JANET CSIRT use of NetFlow data
NetFlow
NetFlows are records that a router may generate. They consist of header information from sequences of packets with the same source address and port, destination address and port, and protocol (TCP, UDP etc).
In many TCP interactions a flow will correspond to an
UDP applications commonly use multiple source ports and a single destination port, so that a transaction will generate multiple flows; and other protocols such as ICMP have no notion of a port.
NetFlow in JANET
The routers at the edges of JANET generate flow data. They pass it to private collector servers, which collate the flows into stored files available for transfer or processing.
Limitations on what is available are:
- Packets are sampled at about 1:10 so that the flows are not a complete record;
- The sampling results in some individual flows being incomplete or wrongly labelled;
- There is no sight of traffic purely internal to JANET;
- The process of collection introduces latency between the occurrence of a flow and its availability for processing.
The JANET CSIRT applications
There are also facilities for a limited class of manually initiated queries.
Although the processes and results have much in common with an Intrusion Detection System, there are at present no automated queries which will directly identify an intrusion into or a targeted attack on JANET or the network of a JANET organization.
The patterns normally sought are of outgoing traffic likely to indicate abnormal behaviour of computers within JANET.
For instance:
- Worms and viruses commonly attempt to propagate by contacting the same port on a great number of remote addresses, which will typically include some outside JANET and so be detectable in the flows. Where propagation is by UDP, many separate flows have to be recognised with a common destination port.
- Certain ports should not normally appear as destinations for traffic outside a LAN.
- From time to time particular destination addresses, source ports or destination ports may reveal instances of current threats and exploits.
- Bots and botnets are a common manifestation of abuse, and combinations of the above can help to identify individual bots in JANET, and controllers or motherships whether in JANET or elsewhere.
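The two flow-keyed checks described above (many distinct remote addresses contacted on one destination port, and LAN-only ports appearing as destinations outside the local network) can be illustrated with a small script. This is an added example and not JANET CSIRT's code: the record format, the "local" address prefixes, the list of LAN-only ports and the fan-out threshold are all constructed assumptions chosen for illustration. Distinct destination addresses are counted per (source, destination port, protocol) rather than raw flows, which is what makes the UDP case work: a host using many source ports to reach one DNS server produces many flows but only one target.

```python
"""Flow-pattern checks of the kind the page describes (added example, not JANET's code)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List, NamedTuple, Set, Tuple

# Hypothetical prefixes standing in for the addresses "within JANET".
LOCAL_NETS = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]

# Assumed set of ports that should not normally be destinations beyond a LAN
# (SMB/NetBIOS chosen as a plausible illustration; the page names no ports).
LAN_ONLY_PORTS: Set[int] = {137, 138, 139, 445}


class Flow(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    packets: int


def parse_flows(text: str) -> List[Flow]:
    """Parse a constructed text format: 'src sport dst dport proto packets' per line."""
    flows: List[Flow] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, sport, dst, dport, proto, pkts = line.split()
        flows.append(Flow(src, int(sport), dst, int(dport), proto.upper(), int(pkts)))
    return flows


def is_local(addr: str) -> bool:
    """True if the address falls inside one of the assumed local prefixes."""
    a = ip_address(addr)
    return any(a in net for net in LOCAL_NETS)


def find_fanout(flows: List[Flow], min_targets: int = 8) -> Dict[Tuple[str, int, str], int]:
    """Local sources contacting the same destination port on many distinct remote hosts.

    Counting distinct destinations (not flows) handles UDP, where a single
    transaction may already produce several flows from different source ports.
    The threshold is an arbitrary assumption for the example."""
    targets: Dict[Tuple[str, int, str], Set[str]] = defaultdict(set)
    for f in flows:
        if is_local(f.src) and not is_local(f.dst):   # outgoing traffic only
            targets[(f.src, f.dport, f.proto)].add(f.dst)
    return {k: len(v) for k, v in targets.items() if len(v) >= min_targets}


def find_lan_only_ports(flows: List[Flow]) -> List[Tuple[str, str, int]]:
    """Outgoing flows whose destination port should not cross the LAN boundary."""
    hits = {(f.src, f.dst, f.dport) for f in flows
            if is_local(f.src) and not is_local(f.dst) and f.dport in LAN_ONLY_PORTS}
    return sorted(hits)


# Constructed sample records: a TCP sweep of port 445, a UDP sweep of port 1434,
# ordinary DNS from several source ports to one resolver, an internal-to-internal
# flow (invisible/irrelevant for outgoing patterns) and one inbound flow.
SAMPLE = "\n".join(
    ["# src sport dst dport proto packets  (constructed)"]
    + [f"192.0.2.10 {40000 + i} 203.0.113.{i} 445 tcp 1" for i in range(1, 11)]
    + [f"192.0.2.30 {50000 + i} 198.18.0.{i} 1434 udp 2" for i in range(1, 13)]
    + [f"192.0.2.20 {60000 + i} 203.0.113.53 53 udp 1" for i in range(1, 6)]
    + ["192.0.2.40 3456 198.51.100.7 445 tcp 12",
       "203.0.113.99 1234 192.0.2.10 80 tcp 3"]
)

if __name__ == "__main__":
    flows = parse_flows(SAMPLE)
    for key, n in find_fanout(flows).items():
        print(f"fan-out: {key[0]} -> port {key[1]}/{key[2]} on {n} remote hosts")
    for src, dst, port in find_lan_only_ports(flows):
        print(f"LAN-only port outbound: {src} -> {dst}:{port}")
```

Run as-is, the sweep hosts are reported while the DNS client is not, since its five flows reach a single destination; the internal-to-internal flow is ignored because both ends are local, matching the page's point that purely internal traffic is outside the view.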
Access to data
Flow data consists entirely of
Where flow data indicates some problem at an organization,
We recognise that in some instances the behaviour patterns we report for one or more computers imply behaviour by one or more users which is contrary to local regulations and to the
Future plans
The present service is constrained in:
- the volume of data it can hold; in practice this restricts the time for which flow data is kept to a value much shorter than its administrative lifetime. The time varies but is typically two or three weeks.
- the processing power available; a single system manages the retrieval of bulk data from the collectors, enters it into the database and runs queries. It is not possible to apply more subtle patterns to the searching, to include statistical considerations or to automate any graphing of relationships, Long-term trends or events (already to some extent hidden by the short data life) cannot be revealed.
- the parts of JANET visible to it; risks arising through traffic from one JANET entity to another will not be identified.
On the face of it, modest additional resources would permit some development, but at the time of writing an entirely different approach is being considered for flow monitoring in JANET, which would have a substantial impact. Broadly, information would be gathered from a wider range of sources, preprocessed close to its source and made available to
Further development of a
Additional information
- JANET flow monitoring project
- NetFlow (mainly about version 9; JANET has version 5)
- IP packet headers RFC791 http://www.ietf.org/rfc/rfc0791.txt