Transcript CURELAN TECHNOLOGY Co., LTD Flowviewer FM-800A
CURELAN TECHNOLOGY Co., LTD Flowviewer FM-800A
CURELAN TECHNOLOGY Co., LTD
www.CureLan.com
1
Introduce Product Major Functions
Quota Management (IPv4 & IPv6) and current traffic monitor.
Peer-to-Peer (P2P) filter.
P2P Report. Netflow or sFlow traffic report. Worm detection(NBAD). Automatically block infected IPs from L3 Switch by ACL .(for Cisco, Foundry, Alcatel, Extreme) or Automatically block by Flowviewer.
Port Scan and SSH Password Guess Attacks Report. (NBAD) RDP Password Guess Attacks Report. (NBAD) List of Possible UDP Flood Attacks Report. (NBAD) List of Possible DOS Attacks Report. (NBAD) Port Scan and SSH Password Guess Detection and Blocking. Blocked by Flowviewer .
RDP Password Guess Detection and Blocking. Blocking method: Blocked by Flowviewer .
UDP Flood Attack Detection and Blocking. Blocking method: Apply ACL command to core switch. DOS Attack Detection and Blocking. Blocking method: Apply ACL command to core switch. 2
Agenda
Classification by Function
Automatic detection of RDP and SSH attacks.
Automatic prevention of UDP Flood and DOS attacks.
Dynamic Traffic Query can identify suspect network traffic and check the IP against a list of known and offenders.
3
Network Security Threats Case-1
Virus
:
Using normal packet data a virus compromises PCs, potentially leading to the destruction of personal computer hard disk data or storage memory and also causing the PC to slow and so on. The destructive characteristics of those programs are limited to personal computers.
Hacker
:
In the computer security context, a hacker is someone who seeks and exploits weaknesses in a computer system or computer network. Hackers may be motivated by a multitude of reasons, such as profit, protest, or challenge.
The hackers can use a port scan Trojan to discover the network vulnerabilities. They can also scan the unit's Port Service, so some units will change the original Port Service number leaving the network open to further hacking activities.
By using a Port Scan hackers can scan the unit's Port Service, allowing Trojans to invade a specific port by guessing the password. After the success of these Trojans horse programs the computer then becomes a zombie computer and potentially part of a botnet.
4
Network Security Threats Case-2
After the successful hacking of the zombie computer, this can lead to other internal computer intrusion and through the use of a key logging program the hacker can determine if the computer is a personal computer or a server, because the personal computer will be shutdown regularly by the user while a server is very rarely shutdown. If it is a server this is a suitable method to relay and attack the target IP. The server may also contain valuable data which can be stolen by the hacker.
Through the Port Scan program hackers can exploit the known insecurities of ports 53 and 123 and can then create a DNS Amplification Attack via port 53 (DOS Attacks), this type of attack can also be created by using port 123 NTP (Network Time Protocol) reflection attacks. (UDP Flood Attacks)
If your device is using network behavior analysis(NBA) to identify hacker intrusion and attack, you do not need to use the feature value (Pattern). Network behavior analysis is the collection of all network IP data to determine, by identifying anomalous network data, intrusion and hacking attacks. NBA allows for the rapid detection of network attacks by analyzing ALL network data unlike the pattern detection method which is restricted to identifying attacks based on set patterns of network activity. Hackers can bypass this detection method by regularly changing the pattern of their attacks every 2 or 3 days.
5
Hacking Methods
Bypass network security by exploiting SSH and RDP vulnerabilities.
Known Microsoft operating system vulnerabilities(see note below) and PHP, C++ database vulnerabilities. These methods exploit bugs that even software and operating system developers are not aware of in their systems. This is the best situation from a hacker’s point of view as these types of attacks cannot be detected or stopped until developers identify the bug and release updated software to fix the problem.
Note: Hackers can use injection of CSS codes on insecure web sites allowing them to access confidential user data on the host server. A google safety engineer also pointed out that there is evidence that Microsoft was aware of this vulnerability as early as 2008 . At present users must rely on their browsers to deal with this vulnerability.
