As a field engineer for Plixer I do my fair share of training customers. I’ve found that the most effective and entertaining way of teaching the use of Scrutinizer is by getting right into the network and showing customers how I look for anything that appears out of place.

While reviewing the Flow Analytics Threats Overview gadget, I decided to drill into the P2P Monitor algorithm. As the customer is a well-known college  I had a feeling I would see something interesting here.

flow-analytics-threats-overview

When a user clicks on the P2P Monitor link, a new Scrutinizer alarm window pops up showing a list of hosts that are involved in network behavior resembling P2P traffic.

p2p-alarm1

One of the administrators said: “Hey… That right there is a workstation…” We immediately clicked on the user to see what kind of traffic this host was generating.

p2p-using-voip-ports1 What surprised me wasn’t the fact that this guy was abusing the college’s bandwidth by taking up about 1.5% of a gigabit link by himself, but how he was able to conceal his abuse by using a port range commonly used for VoIP, in an environment where VoIP isn’t out of the ordinary. This technique allowed the user to circumvent packet shapers and an ASA firewall with an IPS module. To add insult to injury, QoS has been implemented to give priority to VoIP so that others would have to take a back seat to this user’s illegitimate traffic use.

We have to remember that Flow Analytics is analyzing behavior, not just what ports are being used. What gave it away is that although VoIP traffic is not out of the ordinary on this link, the behavior of this VoIP traffic was.

If you look at the bottom of the list, you’ll see conversations using ports commonly reserved for VoIP being used in a way that is not consistent with normal end user VoIP traffic. For practical blogging purposes I had to cut off the report at 100 conversations, but there were several hundred conversations that were too small for real VoIP traffic.

I have to admit I got a kick out of this one. You can run, but you can’t hide from Scrutinizer and Flow Analytics.

 

Steve Cunha author pic

Steve

Stephen joined Plixer in 2011. Steve’s efforts over the years have helped many customer gain better Visibility and Network Analytics. With more than 5 years of successful technology consultation, Steve has become a thought leader, focusing on how Scrutinizer can be part of a system incorporating other solutions such as Gigamon, Statseeker, Uptime, InfoBlox and Splunk. Firm believer that most organizations will have a larger SDN implementation and greater leveraging the Cloud in the next few years. Steve resides in Scarborough, ME with his wife and two sons.

Related

Leave a Reply