What is DNSpionage?

Late last year, Cisco Talos discovered a DNS hijacking attack targeting Lebanon and the United Arab Emirates (UAE) affecting .gov domains, as well as a private Lebanese airline company.

Talos said the perpetrators of DNSpionage were able to steal email and other login credentials by hijacking the DNS servers for these targets, so that all email and virtual private networking (VPN) traffic was redirected to an Internet address controlled by the attackers.

How can you detect the presence DNSpionage activity on your network?

Earlier this year, security firm CrowdStrike published a blog post listing IP addresses and domain names known to be used by the espionage campaign to date. If you want to check for the presence of DNSpionage activity on your network, you should monitor network traffic at your networks perimeter and watch out for any activity associated with the IP addresses or domains.

Using LANGuardian to detect DNSpionage activity

Our LANGuardian product includes both a network traffic analysis module which can capture IP addresses and a DNS decoder to extract metadata from DNS queries. You just need to monitor network traffic going to and from your Internet gateways to gain visibility into what is happening and root out any suspicious activity.

Once you have LANGuardian deployed, you need to check two reports for DNSpionage activity.

Check applications report for any traffic associated with the IP addresses connected to the espionage campaign.

1. Log onto your LANGuardian and click on All Reports / Applications in Use
2. Enter the IP range listed above into the Source or Destination IP/Subnet report filter
3. Run report
4. Optionally you can save this as a custom report by clicking on Actions / Save As

You should not see any results in the report when you run it. If you do, you need to check the systems on your network that are communicating with the IP addresses. The image below shows the report output from my lab network, no results returned which is what you are aiming for. Click on this image to access this report on our online demo.

Check DNS queries for any lookups associated with the domains connected to the espionage campaign.

1. Log onto your LANGuardian and type DNS Lookups into the search box top center. Select the report Network Events (DNS Lookups)
2. Enter the domain list shown above into the Domain report filter. Select Matches regexp from the dropdown
3. Run report
4. Optionally you can save this as a custom report by clicking on Actions / Save As

You should not see any results in the report when you run it. If you do, you need to check the systems on your network that are trying to resolve one or more domains from the list. The image below shows the report output from my lab network. I do show some activity and I will need to do further analysis of the local client 10.1.1.159.

How to monitor network traffic going to and from the Internet.

The video below shows the steps needed to get traffic monitoring in place so that you can check for DNSpionage activity on your network

More reasons to check inbound traffic on your network

Looking though the latest infosec news this week I spotted two exploits which use similar attack methods.

• Printers targeted via TCP port 9100 by external clients
• Poorly configured Ethereum nodes targeted over port 8545

In both cases hosts located outside your network try to connect to devices hosted inside your LAN or cloud environments. The printer exploit is an unusual one. It’s main purpose is to deliver PewDiePie propaganda around the world. PewDiePie is currently the most subscribed to channel on YouTube. Recently it has been in a battle for this position with an Indian company called T-Series.

Over the last couple of days, Twitter users have been posting screenshots of unsolicited printouts from internet-connected printers that say that PewDiePie needs their help. A Twitter user called TheHackerGiraffe has claimed responsibility but had claimed they did this to raise awareness of printers and printer security.

The second inbound exploit attempt has a more sinister background. A cybercriminal group has managed to steal a total of 38,642 Ethereum, worth more than $20,500,000, from clients exposing the unsecured interface on port 8545. The process behind this is simple. External clients scan your network on port 8545, looking for geth clients and stealing their cryptocurrency. Geth is a multipurpose command line tool that runs a full Ethereum node implemented in Go.

How to monitor inbound traffic on your LAN

One quick check you can do to check for port 9100 or 8545 activity is to check if the ports are open on your firewall. While this is not an indication of activity you should consider shutting them down for all external clients.

A better approach is to monitor network traffic going to and from the Internet using a SPAN, mirror port or network TAP. Once a traffic source is established you can use a product like our own LANGuardian to report on what ports and applications are been used.

The image below shows an example of what to look out for. In this case we can see evidence of SMB activity. Ports like 9100 or SMB which uses 445 should not be open for unknown clients. Click on the image below to access this report on our online demo.

In the next example we are looking at what ports are accepting connections from external clients. Again we can see the activity on TCP port 445. Looking though the results, I also need to check the activity on port 49158. Click on this image to access the report on our online demo.

In order to check your firewall configuration and get visibility of traffic at an application level allowed in through your firewall, simply deploy a traffic analysis system such as LANGuardian and configure the sensor SPAN or mirror port correctly.

You can easily use a SPAN port for example to monitor traffic from your  internal network to and from the firewall. A very useful and simple validation of those firewall rules sometimes configured by an external consultant. The video below goes through what is needed to get network traffic analysis in place at your network edge together with the steps to get LANGuardian in place monitoring this traffic.

How to monitor inbound traffic in the cloud

When an infosec alert like the ones mentioned above goes out, the oblivious thing to do is check your on premise data centers for suspicious activity. This is certainly a good starting point. However, don’t forget about your cloud based networks. They may be targeted even more than your on premise networks. Getting visibility in the cloud is not as straightforward as with a more traditional on premise network.

Recently we announced support for AWS VPC Flow Log Analysis and we will also have an option for Azure monitoring shortly. I took a look at reports associated with our AWS estate and sure enough there is evidence of inbound activity on port 9100, see image below. In our case this was blocked. I observed similar activity for inbound connections on 8545.

If you have any questions about how to monitor traffic on your network using LANGuardian, or would like to know more about how our network traffic monitoring tool can meet your organization´s requirements, do not hesitate to contact us and speak with one of our helpful technical support team.

Monitoring traffic on your network is important if you want to keep it secure and running efficiently. The information obtained by network traffic monitoring tools can be used in multiple security and IT operational use cases to identify security vulnerabilities, troubleshoot network issues and analyze the impact new applications will have on the network. These 5 tips should help you get the most out of your network traffic monitoring application.

1.    Choose the right data source

Whatever your motive for monitoring network traffic, you have two main data sources to choose from:

1. Flow data: which can be acquired from layer 3 devices like routers
2. Packet data: which can be sourced from SPAN, mirror ports or via TAPs

Flow data is great if you are looking for traffic volumes and mapping the journey of a network packet from its origin to its destination. This level of information can help detect unauthorized WAN traffic and utilize network resources and performance. However, flow-based tools for monitoring network traffic lack the detailed data to detect many network security issues or perform true root cause analysis.

Packet data extracted from network packets can help network managers understand how users are implementing/operating applications, track usage on WAN links, and monitor for suspicious malware or other security incidents. Deep packet inspection tools provide 100% visibility over the network by transforming the raw metadata into a readable format and enabling network managers to drill down to the minutest detail.

The image below shows a good approach when it comes to network traffic monitoring for most networks. A SPAN or mirror port is configured at the network core which allows for the capture of any traffic passing through. In my example this would allow me to capture traffic going to and from the Internet as well as traffic associated with important servers.

4.   Associate the data with usernames

Traditional network traffic monitoring tools usually report on activity using IP or MAC addresses. While this is useful information, it can be problematic in DHCP environments if you are trying to find a problematic device. One piece of information that can bring together network activity and devices is usernames. Username association will let you know who is doing what on the network.

5.    Check the flows and packet payloads for suspicious content

Many networks have intrusion detection systems at the edge but very few have this type of technology monitoring internal traffic. All it takes is one rogue mobile or IoT device to compromise a network. Another issue I often see are firewalls allowing  suspicious traffic through where a rule was misconfigured.

The image below shows an example of this: someone created a rule to allow traffic inbound on TCP 5901 (VLC remote desktop sharing), but they did not limit it to one source and destination. The source addresses in this case appear to be registered in China and connections from this country would not be expected to connect to this network.

Summary

Not all tools for monitoring network traffic are the same. Generally they can be broken down into two types – flow-based tools and deep packet inspection tools. Within these two types you have the choice of tools that use/don´t use software agents, tools that store/don´t store historical data, and tools with intrusion detection systems that monitor network traffic within the network as well as at the network edge.

