NetFort Advertising

A week in the life of a network; Shellshock and other random issues

network switch

Shellshock Worm and Other Network Issues

Last week was an interesting one for most IT managers. Early on in the week the security hats had to be worn to get an understanding of the Shellshock worm and what systems were vulnerable. By now most of you will have a handle on this. If you are still worried about this, we have added IDS signatures to LANGuardian which should detect exploit attempts.

For non IT people the world of IT seems to be about this, dealing with occasional attacks and for the rest of the time we are watching videos on YouTube. The reality is much different, most IT people are constantly dealing with user issues.

We heard about an interesting example from one of customers this week. At some stage on Friday they noticed that response times to services on the Internet were very slow. Users were blaming the network, an IT problem to fix.

In order to get to the bottom of a problem like this (find the smoking gun) you need data. You could check firewall logs or deploy a flow analysis tool. What we will see is IP address connecting to other IP address and data being sent\received.

Network flow

Is it the smoking gun that we are looking for? Probably not, it certainly is the sound of gunfire; something is going on but we can’t start finger pointing yet. If we do start telling users to stop connecting to certain IP addresses much confusion will ensue.

Coming back to our customer who has LANGuardian installed. They were able to drilldown further into the traffic as LANGuardian uses deep packet inspection to capture metadata from network packets. Metadata is stuff like website names, file names, and host names. What they found was two things. Lots of downloads of iOS 8 to corporate laptops and a bunch of users streaming the opening round of the Ryder cup. The image below shows what metadata from packets looks like when you match it up with usernames.

Packet Metadata

For most this is the smoking gun, who and what was happening at the time the Internet connection slowed down. The evidence to prove that it was not the network faults but misuse of it. When it come to forensics names (users, files, websites, hosts) are important, the proof that stops any finger pointing stone dead and saves time.

Don’t forget that your traffic can give you unbelievable levels of visibility and you usually can get at it very easily and unobstrusively using your SPAN or mirror port. If you don’t already capture metadata from network packets, try out our LANGuardian which comes as a free 30 day trial. You will be amazed at the information which can be pulled from network packets.

Darragh Delaney