No network security product can ever protect from all attacks, for example, a Trojan horse attached during P2P
、
APP and Spear Phishing is undetectable. Luckily, server equipment does not receive and send mails or use P2P downloads automatically, therefore any action of this kind is on a personal computer. Most hacks focus on one computer and then use the intranet to attack other IPs until they locate the server IP that allows access to confidential data. Another method is to slip Trojans to individual PCs then using the relay function to take down the network. The FM-800A provides RDP
、
SSH attack detection and blocking functions.
6
Hacker steals confidential data of file server Flowveiwer has solution
Most intranet attacks are performed via RDP, the RDP password guessing attack detection function is unique and available only in Flowviewer FM-800A. The Flowviewer system can detect and automatically send ACLs (Access Control List Entries) to Core Switch (Layer 3) to prevent attacks. As seen below: a list of possible RDP Attacks report, Number 3, 5, 6 and 7 illustrate this type of intranet attack.
Outlined in the red column, we can see an internal source IP ( 140.xxx.xxx.229
) attacked 9 IPs ( 140.xxx.xxx.3, 140.xxx.xxx.2, and so on) at the same time.
It is possible that the source IP of number 3, 5, 6 and 7 are the victims of the Spear Phishing.
Figure is a successful example of FM-800A detecting the RDP attack.
7
Exclusive technology : RDP Attacks-1
On 2012/06/04, our RDP Attack detect function detected a hacker using 222.133.38.22 (Src IP) trying to compromise 140 .
XXX .
101.4
(Dst IP). Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft, which provides a user with a graphical interface to another computer. Clients exist for most versions of Microsoft Windows (including Windows Mobile), Linux, Unix, Mac OS X, Android, and other modern operating systems.
8
RDP Attacks-2
Trace of the source IP of RDP attack.
222.133.38.22 (Source IP) is from China.
All series of Flowviewer FM-800A can query IP address using Geotool and whois web site.
9
SSH Password Guess Attacks Report
Many attacks go through the SSH route, the Flowviewer system can detect and automatically send ACLs (Access Control List Entries) to Core Switch (Layer 3) to prevent attacks. As seen below: a list of Possible SSH Attacks.
FM-800A detected and blocked the IP 203.125.203.23 that used the SSH password guess attack to compromise a certain university's IP on 2013/08/23.
10
Real Case
Hackers compromised the intranet IP successfully by SSH password guessing then implanted the Trojans on September 12
th
, 2010.
After three days, hackers attacked the external IP by using UDP Flood Attacks with intranet IPs that had been implanted with the Trojans.
11
Example of an SSH Attack
The IP ( 218.29.100.122
) tried to attack TANet between September 9 th and 12 th . The targets were National Sun Yat-sen University, National Chung Cheng University and the Ministry of Education Computer Center. There were as many as 160000 individual attack during this period.
Hackers( 218.29.100.122
) tried to invade one University IP 140 .
XXX .
XXX .
134 (Server) and another University Server Farm on September 11 th & 12 th .
Hackers successfully invaded the servers of these two universities. Using the same method, hackers can invade the networks of commercial companies and gain access to confidential information. For example customer credit card details.
12
Successful detection of SSH intrusion attempts-1
Hackers( 218.29.100.122
) try to invade the XXX University IP 140 .
XXX .
XXX .
134 (Server) on September 11 th .
Hackers( 218.29.100.122
) try to invade the YYY University Server Farm on September 11 th .
13
Successful detection of SSH intrusion attempts-2
Hackers( 218.29.100.122
) try to invade the XXX University IP 140.
XXX.XXX
.134
(Server) on September 12 th .
Hackers( 218.29.100.122
) try to invade the YYY University Server Farm on September 12 th .
14
Successful hacker attack : September 12
th
UDP Flood Attacks begins September 15
th
.
Why do hackers try to implant Trojan horse programs to servers via SSH?
Taking the IP 218.29.100.122
as an example. On 9/12, the TANet intrusion finishes, but it then starts to attack the IP 93.114.111.187(it belongs to an ISP based in Romania) by UDP Flood attack. Although we do not know why hackers do these attacks, but they used IP 218.29.100.122
(Server) to intrude 140.
