
FlowTraq Cloud: Getting Started

By Dr. John Murphy | July 9, 2013

Opening a FlowTraq Cloud window for the first time can be like walking into a big grocery store when you’re hungry: there’s a lot to see, and you know there’s something good here… but where to start? This post is intended as a springboard to help you find interesting traffic on your network. If you are a FlowTraq Cloud customer, the workspaces linked here all show your own data, which means that anything you see, you can immediately act on. It’s easy, it’s fast, and there’s a LOT to see.

Common High-Bandwidth Sites

Facebook is one of the most commonly visited sites on the web, both from people using it directly and from “like” buttons embedded in thousands of other websites. Similarly, many web browsing sessions start with a visit to a search engine such as Google, Yahoo! or Bing. NetFlix, YouTube, and Hulu are all popular video streaming sites. Large networks such as these operate many computers across a wide range of IP addresses, any one of which might service a particular request, and the set of addresses may change over time. To be reachable on the big Internet they identify themselves with Autonomous System Numbers (ASNs), and FlowTraq makes it easy to filter traffic by ASN.

Check out how much traffic you are shoveling for each of these sites, viewed by those IP addresses receiving the most data:

Bing (Microsoft): AS8075

Facebook: AS32934

Google: AS15169; also, less often, AS36040 and AS43515. (View all three together)

Hulu: AS23286

NetFlix: AS2906

Yahoo!: AS10310

YouTube: AS36561 (but may also appear at AS15169, via Google)

Security Threats

FlowTraq Cloud also helps you evaluate your security. Even long after the fact, FlowTraq’s history-long full-fidelity database gives you the data you need to identify attempts to compromise your network. When the media talks about hacking attempts from China or the newest malware, you don’t have to wonder if you’ve been hit: FlowTraq helps you find out.

Earlier this year, Mandiant published a brilliant report on phishing attempts that they traced to a series of IP addresses originating in China. We discussed their results and identified, from their report, sets of IP addresses worth looking for in your traffic over the last six months.

Check if any of your hosts have been involved with these attacks, successfully or not:

Traffic on FTP and Windows Remote Desktop ports, which may indicate attempts to use your network as a hop point.

HTTP / HTTPS traffic, whether HTRAN tunneling or outward connections.

If you see traffic on either of these workspaces, remember that you can inspect the individual sessions (Sessions for FTP/Windows Remote Desktop; Sessions for HTTP / HTTPS). Long-running sessions with many packets exchanged may be a danger sign.
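As an added example, not part of the original post or of FlowTraq's own tooling, the Python below applies both ideas from this post to a handful of constructed flow records: grouping bytes received from the ASNs listed above by the local hosts receiving the most data, and flagging long-running, packet-heavy sessions on FTP and Remote Desktop ports. The prefix-to-ASN table uses documentation (TEST-NET) ranges as placeholders rather than the networks' real announcements, and the duration and packet thresholds are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records (not real traffic), one tuple per flow in the
# style of a NetFlow export: src IP, dst IP, dst port, packets, bytes, seconds.
FLOWS = [
    ("198.51.100.10", "10.0.0.5", 443, 900, 1_200_000, 60),        # Facebook -> local
    ("198.51.100.11", "10.0.0.7", 443, 300, 400_000, 20),          # Facebook -> local
    ("198.51.100.200", "10.0.0.5", 443, 2500, 9_000_000, 300),     # Google -> local
    ("203.0.113.20", "10.0.0.9", 443, 40000, 1_500_000_000, 1800), # NetFlix -> local
    ("192.0.2.66", "10.0.0.5", 3389, 18000, 25_000_000, 14400),    # long RDP session
    ("192.0.2.66", "10.0.0.5", 21, 12, 900, 3),                    # brief FTP probe
    ("10.0.0.7", "192.0.2.80", 80, 20, 15_000, 2),                 # ordinary web fetch
]

# ASNs from the post, mapped to placeholder prefixes (documentation ranges),
# NOT the networks' real announcements; a real deployment uses a BGP/ASN feed.
ASN_PREFIXES = {
    "AS32934 Facebook": ip_network("198.51.100.0/25"),
    "AS15169 Google": ip_network("198.51.100.128/25"),
    "AS2906 NetFlix": ip_network("203.0.113.0/24"),
}

def asn_for(ip):
    """Return the ASN label whose prefix contains ip, or None if unknown."""
    addr = ip_address(ip)
    for label, net in ASN_PREFIXES.items():
        if addr in net:
            return label
    return None

def top_receivers_by_asn(flows):
    """Bytes each local host received from each ASN, largest receiver first."""
    totals = defaultdict(lambda: defaultdict(int))
    for src, dst, _port, _pkts, nbytes, _secs in flows:
        asn = asn_for(src)
        if asn:                      # only flows sourced from a listed ASN
            totals[asn][dst] += nbytes
    return {asn: sorted(hosts.items(), key=lambda kv: -kv[1])
            for asn, hosts in totals.items()}

def long_running_sessions(flows, ports=(21, 3389), min_secs=3600, min_pkts=1000):
    """FTP/RDP flows that ran long and exchanged many packets: the danger sign
    the post describes. Thresholds are assumed values; tune them per network."""
    return [f for f in flows
            if f[2] in ports and f[5] >= min_secs and f[3] >= min_pkts]

if __name__ == "__main__":
    for asn, hosts in top_receivers_by_asn(FLOWS).items():
        print(asn, hosts[0])         # top receiver per ASN
    print(long_running_sessions(FLOWS))
```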