- how to manage the Internet user behavior?
How to distribute the various types of traffic?
In this case, you can use NetFlow, an effective tool to meet the needs of network traffic management.
NetFlow was originally developed by Cisco.
Cisco's NetFlow also has multiple versions, such as V5, V7, V8, and V9. Currently NetFlow V5 is the mainstream.
the flow of an IP data package defines at least the following 7 key elements:
Source IP address;
Destination IP address;
Source port number;
Destination port number;
Type of the third layer agreement;
TOS field;
Logical port of network device input/output (if index)
Example 1: CodeRed's Flow features are destination port=80, packets=3, size=144bytes. Although on the Internet, normal behaviors that conform to the above characteristics exist (such as using ICQ), a host that is generally used normally will not send out a large number of these messages in a few consecutive periods of time.
take several different time periods, such as 5 minutes each, if the flow that meets the characteristics in each time period is greater than the upper limit, it can be judged as Code Red.
Example 2: A host infected with Nimda virus will initiate a large number of connections to external addresses (usually TCP port 80). The flow feature of Nimda is that each Flow represents a connection with destination port=80. If a normal client is in a period of time If the number of flows within (for example, 5 minutes) is too large, it is likely to be infected by viruses or have other attacks against HTTP.
if Apache Http Server is infected with Slapper Worm, a large number of Http packets will also be generated.
take several different time periods, each of 5 minutes, if the flow that meets the characteristics in each time period exceeds the upper limit, it can be judged as Nimda virus or other attack behavior.
Example 3: Worm.Sasser is characterized by an IP that initiates a TCP connection on port 445 to multiple randomly generated IPs at the same time.
the same source IP, a large number of different destination IPs, and the destination port is 445. When the flow meets the upper limit, it can be considered as an oscillator virus.
Example 4: the notorious Microsoft SQL-Server vulnerability caused a great impact. Its characteristic is a TCP stream with a destination port of 1433.
Example 5: Analyze DOS attack traffic with NetFlow
DOS can use the defects of the TCP protocol to open a half-open TCP connection through SYN, occupying system resources, so that legitimate users are excluded and cannot establish a normal TCP connection.
the detection of ICMP attacks can be based on the following conditions: In several consecutive time periods, assuming that each time period is 5 minutes, ICMP packets in each time period are greater than 5000
another DDOS attack is SYN flooding, which is characterized by the SYN in the TCP header being set and a large number of SYN characteristic packets. The Flag bit is provided in the NetFlow output format, which creates conditions for us to judge SYN attacks
the condition for detecting SYN flooding is: in several consecutive time periods, assuming that each time period is 5 minutes, a large number of data packets with flag=2 are generated. Normal connections will not generate so many data packets with flag=2, so it can Set the threshold to 5000
If the number of data packets with flag=2 sent by the host exceeds 1000, it can be considered that the host is launching an attack.
Case 6: Application of NetFlow in Network Forensics
Fprobe: Send data stream from remote host;
NfSen: NetFlow analysis graphical front end;
Nfdump: NetFlow acquisition module;
the network data is received at the network interface, and then the collected data is converted by the Fprobe program according to certain rules and formats (Netflow format), and then sent to the system's port 555 (check/etc/default/fprobe for details),
Then the Nfdump program in the Nfsen system will store the converted data in the/var/cache/nfdump/flows/directory,
and finally read it by the web front-end program Nfsen
https://blog.birost.com/a?ID=01050-fc6121cf-d8ec-44a8-b796-8a023ac12588
- When computers need to talk to one another, they establish communication channels, commonly referred to as connections. (Technically speaking, these communication channels can only be called connections when the TCP protocol is involved.) A flow refers to any connection or connection-like communication channel.
a flow is defined by its 5-tuple, a collection of five data points:
The source and destination IP addresses exchanging information
The source and destination ports, if any (ICMP, for example, doesn’t use ports)
The protocol
Flow identifies a communication channel, and all packets sharing the same 5-tuple fields belong to the same flow.
NetFlow is functionality built into network devices that collects measurements for each flow and exports them to another system for analysis. NetFlow captures a number of details, including the timestamp of a flow’s first and last packets (and therefore its duration), the total number of bytes and packets exchanged, and a summary of the flags used in TCP connections.
By collecting and analyzing this flow data, we can learn details about how the network is being used. Flow analysis is helpful in troubleshooting network issues, identifying bandwidth hogs, and tracking which external IPs or countries you’re exchanging data with
Having this information is important, but what you can do it is what really matters. This data can help you answer questions like:
Who’s using banned applications, like BitTorrent?
Who’s hogging bandwidth and slowing down the network?
Why your web server is receiving so many connections from North Korea?
What was a hacked server connected to during an infection?
Why use NetFlow?
Simply stated, you should use NetFlow because it gives you deep network visibility.
configuring NetFlow on the main router connected to the internet (R1) lets you monitor all the traffic in and out of the company, and to watch for any attacks on the servers in the DMZ. This is typically referred to as north-south traffic.
If you enable NetFlow on the main switch connecting the different departments (S1), you also gain instant visibility into all internal network traffic as well, typically referred to as east-west traffic.
NetFlow vs. SNMP
Similar to NetFlow, SNMP has a concept of agents (analogous to a flow exporter) and managers (analogous to a flow collector).
NetFlow and SNMP have some similarities, but it’s where they differ that’s most interesting. While they can both be used to monitor the throughput of a network, only NetFlow provides visibility into the what and the where of the traffic
There is a bit of a difference however with data collection. With NetFlow, there is only one way to get data from the flow exporter to the flow collector. The flow exporter actively sends data to the flow collector. SNMP, on the other hand, has two ways of getting data from an agent to a manager. SNMP can utilize traps, a push notification from the agent to the manager, or SNMP polls, a pull request to the agent, initialized from a manager. SNMP polling is the primary way most network management systems collect performance data.
Another major difference between NetFlow and SNMP is that NetFlow focuses only on traffic passing through a network device. SNMP allows network administrators to collect data on other device performance metrics, such as CPU and memory utilization, and even into hardware health information – like fan speed and temperature.
Where SNMP falls short on giving network admins visibility into the what and the where of the traffic, NetFlow is there to fill in that gap.
Limitations of NetFlow
NetFlow identifies the device but not necessarily the user
NetFlow records the IP address at the time of data collection
if you use Network Address Translation (NAT) in your network, and do the NetFlow collection after you’ve NAT’d the traffic (on the ‘outside’ interface of a firewall), you won’t see the internal IPs associated with that traffic. I’ve been in this spot once or twice, trying to troubleshoot who is consuming all that bandwidth when every flow says “it’s the firewall!” You’ll want to ensure you’re always collecting flow traffic from an interface where you’ll see your internal IPs, before it is NAT’d.
NetFlow doesn’t see inside the flows
The 5-tuple of information collected by NetFlow is actually extracted out of the header of an IP packet.
The solution? Many organizations look to Deep Packet Inspection (DPI), including TLS inspection, as a way of peering inside the network traffic to analyze it for security threats and policy compliance
The inspection appliances need to sit in-line with the traffic and adds an additional failure point.
There are privacy implications to doing DPI on all traffic.
It can be cost prohibitive for some organizations.
NetFlow can be used for monitoring, but not active management
NetFlow doesn’t tell you where a device is connected
https://www.auvik.com/franklyit/blog/netflow-basics/
