NetFort Advertising

Network Traffic Monitoring

In order to be fully effective, network traffic monitoring software should keep a close eye on not only what is happening within your network, but what is happening on the perimeter of your network as well. In order to give network managers complete visibility over this area of activity, network traffic monitoring software must have deep packet inspection to identify the content of network packets originating from public IP addresses and subnets.

Network traffic monitoring software with this depth of visibility has many practical uses within the network as well. It can be used to troubleshoot network issues, conserve bandwidth, identify threats to the security of the network and enforce acceptable use policies. The monitoring can be done in real time, or historically when real-time analysis is insufficient to identify trends or to investigate time-sensitive issues around particular network events.

LANGuardian is a leader in network traffic monitoring software. It is quick to install, easy to maintain, versatile, and fully effective at monitoring the traffic on and around the perimeter of your network. To find out more about LANGuardian, read our network traffic monitoring blog posts, contact us with any questions you have, or download a trial of LANGuardian today in order to evaluate our network traffic monitoring software free of charge in your own environment for thirty days.

Why a CCTV type system is a necessity for Monitoring Network Traffic

CCTV for computer networks

Why monitor network traffic?

The recent Equifax security breach resulted in hackers getting their hands on the sensitive personal information of 143 million American consumers. The breach lasted from mid-May 2017 through July 2017. The hackers accessed people’s names, social security numbers, birth dates, addresses and, in some instances, driver’s license numbers. They also stole credit card numbers from about 209,000 people and dispute documents with personal identifying information from about 182,000 people; they also grabbed personal information of people in the UK and Canada.

This information was not carried in briefcases. It left the organization as a payload in network traffic, mixed in with the massive amounts of legitimate traffic that would have left Equifax during the hacking period. While it is good practice to have firewalls and threat detection systems, many of them rely on known signatures of exploit attempts. This approach fails if you are targeted with something new, or if your security applications are missing detection capabilities for a specific type of attack. This is one of the main reasons why you need to constantly monitor network traffic leaving and entering your network.

What is a CCTV system for monitoring network traffic?

When I talk about a CCTV type system for monitoring network traffic, I usually give this analogy. When we want to protect physical buildings, we invest in locks, gates, walls and other physical barriers to protect our property and physical assets.

We also invest in CCTV systems so that if there is a break-in, we can see what is happening in real time and get recordings so we can look back over events. If you have a breach, it is important to know what happened so that we can make changes to prevent further breaches happening in the future. CCTV systems can also alert if someone enters a premises outside of normal working hours.

Monitoring network edge

Too often in the digital world, we forget about monitoring tools. Senior management often sees them as a ‘nice to have’ as there is no obvious payback. It is easy to get seduced into spending IT budgets on fancy firewalls and threat prevention systems as they can take an action. However, the Equifax hack has reminded us that we need eyes on our networks 24/7 and we need to keep historical records of who is connecting to what so that we can go back and see how someone hacked into our network.

network flows

A CCTV system for network traffic can be based on flow or packet analysis. If you use managed switches or if you have a router, you will have a data source. From this analysis, you need to be capturing information such as:

  • True application names as you cannot rely on port labels
  • Resource (URI) names
  • HTTP header fields
  • Web client information
  • DHCP data such as IP addresses, MAC and host-names
  • SMTP metadata such as email addresses and subject lines
  • BitTorrent Hash values
  • DNS SPAM detection
  • SMB and NFS metadata
  • Ingress and egress IP flows including IP addresses and port numbers
  • Associated GeoIP details
  • Packet counts
  • IP flow counts
  • Detect application layer attacks
  • Associated usernames
  • Accurate web domain names from DNS, HTTP or HTTPS traffic analysis

One of the most important things is that you get both a real-time and historical view of this data. Most network monitoring applications do real-time monitoring. Some do historical reporting but may age and compress data to cut down on disk usage. This is not ideal, as you will want to store as much detail as possible so that you can investigate historical events. Make sure you choose a forensics or monitoring application that retains all information captured.

Integrating IDS (Intrusion Detection System) and traffic analysis is also beneficial. This allows you to detect known attacks as well as providing extra context, such as what connections were made and whether the attackers targeted any other systems on your network. You will only get good threat detection with packet analysis; flow-based data (NetFlow, IPFIX, etc.) will struggle as it doesn’t look at packet payloads.

Your monitoring tool needs to be independent of edge equipment

Many firewalls now come with advanced logging and reporting capabilities. On paper, they tick boxes for both prevention and reporting. However, if your network is under attack you may find that these logs become inaccessible.

Some time ago I attended a JANET conference in the UK. A number of universities had been targeted with DDoS attacks. Many network managers spoke about how they struggled to understand what was happening, as their firewall logs were inaccessible or were filling up so quickly it was difficult to get an overall view of where the DDoS traffic was coming from. One of the recommendations from the conference was to ensure your monitoring tools were independent of edge devices such as firewalls or routers.

Don’t wait for a breach before investing in monitoring tools

The worst way to implement monitoring tools is to do so in the middle of an attack. You will never capture all the information you need and you may be rushed into buying tools that don’t address your requirements. Get something in place ASAP and use the CCTV analogy when discussing with senior management. In today’s world, you need to be watching over your network 24/7.

Game of Thrones, Dragons and Network Visibility?

Network VIsibility

There once existed vast unexplored areas of the oceans that in apocryphal sea charts were marked off and labeled ‘Here be Dragons’; meaning no-one knew what was there, but the suspicion was, it couldn’t be good.

This week there’s talk of dragons of a different hue – for Game of Thrones fans; as the 7th season premieres around the world, it promises to be the most action-packed season yet, with dragons, treachery, White Walkers and so on.  It also promises to be an action-packed time for networks and network managers, and treachery will play its part!

With the excitement of this premiere, many users may let their defences down as they try to download the latest episodes. Links to downloadable episodes provide excellent bait for delivering Ransomware and other malware to unsuspecting users. Even without the threat of malware, we’ve seen time and again how frequent media downloads can bring even the most stable networks to a stop when bandwidth provided for business operations is swallowed up.

Do you know what content your users are downloading and storing on file shares, what sites they are visiting, what copyrighted material is being downloaded and seeded by torrents through your firewall, what malware is being inadvertently downloaded and what it is accessing on your network? Do you know why that recently upgraded WAN link is at full capacity again? In other words, do you have blind spots? Or do you have continuous network visibility and the control it brings?

Visibility is a very common and maybe an overused term these days. However, it really is important to always have visibility into the various activities on your network, and also have drill down to rich detail and be able to understand and prove the root cause.

If you don’t know what is happening on your network, you can’t secure it or manage it properly.

NetFort’s LANGuardian is downloadable software that’s quick to configure and quickly gives you visibility into what’s on and what’s happening on your network. Understand what users, applications, and devices are on your network and what they are doing.

Visit netfort.com to watch our 3-minute video

Or else you’ll continue to have network blind spots, the ‘Here be Dragons’ areas; not sure what’s there, but can’t shake that feeling that it can’t be good.

Monitoring Network Traffic Going In and Out of Your Network

Why you need to watch out for traffic going in and out of your network

One of the most common requests from customers at the moment is the need to create LANGuardian reports which show what network traffic is entering and leaving their network. The recent WannaCry Ransomware outbreak has really made this type of reporting vital for all Network and Security Managers. WannaCry actively scanned for networks which had TCP port 445 open and then used a vulnerability in SMBv1 to access network file shares.

Leaving Ransomware to one side, it is always good practice to keep a very close eye on your network perimeter. Even if you have a very good Firewall, mistakes can happen and rogue traffic will get through or users will use various methods including tunneling, external anonymizers and VPNs to get around firewall rules.

Defining what is your network edge

Typically, your network edge separates the local subnets on your network from all the external subnets outside it. Many of you will use private addresses internally, but it is not uncommon to find public IP blocks in use as well. In order to report on what is entering and leaving your network, you need to define what subnets are in use. If you only use private address ranges then your internal networks could be represented as this list of subnets:

10.0.0.0/8,192.168.0.0/16,172.16.0.0/12

Creating subnet variables for use with LANGuardian reports

While you can use subnets directly within LANGuardian reports, you can save some time in the long run by using report variables. Click on the gear symbol top right and select Customization. From here, click on Report Variables and then Add New Report Variable.

  • Create a variable called External by using the subnet filter !10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
  • Create a variable called Internal by using the subnet filter 10.0.0.0/8,192.168.0.0/16,172.16.0.0/12

Note that you will need to change the subnet lists above if you use public IP blocks inside your network. Just add them to the list using comma separators.

Top Tip: Add all of your remote sites and VLAN subnets as report variables to speed up troubleshooting. You can quickly see what applications are hogging bandwidth on WAN links by using LANGuardian to focus on traffic associated with the relevant subnet ranges.

Network edge report variables

Creating custom LANGuardian reports to focus on network edge activity

There are two reports I recommend you look at when it comes to network edge activity.

  1. Top external clients connecting inbound to my network
  2. Internal to External traffic flows

The steps to create a custom Top Clients report are as follows:

  1. Use the search box to locate the Bandwidth :: Top Clients report
  2. Click on the Source IP/Subnet box and select External
  3. Click Run Report
  4. When LANGuardian displays the report, click Actions on the report menu bar and select Save As.
  5. Enter a name and description, then click Save

The new report will be listed in the My Reports section.

The steps to create a custom Internal to External report are as follows:

  1. Use the Search box to locate the Bandwidth :: Sessions report.
  2. Click on the Source IP/Subnet field and select Internal
  3. Click on the Destination IP/Subnet field and select External
  4. Click Run Report
  5. When LANGuardian displays the report, click Actions on the report menu bar and select Save As.
  6. Enter a Name and Description, then click Save.

The new report will be listed in the My Reports section.
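As an added example (my own code, not LANGuardian’s), here is the Internal/External subnet-filter logic behind the two report variables above implemented in Python and applied to a constructed set of flows, producing the same two views: top external clients connecting inbound, and internal-to-external sessions. The leading `!` is read as negating the whole comma-separated list, as in the filter strings above; the function names, the "outbound/inbound/internal/transit" labels and the sample flows (outside addresses taken from the RFC 5737 documentation ranges) are assumptions of this example, and build_filters shows how adding a public block used inside the network changes the classification.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

Flow = Tuple[str, str, int, int]   # (source IP, destination IP, destination port, bytes)
SubnetFilter = Tuple[bool, list]   # (negated?, list of ip_network objects)


def parse_subnet_filter(expr: str) -> SubnetFilter:
    """Parse 'a/b,c/d' or '!a/b,c/d'; a leading '!' negates the whole list."""
    negated = expr.startswith("!")
    nets = [ipaddress.ip_network(s.strip(), strict=False) for s in expr.lstrip("!").split(",") if s.strip()]
    return negated, nets


def matches(ip: str, subnet_filter: SubnetFilter) -> bool:
    negated, nets = subnet_filter
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets) != negated   # a negated filter matches addresses outside every listed subnet


RFC1918 = "10.0.0.0/8,192.168.0.0/16,172.16.0.0/12"


def build_filters(public_blocks: Iterable[str] = ()) -> Tuple[SubnetFilter, SubnetFilter]:
    """Internal/External pair; pass any public IP blocks that are also used inside the network."""
    subnets = ",".join([RFC1918, *public_blocks])
    return parse_subnet_filter(subnets), parse_subnet_filter("!" + subnets)


INTERNAL, EXTERNAL = build_filters()


def classify_flow(src: str, dst: str, internal: SubnetFilter = INTERNAL, external: SubnetFilter = EXTERNAL) -> str:
    src_in, dst_in = matches(src, internal), matches(dst, internal)
    if src_in and matches(dst, external):
        return "outbound"          # what the Internal to External sessions report shows
    if matches(src, external) and dst_in:
        return "inbound"           # what the Top Clients report with Source = External shows
    return "internal" if src_in and dst_in else "transit"


def top_external_clients(flows: Iterable[Flow], internal=INTERNAL, external=EXTERNAL) -> List[Tuple[str, int]]:
    """Bytes per external source address that connected inbound, largest first."""
    totals: Dict[str, int] = {}
    for src, dst, _port, nbytes in flows:
        if classify_flow(src, dst, internal, external) == "inbound":
            totals[src] = totals.get(src, 0) + nbytes
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


def internal_to_external_sessions(flows: Iterable[Flow], internal=INTERNAL, external=EXTERNAL) -> List[Flow]:
    return [f for f in flows if classify_flow(f[0], f[1], internal, external) == "outbound"]


# Constructed sample flows; outside addresses use the RFC 5737 documentation ranges.
SAMPLE_FLOWS: List[Flow] = [
    ("10.1.2.3", "198.51.100.7", 443, 120_000),     # internal client to an outside web server
    ("192.168.5.9", "10.2.0.1", 445, 80_000),       # internal file share traffic
    ("198.51.100.7", "10.1.2.3", 445, 5_000),       # outside host reaching TCP 445 inbound
    ("203.0.113.250", "10.1.2.4", 445, 90_000),     # another outside host reaching SMB
    ("198.51.100.99", "10.0.0.25", 25, 30_000),     # inbound mail
]
```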

network sessions

Take a read of this blog post, if you would like to learn more on how to monitor network traffic on your network. It contains some handy tips on how to get visibility as to what is happening inside your network.

How to detect SMBv1 use on your Network

SMBv1 file sharing

How can I find out if SMBv1 is being used on my network?

Even if you disable SMBv1 on all clients and servers, it is still good practice to check if any systems on your network are using this protocol. You may have unmanaged systems like personal laptops or embedded operating systems within other network-connected devices. These are the most common ways to find out if SMB1 is in use on your network:

  1. Use a network traffic analysis system connected to a SPAN, mirror port or network TAP to monitor traffic associated with your file servers
  2. Run Get-SmbConnection on a client
  3. Scan your network using a vulnerability scanner
  4. Take a packet capture off the network and use Wireshark to identify what version of server message block you are running

Detect SMBv1 Use on Your Network

Use the deep packet inspection engine of LANGuardian to report on SMBv1 client or server activity by IP address or username. Real-time and historical reports are available. No need to install any agents or client software.

What is SMBv1?

Server message block (SMB) is an application layer network protocol typically used to provide shared access to files and printers. It is also known as Common Internet File System (CIFS). Most data is transferred via TCP port 445, although it also uses TCP ports 137 and 139.

SMB was first used in Windows operating systems around 1992. Windows Server 2003, and older NAS devices use SMBv1 natively. It is a very inefficient protocol; Microsoft have advised all customers to stop using SMBv1. SMBv2 was introduced with Windows Vista in 2006 and the latest version is SMB 3.1.1 which was introduced with Windows 10 and Windows Server 2016.

Detect SMBv1 Scanning and SMBv1 active or established connections


Why all the attention about SMBv1?

In May 2017, the WannaCry Ransomware started to infect computer networks around the world. It was the first in the family of WannaCrypt Ransomware which targeted both locally stored data and network based file shares. It has become a huge problem, and most IT and Security Managers have made detecting WannaCry Ransomware their top priority.

There are three known attack vectors for WannaCry. Some computers were accessed directly, some people opened email attachments and some were redirected to websites where they downloaded the malware.  Direct access is an unusual attack vector and occurred if a network allowed NetBIOS packets from external networks.

Data from antivirus provider Kaspersky Lab showed that 98% of the victims were actually running Windows 7. When the Ransomware first came out it was suggested that it was targeting Windows XP systems but the number of affected Windows XP systems looks to be insignificant.

This could be one reason for the widespread infection seen in this outbreak and why many people are unsure about the initial infection vector of the malware. All the more reason why you need to know what is going in and out of your network, not just in real time but also historically, so you can look back and see what happened.

Once downloaded, the malicious code in the zip file infects the local computer, which then does two things:

  • Encrypts the local filesystem
  • Attempts to infect other systems by exploiting vulnerabilities in SMBv1 (EternalBlue)

A further exploit known as DoublePulsar is then used to create a backdoor and inject malicious DLLs into the target system’s kernel. The EternalBlue and DoublePulsar exploits are linked to tools originally developed by the NSA which were recently exposed by the Shadow Brokers group.

Customer Use Case – Is there a way to detect SMB1 traffic?

Way back in October 2016 a US public sector customer sent us this query:

“Is there a way to detect SMB1 traffic? Microsoft recommends to stop using it so I’d like to see if it’s being used in our network.

IT Manager”

At that time our LANGuardian product could detect SMB traffic and extract metadata such as filenames and actions, but it did not capture and store the SMB version. Our product management team looked at this and we decided to modify our SMB decoder to capture the following information:

  1. Capture and store the SMB version of all SMB traffic.
  2. Generate an alert if a client or server establishes a connection using SMBv1
  3. Generate an alert if a client tries to connect to another network device using SMBv1

This use case also highlights the flexibility and power of using wire traffic data, as opposed to logs, to get visibility and the critical detail, in this case the SMB version. Some critical details like the SMB version may not be available from logs, but are available via network traffic analysis.

It is worth noting that at the time our customer did not have a Ransomware problem. They were being proactive by dealing with the SMBv1 problem before it could be exploited on their network. This is still very relevant today. Too many networks are still using SMBv1 and IT managers have no visibility into what protocols are being used on their internal networks.

What systems are at risk?

Any Windows system that supports SMBv1 and does not have patch MS17-010 applied is potentially at risk. This is not limited to just Windows Server 2003 and Windows XP clients. As far back as September 2016, Microsoft recommended the removal of SMBv1 from networks. Potentially all Windows clients on your network need to be checked and patched. Publicly available exploit code lists targets as:

  • Windows XP (all service packs) (x86) (x64)
  • Windows Server 2003 SP0 (x86)
  • Windows Server 2003 SP1/SP2 (x86)
  • Windows Server 2003 (x64)
  • Windows Vista (x86)
  • Windows Vista (x64)
  • Windows Server 2008 (x86)
  • Windows Server 2008 R2 (x86) (x64)
  • Windows 7 (all service packs) (x86) (x64)

Windows XP and Windows Server 2003 can only support SMBv1. Aim to cease use of these systems on your network, as they are end-of-life and Microsoft does not provide regular updates. The latest Windows 10 Insider build removes the SMBv1 server software. The SMB1 client remains, so that users can connect to devices still using the protocol, but the server side is gone.

What should I do?

Make sure you apply patch MS17-010. Disable SMBv1 on systems that can support SMBv2 and SMBv3; SMBv2 and SMBv3 are much more efficient and will use fewer network resources. Check your backups: are they running, and have you tested restoring data?

To disable SMBv1 you need to run these commands in PowerShell on each system.

  • Check for SMBv1:
    • Get-SmbServerConfiguration | Select EnableSMB1Protocol
  • To disable SMBv1 on the SMB server:
    • Set-SmbServerConfiguration -EnableSMB1Protocol $false

Further information on how to disable SMBv1 on other systems is available here. You can also disable SMBv1 via Group Policy preferences. This approach allows you to configure and enforce the registry settings related to disabling the SMBv1 client and server components for Windows Vista and Server 2008 and later.

Checking SMB version on a client

The version of SMB used between a client and the server will be the highest dialect supported by both the client and server.

This means if a Windows 10 machine is talking to a Windows Server 2012 machine, it will use SMB 3.0. If a Windows 8 machine is talking to Windows Server 2008 R2, then the highest common level is SMB 2.1.

To check which dialect version you are using, run the PowerShell cmdlet Get-SmbConnection:

Get-SmbConnection

Scan your network using a vulnerability scanner

Various vulnerability scanners may help with this, but need to know which systems to query. Microsoft have released Desired State Configuration Environment Analyzer which is a PowerShell module which can be used to scan a Windows Server 2012 R2 environment to see if any of the systems have SMB1 installed. Further reading in this post which also contains a sample script.

Using packet capture and analysis to detect SMBv1 activity

One of the easiest ways to detect what versions of server message block you are using is to use network traffic capture. You can do this locally on a client or server or use a SPAN\Mirror port. Once you have a source of network packets you need to process them using a network traffic monitoring application.

Microsoft have some guides on how to use their Message Analyzer application to audit active SMB1 usage. Further reading on this page, which includes some screenshots of what to look out for. As per the image below, Wireshark can also be used to check for SMB1 connections from live traffic or from a PCAP file. However, Wireshark and Microsoft Message Analyzer do not monitor continuously and do not alert.

Should I worry about non Windows operating systems?

The main target for Ransomware is Windows based file shares. However, variants such as KeRanger are designed to target macOS systems. In recent days the Samba team released a patch (CVE-2017-7494) on May 24 for a critical remote code execution vulnerability in Samba, the most popular file sharing service for Linux systems.

All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.

There is a high probability that this could be the target of a Linux specific Ransomware variant. It is even trending as SambaCry on Twitter at the moment. According to the Shodan computer search engine, more than 485,000 Samba-enabled computers exposed port 445 on the Internet. The main advice you can take from this is to make sure you patch vulnerable Linux systems and close access to TCP port 445 on your firewall if it is not needed.

What does LANGuardian do and how can it monitor SMBv1 traffic?

Deep Packet Inspection Software can monitor all client network connections and if equipped with sufficiently sophisticated application layer decoders, can determine the version of SMB protocol that is being used. All you need is a data source which is typically a SPAN\Mirror port or network TAP. Our own LANGuardian product includes a deep packet inspection engine which can be used to monitor network traffic on any network that has a managed switch.

LANGuardian can detect, report and alert on the following scenarios:

  • A client connection request to any server, using SMBv1 protocol
  • A successful connection response from a server using SMBv1
  • Any file share actions (file write, rename, read etc) transacted using the SMBv1 protocol

The advantages of this continuous monitoring are:

  • Any attempt by an infected client to infect any other system on the network (lateral movement) via SMBv1 can be detected.  It is not possible for a client to hide its “network traffic trail”
  • Clients do not have to be known by the monitoring system beforehand (so monitors managed and unmanaged devices)
  • Detects embedded systems that may not be patched
  • No endpoint software is needed such as agents or client software
  • Very easy to deploy, simply SPAN or mirror the traffic to and from the file share servers (usually on the same VLAN) to get instant visibility
  • No logs are required, no configuration changes or extra load on servers
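As an added example of the packet-capture approach described above (my own code, not a LANGuardian or NetFort decoder), here is a Python parser that applies the three detection scenarios listed above to captured TCP 445/139 payloads: it recognises SMBv1 (0xFF "SMB") and SMB2/3 (0xFE "SMB") headers, lists the dialects a client offers in its Negotiate request, flags any other SMBv1 command as an established SMBv1 session, and pairs a request with the server’s response to tell whether an SMBv1 dialect was actually accepted (a server that supports SMB2 answers a client’s "SMB 2.???" offer with an SMB2 response instead). The function names and alert strings are my own, and the sample messages are constructed in the block with minimal bodies.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SMB1_MAGIC, SMB2_MAGIC = b"\xffSMB", b"\xfeSMB"
SMB1_COM_NEGOTIATE, SMB1_FLAGS_REPLY = 0x72, 0x80        # MS-CIFS header: command byte, reply flag
SMB2_COM_NEGOTIATE, SMB2_FLAGS_RESPONSE = 0x0000, 0x0001  # MS-SMB2 header: command, SERVER_TO_REDIR flag
SMB2_DIALECTS = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0",
                 0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1"}

@dataclass
class SmbObservation:
    family: str                                        # "SMB1" or "SMB2"
    kind: str                                          # negotiate_request / negotiate_response / other
    dialects: List[str] = field(default_factory=list)  # offered (request) or chosen (SMB2 response)
    dialect_index: Optional[int] = None                # SMB1 response: index into the client's list
    alert: Optional[str] = None                        # set whenever the message shows SMBv1 in use

def strip_nbss(payload: bytes) -> bytes:
    """Drop the 4-byte NetBIOS Session Service header (type 0x00 + 24-bit length) if present."""
    if len(payload) >= 4 and payload[0] == 0x00:
        return payload[4:4 + int.from_bytes(payload[1:4], "big")]
    return payload

def parse_smb(payload: bytes) -> Optional[SmbObservation]:
    """Classify one SMB message; None for non-SMB or truncated data."""
    data = strip_nbss(payload)
    if data.startswith(SMB1_MAGIC) and len(data) >= 35:   # 32-byte header + WordCount + ByteCount
        return _parse_smb1(data)
    if data.startswith(SMB2_MAGIC) and len(data) >= 70:   # 64-byte header + the smallest body we read
        return _parse_smb2(data)
    return None

def _parse_smb1(data: bytes) -> SmbObservation:
    command, is_reply, body = data[4], bool(data[9] & SMB1_FLAGS_REPLY), data[32:]
    if command != SMB1_COM_NEGOTIATE:  # any other SMB1 command means an SMBv1 session is in use
        return SmbObservation("SMB1", "other", alert="SMBv1 session traffic (command 0x%02x)" % command)
    if not is_reply:  # request body: WordCount=0, ByteCount, then 0x02-prefixed NUL-terminated dialects
        blob = body[3:3 + struct.unpack_from("<H", body, 1)[0]]
        dialects = [d[1:].decode("ascii", "replace") for d in blob.split(b"\x00") if d.startswith(b"\x02")]
        only_v1 = not any(d.startswith("SMB 2.") for d in dialects)
        alert = "client offered only SMBv1 dialects" if only_v1 else "client sent SMBv1 negotiate (SMB2 also offered)"
        return SmbObservation("SMB1", "negotiate_request", dialects, alert=alert)
    index = struct.unpack_from("<H", body, 1)[0]  # reply body: WordCount, then DialectIndex
    if index == 0xFFFF:                             # server accepted none of the offered dialects
        return SmbObservation("SMB1", "negotiate_response")
    return SmbObservation("SMB1", "negotiate_response", dialect_index=index, alert="server accepted an SMBv1 dialect")

def _parse_smb2(data: bytes) -> Optional[SmbObservation]:
    command, body = struct.unpack_from("<H", data, 12)[0], data[64:]
    is_reply = bool(struct.unpack_from("<I", data, 16)[0] & SMB2_FLAGS_RESPONSE)
    if command != SMB2_COM_NEGOTIATE:
        return SmbObservation("SMB2", "other")
    if not is_reply:  # request: StructureSize=36, DialectCount at +2, dialect codes from +36
        count = struct.unpack_from("<H", body, 2)[0]
        if len(body) < 36 + 2 * count:
            return None
        codes = struct.unpack_from("<%dH" % count, body, 36)
        return SmbObservation("SMB2", "negotiate_request", [SMB2_DIALECTS.get(c, hex(c)) for c in codes])
    code = struct.unpack_from("<H", body, 4)[0]  # response: DialectRevision at +4
    return SmbObservation("SMB2", "negotiate_response", [SMB2_DIALECTS.get(code, hex(code))])

def classify_exchange(client_payload: bytes, server_payload: bytes) -> Tuple[Optional[str], List[str]]:
    """Pair a negotiate request with its response: (dialect actually in use, alerts raised)."""
    req, resp = parse_smb(client_payload), parse_smb(server_payload)
    alerts = [o.alert for o in (req, resp) if o and o.alert]
    if resp and resp.kind == "negotiate_response":
        if resp.family == "SMB2":
            return resp.dialects[0], alerts
        if resp.dialect_index is not None:  # resolve the index against what the client offered
            offered = req.dialects if req and req.kind == "negotiate_request" else []
            name = offered[resp.dialect_index] if resp.dialect_index < len(offered) else "SMBv1 (index %d)" % resp.dialect_index
            return name, alerts
    return None, alerts

# Constructed sample messages: bodies are minimal, but the header layouts match the wire format.
def nbss_wrap(msg: bytes) -> bytes:
    return b"\x00" + len(msg).to_bytes(3, "big") + msg

def smb1_header(command: int, reply: bool) -> bytes:
    flags = SMB1_FLAGS_REPLY if reply else 0x18
    return SMB1_MAGIC + struct.pack("<BIBHH8sHHHHH", command, 0, flags, 0xC853, 0, bytes(8), 0, 0, 0, 0, 0)

def smb2_header(command: int, flags: int) -> bytes:
    return SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ16s", 64, 0, 0, command, 0, flags, 0, 0, 0, 0, 0, bytes(16))

def smb1_negotiate_request(dialects: List[str]) -> bytes:
    blob = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    return nbss_wrap(smb1_header(SMB1_COM_NEGOTIATE, False) + b"\x00" + struct.pack("<H", len(blob)) + blob)

def smb1_negotiate_response(dialect_index: int) -> bytes:
    # WordCount=17, DialectIndex, 16 further parameter words (zeroed here), ByteCount=0
    return nbss_wrap(smb1_header(SMB1_COM_NEGOTIATE, True) + b"\x11" + struct.pack("<H", dialect_index) + bytes(34))

def smb2_negotiate_request(codes: List[int]) -> bytes:
    fixed = struct.pack("<HHHHI16sQ", 36, len(codes), 1, 0, 0, bytes(16), 0)
    return nbss_wrap(smb2_header(SMB2_COM_NEGOTIATE, 0) + fixed + struct.pack("<%dH" % len(codes), *codes))

def smb2_negotiate_response(code: int) -> bytes:
    return nbss_wrap(smb2_header(SMB2_COM_NEGOTIATE, SMB2_FLAGS_RESPONSE) + struct.pack("<HHHH16s", 65, 1, code, 0, bytes(16)))
```

Feeding real captures means reassembling each TCP stream first and handing every SMB message (with its NetBIOS length prefix) to parse_smb, pairing requests with responses per connection.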

The video below shows LANGuardian in action and how it can be used to root out SMB1 clients and servers on your network.

Full Packet Capture now available in LANGuardian

Network packet capture

We regularly get feature requests from our customers, which are always very welcome. Such requests can greatly influence our road-map, while they also highlight that our customers are actively using our products. Recently a number of customers asked us to add direct or full packet capture. Specifically, they wanted a way to capture a small amount of very specific traffic.

At the core of LANGuardian is a metadata extraction engine where raw network packets are analyzed. User and application data such as usernames, filenames and website domains are extracted and stored in a database which can then be used for real time or historical troubleshooting.

However, there may be times where you may need access to the raw network packets. Typical use cases would include:

  • More detail for troubleshooting issues. Earlier, I was looking at a DHCP issue on my network, and I took a capture of the DHCP traffic to see if there was anything interesting in the packet payloads.
  • Capture specific traffic which then can be used to build custom IDS signatures or for developing firewall rules.
  • Application traffic sampling for building custom application signatures.

As LANGuardian packet sensors are typically connected to the network core, they have access to a rich data source. Applications such as Wireshark can easily be overloaded if you connect them to a SPAN or mirror port. The LANGuardian packet capture feature allows you to create packet captures based on:

  1. Network interface
  2. Packet and flow filters
  3. Packet count

Take a look at the short video below, as it shows how a packet capture was set up to grab 100 TCP packets where the destination port was set to 80.

If you would like to try this packet capture feature for yourself, download a 30-day trial of LANGuardian here.

Monitoring OneDrive Traffic

monitor onedrive traffic

How to monitor OneDrive traffic

OneDrive is a file hosting service developed by Microsoft that allows users to sync files and later access them from any web browser or mobile device. Presently, their basic OneDrive free package allows for 5GB of storage and you can upgrade to a premium offering which allows for 1TB of storage. This can result in high bandwidth use associated with OneDrive traffic.

A common question asked by our customers is how to provide reports about flow data usage by the Microsoft OneDrive application. The application requires access to a range of external websites and port numbers which can make it tricky to get a top level view of bandwidth use.

From an IP lookup point of view, all of the IP addresses are registered to Microsoft, so you may not be able to definitively say it was OneDrive traffic using IP lookup alone.

Firstly, all of the traffic is encrypted (ignore the HTTP part, as that was me browsing other sites). This would be standard practice for all cloud storage services; I would be very surprised to find one that was not using encryption, and if so, I would refuse to use it.

Drilling down on the HTTPS traffic revealed that the data was associated with the live.com domain. This makes perfect sense, as OneDrive is included in the suite of online services formerly known as Windows Live.

onedrive domains

Further analysis highlights that this activity is associated with storage sub domains within live.com. LANGuardian captures this by dissecting the server’s SSL certificate (which must always be presented to the client), from which it can extract the server or domain name. By filtering on this sub domain information, it is then possible to show how much data is associated with OneDrive.

associated onedrive traffic domains

Finally, looking at the GeoIP data, I can see that the IP addresses are registered in the US. Nothing strange here, as I think all of Microsoft’s IP blocks are US registered.

onedrive geoip information

If you want to check for OneDrive traffic volumes on your network, download a 30 day trial of LANGuardian, install it on a standard server or on VMware, and simply connect it to a SPAN port or port mirror to find out what is happening on your network within minutes.

Looking back at our 2016 Top Blog Posts

2016 Top Blog Posts


As we look back on 2016, we review our top 5 blog posts from the year that highlight key challenges and share solutions on how we have helped our customers (I know most like to show their top 10 blog posts, but we think that’s too many to read all at once!).

1. Tracking Web Activity by MAC Address (Read)

Tracking web activity is nothing new! For many years, IT managers have tried to get some sort of visibility at the network edge so that they can see what is happening. One of the main drivers for this is the need to keep the network secure no matter what type of device gets connected. As Internet usage is constantly growing, malicious, phishing, scamming and fraudulent sites are also evolving. In this post, we take a look at how to track web activity back to MAC addresses.

2. Five Methods for Detecting Ransomware Activity (Read)

New variants of Ransomware are appearing on a daily basis and traditional security tools like antivirus are struggling to keep up. New variants have also changed the way they encrypt files and what happens to your data once it is encrypted. Here, we take a look at 5 methods for detecting and alerting on Ransomware activity.

3. Forensic Analysis of a DDoS Attack (Read)

2016 was a busy year for DDoS style attacks and a recent article from the BBC also suggests that website-crippling cyber-attacks are set to rise. We look at what happens when a network is targeted and what you should watch out for on your own network.

4. Monitoring multiple VLANs with a single SPAN session (Read)

SPAN or mirror ports can be a rich source of network and user activity data. Most people set them up so that one port is mirroring another port. However, most switches support many-to-one port mirroring and some even support VLAN monitoring. In this post, we look at how you can configure VLAN monitoring on a Cisco switch.

5. Building Your Own Cryptolocker Monitoring Dashboard (Read)

This is the second Ransomware themed post in our top 5 which indicates how much of a problem Ransomware was in 2016. In this post, we look at how you can build a LANGuardian dashboard to focus on suspicious network file share activity.

Let us know what your favorite blogs were in 2016 in the comments below – and perhaps, tell us what you would like us to cover. We are always listening!

So you don’t miss any of our blogs in 2017, subscribe here!

GeoIP Use Cases for Network Traffic Analysis

Using GeoIP for Network Traffic Analysis & Security Monitoring

GeoIP refers to the method of locating a network device’s geographic location by using that device’s IP address. This can be very useful for identifying where your data is going or for spotting suspicious activity on your network.

For many Network Administrators, Wireshark continues to be the tool of choice when it comes to troubleshooting network issues. I use it all the time myself and it is excellent for diagnosing issues associated with a single client or host. You can also integrate GeoIP databases with Wireshark so you can see countries associated with IP packets.

However, Wireshark struggles when it comes to monitoring traffic flowing through a switch, especially at the network core. You will end up with too much data and it can be hard to spot problems.

wireshark

This is where our LANGuardian product fits in, as you can use it to monitor network traffic on your network. You simply need to deploy it as a physical or virtual appliance, set up a SPAN or mirror port and you are good to go! I am using a beta version of LANGuardian with GeoIP features in my home lab and I am using it for some interesting use cases.

GeoIP Use Case #1: Where is my data going?

I use a lot of cloud services for both personal and work tasks. If we upload something to Google Drive or synchronize something with Dropbox, do we care where our data goes? For most people, the answer to that is no, but if you are dealing with sensitive data, then you may want to check this out.

Thankfully most cloud service providers encrypt all sessions now, but that makes things difficult for network monitoring tools. However, if you use a product like LANGuardian, which can extract metadata from network packets, then you can get an understanding of what is happening. In the example below, we can see encrypted connections from my network to Google Drive addresses which are registered in the US.

GeoIP Use Case 1

GeoIP Use Case #2: What servers are users\devices connecting to outside my network?

Watch out for any connections to servers in countries where you would not expect them. For example, on my network I noticed a lot of traffic associated with a server in The Netherlands. Drilling down on this revealed the traffic was associated with connections over UDP 443, which is typical of private VPN connections.

GeoIP use case 2

GeoIP Use Case #3: Check for suspicious inbound activity

Most networks will have a very strict policy on what traffic is allowed inbound to a network. What I mean by inbound is where the connection is established by a client or server outside the network's perimeter. Typically this will be limited to services like email. A review of the activity within my lab showed some activity associated with UDP connections. Further analysis revealed this to be BitTorrent activity – the high server port number is also an indicator of BitTorrent activity.

GeoIP use case 3

GeoIP Use Case #4: When investigating IDS\security events, what are the associated countries?

When you are investigating a security issue you need to have as much data as possible. What devices were targeted, where did the activity come from, what applications were used, was any data copied etc. In this next image, we can see that an IDS event has triggered due to BitTorrent activity and the client in question has made connections to other clients in many different countries.

GeoIP use case 4
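The four use cases above can be reduced to a single annotation pass over flow records: resolve the remote end to a country, work out the direction, and apply the checks the post describes. The following is an added example in Python, not LANGuardian code. The GeoIP prefix table, the flow records, the list of expected countries and the list of permitted inbound ports are all constructed for the demo and stand in for your own GeoIP database and policy.

```python
"""Annotate flow records with a country and flag the four GeoIP use cases above.
Added example, not LANGuardian code: the GeoIP table, flows and policy lists
below are constructed for this demo."""
import ipaddress
from collections import Counter

# Constructed stand-in for a GeoIP database: prefix -> country (LOCAL = our own LAN).
GEOIP_TABLE = {
    "10.0.0.0/8": "LOCAL",
    "8.8.0.0/16": "US",
    "185.10.0.0/16": "NL",
    "203.0.113.0/24": "CN",
    "198.51.100.0/24": "DE",
}
PREFIXES = [(ipaddress.ip_network(p), cc) for p, cc in GEOIP_TABLE.items()]
LOCAL_NET = ipaddress.ip_network("10.0.0.0/8")
EXPECTED_COUNTRIES = {"LOCAL", "US", "DE"}  # assumption: where this network's traffic normally goes
ALLOWED_INBOUND_PORTS = {25, 443}           # assumption: inbound policy permits email and HTTPS only

# Constructed flow records: (src_ip, dst_ip, proto, src_port, dst_port, bytes)
FLOWS = [
    ("10.1.1.20", "8.8.4.4", "tcp", 51000, 443, 1_200_000),    # cloud sync to a US address
    ("10.1.1.21", "185.10.5.9", "udp", 50000, 443, 340_000),   # UDP 443 to NL: VPN-like
    ("203.0.113.7", "10.1.1.30", "udp", 6881, 51413, 80_000),  # inbound UDP to a high port
    ("198.51.100.5", "10.1.1.2", "tcp", 40000, 25, 5_000),     # inbound mail, permitted
    ("10.1.1.22", "10.1.1.2", "tcp", 52000, 445, 900_000),     # internal SMB, never leaves the LAN
]


def country_of(ip):
    """Longest-prefix lookup in the constructed GeoIP table; '??' when unknown."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, cc in PREFIXES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cc)
    return best[1] if best else "??"


def classify(flow):
    """Work out direction and remote country, then apply the four checks."""
    src, dst, proto, _sport, dport, _nbytes = flow
    src_local = ipaddress.ip_address(src) in LOCAL_NET
    dst_local = ipaddress.ip_address(dst) in LOCAL_NET
    if src_local and not dst_local:
        direction, remote = "outbound", dst
    elif dst_local and not src_local:
        direction, remote = "inbound", src
    else:
        direction, remote = "internal", None
    country = country_of(remote) if remote else "LOCAL"
    flags = []
    if direction != "internal" and country not in EXPECTED_COUNTRIES:
        flags.append("unexpected_country")                 # use case #2 / #4
    if direction == "outbound" and proto == "udp" and dport == 443:
        flags.append("udp443_possible_vpn")                # use case #2 drill-down
    if direction == "inbound" and dport not in ALLOWED_INBOUND_PORTS:
        flags.append("inbound_not_in_policy")              # use case #3
        if proto == "udp" and dport >= 1024:
            flags.append("high_udp_port_bittorrent_like")  # high server port, as in the text
    return {"flow": flow, "direction": direction, "country": country, "flags": flags}


def bytes_by_country(flows):
    """Use case #1: how many bytes left the network for each destination country."""
    totals = Counter()
    for flow in flows:
        result = classify(flow)
        if result["direction"] == "outbound":
            totals[result["country"]] += flow[5]
    return totals


def flagged(flows):
    """Flows that tripped at least one check, for the IDS-style drill-down (use case #4)."""
    return [r for r in map(classify, flows) if r["flags"]]


if __name__ == "__main__":
    print("outbound bytes by country:", dict(bytes_by_country(FLOWS)))
    for r in flagged(FLOWS):
        print(r["direction"], r["country"], r["flags"], r["flow"][:2])
```

The lookup uses longest-prefix matching rather than first match because real GeoIP data contains nested prefixes with different countries; the "expected countries" and "allowed inbound ports" sets are the policy, and everything the script flags is a candidate for the kind of drill-down shown in the screenshots, not a verdict.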

If you are interested in testing a beta version of our GeoIP integration, please email us at: support@netfort.com

Is it the Network or is it the Server?

Is it the network or is it the server

Is it the network?

No matter how well we design networks, servers\applications can run slow or go offline completely. Some of this may be down to too many users accessing a service, hardware failures or security issues, to name but a few. The problem is that everyone will blame the network and it will be up to you to answer the question “is it the network or is it the server?”.

To be in the position to answer this question, you need data and this data can be acquired from network monitoring tools or log files. The important thing is to set these up now and not wait for problems to happen. There are hundreds of monitoring tools available and the trick is to get one to give you the right level of detail to get to the root cause of network and application issues.

Troubleshooting Example

For this example, I am going to focus on a web application which was reported to have been running slow. The story is based around a real world problem that I worked on recently; it is a straightforward client and single server configuration. However, I will look at tiered applications in a later post.

For most server troubleshooting scenarios, I start off by looking at what is happening on the network before moving on to look at what is happening locally on the server. My tool of choice is LANGuardian, which is set up to monitor network traffic going to\from important servers.

The first data set that I look at is total traffic to the server broken down by protocol. Normally, you would see lots of traffic associated with open TCP ports on the server. This can vary: if media streaming applications are in use, you may see more traffic associated with UDP protocols. As I am focusing on a web server, the ratios in the image below look correct, with a lot more TCP traffic than UDP traffic. If the server was targeted as part of a DDoS attack you would also see a lot more UDP traffic.

Total network traffic associated with server

The next step is to drill down on the traffic volumes and see what applications are in use. NetFlow based tools will try and label applications based on TCP\UDP port numbers. In my case, I am using network packets as a data source and so the application labels are based on the packet contents, which is a lot more accurate. The top two applications are file sharing and web, which looks normal as that is what the server is used for.

Applications associated with server

Moving on, I next take a look at the connection rates to the server. This report shows something interesting in that one client seems to be establishing a lot of connections to the server. The report is looking at a 20 minute time frame which suggests automation rather than a user connecting to the server. At this stage, it looks like the answer to the question “is it the network” is a no. Evidence so far suggests a user or application problem.

Total network connections to server

The next drill-down reveals the root cause of our server issue. A user called Laura.Ashton is accessing a resource called stress.htm on the server. Detail like this is called metadata: specific data fields extracted from network traffic. A call to the user confirmed that they were running test scripts to check server performance under load. They stopped the scripts and server performance returned to normal.

user metadata
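The connection-rate step is the one that turned the investigation above from "the network" to "a user", so it is worth seeing how the numbers fall out. The following is an added example in Python, not LANGuardian code. The metadata records are constructed: one scripted client requesting stress.htm every two seconds for 20 minutes, plus a few ordinary users; the server address, usernames other than the one in the post, and the per-minute threshold are assumptions.

```python
"""Connection-rate drill-down from the troubleshooting walkthrough above.
Added example, not LANGuardian code. The metadata records are constructed:
one scripted client requesting stress.htm every two seconds for 20 minutes,
plus a few ordinary users."""
from collections import Counter
from datetime import datetime, timedelta

SERVER = "10.1.1.10"                     # constructed: the web server under investigation
START = datetime(2017, 3, 1, 10, 0, 0)   # constructed: start of the 20-minute window
WINDOW = timedelta(minutes=20)

# Records as a packet-inspection tool would export them:
# (timestamp, client_ip, username, server_ip, requested_uri)
RECORDS = [
    (START + timedelta(seconds=2 * i), "10.1.1.50", "laura.ashton", SERVER, "/stress.htm")
    for i in range(600)
]
RECORDS += [
    (START + timedelta(minutes=i), ip, user, SERVER, uri)
    for i, (ip, user, uri) in enumerate([
        ("10.1.1.60", "john.doe", "/index.html"),
        ("10.1.1.61", "ann.lee", "/reports/q1.pdf"),
        ("10.1.1.62", "bob.ray", "/index.html"),
    ])
]


def connections_per_client(records, server_ip, start=START, window=WINDOW):
    """Connections to server_ip per client inside [start, start + window)."""
    end = start + window
    counts = Counter()
    for ts, client, _user, srv, _uri in records:
        if srv == server_ip and start <= ts < end:
            counts[client] += 1
    return counts


def automation_suspects(records, server_ip, start=START, window=WINDOW, per_minute=10):
    """Clients whose sustained rate is beyond what a person clicking in a browser produces.
    The threshold is an assumption; take one from your own baseline."""
    minutes = window.total_seconds() / 60
    counts = connections_per_client(records, server_ip, start, window)
    return {client: n for client, n in counts.items() if n / minutes > per_minute}


def drill_down(records, client_ip, top=3):
    """The metadata that names the cause: who is doing it and which resource they hit."""
    pairs = Counter((user, uri) for _ts, client, user, _srv, uri in records if client == client_ip)
    return pairs.most_common(top)


if __name__ == "__main__":
    for client, n in automation_suspects(RECORDS, SERVER).items():
        print(f"{client}: {n} connections in 20 min -> {drill_down(RECORDS, client)}")
```

The point of splitting the rate check from the drill-down is the same as in the post: the rate alone tells you a client is automated, but only the username and URI metadata tell you whether it is a load test, a misbehaving application or something worth escalating.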

Metadata is fast becoming a must have data source for troubleshooting security and operational issues. It is one of the main reasons why tools which monitor network traffic are seen as the next step up from flow based tools. Recently we asked a customer “What issue/requirement has the LANGuardian addressed for you?” Their response was “To get a deeper look into the traffic flow in and out of our network. It also allowed us to see what was hogging data.” For this customer, use cases like the one covered in this post are a regular thing and so tools like LANGuardian are a must have to answer that age old question of “Is it the network or is it the server?”.

Get an alert when certain traffic is found on the network

Custom reports and alerts associated with certain protocols

We just received this interesting request into our support desk: “Is it possible to get an alert when certain traffic is found on the network? For example, when TFTP or FTP is used we get an email”. IT professionals want to know when there is suspicious traffic moving around their networks. Sometimes this is because of data exfiltration use cases, and in others it is down to quickly identifying when external hosts are accessing data on the LAN or WAN.

Content based application recognition

LANGuardian uses a feature called content based application recognition to identify what applications are running on a network. This is more accurate than technologies which use TCP\UDP port numbers to label network traffic. LANGuardian identifies applications by looking at packet payloads, so if an application uses a non-standard port number it is still detected.
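To make the difference between port-based and content-based labelling concrete, here is an added example in Python that identifies the two protocols from the support request, TFTP and FTP, from the packet payload and falls back to the port number only when the payload says nothing. It is not LANGuardian's recognition engine; the packets are constructed for the demo, and the list of FTP commands is an assumption chosen to avoid commands shared with look-alike protocols.

```python
"""Content-based application recognition, as an added example in Python
(not LANGuardian's engine): identify TFTP and FTP from the payload so that a
non-standard port does not hide them, then raise alerts for a watch list.
The packets below are constructed for the demo."""
import re

# FTP commands that do not occur in look-alike protocols such as POP3 (USER/PASS is shared,
# so it is deliberately left out). Assumption: extend with whatever your own traffic shows.
FTP_COMMAND = re.compile(rb"^(RETR|STOR|PASV|PORT|EPSV|CWD|TYPE|LIST|NLST)( [^\r\n]*)?\r\n", re.I)
TFTP_MODES = {b"netascii", b"octet", b"mail"}
PORT_LABELS = {("udp", 69): "tftp", ("tcp", 21): "ftp", ("tcp", 80): "http"}

# Constructed packets: (proto, dst_port, payload)
PACKETS = [
    ("udp", 69, b"\x00\x01config.bin\x00octet\x00"),      # TFTP read request on the usual port
    ("udp", 5555, b"\x00\x02backup.tgz\x00octet\x00"),    # TFTP write request on a non-standard port
    ("tcp", 8080, b"RETR payroll.xlsx\r\n"),               # FTP command where only HTTP is expected
    ("tcp", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("udp", 69, b"\x00\x04\x00\x01"),                      # TFTP ACK: carries no filename
]


def parse_tftp_request(payload):
    """Return (opcode_name, filename, mode) for a well-formed TFTP RRQ/WRQ, else None.
    Wire format: 2-byte opcode (1=RRQ, 2=WRQ), filename, NUL, mode, NUL [, options]."""
    if len(payload) < 4:
        return None
    opcode = int.from_bytes(payload[:2], "big")
    if opcode not in (1, 2):
        return None
    parts = payload[2:].split(b"\x00")
    if len(parts) < 3 or parts[-1] != b"":   # filename and mode must both be NUL-terminated
        return None
    filename, mode = parts[0], parts[1].lower()
    if not filename or mode not in TFTP_MODES:
        return None
    return ("RRQ" if opcode == 1 else "WRQ", filename.decode("ascii", "replace"), mode.decode())


def identify_application(proto, dst_port, payload):
    """Label by payload first and by port only as a fallback; returns (label, basis)."""
    if proto == "udp" and parse_tftp_request(payload):
        return ("tftp", "payload")
    if proto == "tcp" and FTP_COMMAND.match(payload):
        return ("ftp", "payload")
    if (proto, dst_port) in PORT_LABELS:
        return (PORT_LABELS[(proto, dst_port)], "port")
    return ("unknown", "none")


def alerts(packets, watchlist=("tftp", "ftp")):
    """One alert per packet whose application is on the watch list."""
    out = []
    for proto, port, payload in packets:
        label, basis = identify_application(proto, port, payload)
        if label in watchlist:
            out.append({"app": label, "proto": proto, "port": port, "basis": basis})
    return out


if __name__ == "__main__":
    for a in alerts(PACKETS):
        print(f"ALERT {a['app']} over {a['proto']}/{a['port']} (identified by {a['basis']})")
```

The second and third packets are the ones a port-based tool mislabels: a TFTP write on UDP 5555 and an FTP RETR on TCP 8080 both get the right name here because the payload is parsed, while the ACK on port 69 shows the fallback still labelling by port when the payload carries nothing distinctive.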

Creating custom reports to focus on certain applications

Before you can configure application alerting, you first need to create a report that focuses on a specific application. Log on to your LANGuardian web console and click on the All Reports menu. Select the More option under the Applications section.

Report on protocols
  • Click on the report Top Talkers by Application.
  • Click on the Show More link, which exposes the full set of report filters on the right.
  • From the protocol drop-down, select the application that you want to focus on. For my example I am going to choose HTTP.
  • Run the report to check for any network activity associated with that application.
  • As per the image below, click on the Actions option and choose Save As. Type in an appropriate report name and save your custom report.

Get an alert when certain traffic is found on the network

Once you have the report saved you can then configure alerting if traffic associated with the report filters is detected. To enable this you need to:

  • Click on the gear symbol at the top right and select Settings
  • From the Alerts, Reports section select Email and alerts configuration
  • Click on Report Wizard
  • Scroll down to the custom section and select every 2 hours from the Send Alert drop-down

Repeat the process for each application that you want to get an alert on. Your LANGuardian will run each report automatically every two hours. If activity is detected an alert is sent.

How to conserve YouTube bandwidth usage

Monitoring YouTube Bandwidth Usage

How to conserve YouTube bandwidth usage on any network

How to conserve YouTube bandwidth usage is an issue faced by many network managers. YouTube is one of the most popular services on the Internet and, for me, it is my number one go-to resource for technical information and entertainment.

My favorite channels range from a guy who takes apart random electronic devices to another, who can repair anything on four wheels; I think everyone has their favorites. The YouTube interface hasn’t changed very much over the years, but the quality of the videos has increased significantly.

One of the reasons YouTube network activity seems to have increased in recent years is not necessarily that the social media channel has become more popular. It has more to do with YouTube bandwidth requirements. 4k video support was added in 2010 and more recently 4k streaming support was announced. So, without doubt, YouTube bandwidth usage is at the forefront of most Network Managers’ minds.

Blocking YouTube Network Activity is Not an Ideal Solution

YouTube in the workplace has always been a difficult relationship. HR departments worry about employees wasting time watching videos, and IT or Network Administrators worry about the way it can consume bandwidth. Blocking YouTube is never a great idea, as essentially you will end up blocking access to a fantastic learning resource.

Blocking introduces a further issue, in that people will try to find a way around this block.  Applications like Hola allow users to get around web filters. When this happens their attack surface increases, as they will be able to access any website, including those hosting malware. If you want to monitor network traffic for this type of activity, I took a look at how you can use DNS metadata to see those clients running applications like Hola in a previous blog post.

One way to conserve YouTube bandwidth usage is to get users to watch videos at lower resolution. There is a massive difference in bandwidth use if you watch a video at the lowest setting when compared to the maximum. YouTube will always try and use the maximum setting, so you can have the best viewing experience.

If employees need YouTube access during work hours, they will rarely need to watch videos in high definition. Dropping down to 480p or less will result in less bandwidth use and less congestion at Internet gateways. Provided users comply with acceptable use policies, this way to conserve YouTube bandwidth usage should keep both HR Departments and Network Administrators happy.

YouTube Bandwidth Usage

How much bandwidth does YouTube use?

Let's take a look at YouTube bandwidth use when different resolution settings are selected. For these tests, I used our own LANGuardian product to monitor traffic on my Internet gateway. The graphs show bandwidth use on my Internet gateway over the course of about 2 hours, as I watched one video on YouTube and increased the resolution settings during this time period.

YouTube @ 144p

Watching YouTube videos at the lowest resolution used up about 0.1Mb/s of bandwidth on my test network. However, the quality of the playback was poor. It is ideal if you just want to listen to some music with the video part minimized.

YouTube 144p

YouTube @ 480p

Increasing the resolution to 480p increased bandwidth use to around 1.6Mb/s. For most YouTube playback in the workplace, this is a good setting. Video and audio will be clear.

YouTube 480p

YouTube @ 1080p

Once you start playing YouTube videos in HD mode you start to eat up enough bandwidth to put a dent in many Internet connections. My own tests reported YouTube bandwidth use at around 3.5Mb/s while watching a single video in 1080p HD mode. As I mentioned earlier, there is no need to be streaming content at these rates for most use cases.

YouTube 1080p

YouTube @ 2160p

Watching YouTube videos at the current highest resolution of 2160p (also known as 4k) will eat a lot of bandwidth. In my own test, I saw levels around 20Mb/s while watching one video. This can increase to 30Mb/s if your playback equipment can support it.

YouTube 2160p

The Benefits of Monitoring YouTube Network Traffic

Being able to monitor YouTube usage in such detail has its benefits. Network managers can identify when users are exceeding acceptable YouTube bandwidth use – even on wireless connections – and impose bandwidth limits on YouTube network traffic to stop persistent offenders.

Monitoring YouTube network traffic with a deep packet inspection solution such as LANGuardian can also help resolve network issues such as WAN connectivity problems. With LANGuardian, Network Administrators are able to detect the root causes of the issues and resolve them quickly.

Monitoring a network to control and conserve YouTube bandwidth usage is therefore a better solution than blocking access to the social media site or trying to enforce an unenforceable acceptable use policy. If you allow YouTube network activity in the workplace, and monitor YouTube usage effectively, you could resolve many more issues than employees wasting time watching videos.

Conclusion: Education rather than eradication

In my experience, it is better to educate users on the appropriate use of YouTube during normal business hours. You will find that it is almost impossible to eradicate YouTube from the workplace. So, it is best to have network traffic monitoring tools in place to check on YouTube bandwidth usage. In the event that someone is continuously hogging bandwidth, remind them of your fair usage policy! Finally, if you need to research something, watch your videos in low resolution where possible.

Why Monitoring Network Traffic is important during the Holidays

Monitoring network traffic

Monitoring network traffic around holiday events

Thanksgiving and Black Friday have come and gone and to those of you who celebrated either, I hope you had a good one! Holiday events like this can bring extra challenges when it comes to keeping networks running securely and efficiently. Cyber criminals exploit times like this with anything from fake purchase invoices to malware attached to shipping notifications.  One way to keep your network secure is to monitor network traffic so you can see what is happening on your network.

Once you start monitoring network traffic, you need to watch out for suspicious traffic patterns or new devices connecting to your networks. The best way to do this is via network packet capture. If you are unsure where to start, check out this recent blog post which looks at where you should be analyzing network traffic on your network.

Detecting Hola and other anonymizers

Over the past week, I have noticed an increase in the use of a browser plugin called Hola. It is used to get around web filters and to anonymize web browsing. I am not a huge fan of web filters unless they are used to block access to malware sites or illegal content.

Occasionally, I see Network Managers blocking sites like YouTube as they use a lot of bandwidth; this can frustrate users, as YouTube has a lot of useful and work related content. Instead, users should be educated on how to watch videos in lower resolutions and thus reduce bandwidth use. If users are blocked from accessing sites, they will look at finding ways around this, and this can expose the network to other security risks.

The danger of plugins like Hola is that they can expose users to sites which can cause problems like Ransomware infections. Cybercriminals know that users may be more vulnerable around Thanksgiving or Black Friday. Users may be more inclined to click on a link to a silly Thanksgiving video or try and access a website which is advertising amazing discounts.

One way to detect the presence of Hola clients on your network is to check for DNS requests associated with the Hola website. You can do this by monitoring network traffic going to and from your Internet gateway. Once you have traffic monitoring in place, you can use a tool like LANGuardian to extract the DNS metadata from the network packets. The image below shows an example of this; here, we can see that a client was detected sending DNS queries associated with the Hola service.

Detecting Hola Traffic

Watch out for new devices connecting to your network

The second issue to watch out for at this time of year is the influx of new devices connecting to networks. Many people will have bought tablets or other IoT type devices and some may find their way onto corporate networks. The problem is that some devices may be prone to attacks if default settings are used. Hacked cameras and DVRs were responsible for a massive Internet outage recently.

You can detect new devices on your network by watching out for new MAC addresses or by watching for certain strings in hostnames. In the following image, we can see how our LANGuardian system detected the presence of an Android device on my network. The report in use is called Ethernet :: DHCP Lease Assignments. Once you have the MAC address, you can trace it by looking through the ARP tables on your switches.

Detecting IoT devices with network traffic monitoring
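Both checks in this post, DNS queries for an anonymizer service and new devices showing up in DHCP leases, come down to matching metadata records against a short list. The following is an added example in Python, not LANGuardian code. The DNS and DHCP log lines are constructed; the anonymizer domain list, the hostname watch strings and the MAC inventory are assumptions that you would replace with what your own data shows.

```python
"""Two checks from the post above, as an added example in Python (not LANGuardian
code): clients querying DNS for an anonymizer service, and new devices seen in
DHCP leases. The log lines, the domain list, the hostname watch strings and the
MAC inventory are constructed or assumed for the demo."""
import re

ANONYMIZER_DOMAINS = ("hola.org",)   # assumption: the Hola web domain; extend from your own DNS data
WATCH_HOSTNAME_STRINGS = ("android", "iphone", "ipad", "ipcam", "dvr")   # assumption
KNOWN_MACS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}   # constructed asset inventory

# Constructed DNS metadata: timestamp client qtype qname
DNS_LOG = """\
2016-11-28T09:12:03 10.1.1.40 A client.hola.org
2016-11-28T09:12:04 10.1.1.40 A www.example.com
2016-11-28T09:13:10 10.1.1.41 AAAA hola.org
2016-11-28T09:14:00 10.1.1.42 A notholaorg.example.net
2016-11-28T09:14:05 10.1.1.42 A hola.org.evil.example
""".splitlines()

# Constructed DHCP lease assignments: timestamp DHCPACK ip mac hostname ('-' = none offered)
DHCP_LOG = """\
2016-11-28T09:15:00 DHCPACK 10.1.1.77 aa:bb:cc:dd:ee:01 android-3f2a9c
2016-11-28T09:16:30 DHCPACK 10.1.1.12 00:11:22:33:44:01 laptop-finance-07
2016-11-28T09:18:12 DHCPACK 10.1.1.78 aa:bb:cc:dd:ee:02 -
2016-11-28T09:20:45 DHCPACK 10.1.1.79 aa:bb:cc:dd:ee:03 DVR-frontdoor
""".splitlines()

DNS_RE = re.compile(r"^(\S+) (\S+) (A|AAAA|CNAME|TXT) (\S+)$")
DHCP_RE = re.compile(r"^(\S+) DHCPACK (\S+) ([0-9a-fA-F:]{17}) (\S+)$")


def matches_domain(qname, domain):
    """True for the domain itself or any subdomain. A bare substring test would also
    match look-alikes such as hola.org.evil.example, so compare on label boundaries."""
    qname = qname.rstrip(".").lower()
    return qname == domain or qname.endswith("." + domain)


def anonymizer_clients(dns_lines, domains=ANONYMIZER_DOMAINS):
    """Map client IP -> list of matching query names."""
    hits = {}
    for line in dns_lines:
        m = DNS_RE.match(line)
        if not m:
            continue
        _ts, client, _qtype, qname = m.groups()
        if any(matches_domain(qname, d) for d in domains):
            hits.setdefault(client, []).append(qname)
    return hits


def new_devices(dhcp_lines, known_macs=KNOWN_MACS):
    """Leases whose MAC is not in the inventory or whose hostname matches a watch string."""
    found = []
    for line in dhcp_lines:
        m = DHCP_RE.match(line)
        if not m:
            continue
        _ts, ip, mac, host = m.groups()
        reasons = []
        if mac.lower() not in known_macs:
            reasons.append("unknown_mac")
        if any(s in host.lower() for s in WATCH_HOSTNAME_STRINGS):
            reasons.append("hostname_match")
        if reasons:
            found.append((ip, mac.lower(), host, reasons))
    return found


if __name__ == "__main__":
    print("anonymizer clients:", anonymizer_clients(DNS_LOG))
    for ip, mac, host, why in new_devices(DHCP_LOG):
        print(f"new device {ip} {mac} {host}: {', '.join(why)}")
```

The domain match is done on label boundaries rather than as a substring on purpose: the last constructed DNS line is a look-alike that a naive `"hola.org" in qname` test would flag. The DHCP check reports a reason per lease, so a device that offers no hostname at all still surfaces through its unknown MAC, which is the lead you take to the switch ARP tables as the post describes.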

Conclusion: You need to be monitoring network traffic

Network traffic monitoring was once difficult and only used for low level network troubleshooting. However, metadata analysis tools have now made this task much easier and more accessible. While it is vital that you monitor network traffic around holiday events, our advice is that you should have it running 24/7 all year round. It will allow you to get to the root cause of operational and security issues much faster.

About NetFort

NetFort provides network traffic and security monitoring software for virtual and physical networks. NetFort’s flagship product, LANGuardian, is unique in the marketplace thanks to its powerful deep-packet inspection technology that can be downloaded and deployed on standard physical or virtual hardware to provide comprehensive visibility in minutes. Organizations worldwide depend on LANGuardian solutions for everything from monitoring user activity to file activity monitoring, web activity monitoring, network security monitoring, bandwidth monitoring, wire data analytics, network forensics and packet capture.

How to troubleshoot slow network issues

Troubleshoot slow network problems with network traffic analysis

One of the most vague issues to land on any Network Administrator's desk is users complaining that the network is slow. In most cases, the network is not to blame; instead, the user is experiencing issues with a slow application or website. However, more often than not it is the responsibility of Network Administrators to troubleshoot slow network issues and prove that it is not the network.

The first thing you will need is a data source, so you can find out what is happening on your network. You can use technologies such as flow analysis or packet capture. For my example, I am going to use packet capture as it provides the greatest detail; you just need to ensure you set it up in the right places on the network.  Check out my earlier post which looks at ways to monitor network traffic and pick the most important points to focus on.

We develop a network traffic monitoring tool called LANGuardian. It can report on real-time and historical network use. This is important when it comes to troubleshooting slow network issues. You need to be able to compare what is happening when the network is running slow versus what was happening when the network was running without issues.

Check overall traffic volumes

If the user complaints are coming from a remote office, I would check traffic volumes on the link first. We covered this topic in a previous post which looks at ways for generating reports on WAN bandwidth utilization. If the complaints are coming from users on the local LAN, then I would focus on all network activity.

The first report I look at is the ratio of TCP to UDP traffic. A normal network will carry over 80% TCP traffic. If UDP protocols are using your bandwidth, check the data from the previous day and see if it is something new. Excessive UDP traffic can be a sign of a DDoS attack or overuse of media streaming. Issues such as these can slow down a network.

Find out which applications are consuming the most bandwidth

Next up, I would check for the most active applications. For most networks, activity like file sharing, web or database activity ranks highest during business hours. If you see something like backup running during the day or large data replications between servers it can be the source of network slowdowns.

troubleshoot slow network issues via top protocols report

Check for network broadcast issues

A broadcast storm can slow down a network within seconds. All it takes is for one rogue device to send out a few hundred megabytes of broadcast data and suddenly your LAN will be saturated with broadcast packets. A quick way to look for this activity is to filter on network packets which have ff:ff:ff:ff:ff:ff as a destination MAC address.

You should also take a look at multicast traffic. It is less problematic than broadcast traffic, but worth checking if you are trying to troubleshoot slow network problems. Use a filter to show traffic associated with the destination IP range 224.0.0.0/4.

Watch out for excessive connection rates

Firewalls and layer 3 devices such as routers can struggle if connection rates increase significantly on a network. If clients start disconnecting from web sites or services hosted on the other side of routers, it is worth checking this metric.

top connection pairs on network
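The checks above share one idea: compare today's numbers with a day when the network was fine. The following is an added example in Python, not LANGuardian code, that runs the TCP/UDP ratio, broadcast-sender and multicast-volume checks over packet summaries and reports only what differs from the baseline. All packet summaries, MAC addresses and thresholds are constructed or assumed for the demo.

```python
"""Baseline comparison for the slow-network checks above, as an added example
in Python (not LANGuardian code): TCP/UDP ratio today versus yesterday,
broadcast senders (destination MAC ff:ff:ff:ff:ff:ff) and multicast volume
(224.0.0.0/4). All packet summaries are constructed for the demo."""
import ipaddress
from collections import Counter

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
MULTICAST_NET = ipaddress.ip_network("224.0.0.0/4")


def pkt(src_mac, dst_mac, src_ip, dst_ip, proto, length, n=1):
    """n identical constructed packet summaries: (src_mac, dst_mac, src_ip, dst_ip, proto, bytes)."""
    return [(src_mac, dst_mac, src_ip, dst_ip, proto, length)] * n


# Yesterday: a normal day, about 85% TCP by volume.
YESTERDAY = (pkt("00:aa:00:00:00:01", "00:aa:00:00:00:10", "10.1.1.5", "10.1.1.10", "tcp", 1400, n=850)
             + pkt("00:aa:00:00:00:02", "00:aa:00:00:00:10", "10.1.1.6", "10.1.1.10", "udp", 1400, n=150))
# Today: UDP share jumps, one host floods the broadcast address, and a little mDNS multicast.
TODAY = (pkt("00:aa:00:00:00:01", "00:aa:00:00:00:10", "10.1.1.5", "10.1.1.10", "tcp", 1400, n=500)
         + pkt("00:aa:00:00:00:02", "00:aa:00:00:00:10", "10.1.1.6", "10.1.1.10", "udp", 1400, n=500)
         + pkt("00:aa:00:00:00:99", BROADCAST_MAC, "10.1.1.99", "10.1.1.255", "udp", 1400, n=400)
         + pkt("00:aa:00:00:00:03", "01:00:5e:00:00:fb", "10.1.1.7", "224.0.0.251", "udp", 200, n=50))


def bytes_by_proto(packets):
    totals = Counter()
    for _smac, _dmac, _sip, _dip, proto, length in packets:
        totals[proto if proto in ("tcp", "udp") else "other"] += length
    return totals


def tcp_share(packets):
    totals = bytes_by_proto(packets)
    total = sum(totals.values())
    return totals["tcp"] / total if total else 0.0


def udp_share(packets):
    totals = bytes_by_proto(packets)
    total = sum(totals.values())
    return totals["udp"] / total if total else 0.0


def broadcast_sources(packets, min_bytes=100_000):
    """Senders that pushed at least min_bytes to the Ethernet broadcast address, largest first."""
    per_src = Counter()
    for src_mac, dst_mac, _sip, _dip, _proto, length in packets:
        if dst_mac.lower() == BROADCAST_MAC:
            per_src[src_mac] += length
    return [(mac, b) for mac, b in per_src.most_common() if b >= min_bytes]


def multicast_bytes(packets):
    return sum(length for _smac, _dmac, _sip, dst_ip, _proto, length in packets
               if ipaddress.ip_address(dst_ip) in MULTICAST_NET)


def diagnose(today, yesterday, udp_rise=0.2):
    """Findings in the order the post checks them; thresholds are assumptions."""
    findings = []
    rise = udp_share(today) - udp_share(yesterday)
    if rise > udp_rise:
        findings.append(f"UDP share up {rise:.0%} against yesterday: check for DDoS or streaming")
    for mac, nbytes in broadcast_sources(today):
        findings.append(f"broadcast storm candidate {mac}: {nbytes} bytes to {BROADCAST_MAC}")
    if multicast_bytes(today) > multicast_bytes(yesterday):
        findings.append(f"multicast volume rose to {multicast_bytes(today)} bytes (usually benign)")
    return findings


if __name__ == "__main__":
    print(f"TCP share yesterday {tcp_share(YESTERDAY):.0%}, today {tcp_share(TODAY):.0%}")
    for f in diagnose(TODAY, YESTERDAY):
        print("-", f)
```

Ratios are computed on bytes rather than packet counts because a broadcast storm or a UDP flood is a bandwidth problem; a packet-count ratio would understate a small number of full-size frames and overstate chatter. The multicast finding is reported but ranked last, matching the post's note that it is less problematic than broadcast traffic.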

Summary

There are many ways to troubleshoot slow network problems, and I haven’t covered them all in this post. However, I always use the approach outlined above and in most cases, I find the root cause of network problems by monitoring network traffic and comparing what happens during a network slowdown against times when the network is running normally.

To see LANGuardian in action – try our interactive demo today!

5 Tips if you are looking to monitor network traffic

Monitor Network Traffic

What you should consider if you want to monitor network traffic

There are many good reasons to monitor network traffic. The information obtained by network traffic monitoring tools can be used in multiple security and IT operational use cases to (for example) identify security vulnerabilities, troubleshoot network issues and analyze the impact new applications will have on the network.

However, not all tools for monitoring network traffic are the same. Generally they can be broken down into two types – flow-based tools and deep packet inspection tools. Within these two types you have the choice of tools that use/don't use software agents, tools that store/don't store historical data, and tools with intrusion detection systems that monitor network traffic within the network as well as along the network edge.

Here are my 5 tips if you are looking to monitor network traffic.

1. Choose the right data source

Whatever your motive for monitoring network traffic, you have two main data sources to choose from:

(1) Flow data can be acquired from layer 3 devices like routers

(2) Packet data can be sourced from SPAN, mirror ports or via TAPs

Flow data is fine if you are looking for traffic volumes and mapping the journey of a network packet from its origin to its destination. This level of information can help detect unauthorized WAN traffic, the utilization of network resources and network performance. However, flow-based tools for monitoring network traffic lack the detailed data to perform true root cause analysis.

Packet data extracted from network packets can help network managers understand how users are using applications, track usage on WAN links, and monitor for suspicious malware or other security incidents. By transforming the raw metadata into a readable format and enabling network managers to drill down to the minutest detail, deep packet inspection tools provide 100% visibility over the network.

2. Pick the correct points on the network to monitor

Naturally with agent-based software, you have to install software on each device you want to monitor. This is not only an expensive way of monitoring network traffic but it creates a significant maintenance overhead for IT teams. Furthermore, if your objective is to monitor activity on a BYOD or publicly-accessible network, agent-based software will not give you the full picture of user activity because it is impractical (and in some states illegal) to monitor activity on users' personal devices.

Even with agent-free software, a common mistake many people make when deploying tools to monitor network traffic is that they try to monitor too many data sources at the start. There is no need to monitor every network point. Instead you need to pick points where data converges. Examples of this would be Internet gateways, Ethernet ports on WAN routers or VLANs associated with critical servers.

If you are new to getting tools in place to monitor network traffic, I would suggest you should start by monitoring your Internet gateway(s). This can be an excellent source of security and operational data. This short video below explains how you can do this with Cisco switches – a similar approach can be applied to other switch vendors.

3. Sometimes real-time data is not enough

The ability to monitor network traffic in real-time is sufficient to achieve many objectives of network traffic monitoring, but sometimes real-time data is not enough. Historical data is just as important if you want to analyze past events, identify trends or compare current network activity to maybe a week previous. For these objectives it is best to use tools for monitoring network traffic with deep packet inspection.

Some tools for monitoring network traffic choose to age data. This means the further back you go historically, the less detail you can get. While this can save on disk space, it is not an ideal solution if you are trying to determine how an intruder managed to overcome your defenses to plant malware on the network. Without accurate and complete data relating to the event, you can be left looking for answers that no longer exist.

It is also a good idea to be aware that some SIEM and network traffic monitoring systems base their pricing on the amount of data you want to store. Keep a watchful eye out for this when you are evaluating solutions. Other appliance-based tools are limited based on the specifications of the system you buy, and an upgrade becomes a replacement appliance which can be expensive. The most flexible options are network traffic monitoring tools that are software-based and allow you to allocate whatever disk space you think is appropriate.

4. Associate the data with usernames

Traditional network traffic monitoring tools usually report on activity using IP or MAC addresses. While this is useful information, it can be problematic in DHCP environments if you are trying to find a problematic device. One piece of information that can bring together network activity and devices is usernames. Username association will let you know who is doing what on the network.

User network traffic screenshot

5. Check the flows and packet payloads for suspicious content

Many networks have intrusion detection systems at the network edge but very few networks have this type of technology monitoring traffic inside the network. All it takes is one rogue mobile or IoT device for a network to be compromised. Another issue I often see is firewalls allowing suspicious traffic through where a rule was misconfigured.

The image below shows an example of this: someone created a rule to allow traffic inbound on TCP 5901 (VNC remote desktop sharing), but they did not limit it to one source and destination. The source addresses in this case appear to be registered in China, and connections from this country would not be expected on this network.

Network Security Events
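The misconfiguration described above, an inbound allow for a remote-access port with no source or destination restriction, is easy to catch in a rule review before the IDS has to. The following is an added example in Python, not LANGuardian code, that audits a vendor-neutral rule list for exactly that pattern. The rule set and the list of sensitive ports are constructed or assumed for the demo.

```python
"""An audit for the misconfiguration described above, as an added example in
Python (not LANGuardian code): flag inbound allow rules that expose a
remote-access service to any source or to a whole subnet instead of one host.
The rule set and the port list are constructed/assumed for the demo."""
import ipaddress

# Assumption: services that should only ever be reachable from named sources.
SENSITIVE_PORTS = {22: "ssh", 23: "telnet", 445: "smb", 3389: "rdp", 5900: "vnc", 5901: "vnc"}

# Constructed rule set in a vendor-neutral shape.
RULES = [
    {"id": 10, "action": "allow", "dir": "in", "proto": "tcp", "dport": 5901,
     "src": "0.0.0.0/0", "dst": "10.1.1.0/24"},            # the rule from the post: no source limit
    {"id": 20, "action": "allow", "dir": "in", "proto": "tcp", "dport": 5901,
     "src": "198.51.100.7/32", "dst": "10.1.1.20/32"},     # same service, properly scoped
    {"id": 30, "action": "allow", "dir": "in", "proto": "tcp", "dport": 443,
     "src": "0.0.0.0/0", "dst": "10.1.1.80/32"},           # public web server: expected
    {"id": 40, "action": "deny", "dir": "in", "proto": "any", "dport": None,
     "src": "0.0.0.0/0", "dst": "10.0.0.0/8"},             # default deny
]


def audit_rule(rule, min_src_prefix=24):
    """Findings for one rule; only inbound allows of sensitive services are of interest."""
    findings = []
    if rule["action"] != "allow" or rule["dir"] != "in":
        return findings
    service = SENSITIVE_PORTS.get(rule["dport"])
    if service is None:
        return findings
    src = ipaddress.ip_network(rule["src"])
    dst = ipaddress.ip_network(rule["dst"])
    if src.prefixlen < min_src_prefix:      # /0 .. /23: far wider than a named source
        findings.append(f"rule {rule['id']}: {service} ({rule['dport']}) allowed from {src}; "
                        f"restrict to the known source address")
    if dst.num_addresses > 1:
        findings.append(f"rule {rule['id']}: {service} allowed to {dst.num_addresses} hosts in {dst}; "
                        f"limit it to the one host that needs it")
    return findings


def audit(rules):
    return [finding for rule in rules for finding in audit_rule(rule)]


if __name__ == "__main__":
    for finding in audit(RULES):
        print(finding)
```

Rule 10 produces two findings, one for the unrestricted source and one for the /24 destination, while the properly scoped rule 20 for the same service and the public HTTPS rule 30 pass; the audit is a complement to the network-side check in the screenshot, not a replacement for it, since a rule that looks fine can still let traffic through that the IDS should see.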

Summary

My 5 tips if you are looking to monitor network traffic are flexible depending on your motives for monitoring network traffic, the depth of visibility you need over the network to achieve your objectives, and the resources you have available to address potentially high maintenance overheads.

Nonetheless they should help you determine the most appropriate tool for network traffic monitoring, and the features it should have in order to monitor network traffic effectively. There is a huge number of solutions available if you want to monitor network traffic. The key is to pick one to match your requirements.

  • Choose flow based analysis tools if you want to get traffic volumes and IP addresses associated with WAN or other layer 3 links
  • Choose packet analysis tools if you need traffic volumes, IP addresses and more detail to investigate security or operational issues.

If you would like to discuss any of the points raised in this article, do not hesitate to contact us.

Monitoring IP Spoofing activity on your network

In my opinion, network traffic analysis and bandwidth monitoring solutions are a must have. You can closely monitor bandwidth and traffic patterns to identify any anomalies that can be addressed before they become threats. The trick is to capture usernames and other metadata as well as the usual IP addresses and flow information, so that you can fully understand what is happening on your network and spot suspicious traffic like IP spoofing.

Last week, I worked on an interesting network issue which involved IP Spoofing. One of our LANGuardian customers reported that they were seeing a lot of network scans from IP addresses that were not part of their local address schemes. Network scans are typically triggered when a single IP address attempts to connect to hundreds of other clients in a short time period.

Network Scans

The customer was using 10.0.0.0/8 addressing but the scans were originating from 172.16.0.0/12 addresses. For a 24 hour period, we detected over 5.5 million connection attempts. What was unusual here was the source address range: it is private, so it should not be routed in from the Internet.

The customer wanted to know whether this was IP spoofing or whether traffic from that network had somehow found its way into their main corporate network. IP spoofing is the creation of IP packets with a false source address, either to hide the identity of the sender or to impersonate another system.

IP spoofing is also widely used in DDoS amplification attacks. In DNS and NTP amplification the attacker sends small queries to open resolvers or NTP servers with the source IP spoofed to the victim's address, so the much larger responses flood the victim with unsolicited traffic. Attacks like this can overwhelm networks; a recent attack on the Krebs on Security blog peaked at around 665 Gbps.

If you spot suspicious traffic or IP addresses on your network, the first thing to work out is whether the source is spoofed or whether real connections were established. Many traffic analysis and IDS systems raise an alert when a single source attempts to connect to many other devices. In most cases they are counting SYN packets, which attempt to initiate a TCP connection. If the target replies with a SYN-ACK and the source completes the handshake with an ACK, the source address is reachable and genuine. A spoofed source never sees the SYN-ACK, so you will see SYNs (and perhaps SYN-ACKs heading back towards the forged address) but no completed connections.

Your first priority is to look at the flow reports for the source addresses. For this demonstration I am using our own product, LANGuardian, but you can take a similar approach with other network traffic monitoring applications. In my demonstration data the scans originate from the 10.11.0.0/16 network, so that is the range I focus on.

As the image below shows, we do not detect any flows or connections associated with this subnet, which suggests that whatever device is sending these packets is spoofing the source addresses.

IP Spoofing Dashboard

The next step is to find the MAC addresses associated with those IP addresses. Again, I am using the built-in inventory reports in LANGuardian to resolve the MAC address of the suspicious IP addresses; in my case this narrowed the search down to a single Dell system. Bear in mind that a MAC address only identifies the last layer 2 hop: if the spoofed packets crossed a router or firewall before reaching the SPAN port, the MAC you see belongs to that device and not to the original sender.

MAC Address

My next step is to check the MAC address tables on the switches to find the port the device is connected to, and then shut that port down. Going back to the customer issue, we traced the problem to one of their firewalls. It had a known issue that caused it to send out random IP packets with source addresses in the 172.16.0.0/12 range. A firmware upgrade fixed it and the spoofed packets disappeared.
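The handshake logic from the steps above, as an added example that is not part of the original post or of LANGuardian: the packet records, the 10.0.0.0/8 local range and the three-destination scan threshold are all constructed for the demonstration. A source that sends SYNs to many hosts and never completes a handshake, even though the targets answer with SYN-ACKs, is treated as spoofed; a scanner that does complete at least one handshake is a real device worth chasing by MAC address and switch port.

```python
# Added example (not LANGuardian code): decide whether a scanning source is
# spoofed by checking for completed TCP handshakes, as described above.
import ipaddress
from collections import defaultdict

# Constructed sample records (src_ip, dst_ip, tcp_flags) as an analyser would
# extract from a SPAN feed. "S" = SYN, "SA" = SYN-ACK, "A" = ACK.
SAMPLE_PACKETS = [
    # 172.16.5.9 sprays SYNs; targets answer SYN-ACK, but the source never
    # ACKs because it does not exist: the classic spoofed-source pattern.
    ("172.16.5.9", "10.0.0.1", "S"), ("10.0.0.1", "172.16.5.9", "SA"),
    ("172.16.5.9", "10.0.0.2", "S"), ("10.0.0.2", "172.16.5.9", "SA"),
    ("172.16.5.9", "10.0.0.3", "S"),
    # 10.0.7.20 also scans but completes a handshake with one host: a real,
    # reachable device on the LAN that needs tracking down by MAC and port.
    ("10.0.7.20", "10.0.0.1", "S"), ("10.0.0.1", "10.0.7.20", "SA"),
    ("10.0.7.20", "10.0.0.1", "A"),
    ("10.0.7.20", "10.0.0.4", "S"), ("10.0.7.20", "10.0.0.5", "S"),
    # An ordinary client with a single connection: not a scanner.
    ("10.0.9.1", "10.0.0.1", "S"), ("10.0.0.1", "10.0.9.1", "SA"),
    ("10.0.9.1", "10.0.0.1", "A"),
]

LOCAL_RANGES = [ipaddress.ip_network("10.0.0.0/8")]  # assumed site addressing
SCAN_THRESHOLD = 3  # distinct SYN destinations before a source counts as a scanner


def classify_sources(packets, local_ranges=LOCAL_RANGES, threshold=SCAN_THRESHOLD):
    """Return {src: verdict} for every source that SYNs to >= threshold hosts.

    "spoofed": SYNs seen and SYN-ACKs sent back, but the source never ACKs.
    "real":    at least one three-way handshake completed from this source.
    ",foreign-source" is appended when the address is outside local_ranges.
    """
    syn_targets = defaultdict(set)   # src -> hosts it sent a SYN to
    synack_from = defaultdict(set)   # original SYN sender -> hosts that replied SYN-ACK
    ack_sent = defaultdict(set)      # src -> hosts it sent a bare ACK to
    for src, dst, flags in packets:
        if flags == "S":
            syn_targets[src].add(dst)
        elif flags == "SA":
            synack_from[dst].add(src)
        elif flags == "A":
            ack_sent[src].add(dst)

    verdicts = {}
    for src, targets in syn_targets.items():
        if len(targets) < threshold:
            continue
        completed = ack_sent[src] & synack_from[src]
        verdict = "real" if completed else "spoofed"
        if not any(ipaddress.ip_address(src) in net for net in local_ranges):
            verdict += ",foreign-source"
        verdicts[src] = verdict
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_sources(SAMPLE_PACKETS).items():
        print(f"{src:15} {verdict}")
```

The example keys only on addresses; a production analyser would track each connection by port pair and sequence numbers so that an ACK belonging to an old session is not mistaken for a completed handshake. Note also that the SYN-ACKs the targets send back towards the forged address are themselves a useful artefact: they show up on the wire even though nothing real is listening at that address.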

For additional information on IP spoofing, take a moment to watch this short video.

About NetFort

NetFort provides network traffic and security monitoring software for virtual and physical networks. NetFort’s flagship product, LANGuardian, is unique in the marketplace thanks to its powerful deep-packet inspection technology that can be downloaded and deployed on standard physical or virtual hardware to provide comprehensive visibility in minutes. Organizations worldwide depend on LANGuardian solutions for everything from user activity monitoring to file activity monitoring, web activity monitoring, network security monitoring, bandwidth monitoring, wire data analytics, network forensics and packet capture.

To see LANGuardian in action – try our interactive demo today!

5 Points on your Network where you should be analyzing Network Traffic

Network Traffic Analysis Tools

Analyzing Network Traffic – Where To Start

If you want to find out what is happening on your network, analyzing network traffic is a great way to start. Capturing traffic from a SPAN port, mirror port or network TAP gives you a non-intrusive way to gain visibility, with no need for software agents or clients.

If you want to move up from capturing local traffic on a client with an application like Wireshark, it may not be obvious where to start capturing. In this blog post I look at the most important points on a network to focus on. In every case you can use a SPAN port, port mirror, TAP or network packet broker (NPB) as the source of network packets.

1.  Network Perimeter \ Internet Gateway

The best starting point for any traffic analysis strategy is the edge of your network. Many bandwidth and security issues can be investigated by analyzing traffic at this point: large downloads, streaming, or suspicious inbound or outbound connections. Start by monitoring the internal interfaces of your firewalls. On the inside you still see the real client addresses; on the outside interface everything has already been translated (NAT) to the firewall's public address, so you lose the ability to tie activity back to specific clients or users.

This video explains how you can use a SPAN port to monitor internet activity.

2. Network Core

Once you have visibility at the network edge, look at analyzing traffic at the network core. Most managed switches can take a copy of the traffic going to\from multiple ports and send it to a single port where you plug in your analysis tool. On certain switches, such as Cisco, you can mirror entire VLANs so you don't need to pick out specific ports.

The key thing to watch out for at the core is overloading the SPAN port. Mirroring both directions of a 1Gb link can produce up to 2Gb/s of output, so a single 1Gb destination port is easily oversubscribed and the switch silently drops the excess. If you max out the capacity, consider splitting the traffic across two SPAN\mirror ports or moving to a 10Gb destination port if you are currently using 1Gb.

3. DMZ

Once you have visibility inside your network, consider monitoring activity just outside the network's edge. This is typically a demilitarized zone (DMZ), which may contain web servers and other public-facing resources.

A DMZ is a busy place when it comes to network events. Many devices here have public IP addresses and so are constantly scanned and probed for vulnerabilities.

Analyzing Network Traffic in DMZ

4. Remote Networks

If you are analyzing network traffic at your network core, you should be able to see what is happening on WAN links. This is possible through the use of filters based on the subnets in use at the remote sites. You can read more about this in my recent blog post which looked at a number of ways for generating reports on WAN bandwidth utilization.

However, you will need to analyze traffic locally at the remote sites if you want to see what is happening on these remote networks. A typical use case for this would be identifying the source of a broadcast or unicast storm at the remote network.

5. East West Traffic on Virtual Platforms

If you use virtual environments like VMware, Hyper-V or VirtualBox, you will have virtual networks in place. These are built from virtual switches mapped to the physical interfaces on the hypervisor. Traffic between virtual hosts on the same virtual switch never appears on the physical network, which has become a common blind spot for network managers who have virtualized one or more servers.

In order to gain visibility within a virtual environment, you need to deploy a virtual machine capable of analyzing network traffic flowing through a virtual switch. The following video explains what needs to be done to implement this on an ESX server.

Further videos in the resources section of this website look at what you need to do on other hypervisors.


3 Ways for Generating Reports on WAN Bandwidth Utilization

monitoring bandwidth use

Bandwidth Monitoring Options

One of the most common use cases for network traffic analysis is WAN link bandwidth monitoring. The challenge for most network managers is that increasing link speed is not always the solution. Links get overloaded for a reason, and you need to find the root cause before you consider upgrading them.

The good news is that most network equipment will already have built-in features which allow you to find out what is happening on your network. You just need to pick the right one, to give you the level of visibility that you need.

1. SNMP polling

Simple Network Management Protocol (SNMP) lets you read interface statistics such as port speed and octet counters, from which utilization is calculated. You need an SNMP polling application to query router interfaces at regular intervals. It is an efficient way of getting high-level information, but you won't be able to drill down to find the source of problems.

SNMP graph
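What an SNMP poller actually does with the interface counters, as an added example that is not part of the original post or of any NetFort product: the two counter samples, the 10 Mbit/s link speed and the 30-second poll interval are constructed. The point worth seeing is the wrap: ifInOctets and ifOutOctets are 32-bit counters, so a 1 Gbit/s link running flat out wraps them roughly every 34 seconds. Poll faster than that or use the 64-bit ifHCInOctets/ifHCOutOctets counters; if two wraps happen between polls, the delta below is silently wrong.

```python
# Added example (not LANGuardian code): convert two successive SNMP polls of
# an interface's octet counters into utilization, allowing for the 32-bit
# wrap of ifInOctets/ifOutOctets (RFC 2863) on busy links.
COUNTER32_MAX = 2 ** 32


def counter_delta(previous, current, width=COUNTER32_MAX):
    """Octets counted between two samples, allowing for a single counter wrap."""
    if current >= previous:
        return current - previous
    return (width - previous) + current


def utilization_percent(prev, curr, interval_s, if_speed_bps, width=COUNTER32_MAX):
    """prev/curr are (ifInOctets, ifOutOctets) samples taken interval_s apart.

    Returns (in_pct, out_pct) relative to if_speed_bps (the ifSpeed value).
    """
    in_bits = counter_delta(prev[0], curr[0], width) * 8
    out_bits = counter_delta(prev[1], curr[1], width) * 8
    capacity = if_speed_bps * interval_s
    return 100.0 * in_bits / capacity, 100.0 * out_bits / capacity


# Constructed samples for a 10 Mbit/s WAN interface polled 30 s apart;
# the inbound counter wraps past 2^32 between the two polls.
SAMPLES = [
    (4_294_000_000, 1_000_000),   # poll 1: (ifInOctets, ifOutOctets)
    (1_500_000, 31_000_000),      # poll 2
]

if __name__ == "__main__":
    in_pct, out_pct = utilization_percent(SAMPLES[0], SAMPLES[1], 30, 10_000_000)
    print(f"in {in_pct:.2f}%  out {out_pct:.2f}%")
```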

2. Flow data analysis

NetFlow, sFlow and IPFIX are examples of flow standards. Flow features on routers and other layer 3 capable devices provide the ability to collect IP network traffic as it enters or exits an interface. You need a flow collector which will collect the flow records and this data can be used to generate graphs and reports on WAN link usage.

You need to try and collect the flow data as near as possible to the routers\switches that you are monitoring. For example, if you install your NetFlow collector at your data center, you need to collect the flow data from the routers located at the data center. Don’t collect the flow data from the routers at the remote sites, as you will end up with lots of extra traffic across the WAN links.

NetFlow Analysis

Flow data is not an ideal option if you want to monitor web traffic and it may not be available on all network devices. However, it will allow you to drill down to see data such as IP addresses and port numbers.

3. Network packet capture

One of the richest data sources on a network is a SPAN\Mirror port or the output of a network test access point (TAP). This gives you a mirror image of the traffic moving around, and coupled with the right analysis tool, you can get visibility from layer 2 to layer 7 of the OSI model. When it comes to WAN monitoring you just need to capture traffic going to\from router Ethernet ports.

network bandwidth monitoring

You can learn more about setting up a SPAN port to monitor Internet traffic in this video below. You can adopt a similar approach for monitoring WAN activity.

How to filter data associated with a single WAN connection?

Once you have collected your flow or packet data, you need to filter it so that you see only the traffic associated with a specific link. While the flow standards export the interface index (ifIndex) of the ingress and egress interfaces, most people choose to filter the data based on subnet(s).

Let's say we have a hub-and-spoke topology and the data center uses the address range 10.1.0.0/16. This is CIDR notation. If you are not sure which CIDR prefix to use, calculate it from the subnet mask of the clients and\or servers at the remote site. For example, if the clients at the remote site use the subnet mask 255.255.0.0 and a client has the IP address 10.2.100.29, the whole network can be written as 10.2.0.0/16.

Hub and Spoke Network

Here is a handy CIDR calculator which you can use to work out what notation you need to use to filter data going to and from a specific network. You can then use this within your bandwidth monitoring tool to show all traffic associated with the remote network. The image below depicts how you would do this within our LANGuardian product.

CIDR Notation
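The subnet calculation and filter described above, as an added example that is not part of the original post or of LANGuardian: the flow records and the 10.1.0.0/16, 10.2.0.0/16 and 10.3.0.0/16 ranges are constructed. It goes slightly beyond the page's "filter on subnet" advice by only counting flows with exactly one end inside the site, which is what it means for a flow to have crossed the WAN link.

```python
# Added example (not LANGuardian code): work out a remote site's CIDR prefix
# from one client address and its mask, then total the bytes that actually
# cross that site's WAN link in a set of constructed flow records.
import ipaddress


def site_network(client_ip, subnet_mask):
    """10.2.100.29 + 255.255.0.0 -> IPv4Network('10.2.0.0/16')."""
    return ipaddress.ip_network(f"{client_ip}/{subnet_mask}", strict=False)


# Constructed flow records (src_ip, dst_ip, bytes) as a collector would export.
# Assumed addressing: data centre 10.1.0.0/16, remote sites 10.2.0.0/16 and 10.3.0.0/16.
SAMPLE_FLOWS = [
    ("10.2.100.29", "10.1.0.10", 1_500_000),     # remote client -> DC server
    ("10.1.0.10", "10.2.100.29", 48_000_000),    # DC server -> remote client
    ("10.2.100.30", "10.1.0.11", 200_000),
    ("10.3.0.5", "10.1.0.10", 9_000_000),        # a different site
    ("10.2.100.29", "10.2.100.31", 3_000_000),   # local-to-local at the remote site
]


def wan_bytes(flows, site):
    """Inbound/outbound byte totals for flows with exactly one end inside site.

    A flow with both ends inside the site (client to local printer, say) never
    crosses the WAN, so a plain "src or dst in subnet" filter would over-count
    it whenever such flows are visible to the collector.
    """
    inbound = outbound = 0
    for src, dst, nbytes in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s in site and d not in site:
            outbound += nbytes
        elif d in site and s not in site:
            inbound += nbytes
    return {"inbound": inbound, "outbound": outbound}


def per_site_wan_bytes(flows, sites):
    """Totals for several remote sites at once, keyed by CIDR string."""
    return {str(site): wan_bytes(flows, site) for site in sites}


if __name__ == "__main__":
    sites = [site_network("10.2.100.29", "255.255.0.0"), site_network("10.3.0.5", "255.255.0.0")]
    for cidr, totals in per_site_wan_bytes(SAMPLE_FLOWS, sites).items():
        print(cidr, totals)
```

Direction is expressed from the remote site's point of view: bytes leaving the site are outbound, bytes arriving at it are inbound, which is the same orientation a graph of the site's WAN router interface would show.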


How to Setup SPAN Ports on Cisco Nexus Switches


Setting up SPAN ports on Cisco Nexus switches

SPAN ports are commonly used for network traffic analysis applications. SPAN ports work by sending a copy of the traffic destined to one or more ports or VLANs to another port on the switch that has been connected to a network traffic analysis or security device. SPAN mirrors receive or send (or both) traffic on one or more source ports to a destination port for analysis.

The current generation of Cisco switches based on the Nexus platform has a slightly more complicated SPAN setup than other Cisco switch platforms. In summary, you must put the destination port into monitor mode (switchport monitor) before you can use it as the destination of a SPAN session, and the session itself is created in the shut state until you enable it.

In this blog post we look at two common network traffic monitoring scenarios and how to configure a SPAN port on a Cisco Nexus switch for each. For more detailed configuration, check out the guide in the Cisco Nexus manual which covers all SPAN options.

Monitoring a single switch port using a SPAN session

In this example we are going to set up a SPAN port to monitor traffic going to and from the firewall. The copy of the traffic sent to the network traffic analyzer via its sensor port is shown as the red connection. For this example the SPAN destination port is ethernet 2/10 and the firewall port is ethernet 1/1.

Single-Port-SPAN

Configuration Example

switch# configure terminal
switch(config)# interface ethernet 2/10
switch(config-if)# switchport monitor
switch(config-if)# exit
switch(config)# monitor session 2
switch(config-monitor)# destination interface ethernet 2/10
switch(config-monitor)# source interface ethernet 1/1 both
switch(config-monitor)# no shut

On NX-OS a monitor session is created in the shut state, so the final no shut is required before any traffic is mirrored. Confirm that the session is up and that the source and destination are what you expect with show monitor session 2.

Monitoring a VLAN using a SPAN session

If you want to monitor multiple servers or devices on your network, you can monitor whole VLANs with a SPAN session. In the next example we set up a SPAN port to monitor traffic going to and from our server VLAN. For this example the SPAN destination port is again ethernet 2/10 and we use it to monitor VLAN 100.

Monitoring a VLAN with SPAN

Configuration Example

switch# configure terminal
switch(config)# interface ethernet 2/10
switch(config-if)# switchport monitor
switch(config-if)# exit
switch(config)# monitor session 2
switch(config-monitor)# destination interface ethernet 2/10
switch(config-monitor)# source vlan 100 both
switch(config-monitor)# no shut

Remember that mirroring both directions of a busy VLAN can easily exceed the capacity of a single destination port; check the destination port's counters for drops after enabling the session.


Is The Windows 10 Anniversary Update Eating Your Bandwidth?

Windows 10 Anniversary Update

Windows 10 Anniversary Update

Microsoft released a major update to Windows 10 on August 2nd, 2016. Code-named the Anniversary Update, it contains many new features and upgrades.

If you are responsible for managing a computer network, you may want to watch out for excessive bandwidth use as clients download this update. Our analysis has shown that a single client can download almost 3GB from Windows Update as part of this release.

How to check for Windows 10 Anniversary Update Traffic

You can quickly check for Windows 10 Anniversary Update traffic with LANGuardian.

  1. Using the NetFort search feature in LANGuardian, enter URI and select the report Top Websites and URI.
  2. Enter the text 14393.0.160715-1616 in the URI search field on the left-hand side. This is a unique identifier for the Anniversary Update.

Top Clients

  3. Drilling down on the total number of events reveals which clients are downloading the Windows 10 Anniversary Update. If you have Active Directory integration enabled, you can also get the associated username.

While we do recommend that you keep your Windows clients updated with the latest updates, you may want to inform your users to refrain from forcing the Windows 10 Anniversary Update download during business hours.

LANGuardian uses network traffic as a data source. You can easily acquire network traffic through SPAN\Mirror ports or by using devices like network TAPs.  The video below explains how you can setup a SPAN port to focus on Internet activity.


How to Detect Pokémon Go Activity on Your Network

Pokémon Go Clients on Network

Pokémon Go – “Gotta catch’em all” (It’s not what you think!)

I don’t think anyone can have missed the phenomenon of Pokémon Go which has exploded into our lives over the last week or so. The objective is still the same, to capture ALL the Pokémon characters!

It’s a great news story as broadcasters scramble for headline stories:

  • Danger – Pokémon Go can seriously damage your health! Whether that’s the potential dangers of walking or driving while playing the game.
  • Breaking News – “Kids have left their bedrooms”: kids are actually going for walks this summer (motivated by hatching eggs within the game) rather than staying locked in their rooms playing computer games!

From a business perspective, we have also seen Boeing become the first corporation to ban the game, simply on the grounds of safety.

That got me thinking; in a work environment, Pokémon Go users are pretty easy to spot as they walk along trance-like, staring at their phone. There is clearly an addictive element to the game, but it’s no different to a lot of other computer games, media and social apps out there.

How to Detect Pokémon Go Activity on Your Network

A regular challenge we hear from network managers is monitoring users’ non-work-related online activity and the impact it has not only on individual productivity but on overall network performance. Network managers are also concerned about users installing fake Pokémon Go apps; these do exist, and once installed they can introduce malware onto the network.

The good news is that there is an effective, affordable solution for monitoring network activity: LANGuardian. It lets network managers use a SPAN (monitoring) port to monitor and report on activity both internally (intranet servers and file shares) and externally (websites, cloud services and social media).

Easy to use, LANGuardian’s deep packet inspection provides the highest level of visibility into activity on the network. Its intuitive reporting and dashboards, drill-down capabilities and powerful searches provide extremely detailed information without requiring you to understand and interpret raw packets.

The old expression “you can’t manage what you can’t see” no longer applies: LANGuardian lets you see, so you can manage. So, in keeping with the Pokémon theme and from a LANGuardian point of view:

“Packets… Gotta catch’em all”

Detecting Pokémon Go activity with LANGuardian

The Pokémon Go application was developed by Niantic. When the app loads it communicates with the domain nianticlabs.com. All communications are encrypted, and the good news is that it does not use much bandwidth.

To track down Pokémon Go users on your network you just need to detect which clients are connecting to the nianticlabs.com domain. Because the traffic is encrypted, the domain name comes from the clients’ DNS lookups or from the server name (SNI) in the TLS handshake rather than from a URL. To do this in LANGuardian, use the NetFort search feature.

Niantic Labs

Enter nianticlabs.com in the website field, select a time range and then click on the search button. If you see any activity associated with this domain, drill down to reveal what IP addresses are associated with this. You can then use the LANGuardian Network Inventory reports to get associated MAC addresses if you want to block the clients from accessing your network.

Pokemon Client Drilldown

Active Directory and/or RADIUS integration can also reveal the associated usernames. The two-minute video below shows you the basics of what you need to do to track down Pokémon Go activity on your network.

To see LANGuardian in action, try our interactive demo here

It’s not the network, stupid!

Monitor Network Traffic

Mixing business and pleasure: I spent time with my son last week who is on an internship with a TV station in Kansas City and while there, I also took the opportunity to visit some partners and customers.

It was my first visit to Kansas City and I must admit, I really enjoyed it. My son described it as a ‘little gem’ that will explode over the next few years. I can see why; there is very little traffic, people are friendly, downtown Kansas is really nice and very affordable. Everything from food to beer (very important), housing and even spinning classes are about half the price of New York and San Francisco. If you go, don’t forget to sample their barbecue, they are very proud of it, especially the burnt ends and they are really good.

My son got us tickets to go see Guns N’ Roses at Arrowhead, the loudest stadium in the world. A fantastic gig, great production, light show. Axl, Slash and the rest of the band really put on an excellent show, playing just short of three hours. Slash played the theme song from the movie The Godfather, really different but brilliant.

I also had the pleasure of meeting with one of our new LANGuardian customers that we signed up in the past few months. They specialize in the energy sector and have over 20 remote sites. The CIO was getting tired of people always blaming the network; they also have lots of servers running business apps in their main data center, so bandwidth utilization is important. The guy in charge of a remote site would call her up and say, ‘this network is so damn slow I can’t update the ERP system, what’s going on?’ She tasked her network guy, Steve, to find her a solution that would address these 2 issues:

  1. WHO is causing the issue?
  2. WHAT are they doing?

They tried some Netflow based solutions, but they did not give her the actual WHO – the user name that she wanted, nor the WHAT – the detail or proof required. They also mentioned that the reporting in some solutions was not intuitive or mature enough. She wanted to find an easy solution that even she could use herself, if required. She wanted to be able to read and understand the data and get the detail that eliminated guesswork.

Steve found our solution on a site that listed alternatives to Netflow. He downloaded and deployed LANGuardian on VMware; got traffic from a SPAN port to it and had it running in their data center in under an hour. In real time, they were now able to see the top users, their names and the apps they were running and if any users were transferring a large file, they could also see the file name and size. They also picked up on two servers in the data center that were misconfigured and constantly communicating wasting valuable bandwidth and resources.

Now the CIO gets great satisfaction when somebody calls complaining of a slow network: ‘go talk to your guy John, tell him to stop watching videos on this sports web site’.

With the looming US election, there are plenty of discussions to be had; this, along with our new customer and all the news here, reminded me of the US election in the 90s when Bill Clinton was running for office; one of his campaign slogans was, ‘It’s the economy, stupid’.

Well in this use case, the CIO could also say (not that she would of course!), ‘it’s not the network, stupid’… ‘it’s your users’.

John Brosnan

CEO

How to monitor which files are accessed through NFS?

NFS Network File System

Monitoring Network File Systems (NFS)

Network file shares based on Microsoft servers remain the most popular way of sharing files and folders within corporate networks. This may change in a few years with the continued growth of services like Google docs or Office 365. There are many options available if you want to monitor Windows based file shares, a common use case is tracking down who is deleting files off your network.

NFS is another type of distributed file system. NFS is often used with Unix operating systems (such as Solaris, AIX and HP-UX) and Unix-like operating systems (such as Linux and FreeBSD). It is often used in research and development applications where engineers are using specialist computer systems to share data.

As with any network-based data, it is important to monitor who is accessing it and what they are doing with it, whether for compliance, operational or security reasons. Issues such as ransomware attacks have made this a hot topic in today’s world.

Getting an audit trail from an NFS server can be tricky: logs may not be available, and even where they are, enabling them may cause performance problems on the NFS file server. An alternative worth considering is to monitor the network traffic going to and from the NFS file servers. All you need to do is use a system like LANGuardian to analyze this traffic and extract the relevant metadata.

Monitoring NFS servers using network traffic analysis

Network traffic data can be captured from SPAN\mirror ports or via network TAPs. While it is possible to capture traffic locally on a system using tools like Wireshark, this is not a scalable solution for monitoring all activity throughout a network. The image below shows how you can see the activity associated with a file by looking inside the network packets.

NFS traffic capture using Wireshark

The image below shows a typical example of how a SPAN or mirror port can be used to capture NFS traffic. The switch is configured to send a copy of the network packets going to and from the file server to the network traffic analyzer (LANGuardian) which is plugged into the same switch. If you want to learn more about setting up SPAN or mirror ports, check out our video resource page.

Monitor NFS shares using SPAN or mirror port

Once you have your SPAN or monitor port in place and you have a LANGuardian connected, you can begin to see who is doing what on your NFS file shares. Use the search feature within LANGuardian and enter the text “NFS”. For my example I used Network Events (NFS) but you can choose any of the reports. The user variants allow you to see what username is associated with the activity. You can also focus in on a specific time period by clicking on the calendar option to the left of the report.

NFS LANGuardian report

How to do a URL search using network traffic analysis

URL search tips

What are your options to address URL search requirements?

Before I go into how you can do a URL search using network traffic as a data source, I want to go back over and explain what a URL string is.

A Uniform Resource Locator (URL) string is a subset of the Uniform Resource Identifier (URI) that specifies where an identified resource is available and the mechanism for retrieving it. Examples of  URLs would be:

URL: ftp://ftp.netfort.c0m/doc/languardian-tips.txt
URL: https://www.netfort.com/download-languardian/
URL: mailto:support@netfort.com

All of the above are also URIs. A URI may additionally carry a fragment (the part after the # character), which the client uses to jump to a particular section of a web page; the fragment is never sent to the server, so it does not appear on the wire.

URL String

For most use cases, a URL search involves searching for either a full or partial website name to see who is accessing it. Here is some feedback we recently got from a university customer which they sent back after evaluating our LANGuardian product. This is a very typical use case.

“All those within the test group without exception found it (LANGuardian) to be a very useful tool for detecting suspicious traffic and for discouraging misbehavior.

A very popular feature mentioned by most users in the test group was the ability to search by URL. All the users were in agreement that it provides a very quick and easy way to extract the exact information management would like visibility of, particularly where cloud services are concerned.”

Building a database of URL search strings

There seems to be an increasing demand for more sophisticated analysis and visibility of the Internet link and activity probably driven by:

  • Security concerns: continuous monitoring and rich visibility of activity on this link is an absolute must these days.
  • Cloud, hybrid cloud, etc. Many applications used across organizations today are hosted externally and as a result, the utilization of this link is critical.

Before you can search URL strings you need a data source. The most common ones I come across are:

  1. Local packet capture on a PC or laptop.
  2. Network wide packet capture through a SPAN, mirror ports or TAPs.
  3. Log file analysis on firewalls or proxy servers.

I am not including any flow based tools in this post as most are not good web usage trackers. Some IPFIX implementations can export HTTP header information but very few tools actually use this.

Local Packet Capture

Capturing network traffic locally on your PC or laptop is a great way to learn about packet capture and how you can use this to search for URL strings. Wireshark is the most popular tool and it allows you to capture all network traffic going in and out of local network adapters.

If you want to do a URL search, you simply use the display filter within Wireshark to search for a specific text string.

Pros

  • Free and easy way to capture local traffic
  • Great for learning about packet capture and traffic analysis

Cons

  • Does not scale up. It is very easy to overload a system if you try to capture traffic at high data rates.
  • While it is fine for real-time analysis, you won’t get long-term storage of data unless you have access to lots of disk space.
  • Complex, not that easy to read and interpret. Difficult to get the ‘big picture’.

URI String

Network wide packet capture through a SPAN, mirror port or TAP

If you want to scale up from local packet capture, then you should look at options like SPAN ports or TAPs. This approach will allow you to get a copy of all traffic flowing into and out of your network and so you will get a data source for all web activity on your network.

The video at the link below goes through the steps that are needed to monitor Internet activity via a SPAN port.

Pros

  • Visibility of all Internet activity on your network.
  • SPAN or port mirror options are available on most managed switches with minimal impact on performance, provided the destination port is not oversubscribed.
  • Works effectively whether a web proxy is in place or not.
  • Deploy in minutes, no agents, clients, no network downtime.

Cons

  • Free tools\software offerings that can connect to a SPAN or mirror ports are limited so you need to look at a commercial solution.

Web Users Report

Once you have got your SPAN port setup, you can use a tool like NetFort LANGuardian to process the packet data. The NetFort DPI engine extracts application level detail like URL strings from the traffic flows, discarding the remainder of the packet contents before storing them in the built in database.

This data reduction (400:1 over full packet capture and storage) results in cost effective long life historical storage of network and user activity, very useful for forensics, reporting and planning.

It stores all the critical details including IP address, user name, domain names, URI and bandwidth consumed in its own database. This gives you access to realtime and historical web usage reports.

If you are considering other tools, make sure they include both realtime and historical reporting features to match your data retention requirements.

Log file analysis on firewalls or proxy servers

Many firewall and proxy servers will have logging options. These can be very useful for troubleshooting or checking if changes to firewall rules are working. However, server log files do have their limitations. They are meant to provide server administrators with data about the behavior of the server, not the behavior of the user like what URLs they are accessing.

I recently attended a conference which brought together network and security professionals from colleges and universities all over the UK. During the conference, one IT manager described how their network fell victim to multiple DDoS attacks. Their firewalls were under so much pressure that they could not access the logs and get any visibility. One recommendation from this was not to rely on firewall logs alone; you need another data source to troubleshoot problems.

Pros

  • Great for troubleshooting problems or checking if changes to block rules are working.

Cons

  • Enabling logging will impact firewall or proxy performance. These devices were not designed for long term capturing of log information.
  • If your proxy or firewall is having performance issues you won't be able to access the logs to troubleshoot the problem.

Web Proxy Log

Do you have any other ideas on how to capture and search URL information? Comments welcome.

Forensic Analysis of a DDoS Attack

forensic analysis of a DDoS attack

In this blog post we are going to do a forensic analysis of a DDoS attack. The DDoS analysis is supported by screenshots captured from a LANGuardian system that was monitoring network edge traffic via a SPAN port at the time of the attack.

The purpose of our DDoS analysis is to demonstrate how DDoS monitoring can identify an attack in progress. With the information gathered by using a DDoS attack monitor, we can then take steps to mitigate against these types of DDoS attacks.

Why DDoS Monitoring is Important

Over the past ten days in Ireland, numerous online services and public networks have been targeted by DDoS attacks. A recent article from the BBC also suggests that website-crippling cyber-attacks are to rise in 2016 – the organization itself having been taken offline by a massive DDoS attack at the end of last year.

The majority of the recent attacks in Ireland were NTP amplification attacks. NTP is a popular vector for DDoS attacks because, like DNS, it is a simple UDP-based protocol that can be persuaded to return large replies to small requests. It has been estimated there are over a hundred thousand abusable NTP servers with administrative functions incorrectly open to the general Internet.

Using LANGuardian as a DDoS Attack Monitor

All of the following screenshots were taken using LANGuardian as a DDoS attack monitor on a real network. The network was one of many that suffered multiple DDoS attacks during January 2016. The first image below shows traffic associated with this network at a time when it was not under attack. What I am watching out for here is:

  1. The majority of the traffic is IPv4.
  2. Over 97% of traffic is TCP with small amounts of UDP. This is very normal and what I would expect.
  3. Drilldown on the UDP traffic shows the majority is DNS. For most networks DNS would be the most active UDP protocol. Exceptions to this would be networks where applications like Bittorrent are allowed.

DDoS monitoring dashboard

The next screenshot shows the network traffic profile during a time when the network was under attack. The main thing that stands out is that UDP traffic is now the majority. This is the classic fingerprint of a UDP based amplification attack. You can read more about amplification attacks here and here.

UDP Traffic associated with DDoS attack

Drilling down on the UDP traffic reveals that the network is receiving large amounts of NTP and DNS traffic. Both of these are important protocols so you cannot just block them. The other issue is that the network packets will contain spoofed IP addresses so basic firewall rules are useless.

These attacks are composed of legitimate-appearing requests, massive numbers of “zombies” and spoofed identities, which together make it virtually impossible to identify and block the malicious flows.

UDP Protocol Analysis

Drilling down further reveals that the traffic appears to originate from 4700 different servers. We can do a WHOIS by IP address and determine that these are valid NTP servers, owned by reputable organizations.

It’s unlikely that 4700 reputable NTP servers are compromised and targeting an attack at the network, so something else is happening here.

The NTP protocol is based on UDP, a connection-less protocol. This means that a malicious client can create an NTP request, but instead of using its own IP address as the source, it uses the IP address of the target network. The NTP server assumes the request is genuine and responds, sending the response, not to the originating client, but to the target network.

This is known as a reflection attack. We can determine this is occurring, because our network has not sent any NTP packets to the NTP servers in question (zero packets sent, zero bytes sent) as seen here.

Further, we can calculate that the average received NTP response packet size is about 440 bytes, significantly larger than a standard NTP response packet (about 90 bytes). The 440 byte packet is likely a response to a ‘monlist’ request, a remote command in older NTP servers that returns a list of the last clients to contact it. The ‘monlist’ command returns multiple packets of this size in response to a single request. This is known as amplification, where a small request generates big responses.
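The three observations above (UDP becoming the majority of traffic, many remote NTP servers that we never sent a packet to, and replies far larger than a normal NTP response) can be turned into a simple check over per-peer traffic summaries. The following is an added example and not LANGuardian code; the flow records, IP addresses and byte counts are constructed, and the thresholds are assumptions chosen for illustration.

```python
"""Spot the NTP reflection/amplification fingerprint in per-peer traffic summaries.

Each record is what a SPAN-port monitor could report for one remote host:
transport protocol, remote port, and packets/bytes in each direction.
Added example with constructed data, not output from any real monitor.
"""
from collections import defaultdict

NORMAL_NTP_REPLY_BYTES = 90   # typical NTP response size quoted in the post
AMPLIFICATION_FACTOR = 3      # assumption: replies >= 3x normal count as amplified
MIN_REFLECTORS = 100          # assumption: many distinct sources is part of the pattern


def protocol_mix(flows):
    """Share of total bytes per transport protocol (the dashboard's TCP/UDP split)."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["proto"]] += f["bytes_in"] + f["bytes_out"]
    grand = sum(totals.values()) or 1
    return {proto: round(b / grand, 3) for proto, b in totals.items()}


def reflection_sources(flows, port=123):
    """Remote hosts sending us UDP on `port` while we sent them nothing at all.

    Zero packets out and zero bytes out is the tell-tale sign that the 'requests'
    those servers answered were spoofed by someone else (reflection).
    """
    return [
        f for f in flows
        if f["proto"] == "UDP" and f["remote_port"] == port
        and f["packets_out"] == 0 and f["bytes_out"] == 0
        and f["packets_in"] > 0
    ]


def average_reply_size(flows):
    """Average size in bytes of the packets we received across the given flows."""
    packets = sum(f["packets_in"] for f in flows)
    return sum(f["bytes_in"] for f in flows) / packets if packets else 0.0


def analyse(flows, port=123):
    """Combine the three observations from the post into one verdict."""
    mix = protocol_mix(flows)
    reflectors = reflection_sources(flows, port)
    avg = average_reply_size(reflectors)
    amplified = avg >= AMPLIFICATION_FACTOR * NORMAL_NTP_REPLY_BYTES
    return {
        "udp_share": mix.get("UDP", 0.0),
        "reflector_count": len(reflectors),
        "avg_reply_bytes": round(avg, 1),
        "amplification_attack": (
            mix.get("UDP", 0.0) > 0.5
            and len(reflectors) >= MIN_REFLECTORS
            and amplified
        ),
    }


def flow(ip, proto, port, packets_in, bytes_in, packets_out, bytes_out):
    """Build one constructed per-peer record."""
    return {"remote_ip": ip, "proto": proto, "remote_port": port,
            "packets_in": packets_in, "bytes_in": bytes_in,
            "packets_out": packets_out, "bytes_out": bytes_out}


# Constructed sample: a quiet period, then the same network under attack.
BASELINE = [
    flow("192.0.2.10", "TCP", 443, 40000, 50_000_000, 30000, 5_000_000),  # web traffic
    flow("192.0.2.53", "UDP", 53, 2000, 200_000, 2000, 120_000),          # DNS, both ways
    flow("192.0.2.123", "UDP", 123, 50, 4500, 50, 4500),                  # real NTP, 90 B replies
]
ATTACK = BASELINE + [
    # 120 hypothetical reflectors, each delivering 2000 replies of 440 bytes
    # while receiving nothing from our network.
    flow(f"203.0.113.{i}", "UDP", 123, 2000, 880_000, 0, 0) for i in range(1, 121)
]

if __name__ == "__main__":
    for label, flows in (("baseline", BASELINE), ("attack", ATTACK)):
        print(label, analyse(flows))
```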

DDoS packet numbers

Finally, what of the client that originated the NTP request? We have no information about that client, as it successfully forged the source IP address in the original NTP request. We can assume that the client was a member of a botnet and was issued commands to target this network. There can be many thousands of compromised clients in a given botnet.

The scenario is shown in the diagram below, which shows how a single C&C controls many zombie clients to generate spoofed NTP requests to many servers, which in turn send amplified responses to the target network.

DDoS Amplification Traffic

Any local servers shown in the reports would need to be checked for malware activity. A compromised local host could end up as a zombie in a botnet, or it may also be serving up malware.

Using DDoS Analysis to Mitigate Against DDoS Attacks

When it comes to mitigating against DDoS attacks, you do have a number of options. It does depend on what stage you are at. If you are presently under attack, you may need to weather the storm a bit and avoid any rush decisions. Blocking traffic for example may only introduce other problems and you may end up with a network cut off from the outside world.

It is critical that you have some type of network activity monitoring in place prior to and during an attack. Make sure you can see where the traffic is coming from and what servers are being targeted. To try and mitigate against an attack you should consider the following.

  1. See if your ISP can black hole the suspicious traffic. Most will not get involved but if you are an education or government institute you may be able to address the issue at an ISP level.
  2. If you host your own web applications or servers you could consider a local DDoS protection system. These high-performance appliances enable attack traffic analysis and cleaning of the traffic, enabling a defense against large-scale DDoS attacks. Good traffic goes one way and bad traffic is dropped.
  3. If your website is hosted externally you could consider something like the Cloudflare DDoS protection infrastructure. They do the job of sorting out the good traffic from the bad in the cloud.
  4. In some extreme cases I have heard of companies changing their ISP to get away from the problem. Their public IP addresses seem to be a constant target, so the only way out is to change them by moving to a different ISP.

Do you have any tips for mitigating against DDoS attacks? Comments welcome.


Watch Over Your Network While Your Support Team is on Leave This Holiday Season

Empty office as support staff are on leave

Let LANGuardian watch over your network while your support team is on leave

While it may be holiday season for your support staff, your network never sleeps. Operational and security problems can show up at any time so you need to make sure you have eyes on your network 24/7. Reports from our customers and security focused news sites suggest that attacks from Ransomware have intensified in recent weeks.

One way to do this is to deploy network traffic and security monitoring tools which keep an audit trail of who is doing what on your network. If problems occur during the holiday period, when you return, you will have the historical data needed to ‘go back’, troubleshoot, have the detail to really understand what happened,  and remedy the issue before it gets out of control.

capture network traffic from SPAN or mirror port

Our LANGuardian product is available as a 30 day trial download, so if you install now as a physical or virtual server you will have monitoring in place over the holiday period. It captures network traffic via a SPAN/mirror port or TAP, analyzes it using deep packet inspection techniques, and stores the results in a database.

A web-based user interface provides access to the traffic data in the database. As it works on network packet data, there is no client software to install, no interaction with the devices on the network, and no impact on network performance. See activity by MAC, IP address and associated user names.

Watch Over Your Network During The Holiday Period With LANGuardian

LANGuardian is the first and only deep packet inspection (DPI) software to provide network managers with root cause information about network and user activity.

  • Get visibility using traffic from a SPAN or mirror port, no agents required.
  • Monitor networks 24/7 so you have user and application data needed to investigate issues.
  • Drill down to granular information: usernames, file names, web domains and URIs.
  • Ideal for network forensics, real time troubleshooting or identifying suspicious traffic.
  • Download and deploy on standard hardware, VMware or Hyper-V.

Got ‘Butter Fingers’ On Your Network Deleting Files or Folders?

network file share

Track down users deleting files or folders from network drives.

In many organizations, the most valuable and sensitive data resides on file shares. Accordingly, file shares are monitored very closely for availability, security, compliance and data protection reasons.

deleting files from network shares

Monitoring Windows file shares can be a lot of work. Typically, you’ve got to analyze event logs from individual servers and collate them to get the data that’s needed to produce audit trails detailed enough to satisfy audit requirements. For troubleshooting and forensics, analyzing logs individually makes it difficult to spot trends across multiple file shares. Auditing file access on file servers can also overload your log files and/or SIEM systems.

Find Out What Users Are Deleting Files or Folders With LANGuardian

Use the advanced deep packet inspection features in LANGuardian to track down users deleting data from your network file shares. Active Directory integration lets you see the associated username.

There is no need for agents or clients, and no need to enable auditing on your file servers. File names and actions are captured from network traffic.

With LANGuardian, you can monitor and record every access to Windows file shares without the need for logs or software agents. It records details of user name, client application, server name, event type, file name, and data volume. All of this information is captured passively from network traffic via a SPAN port.

Click on the image below to access the interactive LANGuardian demo and see the power of network traffic and security monitoring in action.

users deleting files from a network share

File activity monitoring is a standard feature of LANGuardian. Common use cases range from tracking down users who deleted files to finding the source of ransomware on a network. Many of our customers also use network traffic monitoring to verify that there are no other infected PCs active on their networks.

Taking a Deep Dive into Network Traffic


A term I often hear our customers say is that they use our LANGuardian product to “take a deep dive into network traffic”. When you hear something like ‘deep dive’ you could associate it with geeks in their Speedos taking a dive into a swimming pool. The reality is a lot more technical and maybe more boring; what they are trying to do is use network traffic as a data source to get to the root cause of network, security, application or user problems.

Client based traffic analysis

For a lot of network administrators the tool of choice may be Wireshark. It is excellent for taking a deep dive into network packets. I often use it to capture network traffic on my laptop and scroll through the packets to work out what traffic flows are present and see what packet payloads are associated with them.

Wireshark traffic analysis

The problem with this approach is that it can be very time consuming, especially if you are dealing with high traffic volumes. Wireshark filters are useful, but they are a foreign language to most people. Connect your laptop to a SPAN or mirror port and within minutes you could be dealing with a multi gigabyte packet capture file.

There is no doubt that tools like Wireshark or Microsoft Message Analyzer have their uses. However, if you want 24/7 traffic monitoring then you will need to look at a different solution.

Take a Deep Dive into Traffic on YOUR Network

Use the power of LANGuardian deep packet inspection to take a deep dive into traffic on your network. No need for client or agent software, just setup a SPAN or mirror port. Active Directory integration allows you to associate traffic flows with usernames too.

Flow based traffic analysis

Many layer 3 type network devices like routers and some switches have flow export features. Standards include NetFlow, sFlow, JFlow and IPFIX. Typically a network device extracts certain information from the packet headers. This will include IP addresses and port information together with the total amount of data contained within the packet payloads. This flow information is then sent to a flow collector where it is processed and stored.

If we think of it as diving into a swimming pool, flow analysis is like getting your Speedos on and approaching the pool. You dip your toes in but that is it. You have an idea how cold the water is but it is not a deep dive.

Flow analysis is great for getting a top level view of what is happening on a network. Some flow technologies have moved towards sampled packet analysis. I am not a big fan of this due to the resource demands it puts on networking devices.

Going deep with Deep Packet Inspection

If you want to take a deep dive into network traffic, you need deep packet inspection. Technologies like this automate packet analysis so that you have 24/7 monitoring. Some solutions will store all packet data on disk (packet recorder) while others will extract certain payload data like website or file names (known as metadata).

Deep packet inspection

Another feature of deep packet inspection tools is their ability to recognize applications based on packet payloads. Flow tools will make assumptions like all traffic on TCP port 80 is web, but this is not always the case. Most firewalls available today include this functionality and it is vital in today’s world where so many applications are web based.

Traffic analysis tools that monitor traffic inside a network are getting more popular. The main driver for this is that IT managers want to get an insight into network activity so that they can increase security awareness. They also want historical reporting for seeing what happened at a particular point in time.

Before you make a decision on one you need to consider the following:

  1. Do you need to record every packet or just capture important metadata? Unless you are monitoring a critical banking application or similar, metadata capture is recommended.
  2. Can the tool be deployed in remote data centers and provide a single console to monitor all activity?
  3. Don’t forget about virtual networks. Network packets can move around here and may never appear on the ‘wired’ network.
  4. Check if the tool supports username association. When you are dealing with LAN issues, it is very useful to be able to track activity back to actual users.
  5. Watch out for ease of use. Too many tools claim they can do deep packet inspection but are difficult to use. Ideally you want ‘management friendly’ graphics with drill down capabilities.

All of the solutions I mentioned above have their uses. Wireshark for client side diagnostics, flow tools for high level traffic reports, and deep packet inspection for taking a deep dive into network traffic. In some cases you may need all three, just make sure you don’t end up with the wrong solution if you only can pick one or two.

Learn more: Utilizing traffic fingerprinting for protocol analysis

Tunnelling Bittorrent Over Port 80 – How to Detect Activity on Your Network

Bittorrent Over TCP Port 80

Bittorrent is a very popular file sharing protocol. As a way of distributing content from many hosts, it is second to none. It is very popular with movie/music pirates as it does not require a central server for the storage of data. A downloader (peer) can contact other peers and download pieces of content, and that peer will automatically share any content it has downloaded. It does have many other uses, such as a platform for distributing software updates.

When it comes to network management, most administrators try to block Bittorrent use. The main reason behind this is that it can use up massive amounts of network bandwidth and disk storage. Many high definition movies are now 6GB+ in size so all it takes is for a few clients to clog up a network. Bittorrent clients also create thousands of network connections to other peers which can overload some firewalls.

Blocking access to sites like ThePirateBay may work in the short term but the introduction of magnet links makes site blocking more difficult. If you are successful in blocking the torrent sites, users can still access them at home and use your network to download the content.

How to detect Bittorrent tunnelling activity on your network

Traditional firewalls which use port blocking are useless when it comes to Bittorrent. The protocol will seek out open TCP or UDP ports and use these to tunnel/transfer data. Even newer firewalls struggle with the Bittorrent protocol due to encryption and other recent changes.

In today’s world, the only way to accurately identify Bittorrent is to be application aware. What I mean by this is to forget about identifying applications based on the port numbers they use to communicate. Assume that TCP port 80 could be any application: HTTP, Skype, Bittorrent, etc. You need to take a look inside the network packets and work out what application it is based on what the packet payload or content is.

This all sounds very complicated, and it is if you have to sort through packets using something like Wireshark. It is not impossible but you will find it is very time consuming. The other issue is scale: Wireshark works fine for analyzing a single client but it will get overloaded if you are monitoring hundreds of clients.

Find Out Who is Tunneling Bittorrent on YOUR Network

Use the power of LANGuardian deep packet inspection to find out who is tunneling Bittorrent traffic on your network. No need for client or agent software, just setup a SPAN or mirror port. Active Directory integration allows you to associate Bittorrent activity with usernames too.

What you are looking to do is extract certain metadata from the network packets. There is no need to store the contents of every packet unless you plan to replay the traffic for further analysis. This approach is also referred to as deep packet inspection. Aim to capture these fields at a minimum:

  • Source IP Address
  • Source Port
  • Destination IP Address
  • Destination Port
  • Info_hash: urlencoded 20-byte SHA1 hash
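To show what "application aware" detection of the five fields above looks like, here is an added example (not LANGuardian code) that identifies Bittorrent from the TCP payload alone, regardless of the port in use. It recognises the peer-wire handshake (19, "BitTorrent protocol", 8 reserved bytes, 20-byte info_hash, 20-byte peer id) and an HTTP tracker announce carrying a urlencoded info_hash. The packets, addresses and the info_hash value are constructed for the example.

```python
"""Extract source/destination addresses, ports and info_hash from Bittorrent traffic
found on any TCP port. Added example with constructed packets, not LANGuardian code."""
import re
from urllib.parse import quote_from_bytes, unquote_to_bytes

BT_PSTR = b"BitTorrent protocol"
HANDSHAKE_LEN = 1 + 19 + 8 + 20 + 20                    # pstrlen, pstr, reserved, info_hash, peer_id
REQUEST_LINE = re.compile(rb"^GET (\S+) HTTP/1\.[01]\r\n")


def _query_param_bytes(query, name):
    """Return the raw bytes of `name` from a URL query string, or None.

    parse_qs is deliberately avoided: it decodes values as text and would mangle
    a binary 20-byte info_hash that is not valid UTF-8.
    """
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return unquote_to_bytes(value)
    return None


def info_hash_from_payload(payload):
    """Return (kind, info_hash as 40 hex chars) if the payload is Bittorrent, else None."""
    # Peer-wire handshake, the first thing two peers exchange on a new connection.
    if len(payload) >= HANDSHAKE_LEN and payload[0] == 19 and payload[1:20] == BT_PSTR:
        return "peer-handshake", payload[28:48].hex()
    # HTTP tracker announce: GET /announce?info_hash=<urlencoded 20 bytes>&peer_id=...
    m = REQUEST_LINE.match(payload)
    if m:
        target = m.group(1).decode("ascii", "ignore")
        _, _, query = target.partition("?")
        raw = _query_param_bytes(query, "info_hash")
        if raw is not None and len(raw) == 20:
            return "tracker-announce", raw.hex()
    return None


def classify(pkt):
    """Map a (src_ip, src_port, dst_ip, dst_port, payload) tuple to the minimum fields."""
    src_ip, src_port, dst_ip, dst_port, payload = pkt
    found = info_hash_from_payload(payload)
    if found is None:
        return None
    kind, info_hash = found
    return {"src_ip": src_ip, "src_port": src_port, "dst_ip": dst_ip,
            "dst_port": dst_port, "info_hash": info_hash, "kind": kind}


def find_bittorrent(packets):
    """All packets that carry a recognisable Bittorrent info_hash, whatever the port."""
    return [r for r in map(classify, packets) if r is not None]


# Constructed sample traffic. The hash is a made-up 20-byte value, not a real torrent.
SAMPLE_HASH = bytes(range(0x10, 0x24))
HANDSHAKE = bytes([19]) + BT_PSTR + bytes(8) + SAMPLE_HASH + b"-EX0001-" + b"0" * 12
ANNOUNCE = (b"GET /announce?info_hash=" + quote_from_bytes(SAMPLE_HASH, safe="").encode()
            + b"&peer_id=-EX0001-000000000000&port=6881&uploaded=0&downloaded=0&left=0"
            + b" HTTP/1.1\r\nHost: tracker.example.invalid\r\n\r\n")
PLAIN_HTTP = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

PACKETS = [
    ("10.0.0.25", 51234, "203.0.113.7", 80, HANDSHAKE),      # peer traffic tunnelled over port 80
    ("10.0.0.25", 51240, "203.0.113.9", 80, ANNOUNCE),       # tracker announce on port 80
    ("10.0.0.31", 51300, "192.0.2.80", 80, PLAIN_HTTP),      # ordinary web request, same port
    ("10.0.0.25", 51250, "203.0.113.7", 80, HANDSHAKE[:40]), # partial segment: needs reassembly
]

if __name__ == "__main__":
    for hit in find_bittorrent(PACKETS):
        print(hit)
```

Encrypted peer connections (MSE/PE) and DHT over UDP carry no plain-text handshake, so a real detector needs additional signatures beyond these two.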

A simple way to get visibility of Bittorrent on your network is via a SPAN or mirror port. Find where your Internet connection connects to your network switch infrastructure, then configure the switch to send a copy of traffic going to and from the Internet to a switch port of your choice. This switch port is known as a SPAN or mirror port. It’s just a regular port, but you configure it to be the destination for the SPAN traffic. See the video below, which covers this in more detail.

Tracking down Bittorrent activity with deep packet inspection

Once you have your SPAN port set up, you need to plug in a network analyzer which can process network packets. We develop one called LANGuardian but there are other options out there. For this example I will use a LANGuardian installed on my own network to track down Bittorrent tunneling. LANGuardian has the advantage of being able to report on real-time and historical activity.

Step 1 – Run a Top Applications Report

In my case I am going to take a look at activity over the past 4 hours and I also want to focus in on applications using port 80.

Top Network Applications

Step 2 – Drill Down on the Bittorrent Traffic

Most traffic on my network using port 80 is HTTP but I have a small amount of Bittorrent traffic using this port. To drill down I click on the traffic volumes.

Bittorrent Tunneling activity on network

Here I can clearly see the client IP address, host-name and info-hash values associated with this Bittorrent activity. Further details like other associated port numbers and external IP addresses can be obtained by drilling down further.

5 Tips for Dealing with Unusual Traffic Detected Notifications

How to Deal With Unusual Traffic Detected Notifications

If you get an unusual traffic detected notification from Google, it usually means your IP address was or still is sending suspicious network traffic. Google can detect this and has recently implemented security measures to protect against DDoS, other server attacks and SEO rank manipulation.

The key thing to remember is that the notification is based on your Internet facing IP address, not the private IP address assigned to your laptop/PC/device. If you don’t know what your Internet facing (or public) IP address is you can use something like this service.

Top tips for dealing with unusual traffic detected messages:

  1. Get an inventory. Do you have unknown devices on your network? There are many free applications which can do network scans. Another option is to deploy deep packet inspection tools which will passively detect what is running on your network.
  2. Monitor traffic on your Internet gateway. Watch out for things like network scans, traffic on unusual port numbers, TOR traffic. I have included a video below which explains how you can do this.
  3. Track down the device using its MAC address. Network switches maintain a list of what MAC addresses are associated with what network switch ports. The guide at this link shows you how to do this on Cisco switches but similar commands are available on other switch models.
  4. See if your IP address is blacklisted. You can use something like http://www.ipvoid.com/ to check whether your IP address appears on known blacklists.
  5. If you cannot find any issues, talk to your ISP. Maybe you need an IP change. IP addresses are recycled so it could be that you were allocated a dodgy one. This is a remote possibility so make sure you cover tips 1 to 4 first.

Please don’t hesitate to get in contact with our support team if you are having an issue with an unusual traffic notification. They can help you quickly get to the root cause of issues associated with suspicious network traffic.

Darragh Delaney

How to Monitor Network Traffic For Suspicious Top-Level Domains

top level domains

Top-Level Domains – What are they and how to monitor traffic associated with them.

Back in 2011 ICANN approved a plan to expand the number of top level domains (TLDs). Shortly afterwards some analysts suggested that this could spell Dot-Trouble for businesses.

Move forward to 2015 and sure enough a few shady neighbourhoods have appeared on the Internet. Research done by Blue Coat shows that some of these Internet neighbourhoods have become almost exclusively the domain of people setting up hosts for spam e-mailing, scams, shady software downloads, malware distribution, botnet operations and “phishing” attacks, or other suspicious content.

Beware - Suspect Websites

Blue Coat asserts that more than 95% of the sites on these 10 Top-Level Domains (TLDs) are suspect:

  1. .zip
  2. .review
  3. .country
  4. .kim
  5. .cricket
  6. .science
  7. .work
  8. .party
  9. .gq
  10. .link

We recommend that you monitor Internet traffic on your network and watch out for any client connecting to these suspicious TLDs. The best way to do this is to set up a SPAN or mirror port and monitor network traffic at your Internet gateway.

Flow based tools are not a good option for monitoring Internet traffic as they cannot look inside the HTTP header to see what domains users are trying to access. The video below explains how you can setup a SPAN or mirror port to monitor Internet traffic. Most managed switches will allow you to do this.

If you don’t have a managed switch there are many alternatives for SPAN or mirror ports. You just need to pick one to match your requirements.

The image below shows an example of how Wireshark can be used to look inside HTTP headers to extract top-level domain information. Wireshark is very useful for troubleshooting issues associated with a single client. However, it may become data overload if you connect it up to a SPAN or mirror port. If you want to do this you need to look at a commercial network traffic analysis tool like LANGuardian.

Top-Level domains bad neighborhoods

Monitoring Suspicious Top-Level Domain Activity with NetFort

The following procedure describes the steps to show any activity associated with these top-level domains (TLDs). The report can be saved on your LANGuardian system as a custom report and can be re-run any time updated information is needed. Alerts and automated reports are also supported.

  1. Click on Reports in the LANGuardian menu bar.
  2. In the Web section, click on Top Website Domains. LANGuardian displays the Top Website Domains report.
  3. In the Website Domain Name field (Matches regexp selected) place \.link$|\.gq$|\.party$|\.work$|\.science$|\.cricket$|\.kim$|\.country$|\.review$|\.zip$
  4. Click View.
  5. When LANGuardian displays the report, click More Actions on the report menu bar and select Save Report.
  6. Enter a name and description for the report, then click Save. The new report will be listed in the Custom Reports section.
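The regular expression in step 3 is anchored with `$`, so it only fires when the suspect TLD is the last label of the domain. The added example below (not LANGuardian code) applies that same expression to Host headers pulled from constructed HTTP requests, normalising the host first so that a port suffix, mixed case or a trailing dot does not let a suspect domain slip past the anchor. The client IP addresses and hostnames are made up for the example.

```python
"""Flag HTTP requests to the suspect top-level domains using the report's regexp.
Added example with constructed requests, not LANGuardian code."""
import re

# The expression from step 3 above: one anchored alternative per suspect TLD.
SUSPECT_TLD_RE = re.compile(
    r"\.link$|\.gq$|\.party$|\.work$|\.science$|\.cricket$|\.kim$|\.country$|\.review$|\.zip$"
)
HOST_HEADER_RE = re.compile(rb"^Host:[ \t]*([^\r\n]*)\r\n", re.IGNORECASE | re.MULTILINE)


def host_from_request(payload):
    """Pull the domain out of an HTTP request's Host header and normalise it so the
    anchored regexp behaves: lower-case, no port suffix, no trailing dot (FQDN form)."""
    m = HOST_HEADER_RE.search(payload)
    if not m:
        return None                         # HTTP/1.0 or malformed request without Host
    host = m.group(1).decode("ascii", "ignore").strip().lower()
    if host.startswith("["):
        return None                         # IPv6 literal such as [2001:db8::1]:8080, no TLD
    host = host.split(":", 1)[0]            # drop a ":8080" style port
    return host.rstrip(".") or None


def is_suspect_domain(host):
    """True when the last label of `host` is one of the ten suspect TLDs."""
    return bool(SUSPECT_TLD_RE.search(host))


def suspect_requests(requests):
    """Return (client_ip, host) for each (client_ip, payload) pair hitting a suspect TLD."""
    hits = []
    for client_ip, payload in requests:
        host = host_from_request(payload)
        if host and is_suspect_domain(host):
            hits.append((client_ip, host))
    return hits


def http_get(host, path="/"):
    """Build a minimal constructed HTTP/1.1 request payload for the sample data."""
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nUser-Agent: sample\r\n\r\n".encode()


# Constructed sample traffic; none of these hosts are real sites.
SAMPLE_REQUESTS = [
    ("10.0.0.15", http_get("www.example.com")),          # ordinary site
    ("10.0.0.15", http_get("cdn.example.link")),         # suspect TLD
    ("10.0.0.22", http_get("Update.Files.ZIP.")),        # FQDN form with trailing dot, mixed case
    ("10.0.0.22", http_get("files.example.zip:8080")),   # non-default port in the Host header
    ("10.0.0.40", http_get("zip.example.com")),          # 'zip' as a label, not the TLD: no match
    ("10.0.0.40", b"GET / HTTP/1.0\r\n\r\n"),            # HTTP/1.0 request with no Host header
]

if __name__ == "__main__":
    for client_ip, host in suspect_requests(SAMPLE_REQUESTS):
        print(client_ip, host)
```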

Most of the basic Regular Expressions (RegEx) and IP Address/Subnet needs are covered in the LANGuardian Tip Sheet.

And, of course, please contact us any time if you have any questions about web activity or indeed any other aspect of network monitoring with LANGuardian.

Find out who is accessing suspicious top-level domains on YOUR Network

Download a 30 day trial of LANGuardian and find out what users are accessing suspicious top-level domains. No need to install agents or client software. All you need is a SPAN or mirror port.

If you have any tips for tracking down suspicious top-level domains, please use the comment section below.

Darragh Delaney