CURELAN TECHNOLOGY Co., LTDFlowviewer FM-800A CURELAN TECHNOLOGY Co., LTD www.CureLan.com
What happens when hackers breach the perimeter? • Hackers try to penetrate the security perimeter to steal the customer's private data of the bank or the national security secrets. It may endanger national security. • The military network of every country is a closed network. This means that it is independent and has no connection between it and the internet.There is a chance that someone has been nobbled and used some programs for intrusion and implanted the Trojans to steal the military secrets.
The Blind Spot of the IPS（Intrusion Prevention System) Equipment • IPS equipment uses a feature code (Pattern) to detect hacker attacks and intrusions. Hackers always want to bypass the detection of IPS. Therefore, they will change the attack pattern every 2 or 3 days. That is the reason why IPS equipments always in a passive position under attack. • After the successful hacking of the computer in the intranet, hackers can use the Trojans horse programs to intrude other hosts in the intranet. The victim computer may become a zombie computer and potentially part of a botnet. • The IPS equipments are deployed in line mode, but they cannot use the information of Netflow to analyze the data of all hosts in the intranet. Therefore, the IPS equipments can do nothing about the intrusion of intranet. • The IPS equipment uses the threshold function to prevent the DDOS attack, but there is a very high false positive rate problem with this function.
The Blind Spot of the IPS（Intrusion Prevention System) Equipment (cont.) • Hackers will use some port scanners to scan the devices on the internet. They can know which port is used by doing that. There is no use changing the port number to the port service. Sometimes, hackers can know the relationship between the port number and the port service. Once they know the association, they can use the vulnerabilities to implant Trojans to the computer. Finally, the computer will become a zombie computer. • Hackers can invade the network by using SSH (22 port) or RDP (3389 port) password guessing. After the intrusion succeeds, hacker can implant Trojans to the computer and make it become a zombie computer.
Introduce Product Major Functions • Netflow or sFlow traffic report. • Worm detection(NBAD). • Automatically block infected IPs from L3 Switch by ACL .(for Cisco, Foundry, Alcatel, Extreme) or Automatically block by Flowviewer. • Port Scan and SSH Password Guess Attacks Report. (NBAD) • RDP Password Guess Attacks Report. (NBAD) • List of Possible UDP Flood Attacks Report. (NBAD) • List of Possible DOS Attacks Report. (NBAD) • Port Scan and SSH Password Guess Detection and Blocking. Blocked by Flowviewer . • RDP Password Guess Detection and Blocking. Blocking method: Blocked by Flowviewer . • UDP Flood Attack Detection and Blocking. Blocking method: Apply ACL command to core switch. • DOS Attack Detection and Blocking. Blocking method: Apply ACL command to core switch. • DNS Attack Detection and Blocking. Blocking method: Apply ACL command to core switch. • NTP Attack Detection and Blocking. Blocking method: Apply ACL command to core switch.
Cyber-Intrusion V.S. Cyber-Attack Cyber-Attack Cyber-Intrusion • Like a robber • Use the amount of traffics and a number of sessions to paralyze the computer networks • Not afraid of being discovered because hackers may “borrow” these IP addresses • Like a thief • Use small packet traffic • Afraid of being discovered
Analysis of cyber-attack Cyber-Attack The Amount of Traffic A Number of Sessions Such attack usually uses a large number of sessions and leads the network devices overload because of the CPU resource is consumed. It uses a large number of UDP packets to consume the network bandwidth.
Network Behavior Anomaly Detection (NBAD) Detect & block attacks automatically NBADTechnology Flowviewer is 64 bit solution High Error Rate Version 2 ? TRUE ? FALSE ? Version 1 Picture provided by : free vector graphics
The Flowviewer FM-800A can receive Netflow and analyze the data provided by Netflow
The Flowviewer can automatically block the cyber-intrusions and the cyber-attacks UDP Flood Attack Port scan SSH Cyber-Attack (網路攻擊) Cyber-Intrusion (網路入侵) DOS Attack RDP DNS Attack Worm NTP Attack
The Flowviewer can be deployed in inline mode to prevent the cyber-intrusion and the cyber-attack
Automatically Prevent Hacker Intrusion and Attack in Inline Mode • Even in the event of a combined hardware and system failure, the Flowviewer, utilizing auto by-pass mode, will not have any adverse effect on network connections or stability. • The Flowviewer device provides automatic blocking of hacker intrusions and attacks. • The Flowviewer System can automatically block hackers attack by itself. (When hackers want to intrude on internal network via the Internet.) • The Flowviewer can automatically write ACL commands to the Core Switch to block attacks via intranet to intranet. • Flowviewer can automatically stop the SSH Password Guess Attacks, RDP Password Guess Attacks, UDP Flood Attacks, NTP Attacks, DNS Attacks and DOS Attacks , by sending ACLs (Access Control List Entries) to Core Switch (Layer 3). The target company includes Cisco, Foundry,Alcatel and Extreme etc.
