Session 2: Security Monitoring. Agenda: Identifying an Attack; Device Status; Traffic Analysis; Routing Protocol Status; Configuration & Log; Classification
Identifying an Attack
Identification Tools
Network Benchmark Parameter
Device Status: CPU, Memory, Temperature
CPU Load
Abnormal CPU Load
Identifying an Attack through CPU Load
Temperature
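Worked example (added here; it is not part of the original session material): the "benchmark parameter" idea on the device-status slides, applied to CPU readings. A baseline is taken from a known-normal window of samples such as those read from "show processes cpu" or an SNMP poller, and later readings are flagged as abnormal only when they exceed the baseline by both a statistical margin and an absolute floor for more than one consecutive poll, so a single transient spike is not reported as an attack. The sample readings, window size and thresholds are constructed assumptions.

```python
import statistics

# Constructed sample: 5-minute CPU utilisation (%) readings as a poller might store them.
# The last three readings simulate the sudden, sustained jump that a flood of packets
# punted to the route processor produces.
CPU_SAMPLES = [12, 14, 13, 15, 11, 14, 13, 12, 16, 14, 13, 15, 88, 91, 94]


def baseline(samples):
    """Mean and population standard deviation of the benchmark (known-normal) window."""
    return statistics.fmean(samples), statistics.pstdev(samples)


def abnormal_indices(samples, window=12, sigma=3.0, floor=20.0, consecutive=2):
    """Return (threshold, indices) of readings after the benchmark window that are abnormal.

    A reading is over threshold when it exceeds the baseline mean by more than `sigma`
    standard deviations AND by at least `floor` percentage points; the floor stops a very
    flat baseline (tiny stdev) from alarming on a two-point wobble. Only the `consecutive`-th
    and later readings of an over-threshold run are reported, so one-off spikes (for
    example a 'show tech' run) are ignored while a sustained attack is not.
    """
    mean, stdev = baseline(samples[:window])
    threshold = max(mean + sigma * stdev, mean + floor)
    flagged, run = [], 0
    for i, value in enumerate(samples[window:], start=window):
        if value > threshold:
            run += 1
            if run >= consecutive:
                flagged.append(i)
        else:
            run = 0
    return threshold, flagged


if __name__ == "__main__":
    thr, idx = abnormal_indices(CPU_SAMPLES)
    print("threshold %.1f%%, abnormal readings at indices %s" % (thr, idx))
```

The same shape of check applies to memory and temperature; what changes is the benchmark window and how many consecutive polls are required before an alert is raised.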
Traffic Analysis Technology (Netflow & Sniffer): Layer 3 or 4 based; Application based
Netflow: Detect & Confirm
Use Netflow
Detect DoS
Example
Layer 3 or 4 TOP N: IP address based; Protocol based; Port based; Packet Size based; AS based
Index
Overview: normalin/normalout, spoofin/spoofout; bandwidth, PPS and packet size
Traffic Statistics Picture: by bandwidth (bandwidth, packet size and PPS); by direction (normalin/normalout, spoofin/spoofout); by time window (4 hours, 2 days, 1 week, 2 months) showing max, min, average and current value
Traffic Statistics Picture (overview)
Traffic Statistics
IP TOP 20: order by source/destination address; order by source-destination peer; order by bandwidth and PPS
Traffic Analyse (TOP20)
Packet size TOP 20: order by bandwidth, PPS
Port Distribution TOP 20: order by source/destination port summary; order by source/destination port and direction; order by bandwidth and PPS
Port distribution TOP20
Protocol statistic TOP 20: by protocol and direction (normalin, normalout, spoofin, spoofout); order by bandwidth and PPS
Protocol Statistic TOP20
Protocol Picture: by bandwidth and PPS; by type (TCP, UDP, ICMP); by time window (4 hours, 2 days, 1 week, 2 months) showing max, min, average and current value
Protocol (TCP UDP ICMP) Statistics Overview
Protocol (TCP UDP ICMP) Statistics
AS Statistic TOP 20: by direction (normalin, normalout, spoofin, spoofout); by bandwidth and PPS
AS Statistic TOP20
Abnormal Traffic Query System
Routing Protocol Status: Route Entries; Routing Protocol Stability
Route Monitoring
Routing (BGP summary)
Routing Monitoring
BGP Statistics
BGP Monitoring (TEIN2-NORTH)
BGP Monitoring (TEIN2-SOUTH)
BGP Monitoring (TEIN2-JP)
AS Path Entries
Community Entries
IPv4 Prefix
IPv6 Prefix
Route Flapping Top 20 (table columns: No., Prefix, AS, Oscillation; summary table: No., AS, Oscillation)
IPv6 Route Flapping Top 10 (table columns: No., Prefix, AS, Oscillation; summary table: No., AS, Oscillation)
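Worked example (added here; not part of the original slides) of how the two route-flapping tables above are produced: a list of BGP announce/withdraw events per prefix is reduced to an oscillation count, ranked, and then aggregated per origin AS. The events, prefixes and AS numbers are constructed; a real monitor would take them from a route collector or from BGP update logging on the border router. Counting starts after the first announcement, so a prefix that is announced once and stays up scores zero.

```python
from collections import Counter

# Constructed BGP update events: (seconds since start, prefix, origin AS, "A"nnounce/"W"ithdraw).
EVENTS = [
    (0,   "203.0.113.0/24",  64500, "A"),
    (30,  "203.0.113.0/24",  64500, "W"),
    (60,  "203.0.113.0/24",  64500, "A"),
    (90,  "203.0.113.0/24",  64500, "W"),
    (100, "198.51.100.0/24", 64501, "A"),
    (120, "203.0.113.0/24",  64500, "A"),
    (150, "192.0.2.0/24",    64500, "A"),
    (160, "192.0.2.0/24",    64500, "W"),
    (200, "2001:db8::/32",   64502, "A"),
    (230, "2001:db8::/32",   64502, "W"),
    (260, "2001:db8::/32",   64502, "A"),
]


def oscillations(events, window=None):
    """Count state changes per prefix within an optional (start, end) time window.

    Each event whose state differs from the prefix's previous state is one oscillation;
    the initial announcement is not counted. Returns (Counter of prefix -> count,
    dict of prefix -> last seen origin AS).
    """
    last_state, per_prefix, origin = {}, Counter(), {}
    for t, prefix, asn, ev in events:
        if window and not (window[0] <= t <= window[1]):
            continue
        origin[prefix] = asn
        prev = last_state.get(prefix)
        if prev is not None and prev != ev:
            per_prefix[prefix] += 1
        last_state[prefix] = ev
    return per_prefix, origin


def top_flapping(events, n=20, v6=False, window=None):
    """Build the two tables on the slides: (No., prefix, AS, oscillation) for the top-N
    flapping prefixes of one address family, and (No., AS, oscillation) summed per AS."""
    per_prefix, origin = oscillations(events, window)
    rows = [(p, origin[p], c) for p, c in per_prefix.items()
            if (":" in p) == v6 and c > 0]          # IPv6 prefixes contain ':'
    rows.sort(key=lambda r: (-r[2], r[0]))          # most oscillations first, then by prefix
    per_as = Counter()
    for _, asn, c in rows:
        per_as[asn] += c
    as_rows = sorted(per_as.items(), key=lambda r: (-r[1], r[0]))
    prefix_table = [(i + 1, *r) for i, r in enumerate(rows[:n])]
    as_table = [(i + 1, a, c) for i, (a, c) in enumerate(as_rows[:n])]
    return prefix_table, as_table


if __name__ == "__main__":
    for fam, v6 in (("IPv4", False), ("IPv6", True)):
        prefixes, ases = top_flapping(EVENTS, v6=v6)
        print(fam, "prefixes:", prefixes)
        print(fam, "per AS:   ", ases)
```

Ranking by raw oscillation count over a fixed window is what the tables show; a router's own dampening (Cisco "bgp dampening") uses a decaying penalty instead, so the two views can disagree about which prefix is currently the worst.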
AAA & Log Audit: Accounting; SYSLOG; Log audit tools
Configuring Syslog on a router
Configuration change notification and logging
Logging Techniques
SNMP Authentication Failure via SYSLOG
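Worked example (added here; not part of the original slides) for the syslog, configuration-change notification and SNMP authentication-failure slides: a small audit over router syslog lines that counts SNMP authentication failures per source host, lists the sources that exceed a threshold (repeated failures from one host usually mean community-string guessing), and extracts configuration sessions and the individual commands logged by IOS configuration logging. The sample lines are constructed; their message formats follow the IOS %SNMP-3-AUTHFAIL, %SYS-5-CONFIG_I and %PARSER-5-CFGLOG_LOGGEDCMD messages, which the router only emits to a collector when "logging host", "snmp-server enable traps snmp authentication" and "archive" / "log config" / "logging enable" / "notify syslog" are configured. Hosts, users and timestamps are made up.

```python
import re
from collections import Counter

# Constructed syslog lines as stored by a collector receiving from router 'rtr1'.
SYSLOG_LINES = """\
Mar 12 10:00:01 rtr1 101: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 192.0.2.45
Mar 12 10:00:02 rtr1 102: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 192.0.2.45
Mar 12 10:00:02 rtr1 103: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 192.0.2.45
Mar 12 10:00:09 rtr1 104: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 198.51.100.8
Mar 12 10:05:00 rtr1 105: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (203.0.113.10)
Mar 12 10:05:03 rtr1 106: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:no snmp-server community public RO
Mar 12 10:07:00 rtr1 107: %SYS-5-CONFIG_I: Configured from console by console
Mar 12 10:08:00 rtr1 108: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
"""

# "<timestamp> <host> <seq>: %FACILITY-SEVERITY-MNEMONIC: text"
LINE_RE = re.compile(r"^(\S+ +\d+ [\d:]+) (\S+) .*?%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+): (.*)$")


def parse_line(line):
    """Split one IOS-style syslog line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, facility, severity, mnemonic, text = m.groups()
    return {"ts": ts, "host": host, "facility": facility,
            "severity": int(severity), "mnemonic": mnemonic, "text": text}


def snmp_authfail_sources(lines):
    """Count SNMP authentication failures per source host."""
    counts = Counter()
    for rec in map(parse_line, lines.splitlines()):
        if rec and rec["facility"] == "SNMP" and rec["mnemonic"] == "AUTHFAIL":
            m = re.search(r"from host (\S+)", rec["text"])
            if m:
                counts[m.group(1)] += 1
    return counts


def suspicious_snmp_sources(lines, threshold=3):
    """Hosts with at least `threshold` failures, worst first (community-string guessing)."""
    return [h for h, c in snmp_authfail_sources(lines).most_common() if c >= threshold]


def config_changes(lines):
    """Return ("session", user, source-ip-or-None) for each config session and
    ("command", user, command) for each command recorded by configuration logging."""
    out = []
    for rec in map(parse_line, lines.splitlines()):
        if not rec:
            continue
        if rec["mnemonic"] == "CONFIG_I":
            m = re.search(r"by (\S+)(?: on (\S+) \(([^)]+)\))?", rec["text"])
            out.append(("session", m.group(1), m.group(3)))
        elif rec["mnemonic"] == "CFGLOG_LOGGEDCMD":
            m = re.search(r"User:(\S+)\s+logged command:(.*)", rec["text"])
            out.append(("command", m.group(1), m.group(2).strip()))
    return out


if __name__ == "__main__":
    print("SNMP auth failures:", dict(snmp_authfail_sources(SYSLOG_LINES)))
    print("suspicious:", suspicious_snmp_sources(SYSLOG_LINES))
    for change in config_changes(SYSLOG_LINES):
        print("config:", change)
```

The config-session record ties a change to a user and a source address; the command record says what was changed, which is the piece that plain "Configured from ..." messages cannot give you when reviewing an incident.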
Classification Objectives
Classification ACLs
Classification and Traceback ACLs
Classification ACLs - Hints
Netflow Classification Technique
show ip cache flow
show ip cache verbose flow
Sink Hole – How to Classify?
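Worked example (added here; not part of the original slides) that serves the Netflow DoS-detection and TOP N slides, the classification ACL slides, the "show ip cache flow" slides and the sinkhole classification question together. It parses a constructed excerpt of the IOS "show ip cache flow" flow table (the column layout and the hex protocol and port columns follow the IOS output; interfaces, addresses and packet counts are made up), then builds TOP N tables by destination address and by traffic class, picks out destinations that receive a high packet volume from several sources (the DoS signature), and classifies traffic arriving at a sinkhole-routed prefix by class and destination port. The traffic classes mirror the lines of a classification ACL (ICMP echo, other ICMP, UDP DNS, other UDP, TCP, other) so the counters match what "show access-list" would show for such an ACL.

```python
import ipaddress
from collections import Counter

# Constructed 'show ip cache flow' flow-table excerpt. Pr, SrcP and DstP are hexadecimal as in
# the IOS output; for ICMP, DstP carries type<<8|code (0800 = echo request). A flood from several
# sources towards 203.0.113.5 is mixed with normal web traffic and with scans that land in a
# sinkhole-routed prefix (192.0.2.0/24, routed to Null0).
SHOW_IP_CACHE_FLOW = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Gi0/0         198.51.100.7    Gi0/1         203.0.113.10    06 C2A1 0050    45
Gi0/0         198.51.100.21   Gi0/1         203.0.113.5     01 0000 0800  9800
Gi0/0         198.51.100.22   Gi0/1         203.0.113.5     01 0000 0800  9700
Gi0/0         198.51.100.23   Gi0/1         203.0.113.5     11 1F40 0035  8100
Gi0/0         198.51.100.24   Gi0/1         203.0.113.5     11 1F41 0035  8200
Gi0/1         203.0.113.10    Gi0/0         198.51.100.7    06 0050 C2A1    38
Gi0/0         198.51.100.30   Null0         192.0.2.77      06 D3F2 0016     3
Gi0/0         198.51.100.31   Null0         192.0.2.13      06 D3F3 0016     3
Gi0/0         198.51.100.31   Null0         192.0.2.200     11 E001 0035     1
"""


def parse_flows(text):
    """Parse the 8-column flow table into dicts with numeric protocol, ports and packet count."""
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or f[0] == "SrcIf":
            continue                      # skip header, the size-distribution block and blanks
        flows.append({"src_if": f[0], "src": f[1], "dst_if": f[2], "dst": f[3],
                      "proto": int(f[4], 16), "sport": int(f[5], 16),
                      "dport": int(f[6], 16), "pkts": int(f[7])})
    return flows


def classify(flow):
    """One class per line of a classification ACL: icmp echo / icmp other / udp dns / udp other / tcp / other."""
    p = flow["proto"]
    if p == 1:
        return "icmp-echo" if flow["dport"] >> 8 == 8 else "icmp-other"
    if p == 17:
        return "udp-dns" if flow["dport"] == 53 else "udp-other"
    if p == 6:
        return "tcp"
    return "other"


def top_n(flows, key, n=20):
    """TOP N table of packets grouped by `key(flow)` (destination address, class, port, ...)."""
    counts = Counter()
    for fl in flows:
        counts[key(fl)] += fl["pkts"]
    return counts.most_common(n)


def dos_candidates(flows, min_pkts=10000, min_sources=2):
    """Destinations receiving at least min_pkts packets from at least min_sources distinct sources."""
    pkts, sources = Counter(), {}
    for fl in flows:
        pkts[fl["dst"]] += fl["pkts"]
        sources.setdefault(fl["dst"], set()).add(fl["src"])
    return [(d, pkts[d], len(sources[d])) for d in pkts
            if pkts[d] >= min_pkts and len(sources[d]) >= min_sources]


def sinkhole_classes(flows, sinkhole="192.0.2.0/24"):
    """Flows whose destination falls in the sinkhole prefix, counted by class/destination port."""
    net = ipaddress.ip_network(sinkhole)
    return Counter("%s/%d" % (classify(fl), fl["dport"]) for fl in flows
                   if ipaddress.ip_address(fl["dst"]) in net)


if __name__ == "__main__":
    flows = parse_flows(SHOW_IP_CACHE_FLOW)
    print("TOP destinations:", top_n(flows, lambda f: f["dst"], 5))
    print("TOP classes:     ", top_n(flows, classify))
    print("DoS candidates:  ", dos_candidates(flows))
    print("sinkhole traffic:", dict(sinkhole_classes(flows)))
```

On the router itself the same triage is done with "show ip cache flow | include <victim address>" and a classification ACL whose per-line counters answer which protocol is carrying the attack; the verbose form of the command adds bytes per packet and source/destination AS, which is what the packet-size and AS TOP N slides are built from.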