As a field engineer for Plixer I do my fair share of training customers. I’ve found that the most effective and entertaining way of teaching the use of Scrutinizer is by getting right into the network and showing customers how I look for anything that appears out of place.
While reviewing the Flow Analytics Threats Overview gadget, I decided to drill into the P2P Monitor algorithm. As the customer is a well-known college I had a feeling I would see something interesting here.
When a user clicks on the P2P Monitor link, a new Scrutinizer alarm window pops up showing a list of hosts that are involved in network behavior resembling P2P traffic.
One of the administrators said: “Hey… That right there is a workstation…” We immediately clicked on the user to see what kind of traffic this host was generating.
What surprised me wasn’t the fact that this guy was abusing the college’s bandwidth by taking up about 1.5% of a gigabit link by himself, but how he was able to conceal his abuse by using a port range commonly used for VoIP, in an environment where VoIP isn’t out of the ordinary. This technique allowed the user to circumvent packet shapers and an ASA firewall with an IPS module. To add insult to injury, QoS has been implemented to give priority to VoIP so that others would have to take a back seat to this user’s illegitimate traffic use.
We have to remember that Flow Analytics is analyzing behavior, not just what ports are being used. What gave it away is that although VoIP traffic is not out of the ordinary on this link, the behavior of this VoIP traffic was.
If you look at the bottom of the list, you’ll see conversations using ports commonly reserved for VoIP being used in a way that is not consistent with normal end user VoIP traffic. For practical blogging purposes I had to cut off the report at 100 conversations, but there were several hundred conversations that were too small for real VoIP traffic.
I have to admit I got a kick out of this one. You can run, but you can’t hide from Scrutinizer and Flow Analytics.