• Choose flow based analysis tools if you want to get traffic volumes and IP addresses associated with WAN or other layer 3 links
• Choose packet analysis tools if you need traffic volumes, IP addresses and more detail to investigate security or operational issues.

If you would like to discuss any of the points raised in this article, do not hesitate to contact us.

HTTP Background

Designed in the early 1990s, HTTP is an application layer protocol that is sent over TCP, though any reliable transport protocol could theoretically be used. Typically it uses TCP port 80 but this can be changed. Due to its extensibility, it is used to not only fetch hypertext documents, but also images and videos or to post content to servers, like with HTML form results. HTTP can also be used to fetch parts of documents to update Web pages on demand.

Google are promoting a move away from HTTP

For the past several years, Google have moved towards a more secure web by strongly advocating that sites adopt HTTPS encryption. It started back in 2014 when they announced that they were using HTTPS as a ranking signal. If you moved your site away from HTTP and onto HTTPS you would receive a tiny boost in the Google search rankings.

Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”. If you host your own web servers it could mean that users will be less likely to interact with them if their browsers are marking them as insecure. Now is the time to move your websites from HTTP to HTTPS.

Generating an inventory of HTTP servers using network traffic analysis.

HTTP servers normally run over TCP port 80.However, you can configure HTTP servers to run over any port so generating a list of web servers running over TCP port 80 may not result in the complete list. Another method to detect webservers would be to use a network scanning too that would check for anything listening on port 80 or other ports.

One thing to watch with the scanning approach is to make sure all servers are powered up when you run the network scan. Another issue with this approach is that you won’t be able to find out if users from outside your network are accessing these servers, you will just know that they are active.

Our recommended appoach is to monitor network traffic going to and from your web servers. You can do this by setting up a SPAN\Mirror port or by using a TAP device. If you are only concerned about users outside of your network, you just need to monitor your Internet gateway points. The video below goes through the process of getting network monitoring in place at your network edge.

Once you have a data source in place (SPAN\Mirror\TAP) you can then check for web server activity by searching for specific metadata such as a HTTP GET. For small networks you can manually do this using tools like Wireshark. For larger networks you can automate this with an application such as our own LANGuardian. It has built in web traffic decoders which can automatically build a HTTP server inventory 24/7.

Using LANGuardian to passively detect HTTP servers on your network

LANGuardian comes with an application recognition engine which can report on what applications are in use on your network. If you combine these reports with filters you can quickly find out what web servers are on your network and also which are being accessed by clients and their countries outside your network.

The image below shows an example of the output. Here we can see that we had 6 HTTP servers active on our network for the past 1 hour sample time period. Also worth noting is that some of these web servers are running on non standard ports; 8080 and 5357.

If you have a LANGuardian on your network you need to select the “Top Website Domains” report and use these filters

1. Source = External
2. Destination = Internal
3. Protocol = HTTP

Click on the image above to access this report directly on our live demo system and drill down.

What is the QUIC Protocol?

QUIC (Quick UDP Internet Connections, pronounced quick) is a transport layer network protocol designed by Jim Roskind at Google. QUIC supports a set of multiplexed connections between two endpoints over User Datagram Protocol (UDP), and was designed to provide security protection equivalent to TLS/SSL, along with reduced connection and transport latency, and bandwidth estimation in each direction to avoid congestion. QUIC aims to be nearly equivalent to an independent TCP connection, but with much reduced latency.

The most common use of QUIC today is for streaming YouTube videos. If you use a Chrome browser then data associated with your YouTube activity uses the QUIC protocol. Some reports suggest that QUIC now accounts for more than 5% of Internet Traffic. Other browsers such as Opera version 16 and above also support the QUIC protocol but don’t have it enabled by default.

How to detect QUIC protocol use on your network

The most reliable way to detect QUIC protocol use on your network is to monitor network traffic at your network edge. Our LANGuardian product can use this data source to look at packet payloads and identify what protocols are in use. The video below shows how to set up a SPAN or mirror port to capture traffic at your network edge.

Once you have your LANGuardian in place you need to click on Reports \ Top Protocols. In my case the QUIC protocol account for 78% of bandwidth use.

Drilling down on this we can then see the Googlevideo domain and the usernames associated with this activity. Googlevideo is the domain Google use for streaming YouTube content.

Upgrade your LANGuardian to enable QUIC detection

QUIC detection was added to LANGuardian version 14.3.2. If you are a customer you must upgrade to this or higher version. Click on the gear symbol top right, then settings \ LANGuardian software upgrade. Your LANGuardian must have Internet access to check for and download the latest version.

If you are not a LANGuardian customer then you can download a 30 day trial and see within minutes how much bandwidth the QUIC protocol is using on your network.

How to monitor OneDrive traffic

OneDrive is a file hosting service developed by Microsoft that allows users to sync files and later access them from any web browser or mobile device. Presently, their basic OneDrive free package allows for 5GB of storage and you can upgrade to a premium offering which allows for 1TB of storage. This can result in high bandwidth use associated with OneDrive traffic.

A common question asked by our customers is how to provide reports about flow data usage by the Microsoft OneDrive application. The application requires access to a range of external websites and port numbers which can make it tricky to get a top level view of bandwidth use.

From an IP lookup point of view, all of the IP addresses are registered to Microsoft, so you may not be able to definitely say it was OneDrive traffic activity using IP look up alone.

Firstly, all of the traffic is encrypted, ignore the HTTP part as that was me browsing other sites. This would be standard practice for all cloud storage services; I would be very surprised to find one that was not using encryption and if so, I would refuse to use it.

Drilling down on the HTTPS traffic, it revealed that the data was associated with the live.com domain. This would make perfect sense as OneDrive is included in the suite of online services formerly known as Windows Live.

Further analysis highlights that this activity is associated with storage sub domains within live.com. LANGuardian captures this by dissecting the server’s SSL certificate (which is always required to be presented to the client) and at this point, it can extract the server\domain name. By filtering on this sub domain info, it would then be possible to show how much data is associated with OneDrive.

Finally, looking at the GeoIP data, I can see that the IP addresses are registered in the US. Nothing strange here, as I think all of Microsoft’s IP blocks are US registered.

If you want to check for OneDrive traffic volumes on your network, download a 30 day trial of LANGuardian, install on a standard server or VMware and simply connect to a SPAN port or port mirror, to find out what is happening on your network within minutes.

2016 Top Blog Posts

As we look back on 2016, we review our top 5 blog posts from the year that highlight key challenges and share solutions on how we have helped our customers (I know most like to show their top 10 blog posts, but we think that’s too many to read all at once!).

 1. Tracking Web Activity by MAC Address (Read)

Tracking web activity is nothing new! For many years, IT managers have tried to get some sort of visibility at the network edge so that they can see what is happening. One of the main drivers for this is the need to keep the network secure no matter what type of device gets connected. As Internet usage is constantly growing, malicious, phishing, scamming and fraudulent sites are also evolving. In this post, we take a look at how to track web activity back to MAC addresses.

2. Five Methods for Detecting Ransomware Activity (Read)

New variants of Ransomware are appearing on a daily basis and traditional security tools like antivirus are struggling to keep up. New variants have also changed the way they encrypt files and what happens your data once it is encrypted. Here, we take a look at 5 methods for detecting and alerting on Ransomware activity.

3. Forensic Analysis of a DDoS Attack (Read)

2016 was a busy year for DDoS style attacks and a recent article from the BBC also suggests that website-crippling cyber-attacks are set to rise. We look at what happens when a network is targeted and what you should watch out for on your own network.

4. Monitoring multiple VLANs with a single SPAN session (Read)

SPAN or mirror ports can be a rich source of network and user activity data. Most people set them up so that one port is mirroring another port. However, most switches support many-to-one port mirroring and some even support VLAN monitoring. In this post, we look at how you can configure VLAN monitoring on a Cisco switch.

