Monitoring network traffic to CDNs (content delivery networks) is becoming a nightmare for network engineers and network admins. Because so much legitimate content, social media included, and even malware is now hosted on the same large cloud and CDN address ranges, host reputation based on IP address alone is in most cases becoming obsolete: the address tells you which provider a host talked to, not which site. In this blog I will show how using our NetFlow probe together with our advanced DNS analytics provides insight into encrypted CDN traffic.

Monitoring CDN traffic using NetFlow:

With the standard fields in NetFlow, the most we can give you is the domain that a lookup attaches to a destination IP address. Take youtube.com as an example: a forward lookup of that name returns 216.58.219.238. That is fine in most instances, but if we then do a reverse-DNS (PTR) lookup on the address we get lga25s41-in-f14.1e100.net, which does not look like YouTube at all. As most of you know, this is because the address falls under Google's infrastructure naming domain (1e100.net), which covers all of Google's services, not just YouTube. So NetFlow plus reverse DNS tells you that someone on your network had traffic going to something owned by Google. That is still helpful, but how much further can we go?

DNS Analytics with FlowPro:

Our NetFlow probe sits somewhere on your network, takes a raw SPAN/mirror copy of the DNS traffic, and parses each query and its response, recording the name the client asked for and the IP address(es) that came back. It exports that pairing to our IPFIX/NetFlow collector, which correlates it with the flow records from the same hosts. Looking at the screenshot below, you can see that we have a lot of traffic going to Akamai (most networks do), but in the far right column we also list the DNS name that was requested before each conversation. This is especially helpful with encrypted traffic, since you cannot read the HTTP Host header out of a TLS session (the server name does appear in the clear in the TLS ClientHello's SNI field, but that is not part of a standard NetFlow record). Luckily for us, ordinary DNS on port 53 is in plain text, so the name the user resolved is easy to see. One caveat: this only covers resolutions the probe can observe. Clients that resolve over DNS-over-TLS or DNS-over-HTTPS, or through a path the SPAN port does not cover, will show up with an address but no name.

[Screenshot: IPFIX Monitoring]
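The correlation described above, as an added example in Python that is not code from Plixer's FlowPro or Scrutinizer: DNS answers seen on the mirror port are indexed per client and answered address, and each flow is labelled with the name that client resolved to that address shortly before the conversation started. Where the probe never saw a resolution (a host using another resolver, or an answer whose TTL has long expired), it falls back to the reverse-DNS name, which is all plain NetFlow would have given you, and so reproduces the youtube.com versus 1e100.net problem from the first section. All DNS answers, flows and PTR names are constructed sample data; only 216.58.219.238 and lga25s41-in-f14.1e100.net come from the article.

```python
"""Correlate flow records with the DNS answers seen on a SPAN/mirror port.

Added illustration, not code from Plixer's FlowPro or Scrutinizer. All DNS
answers, flows and PTR names below are constructed sample data, except
216.58.219.238 and lga25s41-in-f14.1e100.net, which come from the article.
"""
from bisect import bisect_right
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class DnsAnswer:
    ts: float      # time the response was seen on the mirror port
    client: str    # host that asked (the end user's stub resolver)
    qname: str     # name the client actually asked for
    addr: str      # A record returned for that name
    ttl: int       # seconds the client may cache the answer


@dataclass(frozen=True)
class Flow:
    ts: float      # flow start time
    src: str
    dst: str
    dport: int
    octets: int


class DnsIndex:
    """Per-(client, address) timeline of answers, searchable by time."""

    def __init__(self, answers: List[DnsAnswer]) -> None:
        self._answers: Dict[Tuple[str, str], List[DnsAnswer]] = defaultdict(list)
        for a in sorted(answers, key=lambda a: a.ts):
            self._answers[(a.client, a.addr)].append(a)
        # parallel timestamp lists so lookups can bisect instead of scanning
        self._times = {k: [a.ts for a in v] for k, v in self._answers.items()}

    def lookup(self, client: str, addr: str, at: float,
               grace: float = 0.0) -> Optional[DnsAnswer]:
        """Most recent answer that mapped `addr` for `client` at or before
        `at`, provided its TTL (plus `grace`) has not run out. A stale
        answer is deliberately not attributed: the client would have
        re-resolved, and we may have missed that second resolution."""
        key = (client, addr)
        if key not in self._answers:
            return None
        i = bisect_right(self._times[key], at) - 1
        if i < 0:
            return None
        ans = self._answers[key][i]
        if at > ans.ts + ans.ttl + grace:
            return None
        return ans


def label_flow(flow: Flow, index: DnsIndex,
               ptr: Dict[str, str]) -> Tuple[str, str]:
    """Return (name, source): the queried name when the probe saw the
    resolution ('dns'), else the reverse-DNS name ('ptr'), else the bare
    address ('none'). The PTR fallback is what plain NetFlow gives you."""
    ans = index.lookup(flow.src, flow.dst, flow.ts)
    if ans is not None:
        return ans.qname, "dns"
    if flow.dst in ptr:
        return ptr[flow.dst], "ptr"
    return flow.dst, "none"


def correlate(flows: List[Flow], answers: List[DnsAnswer],
              ptr: Dict[str, str]) -> List[Tuple[str, str, int, str, str]]:
    """Label every flow as (src, dst, octets, name, source)."""
    index = DnsIndex(answers)
    return [(f.src, f.dst, f.octets, *label_flow(f, index, ptr)) for f in flows]


# Constructed sample input: what the probe would record from the DNS mirror.
SAMPLE_ANSWERS = [
    DnsAnswer(100.0, "10.1.1.25", "www.youtube.com", "216.58.219.238", 300),
    DnsAnswer(110.0, "10.1.1.40", "www.google.com", "216.58.219.238", 300),
    DnsAnswer(120.0, "10.1.1.60", "assets.example-shop.com", "23.45.67.89", 20),
]

# Constructed PTR table standing in for reverse lookups on those addresses.
SAMPLE_PTR = {
    "216.58.219.238": "lga25s41-in-f14.1e100.net",
    "23.45.67.89": "a23-45-67-89.edge.example-cdn.net",
}

# Constructed flow records exported for the same hosts; all TLS on 443.
SAMPLE_FLOWS = [
    Flow(130.0, "10.1.1.25", "216.58.219.238", 443, 884_210),
    Flow(131.0, "10.1.1.40", "216.58.219.238", 443, 12_400),
    Flow(135.0, "10.1.1.99", "216.58.219.238", 443, 9_870),   # no DNS seen
    Flow(200.0, "10.1.1.60", "23.45.67.89", 443, 55_120),     # TTL expired
]


def sample_report() -> List[Tuple[str, str, int, str, str]]:
    return correlate(SAMPLE_FLOWS, SAMPLE_ANSWERS, SAMPLE_PTR)


if __name__ == "__main__":
    for src, dst, octets, name, source in sample_report():
        print(f"{src:>10} -> {dst:<16} {octets:>8} B  {name} [{source}]")
```

Two design points worth noting. The index is keyed on the client as well as the address, because on a CDN the same address serves different names to different users at the same moment (the two 216.58.219.238 flows above get www.youtube.com and www.google.com respectively). And the TTL check is there so that an old answer is not blindly attached to a much later connection; the `grace` parameter exists because real clients and long-lived keep-alive connections routinely outlast the advertised TTL, so a collector normally allows some slack rather than zero.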

Future of CDN Traffic Monitoring:

Since a lot of malware uses CDNs, and DNS itself, to hide its communication (data exfiltration included), I only see this becoming part of a larger security front that helps both security engineers and network engineers clean up their networks as quickly as possible. As you have seen in our other blogs about tracking down malware with NetFlow, there are many methods, but DNS has proven the most reliable one in recent months. Whether you are looking to track down anomalous behaviors and threats on your network or have recently moved to a cloud-based solution that you need help monitoring, feel free to reach out to our team to get the tools to get it done!

Jake

Jake Bergeron is currently one of Plixer's Sr. Solutions Engineers. He is responsible for providing customers with onsite training and configuration to make sure that Scrutinizer is set up to their needs. Previously he was responsible for teaching Plixer's Advanced NetFlow Training / Malware Response Training. When he's not learning more about NetFlow and malware detection, he also enjoys fishing and hiking.