Figure 6.1 Normal Traffic—Pkts Filter
It is important to understand what is normal in order to understand what is abnormal. You need to observe your ourmon graphs and data daily and over time build up some idea of what is normal. Then you will be able to spot anomalies.

In Figure 6.2 we see a very abnormal version of the pkts filter. This is a DDoS attack. Keep in mind that there are thousands of hosts contributing to this graph. However, it is also possible for one host to put a spike in the graph with a DoS attack.
If you were the head network engineer and you looked at this graph, you might reach for the aspirin. There's an anomaly now. Hopefully, you can spot it! Instead of the daily peak of 60,000 pps, apparently 870,000 pps have decided to show up for a brief time. The theoretical maximum for a gigabit Ethernet connection for 64-byte (minimum size) packets is on the order of 1.4 million pps. This is close enough (and bad). Ourmon and some human intelligence eventually got to the bottom of this attack. Apparently a student on campus was having a dispute with another person external to campus. The other person used a botnet to stage a multiple-system, large DoS attack on the PSU student's IP host (and on port 22, the ssh port) for "revenge." Many hosts (1000s) sent small TCP SYN packets to one PSU host. A botnet was used as the attack vehicle. This attack and similar attacks have damaged network services on campus at times in various ways. It is often the case that a DDoS attack will do damage to innocent parties by perhaps clogging up the Internet connection or causing network equipment to crash or suffer degraded performance. In fact, this attack caused ourmon to more or less stop during the attack because all the operating system could do was drop packets. The lesson here is that botnets can cause serious resource problems. We will return to this case study in Chapter 9 when we give some advanced techniques for interpreting ourmon data. One important lesson here: A remote DDoS attack via a botnet may take your network (or your network instrumentation) off the air.

www.syngress.com
Ourmon: Overview and Installation • Chapter 6
221
427_Botnet_06.qxd 1/8/07 3:14 PM Page 221
Figure 6.2 External DDoS Attack
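As an added example (not code from the book or from ourmon), here is the "know what is normal first" lesson turned into a small check: it computes the gigabit line-rate figure the text cites for 64-byte frames, takes the normal daily peak from a history of observed peaks, and flags any sampling interval whose packet rate is many times that peak. The 30-second bins, the daily-peak history and the 3x threshold are constructed assumptions.

```python
from statistics import median

# Constructed history of observed daily peak pps on "normal" days.
DAILY_PEAKS = [55_000, 60_000, 58_000, 62_000, 60_000]

# Constructed counter readings: (bin start in seconds, packets seen in the bin).
BIN_SECONDS = 30
SAMPLES = [
    (0, 1_200_000),    # 40,000 pps
    (30, 1_800_000),   # 60,000 pps, the normal daily peak
    (60, 26_100_000),  # 870,000 pps, the SYN flood interval
    (90, 1_500_000),   # 50,000 pps
]


def line_rate_pps(link_bps=1_000_000_000, frame_bytes=64):
    """Theoretical maximum frames per second on an Ethernet link.

    On the wire each frame also costs an 8-byte preamble/SFD and a 12-byte
    inter-frame gap, so a 64-byte frame occupies 84 byte-times; at 1 Gbit/s
    that is roughly 1.49 million pps, the "1.4 million" figure in the text.
    """
    wire_bytes = frame_bytes + 8 + 12
    return link_bps / (wire_bytes * 8)


def normal_peak(daily_peaks):
    """Baseline 'normal' peak: the median of observed daily peaks, so one
    bad day in the history does not drag the baseline upward."""
    return median(daily_peaks)


def pps_from_bins(samples, bin_seconds):
    """Convert per-bin packet counts into (bin start, packets per second)."""
    return [(t, count / bin_seconds) for t, count in samples]


def find_spikes(rates, baseline_peak, factor=3.0, link_bps=1_000_000_000):
    """Return (bin start, pps, fraction of line rate) for every interval whose
    rate exceeds factor * baseline_peak. The line-rate fraction says how close
    the flood came to saturating the monitored link."""
    cap = line_rate_pps(link_bps)
    return [(t, pps, pps / cap) for t, pps in rates if pps > factor * baseline_peak]


if __name__ == "__main__":
    spikes = find_spikes(pps_from_bins(SAMPLES, BIN_SECONDS), normal_peak(DAILY_PEAKS))
    for t, pps, frac in spikes:
        print(f"t={t}s: {pps:,.0f} pps, {frac:.0%} of gigabit 64-byte line rate")
```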
Case Study #2: External Parallel Scan
In the next chapter (Chapter 7), we will talk about some fundamental tools that ourmon uses to detect anomalies of various kinds. These include scan detection tools. In Figure 6.3 we see a picture of a particular ourmon feature called the worm graph that graphs the number of internal (home subnet) or external network "worms." A "worm," in this case, doesn't really mean hosts having viruses. It more or less means hosts exhibiting behavior you might expect from a worm. In ourmon, a host that scans is said to be wormy. We