Open network environments are naturally prone to abuse by users sharing files through Peer-to-Peer (P2P) applications. This can be annoying when large amounts of bandwidth are consumed, and it can become a legal hassle if the files shared are copyrighted content such as music, movies, television shows, and software.
There are a number of P2P applications available, and they work hard to avoid detection and blocking. One behavior they all have in common is the need to connect to many other systems to participate in and sustain the sharing network. This behavior, regardless of P2P application, can easily be picked up by searching for hosts in your network that connect to many other unique hosts:
We notice several systems that contacted over 1,000 unique other systems in the past 3 hours. Let's grab one and filter on 10.2.3.127. By adding an application view, we quickly notice a large number of different UDP ports in use, which is often indicative of a P2P application:
Keep in mind that other applications (Skype, for example) may sometimes display similar traffic characteristics. For non-file-sharing applications, however, total traffic volumes are often much lower, and the number of unique hosts contacted is also smaller.
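As an added illustration of the two triage steps above (this is not FlowTraq's code or the page's own), here is the same heuristic run over constructed flow records in Python: first the fan-out count per source within a 3-hour window, then the spread of distinct UDP destination ports for a flagged host. The record layout, host addresses, and thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records (not captured data): (timestamp, src, dst, proto, dst_port, bytes).
NOW = datetime(2013, 6, 1, 12, 0, 0)
WINDOW = timedelta(hours=3)
SAMPLE_FLOWS = []

# Host fanning out to 1,200 distinct peers on 1,200 different UDP ports: the P2P pattern.
for i in range(1200):
    SAMPLE_FLOWS.append((NOW - timedelta(minutes=i % 170), "10.2.3.127",
                         f"172.16.{i // 256}.{i % 256}", "udp", 6881 + (i * 13) % 4000, 120))

# Ordinary client: many flows, but only 5 distinct peers, all TCP/443.
for i in range(300):
    SAMPLE_FLOWS.append((NOW - timedelta(minutes=i % 170), "10.2.3.50",
                         f"192.0.2.{i % 5 + 1}", "tcp", 443, 900))

# Host with heavy fan-out two days ago: outside the window, so it must not be flagged now.
for i in range(1500):
    SAMPLE_FLOWS.append((NOW - timedelta(days=2), "10.2.3.99",
                         f"198.51.{i // 256}.{i % 256}", "udp", 50000 + i % 1000, 100))


def peers_per_host(flows, now=NOW, window=WINDOW):
    """Map each source to the set of distinct destinations it contacted inside the window."""
    peers = defaultdict(set)
    for ts, src, dst, _proto, _dport, _nbytes in flows:
        if now - window <= ts <= now:
            peers[src].add(dst)
    return peers


def fanout_hosts(flows, threshold=1000, now=NOW, window=WINDOW):
    """Step 1: hosts that contacted more than `threshold` unique peers in the window."""
    return sorted(h for h, p in peers_per_host(flows, now, window).items() if len(p) > threshold)


def udp_port_profile(flows, host, now=NOW, window=WINDOW):
    """Step 2: distinct UDP destination ports one host used; a wide spread supports the P2P call."""
    return {dport for ts, src, _dst, proto, dport, _nbytes in flows
            if src == host and proto == "udp" and now - window <= ts <= now}


if __name__ == "__main__":
    for host in fanout_hosts(SAMPLE_FLOWS):
        ports = udp_port_profile(SAMPLE_FLOWS, host)
        print(f"{host}: {len(peers_per_host(SAMPLE_FLOWS)[host])} peers, {len(ports)} UDP ports")
```

A host that passes step 1 but uses only a handful of UDP ports deserves a second look before being called P2P, which is the caveat about Skype-like applications above.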