A useful oversimplification for network surveillance?
Howard C. Berkowitz
hcb at gettcomm.com
Thu Aug 25 15:20:54 UTC 2005
I'm developing some guidance for ISP surveillance for infrastructure
attacks, and my increasing impression is that for other than the
expert level, there may be some useful simplifications of the
applicability of tools. Remember that I am speaking of surveillance
here, not the detailed analysis in a sinkhole. Perhaps this could be
the basis of some security architecture presentations/tutorials at
NANOG.
Let me put up the following strawmen and invite people with flaming
torches to go for them, with the caveat that these simplifications
are for an introduction to the topic.
NetFlow is the key to analyzing traffic patterns outside the router,
looking for DDoS signatures when known, and for traffic anomalies that
may become DDoS.
SNMP is the key to analyzing the effect of exploits on network elements.
For example, NetFlow might tell you there is a flood directed at TCP
port 179, but your router may implement rate-limiting/policing such
that the control processor doesn't see this flood and processor
utilization stays within reasonable ranges.
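An added illustration of the NetFlow-versus-SNMP split described above (my example, not code from the original post): NetFlow records show a many-source flood at TCP/179, while SNMP control-processor polls show whether that flood actually reached the router's CPU or was absorbed by policing. The flow records, CPU samples, thresholds and addresses are all constructed for the example.

```python
from collections import defaultdict

# Constructed NetFlow-style records for one export interval:
# (src_ip, dst_ip, protocol, dst_port, packets). Several distinct sources
# hammer TCP/179 (BGP) on the router's loopback; the rest is background.
FLOWS = [
    ("198.51.100.7", "192.0.2.1", 6, 179, 40),       # ordinary peer session
    ("203.0.113.10", "192.0.2.1", 6, 179, 12000),
    ("203.0.113.11", "192.0.2.1", 6, 179, 11500),
    ("203.0.113.12", "192.0.2.1", 6, 179, 13200),
    ("203.0.113.13", "192.0.2.1", 6, 179, 9800),
    ("198.51.100.20", "192.0.2.50", 6, 80, 900),
    ("198.51.100.21", "192.0.2.50", 17, 53, 300),
]
# Constructed SNMP polls of control-processor utilization (percent) for the
# same interval: low, because the router policed the flood before the CPU.
CPU_SAMPLES = [7, 9, 8, 11, 9]

def packets_by_target(flows, proto, port):
    """Aggregate packets and distinct sources per destination for one proto/port."""
    pkts, srcs = defaultdict(int), defaultdict(set)
    for src, dst, pr, dport, packets in flows:
        if pr == proto and dport == port:
            pkts[dst] += packets
            srcs[dst].add(src)
    return {dst: (pkts[dst], len(srcs[dst])) for dst in pkts}

def netflow_flood_targets(flows, pkt_threshold=10000, min_sources=3):
    """NetFlow view: destinations whose TCP/179 volume and source spread look like a flood."""
    return sorted(dst for dst, (pkts, n) in packets_by_target(flows, 6, 179).items()
                  if pkts >= pkt_threshold and n >= min_sources)

def cpu_elevated(samples, threshold=70):
    """SNMP view: did the control processor feel the flood?"""
    return max(samples) >= threshold

def assess(flows, cpu_samples):
    """Correlate both views; thresholds are illustrative, not tuned values."""
    targets = netflow_flood_targets(flows)
    cpu = cpu_elevated(cpu_samples)
    if targets and cpu:
        verdict = "flood reaching control plane"
    elif targets:
        verdict = "flood seen in NetFlow, control plane unaffected"
    elif cpu:
        verdict = "CPU elevated without a flood signature"
    else:
        verdict = "normal"
    return {"flood_targets": targets, "cpu_elevated": cpu, "verdict": verdict}

if __name__ == "__main__":
    print(assess(FLOWS, CPU_SAMPLES))
```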
Syslog and SNMP traps focus on physical events by people (e.g.,
reconfiguration), physical problems ranging from temperature alarms
to router and interface shutdown, and exploits against security
mechanisms. Some of this asynchronous information has to undergo
root cause analysis: the interface you see go down may be perfectly
fine; the problem is in the medium or the distant interface.