Cure Lan Technology 治科資訊

NEWS

NEW Add New Function

IPS devices generally use pattern recognition to filter anomalous traffic; however, that method is always too slow. Curelan does not use pattern recognition but uses behavior analysis to detect UDP Flood Attacks. When Flowviewer detects a UDP Flood Attack, it blocks the infected IP at the Core Switch with ACL commands. This keeps the large number of packets generated by the infected IP from passing through the gateway devices and prevents those devices from crashing.

Ex. An internal IP at Ling Tung University was infected and launched a UDP Flood Attack. The following figure shows the detection result from Flowviewer behavior analysis.

[Figure: Ling Tung UDP flood attack, Flowviewer detection result]

Using the Flowviewer “realtime netflow” function, we set the time range from 00:00:00 to 23:00:00 and selected the UDP protocol to find out which users generated the most traffic on Apr. 20, 2009. We found that 192.168.27.37, 192.168.27.4 and 192.168.27.3 were the top 3. The following figures show the detailed netflow records of these 3 IPs:

Figure 1

Analysis: The Source IP is 192.168.27.37 (private IP) and the Source Port changed all the time. The Destination IP is 121.12.172.171 (public IP) and the Destination Port is 80. The Source IP generated 658M Bytes of traffic per record at 13:40:21 on Apr. 20, 2009. From the above report, we found that 192.168.27.37 had been infected and launched a UDP Flood Attack against 121.12.172.171.

Figure 2

Analysis: The Source IP is 192.168.27.4 (private IP) and the Source Port changed all the time. The Destination IP is 121.12.172.171 (public IP) and the Destination Port is 80. The Source IP generated 740M Bytes of traffic per record at 14:11:20 on Apr. 20, 2009. From the above report, we found that 192.168.27.4 had been infected and launched a UDP Flood Attack against 121.12.172.171.

Figure 3

Analysis: The Source IP is 192.168.27.3 (private IP) and the Source Port changed all the time. The Destination IP is 121.12.172.171 (public IP) and the Destination Port is 80. The Source IP generated 343M Bytes of traffic per record at 13:59:17 on Apr. 20, 2009. From the above report, we found that 192.168.27.3 had been infected and launched a UDP Flood Attack against 121.12.172.171.

Conclusion:

1. From the above 3 reports, we know that a UDP Flood Attack can spread through the network. The reports show that 192.168.27.37 was infected by the virus first, and that it then spread to 192.168.27.3 and 192.168.27.4.

2. A UDP Flood Attack generates a huge number of packets.

3. From the Flowviewer report, you can analyze the regular behavior of a UDP Flood Attack. Flowviewer can find a UDP Flood Attack by behavior analysis and then automatically block the infected IPs through the Core Switch with ACL commands.
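The behavior noted in the three analyses (UDP protocol, one destination IP and port, constantly changing source ports, very large byte counts) can be written as a check over flow records. The following is an added example, not Flowviewer's code; the thresholds, the record layout, the `make_flows` helper and the sample flows are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed thresholds for this example; they are not Flowviewer's settings.
MIN_SRC_PORTS = 3            # distinct source ports toward one target
MIN_BYTES = 100_000_000      # total bytes toward one target

def detect_udp_flood(flows, min_ports=MIN_SRC_PORTS, min_bytes=MIN_BYTES):
    """Return (first_seen, src, dst, dport, total_bytes) tuples, oldest first.

    A source is flagged when its UDP flows to one destination IP and port
    come from many different source ports and add up to a large byte count.
    """
    stats = defaultdict(lambda: {"ports": set(), "bytes": 0, "first": None})
    for ts, src, sport, dst, dport, proto, nbytes in flows:
        if proto != "UDP":
            continue
        s = stats[(src, dst, dport)]
        s["ports"].add(sport)
        s["bytes"] += nbytes
        if s["first"] is None or ts < s["first"]:
            s["first"] = ts
    hits = [(s["first"], src, dst, dport, s["bytes"])
            for (src, dst, dport), s in stats.items()
            if len(s["ports"]) >= min_ports and s["bytes"] >= min_bytes]
    return sorted(hits)  # HH:MM:SS strings sort chronologically within one day

def make_flows(ts, src, dst, dport, proto, nbytes, sports):
    """Build one record per source port (hypothetical helper for sample data)."""
    return [(ts, src, sp, dst, dport, proto, nbytes) for sp in sports]

# Constructed sample records. The three flooding hosts, the target, the times
# and the per-record sizes (M taken as 10**6) follow the report above; source
# ports and the two quiet hosts (.50, .60) are made up.
TARGET = "121.12.172.171"
SAMPLE_FLOWS = (
    make_flows("14:11:20", "192.168.27.4", TARGET, 80, "UDP", 740_000_000, [1501, 2733, 4102])
    + make_flows("13:40:21", "192.168.27.37", TARGET, 80, "UDP", 658_000_000, [1044, 2871, 3990])
    + make_flows("13:59:17", "192.168.27.3", TARGET, 80, "UDP", 343_000_000, [1188, 3020, 4555])
    # DNS lookups: many source ports but tiny volume, so not flagged.
    + make_flows("09:00:00", "192.168.27.50", "192.168.27.1", 53, "UDP", 120, [5000, 5001, 5002, 5003])
    # Large TCP transfer: ignored because the check only looks at UDP.
    + make_flows("10:00:00", "192.168.27.60", "203.0.113.10", 80, "TCP", 500_000_000, [6000, 6001, 6002])
)

if __name__ == "__main__":
    for first, src, dst, dport, total in detect_udp_flood(SAMPLE_FLOWS):
        print(f"{first} {src} -> {dst}:{dport} UDP {total} bytes: candidate for ACL block")
```

Sorting the hits by first-seen time reproduces the infection order given in conclusion 1.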

 

 


Copyright © 2002 by CureLAN Corp. All rights reserved. Send all questions and comments regarding this site to E-MAIL