Session 2 Security Monitoring

Session 2Security Monitoring

Identify

Device Status

Traffic Analysis

Routing Protocol Status

Configuration & Log

Classification

Identifying an Attack

Identification Tools

Network Benchmark Parameter

Device Status

CPU

Memory

Temperature

CPU Load

Abnormal CPU Load

Abnormal CPU Load

Identifying an Attack through CPU Load



Temperature

Traffic Analysis

Technology (Netflow & Sniffer)

Layer 3 or 4 based

Application based

Netflow Detect & Affirm

Use Netflow

Detect DoS

Example

Layer 3 or 4 TOP N

IP address based

Protocol based

Port based

Packet Size based

AS based

Index

overview

Normalin/NormaloutSpoofin/SpoofoutBandwidth 、 PPS and Packet Size

Traffic Statistics Picture• According to bandwidth bandwidth 、 packet size and PPS• According to direction normalin/normalout spoofin/spoofout• According to time 4 hours ， 2 days ， 1 week ， 2 months• max ， min ， average ， now

Traffic Statistics Picture (overview)

Traffic Statistics

IP TOP 20

• Order by source/destination address

• Order by source destination peer

• Order by bandwidth and PPS

Traffic Analyse (TOP20)

Traffic Analyse (TOP20)

Packet size TOP20

Order by bandwidth 、 PPS

Port Distribution TOP20

• Order by sour/dest port summary

• Order by sour/dest port direction

• Order by bandwidth and pps

Port distribution TOP20

Protocol statistic TOP20

• According to protocol normalin 、 normalout 、 spoofin and spoofout

• Order by bandwidth and pps

Protocol Statistic TOP20

Protocol Picture• According to bandwidth and pps • According to type TCP UDP ICMP

• According to time 4hours ， 2day ， 1week ， 2month

• Max, min, average, now

Protocol (TCP UDP ICMP) Statistics Overview

Protocol (TCP UDP ICMP) Statistics

AS Statistic TOP20

• According to directionnormalin 、 normalout 、 spoofin and spoofout

• According to bandwidth and pps

AS Statistic TOP20

Abnormal Traffic Query System

Abnormal Traffic Query System

Routing Protocol Status

Route Entries

Routing Protocol Stability

Route Monitoring

Routing (BGP summary)

Routing Monitoring

BGP Statistics

BGP Monitoring (TEIN2-NORTH)

BGP Monitoring (TEIN2-SOUTH)

BGP Monitoring (TEIN2-JP)

AS Path Entries

Community Entries

IPv4 Prefix

IPv6 Prefix

Route Flapping Top 20No. PREFIX AS Oscillation

1 195.251.96.0/24 5408 3400

2 156.148.0.0/16 137 2829

3 195.251.98.0/23 5408 2714

4 195.251.0.0/23 5408 2301

5 193.194.64.0/19 3208 1952

6 195.251.104.0/24 5408 1895

7 194.177.196.0/24 3323 1528

8 84.205.64.0/24 12654 1417

9 84.205.65.0/24 12654 1266

10 84.205.77.0/24 12654 1250

11 84.205.67.0/24 12654 1147

12 84.205.76.0/24 12654 1134

13 84.205.78.0/24 12654 1074

14 84.205.75.0/24 12654 1025

15 84.205.69.0/24 12654 1008

16 84.205.74.0/24 12654 998

17 195.60.236.0/22 39154 941

18 84.205.71.0/24 12654 940

19 193.124.160.0/21 5402 922

20 193.124.208.0/20 3335 874

No. AS Oscillation

1 680 46486

2 786 38707

3 5408 36036

4 2018 31828

5 137 21231

6 4621 17600

7 1103 17268

8 559 17071

9 12654 13666

10 2200 13621

11 5387 12209

12 2614 10461

13 1659 10013

14 766 9504

15 237 7633

16 668 7213

17 5501 6840

18 553 6190

19 2561 6062

20 2422 6026

http://202.179.242.4/bgp-cgi/route_query.cgi?%70%72%6F%74%6F%63%6F%6C%3D%49%50%56%34%26%73%74%61%72%74%3D%32%30%30%36%2D%36%2D%36%20%31%34%3A%34%34%3A%31%33%26%65%6E%64%3D%32%30%30%36%2D%37%2D%36%20%31%34%3A%34%34%3A%31%33%26%61%73%3D%31%33%37%26%70%72%65%66%69%78%3D%26%6C%69%6E%65%73%3D%34%30%26%6D%65%72%67%65%72%3D%6E%6F%6E%65%26%74%79%70%65%3D%41%4C%4C%26%70%61%67%65%3D%31

http://202.179.242.4/bgp-cgi/route_query.cgi?%70%72%6F%74%6F%63%6F%6C%3D%49%50%56%34%26%73%74%61%72%74%3D%32%30%30%36%2D%36%2D%36%20%31%34%3A%34%34%3A%31%33%26%65%6E%64%3D%32%30%30%36%2D%37%2D%36%20%31%34%3A%34%34%3A%31%33%26%61%73%3D%34%36%32%31%26%70%72%65%66%69%78%3D%26%6C%69%6E%65%73%3D%34%30%26%6D%65%72%67%65%72%3D%6E%6F%6E%65%26%74%79%70%65%3D%41%4C%4C%26%70%61%67%65%3D%31



http://202.179.242.4/bgp-cgi/route_query.cgi?%70%72%6F%74%6F%63%6F%6C%3D%49%50%56%34%26%73%74%61%72%74%3D%32%30%30%36%2D%36%2D%36%20%31%34%3A%34%34%3A%31%33%26%65%6E%64%3D%32%30%30%36%2D%37%2D%36%20%31%34%3A%34%34%3A%31%33%26%61%73%3D%31%32%36%35%34%26%70%72%65%66%69%78%3D%26%6C%69%6E%65%73%3D%34%30%26%6D%65%72%67%65%72%3D%6E%6F%6E%65%26%74%79%70%65%3D%41%4C%4C%26%70%61%67%65%3D%31












IPv6 Route Flapping Top 10

No. PREFIX ASOscillat

ion

1 2001:4c00::/32 34695 673

2 2001:1a70::/32 12046 529

3 2001:1410::/32 25538 508

4 2001:4b58::/32 6802 443

5 2001:1b20::/32 8665 441

6 2001:a98::/32 8517 439

7 2001:720::/32 766 431

8 2001:4170::/32 13092 407

9 2001:778::/32 2847 392

10 2001:1a18::/32 3268 391

No. AS Oscillation

1 195 716

2 34695 673

3 559 610

4 12046 529

5 25538 508

6 6802 443

7 8665 441

8 8517 439

9 766 431

10 13092 407

AAA & Log Audit

Account

SYSLOG

Log audit tools

Configuring Syslog on a router

Configuration change notification and logging

Log skill

SNMP Authentication Failurevia SYSLOG

SNMP Authentication Failurevia SYSLOG

Classification Objectives

Classification ACLs

Classification and Traceback ACLs





Classification ACLs - Hints

Netflow Classification Technique

show ip cache flow

show ip cache verbose flow

Sink Hole – How to Classify?

Documents

Session 2 Security Monitoring