5. Building Your Own Cryptolocker Monitoring Dashboard (Read)

This is the second Ransomware themed post in our top 5 which indicates how much of a problem Ransomware was in 2016. In this post, we look at how you can build a LANGuardian dashboard to focus on suspicious network file share activity.

Let us know what your favorite blogs were in 2016 in the comments below – and perhaps, tell us what you would like us to cover. We are always listening!

So, you don’t miss any of our blogs in 2017, subscribe here!

Normal NTP traffic vs. DDoS NTP traffic

Yet again, DDoS attacks were in the news when the recent Dyn outage took a lot of popular websites and services offline. DDoS attacks of this nature are an ever present threat and are similar to ones which shutdown a number of government and college networks earlier this year.  I covered this attack in an earlier blog post which looked at the forensic analysis of a DDoS attack.

Each of these attacks used spoofed packets based on UDP protocols like NTP or DNS. Both of these protocols are vital when it comes to data communications, so we cannot just switch them off. What we all need to do is monitor network traffic on our networks and watch out for suspicious activity.

If you want to carry out detailed forensics on current and past events, packet capture is the recommended approach, as it will enable you to look at packet payloads which can reveal a lot about the nature of the attack. A SPAN, mirror port or network TAP are the most popular methods for getting a source of network packets.

Take a look at this short video, as it explains the basics of what you need to do to monitor Internet traffic on your network.

How to tell the difference between normal NTP and DDoS NTP traffic

Firstly, let us take a look at what a snapshot of normal NTP traffic looks like on a network. The screen shot below was taken from a LANGuardian system which was monitoring all traffic at the edge of a busy network.

1. The first thing we see is random external IP addresses sending UDP packets. This would suggest that this network is hosting open NTP servers. Unless, there is a specific reason for this, I would not allow inbound queries like these.
2. The destination IP address is local to this network. I have blurred some of the information as it has IP addresses associated with this specific network.
3. The destination port is 123 which is associated with NTP.
4. The total amount of data sent back to the queries is small or zero in some cases. This is normal when it comes to NTP.

Now, lets take a look at NTP traffic associated with a DDoS attack. The image below was taken from the same network when it was targeted with a DDoS attack. The initial symptom was high CPU usage on firewalls which then lead to network congestion when Internet links became swamped with traffic. What was also interesting is the firewall logs were inaccessible, so it was vital, that we had a separate network traffic monitoring tool in place.

1. Random external source addresses. Nothing unusual here other than the question if this network should be providing open NTP services
2. The destination IP is located inside this network. Note that the source IP is probably spoofed by the attackers. This is not the IP address of their system so its pointless blocking these source IP addresses.
3. Targeted service is NTP.
4. The crucial info is in the received column. Here, we can see that for a small amount of sent traffic there is a large reply. 18KB may not seem like a lot but when you have millions of queries it can add up to a massive DDoS NTP traffic attack.

Summary

• Not matter what size of network you are responsible for, you need to monitor network traffic.
• Don’t rely on log files as they may not be accessible if your network comes under attack.
• Watch out for suspicious activity like DDoS NTP traffic where the received totals are much higher than what is been sent.
• Make changes to firewall rules based on your findings. If you run public services inside your network, move them to a DMZ or block access if it something that should not be in place.

To find out if LANGuardian is the right solution for your business, visit www.netfort.com/languardian

About NetFort

NetFort provides network traffic and security monitoring software for virtual and physical networks. NetFort’s flagship product, LANGuardian, is unique in the marketplace thanks to its powerful deep-packet inspection technology that can be downloaded and deployed on standard physical or virtual hardware to provide comprehensive visibility in minutes. Organizations worldwide depend on LANGuardian solutions from monitoring user activity to file activity monitoring, web activity monitoring, network security monitoring,bandwidth monitoring, wire data analytics, network forensics to packet capture.

To see LANGuardian in action – try our interactive demo today!

Customer Use Case: Top wireless users downloading from the internet

Last week, we had an interesting request from one of our customers. In their own words, they requested “I’m looking for a new report on our Internet Monitoring dashboard. I want to list the top wireless users downloading from the internet”.

Specifically, the customer had 3 questions they wanted answering:

(1) On average, how many users are downloading 5GB and over an hour?
(2) On average, how many users are downloading 2.5GB and over an hour?
(3) If we limit users to 5Mbps, how much bandwidth would we save for distribution between other users?

They really needed to see the level of downloads and gauge the effect of implementing rate limiting wireless users.

Our Support Team worked with them to update their LANGuardian dashboards, so that they had access to a new set of reports which focused on wireless client activity.  The response from the customer was “Excellent, exactly what I was looking for” needless to say, great to see another happy customer. The image below depicts what this dashboard looks like now.

Providing reliable wireless network access is a must for most Network Managers these days. Between the demands from network users to use their own wireless devices to the moves to an IoT connected world, it is vital that wireless networks are both secure and efficient. It simply just takes one or two wireless clients to hog bandwidth availability and suddenly all users are impacted.

One of the challenges with monitoring BYOD devices on wireless networks is that traditional monitoring tools which require logs or software agents won’t work. You will struggle to enable any sort of local logging on mobile devices and the owners of these devices never want to put monitoring agents/software on them.

If you want to monitor what wireless users are doing on your network, you can use network traffic analysis as a data source. Essentially, there are two main technologies that you can choose from, if you want to perform traffic analysis on your network:

(1) Flow analysis

(2) Packet analysis

Flow analysis tools struggle with wireless traffic as they only report on IP addresses and ports. Network traffic analysis tools which use deep packet inspection technologies can capture wireless device metadata from HTTP headers. A sample report from a traffic analysis application is shown below.

A SPAN or mirror port is an ideal source if you want to monitor Internet traffic. It provides for a passive way of capturing network packets which means it will not impact on network performance. Network TAPs can be used as an alternative if you do not want to use SPAN ports. Check out this video below to see how you can set up a SPAN port to monitor internet activity.

Another advantage with using network packets as a data source is that you can identify what type of mobile devices are connecting to your network. When a mobile device connects to a web site, it transmits device specific information in the User-Agent field of the HTTP header. The image below shows how this information can be then used to report on what is connecting to your network via wireless.

To find out if LANGuardian is the right solution for your business, visit www.netfort.com/languardian

About NetFort

NetFort provides network traffic and security monitoring software for virtual and physical networks. NetFort’s flagship product, LANGuardian, is unique in the marketplace thanks to its powerful deep-packet inspection technology that can be downloaded and deployed on standard physical or virtual hardware to provide comprehensive visibility in minutes. Organizations worldwide depend on LANGuardian solutions from monitoring user activity to file activity monitoring, web activity monitoring, network security monitoring,bandwidth monitoring, wire data analytics, network forensics to packet capture.

To see LANGuardian in action – try our interactive demo today!

Analyzing Network Traffic – Where To Start

If you want to find out what is happening on your network, analyzing network traffic is great way to start. By capturing traffic from a SPAN, mirror port or network TAP you have a non intrusive way for gaining visibility without the need for software agents or clients.

If you want to upgrade from capturing local traffic on a client using applications like Wireshark, it may not be obvious where to start capturing. In this blog post, I take a look at the most important points on a network which you should focus on. In all cases, you can use either a SPAN port, port mirror, TAP or network packet broker (NPB) to act as a data source for network packets.

1.  Network Perimeter \ Internet Gateway

The best starting point for any type of traffic analysis strategy is at the edge of your network. Many bandwidth or security issues can be investigated by implementing network traffic analysis at this point. With the traffic analysis tool, you can spot things like large downloads, streaming or suspicious inbound or outbound traffic. Make sure you start off by monitoring the internal interfaces of firewalls, this will allow to track activity back to specific clients or users.

This video explains how you can use a SPAN port to monitor internet activity.

