
LAN Security 2008
Detect a Data Plane DoS
Author: 现任明教教主 (Security CCIE#)

Introducing NetFlow

You can use NetFlow in a wide range of routers and on some high-end switches, such as the Catalyst 6500, Cisco 7600, Catalyst 4500 with Sup V, and, with the help of a daughter card, Catalyst 4500 with Sup IV.

An IP flow is the unidirectional packet stream between a given source and a given destination, and it is characterized by a specific set of parameters. Traditionally, an IP flow is based on a set of five and up to seven IP packet attributes.

IP packet attributes used by NetFlow

IP source address. Mandatory attribute; the IP source address of the packets in the flow.
IP destination address. Mandatory attribute; the IP destination address of the packets in the flow.
Source port. Mandatory attribute; the Layer 4 source port, such as a User Datagram Protocol (UDP) port or TCP port, if any.
Destination port. Mandatory attribute; the Layer 4 destination port, such as a UDP or TCP port, if any.
Layer 3 protocol type. Mandatory attribute; the value of the Protocol field in the IP header, such as 6 for UDP.
Type of service. Optional attribute; the value of the type of service (ToS) byte in the IP header.
Router or switch interface. Optional attribute; the identifier of the interface or subinterface, such as a VLAN, on which this flow is received. It is identical to the Simple Network Management Protocol (SNMP) interface index.

All packets with the same source/destination IP address, source/destination ports, protocol, interface, and ToS are grouped into a flow, and then the packet and byte totals and other parameters of the flow are collected (like the IP next-hop router). The set of five attributes that uniquely identifies a flow is called a flow mask, and the attributes are called keys because they uniquely identify a flow.

Flow masks on Catalyst switches

Full. The five attributes: source IP address, destination IP address, protocol, and protocol ports.
Source only. A less specific flow mask. Statistics for all flows from a given source IP address aggregate into a single flow.
Destination only. A less specific flow mask. Statistics for all flows to a given destination IP address aggregate into a single flow.
Full interface. The most specific flow mask. Adds the source VLAN interface identifier to the information in the full flow mask.

NetFlow versions

Version 1. The basic five mandatory parameters and two optional parameters.
Version 5. Builds on Version 1 by adding BGP AS information and flow sequence numbers.
Version 7. Adds NetFlow support for Cisco Catalyst 5000 Series switches equipped with a NetFlow Feature Card. This version also introduced
Version 8. Its main function is the aggregation of multiple flows that share the same parameters; the main purpose is to reduce the volume of exported data. (Version 8 is basically the same as Version 5; the difference is that V8 does not collect as much information as V5 and aggregates multiple flows into one flow.)
Version 9. A more flexible and more extensible standard NetFlow version (RFC 3954). It is also currently the only version that can run NetFlow for IPv6 addresses. Version 9 also adds some new information to flows, for example MPLS information.

[Table slides: Information Collected by Different NetFlow Versions, parts 1 to 3; table contents not present in this copy]

NetFlow architecture

NetFlow Exporter. The actual router or switch collecting the NetFlow data and exporting this data to the NetFlow collector.
NetFlow Collector. An aggregation and consolidation point as well as persistent storage.
NetFlow Application. An application using the collected NetFlow data to display network utilization, generate billing information, or detect DoS or worm activities.

Enable NetFlow

Catalyst 6500:
IOS(config)# mls netflow
IOS(config)# mls flow ip interface-full
IOS(config)# mls flow ipv6 interface-full
IOS(config)# mls nde sender version 7
IOS(config)# ip flow-export source vlan 1
IOS(config)# ip flow-export destination 00 200

Router:
ip flow-export source FastEthernet0/1
ip flow-export version 9
ip flow-export destination 5 2055
interface FastEthernet0/1
 ip flow ingress
 ip route-cache flow

Checking NetFlow status from the CLI

NetFlow as a Security Tool

A DoS attack. Where many flows are being sent to one destination IP address and probably one destination Layer 4 port, such as SYN flooding.
An active worm. Propagates in your network by aggressively scanning your network; this causes many flows to numerous destination IP addresses, but always to the same Layer 4 port. (For example, the Sasser worm always attacked port TCP 445.)

A worm example

With show ip cache flow you can recognize the characteristics of a worm:
Pr=6 (protocol number 6, meaning TCP)
DstP=0087 (destination port 0x0087, that is, port 135)

NetFlow Applications: MARS

Securing Networks with RMON

Remote Monitoring (RMON) is a specific SNMP Management Information Base (MIB) for remote monitoring and management of network equipment. The MIB is standardized at the IETF as RFC 2021 and RFC 2819. It transforms every RMON-capable network device into a remote protocol analyzer. Different pieces of information can be collected:

Host. Related to each host discovered in the network by keeping MAC addresses captured in promiscuous mode.
Matrix. Used for conversations between sets of two addresses.
Upper-layer protocol. Some RMON implementations understand IP, IPv6, UDP, TCP, and can collect information about hosts and conversations for those protocols.
Packet capture. An RMON device can even capture packets to allow for remote sniffing.

The Cisco Network Analysis Module (NAM) is an implementation of RMON available for the Catalyst 6500. SPAN must be configured to direct traffic into the NAM module:

IOS(config)# monitor session 1 source vlan 1 both
IOS(config)# monitor session 1 destination analysis-module 3

SPAN
NAM Detects a High Volume of SMB Traffic
NAM Capture Function for a SYN Flooding
NAM Decode Function for an HTTP Packet

Other Techniques to Detect Active Worms (Sink Hole)

When no worm is in the network, existing hosts (clients and servers) exchange all IP packets; therefore, all packets have a valid destination IP address (that is, one existing in the routing tables). They always reach their destination. Hence, the sink-hole router never gets any traffic. When a worm is alive on some infected hosts, it tries to propagate itself by generating random IP addresses and by trying to connect to those random addresses to infect more machines. When the worm connects to a valid address (that is, an address existing in the routers' routing tables), the IP packets are actually forwarded to their destination. But,
