Several businesses fall victim to hackers in spite of deploying firewalls and intrusion detection systems (IDS). This is because both of these systems read packet headers and do signature matching, and are oblivious to advanced attacks such as DDoS and zero-day attacks. Today, businesses need advanced security analysis and protection measures that help them safeguard their networks and data centers against such sophisticated attacks.
Network Defender Plus is flow-based network behavior anomaly detection (NBAD) software that analyzes packet flows to detect malicious traffic hitting the network. The flow technologies supported by NDP are Cisco NetFlow version 5, version 7 and version 9 exports, sFlow, cFlow, J-Flow, IPFIX and NetStream. This exported flow data is collected and analyzed to identify intrusions or attacks by applying advanced rules and patterns to the malicious traffic.
Network Defender Plus helps you:
Network Defender Plus continuously analyzes the packet flow using its Continuous Stream Mining Engine to find malicious traffic hitting your network. It does pattern matching, finds attacks and classifies them under the appropriate problem classes, namely DDoS, Bad Src-Dst, Scan/Probes, and Suspect Flows.
The event details view gives thorough details about the problem. The details include the problem name, offender IPs, target IPs, unique connections, port, protocol and much more. Clicking on the router name gives details with the mapped source and destination IPs and the application, port, protocol, etc. Dials provide information on source and destination occupancy, as well as span, to trace patterns based on how endpoints are distributed (density) and the nature of the scan (host/port).
The event list dashboard gives a list of all the events along with details such as problem name, offenders, target, hits, severity, and time of the attack. From this view, you can ignore certain events by specifying criteria. You can also mark trusted flows as harmless so that they are not taken into account.
Generate reports for a specific time period to view suspicious flows, and set criteria to view the path of a flow and trace the exact location of the fault. Advanced reports make the generated data easier to analyze and save time.
Alert profiles can be configured to send email and SMS notifications for attacks. Add an alert configuration from Settings, and alerts are generated for events that satisfy the defined criteria, notifying users about attacks in real time. This lets you save your data center from an outage by taking suitable action against the attack.
A DDoS attack disrupts the services delivered by an enterprise by flooding it with junk traffic from multiple sources simultaneously. The most common form of this attack involves sending multiple communication requests to the router (target device) so that it fails to respond to legitimate requests. Network Defender Plus identifies such junk traffic hitting the network from unwanted sources and raises a DDoS event.
Some attacks are caused by bad source or destination IP addresses. Examples of Bad Src-Dst problems are an invalid source or destination IP, excess multicast flows from a source IP, excess broadcast traffic sent to a destination IP, and much more. Network Defender Plus keeps tabs on all such malicious activity at the source and destination IPs and pinpoints such problems for immediate action.
In a flow, if any field other than the source and destination looks suspicious, the flow is called a suspect flow. In this attack either the packet size is abnormal (below the legitimate size of IP or TCP packets) or a wrong priority is set. Malformed IP and TCP packets and invalid ToS flows are some examples of suspect flows. Malformed IP and TCP packets do not have the legitimate packet size (IP - 20 bytes and TCP - 40 bytes). Invalid ToS flows have invalid ToS values (other than 0-255). Network Defender Plus identifies such suspicious flows and raises an event.
A scan or probe is a technique used by attackers to scan a network to identify vulnerable systems so that they can get into the network and cause major problems. Attackers scan the network for systems running remote desktop services, open ports, network mapping, etc. They carry out such actions by sending ICMP sweeps, executing DNS commands, spoofing IP addresses, and other techniques. Network Defender Plus detects such scanning and probing activities and brings them to the notice of admins in real time.
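As an added illustration (not the product's own code) of how the Bad Src-Dst, Suspect Flows and Scan/Probes classes above can be derived from exported flow records, the following script applies those checks to a handful of constructed NetFlow v5-style records. The record layout, the scan threshold and the field names are assumptions; the 20-byte IP and 40-byte TCP floors and the 0-255 ToS range are the values quoted in the text.

```python
from collections import defaultdict
from ipaddress import ip_address

MIN_IP_BYTES, MIN_TCP_BYTES = 20, 40   # legitimate minimum packet sizes quoted in the text
SCAN_THRESHOLD = 5                     # distinct ports/hosts from one source before flagging (assumed)

# Constructed flow records with NetFlow v5-style fields; not the product's own schema.
FLOWS = [
    {"src": "10.0.0.5", "dst": "203.0.113.9", "dport": 443, "proto": 6, "pkts": 40, "bytes": 52000, "tos": 0},
    {"src": "0.0.0.0", "dst": "10.0.0.7", "dport": 80, "proto": 6, "pkts": 3, "bytes": 180, "tos": 0},
    {"src": "10.0.0.9", "dst": "10.0.0.3", "dport": 22, "proto": 6, "pkts": 10, "bytes": 200, "tos": 0},
    {"src": "10.0.0.9", "dst": "10.0.0.3", "dport": 53, "proto": 17, "pkts": 2, "bytes": 160, "tos": 300},
] + [
    {"src": "198.51.100.4", "dst": "10.0.0.3", "dport": p, "proto": 6, "pkts": 1, "bytes": 60, "tos": 0}
    for p in (21, 22, 23, 25, 80, 443)
]

def check_bad_src_dst(f):
    """Bad Src-Dst: unusable addresses on either end of the flow."""
    src, dst = ip_address(f["src"]), ip_address(f["dst"])
    if src.is_unspecified or src.is_loopback or src.is_multicast:
        return f"invalid source IP {src}"
    if dst.is_unspecified or dst.is_loopback or src == dst:
        return f"invalid destination IP {dst}"
    return None

def check_suspect(f):
    """Suspect Flows: out-of-range ToS or average packet size below the header floor."""
    if not 0 <= f["tos"] <= 255:
        return f"invalid ToS value {f['tos']}"
    floor = MIN_TCP_BYTES if f["proto"] == 6 else MIN_IP_BYTES
    if f["pkts"] and f["bytes"] / f["pkts"] < floor:
        return f"malformed packets: {f['bytes'] / f['pkts']:.0f} B/pkt, floor {floor}"
    return None

def classify(flows):
    """Return (problem class, offender, target, reason) tuples for the given flows."""
    events, ports_seen, hosts_seen = [], defaultdict(set), defaultdict(set)
    for f in flows:
        if reason := check_bad_src_dst(f):
            events.append(("Bad Src-Dst", f["src"], f["dst"], reason))
        elif reason := check_suspect(f):
            events.append(("Suspect Flows", f["src"], f["dst"], reason))
        else:
            ports_seen[(f["src"], f["dst"])].add(f["dport"])   # port scan: one host, many ports
            hosts_seen[(f["src"], f["dport"])].add(f["dst"])   # host sweep: one port, many hosts
    for (src, dst), ports in ports_seen.items():
        if len(ports) >= SCAN_THRESHOLD:
            events.append(("Scan/Probes", src, dst, f"port scan across {len(ports)} ports"))
    for (src, port), hosts in hosts_seen.items():
        if len(hosts) >= SCAN_THRESHOLD:
            events.append(("Scan/Probes", src, f"port {port}", f"host sweep across {len(hosts)} hosts"))
    return events
```

Running `classify(FLOWS)` yields one Bad Src-Dst event for the 0.0.0.0 source, two Suspect Flows events (20 B/pkt TCP and ToS 300) and one Scan/Probes event for the six-port probe of 10.0.0.3.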