CURELAN TECHNOLOGY Co., LTD Flowviewer FM-800A

1
Introduction to Major Product Functions
 Quota Management (IPv4 & IPv6) and current traffic monitor.
 Peer-to-Peer (P2P) filter.
 P2P Report.
 Netflow or sFlow traffic report.
 Worm detection (NBAD).
 Automatically block infected IPs from the L3 Switch by ACL (for Cisco, Foundry, Alcatel, Extreme), or automatically block by Flowviewer.
 Port Scan and SSH Password Guess Attacks Report. (NBAD)
 RDP Password Guess Attacks Report. (NBAD)
 List of Possible UDP Flood Attacks Report. (NBAD)
 List of Possible DOS Attacks Report. (NBAD)
 Port Scan and SSH Password Guess Detection and Blocking. Blocked by Flowviewer.
 RDP Password Guess Detection and Blocking. Blocking method: Blocked by Flowviewer.
 UDP Flood Attack Detection and Blocking. Blocking method: Apply ACL command to core switch.
 DOS Attack Detection and Blocking. Blocking method: Apply ACL command to core switch.
2
Agenda
Classification by Function
Automatic detection of RDP and SSH attacks.
Automatic prevention of UDP Flood and DOS attacks.
Dynamic Traffic Query can identify suspect network
traffic and check the IP against a list of known and
offenders.
3
Network Security Threats Case-1
 Virus: Using normal packet data, a virus compromises PCs, potentially destroying data on the personal computer's hard disk or in storage memory and also causing the PC to slow down and so on. The destructive characteristics of these programs are limited to personal computers.
 Hacker: In the computer security context, a hacker is someone who seeks and exploits weaknesses in a computer system or computer network. Hackers may be motivated by a multitude of reasons, such as profit, protest, or challenge.
 Hackers can use a port scan Trojan to discover network vulnerabilities. They can also scan the unit's Port Service, so some units will change the original Port Service number, leaving the network open to further hacking activities.
 By using a Port Scan, hackers can scan the unit's Port Service, allowing Trojans to invade a specific port by guessing the password. Once these Trojan horse programs succeed, the computer becomes a zombie computer and potentially part of a botnet.
4
Network Security Threats Case-2
 After the successful hacking of the zombie computer, this can lead to intrusion into other internal computers. Through the use of a key logging program, the hacker can determine whether the computer is a personal computer or a server, because a personal computer is shut down regularly by the user while a server is very rarely shut down. If it is a server, it is a suitable relay for attacking the target IP. The server may also contain valuable data which can be stolen by the hacker.
 Through the Port Scan program, hackers can exploit the known insecurities of ports 53 and 123. They can then create a DNS Amplification Attack via port 53 (DOS Attacks); this type of attack can also be created by using port 123 NTP (Network Time Protocol) reflection attacks (UDP Flood Attacks).
 If your device uses network behavior analysis (NBA) to identify hacker intrusion and attack, you do not need to use the feature value (Pattern). Network behavior analysis collects all network IP data and, by identifying anomalous network data, determines intrusion and hacking attacks. NBA allows for the rapid detection of network attacks by analyzing ALL network data, unlike the pattern detection method, which is restricted to identifying attacks based on set patterns of network activity. Hackers can bypass pattern detection by regularly changing the pattern of their attacks every 2 or 3 days.
5
Hacking Methods
 Bypass network security by exploiting SSH and RDP vulnerabilities.
 Known Microsoft operating system vulnerabilities (see note below) and PHP, C++ database vulnerabilities. These methods exploit bugs that even software and operating system developers are not aware of in their systems. This is the best situation from a hacker’s point of view, as these types of attacks cannot be detected or stopped until developers identify the bug and release updated software to fix the problem.
 Note: Hackers can use injection of CSS codes on insecure web sites, allowing them to access confidential user data on the host server. A Google safety engineer also pointed out that there is evidence that Microsoft was aware of this vulnerability as early as 2008. At present users must rely on their browsers to deal with this vulnerability.
 No network security product can ever protect from all attacks; for example, a Trojan horse attached during P2P, APP and Spear Phishing is undetectable. Luckily, server equipment does not receive and send mail or use P2P downloads automatically, therefore any action of this kind is on a personal computer. Most hacks focus on one computer and then use the intranet to attack other IPs until they locate the server IP that allows access to confidential data. Another method is to slip Trojans onto individual PCs and then use the relay function to take down the network.
 The FM-800A provides RDP and SSH attack detection and blocking functions.
6
Hacker steals confidential data of file server
Flowviewer has a solution
 Most intranet attacks are performed via RDP. The RDP password guessing attack detection function is unique and available only in Flowviewer FM-800A. The Flowviewer system can detect attacks and automatically send ACLs (Access Control List Entries) to the Core Switch (Layer 3) to prevent them. As seen below in the list of possible RDP Attacks report, Numbers 3, 5, 6 and 7 illustrate this type of intranet attack.
 Outlined in the red column, we can see an internal source IP (140.xxx.xxx.229) attacked 9 IPs (140.xxx.xxx.3, 140.xxx.xxx.2, and so on) at the same time.
 It is possible that the source IPs of numbers 3, 5, 6 and 7 are the victims of Spear Phishing. The figure is a successful example of FM-800A detecting the RDP attack.
7
Exclusive technology: RDP Attacks-1
 On 2012/06/04, our RDP attack detection function detected a hacker using 222.133.38.22 (Src IP) trying to compromise 140.XXX.101.4 (Dst IP).
 Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft,
which provides a user with a graphical interface to another computer. Clients exist for
most versions of Microsoft Windows (including Windows Mobile), Linux, Unix, Mac OS
X, Android, and other modern operating systems.
8
RDP Attacks-2
 Trace of the source IP of RDP attack.
 222.133.38.22 (Source IP) is from China.
 All series of Flowviewer FM-800A can query IP address using Geotool and
whois web site.
9
SSH Password Guess Attacks Report
 Many attacks go through the SSH route. The Flowviewer system can detect them and automatically send ACLs (Access Control List Entries) to the Core Switch (Layer 3) to prevent attacks. As seen below: a list of Possible SSH Attacks.
 FM-800A detected and blocked the IP 203.125.203.23, which used the SSH password guess attack to compromise a certain university's IP on 2013/08/23.
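The behaviour the RDP and SSH slides describe (one source making many short login attempts, either against one server or swept across several) can be checked directly on flow records. The following Python is an added example, not CureLan's code or the FM-800A algorithm; the thresholds, the 10.0.0.0/8 intranet range and the sample flows are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

SERVICES = {22: "SSH", 3389: "RDP"}
INTRANET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range

# Assumed thresholds for one reporting window (not FM-800A settings).
MAX_PACKETS_FAILED_LOGIN = 30  # a rejected login is a short TCP exchange
MIN_ATTEMPTS = 20              # short flows from one source to one service
MIN_FANOUT = 5                 # distinct targets that indicate a sweep


def detect_password_guessing(flows):
    """Return one report per (source, service) that behaves like guessing.

    flows: iterable of (src, dst, dst_port, packets) for TCP flows.
    """
    attempts = defaultdict(lambda: defaultdict(int))  # (src, port) -> dst -> n
    for src, dst, port, packets in flows:
        # Long flows are established sessions, not failed logins.
        if port in SERVICES and packets <= MAX_PACKETS_FAILED_LOGIN:
            attempts[(src, port)][dst] += 1

    reports = []
    for (src, port), per_dst in attempts.items():
        total = sum(per_dst.values())
        sweep = len(per_dst) >= MIN_FANOUT
        hammering = max(per_dst.values()) >= MIN_ATTEMPTS
        if total < MIN_ATTEMPTS or not (sweep or hammering):
            continue
        inside = ipaddress.ip_address(src) in INTRANET
        reports.append({
            "src": src,
            "service": SERVICES[port],
            "origin": "intranet" if inside else "internet",
            "attempts": total,
            "targets": len(per_dst),
        })
    return sorted(reports, key=lambda r: r["attempts"], reverse=True)


def sample_flows():
    """Constructed flow records; addresses are private/documentation ranges."""
    flows = []
    # Internal host trying 9 RDP servers, 6 short flows each (intranet sweep).
    for host in range(1, 10):
        flows += [("10.1.2.229", f"10.1.3.{host}", 3389, 12)] * 6
    # External host repeatedly guessing against one SSH server.
    flows += [("203.0.113.23", "10.1.4.134", 22, 14)] * 200
    # Administrator's two long, legitimate RDP sessions.
    flows += [("10.1.2.10", "10.1.3.1", 3389, 5200),
              ("10.1.2.10", "10.1.3.2", 3389, 4100)]
    # User who mistyped an SSH password three times.
    flows += [("10.1.5.77", "10.1.4.134", 22, 11)] * 3
    return flows


if __name__ == "__main__":
    for report in detect_password_guessing(sample_flows()):
        print(report)
```

The `origin` field separates the intranet-to-intranet case, which the slides say perimeter devices miss, from guessing that arrives from the Internet.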
10
Real Case
 Hackers compromised the intranet IP successfully by
SSH password guessing then implanted the Trojans
on September 12th, 2010.
 After three days, hackers attacked the external IP by
using UDP Flood Attacks with intranet IPs that had
been implanted with the Trojans.
11
Example of an SSH Attack
 The IP (218.29.100.122) tried to attack TANet between September 9th and 12th. The targets were National Sun Yat-sen University, National Chung Cheng University and the Ministry of Education Computer Center. There were as many as 160000 individual attacks during this period.
 Hackers (218.29.100.122) tried to invade one University IP 140.XXX.XXX.134 (Server) and another University Server Farm on September 11th & 12th.
 Hackers successfully invaded the servers of these two universities. Using the same method, hackers can invade the networks of commercial companies and gain access to confidential information, for example customer credit card details.
12
Successful detection of SSH intrusion attempts-1
 Hackers(218.29.100.122) try to invade the XXX University IP
140.XXX.XXX.134(Server) on September 11th.
 Hackers(218.29.100.122) try to invade the YYY University Server Farm on
September 11th.
13
Successful detection of SSH intrusion attempts-2
 Hackers(218.29.100.122) try to invade the XXX University IP
140.XXX.XXX.134(Server) on September 12th.
 Hackers(218.29.100.122) try to invade the YYY University Server Farm on
September 12th.
14
Successful hacker attack: September 12th.
UDP Flood Attacks begin September 15th
 Why do hackers try to implant Trojan horse programs on servers via SSH?
 Take the IP 218.29.100.122 as an example. On 9/12, the TANet intrusion finishes, but it then starts to attack the IP 93.114.111.187 (it belongs to an ISP based in Romania) by UDP Flood attack. Although we do not know why hackers carry out these attacks, they used IP 218.29.100.122 (Server) to intrude into 140.XXX.XXX.134 (Server). Its purpose is to attack the ISP in Romania by UDP Flood attack. The following description is a real case.
15
Real Case: UDP Flood Attack on September 15th
 Example: XXX university has a server which was implanted with Trojan horse programs and launched a UDP Flood Attack against a foreign IP. 218.29.100.122 invaded 140.XXX.XXX.134 and then attacked the Romanian ISP (IP: 93.114.111.187) via UDP Flood Attack on September 15th.
 As shown below, the time duration was 2010-09-15 11:57:59 --> 2010-09-15 12:00:23.
 There is 1.63GB of network traffic, but the number of transmitted packets is as high as 22,464,848, so we know it is indeed a UDP Flood Attack event. Within 5 minutes, the Flowviewer was able to detect the UDP Flood attack, send an email to notify administrators and write ACL commands to the Core Switch to block the attack.
16
Defense Methods
 The FM-800A collects real-time IP network traffic and analyzes it to identify unusual or suspicious behavior, rather than using the defined terms. Therefore the system doesn't take into account the names of the attacks; that is to say, network administrators don't have to waste time researching the names of hacker attacks.
 1. UDP Flood Attacks: Generate a large amount of traffic with fake UDP packets to attack a specific IP, weakening the intranet so it cannot work normally. This IP can be the HTTP file server, Web server, DNS server and so on.
 2. DOS Attacks: Generate a large number of sessions (flows) with fake TCP packets to attack a specific IP, weakening the intranet so it cannot work normally. This IP can be the HTTP file server, Web server, DNS server and so on.
 FM-800A automatically blocks UDP Flood attacks and DOS attacks.
17
UDP Flood Attack (DNS Amplification Attack)
Attacks National XXX University -1
 On November 29, 2010, an internal IP of a central national university was attacked by three foreign IPs, 212.59.6.158 (Lithuania), 202.104.151.201 (China) and 124.127.117.86 (China), via UDP Flood Attack. This attack caused the entire campus network to shut down.
18
UDP Flood Attack (DNS Amplification Attack)
Attacks National XXX University -2
 Highlighted below we can see the flows with which 212.59.6.158 attacked 140.XXX.XXX.131. As the following figure shows, the time duration is 2010-11-29 06:41:53 -> 2010-11-29 06:46:12. It produced 23,566,887 packets in 5 minutes. The graph clearly shows that the Flowviewer can accurately and automatically detect the UDP Flood Attacks from 140.XXX.XXX.131. From the following report, we can identify that the hacker attacked the target via port 53 and that it is a DNS Amplification Attack.
19
Detection of UDP Flood Attack Event
 After detecting the UDP Flood Attack, the Flowviewer will send a notification e-mail to administrators and write ACL commands to the Core Switch to block the attacking IP.
 By correlating the time duration, the packet number and the traffic, we can identify that it is a UDP flood attack.
20
NTP reflection attacks (UDP Flood Attacks):
 The hacker uses 140.XXX.XXX.2 as a relay to attack 192.99.18.64 via port 123; this attack is an NTP reflection attack.
21
Detection of DOS Attack Event
 The Flowviewer can detect DOS attacks and notify the administrator by e-mail. It can also automatically block the IP by itself.
 140.XXX.XXX.174 is used as a DOS Relay source to attack 113.107.174.140. The flows (Sessions) are up to 53,706,960 and the traffic was 105.44 GB.
 The attack will cause internal network performance to fall sharply and can even cause the entire internal network to shut down, so a DOS Relay IP is not just a problem for a single user; it is also a problem for the entire network.
22
Comparison Chart between FM-800A, IPS and Spyware
Installation Type
 Flowviewer FM-800A: In-line / Listen
 IPS: In-line
 Spyware: Each PC
Default Type
 Flowviewer FM-800A: Using network behavior anomaly detection (NBAD) technology, hacker attacks can be detected and intrusion can be blocked not just by the Flowviewer, but it can also use ACL commands to the L3 Core Switch to block the attacking IP.
 IPS: IPS equipment uses feature codes (Pattern) to detect hacker attacks and intrusion. Feature code (Pattern) update is slow, leaving systems vulnerable to attack. Also there is a high error rate on the threshold value (threshold) setting function if you set the threshold value too low.
 Spyware: Pattern
When the Intranet is being attacked
 Flowviewer FM-800A: Uses NBAD to automatically find and block the attack by writing ACL to core switch or the FM-800A itself.
 IPS: Only focuses on “Intranet to Internet”. Cannot find the attack from the Intranet.
 Spyware: It can only be used by pattern. If pattern updates too fast or the worm is unknown, then it is useless.
23
Comparison Chart between FM-800A, IPS and Spyware
Flow, IP, Port Traffic Quota Search and Report
 Flowviewer FM-800A: Internet → Intranet, Intranet → Internet, Intranet → Intranet
 IPS: Only focus on “Inter to Intra” and sometimes “Intra to Inter”
 Spyware: X
IP/Port Search at any time
 Flowviewer FM-800A: We can focus on the times of Source IP, Destination IP, Protocol Source IP, Destination Port, flow direction
 IPS: X
 Spyware: X
P2P Types
 Flowviewer FM-800A: 9 types include 11 programs (even if those programs update, we can still find and block them)
 IPS: Uses patterns for defense. If the P2P programs update, the IPS can’t block them successfully.
 Spyware: X
Processor Speed
 Flowviewer FM-800A: 6 seconds (30Mbps ~ 3Gbps)
 IPS: > 20 minutes (30Mbps)
 Spyware: X
24
The Blind Spot of IPS Equipment
 IPS equipment uses a feature code (Pattern) scheme and a threshold (threshold) setting function to identify hacker attacks from the external network and then block the hacker. However, a hacker who intrudes into an internal network computer through P2P, APP, Spear Phishing and other methods can then use implanted Trojan zombie computers on the internal network to bypass IPS detection, as IPS detection methods are designed to block external attacks only.
 IPS equipment uses a feature code (Pattern) to detect hacker attacks and intrusion. Feature code (Pattern) update is slow, and the error rate of the threshold value (threshold) setting function is very high.
 Just like the US companies Arbor Networks, Mazu Networks and Lancope, the Flowviewer device uses NBAD (Network Behavior Anomaly Detection) technology with synchronization and does not use feature codes (Pattern), so it does not suffer from the slow updates or the very high false positive rate problems of the threshold function.
25
DNS Amplification Attack-1
26
DNS Amplification Attack-2
 As shown above, when a hacker has slipped a Trojan onto PC4, the hacker changes the source IP of the inquiry packet to target A, which is the IP the hacker is attacking. The fake IP asks the Local DNS for domain name data, but the DNS Server doesn’t have that data. Therefore, the DNS Server asks the Public DNS for the data. When the domain name data is transferred back to the DNS Server, the DNS Server transfers the data back to the fake IP. However, that IP is a public IP on the Internet and is not on the Intranet. Thus, the domain name data which the Local DNS asked for is transferred to the Internet public IP. Because PC4 has been slipped the Trojan, PC4 continuously asks the Local DNS for domain name data, and the Local DNS continuously transfers the data to the Internet public IP. This method of attack is called a DNS Amplification Attack.
27
DNS Amplification Attack-3
 Here we can see how hackers used a huge number of sessions (Flows) to paralyze a website or a server. This is an example to illustrate how our FM-800A can detect and stop network attacks.
 On Oct. 11th, 2013, a hacker used a Ukrainian IP, 80.91.160.129 (source IP), to generate a huge number of sessions (Flows) to paralyze port 53 of the DNS server at Wu Feng University. The method of attack was to use a session (flow) on every single port service. As shown in the picture above, there were 9,436 sessions (flows).
28
Zoom In 9,436 Sessions (Flows) report
 A UDP connection is a connection which does not include sessions (Flows); that’s why hackers use packets of only 69 Bytes with every single Port Service, as shown in the picture above. FM-800A receives Netflow data, and Netflow will take every single Port Service as a session (Flow).
29
DNS Amplification Attack-4
 According to the analysis data above, we made a chart to show how hackers used a huge number of UDP connections to paralyze port 53 of the DNS server. This chart shows the UDP connection flows per second. By the 37th second, there is a maximum of 206 UDP connections.
30
DNS Attacks: How to avoid firewall detection
The following is a real case showing that firewall DOS Protections (Threshold function) cannot protect the IP from attacks by hackers.
 We set the firewall's UDP connection (sessions/packets) threshold for an IP to 300 UDP packets per second, so that the firewall will block any IP that reaches it. However, in this case, there are only 206 UDP packets per second. This means that the attack cannot be detected by the firewall. When setting firewall thresholds, it is not effective to block an IP for just 300 UDP packets per second. Hackers always want to bypass the firewall, and that includes changing the attack pattern every 2 or 3 days. In this case, NBAD (Network Behavior Anomaly Detection) is the best and most effective way to keep networks secure and free from outside attacks.
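To make the point of this slide concrete, the following Python compares a fixed per-second threshold with a check over the whole reporting window. It is an added example, not the FM-800A's algorithm or the vendor's code; the 60-second window, the behaviour-rule thresholds and the addresses are assumptions, and the sample flows are constructed to match only the figures given in the slides (9,436 single-packet flows of 69 bytes, peaking at 206 per second in the 37th second).

```python
from collections import Counter, defaultdict

FIREWALL_PPS_LIMIT = 300  # per-IP UDP packets/second threshold from the slide

# Assumed behaviour-rule thresholds for one window (not FM-800A settings).
WINDOW_FLOW_LIMIT = 5000   # UDP flows from one source to one dst port
SMALL_PACKET_BYTES = 100   # average packet size treated as "tiny"


def build_sample_window():
    """Constructed UDP flows: (second, src, dst, dst_port, packets, octets)."""
    per_second = [156] * 60  # assumed 60-second window
    per_second[36] = 206     # peak in the 37th second
    per_second[37] = 182     # brings the total to 9,436 flows
    flows = []
    for second, count in enumerate(per_second):
        flows += [(second, "198.51.100.129", "192.0.2.53", 53, 1, 69)] * count
    # Ordinary client: 40 DNS lookups spread over the window.
    flows += [(s, "192.0.2.77", "192.0.2.53", 53, 1, 74) for s in range(40)]
    return flows


def firewall_threshold_hits(flows, limit=FIREWALL_PPS_LIMIT):
    """(src, second) pairs where a source exceeded the fixed per-second limit."""
    per_second = Counter()
    for second, src, _dst, _port, packets, _octets in flows:
        per_second[(src, second)] += packets
    return sorted(key for key, pkts in per_second.items() if pkts > limit)


def behaviour_findings(flows):
    """Flag sources whose whole-window behaviour toward one port is abnormal."""
    stats = defaultdict(lambda: {"flows": 0, "packets": 0, "octets": 0,
                                 "per_second": Counter()})
    for second, src, dst, port, packets, octets in flows:
        entry = stats[(src, dst, port)]
        entry["flows"] += 1
        entry["packets"] += packets
        entry["octets"] += octets
        entry["per_second"][second] += packets

    findings = []
    for (src, dst, port), entry in stats.items():
        avg_size = entry["octets"] / entry["packets"]
        # Many flows of tiny packets to one service is the anomaly, even
        # though no single second crosses the firewall's limit.
        if entry["flows"] >= WINDOW_FLOW_LIMIT and avg_size <= SMALL_PACKET_BYTES:
            findings.append({
                "src": src, "dst": dst, "dst_port": port,
                "flows": entry["flows"],
                "avg_packet_bytes": avg_size,
                "peak_pps": max(entry["per_second"].values()),
            })
    return findings


if __name__ == "__main__":
    window = build_sample_window()
    print("fixed-threshold hits:", firewall_threshold_hits(window))
    print("window findings:", behaviour_findings(window))
```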
31
Real-time Query of Dynamic Traffic
 The query can be adjusted at any time to analyze an individual IP address and show all of the destination IPs it has contacted. This function can identify the details of any potential crime and be used as evidence later on.
 The following figure shows the source IP (120.XXX.XXX.39) and lists the destination IPs it contacted on May 20, 2014 from 12:30 to 13:30. The destination IP is the IP address of the website or server. An IP in blue means it was accessed via port 80, and an IP in green represents those not using port 80.
32
FM-800A Configuration : Inline Mode
33
Automatically Prevent Hacker
Intrusion and Attack in Inline Mode
 Even in the event of a combined hardware and system
failure, the Flowviewer, utilizing auto by-pass mode,
will not have any adverse effect on network
connections or stability.
 The Flowviewer FM-800A device provides automatic
blocking of hacker intrusions and attacks.
 Automatic blocking of external IPs. (When hackers want to intrude on
internal network via the Internet.)
 The Flowviewer can automatically write ACL commands to the Core
Switch to block attacks via intranet to intranet.
34
Flowviewer FM-800A Can Block Automatically
 Flowviewer FM-800A can automatically stop SSH Password Guess Attacks, RDP Password Guess Attacks, UDP Flood Attacks and DOS Attacks by sending ACLs (Access Control List Entries) to the Core Switch (Layer 3). As we can see, the target switch companies include Cisco, Foundry, Alcatel and Extreme etc.
35
Traffic Quota Function
36
Introduction of Traffic Quota Control
 On campus, this function may be used to control the network traffic in the dorm. For government or enterprise, the function can be set to limit network traffic. Network limits can therefore be set at different levels for different network groups depending on their requirements.
 When the user quota is exceeded, the quota manager can apply: (1) Blocking (block the user’s IP address). (2) Bandwidth limit (rate limit). The system allows the user to choose either Bandwidth limit or Block IP for different groups at the same time.
 The system can prevent the increase of bandwidth as a method to solve network traffic problems.
37
Traffic Monitor Function Introduction
 Traffic Monitor can monitor real-time traffic, including total up/down/bi-direction traffic, current up/down/bi-direction speed and peak up/down/bi-direction speed.
38
Forced Disconnection Function
 When managers find an IP improperly using network resources
or performing any malicious acts (such as setting others’ IP
address) they can block this IP manually.
39
Traffic Analysis of Individual Units
on the Internal Network
 A unit IP Group can be defined and used to display the network traffic usage rate of this IP group, which is then displayed in a pie chart.
 This can be used to identify network problems, using a unit IP group to show that unit's individual flow analysis.
40
P2P function
 The Flowviewer system can use P2P patterns to filter P2P traffic such as: BitTorrent; AppleJuice; WinMX; SoulSeek; Ares, AresLite; Gnutella; Foxy; eDonkey, eMule, Kademlia; KaZaA, FastTrack; Direct Connect; Xunlei, Thunder; PPStream, QQLive, feidian, POCO, QVOD; SIP (VoIP).
 P2P white list: An IP or subnet can be added to the P2P white list and will never be blocked from using P2P applications.
41
P2P White List
 IP or subnet can be added to P2P white list and will
never be blocked from using P2P applications.
42
Worm IP Blocking Function
 The system provides an ACL(Access Control List) blocking function.
 Flowviewer can block by itself, and can also notify the administrator
while blocking IPs.
 It can also set white list IPs that can bypass the blocking function. The
feature can work on the following Layer 3 switches: Cisco, Foundry,
Alcatel, H3C and Extreme.
43
Built-in standard features and functionality difference table
Flowviewer Type: FM-200A/AS, FM-800A
 Peer-to-peer (P2P) filter: FM-200A/AS Yes, FM-800A Yes
 P2P Report: FM-200A/AS Yes, FM-800A Yes
 Quota Management function and current traffic monitor: FM-200A/AS Yes, FM-800A Yes
 Netflow or sFlow traffic report: FM-200A/AS Yes, FM-800A Yes
 Worm detection (NBAD): FM-200A/AS Yes, FM-800A Yes
 Automatic block infected IPs from L3 Switch by ACL: FM-200A/AS Yes, FM-800A Yes
 Port Scan and SSH Password Guess Attacks Report: FM-200A/AS No, FM-800A Yes
 RDP Attack Report: FM-200A/AS No, FM-800A Yes
 Automatic block Port Scan and SSH Password Guess Attacks: FM-200A/AS No, FM-800A Yes
 Automatic block RDP Attacks: FM-200A/AS No, FM-800A Yes
 UDP Flood Attacks and DOS Attacks Detection Report: FM-200A/AS No, FM-800A Yes
 Automatic block UDP Flood Attacks and DOS Attacks Detection: FM-200A/AS No, FM-800A Yes
 Public Report (Hyperlinks): FM-200A/AS Yes, FM-800A Yes
44
Telecoms Solutions
 Most telecoms Companies provide an IDC(Internet Data
Center) and the IDC service provides customer websites with
the ability to detect DDoS(Distributed Denial of Service)
attacks.
 Therefore, detecting UDP Flood Attacks becomes the most
important function. Flowviewer FM-800A has the ability to
accurately detect hacker IPs and send ACLs (Access Control
List Entries) to Core Switch (Layer 3) that cuts off UDP Flood
Attacks and prevents IDC(Internet Data Center) customer
websites or business application servers from being paralyzed.
45
UDP Flood Attacks: a real world example
 Below is an example of the Flowviewer FM-800A successfully detecting an
attack from an external IP(140.xxx.xxx.183) to a university in Taiwan.
 Using a Flowviewer FM-800A a Telecoms Company can protect an
IDC(Internet Data Center)client from hacker attacks.
46
Conclusion
 No single device can detect all hacker attacks. But our
device can detect most types of hacker attacks.
 There is no solution for P2P and Spear Phishing but
our device has a way to deal with these problems. We
can do this using our RDP detect functionality. The
Flowviewer FM-800A is the only system with this
exclusive functionality on the market.
47
Our reference sites
 Important Customer:
 National Center for High-Performance Computing
 Main Service: Cross-Campus WLAN Roaming Mechanism.
 Our product, Flowviewer, uses the netflow traffic report feature to trace IPs that are controlled by a Botnet and notify the administrators who are in charge of the IP address.
 School:
 National Chung Hsing University (NCHU)
 National Kaohsiung Marine University
 National Pingtung University of Science & Technology
 I-Shou University; Chinese Culture University
 National University of Tainan
 National Taichung University
 National Changhua University of Education; WuFeng University
 Nanya Institute of Technology
 Ling Tung University
 National Taichung Nursing College
 Military:
 Chung Cheng Armed Preparatory School
 National Defense University
 R.O.C Military Academy
 Government:
 Kaohsiung City Government
 Taitung County Government
 Financial Supervisory Commission, Financial Examination Bureau
 Other: Show Chwan Memorial Hospital, Mega International Commercial Bank, Fist
48
Customers
49
Performance and Function
Flowviewer Models: FM-800A
Form Factor: 2U
Attack Mitigation Performance and Function:
 MRTG MAX: ~2Gbps
 Up to 6 million concurrent unidirectional application sessions over an IP network
 Quota Management function and current traffic monitor
 Peer-to-Peer filter and P2P Report
 Netflow or sFlow traffic report
 Worm detection (NBAD)
 Automatic ACL block infected IPs
 SSH and RDP Password Guess Attacks Report
 UDP Flood Attacks Report
 DOS Relay Attack Report
 Automatic block Worm, Port Scan, SSH and RDP Password Guess, Port Scan, UDP Flood Attack and DOS Attack.
Inline Mode NIC:
 2 Port 10/100/1000 BaseT
 2 Port 1000 Base-SX
Bypass: Hardware & Software
50
Demo site for Flowviewer FM-800A device
http://140.130.102.146
Account: guest
Password: 1234
51
Contact us
Office:15F-1, No,255, Jiuru 2nd rd., Sanmin District,
Kaohsiung City 807, Taiwan(R.O.C)
TEL:+886-7-311-5186
FAX:+886-7-311-5178
Email: blue@curelan.com
aria@curelan.com
Website : www.curelan.com
52