2. Network Core

Once you have visibility at the network edge, you should then look at analyzing network traffic at the network core. Most managed switches will allow you to take a copy of traffic going to\from multiple ports and send it to a single port where you can plug in your traffic analysis tool. On certain switches such as Cisco, you can monitor entire VLANs so you don’t need to worry about monitoring specific ports.

The key thing to watch out for when monitoring at the core is that you don’t overload the SPAN port. If you max out the capacity, you may need to consider splitting the traffic across two SPAN\mirror ports or upgrading to 10gb, if you are currently using 1gb ports.

3. DMZ

4. Remote Networks

If you are analyzing network traffic at your network core, you should be able to see what is happening on WAN links. This is possible through the use of filters based on the subnets in use at the remote sites. You can read more about this in my recent blog post which looked at a number of ways for generating reports on WAN bandwidth utilization.

However, you will need to analyze traffic locally at the remote sites if you want to see what is happening on these remote networks. A typical use case for this would be identifying the source of a broadcast or unicast storm at the remote network.

5. East West Traffic on Virtual Platforms

If you use virtual environments like VMware, Hyper-V or VirtualBox, you will have virtual networks in place. These networks are built up from virtual switches which are mapped to the physical interfaces on the Hypervisor. However, network traffic can flow between virtual hosts that will never appear on the physical network. This has now become a common blind spot for many Network Managers who have virtualized one or more servers.

In order to gain visibility within a virtual environment, you need to deploy a virtual machine capable of analyzing network traffic flowing through a virtual switch. The following video explains what needs to be done to implement this on an ESX server.

We have further videos available within the resources section on this website which looks at what you need to do on other Hypervisors.

About NetFort

NetFort provides network traffic and security monitoring software for virtual and physical networks. NetFort’s flagship product, LANGuardian, is unique in the marketplace thanks to its powerful deep-packet inspection technology that can be downloaded and deployed on standard physical or virtual hardware to provide comprehensive visibility in minutes. Organizations worldwide depend on LANGuardian solutions from monitoring user activitytofile activity monitoring, web activity monitoring, network security monitoring, bandwidth monitoring, wire data analytics, network forensics to packet capture.

To see LANGuardian in action – try our interactive demo today!

The perimeter of most networks is a busy place. From the constant bandwidth battles with resource hungry applications to the security threats posed by malware like Ransomware. Gone are the days of SNMP graphs for monitoring the internet user; today’s IT professionals need the detail provided by deep packet inspection technologies and firewall logs. Monitoring internet traffic is vital for keeping a network running secure and efficient.

Deep packet inspection once had the name of an expensive and difficult to use technology, as most solutions were appliance based and required specific skill sets to use. However, there are many low cost and easy to use products available now. All you need to do is is setup a SPAN port or install a TAP and you will gain visibility of what is happening on your Internet connection.

Recently, we asked our customers what their top use cases were for internet traffic analysis. Interestingly, the results returned a number of operational and security use cases. Here, we just take a look at the top 5.

1. Look for unexpected traffic on specific ports

There are two primary TCP ports used for internet browsing. TCP port 80 for non-encrypted communications and TCP 443 for encrypted sessions. However, many applications can use these ports, such as Skype, Dropbox and Bitorrent. In today’s world, you cannot assume that all activity on port 80 or 443 is web page browsing.

Many of our customers want reports which look for all outbound traffic on port 80/443 but where the traffic type isn’t HTTP/HTTPS. They are struggling with flow tools as they were never designed as a web usage tracker. Monitoring tools which look at packet payloads and identify what applications are riding on ports 80 or 443 are a more accurate solution. This is the most common security use case we hear about when it comes to monitoring internet traffic.

2.  Identify traffic which generated a large number of connections through firewalls

Almost all firewalls in use today are of a stateful variety. A stateful firewall is a network firewall that tracks the operating state and characteristics of network connections traversing it. The firewall is configured to distinguish legitimate packets for different types of connections. Only packets matching a known active connection are allowed to pass through the firewall. More recent firewalls are also application aware so that they can understand what applications are generating connections and apply filters based on this.

Our customers are reporting that in extreme cases their firewalls start dropping connections if there is a large increase in outbound or inbound connections. A typical example is the Bittorrent application which can generate hundreds of connections simultaneously. Make sure your monitoring tool has a means of tracking the number of network connections on a per client basis. When monitoring internet traffic, tools that look at traffic volumes alone will not spot the problems. You need tools which can report on the number on connections on a per user or IP address basis.

3. Understand who is misusing\abusing the Internet at remote locations

Bandwidth capacity to remote networks is still an issue for most network managers. When links get busy, you can’t keep increasing the capacity. Once you do so, bandwidth hungry applications will chew up the new bandwidth. It may also be a very expensive option, so getting visibility as to what is happening on these links is vital.

One of the most common causes of WAN issues, is excessive internet traffic. Sometimes this is accidental; a user copying hundreds of HD images onto a Dropbox folder, to more deliberate like using the workplace network to download movies. If you experience concerns about remote networks or with the WAN links to them, you should start by monitoring internet traffic. Our video at the end of this blog post, explains what to do.

4. Report on proxied web activity on a per user basis

Proxy servers were once implemented to speed up access to popular sites. In theory, they would cache popular webpages which cut down on bandwidth use. This has become more complicated as most content is now dynamic such as Facebook news feeds; so proxy servers are now mostly used for their site blocking capabilities.

While proxy servers may be good at caching and filtering, they were never designed as a user web reporting tool. Flow based monitoring tools will not work either, as they will either report clients connecting to a proxy or the proxy connecting to external websites. Stitching this information together is a complicated process.

Packet capture applications solve this problem as they look inside HTTP headers to extract information like client, proxy and website. This is why, they are popular when it comes to reporting on proxied web activity on a per user basis.

5. Reports that can tell if users are streaming content like movies or games

The internet is a wonderful place, but it is also full of distractions; from watching live events to checking out recent movies or spending hours playing online games. While we all need our releases from everyday life, too much streaming can overload computer networks.

I recently worked with a client who had major issues at a remote site. Users there, were reporting that access to business applications was slow. They logged onto their LANGuardian application and found that a number of users at the remote site were streaming live soccer to their PC’s which overloaded the WAN connection.

How to monitor Internet activity using a SPAN port

Setting up SPAN ports on Cisco Nexus switches

SPAN ports are commonly used for network traffic analysis applications. SPAN ports work by sending a copy of the traffic destined to one or more ports or VLANs to another port on the switch that has been connected to a network traffic analysis or security device. SPAN mirrors receive or send (or both) traffic on one or more source ports to a destination port for analysis.

The new generation of Cisco switches based on the Nexus platform have a slightly more complicated SPAN setup when compared to other Cisco switch platforms. In summary, you must set the mode or the destination port to monitor before you set it as a destination for the SPAN traffic.

In this blog post, we are going to look at two common network traffic monitoring scenarios and how to configure a SPAN port on a Cisco Nexus switch. For more a detailed configuration, check out this guide from the Cisco Nexus manual which looks at all SPAN options.

Monitoring a single switch port using a SPAN session

In this example, we are going to setup a SPAN port to monitor traffic going to and from the firewall. A copy of the traffic to be sent to the network traffic analyzer via its sensor port is shown as the red connection. For this  purposes, we are going to set the SPAN port as ethernet 2/10 and the firewall port as ethernet 1/1

Monitoring a VLAN using a SPAN session

If you want to monitor multiple servers or devices on you network, you can monitor VLANs with a SPAN session. In the next example, we are going to setup a SPAN port to monitor traffic going to and from our server VLAN. For the purposes of this example, we are going to set the SPAN port as ethernet 2/10 and we will use it to monitor VLAN 100

About NetFort

NetFort provides network traffic and security monitoring software for virtual and physical networks. NetFort’s flagship product, LANGuardian, is unique in the marketplace thanks to its powerful deep-packet inspection technology that can be downloaded and deployed on standard physical or virtual hardware to provide comprehensive visibility in minutes. Organizations worldwide depend on LANGuardian solutions from monitoring user activity to file activity monitoring, web activity monitoring, network security monitoring, bandwidth troubleshooting, wire data analytics, network forensics to packet capture.

