FlowScan at the University of Wisconsin-Madison Copyright Dave Plonka and Perry Brunelli, 2001. This work is the intellectual property of the authors.

Slides:

Advertisements

Similar presentations

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Advertisements

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

FIREWALLS Chapter 11.

Another Tale Ted Krupicka Associate Director University Information Services Pacific University Forest Grove, Oregon Copyright Ted Krupicka,

Denial of Service & Session Hijacking.  Rendering a system unusable to those who deserve it  Consume bandwidth or disk space  Overwhelming amount of.

Data Communications and Computer Networks Chapter 1 CS 3830 Lecture 5 Omar Meqdadi Department of Computer Science and Software Engineering University of.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

Winter CMPE 155 Week 7. Winter Assignment 6: Firewalls What is a firewall? –Security at the network level. Wide-area network access makes.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Firewall Lalitha Jammalamadaka. Agenda 1. Introduction 2.Types of firewalls 3.How a software firewall works 4.Methods to control traffic 5.Making the.

Firewalls and Intrusion Detection Systems

Network Security Testing Techniques Presented By:- Sachin Vador.

Networking Theory (part 2). Internet Architecture The Internet is a worldwide collection of smaller networks that share a common suite of communication.

Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

Definition : Computer Virus A computer program with the characteristic feature of being able to generate copies of itself, and thereby spread. Additionally.

Lecture 3 Introduction 1-1 Chapter 1: roadmap 1.1 What is the Internet? 1.2 Network edge  end systems, access networks, links 1.3 Network core  circuit.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.

1-1 Internet Overview: roadmap 1.1 What is the Internet? 1.2 Network edge  end systems, access networks, links 1.3 Network core  circuit switching, packet.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

Lesson 19: Configuring Windows Firewall

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

A Signal Analysis of Network Traffic Anomalies Paul Barford, Jeffrey Kline, David Plonka, and Amos Ron.

Implementing Standard and Extended Access Control List (ACL) in Cisco Routers.

Lesson 19 Internet Basics.

Using Argus Audit Trails to Enhance IDS Analysis Jed Haile Nitro Data Systems

Internet Relay Chat Security Issues By Kelvin Lau and Ming Li.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

Forensic and Investigative Accounting

1Federal Network Systems, LLC CIS Network Security Instructor Professor Mort Anvair Notice: Use and Disclosure of Data. Limited Data Rights. This proposal.

Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.

Intranet, Extranet, Firewall. Intranet and Extranet.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.

Chapter 6: Packet Filtering

Lesson 2 — The Internet and the World Wide Web

Copyright 2003 CCNA 1 Chapter 9 TCP/IP Transport and Application Layers By Your Name.

IP Flow Measurement & Analysis with FlowScan IPAM Workshop, Los Angeles, March 21, 2002 Dave Plonka Division of Information Technology,

Honeypot and Intrusion Detection System

ITIS 1210 Introduction to Web-Based Information Systems Chapter 45 How Hackers can Cripple the Internet and Attack Your PC How Hackers can Cripple the.

Forensic and Investigative Accounting Chapter 14 Internet Forensics Analysis: Profiling the Cybercriminal © 2005, CCH INCORPORATED 4025 W. Peterson Ave.

1 The Research on Analyzing Time- Series Data and Anomaly Detection in Internet Flow Yoshiaki HARADA Graduate School of Information Science and Electrical.

Linux+ Guide to Linux Certification Chapter Fifteen Linux Networking.

--Harish Reddy Vemula Distributed Denial of Service.

An Overview of the Internet: The Internet: Then and Now How the Internet Works Major Features of the Internet.

1 Figure 4-16: Malicious Software (Malware) Malware: Malicious software Essentially an automated attack robot capable of doing much damage Usually target-of-opportunity.

FlowScan at the University of Wisconsin Perry Brunelli, Network Services.

1 CSCD 443/533 Advanced Networks Lecture 10 Usage and Network Measurement Fall 2013 Reading: See References at end.

1 CHAPTER 3 CLASSES OF ATTACK. 2 Denial of Service (DoS) Takes place when availability to resource is intentionally blocked or degraded Takes place when.

CS 3830 Day 5 Introduction 1-1. Announcements  Program 1 due today at 3pm  Program 2 posted by tonight (due next Friday at 3pm)  Quiz 1 at the end.

Packet Filtering Chapter 4. Learning Objectives Understand packets and packet filtering Understand approaches to packet filtering Set specific filtering.

1 Firewalls G53ACC Chris Greenhalgh. 2 Contents l Attacks l Principles l Simple filters l Full firewall l Books: Comer ch

The Internet The internet is simply a worldwide computer network that uses standardised communication protocols to transmit and exchange data.

ECE Prof. John A. Copeland fax Office: GCATT Bldg.

Distributed Denial of Service Attacks Shankar Saxena Veer Vivek Kaushik.

Packet Filtering COMP 423. Packets packets datagram To understand how firewalls work, you must first understand packets. Packets are discrete blocks of.

FlowScan A Network Traffic Reporting and Visualization Tool Dave Plonka

©Stephen Kingham SIP Protocol overview SIP Workshop APAN Taipei Taiwan 23rd Aug 2005 By Stephen Kingham

Interpreting Network Traffic Flows Bill Jensen, Paul Nazario and Perry Brunelli.

