Flow-based Worm Detection
Two of the main flow formats widely available are sFlow, from InMon, and NetFlow, from Cisco. Juniper devices often create cFlow, which is compatible with Cisco NetFlow. Flow-based methods provide an advantage over packet capture in several areas:
- You leave collection and flow construction up to your existing infrastructure. It's already instrumented and pervasive (if you've deployed capable hardware).
- It's far more abstract than full packet captures since it's summaries of connections.
- You can infer topology information.
While people have often relied on hardware to create their flow records, you can also sniff traffic to generate them. Have a look at the list by Simon Leinen, who maintains a page with links to other NetFlow implementations, including libpcap-based capture sources.
Peter Phaal posted a recipe describing how you can detect the Slammer worm using sFlow and basic capture and analysis techniques based on the InMon sflowTools distribution. It turns out that sFlow can report on the payload of the packets, not just the headers.
Worm detection using NetFlow is easily done using the flow-tools software, originally from OSU. Paul Dokas posted a Perl script to detect scanners, which is a simple way to detect active worm hosts. The current software distribution of flow-tools includes flow-dscan, which detects scanners based on flow input. There is also a set of examples which includes basic techniques to detect the presence of a worm on port 3127 by looking for scanners on port 3127:
touch dscan.suppress.src dscan.suppress.dst
flow-cat /flows/R | flow-filter -P3127 | flow-dscan -b
And finally, Ray Burkholder posted a flow-tools configuration to detect SQLSlammer using nfilter, with the implicit assumption that no hosts should be sending traffic on UDP port 1434, the network service attacked by the SQLSlammer worm.
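To make the two detection ideas above concrete, here is an added example (not code from the original post, and not part of flow-tools or nfilter) that applies both to a small set of constructed flow records. The records are laid out in a flow-print-like text form that I made up for the example, not real flow-tools output. The first function mirrors the spirit of flow-dscan: a source that touches at least a threshold number of distinct destination hosts on one port within a time window is reported as a scanner, and the suppress lists play the role of dscan.suppress.src and dscan.suppress.dst. The second function mirrors the nfilter rule for SQLSlammer: any UDP flow to port 1434 is reported, on the assumption that no host should be sending such traffic at all. The window, threshold and sample addresses are assumptions for the example.

```python
from collections import Counter, defaultdict, namedtuple

Flow = namedtuple("Flow", "start proto src dst dport pkts")

# Constructed sample records in a flow-print-like layout (not real flow-tools output):
# start time in seconds, IP protocol (6 = TCP, 17 = UDP), src, dst, dst port, packets.
SAMPLE_FLOW_LINES = """\
# start proto src        dst         dport pkts
100     6     10.0.0.5   10.0.1.1    3127  1
101     6     10.0.0.5   10.0.1.2    3127  1
101     6     10.0.0.5   10.0.1.3    3127  1
102     6     10.0.0.5   10.0.1.4    3127  1
103     6     10.0.0.5   10.0.1.5    3127  1
100     6     10.0.0.9   10.0.2.10   80    40
105     6     10.0.0.9   10.0.2.11   80    12
110     17    10.0.0.7   192.0.2.77  1434  1
111     17    10.0.0.7   192.0.2.78  1434  1
120     6     10.0.0.99  10.0.3.1    3127  1
120     6     10.0.0.99  10.0.3.2    3127  1
121     6     10.0.0.99  10.0.3.3    3127  1
121     6     10.0.0.99  10.0.3.4    3127  1
122     6     10.0.0.99  10.0.3.5    3127  1
200     6     10.0.0.12  10.0.4.1    3127  1
230     6     10.0.0.12  10.0.4.2    3127  1
260     6     10.0.0.12  10.0.4.3    3127  1
290     6     10.0.0.12  10.0.4.4    3127  1
320     6     10.0.0.12  10.0.4.5    3127  1
"""


def parse_flows(text):
    """Parse the constructed text layout above into Flow tuples; '#' lines are comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        start, proto, src, dst, dport, pkts = line.split()
        flows.append(Flow(int(start), int(proto), src, dst, int(dport), int(pkts)))
    return flows


def find_scanners(flows, port, window, threshold, suppress_src=(), suppress_dst=()):
    """flow-dscan-style check (simplified, assumed behaviour): report each source that
    reached >= `threshold` distinct destination hosts on `port` within any span of
    `window` seconds. Returns {src: set of all destinations it touched on that port}."""
    per_src = defaultdict(list)
    for f in flows:
        if f.dport != port or f.src in suppress_src or f.dst in suppress_dst:
            continue
        per_src[f.src].append((f.start, f.dst))

    scanners = {}
    for src, events in per_src.items():
        events.sort()                 # order by start time for the sliding window
        in_window = Counter()         # distinct destinations currently inside the window
        left = 0
        for t, dst in events:
            in_window[dst] += 1
            # Drop events that fell out of the window ending at time t.
            while events[left][0] < t - window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= threshold:
                scanners[src] = {d for _, d in events}
                break
    return scanners


def find_policy_violations(flows, proto=17, port=1434):
    """nfilter-style rule: every flow to UDP/1434 is reported, because the policy
    assumes no host has a legitimate reason to send that traffic."""
    return [(f.src, f.dst) for f in flows if f.proto == proto and f.dport == port]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOW_LINES)
    # 10.0.0.99 stands in for a sanctioned scanner listed in dscan.suppress.src.
    for src, dsts in find_scanners(flows, port=3127, window=10, threshold=5,
                                   suppress_src={"10.0.0.99"}).items():
        print(f"scanner {src}: {len(dsts)} hosts on tcp/3127")
    for src, dst in find_policy_violations(flows):
        print(f"policy violation: {src} -> {dst} udp/1434")
```

Note that 10.0.0.12 also reaches five hosts on port 3127, but spread over two minutes, so the 10-second window does not flag it; that is the trade-off the window size controls, and it is one reason the post recommends correlating scanner hits with other evidence before declaring a worm.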
All in all, flow-based worm detection is possible and relatively easy, although you'll want to do some second-order analysis to correlate scanner activity before calling it a worm. When coupled with other techniques like dark IP monitoring using NetFlow or sFlow, you can reduce the false positive rate and improve your accuracy and utility.
December 27, 2004 in tools