To see LANGuardian in action – try our interactive demo today!

Pokémon Go – “Gotta catch’em all” (It’s not what you think!)

I don’t think anyone can have missed the phenomenon of Pokémon Go which has exploded into our lives over the last week or so. The objective is still the same, to capture ALL the Pokémon characters!

It’s a great news story as broadcasters scramble for headline stories,
Danger – Pokémon Go can seriously damage your health! Whether that’s the potential dangers of walking or driving while playing the game

Breaking News – “Kids have left their bedrooms” kids are actually going for walks this summer (motivated by hatching eggs within the game) rather than locked in their rooms playing computer games!

From a business perspective, we have also seen Boeing become the first corporate to ban the game, simply on the grounds of safety.

That got me thinking; in a work environment, Pokémon Go users are pretty easy to spot, as they walk along trance like staring at their phone…. there is clearly an addictive element to the game, but it’s no different to a lot of other computer games, media and social apps out there.

A regular challenge we hear from Network Managers is around monitoring user’s “non-work related” online activities and the subsequent impact it has on, not only individual’s productivity, but also overall network performance. Network Managers are also concerned about the possibility of users downloading fake Pokémon Go apps. These do exist and when installed can introduce malware onto networks.

The good news is there is an effective, affordable solution for monitoring network activity – LANGuardian; LANGuardian enables Network Managers to use a SPAN (monitoring) port to monitor and report on network activities both internally (intranet servers and files shares) and externally (websites, cloud services and social media)

Easy to use; LANGuardian’s “deep packet inspection” provides the highest level of visibility into activity on the network. Its intuitive reporting and dashboards, drill down capabilities, and powerful searches provide extremely detailed information without requiring you to understand and interpret raw data packets

The old expression “You can’t manage, what you can’t see” is no longer a problem, thanks to LANGuardian we “Let you see, so you can manage” So in line with the Pokémon theme and from a LANGuardian view,

“Packets… Gotta catch’em all”

Detecting Pokémon Go activity with LANGuardian

The Pokémon Go application was developed in partnership with Niantic. When the app is loaded it communicates with the domain nianticlabs.com. All communications are secured and the good news is that it does not use a lot of bandwidth.

To track down Pokémon Go users on your network you just need to detect what clients are connecting to the nianticlabs.com domain. To do this on LANGuardian, you just need to use the NetFort search feature.

Enter nianticlabs.com in the website field, select a time range and then click on the search button. If you see any activity associated with this domain, drill down to reveal what IP addresses are associated with this. You can then use the LANGuardian Network Inventory reports to get associated MAC addresses if you want to block the clients from accessing your network.

Active directory and/or RADIUS integration can also reveal any associated usernames. The 2 minute video below shows you the basics of what you need to do to track down Pokémon Go activity on your network.

To see LANGuardian in action, try our interactive demo here

What are your options to address URL search requirements?

Before I go into how you can do a URL search using network traffic as a data source, I want to go back over and explain what a URL string is.

For most use cases, a URL search involves searching for either a full or partial website name to see who is accessing it. Here is some feedback we recently got from a university customer which they sent back after evaluating our LANGuardian product. This is a very typical use case.

Building a database of URL search strings

There seems to be an increasing demand for more sophisticated analysis and visibility of the Internet link and activity probably driven by:

• Security concerns,  continuous monitoring and rich visibility of activity on this link is an absolute must these days.
• Cloud, hybrid cloud, etc. Many applications used across organizations today are hosted externally and as a result, the utilization of this link is critical.

Before you can search URL strings you need a data source. The most common ones I come across are:

1. Local packet capture on a PC or laptop.
2. Network wide packet capture through a SPAN, mirror ports or TAPs.
3. Log file analysis on firewalls or proxy servers.

I am not including any flow based tools in this post as most are not good web usage trackers. Some IPFIX implementations can export HTTP header information but very few tools actually use this.

Local Packet Capture

Capturing network traffic locally on your PC or laptop is a great way to learn about packet capture and how you can use this to search for URL strings. Wireshark is the most popular tool and it allows you to capture all network traffic going in and out of local network adapters.

If you want to do a URL search, you simply use the display filter within Wireshark to search for a specific text string.

Pros

• Free and easy way to capture local traffic
• Great for learning about packet capture and traffic analysis

Cons

• Does not scale up. Very easy to overload a system if you try and capture traffic at high data rates.
• While it is fine for real time analysis, you wont get long term storage of data unless you have access to lots of disk space.
• Complex, not that easy to read and interpret. Difficult to easily get the ‘big picture’.

Network wide packet capture through a SPAN, mirror port or TAP

If you want to scale up from local packet capture, then you should look at options like SPAN ports or TAPs. This approach will allow you to get a copy of all traffic flowing into and out of your network and so you will get a data source for all web activity on your network.

The video at the link below goes through the steps that are needed to monitor Internet activity via a SPAN port.

Pros

• Visibility of all Internet activity on your network.
• SPAN or port mirror options available on most managed switches with no impact on performance.
• Works effectively whether a web proxy is in place or not.
• Deploy in minutes, no agents, clients, no network downtime.

Cons

• Free tools\software offerings that can connect to a SPAN or mirror ports are limited so you need to look at a commercial solution.

Once you have got your SPAN port setup, you can use a tool like NetFort LANGuardian to process the packet data. The NetFort DPI engine extracts application level detail like URL strings from the traffic flows, discarding the remainder of the packet contents before storing them in the built in database.

This data reduction (400:1 over full packet capture and storage) results in cost effective long life historical storage of network and user activity, very useful for forensics, reporting and planning.

It stores all the critical details including IP address, user name, domain names, URI and bandwidth consumed in its own database. This gives you access to realtime and historical web usage reports.

If are considering other tools, make sure they include both realtime and historical reporting features to match you data retention requirements.

Log file analysis on firewalls or proxy servers

Many firewall and proxy servers will have logging options. These can be very useful for troubleshooting or checking if changes to firewall rules are working. However, server log files do have their limitations. They are meant to provide server administrators with data about the behavior of the server, not the behavior of the user like what URLs they are accessing.

I recently attended a conference which brought together network and security professionals from colleges and universities all over the UK. During the conference, one IT manager described how their network fell victim to multiple DDoS attacks. Their firewalls were under so much pressure, they could not access the logs and get any visibility. One recommendation from this was not to rely on firewall logs alone, you need another data source to troubleshoot problems.

Pros

• Great for troubleshooting problems or checking if changes to block rules are working.

Cons

• Enabling logging will impact on firewall or proxy performance. These devices were not designed for long term capturing of log information.
• If your proxy or firewall is having performance issues you wont be able to access the logs to troubleshoot the problem.

Do you have any other ideas on how to capture and search URL information? Comments welcome.

In this blog post we are going to do a forensic analysis of a DDoS attack. The DDoS analysis is supported by screenshots captured from a LANGuardian system that was monitoring network edge traffic via a SPAN port at the time of the attack.

The purpose of our DDoS analysis is to demonstrate how DDoS monitoring can identify an attack in progress. With the information gathered by using a DDoS attack monitor, we can then take steps to mitigate against these types of DDoS attacks.

Why DDoS Monitoring is Important

Over the past ten days in Ireland, numerous online services and public networks have been targeted by DDoS attacks. A recent article from the BBC also suggests that website-crippling cyber-attacks are to rise in 2016 – the organization itself having been taken offline by a massive DDoS attack at the end of last year.

The majority of the recent attacks in Ireland were NTP amplification attacks. NTP is a popular vector for DDoS attacks because, like DNS, it is a simple UDP-based protocol that can be persuaded to return large replies to small requests. It has been estimated there are over a hundred thousand abusable NTP servers with administrative functions incorrectly open to the general Internet.

