Cisco NetFlow | Part 2 – What is Flow Analytics™?

Posted in detect network threats, NetFlow Analysis, Network Health Report, network threat detection, Network Traffic Analysis on June 5th, 2013 by Jake

This post continues Part 1 of the “What is Flow Analytics™?” series. Here I go over what the different algorithms do and how you can use them to improve your network traffic analysis.

By default, some of the network behavior analysis algorithms are enabled globally across all NetFlow exporting devices. These algorithms are usually used to show the “top” domains, hosts, conversations, etc. across your network, and they are very useful when troubleshooting network slowness or tracking a threat that is moving across your network.

Most of the algorithms listed below need to be enabled on a per-device basis, since certain algorithms in conjunction with certain devices (such as print servers) can trigger false positives. To get the most accurate network traffic analysis and threat monitoring, create exclusions for the IPs that trigger false positives.

  • Breach Attempts Violation: Looks for many small flows from one source to one destination. This can indicate a brute force password attack; a typical scenario would be a dictionary attack on an SSH server.
  • Custom Reports Thresholds: Any saved reports that have an inbound threshold are executed sequentially by this algorithm. Clicking on the name of this algorithm in the Flow Analytics™ Overview gadget launches the Custom Filters gadget.
  • DDoS Violation: Identifies a Distributed Denial of Service attack, such as one launched by a botnet.
  • DNS Violation: Alerts when a host initiates an excessive number of DNS queries. This can help identify hosts that may be infected with a mailer worm or have other issues that require an inordinate number of DNS look-ups.
  • FIN Scan: The FIN scan’s “stealth” segments are unusual because they are sent to a device without first going through the normal TCP handshake.
  • ICMP Destination Unreachable: An ICMP type 3 message that comes back from a router to the requesting host stating that it has no route to the network of the target host (code 0, network unreachable).
  • ICMP Port Unreachable: An ICMP type 3, code 3 message that comes back from the destination host stating that nothing is listening on the port the requesting host tried to reach (most commonly seen in reply to UDP probes of closed ports, since TCP answers with RST instead).
  • Internet Threats: Every hour this algorithm downloads an updated list of known hosts that end systems on the network should not be communicating with. Typically this is a list of compromised hosts with a reputation for sending nefarious traffic; the list is maintained by several Internet Service Providers.
  • Multicast Traffic Violation: Any multicast traffic that exceeds the threshold and is not excluded violates this algorithm.
  • Nefarious Activity Violation: Looks for a host communicating with many hosts using a low number of flows to each. An example would be a port 80 scan of an entire subnet.
  • NULL Scan: The null scan turns off all TCP flags, a combination that should never occur in legitimate traffic.
  • Peer to Peer: P2P connections (including BitTorrent) are monitored by this algorithm.
  • RST/ACK: RST/ACK packets are connection denials that come back from destinations to the originating hosts. This alarm can be caused by network scanning. Print servers can cause false positives with this algorithm and often need to be excluded.
  • SYN scan/flood: SYN packets are sent out in an attempt to open a connection with a target host. This alarm can be caused by network scanning.
  • Unfinished Flows Violation: Executed by the Top Flows algorithm, this helps identify hosts that have a high percentage of unfinished flows, which indicates scanning, malware, or poorly configured applications on a host.
  • XMAS Tree scan: The Xmas tree scan sends a TCP segment to a remote device with the URG, PUSH, and FIN flags set. It is called an Xmas tree scan because of the alternating bits turned on and off in the flags byte (00101001), much like the lights on a Christmas tree.
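To make the heuristics concrete, here is an added example (not Plixer’s Scrutinizer code, which is not public) that re-implements the general idea behind several of the algorithms above as one pass over NetFlow-style records, together with the per-device exclusion recommended earlier for print servers. The field names, thresholds, exporter names and IP addresses are assumptions made for this demo, and the sample records are constructed, not captured traffic.

```python
"""Flow-analytics heuristics over NetFlow-style records. Added example, not
Plixer/Scrutinizer code; field names, thresholds, exporters and IPs are assumed."""
from __future__ import annotations
from collections import Counter, defaultdict
from dataclasses import dataclass

# Bit values of the cumulative tcp_flags byte carried in NetFlow v5/v9 records.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Demo thresholds (assumed; tune per network and per exporter).
BREACH_MIN_FLOWS = 20     # small TCP flows from one src to one dst
SCAN_MIN_TARGETS = 25     # distinct dsts probed with small TCP flows by one src
DNS_MAX_QUERIES = 200     # port-53 flows from one host in the window
UNFINISHED_MIN_PCT = 0.5  # share of a host's TCP flows that never saw an ACK
SMALL_FLOW_PACKETS = 3    # "small" means at most this many packets

@dataclass(frozen=True)
class Flow:
    exporter: str  # device that exported the record
    src: str
    dst: str
    proto: int     # 6 = TCP, 17 = UDP
    dport: int
    flags: int     # OR of all TCP flags seen in the flow (0 for UDP)
    packets: int

def classify_tcp_flags(flags: int) -> str | None:
    """Map a cumulative TCP flag byte to the scan patterns from the list above."""
    if flags == 0:
        return "NULL scan"        # no flags at all never occurs legitimately
    if flags == FIN:
        return "FIN scan"         # FIN with no handshake before it
    if flags == URG | PSH | FIN:  # 0b00101001 == 0x29
        return "XMAS tree scan"
    if flags == SYN:
        return "SYN scan/flood"   # SYN never answered or completed
    if flags == RST | ACK:
        return "RST/ACK"          # destination refused the connection
    return None

def analyze(flows: list[Flow], exclusions: dict[str, set[str]] | None = None) -> dict[str, set[str]]:
    """Return {algorithm: {offending host, ...}}. `exclusions` maps an exporter to the
    source hosts ignored on that exporter only (the per-device exclusion for print servers)."""
    exclusions = exclusions or {}
    alarms: dict[str, set[str]] = defaultdict(set)
    pair_small, dns, tcp_total, tcp_unfinished = Counter(), Counter(), Counter(), Counter()
    targets = defaultdict(set)  # src -> dsts hit with small TCP flows

    for f in flows:
        if f.src in exclusions.get(f.exporter, set()):
            continue                    # suppressed on this exporter only
        if f.dport == 53:
            dns[f.src] += 1
        if f.proto != 6:
            continue                    # the remaining checks are TCP-only here
        scan = classify_tcp_flags(f.flags)
        if scan == "RST/ACK":
            alarms[scan].add(f.dst)     # blame the refused originator, not the refuser
        elif scan:
            alarms[scan].add(f.src)
        tcp_total[f.src] += 1
        if f.flags & SYN and not f.flags & ACK:
            tcp_unfinished[f.src] += 1  # handshake never completed
        if f.packets <= SMALL_FLOW_PACKETS:
            pair_small[(f.src, f.dst)] += 1
            targets[f.src].add(f.dst)

    for (src, _dst), n in pair_small.items():
        if n >= BREACH_MIN_FLOWS:
            alarms["Breach Attempts"].add(src)
    for src, dsts in targets.items():
        if len(dsts) >= SCAN_MIN_TARGETS:
            alarms["Nefarious Activity"].add(src)
    for src, n in dns.items():
        if n > DNS_MAX_QUERIES:
            alarms["DNS Violation"].add(src)
    for src, total in tcp_total.items():
        if total >= 10 and tcp_unfinished[src] / total >= UNFINISHED_MIN_PCT:
            alarms["Unfinished Flows"].add(src)
    return dict(alarms)

def sample_flows() -> list[Flow]:
    """Constructed records (not captured traffic) that exercise each heuristic."""
    done = SYN | ACK | PSH | FIN  # flags of a completed session
    fl: list[Flow] = []
    # dictionary attack: 30 short SSH sessions from one host to one server
    fl += [Flow("core-rtr", "10.0.0.5", "10.0.0.20", 6, 22, done, 3)] * 30
    # port-80 SYN sweep of 40 hosts, plus two Xmas probes at the server
    fl += [Flow("core-rtr", "10.0.0.7", f"10.0.1.{i}", 6, 80, SYN, 1) for i in range(1, 41)]
    fl += [Flow("core-rtr", "10.0.0.7", "10.0.0.20", 6, 80, URG | PSH | FIN, 1)] * 2
    # print server answering 15 stale clients with RST/ACK: benign but scan-like
    fl += [Flow("core-rtr", "10.0.0.50", f"10.0.2.{i}", 6, 50000 + i, RST | ACK, 1) for i in range(1, 16)]
    # 300 DNS queries from one workstation, mailer-worm style; 5 normal HTTPS sessions
    fl += [Flow("edge-rtr", "10.0.0.9", "10.0.0.53", 17, 53, 0, 2)] * 300
    fl += [Flow("edge-rtr", "10.0.0.11", "93.184.216.34", 6, 443, done, 40)] * 5
    return fl
```

Calling `analyze(sample_flows())` flags 10.0.0.5 for breach attempts; 10.0.0.7 for the SYN sweep, the Xmas probes, nefarious activity and unfinished flows; 10.0.0.9 for DNS volume; and the 15 clients the print server answered with RST/ACK. Passing `{"core-rtr": {"10.0.0.50"}}` as `exclusions` removes that last alarm without touching the others, which is the effect the per-device exclusions described above are meant to have. The RST/ACK check blames the host whose connections were refused rather than the refuser, because those flows travel from the destination back to the originator.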

As you can see, Flow Analytics™ covers many different attacks and violations that other network security tools do not. In our latest version you can also see, from the alarms page, which hosts are triggering the most alarms and how many alarms of each type have been triggered. The tool can send an email alert to an administrator whenever a violation is triggered, which reduces response time.

With so many new cyber security threats appearing every day, the need for traffic analysis has never been higher. With our network monitoring software you get visibility into every flow your NetFlow exporters report.

If you have any questions or need any assistance setting up Flow Analytics ™ feel free to let us know.


For a free 30 day trial of Scrutinizer, Download Now!

Sign up for Advanced NetFlow Training™ coming to a city near you!


3 Responses to “Cisco NetFlow | Part 2 – What is Flow Analytics™?”

  1. Tim Shimeall Says:

    Nice menu of simple analytics, but there are some that are almost as easy that you leave out: spam sources sending to the network (University of Twente in the Netherlands had a nice thesis describing this analytic, and FloCon has had several presentations on an independently-derived variant), SSH or FTP brute force attempts, outgoing repeated beacons, etc. (again, see the FloCon proceedings).

    In addition to “black lists” (network threats, in your terminology above), I find it very useful to implement “white lists” — known false positives for various analytics — which the users can employ to reduce rework and to document non-malicious sites.

  2. mike@plixer.com Says:

    Hi Tim,

    Yes, some of those are basic threat detection although definitely still viable. We also set up customer-specific environment monitors for things like the DNS and watch for odd flow patterns/volumes, etc.

    BTW: FloCon was great. We added a threat heat map in the next release. Threats high and to the right should be addressed first. I like the idea of white lists.

  3. Using NetFlow for Network Security - NetFlowKnights.com Says:

    [...] a port 80 DDoS attack, suspicious scans of your network, or excessive DNS requests. See my blog on network security for more information on the network monitoring algorithms we have pre-built in our NetFlow [...]
