Case studies and examples

Real world examples

Some case studies from the real world.

Case Zero

click to enlarge

This is from the default deviation report ("new traffic") showing a brute force password attack on the FTP servers. They were supposed to have a limit on the number of login attempts, but after an upgrade this limit was lost. This report alerted the operators of the problem, fixing it. Please note that this attack is quite low in intensity with about 200 packages per 15 minutes, or about 4 seconds between each packet. Despite of this ASDIC has no problem isolating it thanks to the deviation style report and the logarithmic scale.

Case One

During a demonstration of ASDIC in the customers network environment, we present some traffic patterns of the network: Look for example here, one of your users running the KaZaA peer to peer file sharing software.

The CIO excuses himself, leaves the demonstration to send out a technician bringing in the client PC in for examination.

Case Two

click to enlarge

This is from the recursive attack report as described in the documentation. It monitors a firewall exposed to the internet during a Nessus scan. Not only notice the scanning itself, but also how relative quiet the report is during normal circumstances. The recursive scheme is quite powerful in eliminating uninteresting hits such as the background noise from all the worms and viruses constantly pestering the internet. In this scheme, if the attack do not render any successful hits it will not be included. Read more how to define such refined searches here.

Case Three

An engineer at the multinational corporation is asked by the CSO if ASDIC can be used to detect spy software in their network. The first report ASDIC produces, the very first entry, shows a spyware trying to deliver information out from the internal network to a Russian server.

Case Four

The smaller company who chose to secure the individual servers instead of using a firewall.

click to enlarge

An ASDIC traffic analysis shows that even if no break-in attempts from the internet are successful, about 75 % of all bandwidth is consumed by worms attempting to crack the SQL-servers.

Here the aggregates are of type
SourceIP => DestinationIP:MSSQL and each colour represents a brute force attack. Several attacks are overlapping in time. You clearly see that the more intense an attack is, the shorter period of time it keeps going. The only legal SQL traffic patterns in this graph, are the small patterns in the foreground. The attacks are dominating by far.

Case Five

click to enlarge

A graph over all incoming traffic shows a malfunctioning DNS client doing an involuntary denial of service attack. Here are the three largest traffic patterns are selected. Thanks to the early detection, the error was corrected before the loss of bandwidth had any significant effect.

Please note that the orange pattern at all times is larger than all other pattens, but due to the logarithmic scale almost disappears compared to the brown pattern.

Case Six

click to enlarge

And last, a portscan of this very web server. This is from the default "conflicts" report, and 1000+ conflicting sessions one and the same time slice, is very likely a portscan. A detailed session report shows a scan of all ports between 1024 and 2048 tcp. The red dot (AR) shows that every single packet from this host was rejected by the firewall. Compared to the attack report in case two above, this is much more noisy because this includes all denied traffic patterns, even the once not passing the firewall at all. Remember - a pattern can both be denied and accepted at the same time, since it spans multiple sessions.

Please do not mess with our poor web hosting provider.

Your case?

Do you have a case where ASDIC saved you a lots of trouble? Please tell us all about it, and we might include it in this list!

Ping Research