CURELAN TECHNOLOGY Co., LTD
Flowviewer FM-800A
www.CureLan.com

1 Product Introduction

Product Major Functions
- Quota Management (IPv4 & IPv6) and current traffic monitor.
- Peer-to-Peer (P2P) filter.
- P2P Report.
- Netflow or sFlow traffic report.
- Worm detection (NBAD). Infected IPs are blocked automatically, either by ACL on the L3 switch (for Cisco, Foundry, Alcatel, Extreme) or by the Flowviewer itself.
- Port Scan and SSH Password Guess Attacks Report (NBAD).
- RDP Password Guess Attacks Report (NBAD).
- List of Possible UDP Flood Attacks Report (NBAD).
- List of Possible DOS Attacks Report (NBAD).
- Port Scan and SSH Password Guess Detection and Blocking. Blocking method: blocked by Flowviewer.
- RDP Password Guess Detection and Blocking. Blocking method: blocked by Flowviewer.
- UDP Flood Attack Detection and Blocking. Blocking method: ACL command applied to the core switch.
- DOS Attack Detection and Blocking. Blocking method: ACL command applied to the core switch.

2 Agenda

Classification by Function
- Automatic detection of RDP and SSH attacks.
- Automatic prevention of UDP Flood and DOS attacks.
- Dynamic Traffic Query, which can identify suspect network traffic and check the IP against a list of known offenders.

3 Network Security Threats Case-1

Virus: Using normal packet data, a virus compromises PCs, potentially destroying the personal computer's hard disk data or storage memory and also slowing the PC down. The destructive characteristics of these programs are limited to personal computers.

Hacker: In the computer security context, a hacker is someone who seeks and exploits weaknesses in a computer system or computer network. Hackers may be motivated by a multitude of reasons, such as profit, protest, or challenge. Hackers can use a port-scanning Trojan to discover network vulnerabilities. They can also scan a unit's port services; some units respond by changing the original port service numbers, which still leaves the network open to further hacking activities.
By using a port scan, hackers can find a unit's port services, allowing Trojans to invade a specific port by guessing the password. Once such a Trojan horse program succeeds, the computer becomes a zombie computer and potentially part of a botnet.

4 Network Security Threats Case-2

After a computer has been turned into a zombie, it can be used to intrude on other internal computers. Through a key-logging program the hacker can determine whether the computer is a personal computer or a server, because a personal computer is shut down regularly by its user while a server is very rarely shut down. If it is a server, it is a suitable relay from which to attack the target IP. The server may also contain valuable data which the hacker can steal.

Through the port scan program hackers can exploit the known insecurities of ports 53 and 123: they can create a DNS Amplification Attack via port 53 (DOS Attacks), and the same kind of attack can be created using port 123 NTP (Network Time Protocol) reflection attacks (UDP Flood Attacks).

A device that uses network behavior analysis (NBA) to identify hacker intrusion and attack does not need feature values (patterns). Network behavior analysis collects all network IP data and identifies intrusions and hacking attacks by spotting anomalous network data. NBA allows rapid detection of network attacks by analyzing ALL network data, unlike the pattern detection method, which is restricted to identifying attacks that match set patterns of network activity. Hackers can bypass pattern detection by changing the pattern of their attacks every 2 or 3 days.

5 Hacking Methods

- Bypass network security by exploiting SSH and RDP vulnerabilities.
- Known Microsoft operating system vulnerabilities (see note below) and PHP, C++ database vulnerabilities.
- Methods that exploit bugs that even software and operating system developers are not aware of in their systems.
This is the best situation from a hacker's point of view, as these attacks cannot be detected or stopped until developers identify the bug and release updated software to fix the problem.

Note: Hackers can use injection of CSS codes on insecure web sites, allowing them to access confidential user data on the host server. A Google security engineer also pointed out that there is evidence that Microsoft was aware of this vulnerability as early as 2008. At present users must rely on their browsers to deal with this vulnerability.

No network security product can ever protect from all attacks; for example, a Trojan horse attached during P2P, app use or Spear Phishing is undetectable. Luckily, server equipment does not receive and send mail or use P2P downloads automatically, so any action of this kind happens on a personal computer. Most hacks focus on one computer and then use the intranet to attack other IPs until they locate the server IP that allows access to confidential data. Another method is to slip Trojans onto individual PCs and then use the relay function to take down the network. The FM-800A provides RDP and SSH attack detection and blocking functions.

6 Hacker steals confidential data of file server: Flowviewer has a solution

Most intranet attacks are performed via RDP; the RDP password guessing attack detection function is unique and available only in the Flowviewer FM-800A. The Flowviewer system can detect the attack and automatically send ACLs (Access Control List Entries) to the Core Switch (Layer 3) to prevent it. In the list of possible RDP Attacks report shown on this slide, entries 3, 5, 6 and 7 illustrate this type of intranet attack. Outlined in the red column, an internal source IP (140.xxx.xxx.229) attacked 9 IPs (140.xxx.xxx.3, 140.xxx.xxx.2, and so on) at the same time. It is possible that the source IPs of entries 3, 5, 6 and 7 are victims of Spear Phishing. The figure is a successful example of the FM-800A detecting an RDP attack.
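The RDP password-guess report above (slide 6) and the SSH password-guess report the deck describes next (slide 9) rest on one flow-level observation: a legitimate remote-desktop or SSH session is a single long-lived TCP flow, whereas a password guesser opens a fresh connection for every attempt and often sweeps many hosts, as in the slide-6 case of one internal source reaching 9 RDP targets at once. The Python below is an added example written for this page, not CureLan's or the FM-800A's code: it buckets constructed NetFlow-like records by source and time window and flags sources with many short flows or many distinct targets on ports 22 and 3389. The record layout, the addresses, the window and the thresholds are assumptions.

```python
from collections import defaultdict
from typing import NamedTuple

# Minimal NetFlow-like record. Constructed for this example; the field layout
# is an assumption, not the FM-800A's export format.
class Flow(NamedTuple):
    ts: int        # flow start, epoch seconds
    src: str
    dst: str
    dport: int
    proto: int     # 6 = TCP, 17 = UDP
    packets: int
    nbytes: int

# Remote-access services watched for password guessing (port -> label).
GUESS_PORTS = {22: "SSH", 3389: "RDP"}

def detect_password_guessing(flows, window=300, min_flows=20, min_targets=3):
    """Flag sources that open many short TCP flows to SSH/RDP inside a time
    window, or that touch several distinct targets in that window.
    Returns {(src, service): {"flows": count, "targets": [dst, ...]}}."""
    buckets = defaultdict(list)
    for f in flows:
        if f.proto == 6 and f.dport in GUESS_PORTS:
            buckets[(f.src, GUESS_PORTS[f.dport], f.ts // window)].append(f)
    alerts = {}
    for (src, service, _), bucket in buckets.items():
        targets = {f.dst for f in bucket}
        if len(bucket) >= min_flows or len(targets) >= min_targets:
            entry = alerts.setdefault((src, service), {"flows": 0, "targets": set()})
            entry["flows"] += len(bucket)
            entry["targets"] |= targets
    return {k: {"flows": v["flows"], "targets": sorted(v["targets"])}
            for k, v in alerts.items()}

def sample_flows():
    """Constructed sample traffic (private and documentation address ranges):
    an internal host sweeping RDP across 9 neighbours, an external host
    guessing SSH passwords on one server, and one benign long SSH session."""
    flows = []
    for i in range(1, 10):                      # RDP sweep: 9 targets x 5 tries
        for k in range(5):
            flows.append(Flow(1000 + k, "10.0.0.229", f"10.0.0.{i}", 3389, 6, 6, 480))
    for k in range(200):                        # SSH guessing: 200 tiny flows
        flows.append(Flow(2000 + k, "203.0.113.23", "10.0.0.134", 22, 6, 4, 300))
    flows.append(Flow(3000, "10.0.0.50", "10.0.0.134", 22, 6, 5000, 900_000))
    return flows

if __name__ == "__main__":
    for (src, service), info in detect_password_guessing(sample_flows()).items():
        print(f"{service} password guessing from {src}: "
              f"{info['flows']} flows, targets {info['targets']}")
```

The two conditions are deliberately OR-ed: the SSH guesser trips the flow-count rule against a single server, while the RDP sweep would trip the distinct-target rule even with far fewer attempts per host, which is what distinguishes the intranet lateral movement of slide 6 from an admin who simply logs in a lot.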
7 Exclusive technology: RDP Attacks-1

On 2012/06/04, our RDP attack detection function detected a hacker using 222.133.38.22 (Src IP) trying to compromise 140.XXX.101.4 (Dst IP).

Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft, which provides a user with a graphical interface to another computer. Clients exist for most versions of Microsoft Windows (including Windows Mobile), Linux, Unix, Mac OS X, Android, and other modern operating systems.

8 RDP Attacks-2

Trace of the source IP of the RDP attack: 222.133.38.22 (Source IP) is from China. All Flowviewer FM-800A series units can look up an IP address using Geotool and whois web sites.

9 SSH Password Guess Attacks Report

Many attacks come in through SSH; the Flowviewer system can detect them and automatically send ACLs (Access Control List Entries) to the Core Switch (Layer 3) to prevent the attacks. The slide shows a list of Possible SSH Attacks: on 2013/08/23 the FM-800A detected and blocked the IP 203.125.203.23, which used an SSH password guess attack to compromise a certain university's IP.

10 Real Case

Hackers compromised an intranet IP by SSH password guessing and then implanted Trojans on September 12th, 2010. Three days later, the hackers attacked an external IP with UDP Flood Attacks from the intranet IPs that had been implanted with the Trojans.

11 Example of an SSH Attack

The IP 218.29.100.122 tried to attack TANet between September 9th and 12th. The targets were National Sun Yat-sen University, National Chung Cheng University and the Ministry of Education Computer Center. There were as many as 160,000 individual attacks during this period. The hackers (218.29.100.122) tried to invade one university IP, 140.XXX.XXX.134 (Server), and another university's Server Farm on September 11th & 12th, and successfully invaded the servers of both universities. Using the same method, hackers can invade the networks of commercial companies and gain access to confidential information.
For example, customer credit card details.

12 Successful detection of SSH intrusion attempts-1

Hackers (218.29.100.122) try to invade the XXX University IP 140.XXX.XXX.134 (Server) on September 11th.
Hackers (218.29.100.122) try to invade the YYY University Server Farm on September 11th.

13 Successful detection of SSH intrusion attempts-2

Hackers (218.29.100.122) try to invade the XXX University IP 140.XXX.XXX.134 (Server) on September 12th.
Hackers (218.29.100.122) try to invade the YYY University Server Farm on September 12th.

14 Successful hacker attack: September 12th. UDP Flood Attacks begin September 15th

Why do hackers try to implant Trojan horse programs on servers via SSH? Take the IP 218.29.100.122 as an example. On 9/12 the TANet intrusion finishes, but it then starts to attack the IP 93.114.111.187 (which belongs to an ISP based in Romania) by UDP Flood attack. Although we do not know why hackers carry out these attacks, they used IP 218.29.100.122 (Server) to intrude on 140.XXX.XXX.134 (Server); its purpose was to attack the ISP in Romania by UDP Flood attack. The following description is a real case.

15 Real Case: UDP Flood Attack on September 15th

Example: XXX University has a server which was implanted with Trojan horse programs and launched a UDP Flood Attack against a foreign IP. 218.29.100.122 invaded 140.XXX.XXX.134, which then attacked the Romanian ISP (IP: 93.114.111.187) via UDP Flood Attack on September 15th. As shown on the slide, the time duration was 2010-09-15 11:57:59 --> 2010-09-15 12:00:23. There is only 1.63 GB of network traffic but the number of packets transmitted is as high as 22,464,848, so we know it is indeed a UDP Flood Attack event. Within 5 minutes, the Flowviewer was able to detect the UDP Flood attack, send an e-mail to notify administrators and write ACL commands to the Core Switch to block the attack.
16 Defense Methods

The FM-800A collects real-time IP network traffic and analyzes it to identify unusual or suspicious behavior, rather than matching predefined signatures. The system therefore does not depend on the names of the attacks, which means network administrators do not have to waste time researching the names of hacker attacks.

1. UDP Flood Attacks: generate a large volume of traffic, fake UDP packets, aimed at a particular IP, weakening the intranet so it cannot work normally. This IP can be an HTTP file server, web server, DNS server and so on.
2. DOS Attacks: generate a large number of sessions (flows), fake TCP packets, aimed at a particular IP, weakening the intranet so it cannot work normally. This IP can be an HTTP file server, web server, DNS server and so on.

The FM-800A automatically blocks UDP Flood attacks and DOS attacks.

17 UDP Flood Attack (DNS Amplification Attack) Attacks National XXX University -1

On November 29, 2010, an internal IP of a central national university was attacked by three foreign IPs, 212.59.6.158 (Lithuania), 202.104.151.201 (China) and 124.127.117.86 (China), via UDP Flood Attack. This attack caused the entire campus network to shut down.

18 UDP Flood Attack (DNS Amplification Attack) Attacks National XXX University -2

Highlighted on the slide are the flows with which 212.59.6.158 attacked 140.XXX.XXX.131. The time duration is 2010-11-29 06:41:53 --> 2010-11-29 06:46:12. It produced 23,566,887 packets in 5 minutes; the graph clearly shows that the Flowviewer can accurately and automatically detect the UDP Flood Attacks from 140.XXX.XXX.131. From the report we can identify that the hacker attacked the target via port 53, so it is a DNS Amplification Attack.

19 Detection of UDP Flood Attack Event

After detecting the UDP Flood Attack, the Flowviewer sends a notification e-mail to administrators and writes ACL commands to the Core Switch to block the attacking IP.
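Slide 16 gives the two flow-level signatures the deck relies on: a UDP flood is a large volume of small fake UDP packets aimed at one IP, and a DOS attack is a very large number of sessions (flows) aimed at one IP, while slides 15 and 18 show why packet count matters more than byte count (22,464,848 packets for only 1.63 GB). The Python below is an added example written for this page, not CureLan's or the FM-800A's code: it aggregates constructed NetFlow-like records per source/destination pair, applies both heuristics, and renders the resulting block as Cisco IOS extended-ACL lines of the kind an automatic blocker would push to a core switch, skipping any white-listed source. The record layout, the rate and size cut-offs, the addresses and the ACL number are all assumptions.

```python
from typing import NamedTuple

class Flow(NamedTuple):
    """Constructed NetFlow-like record; the layout is an assumption."""
    ts: int       # flow start, epoch seconds
    src: str
    dst: str
    proto: int    # 6 = TCP, 17 = UDP
    packets: int
    nbytes: int

def summarize(flows):
    """Aggregate per (src, dst, proto): flow count, packets, bytes, time span."""
    agg = {}
    for f in flows:
        s = agg.setdefault((f.src, f.dst, f.proto),
                           {"flows": 0, "packets": 0, "nbytes": 0,
                            "first": f.ts, "last": f.ts})
        s["flows"] += 1
        s["packets"] += f.packets
        s["nbytes"] += f.nbytes
        s["first"] = min(s["first"], f.ts)
        s["last"] = max(s["last"], f.ts)
    return agg

def classify(agg, pps_limit=50_000, small_pkt=128, flow_limit=100_000):
    """UDP flood: a sustained high packet rate of tiny UDP packets, i.e. the
    packet count is out of proportion to the byte count. DOS relay: a huge
    number of sessions toward one destination, whatever the protocol."""
    findings = []
    for (src, dst, proto), s in agg.items():
        span = s["last"] - s["first"] + 1          # seconds covered, at least 1
        pps = s["packets"] / span
        avg_size = s["nbytes"] / s["packets"]
        if proto == 17 and pps >= pps_limit and avg_size <= small_pkt:
            findings.append(("udp_flood", src, dst, round(pps), round(avg_size)))
        elif s["flows"] >= flow_limit:
            findings.append(("dos_relay", src, dst, s["flows"], s["nbytes"]))
    return findings

def acl_lines(findings, whitelist=frozenset(), acl_no=199):
    """Cisco IOS extended-ACL deny lines for every offending source; sources on
    the white list are left alone so a trusted host is never auto-blocked."""
    lines = {f"access-list {acl_no} deny ip host {src} any"
             for _, src, *_ in findings if src not in whitelist}
    return sorted(lines)

def sample_flows():
    """Constructed sample: a relay host flooding a foreign IP with 78-byte UDP
    packets for 144 s, a second host opening 120,000 sessions to one target,
    and ordinary web traffic that must not be flagged."""
    flows = [Flow(t, "10.0.0.134", "198.51.100.187", 17, 156_000, 156_000 * 78)
             for t in range(144)]
    flows += [Flow(t // 1000, "10.0.0.174", "203.0.113.140", 6, 1, 60)
              for t in range(120_000)]
    flows += [Flow(t, "10.0.0.5", "203.0.113.8", 6, 1_500, 1_200_000)
              for t in range(10)]
    return flows

if __name__ == "__main__":
    findings = classify(summarize(sample_flows()))
    for finding in findings:
        print(finding)
    print("\n".join(acl_lines(findings)))
```

The flood check keys on average packet size as well as rate because a legitimate bulk transfer (a backup, a video stream) can also reach a high packet rate but with near-MTU packets; the DOS-relay check ignores size entirely and counts sessions, matching the slide-21 case of 53 million flows.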
From the time duration and the correlation between packet count and traffic volume, we can identify that it is a UDP flood attack.

20 NTP reflection attacks (UDP Flood Attacks)

The hacker relays through 140.XXX.XXX.2 to attack 192.99.18.64 via port 123; this is an NTP reflection attack.

21 Detection of DOS Attack Event

The Flowviewer can detect DOS attacks and notify the administrator by e-mail. It can also block the IP automatically by itself. Here 140.XXX.XXX.174 is used as a DOS relay source to attack 113.107.174.140. The flows (sessions) reach 53,706,960 and the traffic was 105.44 GB. Such an attack causes internal network performance to fall sharply and can even cause the entire internal network to shut down, so a DOS relay IP is not just a problem for a single user but for the entire network.

22 Comparison Chart between FM-800A, IPS and Spyware

Installation Type
- Flowviewer FM-800A: In-line / Listen
- IPS: In-line
- Spyware: Each PC

Default Type
- Flowviewer FM-800A: When the intranet is being attacked, hacker attacks and intrusion are detected using network behavior anomaly detection (NBAD) technology and can be blocked not just by the Flowviewer; it can also use ACL commands to the L3 Core Switch to block the attacking IP. Uses NBAD to automatically find and block the attack by writing an ACL to the core switch or on the FM-800A itself.
- IPS: IPS equipment uses feature codes (patterns) to detect hacker attacks and intrusion. Feature code (pattern) updates are slow, leaving systems vulnerable to attack. There is also a high error rate in the threshold setting function if the threshold value is set too low. Only focuses on "Intranet to Internet"; cannot find an attack from the intranet.
- Spyware: Pattern. It can only work by pattern; if the pattern updates too fast or the worm is unknown, then it is useless.
23 Comparison Chart between FM-800A, IPS and Spyware (continued)

Flow, IP, Port Traffic Quota Search and Report
- Flowviewer FM-800A: Internet to Intranet, Intranet to Internet, Intranet to Intranet
- IPS: Only focuses on "Inter to Intra" and sometimes "Intra to Inter"
- Spyware: X

IP/Port Search at any time
- Flowviewer FM-800A: Can focus on the times of Source IP, Destination IP, Protocol, Destination Port and flow direction
- IPS: X
- Spyware: X

P2P Types
- Flowviewer FM-800A: 9 types including 11 programs (even if those programs update, we can still find and block them)
- IPS: Uses patterns for defense. If the P2P programs update, the IPs can't be blocked successfully.
- Spyware: X

Processor Speed
- Flowviewer FM-800A: 6 seconds (30 Mbps ~ 3 Gbps)
- IPS: > 20 minutes (30 Mbps)
- Spyware: X

24 The Blind Spot of IPS Equipment

IPS equipment uses a feature code (pattern) scheme together with a threshold setting function to identify external-network hacker attacks by their signatures and then block the hacker. However, a hacker who gets into an internal-network computer through P2P, apps, Spear Phishing or other methods can then use the implanted Trojan zombie computers on the internal network to bypass IPS detection, because IPS is designed to block external attacks only.

IPS equipment uses feature codes (patterns) to detect hacker attacks and intrusion. Feature code (pattern) updates are slow, and the threshold setting function has a very high error rate. Like the US companies Arbor Networks, Mazu Networks and Lancope, the Flowviewer device uses NBAD (Network Behavior Anomaly Detection) technology with synchronization and does not use feature codes (patterns), so it does not suffer from slow updates or the very high false positive rate of the threshold function.

25 DNS Amplification Attack-1

26 DNS Amplification Attack-2

As shown on the slide, when a hacker slipped a Trojan onto PC4, the hacker changed the source IP of the query packet to target A, the IP the hacker is attacking. The fake IP asks the Local DNS for domain name data, but the DNS Server does not have that data.
Therefore the DNS Server asks the Public DNS for the data. When the domain name data is transferred back to the DNS Server, the DNS Server transfers it on to the fake IP. However, that IP is a Public IP on the Internet and is not on the Intranet, so the domain name data which the Local DNS asked for is transferred to the Internet Public IP. Because PC4 has been slipped the Trojan, PC4 continuously asks the Local DNS for domain name data, and the Local DNS continuously transfers the data to the Internet Public IP. This method of attack is called a DNS Amplification Attack.

27 DNS Amplification Attack-3

Here we can see how hackers used huge numbers of sessions (flows) to paralyze a website or a server. This example illustrates how our FM-800A can detect and stop network attacks. On Oct. 11th, 2013, a hacker used a Ukrainian IP, 80.91.160.129 (source IP), to generate a huge number of sessions (flows) to paralyze port 53 of the DNS server at Wu Feng University. The method of attack was to use a session (flow) on every single port service. As shown on the slide, there were 9,436 sessions (flows).

28 Zoom In: 9,436 Sessions (Flows) report

A UDP connection is a connection that does not include sessions (flows); that is why hackers use packets of only 69 bytes on every single port service, as shown on the slide. The FM-800A receives Netflow data, and Netflow records every single port service as a session (flow).

29 DNS Amplification Attack-4

According to the analysis data above, we made a chart to show how hackers used a huge number of UDP connections to paralyze port 53 of the DNS server. This chart shows the UDP connection flows per second; at the 37th second there is a maximum of 206 UDP connections.

30 DNS Attacks: How to avoid firewall detection

The following are real cases showing that firewall DoS Protection (threshold function) cannot protect the IP from attacks by hackers.
We set up an IP UDP connection (sessions/packets) threshold of 300 UDP packets per second, so that the firewall would then block this IP. However, in this case there are only 206 UDP packets per second, which means the attack cannot be detected by the firewall. When setting firewall thresholds, it is not effective to block an IP for just 300 UDP packets per second. Hackers always want to bypass the firewall, and that includes changing the attack pattern every 2 or 3 days. In this case, NBAD (Network Behavior Anomaly Detection) is the best and most effective way to keep networks secure and free from outside attacks.

31 Real-time Query of Dynamic Traffic

The query can be adjusted at any time to analyze an individual IP address and show all of the destination IPs it has contacted. This function can identify the details of any potential crime and be used as evidence later on. The figure on the slide shows the source IP (120.XXX.XXX.39) and lists the destination IPs it contacted on May 20, 2014 from 12:30 to 13:30. The destination IP is the IP address of the website or server. An IP in blue means it was accessed via port 80 and an IP in green represents those not using port 80.

32 FM-800A Configuration: Inline Mode

33 Automatically Prevent Hacker Intrusion and Attack in Inline Mode

Even in the event of a combined hardware and system failure, the Flowviewer, utilizing auto-bypass mode, will not have any adverse effect on network connections or stability. The Flowviewer FM-800A device provides automatic blocking of hacker intrusions and attacks: automatic blocking of external IPs (when hackers try to intrude on the internal network via the Internet), and automatic writing of ACL commands to the Core Switch to block attacks from intranet to intranet.
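Slides 27 to 30 make the deck's central argument against static thresholds: the Wu Feng University DNS server received 9,436 UDP sessions of 69 bytes, each on a different source port, peaking at 206 per second, which stays under a firewall DoS-protection threshold of 300 packets per second and so never triggers it, whereas a behaviour baseline for that particular server would flag every one of those seconds. The Python below is an added example written for this page, not CureLan's or the FM-800A's code: it rebuilds the per-second flow series from constructed NetFlow-like records and runs both decision rules side by side. The record layout, the attacker and server addresses, the per-second rates and the quiet-hour baseline are assumptions.

```python
from collections import Counter
from statistics import mean, pstdev
from typing import NamedTuple

class Flow(NamedTuple):
    """Constructed NetFlow-like record; the layout is an assumption."""
    ts: int
    src: str
    dst: str
    sport: int
    dport: int
    proto: int   # 17 = UDP
    packets: int
    nbytes: int

def flows_per_second(flows, dst, dport=53):
    """Count UDP flows per second toward one service. NetFlow records each
    distinct source port as its own session, so a 69-byte probe sent from a
    new port every time yields one flow per probe."""
    counts = Counter(f.ts for f in flows
                     if f.dst == dst and f.dport == dport and f.proto == 17)
    if not counts:
        return []
    lo, hi = min(counts), max(counts)
    return [counts.get(t, 0) for t in range(lo, hi + 1)]

def static_threshold_alerts(series, limit=300):
    """Firewall-style DoS protection: alert only when a second exceeds a fixed limit."""
    return [i for i, v in enumerate(series) if v > limit]

def baseline_alerts(series, baseline, k=6.0, min_margin=20):
    """NBAD-style rule: alert when a second exceeds what is normal for this host,
    taken as the learned mean plus k standard deviations (plus a small absolute
    margin so a near-constant baseline does not become hypersensitive)."""
    mu, sd = mean(baseline), pstdev(baseline)
    cutoff = max(mu + k * sd, mu + min_margin)
    return [i for i, v in enumerate(series) if v > cutoff]

def normal_baseline():
    """Constructed per-second query counts for the server during a quiet hour."""
    return [4 + (i % 5) for i in range(300)]

def sample_flows():
    """Constructed attack: 60 seconds of single-packet, 69-byte UDP flows to the
    DNS port from one source, 150 per second with a spike of 206 at second 37."""
    flows = []
    for t in range(60):
        for j in range(206 if t == 37 else 150):
            sport = 1024 + (t * 300 + j) % 60_000     # a fresh source port per probe
            flows.append(Flow(t, "198.51.100.129", "10.0.0.53", sport, 53, 17, 1, 69))
    return flows

if __name__ == "__main__":
    series = flows_per_second(sample_flows(), "10.0.0.53")
    print("peak", max(series), "flows/s at second", series.index(max(series)))
    print("firewall threshold alerts:", static_threshold_alerts(series))
    print("baseline alerts:", len(baseline_alerts(series, normal_baseline())),
          "of", len(series), "seconds")
```

The point of the comparison is that the static rule's false negatives and false positives are both set by one number chosen in advance, while the baseline rule moves with each host: a busy public resolver and a quiet departmental DNS server get different cut-offs from the same code, which is the "does not need the threshold function" claim of slide 24 in concrete form.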
34 Flowviewer FM-800A Can Block Automatically

The Flowviewer FM-800A can automatically stop SSH Password Guess Attacks, RDP Password Guess Attacks, UDP Flood Attacks and DOS Attacks by sending ACLs (Access Control List Entries) to the Core Switch (Layer 3). The supported switch vendors include Cisco, Foundry, Alcatel and Extreme, etc.

35 Traffic Quota Function

36 Introduction of Traffic Quota Control

On campus, this function may be used to control network traffic in the dorms. For government or enterprise, the function can be set to limit network traffic. Network limits can therefore be set at different levels for different network groups depending on their requirements. When a user's quota is exceeded, the quota manager can: (1) Block the user's IP address; (2) Apply a bandwidth limit (rate limit). The system allows the administrator to choose either bandwidth limit or block IP for different groups at the same time, and avoids buying more bandwidth as the way to solve network traffic problems.

37 Traffic Monitor Function Introduction

Traffic Monitor can monitor real-time traffic, including total up/down/bidirectional traffic, current up/down/bidirectional speed and peak up/down/bidirectional speed.

38 Forced Disconnection Function

When managers find an IP improperly using network resources or performing malicious acts (such as taking another user's IP address), they can block this IP manually.

39 Traffic Analysis of Individual Units on the Internal Network

A unit IP group can be defined and used to display the network traffic usage of this IP group as a pie chart. This can be used to identify network problems by showing each unit's individual flow analysis.
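Slide 36 describes quota control as a per-group policy: each group (a dorm network, a department) has its own quota, and when a user's IP exceeds it the quota manager either blocks the IP or rate-limits it, with different groups allowed different actions at the same time; slide 1 adds that the quota covers both IPv4 and IPv6. The Python below is an added example written for this page, not the FM-800A's configuration or code: it attributes the up and down bytes of constructed flow records to managed IPv4 and IPv6 addresses and then applies the group's action. The group table, prefixes, quotas and rate are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed group policy: network -> quota and the action once it is exceeded.
# The FM-800A's own configuration format is not known here; this is an assumption.
GROUPS = {
    "dorm":    {"network": ipaddress.ip_network("10.1.0.0/16"),
                "quota_bytes": 2 * 10**9, "action": "rate_limit", "limit_kbps": 512},
    "dorm_v6": {"network": ipaddress.ip_network("2001:db8:1::/48"),
                "quota_bytes": 2 * 10**9, "action": "rate_limit", "limit_kbps": 512},
    "staff":   {"network": ipaddress.ip_network("10.2.0.0/16"),
                "quota_bytes": 10 * 10**9, "action": "block"},
}

def group_of(ip):
    """Name of the managed group an address belongs to, or None for unmanaged hosts."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, g in GROUPS.items() if addr in g["network"]), None)

def account(flows):
    """Per managed IP, bytes it sent (up) and received (down).
    flows are (src, dst, nbytes) tuples; unmanaged endpoints are ignored."""
    usage = defaultdict(lambda: {"up": 0, "down": 0})
    for src, dst, nbytes in flows:
        if group_of(src):
            usage[src]["up"] += nbytes
        if group_of(dst):
            usage[dst]["down"] += nbytes
    return dict(usage)

def enforce(usage):
    """Decide, for every IP over its group's quota, between blocking the
    address and rate-limiting it to the group's configured bandwidth."""
    actions = {}
    for ip, u in usage.items():
        policy = GROUPS[group_of(ip)]
        if u["up"] + u["down"] > policy["quota_bytes"]:
            if policy["action"] == "block":
                actions[ip] = ("block", None)
            else:
                actions[ip] = ("rate_limit", policy["limit_kbps"])
    return actions

def sample_flows():
    """Constructed traffic: a dorm host and an IPv6 dorm host over quota, a staff
    host over quota, a dorm host within quota, and one flow nobody manages."""
    return [
        ("203.0.113.5", "10.1.5.7", 2_600_000_000),             # dorm download
        ("10.2.0.9", "203.0.113.5", 11_000_000_000),            # staff upload
        ("203.0.113.5", "10.1.5.8", 500_000_000),               # within quota
        ("2001:db8:1::10", "2001:db8:ffff::1", 1_500_000_000),  # IPv6 dorm upload
        ("2001:db8:ffff::1", "2001:db8:1::10", 600_000_000),    # IPv6 dorm download
        ("198.51.100.1", "198.51.100.2", 9_000_000_000),        # neither side managed
    ]

if __name__ == "__main__":
    usage = account(sample_flows())
    for ip, action in enforce(usage).items():
        print(ip, usage[ip], "->", action)
```

Keeping up and down bytes separate costs nothing and is what the slide-37 traffic monitor reports anyway; the quota decision sums them, but a per-direction breakdown is what tells an administrator whether an over-quota host is a downloader or a server nobody knew about.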
40 P2P function

The Flowviewer system can use P2P patterns to filter P2P traffic such as: BitTorrent; AppleJuice; WinMX; SoulSeek; Ares, AresLite; Gnutella; Foxy; eDonkey, eMule, Kademlia; KaZaA, FastTrack; Direct Connect; Xunlei, Thunder; PPStream, QQLive, feidian, POCO, QVOD; SIP (VoIP).
P2P white list: an IP or subnet can be added to the P2P white list and will never be blocked from using P2P applications.

41 P2P White List

An IP or subnet can be added to the P2P white list and will never be blocked from using P2P applications.

42 Worm IP Blocking Function

The system provides an ACL (Access Control List) blocking function. The Flowviewer can block by itself, and can also notify the administrator while blocking IPs. White-list IPs that bypass the blocking function can also be set. The feature works with the following Layer 3 switches: Cisco, Foundry, Alcatel, H3C and Extreme.

43 Built-in standard features and functionality differences by model

Feature: FM-200A/AS / FM-800A
- Peer-to-peer (P2P) filter: Yes / Yes
- P2P Report: Yes / Yes
- Quota Management function and current traffic monitor: Yes / Yes
- Netflow or sFlow traffic report: Yes / Yes
- Worm detection (NBAD): Yes / Yes
- Automatic block of infected IPs from L3 Switch by ACL: Yes / Yes
- Port Scan and SSH Password Guess Attacks Report: No / Yes
- RDP Attack Report: No / Yes
- Automatic block of Port Scan and SSH Password Guess Attacks: No / Yes
- Automatic block of RDP Attacks: No / Yes
- UDP Flood Attacks and DOS Attacks Detection Report: No / Yes
- Automatic block of UDP Flood Attacks and DOS Attacks: No / Yes
- Public Report (Hyperlinks): Yes / Yes

44 Telecoms Solutions

Most telecoms companies provide an IDC (Internet Data Center), and the IDC service provides customer websites with the ability to detect DDoS (Distributed Denial of Service) attacks. Detecting UDP Flood Attacks therefore becomes the most important function.
The Flowviewer FM-800A has the ability to accurately detect hacker IPs and send ACLs (Access Control List Entries) to the Core Switch (Layer 3), which cuts off UDP Flood Attacks and prevents IDC (Internet Data Center) customer websites or business application servers from being paralyzed.

45 UDP Flood Attacks: a real world example

The slide shows an example of the Flowviewer FM-800A successfully detecting an attack from an external IP (140.xxx.xxx.183) on a university in Taiwan. Using a Flowviewer FM-800A, a telecoms company can protect an IDC (Internet Data Center) client from hacker attacks.

46 Conclusion

No single device can detect all hacker attacks, but our device can detect most types of hacker attacks. There is no solution for P2P and Spear Phishing, but our device has a way to deal with these problems using our RDP detection functionality. The Flowviewer FM-800A is the only system on the market with this exclusive functionality.

47 Our reference sites

Important Customer: National Center for High-Performance Computing
- Main Service: Cross-Campus WLAN Roaming Mechanism.
- Our product, Flowviewer, uses the netflow traffic report feature to trace IPs controlled by a botnet and notify the administrators in charge of those IP addresses.
School: National Chung Hsing University (NCHU); National Kaohsiung Marine University; National Pingtung University of Science & Technology; I-Shou University; Chinese Culture University; National University of Tainan; National Taichung University; National Changhua University of Education; WuFeng University; Nanya Institute of Technology; Ling Tung University; National Taichung Nursing College
Military: Chung Cheng Armed Forces Preparatory School; National Defense University; R.O.C. Military Academy
Government: Kaohsiung City Government; Taitung County Government; Financial Supervisory Commission, Financial Examination Bureau
Other: Show Chwan Memorial Hospital, Mega International Commercial Bank, Fist

48 Customers

49 Performance and Function

Flowviewer Model: FM-800A
- Form Factor: 2U
- Attack Mitigation / Performance: MRTG MAX ~2 Gbps; up to 6 million concurrent unidirectional application sessions over an IP network
- Functions: Quota Management function and current traffic monitor; Peer-to-Peer filter and P2P Report; Netflow or sFlow traffic report; worm detection (NBAD); automatic ACL block of infected IPs; SSH and RDP Password Guess Attacks Report; UDP Flood Attacks Report; DOS Relay Attack Report; automatic block of Worm, Port Scan, SSH and RDP Password Guess, UDP Flood Attack and DOS Attack
- Inline Mode NIC (Hardware & Software): 2 Port 10/100/1000 BaseT; 2 Port 1000 Base-SX Bypass

50 Demo site for Flowviewer FM-800A device

http://140.130.102.146
Account: guest
Password: 1234

51 Contact us

Office: 15F-1, No. 255, Jiuru 2nd Rd., Sanmin District, Kaohsiung City 807, Taiwan (R.O.C.)
TEL: +886-7-311-5186
FAX: +886-7-311-5178
Email: blue@curelan.com, aria@curelan.com
Website: www.curelan.com