Security of Czech army information and communication systems - On-line monitoring, Visualization and Packet Filtration. Computer Incident Response Capability Development in the Cyber Defence Environment
Detection of Time Variation in Network Connections
Monitoring tools that observe the current network status and send alerts when suspicious anomalies occur are regularly used for network defence. Active monitoring methods are implemented in tools such as Nagios or Zabbix; the active approach gives explicit control over the generation of packets for measurement scenarios. In contrast, our research has focused on passive monitoring, in which devices watch the traffic as it passes by. The aim has not been to create applications that substitute for active monitoring tools, but ones that complement them. Passive monitoring is preferable from the network administrator's point of view because no auxiliary tool needs to be installed on the monitored servers; moreover, it does not add measurement traffic to the network.
The Delaywatch tool is our plugin for NfSen. It uses NetFlow record timestamps to track delays in server responses to client requests. A rising delay can indicate a DoS or DDoS attack in progress, but also increased internal server load. Delaywatch therefore makes an effort to narrow detection to true attacks: it reports an event only if the delay increase is correlated with a surge in network traffic at the same moment. The plugin's graphical interface displays graphs of the time evolution of delay and of network traffic characteristics for the monitored machines.
Figure: an unexpected increase in all monitored parameters caused by the attack on the server.
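As an added illustration (not the Delaywatch plugin's own code, which runs inside NfSen), the following Python sketch shows the correlation rule described above: request and response flows are paired by their NetFlow first-seen timestamps, delay and traffic are aggregated per time window, and an event is reported only when both rise together against the baseline. The flow records, addresses, window size and threshold factor are constructed for this example.

```python
from statistics import mean

SERVER = "10.0.0.5"   # assumed address of the monitored server
WINDOW_MS = 1000      # assumed aggregation window

# Constructed NetFlow-style records: (first_seen_ms, src, dst, bytes).
FLOWS = [
    # window 0: normal operation, requests answered in ~20 ms
    (0, "10.1.1.1", SERVER, 500), (20, SERVER, "10.1.1.1", 1500),
    (300, "10.1.1.2", SERVER, 500), (325, SERVER, "10.1.1.2", 1500),
    # window 1: delay rises (internal load) but traffic is flat -> no event
    (1000, "10.1.1.1", SERVER, 500), (1200, SERVER, "10.1.1.1", 1500),
    (1300, "10.1.1.2", SERVER, 500), (1480, SERVER, "10.1.1.2", 1500),
    # window 2: delay rises together with a request surge -> event
    (2000, "10.9.9.1", SERVER, 4000), (2010, "10.9.9.2", SERVER, 4000),
    (2020, "10.9.9.3", SERVER, 4000), (2030, "10.1.1.1", SERVER, 500),
    (2400, SERVER, "10.1.1.1", 1500), (2500, SERVER, "10.9.9.1", 100),
]

def response_delays(flows, server):
    """Pair each client->server request flow with the next server->client flow
    to that client; return (response_time_ms, delay_ms) for each pair."""
    pending, delays = {}, []
    for first_seen, src, dst, _ in sorted(flows):
        if dst == server:
            pending.setdefault(src, first_seen)   # keep earliest unanswered request
        elif src == server and dst in pending:
            delays.append((first_seen, first_seen - pending.pop(dst)))
    return delays

def window_stats(flows, server, window_ms=WINDOW_MS):
    """Per window index: (mean response delay in ms, bytes sent toward server)."""
    delays, traffic = {}, {}
    for t, d in response_delays(flows, server):
        delays.setdefault(t // window_ms, []).append(d)
    for t, src, dst, nbytes in flows:
        if dst == server:
            traffic[t // window_ms] = traffic.get(t // window_ms, 0) + nbytes
    return {w: (mean(delays.get(w, [0])), traffic.get(w, 0))
            for w in sorted(set(delays) | set(traffic))}

def correlated_alerts(stats, factor=3.0):
    """Report only windows where BOTH delay and traffic exceed `factor` times
    the baseline (first window); a pure server-load slowdown is not reported."""
    first = min(stats)
    base_delay, base_traffic = stats[first]
    return [w for w, (d, b) in stats.items()
            if w != first and d > factor * base_delay and b > factor * base_traffic]

if __name__ == "__main__":
    print(correlated_alerts(window_stats(FLOWS, SERVER)))  # [2]
```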
- version 1.2.0, SHA-1 checksum, readme.txt, release date: March 15, 2012
- version 1.1.0, SHA-1 checksum, readme.txt, release date: February 15, 2012
- version 1.0.0, SHA-1 checksum, readme.txt, release date: January 17, 2012