Using LANGuardian as a DDoS Attack Monitor

All of the following screenshots were taken using LANGuardian as a DDoS attack monitor on a real network. The network was one of many that suffered multiple DDoS attacks during January 2016. The first image below shows traffic associated with this network at a time when it was not under attack. What I am watching out for here is:

1. The majority of the traffic is IPv4.
2. Over 97% of traffic is TCP with small amounts of UDP. This is very normal and what I would expect.
3. Drilldown on the UDP traffic shows the majority is DNS. For most networks DNS Would be the most active UDP protocol. Exceptions this this would be on networks where applications like Bittorrent are allowed.

The next screen shot shows the network traffic profile during a time when the network was under attack. The main thing that stands out is the UDP traffic is now the majority. This is the classic fingerprint of a UDP based amplification attack. You can read more about amplification attacks here and here.

Drilling down on the UDP traffic reveals that the network is receiving large amounts of NTP and DNS traffic. Both of these are important protocols so you cannot just block them. The other issue is that the network packets will contain spoofed IP addresses so basic firewall rules are useless.

Composed of legitimate-appearing requests, massive numbers of “zombies” and spoofed identities that make it virtually impossible to identify and block these malicious flows.

Drilling down further reveals that the traffic appears to originate from 4700 different servers.  We can do a WHOIS by IP address and determine that these are valid NTP servers, owned by reputable organizations.

It’s unlikely that 4700 reputable NTP servers are compromised and targeting an attack at the network, so something else is happening here.

The NTP protocol is based on UDP, a connection-less protocol. This means that a malicious client can create an NTP request, but instead of using its own IP address as the source, it uses the IP address of the target network. The NTP server assumes the request is genuine and responds, sending the response, not to the originating client, but to the target network.

This is known as a reflection attack. We can determine this is occurring, because our network has not sent any NTP packets to the NTP servers in question (zero packets sent, zero bytes sent) as seen here.

Further, we can calculate that the average received NTP response packet size is about 440 bytes, significantly larger than a standard NTP response packet (about 90 bytes). The 440 byte packet is likely a response to a ‘monlist’ request, a remote command in older NTP servers to return a list of the last clients to contact it. The ‘monlist’ command returns multiple packets of this size in response to a single request. This is known a amplification, where a small request generates big responses.

Finally, what of the client that originated the NTP request? We have no information about that client, as it successfully forged the source IP address in the original NTP request. We can assume that the client was a member of a botnet and was issued commands to target this network. There can be many thousands of compromised clients in a given botnet.

The scenario is shown in the diagram below, showing how a single C&C, controls many zombie clients, to generate malformed NTP requests to many servers, which in turn send amplified responses to the target network. Click on image to zoom in.

Any local servers shown in the reports would need to be checked for malware activity. It could end up as a zombie host in a botnet or it may also be serving up Malware.

Using DDoS Analysis to Mitigate Against DDoS Attacks

When it comes to mitigating against DDoS attacks, you do have a number of options. It does depend on what stage you are at. If you are presently under attack, you may need to weather the storm a bit and avoid any rush decisions. Blocking traffic for example may only introduce other problems and you may end up with a network cut off from the outside world.

It is critical that you have some type of network activity monitoring in place prior to and during an attack. Make sure you can see where the traffic is coming from and what servers are being targeted. To try and mitigate against an attack you should consider the following.

1. See if your ISP can black hole the suspicious traffic. Most will not get involved but if you are an education or government institute you may be able to address the issue at an ISP level.
2. If you host your own web applications or servers you could consider a local DDoS protection system. These high-performance appliances enable attack traffic analysis and cleaning of the traffic, enabling a defense against large-scale DDoS attacks. Good traffic goes one way and bad traffic is dropped.
3. If your website is hosted externally you could consider something like the Cloudflare DDoS protection infrastructure. They do the job of sorting out the good traffic from the bad in the cloud.
4. In some extreme cases I have heard of companies changing their ISP to get away from the problem. Their public IP addresses seem to be a constant target to the only way out is to change them by moving to a different ISP.

Do you have any tips for mitigating against DDoS attacks? Comments welcome.

Popular posts:

• Importing Database Archives

A term I often hear our customers say is that they use our LANGuardian product to “take a deep dive into network traffic“. When you hear something like ‘deep dive’ you could associate it with geeks in their Speedos taking a dive into a swimming pool. The reality is a lot more technical and maybe more boring; what they are trying to do is use network traffic as a data source to get to the root cause of network, security, application or user problems.

Client based traffic analysis

For a lot of network administrators the tool of choice may be Wireshark. It is excellent for taking a deep dive into network packets. I often use it to capture network traffic on my laptop and scroll through the packets to work out what traffic flows are present and see what packet payloads are associated with them.

The problem with this approach is that it can be very time consuming, this is especially so if you are dealing with high traffic volumes. Wireshark filters are useful but this is a foreign language to most people. Connect your laptop to a SPAN or mirror port and within minutes you could be dealing with a multi gigabyte packet capture file.

There is no doubt that tools like Wireshark or Microsoft Message Analyzer have their uses. However, if you want 24/7 traffic monitoring then you will need to look at a different solution.

Flow based traffic analysis

Many layer 3 type network devices like routers and some switches have flow export features. Standards include NetFlow, sFlow, JFlow and IPFIX. Typically a network device extracts certain information from the packet headers. This will include IP addresses and port information together with a total amount of data contained within the packet payloads. This flow information is then sent to a flow collector where its is processed and stored.

If we think of it as diving into a swimming pool, flow analysis is like getting your Speedos on and approaching the pool. You dip your toes in but that is it. You have an idea how cold the water is but it is not a deep dive.

Flow analysis is great for getting a top level view of what is happening on a network. Some flow technologies have moved towards sampled packet analysis. I am not a big fan of this due to the resource demands it puts on networking devices.

Going deep with Deep Packet Inspection

If you want to take a deep dive into network traffic, you need deep packet inspection. Technologies like this automate packet analysis so that you have 24/7 monitoring. Some solutions will store all packet data on disk (packet recorder) while others will extract certain payload data like website or file names (known as meta data).

Another feature of deep packet inspection tools is their ability to recognize applications based on packet payloads. Flow tools will make assumptions like all traffic on TCP port 80 is web but this is not always the case. Most firewalls available today include this functionality and it is vital in today’s world were so many applications are web based.

Traffic analysis tools that monitor traffic inside a network are getting more popular. The main driver for this is that IT managers want to get an insight into network activity so that they can increase security awareness. They also want historical reporting for seeing what happened at a particular point and time.

Before you make a decision on one you need to consider the following

1. Do you need to record every packet or just capture important meta data. Unless you are monitoring a critical banking application or similar, meta data capture is recommended.
2. Can the tool be deployed in remote data centers and provide a single console to monitor all activity.
3. Don’t forget about virtual networks. Network packets can move around here and may never appear on the ‘wired’ network.
4. Check if the tool supports username association. When you are dealing with LAN issues, it is very useful to be able to track activity back to actual users.
5. Watch out for ease of use. Too many tools claim they can do deep packet inspection but are difficult to use. Ideally you want ‘management friendly’ graphics with drill down capabilities.

All of the solutions I mentioned above have their uses. Wireshark for client side diagnostics, flow tools for high level traffic reports, and deep packet inspection for taking a deep dive into network traffic. In some cases you may need all three, just make sure you don’t end up with the wrong solution if you only can pick one or two.

Bittorrent is a very popular file sharing protocol. As a way of distributing content from many hosts, it is second to none. It is very popular with movie\music pirates as it does not require a central server for the storage of data. A downloader (peer) can contact other peers and download pieces of content and that peer will automatically share any content it has downloaded. It does have many other uses such as a platform for distributing software updates.

When it comes to network management, most administrators try to block Bittorrent use. The main reason behind this is that it can use up massive amounts of network bandwidth and disk storage. Many high definition movies are now 6GB+ in size so all it takes is for a few clients to clog up a network. Bittorrent clients also create thousands of network connections to other peers which can overload some firewalls.