XXX.XXX.
134 (Server) . It’s purpose is to attack the ISP in Romania by UDP Flood attack. The following description is a real case.
15
Real Case : UDP Flood Attack on September 15
th
Example: XXX university has a server which was implanted with Trojan horse programs and launched a UDP Flood Attack to a foreign IP. 218.29.100.122 and invaded 140.
XXX.XXX.
134 and then attacked the Romanian ISP(IP:93.114.111.187) via UDP Flood Attack on September 15 th .
As shown below, the time duration was 2010-09-15 11:57:59 --> 2010-09-15 12:00:23. There is 1.63
GB of network traffic but the number of transmission packets is as high as 22,464,848 , so we can know it is indeed a UDP Flood Attack event. Within 5 minutes, the Flowviewer was abled to detect the UDP Flood attack and send an email to notify administrators and write ACL commands to the Core Switch to block the attack.
16
Defense Methods
The FM-800A collects real time IP network traffic and analyzes it to identify unusual or suspicious behavior, rather than using the defined terms. Therefore the system doesn't take into account the names of the attacks, that is to say network administrators don't have to waste time in researching the names of hacker attacks.
1.UDP Flood Attacks
:
Make a large number of traffic, fake UDP packages to attack a special IP. Weaken the intranet so it cannot work normally. This IP can be the HTTP file server, Web server, DNS server and so on.
2.DOS Attacks
:
Make a large number of sessions (flows), fake TCP packages to attack a special IP. Weaken the intranet so it cannot work normally. This IP can be the HTTP file server, Web server, DNS server and so on.
FM-800A automatically blocks UDP Flood attacks and DOS attacks.
17
UDP Flood Attack(DNS Amplification Attack) Attacks National
XXX
University -1
On November 29, 2010, a central national university internal IP was attacked by three foreign IPs:
212.59.6.158
(Lithuania)
202.104.151.201
(Chinese)
124.127.117.86
(Chinese) via UDP Flood Attack. This attack caused the entire campus network to shut down.
18
UDP Flood Attack(DNS Amplification Attack) Attacks National
XXX
University -2
Highlighted below we can see the flows which 212.59.6.158 attacked 140.
XXX.XXX.
131 with. As the following figure shows, that time duration is 2010-11-29 06:41:53 - > 2010 11-29 06:46:12. It produced 23,566,887 packets in 5 minutes, the graph clearly shows that the Flowviewer can accurately and automatically detect the UDP Flood Attacks from 140.
XXX.XXX.
131 . From the following report, we can identify that the hacker attacked the target via port 53 and it is a DNS Amplification Attack.
19
Detection of UDP Flood Attack Event
After detecting the UDP Flood Attack, the Flowviewer will send a notification e-mail to administrators and write ACL commands to the Core Switch to block the attacking IP.
According to the time duration, the packet number and traffic are correlated, we can identify that it is a UDP flood attack.
20
NTP reflection attacks (UDP Flood Attacks)
:
The Hacker relays 140.
XXX.XXX.
2 to attack 192.99.18.64 via port 123, this attack is an NTP reflection attack.
21
Detection of DOS Attack Event
The Flowviewer can detect DOS attacks and notify the administrator by e-mail. It can also automatically block the IP by itself.
140.
XXX.XXX.
174. is used as a DOS Relay source to attack 113.107.174.140. The flows (Sessions) are up to 53,706,960 and the traffic was 105.44 GB .
The attack will cause internal network performance to fall sharply and even cause the entire internal network to shut down, so we can see that a DOS Relay IP is not just a problem for a single user it is also a problem for the entire network.
22
Comparison Chart between FM-800A, IPS and Spyware
Type
Installation Type
Flowviewer FM-800A
In-line / Listen
IPS
In-line
spyware
Each PC Default Type When the Intranet is being attacked Using network behavior anomaly detection(NBAD) technology hacker attacks can be detected and intrusion can be blocked not just by the Flowviewer, but it can also use ACL commands to the L3 Core Switch to block the attacking IP.