Network Sniffer Anuj Shah Advisor: Dr. Chung-E Wang Department of Computer Science.

Advanced Packet Analysis and Troubleshooting Using Wireshark 23AF

DoS/DDoS attack and defense

1 Virtual Dark IP for Internet Threat Detection Akihiro Shimoda & Shigeki Goto Waseda University

Unit 2 Personal Cyber Security and Social Engineering Part 2.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Access Control Lists Accessing the WAN – Chapter 5.

Comparison of Network Attacks COSC 356 Kyler Rhoades.

Port Scanning James Tate II

Firewall – Survey Purpose of a Firewall Characteristic of a firewall

A Distributed DoS in Action

Networking Theory (part 2)

Networking Essentials For Firewall-1 Administrators

Networking Theory (part 2)

Presentation transcript:

FlowScan at the University of Wisconsin-Madison Copyright Dave Plonka and Perry Brunelli, This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyrightstatement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

FlowScan at the University of Wisconsin-Madison Dave Plonka and Perry Brunelli

Agenda What is FlowScan? Interpreting Sample Graphs Network Events of Interest

What is FlowScan? FlowScan is a freely-available network traffic reporting and visualization tool. Its development began in December 1998, and it was first released in March There are hundreds of users today including campuses and ISP’s. FlowScan analyzes data exported by Internet Protocol routers.

What is FlowScan FlowScan counts flows by protocol, application, user population, or Internet connection. –Protocols include TCP and UDP. –Applications include (SMTP), file sharing (e.g. KaZaA). –User populations are subnets such as schools or departments.

What is a Flow? “An IP flow is a unidirectional series of IP packets of a given protocol (and port where applicable), traveling between a source and destination, within a certain period of time.” K. Claffy, G. Polyzos, H. Werner-Braun, c References:

These flows represent an ftp file transfer that lasted 9 seconds. Two bi-directional Internet connections, comprised of a total of 430 packets containing 380,122 bytes, are summarized into just five flows.

Flow-based passive measurement Active measurements examine traffic which is introduced into the network solely for the purpose of measurement. Passive measurements examine existing traffic, in an attempt to minimize the impact of the measurement itself. In actuality, the flows are the accounting record or log of activity reported by the router.

Example collector receives flow data from the router and writes it to disk. FlowScan parses/massages data from cflowd and stores the results in RRD format. RRDtool graph produces graphs from RRD files.

Interpreting FlowScan Graphs Horizontal axis is time, current time to the right. Vertical axis indicates magnitude of measurement, usually in bits, packets, or flows per second. Outbound traffic is upwards, Inbound traffic is downwards (mnemonic: pejorative `bottom feeders'). Colored bars show traffic classification and are stacked (not overlaid) to show the total.

Fall 2000 Traffic 48 hours

Fall 2000 Traffic - Continued

Fall 2001 Traffic

Fall 2001 Traffic – Continued

Network Events of Interest The Rise and Fall, and Rise of Peer-to-Peer Rate-limiting changes: Packateer Packetshaper Under Attack: Code Red and Nimda worm propagation Flash Crowds: Linux release, campus events Denial of Service (DoS) Distributed Denial of Service (DDoS)

Peer-to-Peer as presented by FlowScan

Packeteer Installed 5-Oct-2001

… by Protocol 5-Oct-2001

Code Red Worm Propagation The following graph shows the difference between the number of UW-Madison IP addresses that have transmitted traffic and the number that have received traffic. These values are plotted independently for each of UW-Madison's four class B networks. This metric represents the number of campus host IP addresses that participated in "monologues" - one way exchanges of IP information with hosts in the outside world. A negative value indicates that more source addresses have received IP traffic than have generated outbound IP traffic. Negative numbers in the plot are an indication of inbound "scanning" or probing behavior (such as that done by the hosts in the outside world that were infected with the Code Red worm) because those scans often attempt to talk to unused campus IP addresses or to hosts which simply do not respond because of firewall policies.

Code Red Worm Propagation

Nimda Propagation

Flash Events, Flash Crowds Larry Niven's 1973 SF short story "Flash Crowd“ predicted that one consequence of cheap teleportation would be huge crowds materializing almost instantly at the sites of interesting news stories. Twenty years later the term passed into common use on the Internet to describe exponential spikes in website or server usage when one passes a certain threshold of popular interest.

Linux Release Events

The Titan Arum

Inbound DSL DoS A campus DSL user's host (640Kbps download) was the recipient of 50,000 packets per second, which totaled over 10 megabits per second.

…Inbound DSL DoS

A Distributed Denial of Service Attack On Monday, July 9, 2001, UW-Madison network engineers discovered that for the past two days, various campus hosts running the Windows IIS HTTP server were enlisted as slaves in an outbound Distributed-Denial-of-Service attack. The outbound traffic consisted of large ICMP ECHO packets to a small set of destination "victim" hosts.

Outbound Distributed DoS flood from 30+ Campus Hosts

Same DDoS flood from another campus

The Knight IRC Robot Coordinated via Internet Relay Chat (IRC) using "robots". Independent observations reported aggregates over 500Mbs

References FlowScan: –net.doit.wisc.edu/~plonka/FlowScan/#FlowScan_Resources –wwwstats.net.wisc.edu Denial of Service: –www-cse.ucsd.edu/~savage – Code Red Analysis: –

Summary/Questions