Blocking access to sites like ThePirateBay may work in the short term but the introduction of magnet links makes site blocking more difficult. If you are successful in blocking the torrent sites, users can still access them at home and use your network to download the content.

How to detect Bittorrent tunnelling activity on your network

Traditional firewalls which use port blocking are useless when it comes to Bittorrent. The protocol will seek out open TCP or UDP ports and use these to tunnel\transfer data. Even newer firewalls struggle with the Bittorrent protocol due to encryption and other recent changes.

In today’s world, the only way to accurately identify Bittorrent is to be application aware. What I mean by this is to forget about identifying applications based on the port numbers they use to communicate. Assume that TCP port 80 could be any application, HTTP, Skype, Bittorrent, etc…. You need to take a look inside the network packets and work out what application it is based on what the packet payload or content is.

This all sounds very complicated and it is if you have to sort through packets using something like Wireshark. It is not impossible but you will find it is very time consuming. The other issue is scale, Wireshark works fine for analyzing a single client but it will get overloaded if you are monitoring hundreds of clients.

What you are looking to do is extract certain metadata from the network packets. There is no need to store the contents of every packet unless you plan to replay the traffic for further analysis. This approach is also referred to as deep packet inspection.  Aim to capture these fields at a minimum:

• Source IP Address
• Source Port
• Destination IP Address
• Destination Port
• Info_hash: urlencoded 20-byte SHA1 hash

A simple way to get visibility of Bittorrent on your network is via a SPAN or mirror port. Find where your Internet connection connects to your network switch infrastructure then configure it to send a copy of traffic going to and from the Internet to a switch port of your choice, this switch port is known as a SPAN or mirror port. It’s just a regular port but you configure it to be the destination for the SPAN traffic. See video below which covers this in more detail.

Tracking down Bittorrent activity with deep packet inspection

Once you have your SPAN port setup, you need to plug in a network analyzer which can process network packets. We develop one called LANGuardian but there are other options out there. For this example I will use a LANGuardian installed on my own network to track down Bittorrent tunneling. LANGuardian has the advantage of been able to report on real-time and historical activity.

Step 1 – Run a Top Applications Report

In my case I am going to take a look at activity over the past 4 hours and I also want to focus in on applications using port 80.

Step 2 – Drill Down on the Bittorrent Traffic

Most traffic on my network using port 80 is HTTP but I have a small amount of Bittorrent traffic using this port. To drill-down I click on the traffic volumes

Here I can clearly see the client IP address, host-name and info-hash values associated with this Bittorrent activity. Further details like other associated port numbers and external IP addresses can be got by drilling down further.

LANGuardian Web Activity Report Features

The LANGuardian traffic analysis engine may also be used to passively report on web activity.  It is a very useful feature for organizations such as universities who for various reasons including performance, simplicity, and cost do not want to deploy a web proxy or any sort of inline device.

It is also very easy to deploy which is critical for the already pretty busy network engineer who would prefer to concentrate on other tasks and not on the relatively tricky subject of user Internet monitoring. No inline devices required, no agents or clients, no change to browser setting, completely transparent to the user. Just SPAN or mirror the Internet link, connect the LANGuardian to the SPAN port and away you go.

The data is captured, stored and immediately accessible when you need it or when it is requested. One can search by IP or MAC address, user name or even part of the domain or URI. For example show me all the users who accessed Dropbox in the last week and how much data was uploaded. Or list all the domains accessed with resources or URIs containing the word Torrent and the user who accessed them.

Whether a web proxy is in use on the network or not, all the detail required, including user name, IP address, domain, resource, size, date and time can be extracted from the raw traffic by the LANGuardian passively usually via a SPAN port or TAP and retained for months in the built in database.

How to focus in on a user

To instantly access and report on web activity for a particular user name, IP or MAC address:

• Using the search box, top right, enter resource
• Select the report Web :: Top Website Domains and resources

• Use the Time filter to select the required time period.
• Using the logon name field enter the name of the user and click view to rerun the report for that particular user.

It is also possible to automatically send a daily or weekly email summarizing the web activity for a particular user by saving this report with the required user name and then under configuration, top right using the email settings to schedule the report.

How does it work?

LANGuardian passively captures HTTP and HTTPS header information from network traffic. In most cases a SPAN or mirror port is setup. There is no impact on network performance as this is not an inline solution. This approach also works for direct and proxy based activity. The video below explains how you can get this setup on your network.

How to Deal With Unusual Traffic Detected Notifications

If you get an unusual traffic detected notification from Google, it usually means your IP address was or still is sending suspicious network traffic. Google can detect this and has recently implemented security measures to protect against DDoS, other server attacks and SEO rank manipulation.

The key thing to remember is that the notification is based on your Internet facing IP address, not your private IP address which is assigned to your laptop\PC\device. If you don’t know what your Internet facing (or public) IP address is you can use something like this service.

Further reading in these blog posts.

• What Traffic Reports To Focus on if You Are Dealing With Google Unusual Traffic Notifications. A look at how one of our customers approached the problem.
• How to deal with “Google has detected unusual traffic from your network” notifications

Top-Level Domains – What are they and how to monitor traffic associated with them.

Back in 2011 ICANN approved a plan to expand the number of top level domains (TLDs). Shortly afterwards some analysts suggested that this could spell Dot-Trouble for businesses.

Move forward to 2015 and sure enough a few shady neighbourhoods have appeared on the Internet. Research done by Bluecoat shows that some of these Internet neighbourhoods have become almost exclusively the domain of people setting up hosts for spam e-mailing, scams, shady software downloads, malware distribution, botnet operations and “phishing” attacks, or other suspicious content.

The image below shows an example of how Wireshark can be used to look inside HTTP headers to extract top-level domain information. Wireshark is very useful for troubleshooting issues associated with a single client. However, it may become data overload if you connect it up to a SPAN or mirror port. If you want to do this you need to look at a commercial network traffic analysis tool like LANGuardian.

Monitoring Suspicious Top-Level Domain Activity with NetFort

The following procedure describes the steps to show any activity associated with these top-level domains (TLDs). The report can be saved on your LANGuardian system as a custom report and can be re-run any time updated information is needed. Alerts and automated reports are also supported.

1. Click on Reports in the LANGuardian menu bar.
2. In the Web section, click on Top Website Domains, LANGuardian displays the Top Website Domains report.
3. In the Website Domain Name field (Matches regexp selected) place \.link$|\.gq$|\.party$|\.work$|\.science$|\.cricket$|\.kim$|\.country$|\.review$|\.zip$
   
4. Click View.
5. When LANGuardian displays the report, click More Actions on the report menu bar and select Save Report.
6. Enter a name and description for the report, then click Save. The new report will be listed in the Custom Reports section.

Most of the basic Regular Expressions (RegEx) and IP Address/Subnet needs are covered in the LANGuardian Tip Sheet.

And, of course, please contact us any time if you have any questions about web activity or indeed any other aspect of network monitoring with LANGuardian.

If you have any tips for tracking down suspicious top-level domains, please use the comment section below.

Darragh Delaney

Users accessing media sites like Netflix and YouTube can consume massive amounts of bandwidth. What’s needed are performance management solutions that can 1) detect and notify you about network performance degradation and spikes in bandwidth utilization, and 2) give you visibility into what applications are running on the network and what IP addresses and usernames are associated with them.

For most media sites it is easy to start monitoring activity associated with them. Just follow these steps:

1. Ping the website in question. For example www.netflix.com comes back as 208.75.76.17
2. Go to the website www.incidents.org and enter this IP address in the top right hand corner.
3. You will find that this IP address is part of the range 208.75.76.0/24. Google this range to see if Netflix have any other subnet ranges registered to them. YouTube for example will have many subnets associated with their services
4. Log onto LANGuardian (or other network activity monitoring tool) and select Reports\Bandwidth\IP\Top Talkers from the reporting menu on the top.
5. Enter 208.75.76.0/24 as the subnet and this will reveal if you have any Netflix traffic on your network. Drill down on the totals to reveal the most active clients

If you have proxy servers on your network you don’t need to lookup the IP ranges. Logon to LANGuardian and go to Reports\Web\More\Proxy Sessions By IP. Enter Netflix as the website and run the report.