Uses NBAD to automatically find and block the attack by writing ACL to core switch or the FM-800A itself.
IPS equipment uses feature codes (Pattern) to detect hacker attacks and intrusion, feature code (Pattern) update is slow leaving systems vulnerable to attack. Also there is a high error rate on the threshold value (threshold) setting function if you set the threshold value too low.
Only focuses on “Intranet to Internet”.
Cannot find the attack from the Intranet.
Pattern It can only be used by pattern. If pattern updates too fast or the worm is unknown, then it is useless.
23
Comparison Chart between FM-800A, IPS and Spyware
Type
Flow, IP, Port Traffic Quota Search and Report IP/Port Search at any time
Flowviewer FM-800A
Internet Intranet Intranet Internet Intranet Intranet We can focus on the times of Source IP, Destination IP, Protocol Source IP, Destination Port, flow direction IPS Only focus on “Inter to Intra” and sometimes “Intra to Inter” X P2P Types Processor Speed 9 types include 11 programs (even if those programs update, we can still find and block them) Uses patterns for defense. If the P2P programs update, the IP’s can’t block successfully.
6 seconds (30Mbps ~ 3Gbps) > 20 minutes (30Mbps)
spyware
X X X X
24
The Blind Spot of IPS Equipment
IPS equipment uses a feature code (Pattern) scheme to identify the external network hacker attacks by feature codes (Pattern) and threshold (threshold) setting function and then block the hacker. However the hacker through P2P, APP, Spear Phishing and other methods of intrusion into the internal network computer, can then by using implanted Trojan zombie computers on the internal network bypass IPS detection methods as these are designed to block external attacks only.
IPS equipment uses a feature code (Pattern) to detect hacker attacks and intrusion. Feature code (Pattern) update is slow, and the threshold value (threshold) setting function error rate is very high.
Just like the USA Inc Arbor Networks, Mazu Networks, Lancope , the Flowviewer device uses NBAD (Network Behavior Anomaly Detection) technology with synchronization and does not use feature code(Pattern) and so does not suffer from slow updates and very high false positive rate problems with the threshold function.
25
DNS Amplification Attack-1
26
DNS Amplification Attack-2
As shown in above, when a hacker slipped a Trojan on PC4 , the hacker changed the inquiry packet sourced IP as target A, and this is the IP the hacker attacked. The fake IP would ask domain name data for Local DNS, but the DNS Server doesn’t have that data. Therefore, the DNS Server would ask for data from the Public DNS. When Domain name data is transferred back to the DNS Server, the DNS Server would transfer data back to the fake IP. However, that IP is Public IP on the Internet and is not on the Intranet. Thus, the domain name data which the Local DNS asked for will be transferred to the Internet Public IP. As you can see, PC4 had been slipped the Trojan, so PC4 would continuously ask for domain name data from the Local DNS, and the Local DNS would continuously transfer the data to the Internet Public IP. This method of attack is called a DNS Amplification Attack.
27
DNS Amplification Attack-3
Here we can see how hackers used huge sessions (Flows) to paralyze a website or a server. This is an example to illustrate how our FM-800A can detect and stop network attacks.
On Oct. 11 th , 2013, a hacker used at Ukrainian IP 80.91.160.129
(sourced IP) to make a huge sessions (Flows) to paralyze port 53 of the DNS server at Wu Feng University. The method of attack was to use a sessions (flows) on every single port service. As shown above the picture, we can see there were 9,436 sessions (flows).
28
Zoom In 9,436 Sessions(Flows) report
A UDP connection is a connection which does not include sessions (Flows), that’s why hackers use packets of only 69 Bytes with every single Port Service as shown above the picture, FM-800A receives Netflow data, and Netflow will take every single Port Service as a session (Flow).
29
DNS Amplification Attack-4
According to the analysis data above , we made a chart to show how hackers used a huge UDP connection to paralyze the port 53 of the DNS server. This chart shows the UDP connection flows per second, by the 37 th second, there is a maximum of 206 UDP connections.
