I’m sure many of you are familiar with the rise in targeted attacks via the Internet. How can NetFlow or IPFIX be analyzed to detect these types of security breaches:
- Epsilon email theft resulted in thousands of email addresses being stolen.
- Fox theft resulted in employee information being stolen.
- Sony’s credit card theft resulted in the potentially stolen account numbers of nearly 25 million SOE (Sony’s Online Entertainment division) customers, as well as 77 million more from the PlayStation® Network.
I started thinking about how amazon.com keeps customer credit card information. I’m sure they are under high alert for targeted attacks at all times.
Can the use of NetFlow and IPFIX be leveraged to detect these targeted attacks? How? Does the attack start with a TCP SYN or XMAS scan? Hmm, maybe. How about a behavior baseline? Can we compare existing traffic behavior to what is considered normal? Hmm, maybe. Consider this: the machine that hacked the database may well communicate with the compromised system on a daily basis, so its traffic looks like part of the baseline. NetFlow behavior baselines may not detect this type of targeted attack, but they can be useful for detecting rogue traffic caused by:
- DoS Attacks
- DHCP Pirates
- Illegal DNS Traffic, etc.
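As an added example that is not code from the original post or from any NetFlow product, the following Python script shows what a flow-level behavior baseline can and cannot see. It learns which peers each host talks to during a known-good window of NetFlow v5-style records, then flags the kinds of rogue traffic listed above in a later window: DNS sent to a resolver that is not approved, DHCP offers from an unapproved server, a burst of half-open connections from many sources against one host (a SYN-flood pattern), and a host contacting a peer it has never used before. The approved-server addresses, the thresholds and every flow record are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Approved infrastructure for the monitored segment (constructed for this example).
APPROVED_DNS = {"10.0.0.53"}
APPROVED_DHCP = {"10.0.0.1"}
SYN_ONLY = 0x02          # NetFlow v5 tcp_flags value when only SYN was ever seen on the flow
DOS_SYN_SOURCES = 20     # distinct half-open sources against one host in a window


@dataclass
class Flow:
    """The subset of NetFlow v5 record fields this example uses."""
    src: str
    dst: str
    proto: int       # 6 = TCP, 17 = UDP
    sport: int
    dport: int
    packets: int
    octets: int
    tcp_flags: int = 0


def learn_baseline(flows: List[Flow]) -> Dict[str, Set[Tuple[str, int]]]:
    """Record the (destination, port) pairs each source talked to during a known-good window."""
    baseline: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
    for f in flows:
        baseline[f.src].add((f.dst, f.dport))
    return baseline


def detect(flows: List[Flow], baseline: Dict[str, Set[Tuple[str, int]]]) -> List[tuple]:
    """Compare a new window of flows with the baseline and return (kind, detail, ...) alerts."""
    alerts: List[tuple] = []
    syn_sources: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        if f.dport == 53 and f.dst not in APPROVED_DNS:
            alerts.append(("illegal_dns", f.src, f.dst))
        elif f.proto == 17 and f.sport == 67 and f.src not in APPROVED_DHCP:
            alerts.append(("rogue_dhcp_server", f.src, f.dst))
        elif f.src in baseline and (f.dst, f.dport) not in baseline[f.src]:
            alerts.append(("new_peer", f.src, f.dst))
        if f.proto == 6 and f.tcp_flags == SYN_ONLY:
            syn_sources[f.dst].add(f.src)   # half-open connection: count the source
    for dst, srcs in syn_sources.items():
        if len(srcs) >= DOS_SYN_SOURCES:
            alerts.append(("syn_flood", dst, len(srcs)))
    return alerts


# Constructed flows: a known-good window followed by a window containing four problems.
BASELINE_FLOWS = [
    Flow("10.0.1.10", "10.0.0.53", 17, 51000, 53, 2, 180),
    Flow("10.0.1.10", "203.0.113.5", 6, 51001, 443, 40, 31000, 0x1b),
    Flow("10.0.1.11", "10.0.0.53", 17, 51002, 53, 2, 170),
    Flow("10.0.1.11", "203.0.113.5", 6, 51003, 443, 35, 28000, 0x1b),
]

OBSERVED_FLOWS = [
    Flow("10.0.1.10", "10.0.0.53", 17, 52000, 53, 2, 180),            # normal lookup
    Flow("10.0.1.10", "198.51.100.7", 17, 52001, 53, 3, 260),         # DNS to a foreign resolver
    Flow("10.0.1.11", "203.0.113.9", 6, 52002, 443, 12, 9000, 0x1b),  # never-seen peer
    Flow("10.0.1.99", "255.255.255.255", 17, 67, 68, 1, 342),         # DHCP offer from an unapproved host
] + [
    # 25 half-open connections from distinct sources against one web server
    Flow(f"198.51.100.{i}", "10.0.1.20", 6, 40000 + i, 80, 1, 60, SYN_ONLY)
    for i in range(1, 26)
]


def run_example() -> List[tuple]:
    return detect(OBSERVED_FLOWS, learn_baseline(BASELINE_FLOWS))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Note what the baseline does not catch: a compromised host that was already talking to the attacker's machine during the learning window produces no new_peer alert at all, which is exactly the limitation the paragraph above describes.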
Targeted attacks often start with the perpetrator doing some homework first. Sites like Facebook, Twitter, MySpace, etc. might be studied for background information. Armed with employee information, the perpetrator plots a diabolical targeted attack.
Baselining behavior to help detect targeted attacks should be done on the servers, within the applications themselves. Software developers should build behavior baselining into the applications and databases the business depends on: for example, what queries individual users normally execute, what reports they usually run, and so on. A query on a new data source could increase a threat index. NetFlow and IPFIX exports do not contain enough information to give this kind of insight into an individual end system's application behavior.
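The application-level baseline described above, as an added example that is not part of the original post: a small Python class learns which data sources each account normally queries, then, during monitoring, raises that account's threat index each time it touches a data source outside its learned set and reports accounts whose index crosses a threshold. The regex-based table extractor, the weights and the query log are all constructed for the example; a real deployment would feed the baseline from the database's own audit log rather than scanning SQL text.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Crude extractor for the data sources a SQL statement touches. It is enough for
# the constructed queries below; production code would use the database's audit
# log or parser instead of a regular expression.
TABLE_RE = re.compile(r"\b(?:from|join|into|update)\s+([A-Za-z_][\w.]*)", re.IGNORECASE)


def data_sources(sql: str) -> Set[str]:
    return {m.group(1).lower() for m in TABLE_RE.finditer(sql)}


class QueryBaseline:
    """Per-user baseline of the data sources each account normally queries.

    A query against a data source outside the learned set raises the account's
    threat index; an index at or above the threshold produces an alert.
    """

    def __init__(self, new_source_weight: int = 5, threshold: int = 10) -> None:
        self.known: Dict[str, Set[str]] = defaultdict(set)
        self.threat_index: Dict[str, int] = defaultdict(int)
        self.new_source_weight = new_source_weight
        self.threshold = threshold

    def learn(self, user: str, sql: str) -> None:
        """Learning phase: record the data sources seen in known-good activity."""
        self.known[user] |= data_sources(sql)

    def observe(self, user: str, sql: str) -> List[str]:
        """Monitoring phase: score one query and return the data sources new for this user."""
        new = data_sources(sql) - self.known[user]
        self.threat_index[user] += self.new_source_weight * len(new)
        # Fold the new source into the baseline so repeated use is scored once;
        # the raised index, not repeated alerts, is what an analyst reviews.
        self.known[user] |= new
        return sorted(new)

    def alerts(self) -> Dict[str, int]:
        return {u: i for u, i in self.threat_index.items() if i >= self.threshold}


# Constructed query log: a learning window followed by a monitoring window.
LEARNING_QUERIES: List[Tuple[str, str]] = [
    ("alice", "SELECT id, total FROM orders WHERE customer_id = 42"),
    ("alice", "SELECT name FROM customers WHERE id = 42"),
    ("bob", "SELECT * FROM reports.daily_sales"),
]

MONITORED_QUERIES: List[Tuple[str, str]] = [
    ("alice", "SELECT id, total FROM orders WHERE customer_id = 7"),        # normal for alice
    ("alice", "SELECT pan, expiry FROM payment_cards"),                      # new data source
    ("alice", "SELECT c.email FROM customers c JOIN payment_cards p ON p.customer_id = c.id"),
    ("alice", "SELECT username, password_hash FROM credentials"),            # second new source
    ("bob", "SELECT * FROM reports.daily_sales"),                            # normal for bob
]


def run_example() -> QueryBaseline:
    baseline = QueryBaseline()
    for user, sql in LEARNING_QUERIES:
        baseline.learn(user, sql)
    for user, sql in MONITORED_QUERIES:
        new = baseline.observe(user, sql)
        if new:
            print(f"{user}: new data source(s) {new}, threat index now {baseline.threat_index[user]}")
    return baseline


if __name__ == "__main__":
    print("accounts over threshold:", run_example().alerts())
```

The third monitored query touches payment_cards again but adds nothing to alice's index, because the source was folded into her baseline when first seen; it is the accumulation across distinct unfamiliar sources that pushes her over the threshold, while bob's unchanged routine scores zero.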
What was NetFlow intended for? Here is what Cisco says:
“NetFlow efficiently provides a key set of services for IP applications, including network traffic accounting, usage-based network billing, network planning, security, Denial of Service monitoring capabilities, and network monitoring. NetFlow provides valuable information about network users and applications, peak usage times, and traffic routing.”
The details of how an end system normally uses the inner workings of an application are worth baselining, but today this information is largely unavailable. The traffic details created by the connections and exported in NetFlow v5 may not be very helpful in detecting well-thought-out targeted attacks.
In practice, NetFlow and IPFIX are largely used for investigations, although they certainly can be used to alert on strange behaviors. NetFlow does not *yet* allow the same type of deep inspection functionality that can be gleaned from an IDS/IPS. Certain types of attacks can be detected, but NetFlow does not necessarily provide a smoking gun. The more stealthy and clever the attack, the harder it is to identify via NetFlow, much the same way that it is harder to convince a jury on purely circumstantial evidence than on physical evidence.
A targeted attack will be captured in NetFlow, but how can something like a targeted APT (Advanced Persistent Threat) attack be picked out of tens of thousands of flows per second? NetFlow will help detect some threats, but not all of them. What if the data being stolen is less than 1K?
The Bottom Line
NetFlow and IPFIX should not be the entire network security protection plan and are unlikely to replace the IDS or IPS anytime soon. We are seeing more and more hardware (e.g. routers, switches and firewalls) implement deeper security methods and export the findings using NetFlow and IPFIX. We will keep reporting on NetFlow and using our Flow Analytics technology to provide threat detection as a way to augment existing threat detection efforts.
Perhaps building deep application baselines is an opportunity for the new Citrix AppFlow technology with Netscaler in combination with hardware?