One thing to watch out for if you are using logs or flow data is that reverse lookups of the IP addresses may be misleading. I noticed the IP addresses above using up a lot of bandwidth on my network. A reverse lookup using my favorite security lookup site (incidents.org) reported that the IP address is registered to Eircom which at first seems strange. Further analysis of the IP address and DNS traffic also shows it to be associated with AkamaiHD.net which is a content delivery network (CDN).

Netflix is a provider of on demand internet streaming media and is available to users in the majority of locations all over the world. The service is becoming increasingly popular and by the end of last year had a total of 57.4 million subscribers. In parallel with this growth, we have seen a corresponding increase in the number of people questioning the impact that Netflix traffic is having on their network.

Watching Netflix can use around 1 GB of data per hour for each stream when viewing in standard definition and up to 3 GB per hour for streaming content in high definition. The ‘Internet is slow today’ could easily be as a result of a single user streaming Netflix.

There are a couple of ways you can check for Netflix traffic on your network after installing LANGuardian. The easiest way to do this is to click on, reports, top website domains and simply type in Netflix into the appropriate field.

Example below from our demo system shows Skype appearing on the network. It is the same idea for Netflix, simply type in the website name and click on view. You can also drill-down from here to find the associated username and IP addresses.

An alternative way is to look at the IDS rule set in LANGuardian. The IDS in LANGuardian contains two signatures to detect Netflix on your network and they can be found under sid: 2007638 and 2013498 which are included below:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:”POLICY Netflix On-demand User-Agent”; flow:to_server,established; content:”|0d 0a|User-Agent|3a| WmpHostInternetConnection”; nocase; reference:url,doc.emergingthreats.net/2007638; classtype:policy-violation; sid:2007638; rev:5;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:”POLICY Netflix Streaming Player Access”; flow:to_server,established; uricontent:”/WiPlayer?movieid=”; content:”|0d 0a|Host|3a| movies.netflix.com|0d 0a|”; nocase; reference:url,netflix.com; classtype:policy-violation; sid:2013498; rev:2;)

You could also create a custom report which would allow you to search for specific IDS events like Netflix by following the guide here on the forum.

Ray Barnes

Looking deeper into what is happening on a network

An interesting problem cropped up during our company huddle this morning.  Our head of development had the floor and was giving us an update on some recent modifications to our Bittorent decoder.

But, I also remember back to a meeting years ago in Dublin, where the network admin had investigated one user for continuous bandwidth abuse causing the other users to complain ‘the Internet is slow today’ on that site.  HR got involved, a meeting was called, and the user asked to explain.  User explained he was downloading research papers and doing nothing wrong.

The admin was able to instantly produce a report listing the movie names (including the complete Harry Potter box set) dates, times, the user had downloaded. The smoking gun, proof to eliminate guesswork and save time, stress for everybody. User owned up immediately and the issue was resolved.

And just last week, we had the following feedback from a new customer in the UK, food company.

“This product is amazing… I’m getting an insight into the network that I have never had before and seeing activity that I just did know was going on!“

This guy, Simon, was definitely not complaining about having too much visibility.

I guess it may be useful to have the information at your fingertips IF and WHEN you need it, the last step of a drill down, but, not in your face all the time? Back to the customer, let’s get their opinion, listen to them.

John Brosnan
NetFort CEO

Popcorn Time is a multi platform, open source BitTorrent client which includes an integrated media player. It uses sequential downloading to play media. Torrent pieces are usually downloaded in an optimal order which maximizes speed and benefits to the swarm health. Sequential downloading allows you to download torrent pieces in sequentially order (from the beginning to the end) so it allows you to watch movies instantly.

In the following example I used LANGuardian to extract certain information (metadata) from network traffic which shows Popcorn Time activity.

This screenshot above shows a typical network traffic breakdown for a client running Popcorn Time. This was captured after just a few minutes of video playback and amounts to almost 1GB of data. Most of the data is Bittorrent related with a small amount of web traffic (HTTP).

As well as streaming content via the Bittorrent protocol, the application also downloads other metadata from a number of websites. You can see some of the sites which the application communicates with in the images above. Blocking access to these sites will not stop the Popcorn Time applications. It just means that some images may be missing when users are browsing the app.

When it comes to Popcorn Time use, there are three issues you should consider if you are responsible for the operations and security of a computer network.

1. Popcorn Time uses the Bittorrent protocol. A lot of the music and movies downloaded using Bittorrent clients are copyrighted. You may receive notifications from your ISP or from another third party if this type of activity is detected.
2. Bittorrent will consume large amounts of bandwidth. During my tests I had downloaded almost 1GB of data in just a few minutes.If you allow it.
3. If you allow it, Bittorrent is yet another way for Malware to get into your network.

Download a free trial of LANGuardian if you want to check for Bittorrent use on your network. The Bittorrent decoder is enabled in the trial version.

Darragh Delaney

How to gain visibility of Internet usage

When it comes to understanding what is happening on your network, one of the most common questions I get is how you can find a data source to understand what is happening on an Internet connection. The most common data sources that people mention are

1. Reports from an ISP
2. Reports available directly from firewalls or routers
3. SNMP data
4. Log files
5. Packet capture

The easiest reports to get are the ones from an ISP or directly from network devices. The image below shows an example of these.

While it does give us some idea as to what is happening, it lacks detail as to what is causing those peaks. The same problem will exist for any application which uses SNMP (simple network management protocol) as a data source. You will get an alert that there is excessive traffic on your Internet connection but you will lack the detail you need to troubleshoot why this is happening.

This then brings us on to gathering flow records like NetFlow. NetFlow and other flow standards allow you to see what systems are connecting to what and how much data is been exchanged. This is very useful information as we can now break down those peaks into what system is connecting to what.

The problem with this is that while this is a view of what system is connecting to what, it is hard to read. Users do not connect to IP addresses. They use applications and connect to services like YouTube. For that reason flow based tools are not a good option for monitoring Internet activity. The problem is even worse if you use proxy servers. Flow records will just show IP addresses connecting to the proxy server IP address and at the other side you have the IP of the proxy connecting to IP addresses outside your network.

Lets now look at two other sources of data; log files and packet capture. Server log files are inappropriate for gathering usability data. They are meant to provide server administrators with data about the behaviour of the server, not the behaviour of the user. The log file is a flat file containing technical information about requests for files or websites on the server. Log files can also be easily overwritten and need to be pulled back to a SIEM for indexing and storage.

The final data source is packet capture. The wonderful world of bits and bytes where only the geeks dare to travel. The thing is that modern deep packet inspection tools make the job of processing network packets really easy. You can download them and within minutes you can start to drill down and see what is actually moving around your network.

The following image is a good example of this. Here we can see two users downloading an OVA file from netfort.com. Really easy to read and it shows exactly what happened. No issues with trying to resolve IP addresses and no hours spent looking through packet capture files.

Finally, I spoke to someone during the week and when I mentioned that you could monitor Internet traffic with a SPAN or mirror port he reported that he had no managed switch. In most cases you need a managed switch to setup a SPAN\mirror port. However, if you do not have a managed swich you can always deploy a cheap network TAP. These devices allow you to get a copy of traffic going in and out of a network connection.

In my case the network manager had a Cisco ASA 5505 deployed. This is actually a hybrid device with an 8 port switch and firewall features. To configure a SPAN port on an ASA 5505 you need to use the following commands.

If you need to check if your switch supports SPAN or mirror ports there is a good guide at this link.

/downloads/product-documentation/core-switch-documentation/

So that is it for this post. If you really need to find out what is happening on your Internet connection, look inside the network packets!

Darragh Delaney