PACKETEER - SHAPE YOUR NETWORK FOR BUSINESS
Solutions for Malicious Applications

Worms, Viruses, and Denial of Service Attacks

Worms, viruses, and Denial of Service (DoS) attacks such as MS Blaster, SQL Slammer, NIMDA, Code Red, and others have caused significant problems for both WAN and business performance -- from downtime and service degradation to lost revenue and productivity. Many enterprises have deployed Intrusion Detection and Prevention Systems at their Internet borders to stop attacks. Many have also deployed desktop virus scanning software to stop known attacks at the source. However, the key word is "known". Enterprises still experience problems with new attacks that don't have known signatures. These attacks can slip through employee, partner, or contractor laptops or through employees downloading infected files via Instant Messenger or peer-to-peer applications.

Packeteer can help contain and control these attacks to maintain network integrity and minimize business disruption. Many features built into Packeteer's Application Traffic Management system assist in finding and containing threats and exploits and maintaining business continuity during attacks. Specifically, Packeteer provides:

The Building Blocks
Early Identification

Link Level Analysis

The quickest and easiest way to see that an anomaly is occurring is by looking at the link level graphs for unusually high levels of:
Application Level Monitoring

When analyzing a defined class of traffic (application, server, or client), many of the same metrics and graphs used for link monitoring are available for specific types of traffic as well. The more granular application level issues will often be quite visible on a graph, whereas at a link level they may not be as obvious when mixed with normal traffic. The following example shows Packeteer's unique TCP Health reports that clearly illustrate an instance of a worm attack, in this case MS Blaster. The left graph shows the attack starting on a data center's MPLS link, where the number of TCP Initiations jumps from approximately 225,000 per two-hour period to more than 1,500,000. Additional confirmation that an attack is occurring can be seen by the large percentage of TCP Server Ignores, which were almost non-existent prior to the attack.

Identifying Specific Hosts

Monitoring the link and specific applications is good for discovering that an attack is occurring; however, to fix the source of the problem it is necessary to identify the infected hosts. Packeteer has the tools to quickly find infected hosts. The host database command lists total current connections, client connections, server connections, and failed connections. Infected machines normally feature spikes in both total and failed connections, meaning they will show up at the top of the list. Spotting problem machines is extremely fast and easy.

Once the suspicious hosts are identified, the next step is to determine what that host is doing. The traffic history command displays all of the other devices that host is trying to communicate with, and what protocol they are using. For example, this will clearly point out whether the host is scanning IP addresses for other potential hosts to infect, or directing a DoS attack on a specific host.
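The host-ranking and traffic-history reasoning described above can be reproduced on any flow export. The following is an added example, not Packeteer code or output: the flow records are constructed, and the function names and the three classification thresholds are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict

# Constructed flow records (src, dst, dst_port, completed); not data from the page.
FLOWS = (
    [("10.1.4.23", f"10.2.{i // 250}.{i % 250 + 1}", 135, False) for i in range(400)]
    + [("10.1.4.23", "10.1.0.5", 445, True)] * 3
    + [("10.1.7.80", "192.0.2.10", 80, i % 10 == 0) for i in range(300)]
    + [("10.1.2.11", "10.1.0.5", 443, True)] * 40
    + [("10.1.2.11", "10.1.0.9", 443, False)] * 2
)


def host_table(flows):
    """Per-source totals, failed connections and per-destination counts."""
    table = defaultdict(lambda: {"total": 0, "failed": 0, "peers": Counter()})
    for src, dst, _port, completed in flows:
        row = table[src]
        row["total"] += 1
        row["failed"] += 0 if completed else 1
        row["peers"][dst] += 1
    return table


def rank_hosts(flows):
    """Hosts ordered by failed, then total, connections (worst first)."""
    table = host_table(flows)
    return sorted(table, key=lambda h: (table[h]["failed"], table[h]["total"]), reverse=True)


def classify(flows, host, min_conns=100, fail_ratio=0.5, scan_peers=50):
    """Label a host's behaviour; the three thresholds are assumed values."""
    row = host_table(flows)[host]
    if row["total"] < min_conns or row["failed"] / row["total"] < fail_ratio:
        return "normal"
    if len(row["peers"]) >= scan_peers:
        return "scanning"  # many distinct destinations, mostly unanswered
    top_share = row["peers"].most_common(1)[0][1] / row["total"]
    return "single-target flood" if top_share >= 0.9 else "suspicious"


if __name__ == "__main__":
    for host in rank_hosts(FLOWS):
        row = host_table(FLOWS)[host]
        print(host, row["total"], row["failed"], len(row["peers"]), classify(FLOWS, host))
```

Hosts with many failed connections spread across many destinations sort to the top and are labelled as scanning, while a host with a high failure rate against one destination is labelled as a single-target flood.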
Proactive Alarms

In addition to using Packeteer's comprehensive reporting to identify attacks, Packeteer has the ability to proactively send an alert to an administrator and/or management application for any of the reported metrics, with 22 predefined events that make it easy to get started. All that is required is to set the threshold and rearm value for events of interest. When an event exceeds the predefined threshold value, the event is triggered and Packeteer automatically sends out notification via an email, SNMP trap, or SysLog when an attack is occurring. Without proactive monitoring, network engineers usually learn about attacks from users calling in to report a network slowdown, high router CPU utilization or an automated ping reporting a site is unavailable. By the time these reports come in it is too late to prevent a performance impact.

Threat and Exploit Containment

Once the protocol and hosts have been identified, Packeteer provides the tools to contain the attack. Depending on the nature of the attack, containment can be on an entire application/protocol or limited to the individual infected hosts. For example, if the attack is over an application or port not widely used in that organization, a simple policy can be applied to discard all traffic of that application or on that port. The trickier situation is when the attack uses an application that is prevalent in the enterprise. For example, NIMDA used HTTP, so it may not be practical to discard all HTTP traffic. In this case, a traffic class can easily be created to isolate the traffic associated with the infected hosts. Creating a class both collects more granular data and allows controls to be applied to just desired traffic. For even more granular data and analysis, traces can be taken with the Packet Capture feature for use with leading protocol analyzers.

Critical Application Protection

Finally, it is always important to protect business-critical applications. No matter how much planning and effort is put into preventing attacks, it is inevitable that security threats will find a way to enter the network. Even if an organization is prepared to react quickly when the next breach occurs, excess traffic that could impact application performance will be on the network. If mission-critical applications are protected, they will continue to function optimally, regardless of whether an exploit is flooding the network. Packeteer provides the patented technologies required to ensure that the most critical applications get the bandwidth they need first, leaving other traffic - including worms, viruses, and DoS attacks - to whatever bandwidth is left.
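The threshold and rearm pairing mentioned under Proactive Alarms can be sketched as a small state machine. This is an added example, not Packeteer's implementation: it assumes an event re-arms once its metric falls to or below the rearm value, and the event names, threshold values and per-period samples are constructed (the sample magnitudes follow the TCP Initiations figures quoted earlier).

```python
# Hypothetical event definitions: name -> (threshold, rearm value).
EVENTS = {
    "tcp_inits": (600_000, 300_000),    # TCP initiations per two-hour period
    "server_ignore_pct": (20.0, 5.0),   # percentage of TCP Server Ignores
}

# Constructed samples, one dict per two-hour period; not data from the page.
SAMPLES = [
    {"tcp_inits": 224_000, "server_ignore_pct": 0.4},
    {"tcp_inits": 226_000, "server_ignore_pct": 0.3},
    {"tcp_inits": 1_520_000, "server_ignore_pct": 38.0},
    {"tcp_inits": 1_610_000, "server_ignore_pct": 41.5},
    {"tcp_inits": 610_000, "server_ignore_pct": 12.0},
    {"tcp_inits": 1_550_000, "server_ignore_pct": 36.0},
    {"tcp_inits": 228_000, "server_ignore_pct": 0.5},
    {"tcp_inits": 1_530_000, "server_ignore_pct": 35.0},
]


def run_alarms(samples, events):
    """Return (period, event, state) transitions using threshold/rearm hysteresis."""
    for name, (threshold, rearm) in events.items():
        if rearm > threshold:
            raise ValueError(f"{name}: rearm value must not exceed threshold")
    armed = {name: True for name in events}
    transitions = []
    for period, sample in enumerate(samples):
        for name, (threshold, rearm) in events.items():
            value = sample[name]
            if armed[name] and value > threshold:
                armed[name] = False  # fire once, then stay quiet until re-armed
                transitions.append((period, name, "triggered"))
            elif not armed[name] and value <= rearm:
                armed[name] = True
                transitions.append((period, name, "rearmed"))
    return transitions


def naive_alert_count(samples, name, threshold):
    """Alerts sent if every over-threshold period notified (no rearm value)."""
    return sum(1 for s in samples if s[name] > threshold)


if __name__ == "__main__":
    for row in run_alarms(SAMPLES, EVENTS):
        print(row)
    print("without rearm:", naive_alert_count(SAMPLES, "tcp_inits", 600_000))
```

The gap between threshold and rearm keeps a metric that hovers near the threshold during an attack from generating a notification every period.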
| Copyright © Computrad (Europe) Limited - All Rights Reserved | Tuesday 7th Oct 2008 pm |





