Botnets - The killer web applications

www.syngress.com
Botnet Detection: Tools and Techniques • Chapter 5
147
427_Botnet_05.qxd 1/9/07 9:59 AM Page 147


There is a lot of information on the Internet about netflow tools. You need only visit www.cisco.com and search on netflow to find voluminous information. In addition to information on Cisco, we include a tip section as a suggestion for places to look for more netflow tools and information.

TIP
Silk tools: http://silktools.sourceforge.net
Flow tools: www.splintered.net/sw/flow-tools
Dave Plonka's RRDTOOL-based FlowScan tool (other tools, too): http://net.doit.wisc.edu/~plonka/packages.html
FlowScan in action at UW-Madison: wwwstats.net.wisc.edu
Paper by Jana Dunn (2001) about security applications of netflow: www.sans.org/reading_room/whitepapers/commerical/778.php
Security-oriented tutorial to netflow by Yiming Gong (2004) in two sections: www.securityfocus.com/infocus/1796 and www.securityfocus.com/infocus/1802
Firewalls and Logging 
During the Blaster and Welchia worm outbreaks, the first signs of the outbreak were not picked up by our AV tools; rather, they were noticed in the firewall logs. The outbound traffic from these worms trying to recruit others was blocked and recorded by the firewall. In our daily examination of the previous night's traffic, we noted a dramatic increase in the number of blocked messages, all on the same port. Because the information security profession had recently warned about the potential vulnerabilities, we knew exactly what it was as soon as we saw it. It was several days before our AV product began to detect the worm. The point is that firewall logs can be very useful in spotting infected hosts, especially when you are denying bad things from getting in or out. I am not a lawyer, but since there are firewalls to fit every size organization and budget, not having one is probably grounds for claims of negligence. This is the modern-day equivalent of a tug boat operator whose tug sank because he didn't purchase a weather radio even after all of his colleagues had bought one. The argument of "having a high-speed pipe
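The daily review described above, a dramatic rise in blocked outbound connections that all land on one destination port, is easy to automate. The script below is an added example and is not code from the book or from any firewall vendor. It assumes a netfilter/iptables-style syslog DROP line format (IN=, OUT=, SRC=, DST=, PROTO=, SPT=, DPT= fields), that the inside interface is named eth1, and a constructed baseline of the previous night's counts; the log lines it consumes are constructed here, not real captures. It counts outbound drops per (protocol, port), records which internal hosts generated them, and flags any port whose volume jumped well past its baseline so the analyst sees both the port and the likely infected sources.

```python
import re
from collections import Counter, defaultdict

# Assumed syslog format for a netfilter DROP record (example assumption, not a
# standard mandated by the book). The SPT/DPT group is optional so that ICMP
# records without ports parse without error and are simply skipped.
LINE_RE = re.compile(
    r"DROP IN=(?P<in>\S*) OUT=(?P<out>\S*) SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=(?P<proto>\w+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

# Constructed baseline: blocked outbound hits per (proto, port) from the
# previous night's review. Values are invented for the example.
BASELINE = {("TCP", 135): 3, ("UDP", 137): 2, ("TCP", 25): 1}


def build_sample_log():
    """Build a constructed night of DROP records (not real traffic)."""
    lines = []
    # A little background noise on assorted ports from ordinary hosts.
    noise = [("10.0.5.40", "UDP", 137), ("10.0.5.41", "TCP", 25),
             ("10.0.5.42", "TCP", 445), ("10.0.5.40", "UDP", 137)]
    for i, (src, proto, dpt) in enumerate(noise):
        lines.append(f"Aug 12 01:{i:02d}:00 fw kernel: DROP IN=eth1 OUT=eth0 "
                     f"SRC={src} DST=203.0.113.{10 + i} PROTO={proto} "
                     f"SPT={40000 + i} DPT={dpt}")
    # Three worm-like hosts trying many outside addresses on TCP/135.
    for host in ("10.0.5.23", "10.0.7.118", "10.0.9.4"):
        for n in range(60):
            lines.append(f"Aug 12 02:{n:02d}:{n:02d} fw kernel: DROP IN=eth1 OUT=eth0 "
                         f"SRC={host} DST=198.51.100.{n + 1} PROTO=TCP "
                         f"SPT={3000 + n} DPT=135")
    # An inbound drop (arrives on eth0) and an ICMP drop: both must be ignored.
    lines.append("Aug 12 03:00:00 fw kernel: DROP IN=eth0 OUT=eth1 SRC=192.0.2.9 "
                 "DST=10.0.5.23 PROTO=TCP SPT=5555 DPT=135")
    lines.append("Aug 12 03:00:01 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.5.50 "
                 "DST=203.0.113.99 PROTO=ICMP TYPE=8 CODE=0")
    return "\n".join(lines)


def parse_drops(text):
    """Yield (src, proto, dst_port, in_iface) for every DROP line with a port."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("dpt"):
            yield m.group("src"), m.group("proto"), int(m.group("dpt")), m.group("in")


def outbound_drops_by_port(text, inside_iface="eth1"):
    """Count blocked outbound hits per (proto, port) and the inside hosts behind them."""
    hits = Counter()
    sources = defaultdict(set)
    for src, proto, dpt, iface in parse_drops(text):
        if iface != inside_iface:
            continue  # inbound blocks are a different story; keep outbound only
        key = (proto, dpt)
        hits[key] += 1
        sources[key].add(src)
    return hits, sources


def flag_spikes(current, baseline, factor=10, min_hits=50):
    """Return ports whose count is at least `factor` times last night's and above a floor."""
    flagged = {}
    for key, count in current.items():
        base = baseline.get(key, 0)
        if count >= min_hits and count >= factor * max(base, 1):
            flagged[key] = count
    return flagged


def report(text, baseline=BASELINE):
    """Produce one summary line per flagged port, listing the internal sources."""
    hits, sources = outbound_drops_by_port(text)
    out = []
    for (proto, port), count in sorted(flag_spikes(hits, baseline).items()):
        hosts = ", ".join(sorted(sources[(proto, port)]))
        out.append(f"{proto}/{port}: {count} blocked outbound "
                   f"(baseline {baseline.get((proto, port), 0)}) from {hosts}")
    return out


if __name__ == "__main__":
    for line in report(build_sample_log()):
        print(line)
```

The threshold is deliberately two-sided: a floor of absolute hits keeps a port that went from zero to five from paging anyone, and the ratio against last night's count is what catches the "all on the same port" signature the text describes. The list of source addresses is the part worth acting on, since those are the hosts to isolate while the AV vendor catches up.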