I have had many customers ask me, “What are the algorithms in Flow Analytics and what do they do?” Excellent question. That is exactly what I will be covering in this second installment of my extensive series on Flow Analytics. In part one I covered how to enable Flow Analytics and properly configure it to your liking.
Each Top report in Flow Analytics has its own gadget. Select which devices you would want to have each ‘top’ algorithm report on, like this Top Countries report below. The “Devices in Flow Analytics” gadget is used to configure the Top Countries algorithm. I added five of my internet routers to be included. Within five minutes I started to see the data come in the gadget below.
You can have the same ‘Top’ gadgets for Applications, Conversations, Domains, Flows, Hosts, Subnet Traffic, Network Transports, and Well Known Ports (WKP).
Flow Analytics also has a set of algorithms that use NetFlow to detect and alarm on malicious network behavior. Here are some of the different types of algorithms and what kinds of devices we suggest you configure them on:
Internet Threats: Our neatest threat detection yet! Internet Threats goes out every hour and updates its list of known hosts that your network should not be talking to. Configure on Internet Routers.
DNS Violations: This algorithm alerts you when a host initiates an excessive amount of DNS queries. You can use this to identify any infected hosts that may require an excessive amount of DNS lookups. Configure on all internal devices.
FIN Scan: This method is used to identify listening TCP ports based on how the targeted device reacts to the probe. It can slip past firewalls because it communicates with a device without going through the normal TCP handshake. Configure on all internal devices.
XMAS Tree scan: Xmas scans send TCP frames to a remote device with the URG, PUSH, and FIN flags set. It is called an Xmas scan because of the alternating on and off bits in the flag byte (010101), similar to Christmas tree lights. Configure on all internal devices.
Multicast Traffic Violation: This algorithm is used for any multicast traffic that surpasses a configurable threshold in Flow Analytics. The default is 1,000,000 packets and the minimum is 100,000. Configure on Core Routers.
NULL Scan: Null scans clear all of the TCP flags in the segments they send. This can also easily breach firewall barriers. Configure on all internal devices.
Peer-to-Peer: This algorithm detects BitTorrent and P2P traffic with Netflow. Configure on Internet Routers.
Unfinished Flows Violation: Unfinished Flows are run by the “Top Flows” algorithm. This algorithm will alarm you on hosts with a high volume of unfinished flows. Unfinished flows may be a result of scanning, malware, or even poorly configured applications. Configure on all border Routers.
Nefarious Activity Violation: This algorithm is on the lookout for hosts that are communicating with many hosts using a low number of flows. An example would be a port 80 scan of an entire subnet. Configure on Internet Routers.
DDoS Violation: This algorithm detects a Distributed Denial of Service attack like those that can be launched by a BOTNET. A DDoS attack is when one user attempts to flood the bandwidth of a targeted system. Configure on Internet Routers.
Breach Attempts Violation: Flow Analytics will be on the lookout for a small number of flows from one source to one destination. This may indicate a brute-force password attack in progress, like a dictionary attack on your SSH server. Configure on all internal devices.
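To make the flag-based and threshold-based algorithms above concrete, here is an added example (my own code, not Plixer's or Scrutinizer's) that runs four of these detections over a handful of constructed NetFlow-style records: the FIN, NULL and XMAS flag patterns, excessive DNS queries, the "many hosts, few flows" fan-out behind the Nefarious Activity check, and the multicast packet threshold. The flag bit values assume the collector exports the TCP flag byte in header order (FIN as the low bit); the DNS and fan-out thresholds and the per-source multicast total are assumptions for illustration, not the product's settings.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address

# TCP flag bits as carried in the NetFlow v5/v9 tcpFlags field (assumption: low bit = FIN).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
TCP, UDP = 6, 17


@dataclass(frozen=True)
class Flow:
    """One exported flow record, reduced to the fields the detectors need."""
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    packets: int
    tcp_flags: int = 0  # cumulative OR of the flags seen on the flow


def classify_scan(flow):
    """Return the scan type a TCP flow's cumulative flags match, else None.

    A real connection accumulates SYN and ACK, so a flow whose union of flags
    is empty, FIN alone, or exactly URG|PSH|FIN never completed a handshake.
    """
    if flow.proto != TCP:
        return None
    if flow.tcp_flags == 0:
        return "NULL scan"
    if flow.tcp_flags == FIN:
        return "FIN scan"
    if flow.tcp_flags == (URG | PSH | FIN):
        return "XMAS scan"
    return None


def detect_scans(flows, min_ports=3):
    """(source, scan type) -> distinct destination ports probed, for sources
    that probed at least min_ports ports with that flag pattern."""
    ports = defaultdict(set)
    for f in flows:
        label = classify_scan(f)
        if label:
            ports[(f.src, label)].add(f.dport)
    return {k: len(v) for k, v in ports.items() if len(v) >= min_ports}


def detect_dns_violation(flows, max_queries=200):
    """Sources with more than max_queries flows to port 53 (constructed threshold)."""
    counts = defaultdict(int)
    for f in flows:
        if f.dport == 53 and f.proto in (TCP, UDP):
            counts[f.src] += 1
    return {src: n for src, n in counts.items() if n > max_queries}


def detect_fan_out(flows, min_hosts=50, max_flows_per_host=2):
    """Sources talking to many destinations with few flows each (e.g. a port 80 sweep)."""
    per_dst = defaultdict(lambda: defaultdict(int))
    for f in flows:
        per_dst[f.src][f.dst] += 1
    result = {}
    for src, dsts in per_dst.items():
        if len(dsts) >= min_hosts and sum(dsts.values()) / len(dsts) <= max_flows_per_host:
            result[src] = len(dsts)
    return result


def detect_multicast(flows, threshold=1_000_000):
    """Sources whose packets to multicast groups exceed the threshold
    (1,000,000 is the default quoted above; per-source totals are an assumption)."""
    totals = defaultdict(int)
    for f in flows:
        if ip_address(f.dst).is_multicast:
            totals[f.src] += f.packets
    return {src: n for src, n in totals.items() if n > threshold}


# Constructed sample flows: one normal HTTPS session plus one instance of each behaviour.
SAMPLE_FLOWS = (
    [Flow("10.0.0.5", "203.0.113.10", TCP, 51000, 443, 40, SYN | ACK | PSH | FIN)]
    + [Flow("10.0.0.9", "10.0.1.20", TCP, 40000, p, 1, URG | PSH | FIN) for p in (21, 22, 23, 25, 80, 443)]
    + [Flow("10.0.0.9", "10.0.1.21", TCP, 40001, p, 1, 0) for p in (22, 80, 443)]
    + [Flow("10.0.0.12", "10.0.1.22", TCP, 40002, p, 1, FIN) for p in (22, 25, 80, 443)]
    + [Flow("10.0.0.7", "10.0.0.53", UDP, 30000 + i, 53, 1) for i in range(250)]
    + [Flow("10.0.0.33", f"10.0.2.{i}", TCP, 45000, 80, 1, SYN) for i in range(1, 61)]
    + [Flow("10.0.0.40", "239.1.1.1", UDP, 5004, 5004, 1_200_000),
       Flow("10.0.0.41", "239.1.1.2", UDP, 5004, 5004, 50_000)]
)


def run_all(flows=SAMPLE_FLOWS):
    """Run every detector and return the findings keyed by algorithm name."""
    return {
        "scans": detect_scans(flows),
        "dns": detect_dns_violation(flows),
        "fan_out": detect_fan_out(flows),
        "multicast": detect_multicast(flows),
    }


if __name__ == "__main__":
    for name, hits in run_all().items():
        print(f"{name}: {hits}")
```

The scan detectors key on the cumulative flag byte because a collector only exports the union of flags seen over the flow's lifetime; that is also why a single SYN-only flow per host (the fan-out case) is caught by the host-count rule rather than the flag rule. On real exports, feed the detectors the records from one collection interval at a time so the thresholds mean the same thing the product's per-interval counters do.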
These are just a few atrocious activities you can be alerted on. Stay tuned for the finale of this trilogy of Flow Analytics where I talk about how to alarm on these nefarious network activities.