The way of intrusion :intranet to intranet • After hacker implant Trojans, hacker will use this device to intrude or infect other devices on the intranet. As the left picture below, the four record shown that the IP address of 140.xxx.xxx.56 tried to intrude 7 IPs (140.xxx.xxx.66, 140.xxx.xxx.209, and so on) by RDP password guessing at the same time. • As the right picture below, the first record shown that the IP address of 140.xxx.xxx.171 tried to intrude 14 IPs (140.xxx.xxx.2, 140.xxx.xxx.3, and so on) on the intranet by RDP password guessing at the same time.
UDP Attack • Real case: UDP is a connectionless protocol, that means no session is set up for data transmission (Only TCP needs to set up the connection before transmission) . Hackers can create sessions by switching the port number. As seen below: hacker use an IP address 140.xxx.xxx.197 to attack an external IP. It may cause that the intranet to be paralyzed. If you have a Flowviewer, it can automatically detect and block the IP address. It can avoid the network to be paralyzed. • For example, the outages of the United Airlines flights and the New York Stock Exchange(NYSE) happened in one day. It may cause by using the internal IP addresses to relay attack the external IP addresses.
How can hackers pass the detection of IPS • The first case causes 40.72 GB network traffic and 2,390,917 sessions. In this case, the maximum of session per second is 743. The main purpose is to pass the IPS detection. • The threshold function of the IPS equipment can be used to prevent the DDOS attack. Usually, the default value will be set to 5000. In this case, hackers can pass the IPS detection because the maximum of session per second is 743.
Using mathematical formula to analyze the cyber-attack S: session Psrc n: source port number Pdst n: destination port number Tn: some time ∵ ∵
Real-time Query of Dynamic Traffic • The query can be adjusted at any time to analyze the individual IP address and show all of the destination IPs it has contacted. This function can identify the details of any potential crime and be used as evidence later on. • The following figure shows the source IP(120.XXX.XXX.39) and lists the destination IPs it contacted during May 20, 2014 from 12:30 to 13:30. The destination IP is the IP address of the website or server . The IP in blue means it was accessed via port 80 and the IP in green represents those not using port 80.
Conclusion • Hackers will use some port scanners to scan the devices on the internet. The range may be set from 0 to 65535 because they want to know which port is used. They will use the vulnerabilities to implant Trojans to the computer. The Flowviewer has the ability to detect the port scan. • The National Center for High-performance Computing found that hackers will use the specific program to invade the network through SSH (22 port) or RDP (3389 port) password guessing. The Flowviewer has the ability to detect these kinds of attack. • There are three kinds of intrusions that can not be guarded: 1. the spear phishing 2. the apps that downloaded by user 3. the vulnerabilities of the operating system Flowviewer's the second line of defense is designed to make the collateral damage down to the minimum. How does the Flowviewer do that?
Conclusion (cont.) • The Flowviewer has the ability to detect the UDP Flood Attack: • (A) If the hacker implants Trojans by the method which we just mentioned, a UDP flood attack can be initiated by sending a large number of UDP packets to the external IP addresses on the internal hosts. The network will be paralyzed because of the network bandwidth is consumed by the UDP packets. Therefore, this is not only your own business. For example, the outages of the United Airlines flights and the New York Stock Exchange(NYSE) happened in one day. The intranet networks were paralyzed. This may cause by using the internal IP addresses to relay attack the external IP addresses. • (B) when hacker initiate the UDP flood attack from the intranet, the Flowviewer can detect the attack. • As we mentioned previously, hackers will use amount of sessions (flows) to attack the target. As mentioned earlier, hacker will “borrow” the internal IP addresses to attack the external target; on other hand, the internal network may be attacked by a number of sessions (flows).The Flowviewer has the ability to detect the DOS attack.
Our reference sites • Important Customer: • National Center for High-Performance Computing • l Main Service : Cross-Campus WLAN Roaming Mechanism. • l Our Product–Flowivewer–use netflow traffic report feature to trace IPs that controlled by Botnet and notify the administrators who’s in charge of the IP address. • School: • National Chung Hsing University (NCHU) • National Kaohsiung Marine University • FuJen Catholic University • Tunghai University • National pingtung University of Science&Technology • I-Shou University ; Chinese culture University • National University of Tainan ; Nanya Institute of Technology • National Taichung University ; Ling Tung University • National Changhua University of Education • WuFeng University ; National Taichung Nursing College • Military: • Chung Cheng Armed Preparatory School • National Defense University • R.O.C Military Academy • Government: • Kaohsiung City Government • Taitung County Government • Financial Supervisory Commission, Financial Examination Bureau • Other: Show Chwan Memorial Hospital﹐Chi Mei Medical Center ﹐ Mega International Commercial Bank, Fist
Demo site for Flowviewer FM-800A device • http://18.104.22.168 • Account: curelan01 • Password: 123456789
Contact us Office：15F-1, No,255, Jiuru 2nd rd., Sanmin District, Kaohsiung City 807, Taiwan(R.O.C) TEL:+886-7-311-5186 FAX:+886-7-311-5178 Email: firstname.lastname@example.org Website : www.curelan.com