We recently published an article entitled “Network Monitoring and Detection of Abnormal Network Activity Using Flowmon Networks Solutions”, in which we briefly reviewed the product's features and the installation process. Unexpectedly for us, after the article and the webinar we received a large number of requests to test Flowmon, and the very first pilot projects revealed several typical network problems that you would not see without NetFlow. It should be noted right away that during product testing the most interesting results came from the Anomaly Detection Module (ADS). After a short “training” period (at least a week), we began to record various incidents. In this article we look at the most common of them.
1. Someone is scanning the network
In every pilot we found hosts scanning the network, hosts that should not be doing this. In a couple of cases it turned out to be specific software, and the problem was solved with ordinary firewall rules. In most cases, however, the company turned out to have an “enthusiast” playing with Kali Linux while taking pentest courses (which is very commendable!). Only once did we find a genuinely infected PC that was scanning the network automatically.
2. Large losses on the network (60 MB downloaded, 10 MB reached the user)
Quite often you can find loss problems in certain parts of the network. In a Flowmon incident this might look like 60 MB sent from the target system while the user who complained received only 10 MB. Yes, sometimes users are telling the truth when they say some application is very slow, and Flowmon can be useful in such cases.
3. Many connections from peripheral devices (printers, cameras) to servers
We find this incident almost every time. With the simplest filter you can see periodic requests from peripheral devices to the domain controller. When we investigated, we usually concluded that these connections/requests should not exist, although there are “legitimate” cases. Either way, the security staff then suddenly discover a whole class of devices that they also need to monitor and, at the very least, place in a separate segment.
4. Connecting to servers via non-standard ports
Also a frequent case. For example, a DNS server is found that receives requests not only on port 53 but on a bunch of other ports as well. Two problems emerge immediately:
- someone opened other ports to the DNS server on the firewall;
- other services are running on the DNS server.
Both issues require investigation.
5. Connections to other countries
Found in almost every pilot. It is especially interesting for any segment with cameras or access control systems: it turns out that some Chinese devices are aggressively “phoning home” or to somewhere in Bangladesh.
6. An employee's traffic rises sharply before dismissal
We saw this in the last two pilots. We did not take part in the proceedings, but most likely the user was simply backing up some work information. Whether company policy permits this is unknown to us.
7. Multiple DNS queries from the user host
This problem is often a sign of an infected PC, or a “feature” of some specific software. In any case, it is useful food for thought, especially when a user's computer generates 1000 DNS queries per hour.
8. A “rogue” DHCP server on the network
Another disease of many large networks. A user starts VirtualBox or VMware Workstation and forgets to turn off the built-in DHCP server, which periodically takes down a network segment. NetFlow analysis helps identify the culprit very quickly here.
9. “Loops” in the local network
“Loops” are found in almost every pilot project where it is possible to export NetFlow/sFlow/jFlow/IPFIX from the access switches, not just from the core. In some companies the switches cope with these loops successfully (thanks to proper equipment configuration) and nobody particularly notices them. In others, the entire network periodically storms and nobody can understand what is happening. Flowmon is very helpful here.
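Several of the findings above (1, 3, 4, 7 and 8) are simple aggregations over flow records, which is why they show up in the first week of a pilot. The script below is an added example, not code from the article or from Flowmon: it runs the same checks over a constructed set of NetFlow-style records (source/destination address, protocol, ports, packets, bytes). The addresses, the server roles and the thresholds are assumptions chosen for the sample; in a real network they come from your inventory.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of flow records; fields modelled on NetFlow v5 / IPFIX.
# proto 6 = TCP, 17 = UDP. None of this is real traffic.
FLOWS = [
    # assumed scanner 10.0.5.23 touching 40 hosts on TCP/445 with single-packet flows
    *[{"src": "10.0.5.23", "dst": f"10.0.1.{i}", "proto": 6, "sport": 40000 + i,
       "dport": 445, "pkts": 1, "bytes": 60} for i in range(1, 41)],
    # ordinary DNS query to the assumed DNS server 10.0.0.53
    {"src": "10.0.5.10", "dst": "10.0.0.53", "proto": 17, "sport": 51000, "dport": 53, "pkts": 1, "bytes": 70},
    # hosts reaching the DNS server on ports that have nothing to do with DNS
    {"src": "10.0.5.10", "dst": "10.0.0.53", "proto": 6, "sport": 51001, "dport": 3389, "pkts": 20, "bytes": 4000},
    {"src": "10.0.7.4", "dst": "10.0.0.53", "proto": 6, "sport": 51002, "dport": 8080, "pkts": 5, "bytes": 900},
    # chatty host: 1200 DNS queries in the window
    *[{"src": "10.0.5.77", "dst": "10.0.0.53", "proto": 17, "sport": 52000 + i,
       "dport": 53, "pkts": 1, "bytes": 70} for i in range(1200)],
    # DHCP server-side traffic (UDP/67 -> 68): the real server and a workstation running a VM hypervisor
    {"src": "10.0.0.67", "dst": "255.255.255.255", "proto": 17, "sport": 67, "dport": 68, "pkts": 1, "bytes": 300},
    {"src": "10.0.5.90", "dst": "255.255.255.255", "proto": 17, "sport": 67, "dport": 68, "pkts": 1, "bytes": 300},
    # printer segment talking to the assumed domain controller 10.0.0.10
    {"src": "10.0.9.15", "dst": "10.0.0.10", "proto": 6, "sport": 49152, "dport": 445, "pkts": 30, "bytes": 5000},
]


def find_scanners(flows, min_targets=20):
    """Finding 1: sources that touch many distinct (dst, dport) pairs with tiny flows.
    Scan probes are one or two packets because the handshake never completes."""
    targets = defaultdict(set)
    for f in flows:
        if f["pkts"] <= 2:
            targets[f["src"]].add((f["dst"], f["dport"]))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def find_unexpected_server_ports(flows, server_roles):
    """Finding 4: flows that hit a known server on a port outside its role.
    server_roles maps server IP -> set of allowed destination ports."""
    hits = defaultdict(set)
    for f in flows:
        allowed = server_roles.get(f["dst"])
        if allowed is not None and f["dport"] not in allowed:
            hits[f["dst"]].add((f["src"], f["dport"]))
    return {srv: sorted(pairs) for srv, pairs in hits.items()}


def find_dns_chatterboxes(flows, dns_servers, threshold=1000):
    """Finding 7: clients sending an unusual number of DNS queries in the window."""
    counts = defaultdict(int)
    for f in flows:
        if f["proto"] == 17 and f["dport"] == 53 and f["dst"] in dns_servers:
            counts[f["src"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


def find_rogue_dhcp(flows, authorized_servers):
    """Finding 8: anything answering from UDP/67 (the DHCP server side) that is not authorized."""
    return sorted({f["src"] for f in flows
                   if f["proto"] == 17 and f["sport"] == 67 and f["src"] not in authorized_servers})


def find_peripheral_to_server(flows, peripheral_nets, servers):
    """Finding 3: devices in printer/camera segments opening connections to core servers."""
    nets = [ip_network(n) for n in peripheral_nets]
    out = {(f["src"], f["dst"], f["dport"]) for f in flows
           if f["dst"] in servers and any(ip_address(f["src"]) in n for n in nets)}
    return sorted(out)


def run_all(flows=FLOWS):
    """Run every check with the assumed inventory and return the findings in one dict."""
    return {
        "scanners": find_scanners(flows),
        "unexpected_ports": find_unexpected_server_ports(
            flows, {"10.0.0.53": {53}, "10.0.0.10": {88, 389, 445, 636}}),
        "dns_chatter": find_dns_chatterboxes(flows, {"10.0.0.53"}),
        "rogue_dhcp": find_rogue_dhcp(flows, {"10.0.0.67"}),
        "peripheral_to_server": find_peripheral_to_server(flows, ["10.0.9.0/24"], {"10.0.0.10"}),
    }


if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name}: {result}")
```

Each check deliberately works on plain flow fields rather than packet payload, which is the point of the article: once the switches and firewalls export flows, these questions are answered by counting, and the inventory (which hosts are servers, which subnets are peripherals, which DHCP servers are authorized) is the only input you have to maintain.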
Conclusion
Such network analysis can be useful for almost any company, especially considering that it can be performed during the free trial period. We have already described how to deploy the solution yourself. But you can always contact us for help with setup, analysis of the results, or simply to extend the trial!
If you are interested in such materials, stay tuned (Telegram, Facebook, VK, TS Solution Blog)!