30
DNS Attacks: How to avoid firewall detection
The following are real cases showing that firewall Dos Protections (Threshold function) cannot protect the IP from attacks by hackers.
We set up an IP UDP connection (sessions/packets) with 300 UDP packets per second, to ensure that the firewall will then block this IP. However, in this case, there are only 206 UDP packets per second. This means that the attack cannot be detected by the firewall. When setting firewall thresholds, it is not effective to block an IP for just 300 UDP packets per second. Hackers always want to bypass the firewall and that includes changing the attack pattern every 2 or 3 days. In this case, NBAD (Network Behavior Anomaly Detection) is the best and most effective way to keep networks secure and free from outside attacks.
31
Real-time Query of Dynamic Traffic
The query can be adjusted at any time to analyze the individual IP address and show all of the destination IPs it has contacted. This function can identify the details of any potential crime and be used as evidence later on.
The following figure shows the source IP( 120.
XXX.XXX.
39 ) and lists the destination IPs it contacted during May 20, 2014 from 12:30 to 13:30. The destination IP is the IP address of the website or server . The IP in blue means it was accessed via port 80 and the IP in green represents those not using port 80.
32
FM-800A Configuration : Inline Mode
33
Automatically Prevent Hacker Intrusion and Attack in Inline Mode
Even in the event of a combined hardware and system failure , the Flowviewer, utilizing auto by-pass mode, will not have any adverse effect on network connections or stability.
The Flowviewer FM-800A device provides automatic blocking of hacker intrusions and attacks.
Automatic blocking of external IPs. (When hackers want to intrude on internal network via the Internet.)
The Flowviewer can automatically write ACL commands to the Core Switch to block attacks via intranet to intranet.
34
Flowviewer FM-800A Can Block Automatically
Flowviewer FM-800A can automatically stop the SSH Password Guess Attacks, RDP Password Guess Attacks, UDP Flood Attacks and DOS Attacks , by sending ACLs (Access Control List Entries) to Core Switch (Layer 3). As we can see, the target company includes Cisco, Foundry, Alcatel and Extreme etc.
35
Traffic Quota Function
36
Introduction of Traffic Quota Control
On campus, this function may be used to control the network traffic on the dorm. For government or enterprise, the function can be set to limit network traffic. Therefore, network limits can be set at different levels for different network groups depending on their requirements. When the user quota is exceeded, the quota manager can: (1) Blocking(Block the user’s IP address). (2) Bandwidth limit(Rate limit). The system allows the user to choose either Bandwidth limit or Block IP for different groups at the same time.
The system can prevent the increase of bandwidth as a method to solve network traffic problems.
37
Traffic Monitor Function Introduction
Traffic Monitor can monitor real time traffic, including total up/down/bi direction traffic, current up/down/bi-direction speed and peak up/down/bi direction speed.
38
Forced Disconnection Function
When managers find an IP improperly using network resources or performing any malicious acts (such as setting others’ IP address) they can block this IP manually.
39
Traffic Analysis of Individual Units on the Internal Network
A unit IP Group can be defined and used to display the network traffic usage rate of this IP group, which is then displayed in a pie chart.
This can be used to identify network problems using a unit IP group to show that units individual flow analysis.
40
P2P function
The flowviewer system can use P2P Pattens to filter P2P traffic such as : BitTorrent;AppleJuice;WinMX;SoulSeek;Ares、AresLite;Gnutella ; Foxy ; eDonkey、eMule、Kademlia;KaZaA、FastTrack;Direct Connect; Xunlei、 Thunder ;PPStream、QQLive、feidian、POCO、QVOD;SIP(VoIP).
P2P white list
:
IP or subnet can be added to P2P white list and will never be blocked from using P2P applications.
41
P2P White List
IP or subnet can be added to P2P white list and will never be blocked from using P2P applications.
42
Worm IP Blocking Function
The system provides an ACL(Access Control List) blocking function.
