Available Languages: English
Flow Analytic Algorithms look for specific traffic patterns and send alerts. Thresholds can be set per algorithm.
The above gadget scrut_nba.cgi should be added to MyView.
This algorithm goes out to an internet site every hour for a list of known hosts that end systems on the network should not be communicating with. The minimum threshold that can be set is 1. Only Internet routers should be included with this algorithm. Some threats that could appear include:
A collection of computers is useless without some control mechanism. The Command and Control, or C&C, constitutes the interface between the botnet and the herder. The herder commands the C&C, and the C&C commands the bots.
Traditionally, botnets have been controlled using Internet Relay Chat (IRC). IRC is a pseudo communications standard and is easy to modify. Bot software is designed to connect the infected host to an IRC server and accept commands from a control channel.
Herders have the option to utilize existing chat services and networks, or implement their own control servers by compromising a host and installing an IRC daemon. Herders do not directly communicate with the bots; rather, they must communicate with the C&C server to issue commands. Although this offers a substantial level of protection if the C&C server is privately owned and operated, herders may utilize TOR as an additional safeguard should the C&C be seized and investigated.
IRC has the disadvantage that chatroom traffic is transmitted in cleartext, which means that spying on botnet traffic is relatively easy should one utilize a packet sniffer such as Wireshark. Recently there has been an emergence of new encryption techniques that mask the herders' commands. Also, a significant number of botnets make use of HTTP to implement the C&C. Being a stateless protocol, it does not allow the herders to send commands to the drones in real time; the bot has to check for new commands periodically. The advantage of HTTP is that it is usually not blocked on firewalls and sniffing the communication will not reveal any information about other drones on the network. Source: www.shadowserver.org
This is a message that comes back from the router to the requesting host stating that it doesn't have a route to the destination network of the target host. The default threshold is 100 and the minimum that can be set is 20. We recommend excluding all internet routers from this algorithm.
This is a message that comes back from the destination server stating that it will not open communication on the specified port requested by the host. The default threshold is 100 and the minimum that can be set is 20. We recommend excluding all internet routers from this algorithm.
Any multicast traffic that exceeds the threshold that isn't excluded will violate this algorithm. The default threshold is 1,000,000 and the minimum that can be set is 100,000. We recommend only including backbone routers with this algorithm.
This algorithm determines the top conversations across all included flow-sending switches and routers. It sets up the data for the Top Conversations gadget; topconv.html should be added to MyView. Include all routers with this algorithm. If it is taking too long, exclude a few routers.
RST/ACK packets are connection denials that come back from destinations to the originating hosts. This alarm can be caused by network scanning. The default threshold is 100 and the minimum that can be set is 20. Print servers can cause false positives with this algorithm and often need to be excluded. Also, we recommend excluding all internet routers from this algorithm.
SYN packets are sent out in an attempt to make a network connection with a target host. This alarm can be caused by network scanning. The default threshold is 100 and the minimum that can be set is 20. We recommend excluding all internet routers from this algorithm.
P2P (includes BitTorrent) connections are monitored by this algorithm. The default threshold is 100 and the minimum that can be set is 100. We recommend excluding all internet routers from this algorithm.
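The threshold algorithms above (the hourly known-host list check, the ICMP network and port unreachable counts, and the RST/ACK and SYN counts) all share one shape: only flows from the routers included in the algorithm are examined, each matching flow is counted against an end host, hosts on an exclusion list are skipped, and an alarm fires once the count reaches the threshold, which cannot be configured below the per-algorithm minimum. The following is an added example, not Scrutinizer's own code: a small Python model of that shape run over constructed NetFlow-like records. The Flow record layout, the function names, the 203.0.113.44 "known bad" address and the rule that an alarm fires when the count is greater than or equal to the threshold are all assumptions of this example. The multicast and P2P algorithms are left out because the page does not say what unit their thresholds count or how P2P is classified.

```python
# Added example (not Scrutinizer/Plixer code): threshold-style flow checks with
# per-algorithm include lists, host exclusions and minimum thresholds.
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Set

SYN, RST, ACK = 0x02, 0x04, 0x10      # TCP flag bits
ICMP, TCP = 1, 6                      # IP protocol numbers


@dataclass(frozen=True)
class Flow:
    """Assumed minimal flow record; real NetFlow/sFlow exports carry more fields."""
    exporter: str          # router or switch that exported this record
    src: str
    dst: str
    proto: int
    tcp_flags: int = 0
    icmp_type: int = -1
    icmp_code: int = -1


@dataclass
class Algorithm:
    name: str
    default: int                          # default threshold as stated on the page
    minimum: int                          # lowest threshold the page allows
    matches: Callable[[Flow], bool]       # is this flow evidence for the algorithm?
    attribute_to: Callable[[Flow], str]   # which end host the evidence counts against
    exporters: Set[str]                   # "included" routers; all others are ignored
    threshold: Optional[int] = None       # operator-configured value, if any

    def effective_threshold(self) -> int:
        # A configured threshold below the allowed minimum is raised to the minimum.
        wanted = self.default if self.threshold is None else self.threshold
        return max(wanted, self.minimum)


def run_algorithm(alg: Algorithm, flows: Iterable[Flow],
                  excluded_hosts: Set[str] = frozenset()) -> Dict[str, int]:
    """Return {host: evidence_count} for hosts that reached the threshold."""
    counts: Counter = Counter()
    for f in flows:
        if f.exporter not in alg.exporters:   # only included exporters feed the check
            continue
        if not alg.matches(f):
            continue
        host = alg.attribute_to(f)
        if host in excluded_hosts:            # e.g. a print server on the RST/ACK check
            continue
        counts[host] += 1
    limit = alg.effective_threshold()
    # Assumption: the alarm fires when the count reaches the threshold (>=), so a
    # threshold of 1 alarms on the first match with a listed host.
    return {h: n for h, n in counts.items() if n >= limit}


def known_bad_hosts(bad_list: Set[str], internet_routers: Set[str]) -> Algorithm:
    # Page: only Internet routers included; minimum threshold 1. bad_list stands in
    # for the hourly downloaded list (constructed here, not a real feed).
    return Algorithm("known_bad_hosts", default=1, minimum=1,
                     matches=lambda f: f.src in bad_list or f.dst in bad_list,
                     attribute_to=lambda f: f.dst if f.src in bad_list else f.src,
                     exporters=internet_routers)


def icmp_unreachable(name: str, code: int, exporters: Set[str],
                     threshold: Optional[int] = None) -> Algorithm:
    # ICMP type 3: code 0 = network unreachable, code 3 = port unreachable.
    # The reply's destination is the host that originally asked, so count it there.
    return Algorithm(name, default=100, minimum=20,
                     matches=lambda f: f.proto == ICMP and f.icmp_type == 3 and f.icmp_code == code,
                     attribute_to=lambda f: f.dst, exporters=exporters, threshold=threshold)


def rst_ack(exporters: Set[str], threshold: Optional[int] = None) -> Algorithm:
    # Connection denials flow back to the originating host (the flow's destination).
    return Algorithm("rst_ack", default=100, minimum=20,
                     matches=lambda f: f.proto == TCP and f.tcp_flags & (RST | ACK) == (RST | ACK),
                     attribute_to=lambda f: f.dst, exporters=exporters, threshold=threshold)


def syn_scan(exporters: Set[str], threshold: Optional[int] = None) -> Algorithm:
    # SYN without ACK: the sender is the one attempting connections.
    return Algorithm("syn", default=100, minimum=20,
                     matches=lambda f: f.proto == TCP and f.tcp_flags & (SYN | ACK) == SYN,
                     attribute_to=lambda f: f.src, exporters=exporters, threshold=threshold)


def build_sample_flows() -> List[Flow]:
    """Constructed sample records (not captured traffic)."""
    flows: List[Flow] = []
    for i in range(25):   # one internal host sending SYN-only flows to 25 targets
        flows.append(Flow("core1", "10.0.0.5", f"10.0.1.{i}", TCP, tcp_flags=SYN))
    for i in range(30):   # RST/ACK denials returning to a print server
        flows.append(Flow("core1", f"10.0.2.{i}", "10.0.0.9", TCP, tcp_flags=RST | ACK))
    for i in range(5):    # a few port-unreachable replies to a workstation
        flows.append(Flow("core1", f"10.0.3.{i}", "10.0.0.7", ICMP, icmp_type=3, icmp_code=3))
    # One exchange with a listed host, seen only by the internet router.
    flows.append(Flow("edge1", "10.0.0.12", "203.0.113.44", TCP, tcp_flags=SYN))
    flows.append(Flow("edge1", "203.0.113.44", "10.0.0.12", TCP, tcp_flags=SYN | ACK))
    return flows


BAD_HOSTS = {"203.0.113.44"}   # constructed stand-in for the downloaded host list
CORE = {"core1"}               # included for the ICMP/TCP checks; internet router excluded
EDGE = {"edge1"}               # the only exporter the known-host check should see


def demo() -> Dict[str, Dict[str, int]]:
    flows = build_sample_flows()
    return {
        "syn": run_algorithm(syn_scan(CORE, threshold=20), flows),
        "rst_ack": run_algorithm(rst_ack(CORE, threshold=20), flows, excluded_hosts={"10.0.0.9"}),
        # threshold=5 is below the minimum of 20, so 5 replies do not alarm
        "port_unreach": run_algorithm(icmp_unreachable("icmp_port_unreachable", 3, CORE, threshold=5), flows),
        "known_bad": run_algorithm(known_bad_hosts(BAD_HOSTS, EDGE), flows),
    }


if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, hits or "no alarm")
```

Running the script shows the SYN check alarming on 10.0.0.5, the RST/ACK check staying quiet because the print server is excluded, the port-unreachable check staying quiet because its threshold was clamped up to 20, and the known-host check alarming on 10.0.0.12 after a single exchange with the listed address.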
This algorithm creates the content for the Network Volume gadget. The gadget scrut_volume.cgi should be added to MyView. We recommend including only core routers in this algorithm.
Algorithms can watch for nearly any traffic pattern using NetFlow/sFlow data. Algorithms can be developed which alarm for:
The time to run can be altered per algorithm. Some algorithms need more time to run than others, either due to the behavior of the search and/or the volume of the routers / switches included in the algorithm.
Details on other NBA algorithms that have recently been added and that FA will alarm for:
If you would like to add an algorithm contact us.