The previous post covered scanning the target machine's network ports with Nmap and capturing the corresponding Wireshark trace. This post discusses how NetFlow can be used to detect and analyse that port-scanning activity.

1. NetFlow

NetFlow was introduced by Cisco [1]:

A network flow is defined as a unidirectional sequence of packets between given source and destination endpoints. Network flows are highly granular; flow endpoints are identified both by IP address as well as by transport layer application port numbers. NetFlow also utilizes the IP Protocol type, Type of Service (ToS) and the input interface identifier to uniquely identify flows.

In other words, NetFlow no longer looks at individual packets but aggregates packets with common attributes into a flow. Concretely, packets travelling in the same direction (src IP -> dst IP, or the reverse) between the same ports are grouped together, laying the groundwork for the flow analysis that follows.

The NetFlow version in common use today is v5 [2]; a v5 flow key consists of:

Ingress interface (SNMP ifIndex)
Source IP address
Destination IP address
IP protocol
Source port for UDP or TCP, 0 for other protocols
Destination port for UDP or TCP, type and code for ICMP, or 0 for other protocols
IP Type of Service

A typical NetFlow record looks like this:

Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
2010-09-01 00:00:00.459 0.000 UDP 127.0.0.1:24920 -> 192.168.0.1:22126 1 46 1
2010-09-01 00:00:00.363 0.000 UDP 192.168.0.1:22126 -> 127.0.0.1:24920 1 80 1

2. Detecting and analysing a network port scan

nfcapd was used to convert the pcap captured by Wireshark into NetFlow data, producing an nfcapd file:

nfcapd.201903110920

Opening that nfcapd file with nfdump yields a series of NetFlow records:

2019-03-11 09:20:45.622 0.000 TCP 192.168.229.128:49220 -> 192.168.229.129:256 1 24 1
2019-03-11 09:20:45.678 0.001 TCP 192.168.229.128:49220 -> 192.168.229.129:512 2 44 1
2019-03-11 09:20:45.636 0.000 TCP 192.168.229.128:49220 -> 192.168.229.129:768 1 24 1

Summary: total flows: 2066, total bytes: 46986, total packets: 2081, avg bps: 13983, avg pps: 77, avg bpp: 22
Time window: 2019-03-11 09:20:26 - 2019-03-11 09:20:53
Total flows processed: 2066, Blocks skipped: 0, Bytes read: 99192
Sys: 0.012s flows/second: 172166.7 Wall: 0.038s flows/second: 53755.9

Where:

  • 192.168.229.128:49220 is Kali's IP address and source port
  • 192.168.229.129 is the target machine's IP address

Already from this it is clear that Kali is port-scanning the target over TCP.

The per-source-port statistics make this even clearer:

Top 10 Src Port ordered by -:
Date first seen Duration Proto Src Port Flows(%) Packets(%) Bytes(%) pps bps bpp
2019-03-11 09:20:45.648 0.000 any 1 1( 0.0) 1( 0.0) 20( 0.0) 0 0 20
2019-03-11 09:20:35.672 3.003 any 62552 1( 0.0) 4( 0.2) 728( 1.5) 1 1939 182
2019-03-11 09:20:46.787 5.007 any 52556 4( 0.2) 4( 0.2) 236( 0.5) 0 377 59
2019-03-11 09:20:45.617 0.110 any 49220 1024(49.6) 1036(49.8) 24816(52.8) 9418 1.8 M 23
2019-03-11 09:20:26.763 5.006 any 47770 4( 0.2) 4( 0.2) 236( 0.5) 0 377 59
2019-03-11 09:20:36.777 5.007 any 43886 4( 0.2) 4( 0.2) 188( 0.4) 0 300 47
2019-03-11 09:20:32.584 8.002 any 43694 3( 0.1) 3( 0.1) 162( 0.3) 0 161 54
2019-03-11 09:20:48.638 5.005 any 39664 2( 0.1) 2( 0.1) 92( 0.2) 0 147 46
2019-03-11 09:20:45.674 0.000 any 1024 1( 0.0) 1( 0.0) 20( 0.0) 0 0 20
2019-03-11 09:20:45.634 0.000 any 1023 1( 0.0) 1( 0.0) 20( 0.0) 0 0 20

The 1024 flows from Kali's port 49220 account for nearly half of all flows, matching a scan of ports 1-1024 on the target.

NetFlow is thus highly effective for detecting and analysing network port scans.

3. A short extension

The above described a port-scan detection experiment: capture packets with Wireshark, convert them to a NetFlow file, then analyse that file.

In real-world network monitoring, however, mainly for performance reasons, this is not how it is done. (Nickless, 2000) proposes combining NetFlow with a database: the collected NetFlow data is stored in a database, and NetFlow analysis is then carried out with database queries.

For example, to detect port scans in the same way, the following database queries can be used [1]:

select src_ipn, count(distinct dst_ipn) as num_anl_addrs
  from netflows
 where srcas > 0
   and starttime > date_sub(now(), interval 3 day)
 group by src_ipn
having num_anl_addrs > 64
 order by num_anl_addrs

Over a three-day window, this finds source IPs that have flows to more than 64 distinct internal destination IPs. It effectively filters out the source IPs that may be port-scanning the internal network, so they can be examined further.

select src_ipn, min(starttime) as first, max(endtime) as last,
       count(distinct dst_ipn) as addrs, prot, dstport
  from netflows
 where src_ipn = 140221009006
 group by prot, dstport
 order by addrs

Given a suspicious source IP, this lists, per protocol and destination port, how many destination IPs it had flows to and when it was first and last seen.
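As an added example (not code from the original post, from nfdump, or from Nickless's paper), the following Python script parses nfdump-style flow lines like those in section 2 and flags a source that touches many distinct destination ports (the vertical scan seen above) or many distinct destination hosts (the horizontal sweep the first Nickless query looks for). The sample records are constructed and the thresholds are assumptions.

```python
# Added example: NetFlow-based port-scan detection over nfdump-style lines.
import re
from collections import defaultdict

# Constructed sample records in nfdump's default IPv4 line format.
SAMPLE_FLOWS = """\
2019-03-11 09:20:45.622 0.000 TCP 192.168.229.128:49220 -> 192.168.229.129:256 1 24 1
2019-03-11 09:20:45.678 0.001 TCP 192.168.229.128:49220 -> 192.168.229.129:512 2 44 1
2019-03-11 09:20:45.636 0.000 TCP 192.168.229.128:49220 -> 192.168.229.129:768 1 24 1
2019-03-11 09:20:45.640 0.000 TCP 192.168.229.128:49220 -> 192.168.229.129:22 1 24 1
2019-03-11 09:20:46.787 5.007 UDP 192.168.229.129:52556 -> 192.168.229.2:53 4 236 1
2019-03-11 09:20:26.763 5.006 UDP 192.168.229.129:47770 -> 192.168.229.2:53 4 236 1
Summary: total flows: 6, total bytes: 588, total packets: 13
"""

# One flow per line: date time, duration, proto, src:port -> dst:port, pkts, bytes, flows.
FLOW_RE = re.compile(
    r"^(?P<date>\S+ \S+)\s+(?P<dur>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<flows>\d+)"
)

def parse_flows(text):
    """Yield one dict per well-formed flow line; header and summary lines are skipped."""
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            yield m.groupdict()

def scan_report(text, port_threshold=100, host_threshold=64):
    """Per source IP: distinct destination ports and hosts, and whether either
    exceeds its threshold (thresholds are assumptions, tune to the network)."""
    dports = defaultdict(set)  # src -> distinct destination ports seen
    dhosts = defaultdict(set)  # src -> distinct destination hosts seen
    for f in parse_flows(text):
        dports[f["src"]].add(int(f["dport"]))
        dhosts[f["src"]].add(f["dst"])
    return {
        src: {
            "ports": len(dports[src]),
            "hosts": len(dhosts[src]),
            "vertical": len(dports[src]) > port_threshold,
            "horizontal": len(dhosts[src]) > host_threshold,
        }
        for src in dports
    }

if __name__ == "__main__":
    # Low port threshold only because the constructed sample is tiny.
    for src, info in scan_report(SAMPLE_FLOWS, port_threshold=3).items():
        print(src, info)
```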

The paper's summary:

ICMP Echo Reply (ping) scans, port scans, and even NMAP stealth scans show up very obviously in this and the preceding report.

  1. Bill Nickless. 2000. Combining Cisco NetFlow Exports with Relational Database Technology for Usage Statistics, Intrusion Detection, and Network Forensics. In Proceedings of the 14th USENIX Conference on System Administration (LISA '00). USENIX Association, Berkeley, CA, USA, 285-290.

  2. Wikipedia contributors. "NetFlow." Wikipedia, The Free Encyclopedia, 15 Feb. 2019. Web. 12 Mar. 2019.