Flowviewer can block by itself, and can also notify the administrator while blocking IPs. It can also set white list IPs that can bypass the blocking function. The feature can work on the following Layer 3 switches: Cisco, Foundry, Alcatel, H3C and Extreme.
43
Built-in standard feature with the difference functionality table
Flowviewer Type peer-to-peer (P2P) filter FM-200A/AS Yes FM-800A Yes P2P Report Quota Management function and current traffic monitor Yes Yes Yes Yes Netflow or sFlow traffic report worm detection(NBAD) Automatic block infected IPs from L3 Switch by ACL Port Scan and SSH Password Guess Attacks Report RDP Attack Report Automatic block Port Scan and SSH Password Guess Attacks Automatic block RDP Attacks UDP Flood Attacks and DOS Attacks Detection Report Automatic block UDP Flood Attacks and DOS Attacks Detection Public Report(Hyperlinks) Yes Yes Yes No No No No No No Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes 44
Telecoms Solutions
Most telecoms Companies provide an IDC(Internet Data Center) and the IDC service provides customer websites with the ability to detect DDoS
(
Distributed Denial of Service
)
attacks.
Therefore, detecting UDP Flood Attacks becomes the most important function. Flowviewer FM-800A has the ability to accurately detect hacker IPs and send ACLs (Access Control List Entries) to Core Switch (Layer 3) that cuts off UDP Flood Attacks and prevents IDC(Internet Data Center) customer websites or business application servers from being paralyzed. 45
UDP Flood Attacks: a real world example
Below is an example of the Flowviewer FM-800A successfully detecting an attack from an external IP( 140 .xxx.xxx.
183 ) to a university in Taiwan.
Using a Flowviewer FM-800A a Telecoms Company can protect an IDC(Internet Data Center)client from hacker attacks.
46
Conclusion
No single device can detect all hacker attacks. But our device can detect most types of hacker attacks.
There is no solution for P2P and Spear Phishing but our device has a way to deal with these problems. We can do this using our RDP detect functionality. The Flowviewer FM-800A is the only system with this exclusive functionality on the market.
47
Our reference sites
Important Customer: National Center for High-Performance Computing
l Main Service : Cross-Campus WLAN Roaming Mechanism.
l Our Product–Flowivewer–use netflow traffic report feature to trace IPs that controlled by Botnet and notify the administrators who’s in charge of the IP address. School:
National Chung Hsing University (NCHU) National Kaohsiung Marine University National pingtung University of Science&Technology
I-Shou University ; Chinese culture University National University of Tainan National Taichung University National Changhua University of Education ; WuFeng University
Nanya Institute of Technology Ling Tung University
National Taichung Nurs ing College
Military:
Chung Cheng Armed Preparatory School
National Defense University
R.O.C Military Academy Government:
Kaohsiung City Government
Taitung County Government
Financial Supervisory Commission, Financial Examination Bureau Other: Show Chwan Memorial Hospital
﹐
Mega International Commercial Bank, Fist
48
Customers
49
Performance and Function
Flowviewer Models FM-800A Form Factor 2 U
Attack Mitigation Performance and Function
MRTG MAX: ~2Gbps Up to 6 million concurrent unidirectional application sessions over an IP network Quota Management function and current traffic monitor Peer-to-Peer filter and P2P Report Netflow or sFlow traffic report worm detection (NBAD) Automatic ACL block infected Ips SSH and RDP Password Guess Attacks Report UDP Flood Attacks Report DOS Relay Attack Report Automatic block Worm, Port Scan, SSH and RDP Password Guess, Port Scan, UDP Flood Attack and DOS Attack.
Inline Mode Hardware & Software Bypass NIC
2 Port 10/100/1000 BaseT 2 Port 1000 Base-SX 50
Demo site for Flowviewer FM-800A device
http://140.130.102.146
Account: guest
Password: 1234
51
Contact us
Office
:
15F-1, No,255, Jiuru 2 nd rd., Sanmin District, Kaohsiung City 807, Taiwan(R.O.C) TEL:+886-7-311-5186 FAX:+886-7-311-5178 Email: [email protected]
Website : www.curelan.com 52