Something Wormy On Your Net? Investigate with Ourmon
Editor's Note: When he's not busy clarifying networking concepts, Enterprise Networking Planet's Charlie Schluting spends some of his spare cycles on Ourmon, an open source network security monitor developed at Portland State University in Oregon. Here's the first of two pieces from Charlie on how ourmon works and how to set it up.
What if you could see statistics about network traffic and actually know what computers were causing anomalies? A huge spike in traffic is usually of concern, and being able to discern the source of the traffic, as well as the type of traffic, all in one software package is the grail of network and security monitoring.
Lately there has been revived interest in botnet and network-oriented malware detection software. People have discovered that Cricket and other traffic graphing software packages are semi-useless from a security perspective. Ourmon, originally used to monitor host network activity and give reports and graphs of "top talkers," started investigating anomalous traffic a few years ago. Yes, the name is a play on RMON, which provides similar, but of course more limited, host-level network information. It has since been known as: "Ourmon: Network Monitoring and Anomaly Detection System." Ourmon now provides Denial of Service (DoS) detection, TCP and UDP scanner detection, IRC botnet detection, and the ability to discover and report other anomalous activity.
First, let's begin with anomalies, since that's how Ourmon morphed into a botnet and scanner detector to begin with.
When I was a student and network engineer at Portland State University (PSU), Ourmon's creator, Jim Binkley, would come to me with puzzling graphs and statistics. We could sometimes attribute TCP SYN scanning behavior to poorly behaved applications that lost communication with their server, for whatever reason, but most of the time it was much more serious. Ourmon started graphing TCP and UDP "work weights" to show us how efficiently hosts were communicating. This was, at first, a simple metric to compare the number of SYN packets to the number of SYN+ACKs to reveal TCP scanning activity. All of a sudden, Ourmon started revealing compromised machines that were executing DoS attacks or scanning for other computers to infect.
Next, Ourmon reveals IRC botnets. Many commercial products that claim to report "botnet activity" are simply reporting which computers on your network connect to IRC servers. Ourmon grew up at a University, where people use IRC to communicate all the time, so this crude and fast-to-market method the companies use clearly wouldn't work in our situation. Ourmon's botnet detection correlates the scanning hosts with IRC activity and generates a list of "evil channels." Chances are very high that if a Windows computer has been scanning the network, and participates in the same IRC channel as other scanners, it is a compromised machine. The scanning machines are normally a result of worms attempting to propagate, so Ourmon calls them "wormy hosts." One of the text-based reports, the IRC report, gives a clear and concise view of which hosts are infected:
channel name number of hosts wormy hosts evil flag #exploit 10 9 E #ubuntu 15 0
Yes, someone really did run a botnet with a channel name #exploit. You can see that most of the hosts on campus who were in this IRC channel were also observed exhibiting "wormy" behavior. Ourmon has just discovered a new botnet, along with (at least) 9 infected machines on our network.
You may be thinking: "so it's like Snort, right?" but that couldn't be further from reality. Snort uses fingerprints to detect viruses and exploits, and it can't detect anything that hasn't been programmed into it. Ourmon analyzes network anomalies and reports them, so it actually has the ability to discover unknown worms and IRC botnets. As a side effect, it also discovers poorly behaved programs, like some file sharing software. Most of the time file sharing software shows up as a scanner because it is trying to contact an invalid list of peers. Ourmon can also be told to monitor and graph anything you desire, through its configuration file's ability to use any BPF (like tcpdump syntax) expression you provide.
Focusing a bit on the network monitoring features now, Ourmon's graphs provide network administrators with a wonderful view of basic network traffic, along with many levels of detail. The first thing you see on the Ourmon web pages is a graph of total traffic and total packets for the last day and a half. Scrolling down the page is akin to drilling deeper into the statistics. You'll find traffic broken down by protocol, then by TCP port, then by originating host. On the sample page, linked to above, you can see that PSU has set up subnet-based views as well. It's as simple as another line in the config file, and you can tell whether it's those marketing or engineering folks that are using up all the bandwidth. You'll also find graphs of the "top SYNners" and the more general "top talkers" which allows you to very quickly find the IP of the top machines using the most bandwidth, for any protocol.
There is a plethora of information on the main page alone, and you can add as much as you'd like. If the graph of "top ports" doesn't suite your needs, you can change it to keep track of any set of ports that you'd like. The top SYN count and TCP Worm graphs give a very quick view of how wormy your site really is. It also tells you if you're being DoS'd, or if you're the one participating in a DoS attack via the "us" and "them" labels. Of course these are all MRTG graphs, so you can view up to a year's worth of data.
The basic idea behind Ourmon is that it sits strategically placed somewhere near your border, and sniffs down a copy of all packets coming to or leaving your site. It requires a slightly beefy server to keep up with a fast Internet connection, but the data it can provide is priceless. Ourmon on the fastest Pentium 4 available will keep up with PSU's Gigabit connection (200 to 400+ Mb/s is actually used), but a much slower box can be tasked with monitoring slower connections. Up to 35 Mb/s is easily handled with a Pentium III 500 MHz, depending on how many things you wish to monitor.
Configuring Ourmon can take some time, but installing it with the default graphs can be done rather quickly. Next week we'll provide a how-to on installing and configuring Ourmon, with a focus on customizing it to fit your needs.