It is often advisable to run multiple instances of one or more of the NBI tools to control alerting channels, priorities, and load balancing. You can use -lf, -ll, and -lu to tell instances apart at the log collector. To get the full benefit of the NBI tools, run at least one of each tool.
The FlowTraq Behavioral Fingerprint Generator requires very little configuration. Besides the basic options and the learning period, there is only one parameter to specify.
Table 12.2. ftbfg-specific Parameters

Parameter | Description
---|---
-bc N | Behavioral fingerprint complexity index (default: 1, max: 16)
A higher complexity index generates a better fingerprint, but takes longer to generate. Here is an example of ftbfg output:

```
host:nbitools user$ ./ftbfg -s SERVER -un USER -up PASS -tn 4w
Learning...
Progress: | 100.000% 15943 records [....]
Optimizing behavioral fingerprint... Complexity 7.81
10/15/2012 16:14:39.870553 unusual connection from 1.2.3.4 to 4.3.2.1 443/TCP
10/15/2012 16:14:37.707855 unusual connection from 2.3.4.5 to 5.4.3.2 123/UDP
10/15/2012 16:14:36.366546 unusual connection from 3.4.5.6 to 6.5.4.3 53/UDP
10/15/2012 16:14:40.350553 unusual connection from 4.5.6.7 to 7.6.5.4 443/TCP
10/15/2012 16:14:36.365546 unusual connection from 5.6.7.8 to 8.7.6.5 53/UDP
[...]
```
The FlowTraq DOS Detector requires a few configuration parameters besides the basic options and the learning period. They are:
Table 12.3. ftdos-specific Parameters

Parameter | Description
---|---
-bg | Behavioral granularity, one of: WEEK (hourly slices), DAY (10 minute slices). Default: DAY.
-bt | Absolute threshold. Don't alert unless values are above threshold (default: 100)
**Important:** When using -bg WEEK, the detector runs every 10 minutes, requesting an hour. When using -bg DAY, the detector runs every 2 minutes, requesting 10 minutes. DAY may have up to a 120 second lag between the start of an attack and its detection, while WEEK has up to a 600 second lag. However, WEEK puts a smaller load on the system than DAY. If DDOS mitigation is a priority, you must run the DOS detector in DAY mode. However, other detectors that do not require an immediate automated response may be more accurate in WEEK mode.
**Exclude Local Addresses:** Consider using a filter to exclude your local CIDR block from the DOS detector if you use automatic mitigation. Or be a good Internet neighbor and block local addresses that are originating too many connections.
Here is an example of ftdos output:

```
host:nbitools user$ ./ftdos -s SERVER -un USER -up PASS
Learning...
Estimated iterations: 1.01042
Progress: / 100.000% 1737392 records [....]
Training complete, tracking 4094 entities...
10/15/2012 16:31:04.446711 DOS behavior detected from source 1.2.3.4 to target 4.3.2.1 during 10/15/2012 16:20:00 to 10/15/2012 16:30:00: 273 connections initated
10/15/2012 16:31:04.446749 DOS behavior detected from source 2.3.4.5 to target 5.4.3.2 during 10/15/2012 16:20:00 to 10/15/2012 16:30:00: 148 connections initated
10/15/2012 16:31:04.446760 DOS behavior detected from source 3.4.5.6 to target 6.5.4.3 during 10/15/2012 16:20:00 to 10/15/2012 16:30:00: 101 connections initated
[...]
```
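The "Exclude Local Addresses" note above can also be applied downstream, at the log collector, by routing ftdos alerts whose source sits inside your own CIDR blocks to an internal-abuse queue rather than to automatic mitigation. The following is an added example, not part of the FlowTraq tools; the alert lines and the 192.0.2.0/24 "local" block are constructed for illustration.

```python
import ipaddress
import re
from typing import Iterable, List, Tuple

# Constructed ftdos alert lines in the format shown above (documentation addresses,
# not real hosts); the third source lies inside the sample local block used below.
SAMPLE_DOS = """\
10/15/2012 16:31:04.446711 DOS behavior detected from source 1.2.3.4 to target 4.3.2.1 during 10/15/2012 16:20:00 to 10/15/2012 16:30:00: 273 connections initated
10/15/2012 16:31:04.446749 DOS behavior detected from source 2.3.4.5 to target 5.4.3.2 during 10/15/2012 16:20:00 to 10/15/2012 16:30:00: 148 connections initated
10/15/2012 16:31:04.446760 DOS behavior detected from source 192.0.2.77 to target 6.5.4.3 during 10/15/2012 16:20:00 to 10/15/2012 16:30:00: 101 connections initated
"""

DOS_RE = re.compile(
    r"DOS behavior detected from source (?P<src>\S+) to target (?P<dst>\S+) during "
    r"(?P<start>\S+ \S+) to (?P<end>\S+ \S+): (?P<count>\d+) connections"
)

Alert = Tuple[str, str, int]  # (source, target, connections initiated)


def split_dos_alerts(text: str, local_cidrs: Iterable[str]) -> Tuple[List[Alert], List[Alert]]:
    """Split ftdos alerts into (external, internal) by whether the source is in a local CIDR.

    External alerts are candidates for automated mitigation; internal ones point at
    a misbehaving host of your own and should go to an internal-abuse workflow.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in local_cidrs]
    external: List[Alert] = []
    internal: List[Alert] = []
    for line in text.splitlines():
        m = DOS_RE.search(line)
        if not m:
            continue  # progress lines, banners, anything that is not an alert
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # malformed source field; do not act on it
        entry: Alert = (m["src"], m["dst"], int(m["count"]))
        # Membership across address families is simply False, so mixed v4/v6 lists are safe.
        (internal if any(src in n for n in nets) else external).append(entry)
    return external, internal


if __name__ == "__main__":
    ext, inside = split_dos_alerts(SAMPLE_DOS, ["192.0.2.0/24"])
    print("mitigate:", ext)
    print("internal abuse:", inside)
```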
The FlowTraq Scan Detector tool accepts the -bg/-bt parameters. Their interpretation, use, and caveats are the same as in ftdos. Please see Section 12.3.2, “ftdos” for more information on these.
Here is an example of ftscan output:

```
host:nbitools user$ ./ftscan -s SERVER -un USER -up PASS
Learning...
Estimated iterations: 1.00149
Progress: - 100.000% 1931638 records [....]
Training complete, tracking 254 entities...
10/15/2012 16:32:23.992240 host/horizontal SCAN detected from source 1.2.3.4 during 10/15/2012 15:30:00 to 10/15/2012 16:30:00: 1370 unique hosts scanned
10/15/2012 16:32:23.992289 host/horizontal SCAN detected from source 2.3.4.5 during 10/15/2012 15:30:00 to 10/15/2012 16:30:00: 275 unique hosts scanned
10/15/2012 16:32:23.992306 host/horizontal SCAN detected from source 3.4.5.6 during 10/15/2012 15:30:00 to 10/15/2012 16:30:00: 221 unique hosts scanned
[...]
```
The FlowTraq Typical Connection Volume tool is the most configurable tool in the NBI toolkit. Like ftscan and ftdos, fttcv accepts the basic parameters, the training period parameters, and the -bg/-bt parameters. Please see Section 12.3.2, “ftdos” and Section 12.3.1, “ftbfg” for more information on these.

However, fttcv also accepts a parameter to specify how many standard deviations away from baseline a measurement must be to alert on. Measurements can be significantly higher OR lower than baseline to trigger an alert:
Table 12.4. fttcv-specific Parameters

Parameter | Description
---|---
-bk | Anomaly threshold: number of standard deviations away from mean (default: 3) to trigger alert.
Furthermore, fttcv accepts the -grp/-cnt/-snd/-rcv parameters to specify exactly what to measure about which entities. Astute readers may notice that the ftdos and ftscan commands can be approximated with judicious use of these parameters with fttcv.

Here is an example of fttcv output:

```
host:nbitools user$ ./fttcv -s SERVER -un USER -up PASS -grp HOST -cnt BYTES
Learning...
Estimated iterations: 9
Progress: \ 100.000% 1612679 records [d...]
Progress: \ 100.000% 4183841 records [d...]
Progress: / 100.000% 5135777 records [d...]
Progress: / 100.000% 7033539 records [d...]
Progress: | 100.000% 6527109 records [....]
Progress: \ 100.000% 0 records [....]
Progress: - 100.000% 0 records [....]
Progress: / 100.000% 3674372 records [....]
Progress: / 100.000% 1928253 records [....]
Training complete, tracking 12636 entities...
10/15/2012 16:50:51.749012 unusually HIGH volume for total bytes communicated by address 1.2.3.4 during 10/15/2012 15:50:00 to 10/15/2012 16:50:00: 1110337644.00 (u: 1110337644.00 s: 0.00 k: -1.00 n: 1)
10/15/2012 16:50:51.749193 unusually HIGH volume for total bytes communicated by address 2.3.4.5 during 10/15/2012 15:50:00 to 10/15/2012 16:50:00: 944856533.00 (u: 152723952.99 s: 331763734.18 k: 11.55 n: 7)
10/15/2012 16:50:51.749456 unusually HIGH volume for total bytes communicated by address 3.4.5.6 during 10/15/2012 15:50:00 to 10/15/2012 16:50:00: 938749314.00 (u: 167720982.61 s: 352670922.12 k: 11.41 n: 6)
[...]
```
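Because -bk is expressed in standard deviations from the baseline mean, a collector can re-score each fttcv alert from the reported u and s fields and apply its own escalation policy, for example refusing to escalate an alert whose baseline is a single sample (s: 0.00, n: 1, as in the first line above). The following is an added example, not code from FlowTraq; it assumes u and s are the mean and standard deviation of the n baseline measurements and leaves the k field uninterpreted, since the page does not define it. Two of the sample lines are adapted from the output above, the third (a LOW alert) is constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed fttcv alert lines: first two adapted from the output above, third invented
# to show a LOW-volume alert. Not captured from a real server.
SAMPLE_ALERTS = """\
10/15/2012 16:50:51.749012 unusually HIGH volume for total bytes communicated by address 1.2.3.4 during 10/15/2012 15:50:00 to 10/15/2012 16:50:00: 1110337644.00 (u: 1110337644.00 s: 0.00 k: -1.00 n: 1)
10/15/2012 16:50:51.749193 unusually HIGH volume for total bytes communicated by address 2.3.4.5 during 10/15/2012 15:50:00 to 10/15/2012 16:50:00: 944856533.00 (u: 152723952.99 s: 331763734.18 k: 11.55 n: 7)
10/15/2012 16:50:51.749456 unusually LOW volume for total bytes communicated by address 3.4.5.6 during 10/15/2012 15:50:00 to 10/15/2012 16:50:00: 1000.00 (u: 500000.00 s: 120000.00 k: 2.00 n: 12)
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d+) unusually (?P<dir>HIGH|LOW) volume for "
    r"(?P<what>.+?) by address (?P<addr>\S+) during (?P<start>\S+ \S+) to (?P<end>\S+ \S+): "
    r"(?P<value>[\d.]+) \(u: (?P<u>[\d.]+) s: (?P<s>[\d.]+) k: (?P<k>-?[\d.]+) n: (?P<n>\d+)\)$"
)


@dataclass
class Triaged:
    addr: str
    direction: str          # HIGH or LOW, as reported by fttcv
    value: float
    z: Optional[float]      # (value - u) / s, or None when the baseline cannot support it
    escalate: bool          # True when |z| >= bk and the baseline has at least min_n samples


def triage(text: str, bk: float = 3.0, min_n: int = 5) -> List[Triaged]:
    """Re-score fttcv alerts at the collector with the same k-sigma rule -bk expresses."""
    out: List[Triaged] = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue  # progress lines, banners, anything that is not an alert
        value, u, s, n = float(m["value"]), float(m["u"]), float(m["s"]), int(m["n"])
        # A one-sample baseline has s == 0, so any later value would be infinitely
        # anomalous; too few samples likewise make s unreliable. Record, do not escalate.
        z = None if (s == 0.0 or n < min_n) else (value - u) / s
        escalate = z is not None and abs(z) >= bk
        out.append(Triaged(m["addr"], m["dir"], value, z, escalate))
    return out


if __name__ == "__main__":
    for t in triage(SAMPLE_ALERTS):
        zs = "n/a" if t.z is None else "%+.2f" % t.z
        print(f"{t.addr:>12} {t.direction:4} z={zs} escalate={t.escalate}")
```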