy. We