Using NetFlow/IPFIX for Anomaly Detection with opFlow
NetFlow data can be used to identify attacks on your network such as denial of service (DoS), viruses, and worms. Changes in network behavior are represented clearly in NetFlow data, and understanding these deviations from normal can help in identifying harmful anomalies. An anomaly is an event or condition in the network that deviates from previously typical traffic patterns.
opFlow can detect anomalies by determining what an average network usage baseline would be and comparing it with the traffic of a suspected anomaly event. DoS attacks flood the network with packets from an untrusted source, and these packets usually have a rather large packet size. Packet sizes are normally no larger than 1500 bytes, so creating an ingress policy for specific ports that discards packets larger than 1500 bytes could prevent some DoS attacks from ever occurring. opFlow clearly displays the sources and destinations of flow traffic, allowing you to see when an unknown or untrusted source is sending traffic to your network.
NetFlow collects the packet source, port number, destination, packet size, and protocol number. Understanding what ports are commonly used on your network can help you determine whether abnormal activity is coming through. The Conversation Summary feature in opFlow gives a detailed look into all conversations happening on your network. There may be a lot of conversations happening across your network; in Figure 1 below, the ports are filtered to show only Src Port 443, making specific and relevant traffic easier to see. These packets can be sorted in ways that help you view and understand the information more clearly. In this example, packets received are sorted in descending order to see whether the packet count is unusually higher than normal; this is why understanding normal packet sizes, as well as the ports and sources commonly used on your network, is important for any network engineer.
To view the Conversation Summary page, navigate to menu -> Views -> Conversation Summary. The filter is added by typing the desired port in the box in the top right-hand corner of the Conversation Summary page. The drop-down menu to the right of the search box lets you search by Application, Source, Src Port, Destination, or Dst Port.
Figure 1 - Conversation Summary
The default landing page for opFlow displays the Top 10 App Sources, as shown in Figure 2 below. This shows the applications that are generating the most flow data, displaying their Source, Application, Bits, and Pkts. In this example, these sources are mostly known servers and routers having conversations with each other. However, the application generating the most Bits is clearly Other. Other covers all of the applications that are not on the Top 10 Apps list, which in this case is quite a lot. The Top 10 App Sources default view can be used to detect anomalies as well: if you do not recognize a Source or Application, or notice that the Other Application/Source has a larger packet count than average, this is cause to investigate. To get a clearer view of all the applications grouped in Other, the Conversation Summary view is recommended. If you want an application in the Other category to be recognized as a known application, you can create a Custom Application. Assigning Custom Applications to known flow data can help you gain insight into your network and make it easier to notice when an anomaly is present.
Custom Application creation is detailed HERE: Creating Custom Applications
Figure 2 - Top 10 App Sources
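As an added illustration (example code, not opFlow's own), the baseline comparison, Src Port filter, packet-count sort and Top 10 App Sources/Other aggregation described above, run over constructed NetFlow-style records. The port-to-application map, the known-source set and the 1500-byte average packet size check are assumptions made for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev
# Constructed flow records (not captured data): (src, src_port, dst, dst_port, proto, bytes, packets)
BASELINE_FLOWS = [  # a "normal" window from which the baseline is derived
    ("10.0.0.5", 443, "10.0.1.20", 51000, 6, 150_000, 120),
    ("10.0.0.5", 443, "10.0.1.21", 51001, 6, 140_000, 110),
    ("10.0.0.6", 443, "10.0.1.22", 51002, 6, 160_000, 130),
    ("10.0.0.7", 53, "10.0.1.20", 40000, 17, 12_000, 100),
    ("10.0.0.9", 8443, "10.0.1.24", 53000, 6, 20_000, 40),
]
CURRENT_FLOWS = BASELINE_FLOWS + [  # the window under investigation
    ("198.51.100.9", 443, "10.0.1.20", 51003, 6, 12_000_000, 6000),  # constructed flood
]
KNOWN_APPS = {443: "https", 53: "dns", 22: "ssh"}  # assumed port-to-application map
KNOWN_SOURCES = {f[0] for f in BASELINE_FLOWS}     # sources seen during the baseline

def filter_src_port(flows, port):
    """Mirror of the Conversation Summary 'Src Port' filter."""
    return [f for f in flows if f[1] == port]

def by_packets_desc(flows):
    """Order flows by packet count, highest first, as in Figure 1."""
    return sorted(flows, key=lambda f: f[6], reverse=True)

def top_app_sources(flows, n=10):
    """Bits and packets per (source, application); ports not in KNOWN_APPS fall into 'Other'."""
    totals = defaultdict(lambda: [0, 0])
    for src, sport, *_rest, nbytes, pkts in flows:
        key = (src, KNOWN_APPS.get(sport, "Other"))
        totals[key][0] += nbytes * 8   # bits
        totals[key][1] += pkts
    ranked = sorted(totals.items(), key=lambda kv: kv[1][0], reverse=True)
    return [(src, app, bits, pkts) for (src, app), (bits, pkts) in ranked[:n]]

def packet_anomalies(flows, baseline, k=2.0):
    """Flag flows whose packet count, average packet size or source deviates from the baseline."""
    counts = [f[6] for f in baseline]
    threshold = mean(counts) + k * pstdev(counts)   # mean plus k standard deviations
    flagged = []
    for src, _sport, _dst, _dport, _proto, nbytes, pkts in flows:
        reasons = []
        if pkts > threshold:
            reasons.append("packet count above baseline")
        if pkts and nbytes / pkts > 1500:
            reasons.append("average packet size above 1500 bytes")
        if src not in KNOWN_SOURCES:
            reasons.append("source not seen in baseline")
        if reasons:
            flagged.append((src, reasons))
    return flagged
```

Run against the constructed records, only the flood flow from 198.51.100.9 is flagged, and it also tops the Top 10 App Sources ranking by Bits while the 8443 conversation lands in Other.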
More information on Anomaly Detection regarding DoS attacks can be found HERE: Detect DDoS attacks with opFlow